diff --git a/config/security_rules.json b/config/security_rules.json
index 26a236d3..c6dc6ea1 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -1,4 +1,2629 @@ [ + { + "category": "", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", + "event_ids": [ + "59" + ], + "id": "18e6fa4a-353d-42b6-975c-bb05dbf4a004", + "level": "informational", + "service": "bits-client", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0003", + "T1197", + "lolbas" + ], + "title": "Bits Job Created" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" + ], + "description": "Logon for RDS (Remote Desktop Services). Formerly known as Terminal Services.\nUses RDP so I am refering to these as RDP Logons as that is what most people will expect.\nOn newer OSes (Win 7+, 2012+), this event is logged only when a user successfully logs on to a RDP session.\nOn older OSes (Vista, 2008), this event is logged when a user logs on to a RDP session, regardless of success.\nThis event might be be created when rdesktop is used as a client and NLA is disabled.\nUser and domain names are empty if the server is configured with Restricted Admin.\nInformation in this event is also found in the Security event log.\n", + "event_ids": [ + "1149" + ], + "id": "e91c514e-08c5-4c42-96d7-ab1f5668a2f7", + "level": "informational", + "service": "", + "subcategory_guids": [], + "tags": [ + "RDP", + "TA0008", + "TA0001" + ], + "title": "RDP Logon" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" + ], + "description": "This event is generated when anyone connects to RDP and sends data. It does not need to be a legitimate RDP connection.\nUnfortunately, there are no details about the remote machine.\nThis event is noisy and will generate a lot of logs and is of limited investigative value.\nIf you see a large number of these events, but not successful logon events with EID 1149, etc... 
then it may indicate a brute force attack.\nThe Security event log will have more information so this event is only useful if the Security event logs are not available.\n", + "event_ids": [ + "261" + ], + "id": "6dbed1df-f08a-47ab-9a58-999c0787d034", + "level": "informational", + "service": "", + "subcategory_guids": [], + "tags": [ + "RDP", + "TA0008" + ], + "title": "RDP Conn (Noisy)" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-DNS-Server/Analytical" + ], + "description": "", + "event_ids": [ + "260" + ], + "id": "cd6eb342-9dcd-450d-b448-bebd97cb6e89", + "level": "informational", + "service": "dns-server-analytic", + "subcategory_guids": [], + "tags": [], + "title": "Recursive DNS Request" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-DNS-Server/Analytical" + ], + "description": "", + "event_ids": [ + "261" + ], + "id": "6db38b96-3772-4cbf-a8ad-c65d8ac5134e", + "level": "informational", + "service": "dns-server-analytic", + "subcategory_guids": [], + "tags": [], + "title": "Recursive DNS Response" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Partition/Diagnostic" + ], + "description": "Device is connected or disconnected", + "event_ids": [ + "1006" + ], + "id": "a6a0d64-75d1-433a-b415-4123bab080ec", + "level": "informational", + "service": "", + "subcategory_guids": [], + "tags": [], + "title": "Device Conn" + }, + { + "category": "ps_classic_start", + "channel": [ + "pwsh" + ], + "description": "Engine state is changed from None to Available.", + "event_ids": [ + "400" + ], + "id": "ac2ae63b-83e6-4d06-aeaf-07409bda92c9", + "level": "informational", + "service": "powershell-classic", + "subcategory_guids": [], + "tags": [ + "PwShClassic" + ], + "title": "PwSh Engine Started" + }, + { + "category": "ps_classic_start", + "channel": [ + "pwsh" + ], + "description": "An attacker may have started Powershell 2.0 to evade detection.", + "event_ids": [ + "400" + ], + "id": "bc082394-73e6-4d00-a9af-e7b524ef5085", + 
"level": "medium", + "service": "powershell-classic", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.010", + "lolbas", + "T1562" + ], + "title": "PwSh 2.0 Downgrade Attack" + }, + { + "category": "", + "channel": [ + "OAlerts" + ], + "description": "Displays the dialog box message that popped up in Office Activated App for the user.", + "event_ids": [ + "300" + ], + "id": "8cab5688-ca77-483d-a295-56dd6c1db944", + "level": "informational", + "service": "security", + "subcategory_guids": [], + "tags": [], + "title": "Office App PopUp" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], + "description": "Detects when powershell or cmd is used in WMI. (For persistence, lateral movement, etc...)", + "event_ids": [ + "5861" + ], + "id": "ab4852ca-3e27-4dbb-af6b-5f8458d5717a", + "level": "medium", + "service": "wmi", + "subcategory_guids": [], + "tags": [ + "WMI", + "TA0003", + "TA0008" + ], + "title": "WMI Filter To Consumer Binding_Command Execution" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], + "description": "Created when a EventFilterToConsumerBinding event happens.", + "event_ids": [ + "5861" + ], + "id": "ac9f0a2a-e9c5-4d19-b69e-e3d518ca6797", + "level": "informational", + "service": "wmi", + "subcategory_guids": [], + "tags": [ + "WMI" + ], + "title": "Permanent WMI Event Consumer" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], + "description": "", + "event_ids": [ + "5860" + ], + "id": "d96164c4-9e15-4d48-964f-153ac0dab6e9", + "level": "informational", + "service": "wmi", + "subcategory_guids": [], + "tags": [ + "WMI" + ], + "title": "Temporary WMI Event Consumer" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], + "description": "The time wmiprvse was executed and path to the provider DLL. 
Attackers may sometimes install malicious WMI provider DLLs.", + "event_ids": [ + "5857" + ], + "id": "547aec97-2635-474a-a36c-7a3a46b07fde", + "level": "informational", + "service": "wmi", + "subcategory_guids": [], + "tags": [ + "WMI" + ], + "title": "WMI Provider Started" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Ntfs/Operational" + ], + "description": "A NTFS volume has been successfully mounted. Introduced in Windows 10 / Windows Server 2016 (Build 14393), with more fields logged (including information on the underlying device) starting with Windows 11 / Windows Server 2022 (Build 22000).", + "event_ids": [ + "4" + ], + "id": "af127790-5563-473e-8d3a-43b3509572b1", + "level": "informational", + "service": "ntfs", + "subcategory_guids": [], + "tags": [], + "title": "NTFS volume mounted" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Windows defender malware detection", + "event_ids": [ + "1116" + ], + "id": "810bfd3a-9fb3-44e0-9016-8cdf785fddbf", + "level": "critical", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "malware" + ], + "title": "Defender Alert (Severe)" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Windows defender malware detection", + "event_ids": [ + "1116" + ], + "id": "3f5005fc-e354-4b0b-b1a1-3eec1d336023", + "level": "medium", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "malware" + ], + "title": "Defender Alert (Moderate)" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Windows defender malware detection", + "event_ids": [ + "1116" + ], + "id": "1e11c0f0-aecd-45d8-9229-da679c0265ea", + "level": "high", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "malware" + ], + "title": "Defender Alert (High)" + }, + { + "category": "", + "channel": [ + 
"Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Windows defender malware detection", + "event_ids": [ + "1116" + ], + "id": "61056ed8-7be5-46e4-9015-c5f6bc8b93a1", + "level": "low", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "malware" + ], + "title": "Defender Alert (Low)" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-WinRM/Operational" + ], + "description": "", + "event_ids": [ + "6" + ], + "id": "4f321a68-176a-4f1d-873a-8793bc49e3b0", + "level": "informational", + "service": "", + "subcategory_guids": [], + "tags": [ + "PwSh", + "WinRM" + ], + "title": "Win RM Session Created" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-TerminalServices-RDPClient/Operational" + ], + "description": "", + "event_ids": [ + "1102" + ], + "id": "1a850b71-6aef-4f31-a509-f31b2c778476", + "level": "informational", + "service": "", + "subcategory_guids": [], + "tags": [ + "RDP", + "TA0008" + ], + "title": "RDP Attempt" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-TerminalServices-RDPClient/Operational" + ], + "description": "", + "event_ids": [ + "1024" + ], + "id": "512e70f5-bf70-4de1-9375-2174999a7f8d", + "level": "informational", + "service": "", + "subcategory_guids": [], + "tags": [ + "RDP", + "TA0008" + ], + "title": "RDP Conn Attempt" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Crypto-DPAPI/Debug" + ], + "description": "Detects whenever SPCryptUnprotect is called in the Microsoft-Windows-Crypto-DPAPI/Debug event log.", + "event_ids": [ + "16385" + ], + "id": "420d5d28-78ed-4e43-844a-94ce69db378c", + "level": "informational", + "service": "", + "subcategory_guids": [], + "tags": [], + "title": "CryptoDPAPI Decrypt" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "On Powershell v5+, Windows will automatically log suspicious powershell execution and mark the Level as Warning.", + "event_ids": [ + "4104" + ], + "id": 
"73be1519-4648-4ed7-b305-605504afc242", + "level": "medium", + "service": "powershell", + "subcategory_guids": [], + "tags": [ + "PwSh" + ], + "title": "Potentially Malicious PwSh" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Powershell Scriptblock Logging. Windows 10+ will flag suspicious PwSh as level 3 (warning) so \nI am filtering out these events as they are being created with the \"Potentially Malicious PwSh\" rule.\n", + "event_ids": [ + "4104" + ], + "id": "0f3b1343-65a5-4879-b512-9d61b0e4e3ba", + "level": "informational", + "service": "powershell", + "subcategory_guids": [], + "tags": [ + "PwSh" + ], + "title": "PwSh Scriptblock" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Powershell Module Loggong. Displays powershell execution", + "event_ids": [ + "4103" + ], + "id": "d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031", + "level": "informational", + "service": "powershell", + "subcategory_guids": [], + "tags": [ + "PwSh" + ], + "title": "PwSh Pipeline Exec" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-WLAN-AutoConfig" + ], + "description": "Prints connection info to wireless access points.", + "event_ids": [ + "8001" + ], + "id": "90dd0797-f481-453d-a97e-dd78436893f9", + "level": "informational", + "service": "", + "subcategory_guids": [], + "tags": [], + "title": "Wifi AP Conn" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-VHDMP-Operational" + ], + "description": "A VHDX (Virtual Hard Disk version 2) image was mounted. They are often used with WSL disk partitions.", + "event_ids": [ + "12" + ], + "id": "2c544083-e209-4a8d-ad28-4f1427353d2e", + "level": "low", + "service": "vhdmp", + "subcategory_guids": [], + "tags": [], + "title": "VHDX Mounted" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-VHDMP-Operational" + ], + "description": "A VMGS or VHD (Virtual Hard Disk) image was mounted. 
They are often used with HyperV.", + "event_ids": [ + "12" + ], + "id": "d00c370c-c6c2-474f-9d41-a250644852b5", + "level": "low", + "service": "vhdmp", + "subcategory_guids": [], + "tags": [], + "title": "VHD Mounted" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-VHDMP-Operational" + ], + "description": "An ISO disk image was mounted. The original event is for when the handle is created. \nThere is an event ID 1 for when it is mounted but this happens at the same time and this event contains more detailed information \nso I am using this instead of EID 1 for VHD mounting.\nAttackers have started to place malware instead .iso files now that office documents downloaded from the internet have their macros blocked by default since 2022.\n", + "event_ids": [ + "12" + ], + "id": "f9915ff9-17ce-4524-9851-cc4bdd9bb35e", + "level": "low", + "service": "vhdmp", + "subcategory_guids": [], + "tags": [], + "title": "ISO Mounted" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Logs only the first time a device has been plugged in.", + "event_ids": [ + "20001" + ], + "id": "f5c0b936-bec8-418a-a79a-89833468fea2", + "level": "informational", + "service": "system", + "subcategory_guids": [], + "tags": [], + "title": "New USB PnP Device" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Logs only the first time a device has been plugged in.", + "event_ids": [ + "20001" + ], + "id": "9eaea7e6-6567-4ad0-bcc9-fe568dd27909", + "level": "informational", + "service": "system", + "subcategory_guids": [], + "tags": [], + "title": "New Non-USB PnP Device" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "", + "event_ids": [ + "7031" + ], + "id": "d869bf31-92b3-4e21-a447-708f10156e7c", + "level": "low", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0040", + "T1499" + ], + "title": "Service Crashed" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "The 
shutdown operation is initiated automatically by a program that uses the InitiateSystemShutdownEx function with the force flag.", + "event_ids": [ + "6008" + ], + "id": "517c0b15-d2bf-48a3-926c-f7b4a96dcec3", + "level": "low", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0040", + "T1499" + ], + "title": "Unexpected Shutdown" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "This is an event that shows the computer uptime.This event is important because it also contains the OS timezone information.\n", + "event_ids": [ + "6013" + ], + "id": "982fdd1f-38fe-4243-bea3-6032fc01b723", + "level": "informational", + "service": "system", + "subcategory_guids": [], + "tags": [], + "title": "Computer Uptime/Timezone" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "", + "event_ids": [ + "7034" + ], + "id": "f5dc6a6d-fdf1-441a-a10c-aa10e2908aa4", + "level": "low", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0040", + "T1499" + ], + "title": "Service Crashed" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Malware will often create services for persistence and use BASE64 encoded strings to execute malicious code or abuse legitimate binaries like cmd.exe, powershell, etc... inside the path to execute. 
Normally, services will not run built-in binaries, run from user or temp folders or contain encoded data.", + "event_ids": [ + "7045" + ], + "id": "dbbfd9f3-9508-478b-887e-03ddb9236909", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1543.003", + "T1543" + ], + "title": "Suspicious Service Path" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Tries to look for random-looking service names that are often used by malware for persistence.", + "event_ids": [ + "7045" + ], + "id": "cc429813-21db-4019-b520-2f19648e1ef1", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1543.003", + "T1543" + ], + "title": "Suspicious Service Name" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Startup, restarting the event log service, etc...", + "event_ids": [ + "6005" + ], + "id": "11dc7d25-01c9-4b07-9d91-8e07b60d8fd3", + "level": "informational", + "service": "system", + "subcategory_guids": [], + "tags": [], + "title": "Event Log Svc Started" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "PSExec is a MS SysInternals tool often abused for lateral movement.", + "event_ids": [ + "7045" + ], + "id": "0694c340-3a46-40ac-acfc-c3444ae6572c", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0008", + "attack.s0029", + "T1136.002", + "T1543.003", + "T1570", + "T1021.002", + "T1569.002", + "T1543", + "T1136", + "T1569", + "T1021" + ], + "title": "PSExec Lateral Movement" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "The system has booted up. It also contains information about the OS version even though this information is not present in the event message. You can tell if the system was started up normally or in safe mode depending on the value of the BootMode. 0 for normal boot. 1 for Safe Mode. 
2 for Safe Mode with networking.", + "event_ids": [ + "12" + ], + "id": "8da41a05-364b-4e3c-95d9-397abb82eac4", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [], + "title": "Computer Startup In Safe Mode" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Somebody cleared an imporant event log.", + "event_ids": [ + "104" + ], + "id": "ed90ed4f-0d93-4f1a-99a2-4b9003b750a7", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1070.001", + "T1070" + ], + "title": "Log File Cleared" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "", + "event_ids": [ + "7040" + ], + "id": "ab3507cf-5231-4af6-ab1d-5d3b3ad467b5", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.002", + "T1562" + ], + "title": "Event Log Service Startup Type Changed To Disabled" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Shutdown, reboot, event log service stopped, etc...", + "event_ids": [ + "6006" + ], + "id": "b6d53116-36b2-4413-a99b-e6708f9c3027", + "level": "informational", + "service": "system", + "subcategory_guids": [], + "tags": [], + "title": "Event Log Svc Stopped" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "A new service was installed. 
(Possibly malware.)", + "event_ids": [ + "7045" + ], + "id": "64c5d39d-10a7-44f4-b5d6-fd0d93d0a69f", + "level": "informational", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003" + ], + "title": "Svc Installed" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "", + "event_ids": [ + "7045" + ], + "id": "76355548-fa5a-4310-9610-0de4b11f4688", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1543.003", + "T1543" + ], + "title": "Possible Metasploit Svc Installed" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "The system has booted up. It also contains information about the OS version even though this information is not present in the event message. You can tell if the system was started up normally or in safe mode depending on the value of the BootMode. 0 for normal boot. 1 for Safe Mode. 2 for Safe Mode with networking.", + "event_ids": [ + "12" + ], + "id": "a225cc36-bfdc-4e7a-ad01-f544b90e2d2a", + "level": "informational", + "service": "system", + "subcategory_guids": [], + "tags": [], + "title": "Computer Startup" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "The computer started up. This event is important because it also contains the OS version information.\n%Data[3]% contains the Service Pack name (Ex: Service Pack 1) for Windows 7 systems but can be infered from the build number so is left out.\n%Data[4]% contains processor license information (Ex: Multiprocessor Free) but is not so useful so is left out.\n%Data[5]% contains the Revision (a.k.a. 
Update Version) Number in Windows 7 logs.\nWindows 10+ seems to always output 0 for this so it is not a reliable source for identifying the Revision Number.\n", + "event_ids": [ + "6009" + ], + "id": "b27292f1a-18b3-4433-b340-151874a7d4e8", + "level": "informational", + "service": "system", + "subcategory_guids": [], + "tags": [], + "title": "Computer Startup" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Blue Screen Of Death. MS calls these Bug Check Errors.\nparam1 will contain various error codes for debugging:\nexample: 0x0000009f (0x0000000000000003, 0xffffe682fdfaf570, 0xfffff800666c4750, 0xffffe6831844f050)\n - 0x0000009f is the Bug Check Code (a.k.a. Stop Code) meaning DRIVER_POWER_STATE_FAILURE\n - 0x0000000000000003 indicates the type of inconsistency. In this case, 0x3 means the system is transitioning from a sleep state (S4 or S5) to an awake state (S0).\n - 0xffffe682fdfaf570 is a pointer to the DEVICE_OBJECT structure representing the device that is being enumerated.\n - 0xfffff800666c4750 is a pointer to the IRP (I/O Request Packet) that was pending for the device object.\n - 0xffffe6831844f050 is a pointer to the NTSTATUS code indicating the cause of the failure.\nparam2 is the path to a memory dump (ex: C:\\WINDOWS\\MEMORY.DMP)\nparam3 is the report ID (ex: cf65ecb3-8a81-4a04-89ae-8d1fff1aecf8)\n", + "event_ids": [ + "1001" + ], + "id": "082fbbf5-bb05-468c-ad9c-ef2a383bb293", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [], + "title": "BSOD" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Somebody cleared an imporant event log.", + "event_ids": [ + "104" + ], + "id": "f481a1f3-969e-4187-b3a5-b47c272bfebd", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1070.001", + "T1070" + ], + "title": "Important Log File Cleared" + }, + { + "category": "", + "channel": [ + 
"Microsoft-Windows-DriverFrameworks-UserMode/Operational" + ], + "description": "", + "event_ids": [ + "2003" + ], + "id": "b39b18a5-cece-4e7d-a438-827d0b0e8a82", + "level": "informational", + "service": "driver-framework", + "subcategory_guids": [], + "tags": [], + "title": "USB Plugged In" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-TerminalServices-Gateway/Operational" + ], + "description": "", + "event_ids": [ + "302" + ], + "id": "27648a93-cfc0-4903-beb2-9395e784a484", + "level": "informational", + "service": "", + "subcategory_guids": [], + "tags": [ + "RDP", + "TA0008", + "TA0001" + ], + "title": "RDS GTW Logon" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-TerminalServices-Gateway/Operational" + ], + "description": "", + "event_ids": [ + "302" + ], + "id": "24a04758-729d-4c43-9bd5-cccd31db80d0", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "RDP", + "TA0008", + "TA0001" + ], + "title": "RDS GTW Logon Error" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-TerminalServices-Gateway/Operational" + ], + "description": "", + "event_ids": [ + "303" + ], + "id": "e5f74909-58a9-45ec-b70d-21c654dca4f3", + "level": "informational", + "service": "", + "subcategory_guids": [], + "tags": [ + "RDP", + "TA0008", + "TA0001" + ], + "title": "RDS GTW Logoff" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk. \nFor example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.) 
\nDisk wipers like bcwipe will also generate this.\nMore legitimate filepaths may have to be added to the filter.\nThis is marked as a medium alert as there is a high possibility for false positives.\n", + "event_ids": [ + "4673" + ], + "id": "5b6e58ee-c231-4a54-9eee-af2577802e08", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9228-69AE-11D9-BED3-505054503030", + "0CCE9229-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1561", + "TA0040", + "T1003" + ], + "title": "Process Ran With High Privilege" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.", + "event_ids": [ + "4674" + ], + "id": "15db3cc7-30bd-47a0-bd75-66208ce8e3fe", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9229-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1543.003", + "T1543" + ], + "title": "Possible Hidden Service Created" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "A process has read credentials in the Credential Manager. There will be many false positives so check if the Process ID (PID) is that of known malware on the system.", + "event_ids": [ + "5379" + ], + "id": "d478c070-8f84-4e65-9f45-cc432a000e93", + "level": "low", + "service": "security", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1555.004", + "T1555" + ], + "title": "Credential Manager Accessed" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "A process has enumerated credential information in Credential Manager. 
There will be many false positives so check if the Process ID (PID) is that of known malware on the system.", + "event_ids": [ + "5379" + ], + "id": "d8e3afc5-fa0a-4063-a4af-55e014eb1936", + "level": "low", + "service": "security", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1555.004", + "T1555" + ], + "title": "Credential Manager Enumerated" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "A user has cleared the Security event log.", + "event_ids": [ + "1102" + ], + "id": "c2f690ac-53f8-4745-8cfe-7127dda28c74", + "level": "high", + "service": "security", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1070.001", + "T1070" + ], + "title": "Log Cleared" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Process execution.", + "event_ids": [ + "4688" + ], + "id": "ac933178-c222-430d-8dcf-17b4f3a2fed8", + "level": "informational", + "service": "security", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [], + "title": "Proc Exec" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "", + "event_ids": [ + "4688" + ], + "id": "75744b7f-7e4a-47fe-afbe-1ee74ec2448e", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [], + "title": "Susp CmdLine (Possible Meterpreter getsystem)" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects a suspicious RDP session redirect using tscon.exe", + "event_ids": [ + "4688" + ], + "id": "6be7f3fc-8917-11ec-a8a3-0242ac120002", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1563.002", + "T1021.001", + "T1563", + "T1021" + ], + "title": "Possible RDP Hijacking" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "", + "event_ids": [ + "4688" + ], + "id": "6c34b782-a5b5-4298-80f3-1918caf1f558", + "level": "low", 
+ "service": "security", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "lolbas" + ], + "title": "Possible LOLBIN" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Originally \"Special privileges assigned to new logon\". This will create a seperate LID that is used when special admin-level privileges are used.", + "event_ids": [ + "4672" + ], + "id": "fdd0b325-8b89-469c-8b0c-e5ddfe39b62e", + "level": "informational", + "service": "security", + "subcategory_guids": [ + "0CCE921B-69AE-11D9-BED3-505054503030" + ], + "tags": [], + "title": "Admin Logon" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Prints failed logons", + "event_ids": [ + "4625" + ], + "id": "8afa97ce-a217-4f7c-aced-3e320a57756d", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "tags": [], + "title": "Logon Failure (User Does Not Exist)" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Type 10 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.", + "event_ids": [ + "4624" + ], + "id": "a4e05f05-ff88-48b9-8524-a88c1c32fe19", + "level": "informational", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "tags": [], + "title": "Logon (RemoteInteractive (RDP)) *Creds in memory*" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Search for many 4648 explicit credential logon attempts in a short period of time.", + "event_ids": [ + "4648" + ], + "id": "ffd622af-d049-449f-af5a-0492fdcc3a58", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1110.003", + "TA0006", + "T1110" + ], + "title": "PW Spray" + }, + { + "category": "", + "channel": 
[
+ "sec"
+ ],
+ "description": "Type 11 Interactive logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "fbbe9d3f-ed1f-49a9-9446-726e349f5fba",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (CachedInteractive) *Creds in memory*"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a failed logon event due to a wrong password",
+ "event_ids": [
+ "4625"
+ ],
+ "id": "5b0b75dc-9190-4047-b9a8-14164cee8a31",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030",
+ "0CCE9217-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Failed Logon - Incorrect Password"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Prints logon information.",
+ "event_ids": [
+ "4625"
+ ],
+ "id": "e87bd730-df45-4ae9-85de-6c75369c5d29",
+ "level": "low",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030",
+ "0CCE9217-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon Failure (Wrong Password)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Type 13 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "e50e3952-06d9-44a8-ab07-7a41c9801d78",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (CachedUnlock) *Creds in memory*"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Prints logon information",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "c7b22878-e5d8-4c30-b245-e51fd354359e",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (Network)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a failed logon event due to a wrong password",
+ "event_ids": [
+ "4648"
+ ],
+ "id": "ab1accc0-b6e2-4841-8dfb-5902581392c3",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Failed Logon - Incorrect Password"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "System Noise",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "84e5ff02-5f8f-48c4-a7e9-88aa1fb888f7",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (Service) (Noisy)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Type 9 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "d80facaa-ca97-47bb-aed2-66362416eb49",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (NewCredentials) *Creds in memory*"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Search for many 4625 failed logon attempts due to wrong usernames in a short period of time.",
+ "event_ids": [
+ "4625"
+ ],
+ "id": "4574194d-e7ca-4356-a95c-21b753a1787e",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030",
+ "0CCE9217-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "T1110.003",
+ "TA0006",
+ "T1110"
+ ],
+ "title": "User Guessing"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "The logon event happens when the computer boots up.",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "9fa273cc-bcb2-4789-85e3-14ca253ac7f4",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (System) - Bootup"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Prints logon information.",
+ "event_ids": [
+ "4625"
+ ],
+ "id": "a85096da-be85-48d7-8ad5-2f957cd74daa",
+ "level": "low",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030",
+ "0CCE9217-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon Failure (Unknown Reason)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "(From ultimatewindowsecurity.com)\nThis log is generated when\n1. A user connects to a server or runs a program locally using alternate credentials.\n For instance a user maps a drive to a server but specifies a different user's credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut,\n selecting Run as..., and then filling in a different user's credentials in the dialog box that appears. Or a user logs on to a web site using new specific credentials.\n2. When a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.\n3. With User Account Control enabled, an end user runs a program requiring admin authority. You will get this event where the process information is consent.exe.\n Unfortunately the Subject does not identify the end user.\n4. Logging on interactively to a server with a domain account. (Two 4624 events will also be generated.)\nThis logon event is unique in that it is logged on the source computer and not the target computer like most other logon events.\nAlso, it will be logged regardless of the logon being successful or not so consider it an attempt and not necessarily an actual successful logon.\n",
+ "event_ids": [
+ "4648"
+ ],
+ "id": "8c1899fe-493d-4faf-aae1-0853a33a3278",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0004",
+ "TA0008"
+ ],
+ "title": "Explicit Logon Attempt"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Outputs system noise",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "0266af4f-8825-495e-959c-bff801094349",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (Network) (Noisy)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects explicit credential logons with suspicous processes like powershell and wmic which are often abused by malware like Cobalt Strike or Mimikatz for user impersonation.",
+ "event_ids": [
+ "4648"
+ ],
+ "id": "7616e857-8e41-4976-bc21-811d122b9fc9",
+ "level": "high",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0004",
+ "TA0008"
+ ],
+ "title": "Explicit Logon Attempt (Susp Proc) - Possible Mimikatz PrivEsc"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Tries to detect token impersonation by tools like Cobalt Strike.",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "46614e82-7926-41f9-85aa-006b98c5c2a3",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Possible Token Impersonation"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "(From ultimatewindowsecurity.com)\nThis log is generated when\n1. A user connects to a server or runs a program locally using alternate credentials.\n For instance a user maps a drive to a server but specifies a different user's credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut,\n selecting Run as..., and then filling in a different user's credentials in the dialog box that appears. Or a user logs on to a web site using new specific credentials.\n2. When a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.\n3. With User Account Control enabled, an end user runs a program requiring admin authority. You will get this event where the process information is consent.exe.\n Unfortunately the Subject does not identify the end user.\n4. Logging on interactively to a server with a domain account. (Two 4624 events will also be generated.)\nThis logon event is unique in that it is logged on the source computer and not the target computer like most other logon events.\nAlso, it will be logged regardless of the logon being successful or not so consider it an attempt and not necessarily an actual successful logon.\n",
+ "event_ids": [
+ "4648"
+ ],
+ "id": "a5b3ebf0-141a-4264-b2ff-400c0d515fca",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0004",
+ "TA0008"
+ ],
+ "title": "Explicit Logon Attempt (Noisy)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Prints logon information",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "8ad8b25f-6052-4cfd-9a50-717cb514af13",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (Batch)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Type 2 Interactive logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "7beb4832-f357-47a4-afd8-803d69a5c85c",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (Interactive) *Creds in memory*"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a failed logon event due to an incorrect username",
+ "event_ids": [
+ "4625"
+ ],
+ "id": "b2c74582-0d44-49fe-8faa-014dcdafee62",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030",
+ "0CCE9217-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Failed Logon - Non-Existent User"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Tries to detect token impersonation by tools like Cobalt Strike.",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "9e8b6cdb-9991-488b-a7b3-2eec7aa64679",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "NewInteractive Logon (Suspicious Process)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "This is filtered by default as it is usually system noise.",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "b1782e40-d247-4de1-86d1-37392cb62e3b",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (Interactive) (Noisy)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Prints logon information",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "b61bfa39-48ec-4bdf-9d4e-e7205f49acd2",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (Unlock)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Type 12 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (CachedRemoteInteractive) *Creds in memory*"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Prints logon information. Despite the naming NetworkCleartext, the password is not sent over the network in cleartext. It is usually for IIS Basic Authentication.",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "7ff51227-6a10-49e6-a58b-b9f4ac32b138",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (NetworkCleartext)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Prints logon type 5 service logons.",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "408e1304-51d7-4d3e-ab31-afd07192400b",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon (Service)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Search for many 4625 wrong password failed logon attempts in a short period of time.",
+ "event_ids": [
+ "4625"
+ ],
+ "id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030",
+ "0CCE9217-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "T1110.003",
+ "TA0006",
+ "T1110"
+ ],
+ "title": "PW Guessing"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Prints logon information.",
+ "event_ids": [
+ "4647"
+ ],
+ "id": "6bad16f1-02c4-4075-b414-3cd16944bc65",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9216-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logoff (User Initiated)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Prints logon information.",
+ "event_ids": [
+ "4634"
+ ],
+ "id": "7309e070-56b9-408b-a2f4-f1840f8f1ebf",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9216-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logoff"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Prints logon information.",
+ "event_ids": [
+ "4634"
+ ],
+ "id": "84288799-8b61-4d98-bad0-4043c40cf992",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9216-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logoff (Noisy)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects when there is a RDP session disconnect.",
+ "event_ids": [
+ "4779"
+ ],
+ "id": "f3532729-5536-42b4-ad74-d061b61a3891",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE921C-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "RDP",
+ "TA0008"
+ ],
+ "title": "RDP Session Disconnect"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects when there is a RDP session reconnect.",
+ "event_ids": [
+ "4778"
+ ],
+ "id": "db23f704-61c8-4c95-a5b7-4db61c89f41d",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE921C-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "RDP",
+ "TA0008"
+ ],
+ "title": "RDP Session Reconnect"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Directory Service Object Modified. Log written only to domain controllers (2008+)",
+ "event_ids": [
+ "5136"
+ ],
+ "id": "22ee9fb7-64ca-4eed-92de-d1dbef1170b8",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE923C-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Dir Svc Obj Modified"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A computer account was created.",
+ "event_ids": [
+ "4741"
+ ],
+ "id": "42a0a842-2b82-4b2d-8e44-5580fb6c38db",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9236-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Computer Account Created"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subject user is the user that performed the action. Only logged on DCs.",
+ "event_ids": [
+ "4728"
+ ],
+ "id": "0db443ba-561c-4a04-b349-d74ce1c5fc8b",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9237-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1098"
+ ],
+ "title": "User Added To Global Security Grp"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "User Added To Non-Admin Global Security Group. Only logged on DCs.",
+ "event_ids": [
+ "4728"
+ ],
+ "id": "2f04e44e-1c79-4343-b4ab-ba670ee10aa0",
+ "level": "low",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9237-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1098"
+ ],
+ "title": "User Added To Non-Admin Global Grp"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A user was added to the local Administrators group. Unfortunately the user name does not get recorded in the log, only the SID, so you need to look up the username via the SID.",
+ "event_ids": [
+ "4732"
+ ],
+ "id": "611e2e76-a28f-4255-812c-eb8836b2f5bb",
+ "level": "high",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9237-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1098"
+ ],
+ "title": "User Added To Local Admin Grp"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A user was added to the Domain Admins group. Only logged on DCs.",
+ "event_ids": [
+ "4728"
+ ],
+ "id": "4bb89c86-a138-42a0-baaf-fc2f777a4506",
+ "level": "high",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9237-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1098"
+ ],
+ "title": "User Added To Global Domain Admins Grp"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A user was added to the local Domain Admins group.",
+ "event_ids": [
+ "4732"
+ ],
+ "id": "bc58e432-959f-464d-812e-d60ce5d46fa1",
+ "level": "high",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9237-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1098"
+ ],
+ "title": "User Added To Local Domain Admins Grp"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.",
+ "event_ids": [
+ "4720"
+ ],
+ "id": "70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a",
+ "level": "high",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9235-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "attack.11136.001"
+ ],
+ "title": "Hidden User Account Created"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A local user account was created.",
+ "event_ids": [
+ "4720"
+ ],
+ "id": "13edce80-2b02-4469-8de4-a3e37271dcdb",
+ "level": "low",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9235-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "attack.1136.001"
+ ],
+ "title": "Local User Account Created"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A user account changed it's own password. Adversaries might change the password to lockout legitimate user or set the password to a known clear text passwort via Pass the Hash if only the password hash is known. This will allow an adversary to access services where Pass the Hash is not an option.",
+ "event_ids": [
+ "4723"
+ ],
+ "id": "3b3046f3-a51c-4378-b059-c716aaa865b4",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9235-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0004"
+ ],
+ "title": "User Password Changed"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A user accounts password was changed by another account. The current password is not required to reset the password. An adversary might change the password of another account to lock out legitimate users or gain access to the account. This could be done if the account controlled by the attacker has permission to change the password, or as a step in attacks like Pass the Cert.",
+ "event_ids": [
+ "4724"
+ ],
+ "id": "0b78aca4-35f0-4bec-acce-c5743ff26614",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9235-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0004"
+ ],
+ "title": "Password Reset By Admin"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.",
+ "event_ids": [
+ "4825"
+ ],
+ "id": "f97a152e-753c-4975-9375-19087fb66f8c",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [],
+ "tags": [],
+ "title": "RDP Denied"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A logon process has registered with the Local Security Authority (LSA). Logon requests will now be accepted from this source. Technically, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates. A logon process is a trusted part of the OS that handles logon methods (network, interactive, etc.)",
+ "event_ids": [
+ "4611"
+ ],
+ "id": "614c150b-905d-4071-9b8e-0425e370c493",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9211-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Logon Proc Registered With LSA"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A logon process has registered with the Local Security Authority (LSA). Logon requests will now be accepted from this source. Technically, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates. A logon process is a trusted part of the OS that handles logon methods (network, interactive, etc.)",
+ "event_ids": [
+ "4611"
+ ],
+ "id": "41ca6049-dd12-462c-a772-7bba78d8e2f0",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9211-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Abnormal Logon Proc Registered With LSA"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "A new service was installed. (Possibly malware.)",
+ "event_ids": [
+ "4697"
+ ],
+ "id": "95fe88c9-5b9d-4454-97b4-957918b84208",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9211-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003"
+ ],
+ "title": "Svc Installed"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects when hashes are not correct or a file does not meet Windows' security requirements.",
+ "event_ids": [
+ "6410"
+ ],
+ "id": "c2eb9d20-ef9d-4b2d-bffe-d0a5d9616f30",
+ "level": "low",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9212-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005"
+ ],
+ "title": "Code Integrity Proble (Possible Modification)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects when hashes are not correct or a file does not meet Windows' security requirements.",
+ "event_ids": [
+ "6281"
+ ],
+ "id": "d4757f63-cc0e-448e-8b5b-6cb02aeb918a",
+ "level": "low",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9212-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005"
+ ],
+ "title": "Code Integrity Error (Invalid Image Page Hash)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects when hashes are not correct or a file does not meet Windows' security requirements.",
+ "event_ids": [
+ "5038"
+ ],
+ "id": "0c871345-668e-4b71-bdad-61e42ecc31e3",
+ "level": "low",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9212-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005"
+ ],
+ "title": "Code Integrity Error (Invalid Image Hash)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.",
+ "event_ids": [
+ "4768"
+ ],
+ "id": "dee2a01e-5d7c-45b4-aec3-ad9722f2165a",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9242-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0006",
+ "T1558.004",
+ "T1558"
+ ],
+ "title": "Possible AS-REP Roasting (RC4 Kerberos Ticket Req)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.",
+ "event_ids": [
+ "4769"
+ ],
+ "id": "f19849e7-b5ba-404b-a731-9b624d7f6d19",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9240-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0006",
+ "T1558.003",
+ "T1558"
+ ],
+ "title": "Possible Kerberoasting (RC4 Kerberos Ticket Req)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Prints logon information.",
+ "event_ids": [
+ "4768"
+ ],
+ "id": "d9f336ea-bb16-4a35-8a9c-183216b8d59c",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9242-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Kerberos TGT Requested"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Logged when NTLM authentication is used usually for local accounts but NTLM can also be used with domain accounts. The original event title says it is only generated on domain controllers but that is not true. This also gets logged on clients.",
+ "event_ids": [
+ "4776"
+ ],
+ "id": "4fbe94b0-577a-4f77-9b13-250e27d440fa",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE923F-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "NTLM Auth"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Prints logon information.",
+ "event_ids": [
+ "4769"
+ ],
+ "id": "da6257f3-cf49-464a-96fc-c84a7ce20636",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9240-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Kerberos Service Ticket Requested"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "",
+ "event_ids": [
+ "5140"
+ ],
+ "id": "15d042c1-07c6-4e16-ae7d-e0e556ccd9a8",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9224-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "T1039",
+ "TA0009"
+ ],
+ "title": "NetShare Access"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "",
+ "event_ids": [
+ "5145"
+ ],
+ "id": "8c6ec2b2-8dad-4996-9aba-d659afc1b919",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9244-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "T1039",
+ "TA0009"
+ ],
+ "title": "NetShare File Access"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "The Windows Filtering Platform has allowed a connection.",
+ "event_ids": [
+ "5156"
+ ],
+ "id": "d0a61a11-57c9-4afc-b940-3f19b60db08e",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9226-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Net Conn"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "The Windows Filtering Platform has blocked a connection.",
+ "event_ids": [
+ "5157"
+ ],
+ "id": "b793a8e6-28a4-4fb8-816e-17a99e4e7b40",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9226-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Net Conn Blocked"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Scheduled task was deleted.",
+ "event_ids": [
+ "4699"
+ ],
+ "id": "de5ed02e-e7b5-47a0-a35c-06a907c988e4",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9226-69AE-11D9-BED3-505054503030",
+ "0CCE9227-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Task Deleted"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Scheduled task created. Malware often persists with tasks but also used legitimately often as well.",
+ "event_ids": [
+ "4698"
+ ],
+ "id": "60d768ca-33e8-4f34-b967-14fd7aa18a22",
+ "level": "informational",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9226-69AE-11D9-BED3-505054503030",
+ "0CCE9227-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [],
+ "title": "Task Created"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TaskScheduler/Operational"
+ ],
+ "description": "",
+ "event_ids": [
+ "106"
+ ],
+ "id": "33599dfb-f3e4-4298-8d3f-59407f65f4e7",
+ "level": "informational",
+ "service": "taskscheduler",
+ "subcategory_guids": [],
+ "tags": [
+ "Task"
+ ],
+ "title": "Task Created"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TaskScheduler/Operational"
+ ],
+ "description": "",
+ "event_ids": [
+ "200"
+ ],
+ "id": "d1923809-955b-47c4-b3e5-37c0e461919c",
+ "level": "informational",
+ "service": "taskscheduler",
+ "subcategory_guids": [],
+ "tags": [
+ "Task"
+ ],
+ "title": "Task Executed"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TaskScheduler/Operational"
+ ],
+ "description": "",
+ "event_ids": [
+ "140"
+ ],
+ "id": "aba04101-e439-4e2f-b051-4be561993c31",
+ "level": "informational",
+ "service": "taskscheduler",
+ "subcategory_guids": [],
+ "tags": [
+ "Task"
+ ],
+ "title": "Task Updated"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TaskScheduler/Operational"
+ ],
+ "description": "",
+ "event_ids": [
+ "141"
+ ],
+ "id": "ff6ada24-c7f0-4ae5-a7a6-f20ddb7b591f",
+ "level": "informational",
+ "service": "taskscheduler",
+ "subcategory_guids": [],
+ "tags": [
+ "Task"
+ ],
+ "title": "Task Deleted"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Application"
+ ],
+ "description": "Windows Installer installed software via an MSI file.\n%Data[1]%: Product Name\n%Data[2]%: Product Version\n%Data[3]%: Product Language in LCID format. (Ex: 1033 for English)\n%Data[4]%: Installation status code. 0 means success.\n%Data[5]%: Vendor\n%Data[6]%: Not sure.\nBinary: Not sure how to decode.\n",
+ "event_ids": [
+ "1022",
+ "1033"
+ ],
+ "id": "ef118d4d-ef83-40a7-bb27-2bb3945473ee",
+ "level": "informational",
+ "service": "application",
+ "subcategory_guids": [],
+ "tags": [],
+ "title": "MSI Install"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
+ ],
+ "description": "This event is created when a new local session is created for either a local or remote interactive login.\nOriginal event message: “Shell start notification received”\nThe Local Session Manager is responsible for creating or finding existing local sessions to support interactive logins.\nNote that local sessions are different from logon sessions.\nLocal sessions represent the logon sessions, desktop layout, processes, etc. associated with an interactive logon. \nEvent 22 is created when a new local session needs to be created.\nThat happens after a user successfully authenticates for a local or remote interactive logon session and the user does not already have an existing local session.\nThis event follows a Local Session Manager 21 event.\nThis event gives the same information in Remote Connection Manager 1149, Local Session Manager 21 and Security 4648.\n",
+ "event_ids": [
+ "22"
+ ],
+ "id": "320e2cb0-a56a-476f-a299-79dc45644fee",
+ "level": "informational",
+ "service": "terminalservices-localsessionmanager",
+ "subcategory_guids": [],
+ "tags": [
+ "RDP",
+ "TA0008"
+ ],
+ "title": "RDP Sess Start (Noisy)"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
+ ],
+ "description": "This event is created when a new local session is created for either a local or remote interactive login when a user successfully authenticates and there is no existing local session.\nThis event will be created when a user logs on for the first time or after a logout but not after just a disconnect because the session will still exist.\nIn that case, a reconnect event will be created.\nThe Local Session Manager is responsible for creating or finding existing local sessions to support interactive logins.\nNote that local sessions are different from logon sessions.\nLocal sessions represent the logon sessions, desktop layout, processes, etc. associated with an interactive logon. \nSrcIP will be an IP address if it is a remote session and \"LOCAL\" if it is a local session.\nThis event gives the same information in Remote Connection Manager 1149, Local Session Manager 22 and Security 4648.\n",
+ "event_ids": [
+ "21"
+ ],
+ "id": "b107551c-409d-44b8-bb0d-3b007c269881",
+ "level": "informational",
+ "service": "terminalservices-localsessionmanager",
+ "subcategory_guids": [],
+ "tags": [
+ "RDP",
+ "TA0008"
+ ],
+ "title": "RDP Logon"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
+ ],
+ "description": "Event 23 is created when a local session logs off. That happens after a user successfully logs off a local or remote interactive logon session. Not just a disconnect.",
+ "event_ids": [
+ "23"
+ ],
+ "id": "e14a729f-f4f8-427b-a238-dfbde9c1614b",
+ "level": "informational",
+ "service": "terminalservices-localsessionmanager",
+ "subcategory_guids": [],
+ "tags": [
+ "RDP",
+ "TA0008"
+ ],
+ "title": "RDP Logoff"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
+ ],
+ "description": "Event 24 is created when a local session disconnects. That happens after a user successfully logs off or disconnects a local or remote interactive logon session.\nThis event immediately follows a EID 23 RDP Logoff event.\nThis event has the same information as EID 23 and Security EID 4634.\n",
+ "event_ids": [
+ "24"
+ ],
+ "id": "3fc6234f-93a5-4d48-b618-30e2c69c0a86",
+ "level": "informational",
+ "service": "terminalservices-localsessionmanager",
+ "subcategory_guids": [],
+ "tags": [
+ "RDP",
+ "TA0008"
+ ],
+ "title": "RDP Disconnect"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
+ ],
+ "description": "",
+ "event_ids": [
+ "25"
+ ],
+ "id": "8fe4a60b-2af3-43d6-95e2-8f13caccc179",
+ "level": "informational",
+ "service": "terminalservices-localsessionmanager",
+ "subcategory_guids": [],
+ "tags": [
+ "RDP",
+ "TA0008"
+ ],
+ "title": "RDP Reconnect"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TaskScheduler/Operational"
+ ],
+ "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities\n",
+ "event_ids": [
+ "141"
+ ],
+ "id": "0c0e2be2-30d2-c713-0c9c-63cd9752a940",
+ "level": "high",
+ "service": "taskscheduler",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0040",
+ "T1489"
+ ],
+ "title": "Important Scheduled Task Deleted"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TaskScheduler/Operational"
+ ],
+ "description": "Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task",
+ "event_ids": [
+ "129"
+ ],
+ "id": "d5a3d13e-7db3-bcf5-824a-789488ab40fd",
+ "level": "medium",
+ "service": "taskscheduler",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0003",
+ "T1053.005",
+ "T1053"
+ ],
+ "title": "Scheduled Task Executed Uncommon LOLBIN"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TaskScheduler/Operational"
+ ],
+ "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task",
+ "event_ids": [
+ "129"
+ ],
+ "id": "c1fd9ca2-a3f8-1adc-0f1d-1d6099f5d827",
+ "level": "medium",
+ "service": "taskscheduler",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0003",
+ "T1053.005",
+ "T1053"
+ ],
+ "title": "Scheduled Task Executed From A Suspicious Location"
+ },
 {
 "category": "",
 "channel": [
@@ -43,28928 +2668,80 @@ { "category": "", "channel": [ - "Microsoft-Windows-CodeIntegrity/Operational" + "Application" ], - "description": "Detects the presence of a loaded unsigned kernel module on the system.", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", "event_ids": [ - "3001" + "1000" ], - "id": "23f17a2b-73ca-e465-e823-bb1d47543f6d", + "id": "24cdd840-5da1-6c12-5b58-4da49cc4b11a", "level": "high", - "service": "codeintegrity-operational", + "service": "application", "subcategory_guids": [], - "tags": [ - "TA0004" - ], - "title": "CodeIntegrity - Unsigned Kernel Module Loaded" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-CodeIntegrity/Operational" - ], - "description": "Detects image load events with revoked certificates by code integrity.", - "event_ids": [ - "3032", - "3035" - ], - "id": "4d4c3fb7-504c-7089-2bb3-26781191b7eb", - "level": "high", - "service": "codeintegrity-operational", - "subcategory_guids": [], - "tags": [ - "TA0004" - ], - "title": "CodeIntegrity - Revoked Image Loaded" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-CodeIntegrity/Operational" - ], - "description": "Detects block events for files that are disallowed by code integrity for protected processes", - "event_ids": [ - "3104" - ], - "id": "c2644e00-b2a8-1e98-7dfc-bbef3a929767", - "level": "high", - "service": "codeintegrity-operational", - "subcategory_guids": [], - "tags": [ - "TA0004" - ], - "title": "CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-CodeIntegrity/Operational" - ], - "description": "Detects blocked load attempts of revoked drivers", - "event_ids": [ - "3023" - ], - "id": "3838c754-9c4c-f500-6c7d-4c73b29717a9", - "level": "high", - "service": "codeintegrity-operational", - "subcategory_guids": [], - "tags": [ - "TA0004", - "T1543" - ], - "title": "CodeIntegrity - Blocked Driver Load With 
Revoked Certificate" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-CodeIntegrity/Operational" - ], - "description": "Detects the load of a revoked kernel driver", - "event_ids": [ - "3021", - "3022" - ], - "id": "4764bb53-3383-ae11-5351-b67f0001d2a5", - "level": "high", - "service": "codeintegrity-operational", - "subcategory_guids": [], - "tags": [ - "TA0004" - ], - "title": "CodeIntegrity - Revoked Kernel Driver Loaded" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-CodeIntegrity/Operational" - ], - "description": "Detects blocked image load events with revoked certificates by code integrity.", - "event_ids": [ - "3036" - ], - "id": "6f9f7b5c-f44b-fe0a-bcb2-ff4a09bd4ccf", - "level": "high", - "service": "codeintegrity-operational", - "subcategory_guids": [], - "tags": [ - "TA0004" - ], - "title": "CodeIntegrity - Blocked Image Load With Revoked Certificate" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-CodeIntegrity/Operational" - ], - "description": "Detects loaded unsigned image on the system", - "event_ids": [ - "3037" - ], - "id": "d6ea0e4a-9918-a082-1c5d-bd5d2a4f0b76", - "level": "high", - "service": "codeintegrity-operational", - "subcategory_guids": [], - "tags": [ - "TA0004" - ], - "title": "CodeIntegrity - Unsigned Image Loaded" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-CodeIntegrity/Operational" - ], - "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.", - "event_ids": [ - "3077" - ], - "id": "a4736e84-f507-2e6b-bc7a-573328447cbf", - "level": "high", - "service": "codeintegrity-operational", - "subcategory_guids": [], - "tags": [ - "TA0004", - "T1543" - ], - "title": "CodeIntegrity - Blocked Image/Driver Load For Policy Violation" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-CodeIntegrity/Operational" - ], - "description": "Detects loaded kernel modules that did not meet 
the WHQL signing requirements.", - "event_ids": [ - "3082", - "3083" - ], - "id": "b1f60092-6ced-8775-b5dd-ac15a042e292", - "level": "high", - "service": "codeintegrity-operational", - "subcategory_guids": [], - "tags": [ - "TA0004" - ], - "title": "CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-CodeIntegrity/Operational" - ], - "description": "Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.\nThis event is best correlated with EID 3089 to determine the error of the validation.\n", - "event_ids": [ - "3033", - "3034" - ], - "id": "f45ca591-7575-818e-9a07-7493461a33c3", - "level": "low", - "service": "codeintegrity-operational", - "subcategory_guids": [], - "tags": [ - "TA0002" - ], - "title": "CodeIntegrity - Unmet Signing Level Requirements By File Under Validation" - }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "Detects PowerShell called from an executable by the version mismatch method", - "event_ids": [ - "400" - ], - "id": "b8c409c0-bd7a-5c05-0bae-56f88fe7b78d", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "PowerShell Called from an Executable Version Mismatch" - }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "Detects a powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records.", - "event_ids": [ - "400" - ], - "id": "11151659-80c2-7657-d058-2a07c5662662", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Nslookup PowerShell Download Cradle" - }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.\n", - "event_ids": [ - "400" - ], - "id": "b1868902-0d34-3392-8d98-99c0919a01d4", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "TA0005", - "T1059.001", - "T1036.003", - "T1036", - "T1059" - ], - "title": "Renamed Powershell Under Powershell Channel" - }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "event_ids": [ - "400" - ], - "id": "19bee8fa-b4db-79ab-2c60-ea8ae4875dcc", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1049" - ], - "title": "Use Get-NetTCPConnection" - }, - { - "category": "", - "channel": [ - "pwsh" - ], - "description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". 
This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.", - "event_ids": [], - "id": "29a3935d-0428-4f39-d39e-ec43c598b272", - "level": "high", - "service": "powershell-classic", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Potential RemoteFXvGPUDisablement.EXE Abuse" - }, - { - "category": "", - "channel": [ - "pwsh" - ], - "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", - "event_ids": [], - "id": "aedc0f64-b9e7-36d1-fd92-838fdf33eac3", - "level": "medium", - "service": "powershell-classic", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "TA0008", - "T1021.003", - "T1059", - "T1021" - ], - "title": "Suspicious Non PowerShell WSMAN COM Provider" - }, - { - "category": "", - "channel": [ - "pwsh" - ], - "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n", - "event_ids": [], - "id": "ee9681d0-6ba5-5eaf-9c8b-fe39afe542b9", - "level": "medium", - "service": "powershell-classic", - "subcategory_guids": [], - "tags": [ - "TA0009", - "T1074.001", - "T1074" - ], - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell" - }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "Detects suspicious PowerShell download command", - "event_ids": [ - "400" - ], - "id": "d938bbb0-a745-c4fc-ce0d-eb5a006e6757", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Suspicious 
PowerShell Download" - }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "event_ids": [ - "400" - ], - "id": "cc575689-20fe-0dda-ed3b-93e52d0d8ef1", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0011", - "T1095" - ], - "title": "Netcat The Powershell Version" - }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "Detects remote PowerShell sessions", - "event_ids": [ - "400" - ], - "id": "d79eda57-503a-274d-fab8-0d26ff047015", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "TA0008", - "T1021.006", - "T1021", - "T1059" - ], - "title": "Remote PowerShell Session (PS Classic)" - }, - { - "category": "ps_classic_provider_start", - "channel": [ - "pwsh" - ], - "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", - "event_ids": [ - "600" - ], - "id": "3ec981cc-6521-d6a9-9630-d1df7d2090b9", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Tamper Windows Defender - PSClassic" - }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "event_ids": [ - "400" - ], - "id": "05ab81d4-8539-cffc-89f9-e470468bb28c", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "PowerShell Downgrade Attack - PowerShell" - }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "Shadow Copies deletion using operating systems utilities via PowerShell", - "event_ids": [ - "400" 
- ], - "id": "970cb6bc-a1b8-c7da-f658-ea96f2045162", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0040", - "T1490" - ], - "title": "Delete Volume Shadow Copies Via WMI With PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.", - "event_ids": [ - "4104" - ], - "id": "9a9b4924-bf93-774d-4bee-a2d13260663c", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detect use of X509Enrollment", - "event_ids": [ - "4104" - ], - "id": "8acde15f-c52f-455b-127c-8de1892767e5", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1553.004", - "T1553" - ], - "title": "Suspicious X509Enrollment - Ps Script" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detect adversaries enumerate sensitive files", - "event_ids": [ - "4104" - ], - "id": "246287be-b277-41bc-b620-83f82d6006d3", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1083" - ], - "title": "Powershell Sensitive File Discovery" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Set-Alias or New-Alias cmdlet usage. 
Which can be use as a mean to obfuscate PowerShell scripts", - "event_ids": [ - "4104" - ], - "id": "2b77aa85-451b-f506-eda5-71bef0c2bfa6", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0002", - "T1027", - "T1059.001", - "T1059" - ], - "title": "Potential PowerShell Obfuscation Using Alias Cmdlets" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", - "event_ids": [ - "4104" - ], - "id": "a86c5f75-859a-89ac-20a4-ad3be80336c9", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1033" - ], - "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", - "event_ids": [ - "4104" - ], - "id": "b38a93d1-2bd3-6583-6617-1f4bdccf8589", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.001", - "TA0002", - "T1562" - ], - "title": "AMSI Bypass Pattern Assembly GetType" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", - "event_ids": [ - "4104" - ], - "id": "6dcad107-58f0-d885-7198-fe78bda1ff4b", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0040", - "T1565" - ], - "title": "Powershell Add Name Resolution Policy Table Rule" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. 
Which is often used by attackers to perform AD enumeration.", - "event_ids": [ - "4104" - ], - "id": "80fe1b47-6d38-9fc5-9535-6afd04b55a15", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0043", - "TA0007", - "TA0040" - ], - "title": "Potential Active Directory Enumeration Using AD Module - PsScript" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "event_ids": [ - "4104" - ], - "id": "abc8469f-9601-7199-13b7-9620478f5335", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1518" - ], - "title": "Detected Windows Software Discovery - PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Enumerates Active Directory to determine computers that are joined to the domain", - "event_ids": [ - "4104" - ], - "id": "d72c1916-ab63-11e1-1916-5e8b3822f133", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1018" - ], - "title": "DirectorySearcher Powershell Exploitation" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", - "event_ids": [ - "4104" - ], - "id": "a47e2fc3-e3e3-9763-7cb2-d19df00ad719", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1553.005", - "T1553" - ], - "title": "Suspicious Mount-DiskImage" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", - "event_ids": [ - "4104" - ], 
- "id": "ebdae8b0-7b83-5602-356e-b214571cee19", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1070.003", - "T1070" - ], - "title": "Disable Powershell Command History" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects suspicious PowerShell invocation command parameters", - "event_ids": [ - "4104" - ], - "id": "308e8029-d702-799b-6aea-82f749348b24", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Suspicious PowerShell Invocations - Generic" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", - "event_ids": [ - "4104" - ], - "id": "f698fa3e-50d4-0a6b-4f65-9cc569e1a709", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Powershell XML Execute Command" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "event_ids": [ - "4104" - ], - "id": "247b332c-8cf3-11c1-bf63-2693c99a6082", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "TA0007", - "T1482", - "T1087", - "T1087.001", - "T1087.002", - "T1069.001", - "T1069.002", - "T1069", - "T1059.001", - "T1059" - ], - "title": "Malicious PowerShell Commandlets - ScriptBlock" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects the execution of an MSI file using PowerShell and the 
WMI Win32_Product class", - "event_ids": [ - "4104" - ], - "id": "a91de133-e7bc-3e22-d4ec-af1bfe620409", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1218.007", - "T1218" - ], - "title": "PowerShell WMI Win32_Product Install MSI" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", - "event_ids": [ - "4104" - ], - "id": "6535a2a7-e5ce-2a80-726d-8eb3b016084d", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0004", - "T1546.003", - "T1546" - ], - "title": "Powershell WMI Persistence" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", - "event_ids": [ - "4104" - ], - "id": "f5ce4704-7343-4e6a-f741-f53b6d412d1f", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0003", - "T1137.006", - "T1137" - ], - "title": "Code Executed Via Office Add-in XLL File" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", - "event_ids": [ - "4104" - ], - "id": "b5223513-5e9d-2c11-1cf7-d980bfed58f5", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0008", - "T1021.006", - "T1021" - ], - "title": "Enable Windows Remote Management" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. 
The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", - "event_ids": [ - "4104" - ], - "id": "777d9383-7a6f-f82a-d22e-2f05f433bc9b", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - "title": "PowerShell Write-EventLog Usage" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n", - "event_ids": [ - "4104" - ], - "id": "7778d03c-e7bd-53bb-1f84-6557e3ecf12d", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0009", - "T1074.001", - "T1074" - ], - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", - "event_ids": [ - "4104" - ], - "id": "0c3ed50a-e9ab-a1ab-192f-17494d3bcb53", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1555.003", - "T1555" - ], - "title": "Access to Browser Login Data" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell 
([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", - "event_ids": [ - "4104" - ], - "id": "57b18282-5df7-0636-ee86-75ccdbe55519", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.003", - "T1059" - ], - "title": "Powershell Execute Batch Script" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", - "event_ids": [ - "4104" - ], - "id": "4ee64eb7-79b5-d7d2-9ba7-89616409e7d0", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1620" - ], - "title": "Potential In-Memory Execution Using Reflection.Assembly" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory", - "event_ids": [ - "4104" - ], - "id": "80aaec39-a75b-8ad7-ac46-14fd5159f93f", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1069.002", - "T1069" - ], - "title": "Active Directory Group Enumeration With Get-AdGroup" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", - "event_ids": [ - "4104" - ], - "id": "77515874-226e-d597-815a-9962d2951358", - "level": "high", - "service": "", 
- "subcategory_guids": [], - "tags": [ - "TA0006", - "T1003.001", - "T1003" - ], - "title": "PowerShell Get-Process LSASS in ScriptBlock" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", - "event_ids": [ - "4104" - ], - "id": "f1205c3a-b112-f060-2b3e-b43fd3460482", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1070", - "T1562.006", - "car.2016-04-002", - "T1562" - ], - "title": "Disable of ETW Trace - Powershell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", - "event_ids": [ - "4104" - ], - "id": "649adb28-28ab-34b1-166d-cfffb0245bbd", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0003", - "TA0005" - ], - "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Base64 encoded Shellcode", - "event_ids": [ - "4104" - ], - "id": "7f3d30e6-1565-4e09-7b13-5d7c5b8b0947", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0004", - "T1055", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "PowerShell ShellCode" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects PowerShell scripts leveraging the \"Invoke-WebRequest\" cmdlet to send data via either \"PUT\" or \"POST\" method.", - "event_ids": [ - "4104" - ], - "id": "4dc42aa9-1963-4ee8-e6ed-021575365449", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0010", - "T1020" - ], - "title": "PowerShell Script With File Upload Capabilities" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": 
"Detects Silence EmpireDNSAgent as described in the Group-IP report", - "event_ids": [ - "4104" - ], - "id": "71d6a25b-6fe6-37e2-40bc-c4de171fbbc9", - "level": "critical", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "TA0011", - "T1071.004", - "T1572", - "TA0040", - "T1529", - "attack.g0091", - "attack.s0363", - "T1071", - "T1059" - ], - "title": "Silence.EDA Detection" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", - "event_ids": [ - "4104" - ], - "id": "30be45df-1ada-4075-3586-5a3d6eda8cd3", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", - "event_ids": [ - "4104" - ], - "id": "369a4eed-03b4-7aea-6309-c6d7173b0567", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1033" - ], - "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects potential exfiltration attempt via audio file using PowerShell", - "event_ids": [ - "4104" - ], - "id": "4956629d-759b-2297-1edf-5751449384cb", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0010" - ], - "title": "Potential Data Exfiltration Via Audio File" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation", - "event_ids": [ - 
"4104" - ], - "id": "5ab8284b-d017-c68c-31ff-6c9b51010284", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0002", - "T1027", - "T1059.001", - "T1059" - ], - "title": "Potential PowerShell Obfuscation Using Character Join" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "event_ids": [ - "4104" - ], - "id": "245734a0-22f3-d684-07a7-ed1cea011d8e", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1553.004", - "T1553" - ], - "title": "Root Certificate Installed - PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", - "event_ids": [ - "4104" - ], - "id": "297f849b-2dff-ce76-be52-6f50e2f5d205", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1202" - ], - "title": "Troubleshooting Pack Cmdlet Execution" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\n", - "event_ids": [ - "4104" - ], - "id": "a427508a-2c94-8fdb-863f-555304b70605", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0040", - "T1491.001", - "T1491" - ], - "title": "Replace Desktop Wallpaper by Powershell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "event_ids": [ - "4104" - ], - "id": 
"e355cee1-576c-66ad-ccaf-3f4dfa5b541e", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Via Stdin - Powershell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "event_ids": [ - "4104" - ], - "id": "70b65468-d1e8-0a6b-78c3-a458a95e477b", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", - "event_ids": [ - "4104" - ], - "id": "a547df68-c62d-4415-9a62-cbe68f006b9e", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1564.004", - "T1564" - ], - "title": "Powershell Store File In Alternate Data Stream" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects the use of PowerShell to identify the current logged user.", - "event_ids": [ - "4104" - ], - "id": "43541d1d-9cb1-a49f-2fb9-4121c1302705", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1033" - ], - "title": "Suspicious PowerShell Get Current User" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers or properties within Active Directory.", - "event_ids": [ - "4104" - ], - "id": "00f90856-99dc-9ecd-31ca-0d93b7577bac", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1018", - "T1087.002", - "T1087" - ], - "title": "Active Directory Computers Enumeration With Get-AdComputer" - }, - { - "category": 
"ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\nThe DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", - "event_ids": [ - "4104" - ], - "id": "55d8816f-49cc-7135-b3b1-63d41ce23a01", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "DSInternals Suspicious PowerShell Cmdlets - ScriptBlock" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", - "event_ids": [ - "4104" - ], - "id": "13a97026-d21c-5c67-761d-537efe8f3fe7", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1083" - ], - "title": "Powershell Directory Enumeration" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. 
A tool for Windows and Active Directory reconnaissance and exploitation.\n", - "event_ids": [ - "4104" - ], - "id": "40e38653-158e-78ce-f816-60a159924dc9", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "TA0005", - "TA0007", - "TA0002", - "TA0004", - "T1046", - "T1082", - "T1106", - "T1518", - "T1548.002", - "T1552.001", - "T1555", - "T1555.003", - "T1552", - "T1548" - ], - "title": "HackTool - WinPwn Execution - ScriptBlock" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", - "event_ids": [ - "4104" - ], - "id": "654b7573-5b04-0352-d832-f32c333f4a56", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1497.001", - "T1497" - ], - "title": "Powershell Detect Virtualization Environment" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", - "event_ids": [ - "4104" - ], - "id": "977cdcc1-6d3a-a221-a03f-d794230e01ae", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0003", - "T1053.005", - "T1053" - ], - "title": "Powershell Create Scheduled Task" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", - "event_ids": [ - "4104" - ], - "id": "6454f2bf-2962-a90a-eec3-6c7bef6be08e", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1070.003", - "T1070" - ], - 
"title": "Suspicious IO.FileStream" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects PowerShell scripts set ACL to of a file or a folder", - "event_ids": [ - "4104" - ], - "id": "3586407d-f3a3-bb2d-8467-0956e15af381", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1222" - ], - "title": "PowerShell Script Change Permission Via Set-Acl - PsScript" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "event_ids": [ - "4104" - ], - "id": "527063ac-15f7-52e7-7ced-4348087aaec7", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", - "event_ids": [ - "4104" - ], - "id": "6154995f-9153-aaa3-dc51-d3062506c78a", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0009", - "TA0006", - "T1056.001", - "T1056" - ], - "title": "Potential Keylogger Activity" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", - "event_ids": [ - "4104" - ], - "id": "3bef19ed-f703-65eb-ab07-eebb20abdd4e", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007" - ], - "title": "PowerShell Hotfix Enumeration" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", - "event_ids": [ - "4104" - ], - "id": 
"b56d246e-e1d8-6f33-6e90-65864d130915", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1553.005", - "T1553" - ], - "title": "Suspicious Unblock-File" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", - "event_ids": [ - "4104" - ], - "id": "a4fa5d2e-a803-b311-5ff7-669ada2d36eb", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1553.005", - "T1553" - ], - "title": "Suspicious Invoke-Item From Mount-DiskImage" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", - "event_ids": [ - "4104" - ], - "id": "437d2bdc-4ee9-913b-42df-e947c8193f88", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1555" - ], - "title": "Dump Credentials from Windows Credential Manager With PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", - "event_ids": [ - "4104" - ], - "id": "79769f3b-efb3-9463-e114-7446d4361146", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Malicious Nishang PowerShell Commandlets" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. 
This technique is often used as a method to load malicious content into memory afterward.", - "event_ids": [ - "4104" - ], - "id": "0f434135-833f-9c32-7048-ab3c6264d3d2", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0011", - "T1132.001", - "T1132" - ], - "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", - "event_ids": [ - "4104" - ], - "id": "647d9a85-b4af-a355-a79e-5ad4afa553bd", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0010", - "T1048.003", - "T1048" - ], - "title": "PowerShell ICMP Exfiltration" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", - "event_ids": [ - "4104" - ], - "id": "f0174af7-3de1-3209-5f81-f96ff9d1f5c6", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0011", - "T1090" - ], - "title": "Suspicious TCP Tunnel Via PowerShell Script" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", - "event_ids": [ - "4104" - ], - "id": "389e5737-c793-4d03-4191-fe78d2cc1dcb", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1217" - ], - "title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", - "event_ids": [ - "4104" - ], - "id": "f279fcb8-4560-0d0c-3bee-043b32f9b3fb", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1003" - ], - "title": "Live Memory Dump Using Powershell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", - "event_ids": [ - "4104" - ], - "id": "61d6fe12-d403-c9b3-bc3f-fb10de58a4c3", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "TA0043", - "TA0007", - "TA0006", - "TA0040" - ], - "title": "AADInternals PowerShell Cmdlets Execution - PsScript" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "event_ids": [ - "4104" - ], - "id": "d7f88495-fd82-8062-2c13-6036a8358e39", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0009", - "T1119" - ], - "title": "Automated Collection Command PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework", - "event_ids": [ - 
"4104" - ], - "id": "12b5b805-7b4b-d153-35e2-2230d216346c", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Potential Suspicious PowerShell Keywords" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects creation of a local user via PowerShell", - "event_ids": [ - "4104" - ], - "id": "b49ece4c-cd58-540c-62a8-d4189dc45f3e", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "TA0003", - "T1136.001", - "T1136", - "T1059" - ], - "title": "PowerShell Create Local User" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", - "event_ids": [ - "4104" - ], - "id": "00ba998e-b435-22a6-2dbf-e85e1918b8a7", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0009", - "T1114.001", - "T1114" - ], - "title": "Powershell Local Email Collection" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", - "event_ids": [ - "4104" - ], - "id": "714c75ab-6bed-7c9d-462b-f7f9252e47e5", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "PSAsyncShell - Asynchronous TCP Reverse Shell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "event_ids": [ - "4104" - ], - "id": "329df23d-a366-2e13-47f7-3c67cfb56f75", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0040", - "T1490" - ], - "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects PowerShell scripts to set the ACL to a file in the Windows folder", - "event_ids": [ - "4104" - ], - "id": "82a11bd6-070f-3229-f413-73fe2ddd7018", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1222" - ], - "title": "PowerShell Set-Acl On Windows Folder - PsScript" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", - "event_ids": [ - "4104" - ], - "id": "b32352bf-5bcb-d3c9-a9eb-4bbf8ed85654", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1070.006", - "T1070" - ], - "title": "Powershell Timestomp" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of the WMI class \"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) 
from a PowerShell script", - "event_ids": [ - "4104" - ], - "id": "72ba1398-c3d6-c1a6-9133-bc72ccaca90d", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects keywords that could indicate clearing PowerShell history", - "event_ids": [ - "4104" - ], - "id": "36e3fc18-c21d-b046-86b0-9f14ccbb975e", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1070.003", - "T1070" - ], - "title": "Clear PowerShell History - PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", - "event_ids": [ - "4104" - ], - "id": "6074ad34-a80f-fdd9-5c49-e1a2fc4572c4", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Tamper Windows Defender - ScriptBlockLogging" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.", - "event_ids": [ - "4104" - ], - "id": "53f26dda-d088-32eb-a704-03c3b6986b49", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0010", - "T1020" - ], - "title": "PowerShell Script With File Hostname Resolving Capabilities" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Get the processes that are running on the local computer.", - "event_ids": [ - "4104" - ], - "id": "0e7ff574-cd58-3250-821d-47fedcc03db6", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1057" - ], - "title": "Suspicious 
Process Discovery With Get-Process" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", - "event_ids": [ - "4104" - ], - "id": "33f62d96-55cf-87d2-e9f0-0a5fff75a278", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1003.003", - "attack.ds0005", - "T1003" - ], - "title": "Create Volume Shadow Copy with Powershell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects execution of a PowerShell script that contains calls to the \"Veeam.Backup\" class, in order to dump stored credentials.", - "event_ids": [ - "4104" - ], - "id": "5ac6d31e-76f4-b5ee-831e-7d076ff2dca6", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006" - ], - "title": "Veeam Backup Servers Credential Dumping Script Execution" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. 
Threat actors were seen abusing this to steal private keys from compromised machines.", - "event_ids": [ - "4104" - ], - "id": "58f5980d-d851-77b4-2f1f-945eb2d3e430", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1552.004", - "T1552" - ], - "title": "Certificate Exported Via PowerShell - ScriptBlock" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects the execution of the hacktool Rubeus using specific command line flags", - "event_ids": [ - "4104" - ], - "id": "1296d31f-9f66-0be1-424b-a641f15c4475", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1003", - "T1558.003", - "TA0008", - "T1550.003", - "T1558", - "T1550" - ], - "title": "HackTool - Rubeus Execution - ScriptBlock" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts", - "event_ids": [ - "4104" - ], - "id": "437f4723-94d2-dfdf-cd3b-9cf2e0af0fba", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1047" - ], - "title": "WMIC Unquoted Services Path Lookup - PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "event_ids": [ - "4104" - ], - "id": "1bc61c35-56bd-6b9c-12fc-5513d8aa80d2", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detect use of Get-GPO to get one GPO or all the GPOs in a domain.", - "event_ids": [ - "4104" - ], - "id": "43254631-95ca-6c3c-11bc-16c19f09e819", - "level": 
"low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1615" - ], - "title": "Suspicious GPO Discovery With Get-GPO" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", - "event_ids": [ - "4104" - ], - "id": "94272bf4-116b-5204-4be6-69b2d5648fa4", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1564.006", - "T1564" - ], - "title": "Suspicious Hyper-V Cmdlets" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", - "event_ids": [ - "4104" - ], - "id": "f9889db2-6490-a082-33a3-1b46dff5e2f1", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1552.001", - "T1552" - ], - "title": "Extracting Information with PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "event_ids": [ - "4104" - ], - "id": "cb989f20-ebb9-8b1b-a5d6-f98b3929346c", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Disable-WindowsOptionalFeature Command PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may 
manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", - "event_ids": [ - "4104" - ], - "id": "ec4cdf41-f053-d3af-6a68-973d32bacdff", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0003", - "T1098" - ], - "title": "Powershell LocalAccount Manipulation" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", - "event_ids": [ - "4104" - ], - "id": "8c8871af-c2f2-4671-9f1d-d6c3e90b7c42", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Potential COM Objects Download Cradles Usage - PS Script" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.", - "event_ids": [ - "4104" - ], - "id": "57e275e0-10cf-be8d-39b2-027fbfeb2913", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0011", - "T1573" - ], - "title": "Suspicious SSL Connection" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects use of WinAPI functions in PowerShell scripts", - "event_ids": [ - "4104" - ], - "id": "edeeb148-ce01-b5b8-a531-3b364b7fd191", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1106", - "T1059" - ], - "title": "Potential WinAPI Calls Via PowerShell Scripts" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell 
execution restrictions.", - "event_ids": [ - "4104" - ], - "id": "6ab29276-37b6-8501-afb8-33126a6a9918", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1218" - ], - "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", - "event_ids": [ - "4104" - ], - "id": "efbceae5-07cf-4b09-fc03-df062b971e10", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0011", - "T1071.001", - "T1071" - ], - "title": "Change User Agents with WebRequest" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", - "event_ids": [ - "4104" - ], - "id": "516b2199-36c5-1a0d-13f4-87bcb22bc2bf", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0010" - ], - "title": "Suspicious PowerShell Mailbox SMTP Forward Rule" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Commandlet names from ShellIntel exploitation scripts.", - "event_ids": [ - "4104" - ], - "id": "e84977df-6377-368d-ed22-e05ee31e9947", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Malicious ShellIntel PowerShell Commandlets" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis 
behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", - "event_ids": [ - "4104" - ], - "id": "088701bf-4758-9a2a-76c0-2e148a7e122c", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1558.003", - "T1558" - ], - "title": "Request A Single Ticket via PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", - "event_ids": [ - "4104" - ], - "id": "b0c6066e-a243-d2f6-c744-990ed060759c", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1003" - ], - "title": "Potential Invoke-Mimikatz PowerShell Script" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", - "event_ids": [ - "4104" - ], - "id": "aa7ecfb4-5a28-3a35-0b06-35cdfed46928", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0009", - "T1119" - ], - "title": "Recon Information for Export with PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects suspicious Powershell code that execute COM Objects", - "event_ids": [ - "4104" - ], - "id": "9134b08c-39fa-8211-b3f5-5bd1839b9540", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0004", - "TA0003", - "T1546.015", - "T1546" - ], - "title": "Suspicious GetTypeFromCLSID ShellExecute" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects parameters used by WMImplant", - "event_ids": [ - "4104" - ], - "id": "a91bd8f4-12c9-8c19-370c-2ddece54fd99", - "level": "high", - "service": 
"", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1047", - "T1059.001", - "T1059" - ], - "title": "WMImplant Hack Tool" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", - "event_ids": [ - "4104" - ], - "id": "ce3cad3a-afec-9acc-c763-9b4cb0fd5ece", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0003", - "T1574.011", - "stp.2a", - "T1574" - ], - "title": "Service Registry Permissions Weakness Check" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects writing data into NTFS alternate data streams from powershell. 
Needs Script Block Logging.", - "event_ids": [ - "4104" - ], - "id": "e701b235-4663-b82b-8611-b51a0706589b", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1564.004", - "TA0002", - "T1059.001", - "T1564", - "T1059" - ], - "title": "NTFS Alternate Data Stream" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", - "event_ids": [ - "4104" - ], - "id": "e59d0c87-f426-154d-9744-50e5cb987c9f", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1003.006", - "T1003" - ], - "title": "Suspicious Get-ADReplAccount" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", - "event_ids": [ - "4104" - ], - "id": "129010c2-32d8-8ae8-d3a5-cdd24744231e", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1555" - ], - "title": "Enumerate Credentials from Windows Credential Manager With PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", - "event_ids": [ - "4104" - ], - "id": "12bd77fd-a44d-6373-2156-4c29b22d9c85", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1120" - ], - "title": "Powershell Suspicious Win32_PnPEntity" - }, - { - "category": "ps_script", - "channel": [ - 
"pwsh", - "pwsh" - ], - "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", - "event_ids": [ - "4104" - ], - "id": "0fb43313-1253-f71b-1a13-e10e073c1627", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1033" - ], - "title": "Get-ADUser Enumeration Using UserAccountControl Flags" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects keywords from well-known PowerShell exploitation frameworks", - "event_ids": [ - "4104" - ], - "id": "4397a007-0c10-834b-0796-7b4b1b931b03", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Malicious PowerShell Keywords" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", - "event_ids": [ - "4104" - ], - "id": "1a8e1936-4b07-2bb2-ef3a-2cdf7d294a56", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1070", - "T1070.003" - ], - "title": "Clearing Windows Console History" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", - "event_ids": [ - "4104" - ], - "id": "bf9ed747-37f2-803e-2a51-91d56622d6ba", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0009", - "T1113" - ], - "title": "Windows Screen Capture with CopyFromScreen" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "event_ids": [ - "4104" - ], - "id": "d7307e8a-60da-106b-aeb8-c4ebd5c1fb6d", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects suspicious PowerShell invocation command parameters", - "event_ids": [ - "4104" - ], - "id": "8655ba53-c937-dbcf-91c5-3125219b9497", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Suspicious PowerShell Invocations - Specific" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", - "event_ids": [ - "4104" - ], - "id": 
"c9aa7755-6950-a83c-72f5-53d0eab019eb",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0009",
- "T1056.001",
- "T1056"
- ],
- "title": "Powershell Keylogging"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse",
- "event_ids": [
- "4104"
- ],
- "id": "802477a9-01ea-d5f8-2ff9-44285787d0f7",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "PowerShell Web Access Installation - PsScript"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts",
- "event_ids": [
- "4104"
- ],
- "id": "00b36dc9-4f98-0596-4487-6aabd187344b",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects the use of PowerShell modules and cmdlets to gather local group information.\nAdversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.\n",
- "event_ids": [
- "4104"
- ],
- "id": "231be74a-ed58-7e55-d906-23131f589913",
- "level": "low",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0007",
- "T1069.001",
- "T1069"
- ],
- "title": "Suspicious Get Local Groups Information - PowerShell"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions",
- "event_ids": [
- "4104"
- ],
- "id": 
"addd9852-1b8e-322b-77eb-4a749ba8dca6",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1562",
- "TA0002",
- "T1059"
- ],
- "title": "Windows Defender Exclusions Added - PowerShell"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the Windows event logs",
- "event_ids": [
- "4104"
- ],
- "id": "a8e07a3d-571c-0d25-729b-fa16be9ea6c5",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1070.001",
- "T1070"
- ],
- "title": "Suspicious Eventlog Clear"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation",
- "event_ids": [
- "4104"
- ],
- "id": "2182e106-ae16-770c-3022-a67abacb10d0",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1070.005",
- "T1070"
- ],
- "title": "PowerShell Deleted Mounted Share"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects PowerShell calling a credential prompt",
- "event_ids": [
- "4104"
- ],
- "id": "77e99ce3-b834-1c0d-0fe8-ffd39f1bc29f",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0006",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "PowerShell Credential Prompt"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects Obfuscated use of stdin to execute PowerShell",
- "event_ids": [
- "4104"
- ],
- "id": "a4545017-4d6d-c3bd-7fec-62214f01e6b2",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell"
- },
- {
- 
"category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel",
- "event_ids": [
- "4104"
- ],
- "id": "1dc5f777-bb62-c024-3838-e53492b5e574",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0010",
- "T1048"
- ],
- "title": "Powershell DNSExfiltration"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n",
- "event_ids": [
- "4104"
- ],
- "id": "98d89b85-61ea-f78b-d1fa-cd52182b6b28",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "T1574.012",
- "T1574"
- ],
- "title": "Registry-Free Process Scope COR_PROFILER"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects suspicious PowerShell download command",
- "event_ids": [
- "4104"
- ],
- "id": "e3888b82-f1d3-14e8-54e5-16b522dfd8a9",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Suspicious PowerShell Download - Powershell Script"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Uses PowerShell to install/copy a file into a system directory such as \"System32\" or \"SysWOW64\"",
- "event_ids": [
- "4104"
- ],
- "id": "b16a0b26-d586-4ff7-f200-20927037e55f",
- "level": "high",
- "service": "",
- 
"subcategory_guids": [],
- "tags": [
- "TA0006",
- "T1556.002",
- "T1556"
- ],
- "title": "Powershell Install a DLL in System Directory"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n",
- "event_ids": [
- "4104"
- ],
- "id": "f9203bdd-ca24-aced-1e79-b9cfd7936099",
- "level": "low",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0006",
- "T1110.001",
- "T1110"
- ],
- "title": "Suspicious Connection to Remote Account"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n",
- "event_ids": [
- "4104"
- ],
- "id": "f1a1daa1-2c4e-6354-e062-1f80427eafc3",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "PowerShell Remote Session Creation"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities",
- "event_ids": [
- "4104"
- ],
- "id": "4502b93e-2c0d-56b8-7ce1-35523e4fb0ba",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Potential AMSI Bypass Script Using NULL Bits"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects the execution of powershell scripts with calls to the \"Start-NetEventSession\" cmdlet. 
Which allows an attacker to start event and packet capture for a network event session.\nAdversaries may attempt to capture network to gather information over the course of an operation.\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.\n",
- "event_ids": [
- "4104"
- ],
- "id": "0357e3d7-f8fe-0601-0902-364f4cdbed81",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0006",
- "TA0007",
- "T1040"
- ],
- "title": "Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.",
- "event_ids": [
- "4104"
- ],
- "id": "0b0963db-269b-9351-ab12-4aa9d1f8a105",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "TA0004",
- "T1484.001",
- "T1484"
- ],
- "title": "Modify Group Policy Settings - ScriptBlockLogging"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n",
- "event_ids": [
- "4104"
- ],
- "id": "629a73b6-b63c-b6d1-5e2c-5d7ee3042f44",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0011",
- "T1571"
- ],
- "title": "Testing Usage of Uncommonly Used Port"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)",
- "event_ids": [
- "4104"
- ],
- "id": "737309de-cb25-6cd6-de11-74ac6a587299",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "TA0005",
- "TA0004",
- "T1574.011",
- "T1574"
- ],
- "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet",
- "event_ids": [
- "4104"
- ],
- "id": "97e928f0-6985-66cd-fd2d-3783904a3c7c",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations",
- "event_ids": [
- "4104"
- ],
- "id": "53ba1f6b-70f2-242f-1377-8dc22d806e78",
- "level": "critical",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0010"
- ],
- "title": "Suspicious PowerShell Mailbox Export to Share - PS"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts",
- "event_ids": [
- "4104"
- ],
- "id": "33811b3f-3506-6bff-bb4a-4250e7714358",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation Via Use Clip - Powershell"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Powershell use PassThru option to start in background",
- "event_ids": [
- "4104"
- ],
- "id": "c6dce605-3bb0-c881-1c5c-f3e4e9d62577",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- 
"tags": [
- "TA0005",
- "T1036.003",
- "T1036"
- ],
- "title": "Suspicious Start-Process PassThru"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.",
- "event_ids": [
- "4104"
- ],
- "id": "9d0ff6ee-9967-a757-d8dc-cf3f3b3546b1",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0008",
- "T1021.002",
- "T1021"
- ],
- "title": "Suspicious New-PSDrive to Admin Share"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n",
- "event_ids": [
- "4104"
- ],
- "id": "2843f0fc-1a75-2140-6c4c-f5c296073941",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "T1136.002",
- "T1136"
- ],
- "title": "Manipulation of User Computer or Group Security Principals Across AD"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add Windows capabilities. 
Notable capabilities could be \"OpenSSH\" and others.",
- "event_ids": [
- "4104"
- ],
- "id": "8094e74c-0e24-f840-50c3-bfcdc98cd6a9",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002"
- ],
- "title": "Add Windows Capability Via PowerShell Script"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects the use of PSAttack PowerShell hack tool",
- "event_ids": [
- "4104"
- ],
- "id": "8dd08d08-a638-c74c-8e7a-07d55d3b3318",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "PowerShell PSAttack"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects calls to \"Add-Content\" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence",
- "event_ids": [
- "4104"
- ],
- "id": "aa566d46-235a-b467-88ed-434788883da2",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "TA0004",
- "T1546.013",
- "T1546"
- ],
- "title": "Potential Persistence Via PowerShell User Profile Using Add-Content"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n",
- "event_ids": [
- "4104"
- ],
- "id": "c9326131-769a-8ba4-03f2-7d17f9847a50",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005"
- ],
- "title": "Potential Suspicious Windows Feature Enabled"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.",
- "event_ids": [ 
- "4104"
- ],
- "id": "b935d5dd-d5e5-51df-9c4f-dc30aec0a6e6",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1562.004",
- "T1562"
- ],
- "title": "Windows Firewall Profile Disabled"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n",
- "event_ids": [
- "4104"
- ],
- "id": "956b0dfd-4aba-c0c7-7608-c7889eea8a67",
- "level": "low",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0007",
- "T1069.001",
- "T1069"
- ],
- "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. 
As seen used in the DAMP project.",
- "event_ids": [
- "4104"
- ],
- "id": "b46c37cc-554c-aab3-0744-26f3a5ace219",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "TA0005",
- "TA0004"
- ],
- "title": "Potential Persistence Via Security Descriptors - ScriptBlock"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER",
- "event_ids": [
- "4104"
- ],
- "id": "c4a3b240-b0c5-3eed-9e95-d3db01157764",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)",
- "event_ids": [
- "4104"
- ],
- "id": "43de23b6-5e9c-142a-9e42-64992bede784",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "TA0005",
- "TA0004",
- "T1574.011",
- "T1574"
- ],
- "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n",
- "event_ids": [
- "4104"
- ],
- "id": "33a52335-678e-da31-eb46-d7cfc302cb3e",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0040",
- "T1531"
- ],
- "title": "Remove Account From Domain Admin Group"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation",
- "event_ids": [
- "4104"
- ],
- "id": "77af6d22-9887-7943-53f1-6a849e2e892d",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027.009",
- "T1027"
- ],
- "title": "Powershell Token Obfuscation - Powershell"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n",
- "event_ids": [
- "4104"
- ],
- "id": "a57f49ff-b916-4527-881f-bef76dc42248",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Powershell MsXml COM Object"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n",
- "event_ids": [
- "4104"
- ],
- "id": "b3cb91b9-f3a8-1486-c398-1ea1e5183b3c",
- "level": "low",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0007",
- "T1069.001",
- "T1069"
- ],
- "title": "Suspicious Get Information for SMB Share"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs",
- "event_ids": [
- "4104"
- ],
- "id": "eddbf1d6-60c9-96f5-4cdf-f0947b3aad8f",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"Set-ExecutionPolicy\" cmdlet.",
- "event_ids": [
- "4104"
- ],
- "id": "e5a59479-4ded-f6c3-ab4d-8d464128fbb2",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- 
"tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Change PowerShell Policies to an Insecure Level - PowerShell"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects the use of the \"Get-ADComputer\" cmdlet in order to identify systems which are configured for unconstrained delegation.",
- "event_ids": [
- "4104"
- ],
- "id": "c0fcc261-538c-247d-21ff-05b6d2cbdf07",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0043",
- "TA0007",
- "TA0006",
- "T1018",
- "T1558",
- "T1589.002",
- "T1589"
- ],
- "title": "Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.",
- "event_ids": [
- "4104"
- ],
- "id": "a4603d3c-bb7c-8db0-3d8a-23f265190006",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0008",
- "T1021.006",
- "T1021"
- ],
- "title": "Execute Invoke-command on Remote Host"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7",
- "event_ids": [
- "4104"
- ],
- "id": "cde108d4-944b-2594-02b8-61f2852260a1",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0007",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "PowerShell ADRecon Execution"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.",
- "event_ids": [
- "4104"
- ],
- "id": "cc813de1-cf1f-dd91-bcfb-3821610d9dfc",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- 
"T1059.001",
- "T1059"
- ],
- "title": "PowerView PowerShell Cmdlets - ScriptBlock"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n",
- "event_ids": [
- "4104"
- ],
- "id": "de547eac-5fa2-bf69-1a62-760251de3870",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "T1547.004",
- "T1547"
- ],
- "title": "Winlogon Helper DLL"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects Obfuscated use of Clip.exe to execute PowerShell",
- "event_ids": [
- "4104"
- ],
- "id": "fd4e11cc-a1e1-264d-4545-f06b97371ed2",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n",
- "event_ids": [
- "4104"
- ],
- "id": "d2c72fb1-8ebf-d5d3-1e88-80f15ba1079a",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1564.003",
- "T1564"
- ],
- "title": "Suspicious PowerShell WindowStyle Option"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh", 
- "pwsh"
- ],
- "description": "Detects powershell scripts that import modules from suspicious directories",
- "event_ids": [
- "4104"
- ],
- "id": "0a3956ee-9813-55f3-ca74-4d00e9df5262",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Import PowerShell Modules From Suspicious Directories"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.",
- "event_ids": [
- "4104"
- ],
- "id": "3c8ea56a-ad16-8598-c24e-3fdd6b345dda",
- "level": "low",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0007",
- "T1201"
- ],
- "title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects calls to \"get-process\" where the output is piped to a \"where-object\" filter to search for security solution processes.\nAdversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. 
This may include things such as firewall rules and anti-virus\n",
- "event_ids": [
- "4104"
- ],
- "id": "2e7d9c7a-fab3-d015-8552-39acf165059c",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0007",
- "T1518.001",
- "T1518"
- ],
- "title": "Security Software Discovery Via Powershell Script"
- },
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects Obfuscated Powershell via Stdin in Scripts",
- "event_ids": [
- "4103"
- ],
- "id": "58925ff0-2936-8ebd-4c28-8fdbb8ac19a8",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation Via Stdin - PowerShell Module"
- },
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.",
- "event_ids": [
- "4103"
- ],
- "id": "8ed7f4b3-91aa-4c85-95e8-a361f9004b2e",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0009",
- "T1115"
- ],
- "title": "PowerShell Get Clipboard"
- },
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects Obfuscated use of stdin to execute PowerShell",
- "event_ids": [
- "4103"
- ],
- "id": "c539a450-9d59-8ac3-1709-f3b5f2e5a989",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module"
- },
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects suspicious PowerShell invocation command parameters",
- "event_ids": [
- "4103"
- ],
- "id": "da4a803e-e609-d187-675c-d7e7f0083763",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": 
"Suspicious PowerShell Invocations - Specific - PowerShell Module"
- },
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION",
- "event_ids": [
- "4103"
- ],
- "id": "93fea8ea-89ab-d08a-3904-a6949999010c",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module"
- },
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.",
- "event_ids": [
- "4103"
- ],
- "id": "043fe2ff-2844-9176-3d40-aa3bf3e794a6",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0043",
- "TA0007",
- "TA0040"
- ],
- "title": "Potential Active Directory Enumeration Using AD Module - PsModule"
- },
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts",
- "event_ids": [
- "4103"
- ],
- "id": "d1ec8808-93c9-9dcb-b4b8-b20791287ee2",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module"
- },
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers",
- "event_ids": [
- "4103"
- ],
- "id": "85b06a92-2ad6-ef34-57c3-fac694f74095",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0006",
- "T1003.003",
- "T1003"
- ],
- "title": "Suspicious Get-ADDBAccount Usage"
- 
},
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe",
- "event_ids": [
- "4103"
- ],
- "id": "b7826f95-a54d-d6e4-d4e0-38998c4eb8d7",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Alternate PowerShell Hosts - PowerShell Module"
- },
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects suspicious PowerShell invocation command parameters",
- "event_ids": [
- "4103"
- ],
- "id": "e27c3517-69ca-c8c3-fc57-c4baba10867f",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module"
- },
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects the use of PowerShell modules and cmdlets to gather local group information.\nAdversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.\n",
- "event_ids": [
- "4103"
- ],
- "id": "300dbe85-b7a0-be0b-aa57-321c1ee97848",
- "level": "low",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0007",
- "T1069.001",
- "T1069"
- ],
- "title": "Suspicious Get Local Groups Information"
- },
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n",
- "event_ids": [
- "4103"
- ],
- "id": "31981511-e5c7-fa6d-65dd-422e26ba8f0d",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0001",
- "T1078"
- ],
- "title": "Suspicious 
Computer Machine Password by PowerShell" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "event_ids": [ - "4103" - ], - "id": "9863342f-1e0e-72c5-8faa-674337cd6d2b", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1218" - ], - "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "event_ids": [ - "4103" - ], - "id": "b2064db0-e465-72c2-edcc-57cfd9676207", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "event_ids": [ - "4103" - ], - "id": "8485a923-ab47-503c-8823-f930f71f83a1", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1049" - ], - "title": "Use Get-NetTCPConnection - PowerShell Module" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "event_ids": [ - "4103" - ], - "id": "61ec8448-ba5d-0b4f-8089-eb047d43a2ec", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" - }, - { - "category": "ps_module", - 
"channel": [ - "pwsh", - "pwsh" - ], - "description": "A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.", - "event_ids": [ - "4103" - ], - "id": "e4ba78e1-d659-9152-8504-cae6d6c7372e", - "level": "informational", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1140" - ], - "title": "PowerShell Decompress Commands" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", - "event_ids": [ - "4103" - ], - "id": "f3c1031c-796c-6c50-7af9-c490e09550f6", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1069.001", - "T1069" - ], - "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", - "event_ids": [ - "4103" - ], - "id": "a26b0227-f81e-097b-19ba-ffbb04417ccc", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Malicious PowerShell Scripts - PoshModule" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "event_ids": [ - "4103" - ], - "id": "567da8d6-9387-9852-16ed-a336bfaad91e", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell 
Module" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects remote PowerShell sessions", - "event_ids": [ - "4103" - ], - "id": "d8bf9898-a71e-347a-25d6-1fde2e2925e6", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "TA0008", - "T1021.006", - "T1059", - "T1021" - ], - "title": "Remote PowerShell Session (PS Module)" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "event_ids": [ - "4103" - ], - "id": "acb9f9fe-df3e-be2a-239f-51b194099630", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "event_ids": [ - "4103" - ], - "id": "6ead282b-ed6b-7f68-1ed2-b8f5fb092b4e", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects suspicious PowerShell download command", - "event_ids": [ - "4103" - ], - "id": "3a7c8368-70ba-0539-d7a9-662a59306969", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Suspicious PowerShell Download - PoshModule" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "event_ids": [ - "4103" - ], - "id": "36554b35-d185-3e51-6b7f-9b61726b8d3a", - "level": "high", - "service": "", - 
"subcategory_guids": [], - "tags": [ - "TA0002", - "TA0007", - "T1482", - "T1087", - "T1087.001", - "T1087.002", - "T1069.001", - "T1069.002", - "T1069", - "T1059.001", - "T1059" - ], - "title": "Malicious PowerShell Commandlets - PoshModule" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", - "event_ids": [ - "4103" - ], - "id": "b21405ff-2071-082b-067f-fa116d28a858", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects keywords that could indicate clearing PowerShell history", - "event_ids": [ - "4103" - ], - "id": "5dea4020-38c8-b6d5-ebdb-2a7cfa20044e", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1070.003", - "T1070" - ], - "title": "Clear PowerShell History - PowerShell Module" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", - "event_ids": [ - "4103" - ], - "id": "a1d89efd-6d69-416b-3004-ec9c460a863d", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1069.001", - "T1069" - ], - "title": "Suspicious Get Information for SMB Share - PowerShell Module" - }, - { - "category": "ps_module", - "channel": 
[ - "pwsh", - "pwsh" - ], - "description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.", - "event_ids": [ - "4103" - ], - "id": "c2325f35-edc7-9b45-d0bc-548ab4074e0a", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n", - "event_ids": [ - "4103" - ], - "id": "a707acca-c4f5-6929-a1fc-0908ab087be0", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0009", - "T1074.001", - "T1074" - ], - "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "event_ids": [ - "4103" - ], - "id": "7a595cb6-87c9-7d42-5bf9-f404e939d500", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings 
inside the utility.\n", - "event_ids": [ - "4103" - ], - "id": "a0ecd6f3-309d-3ad0-2231-421f98a89f32", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0008" - ], - "title": "HackTool - Evil-WinRm Execution - PowerShell Module" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads\nthat often undergo minimal changes by attackers due to bad opsec.\n", - "event_ids": [ - "4103" - ], - "id": "118c017d-54bd-d0a7-e24e-74482fd67b54", - "level": "critical", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Bad Opsec Powershell Code Artifacts" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious enumeration of the domain the user is associated with.", - "event_ids": [ - "4688" - ], - "id": "a0611cee-4fe8-b36f-b9a7-8c31f5d9977b", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1016" - ], - "title": "Userdomain Variable Enumeration" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects an RDP connection originating from a domain controller.", - "event_ids": [ - "5156" - ], - "id": "8b0f1458-5a23-5950-ebc7-f8d7a562dc06", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1021" - ], - "title": "New RDP Connection Initiated From Domain Controller" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Remote registry management using REG utility from non-admin workstation", - "event_ids": [ - "5145" - ], - "id": "e9f405d3-e7ea-9adf-2f31-9ab2a7a90f5a", - "level": "medium", - 
"service": "security", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "TA0005", - "TA0007", - "attack.s0075", - "T1012", - "T1112", - "T1552.002", - "T1552" - ], - "title": "Remote Registry Management Using Reg Utility" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects interactive console logons to Server Systems", - "event_ids": [ - "4624", - "4625", - "528", - "529" - ], - "id": "7298c707-7564-3229-7c76-ec514847d8c2", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1078" - ], - "title": "Interactive Logon to Server Systems" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", - "event_ids": [ - "4672", - "4964" - ], - "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE921B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0008", - "TA0006", - "T1558", - "T1649", - "T1550" - ], - "title": "User with Privileges Logon" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", - "event_ids": [ - "4624", - "4625" - ], - "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1550.002", - "car.2016-04-004", - "T1550" - ], - "title": "Potential Pass the Hash Activity" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)", - "event_ids": 
[ - "4742" - ], - "id": "7d4b25c3-0cef-1638-1d47-bb18acda0e6c", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1068", - "cve.2020-1472" - ], - "title": "Potential Zerologon (CVE-2020-1472) Exploitation" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Shell-Core/Operational" - ], - "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", - "event_ids": [ - "28115" - ], - "id": "487f5b43-6155-d21c-7189-1a6108974f1b", - "level": "medium", - "service": "shell-core", - "subcategory_guids": [], - "tags": [ - "TA0002" - ], - "title": "Suspicious Application Installed" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-AppLocker/MSI and Script", - "Microsoft-Windows-AppLocker/EXE and DLL", - "Microsoft-Windows-AppLocker/Packaged app-Deployment", - "Microsoft-Windows-AppLocker/Packaged app-Execution" - ], - "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. 
You need configure applocker and log collect to receive these events.", - "event_ids": [ - "8004", - "8007", - "8022", - "8025" - ], - "id": "da0e47f5-493f-9da4-b041-8eb762761118", - "level": "medium", - "service": "applocker", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1204.002", - "T1059.001", - "T1059.003", - "T1059.005", - "T1059.006", - "T1059.007", - "T1059", - "T1204" - ], - "title": "File Was Not Allowed To Run" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Security-Mitigations*" - ], - "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", - "event_ids": [ - "11", - "12" - ], - "id": "838d17f1-63ba-03c4-f8ae-2bdfd74a6a08", - "level": "high", - "service": "security-mitigations", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1574.001", - "T1574" - ], - "title": "Microsoft Defender Blocked from Loading Unsigned DLL" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Security-Mitigations*" - ], - "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", - "event_ids": [ - "11", - "12" - ], - "id": "15277aa1-7b5b-9e3b-cca8-52c21a36d06c", - "level": "high", - "service": "security-mitigations", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1574.001", - "T1574" - ], - "title": "Unsigned Binary Loaded From Suspicious Location" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects installation of a new shim using sdbinst.exe.\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims\n", - "event_ids": [ - "4688" - ], - "id": "7d9d897f-58c0-2dae-d6f2-410c0f0f5e07", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - 
"TA0003", - "TA0004", - "T1546.011", - "T1546" - ], - "title": "Potential Shim Database Persistence via Sdbinst.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", - "event_ids": [ - "4688" - ], - "id": "bfa46528-db30-f4b6-d9b2-afca48a92538", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003" - ], - "title": "Suspicious Reg Add Open Command" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.\n", - "event_ids": [ - "4688" - ], - "id": "e644857f-3d08-b5e8-61be-9e01a3706716", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "TA0005", - "TA0007", - "TA0002", - "TA0004", - "T1046", - "T1082", - "T1106", - "T1518", - "T1548.002", - "T1552.001", - "T1555", - "T1555.003", - "T1548", - "T1552" - ], - "title": "HackTool - WinPwn Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of SharpUp, a tool for local privilege escalation", - "event_ids": [ - "4688" - ], - "id": "9a8e6f2d-2a56-788b-343a-a50584a15079", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0007", - "TA0002", - "T1615", - "T1569.002", - "T1574.005", - "T1569", - "T1574" - ], - "title": "HackTool - SharpUp PrivEsc Tool Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", - "event_ids": [ - "4688" - ], - "id": 
"86b3dc5a-8aaa-c378-77ea-e9d3d850d487", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.004", - "T1564" - ], - "title": "Potential Rundll32 Execution With DLL Stored In ADS" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", - "event_ids": [ - "4688" - ], - "id": "7d26daa9-542e-73b8-57cf-fd0cd8794d26", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1489" - ], - "title": "Disable Important Scheduled Task" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", - "event_ids": [ - "4688" - ], - "id": "49fe14e0-e6d2-95cc-58a2-431e7dd03cf5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010" - ], - "title": "Active Directory Structure Export Via Ldifde.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of powershell scripts via Runscripthelper.exe", - "event_ids": [ - "4688" - ], - "id": "f93df83e-4e70-cffa-f5d8-2b7c77d7bb45", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059", - "TA0005", - "T1202" - ], - "title": "Suspicious Runscripthelper.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Identifies the creation of local users via the net.exe command.", - "event_ids": [ - "4688" - ], - "id": "6770bbc3-76b1-d22f-6192-d180542dc2a2", - "level": "medium", - "service": "", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1136.001", - "T1136" - ], - "title": "New User Created Via Net.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", - "event_ids": [ - "4688" - ], - "id": "f4b9cf98-c3c6-4a42-a20e-6728d79f8fec", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.004", - "T1562" - ], - "title": "Firewall Rule Deleted Via Netsh.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", - "event_ids": [ - "4688" - ], - "id": "c918e9f3-229d-19b9-a50f-408e5811b033", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.001", - "T1003" - ], - "title": "HackTool - CreateMiniDump Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects command line parameters used by Koadic hack tool", - "event_ids": [ - "4688" - ], - "id": "21709122-92d3-408a-ce43-7f0ab256c315", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.003", - "T1059.005", - "T1059.007", - "T1059" - ], - "title": "HackTool - Koadic Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) 
via command line", - "event_ids": [ - "4688" - ], - "id": "85c1b693-1ea8-0d6c-249a-3a2bffdd4bb4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007" - ], - "title": "Obfuscated IP Via CLI" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", - "event_ids": [ - "4688" - ], - "id": "ff27f8e8-0d0c-7ee1-fc19-a2d8cd69186a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "TA0006", - "T1649" - ], - "title": "HackTool - Certify Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the malicious use of a control panel item", - "event_ids": [ - "4688" - ], - "id": "412f66af-4b64-0d69-8b91-9fa5161724cd", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1218.002", - "TA0003", - "T1546", - "T1218" - ], - "title": "Control Panel Items" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a when net.exe is called with a password in the command line", - "event_ids": [ - "4688" - ], - "id": "63b59ec7-e487-aef1-5cca-722ee215db7f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0001", - "TA0003", - "TA0004", - "TA0008", - "T1021.002", - "T1078", - "T1021" - ], - "title": "Password Provided In Command Line Of Net.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", - "event_ids": [ - "4688" - ], - "id": "68ad4ec6-5204-d63f-155f-0ad495ef92b3", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1090" - ], - "title": "PUA - Fast Reverse Proxy (FRP) Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects user accept agreement execution in psexec commandline", - "event_ids": [ - "4688" - ], - "id": "adbf9c6f-f765-81c9-b566-460d75f15e4a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0008", - "T1569", - "T1021" - ], - "title": "Psexec Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", - "event_ids": [ - "4688" - ], - "id": "7371bd41-e687-4fb7-9c66-a38b83560275", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Potential COM Objects Download Cradles Usage - Process Creation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", - "event_ids": [ - "4688" - ], - "id": "3e89a33f-127c-1329-d332-0d836db05ad7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "PUA - CleanWipe Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", - "event_ids": [ - "4688" - ], - "id": 
"735b333c-168f-1517-ce6e-44604578243f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1127" - ], - "title": "Use of Wfc.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects port forwarding activity via SSH.exe", - "event_ids": [ - "4688" - ], - "id": "9f52bf0b-cd07-33a3-f9c1-6cf08889812a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "TA0008", - "T1572", - "T1021.001", - "T1021.004", - "T1021" - ], - "title": "Port Forwarding Activity Via SSH.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious use of XORDump process memory dumping utility", - "event_ids": [ - "4688" - ], - "id": "e11f3d67-9772-748c-2a6a-e825964efe89", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036", - "T1003.001", - "TA0006", - "T1003" - ], - "title": "HackTool - XORDump Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.", - "event_ids": [ - "4688" - ], - "id": "faa3b493-02b2-9e9c-3d74-8a59a0205e5d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1202", - "TA0005", - "T1218" - ], - "title": "Potentially Suspicious Child Processes Spawned by ConHost" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of 
reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", - "event_ids": [ - "4688" - ], - "id": "9ea6664e-70c1-5f36-42c2-1fdb75330fb7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Potentially Suspicious CMD Shell Output Redirect" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", - "event_ids": [ - "4688" - ], - "id": "1441d7b2-4429-f275-3f6d-ba7c9718c13b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1012", - "T1007" - ], - "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", - "event_ids": [ - "4688" - ], - "id": "56a9069d-21e3-4b02-f132-6a4e930a4432", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1482" - ], - "title": "HackTool - TruffleSnout Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).\nThe technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting\nmalformed 
URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection\nby hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with\nhidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.\n", - "event_ids": [ - "4688" - ], - "id": "74a80804-adfc-f831-6290-6ae386436db4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027.010", - "T1218.007", - "TA0002", - "T1059.001", - "T1059", - "T1027", - "T1218" - ], - "title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects changes to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.\n", - "event_ids": [ - "4688" - ], - "id": "314ca2e6-e324-0e58-b1e7-2d38858b534a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.002", - "T1564" - ], - "title": "Hiding User Account Via SpecialAccounts Registry Key - CommandLine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", - "event_ids": [ - "4688" - ], - "id": "21d20eb3-388b-e372-90f5-c3da2c00dc9f", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1047", - "T1562" - ], - "title": "Potential Windows Defender Tampering Via Wmic.EXE" - }, 
- { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects dump of credentials in VeeamBackup dbo", - "event_ids": [ - "4688" - ], - "id": "9a714c62-1669-9a37-eb23-3aca9c2ca26e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1005" - ], - "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the \"ms-appinstaller\" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE\nThe downloaded files are temporarly stored in \":\\Users\\%username%\\AppData\\Local\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\AC\\INetCache\\\"\n", - "event_ids": [ - "4688" - ], - "id": "04dd1706-97cc-c1bf-45db-6a9786736ab4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1218" - ], - "title": "Potential File Download Via MS-AppInstaller Protocol Handler" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uncommon \"userinit.exe\" child processes, which could be a sign of uncommon shells or login scripts used for persistence.", - "event_ids": [ - "4688" - ], - "id": "8d2051ab-4ac8-617f-7be7-3a2c8e1a8aa8", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1037.001", - "TA0003", - "T1037" - ], - "title": "Uncommon Userinit Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.", - "event_ids": [ - "4688" - ], - "id": "637e9594-8499-4a83-1fec-53dd2ff90147", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "TA0011", - "T1105" - ], - "title": "Curl Download And Execute Combination" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags\n", - "event_ids": [ - "4688" - ], - "id": "af3979fb-2ecb-3ae6-3f48-ca04d867be13", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036" - ], - "title": "Suspicious Windows Update Agent Empty Cmdline" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", - "event_ids": [ - "4688" - ], - "id": "4e18ea92-76c9-f5f4-1980-ea4c976954af", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1053.005", - "T1053" - ], - "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of \"IMEWDBLD.exe\" to download arbitrary files", - "event_ids": [ - "4688" - ], - "id": "9a2b890c-d67f-9cbf-6350-4365c0828269", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1218" - ], - "title": "Arbitrary File Download Via IMEWDBLD.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when an internet hosted webdav share is 
mounted using the \"net.exe\" utility", - "event_ids": [ - "4688" - ], - "id": "bc7f261d-3cfe-72c9-521d-d3cd1a0032bf", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1021.002", - "T1021" - ], - "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "event_ids": [ - "4688" - ], - "id": "3ff6fb4d-1767-844e-dbf0-3bfa8dd55d56", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "T1548" - ], - "title": "UAC Bypass Using Windows Media Player - Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects password change for the computer's domain account or host principal via \"ksetup.exe\"", - "event_ids": [ - "4688" - ], - "id": "24b74db7-6d52-4791-9c5a-8e5de42df8f2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Computer Password Change Via Ksetup.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities", - "event_ids": [ - "4688" - ], - "id": "756c6a71-c6c7-f447-b851-823221c5d2fc", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "T1218" - ], - "title": "Potentially Suspicious Rundll32 Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"odbcconf\" with \"REGSVR\" in order to register a new DLL (equivalent to running regsvr32). 
Attackers abuse this to install and run malicious DLLs.", - "event_ids": [ - "4688" - ], - "id": "c70669f8-ed0f-df3b-f2a4-6e8605285bb1", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.008", - "T1218" - ], - "title": "New DLL Registered Via Odbcconf.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", - "event_ids": [ - "4688" - ], - "id": "3acb1e73-2bdc-efdf-3865-3967cf6ce445", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "T1216" - ], - "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", - "event_ids": [ - "4688" - ], - "id": "16277ba9-49fc-5f62-bf22-e5c2952e32ea", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "DLL Execution via Rasautou.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the SysInternals Procdump utility", - "event_ids": [ - "4688" - ], - "id": "9dd8cfb3-e15d-dfe4-ac54-004a540f3279", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036", - "T1003.001", - "TA0006", - "T1003" - ], - "title": "Procdump Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", - "event_ids": [ - "4688" - ], - "id": "897d8214-575a-533d-6b1e-a21219da4532", - 
"level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1548" - ], - "title": "Regedit as Trusted Installer" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "event_ids": [ - "4688" - ], - "id": "40795b72-f1da-c1a0-035c-56ecfca25ca3", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1518" - ], - "title": "Detected Windows Software Discovery" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of NSudo tool for command execution", - "event_ids": [ - "4688" - ], - "id": "09a60700-1c45-a4bf-7b17-5d1e036f4b78", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1569.002", - "attack.s0029", - "T1569" - ], - "title": "PUA - NSudo Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", - "event_ids": [ - "4688" - ], - "id": "f5d5ba97-4424-eaa9-ead1-528529dbee28", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "T1548" - ], - "title": "UAC Bypass WSReset" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of Replace.exe which can be used to replace file with another file", - "event_ids": [ - "4688" - ], - "id": "02224309-c907-6de7-60e0-09470aa6d721", - "level": "medium", - "service": "", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Replace.exe Usage" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", - "event_ids": [ - "4688" - ], - "id": "74dee6c8-810b-ae34-e12e-ab1a91355d18", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "T1218" - ], - "title": "Suspicious Rundll32 Execution With Image Extension" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks", - "event_ids": [ - "4688" - ], - "id": "1245d006-c502-7e4c-66d3-55cfd5aa5fc4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "TA0009", - "T1185" - ], - "title": "Browser Started with Remote Debugging" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", - "event_ids": [ - "4688" - ], - "id": "0052946a-1593-6881-f638-b14ac2efcff8", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0004", - "T1059" - ], - "title": "PUA - Wsudo Suspicious Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. 
This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", - "event_ids": [ - "4688" - ], - "id": "a20a870a-fc43-6932-6410-116f3d5e0221", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1218", - "T1202" - ], - "title": "Potentially Suspicious Child Process Of VsCode" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the rare use of the command line tool shutdown to logoff a user", - "event_ids": [ - "4688" - ], - "id": "4aab609a-ee21-b8ac-c046-68400df5cd4e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1529" - ], - "title": "Suspicious Execution of Shutdown to Log Out" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", - "event_ids": [ - "4688" - ], - "id": "a407b6c9-ae1a-6fb2-a44d-24de12a2e2f7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1134.002", - "T1134" - ], - "title": "PUA - AdvancedRun Suspicious Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,\nsuch as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications\ncontaining VBScript or JScript. 
Threat actors often abuse this lolbin utility to download and\nexecute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.\n", - "event_ids": [ - "4688" - ], - "id": "a641f121-9379-33a5-1c52-cda13641658a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1140", - "T1218.005", - "TA0002", - "T1059.007", - "cve.2020-1599", - "T1218", - "T1059" - ], - "title": "MSHTA Execution with Suspicious File Extensions" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.", - "event_ids": [ - "4688" - ], - "id": "9936b6f6-994d-8664-d072-7e6900571270", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.002", - "T1003.004", - "T1003.005", - "car.2013-07-001", - "T1003" - ], - "title": "Dumping of Sensitive Hives Via Reg.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of WMIC to query information on a remote system", - "event_ids": [ - "4688" - ], - "id": "55f4543b-1bd2-73c3-dbda-2fed3f373efa", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047" - ], - "title": "WMIC Remote Command Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.", - "event_ids": [ - "4688" - ], - "id": "b229510a-6249-effe-47a7-1453bddf03a7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "AddinUtil.EXE Execution 
From Uncommon Directory" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"odbcconf\" with the \"INSTALLDRIVER\" action where the driver doesn't contain a \".dll\" extension. This is often used as a defense evasion method.", - "event_ids": [ - "4688" - ], - "id": "62b1b4bc-937a-d9ed-a691-7887aae49630", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.008", - "T1218" - ], - "title": "Suspicious Driver/DLL Installation Via Odbcconf.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious child processes of \"regsvr32.exe\".", - "event_ids": [ - "4688" - ], - "id": "64533e2e-fc62-38e3-32ed-413f474d82c7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.010", - "T1218" - ], - "title": "Potentially Suspicious Child Process Of Regsvr32" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of Xwizard tool with the \"RunWizard\" flag and a GUID like argument.\nThis utility can be abused in order to run custom COM object created in the registry.\n", - "event_ids": [ - "4688" - ], - "id": "9229b93f-725b-ba48-a5e2-fd3ba4c5751b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "COM Object Execution via Xwizard.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects netsh commands that turns off the Windows firewall", - "event_ids": [ - "4688" - ], - "id": "228eaacb-c113-c297-5804-6247ce9a2393", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.004", - "attack.s0108", - 
"T1562" - ], - "title": "Firewall Disabled via Netsh.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", - "event_ids": [ - "4688" - ], - "id": "850febcc-7dad-d3e9-05e3-1c69b3ba2db3", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Use of Pcalua For Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS.\n", - "event_ids": [ - "4688" - ], - "id": "33667ca9-e2d9-2762-b163-7e71780bc3b1", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Process Memory Dump Via Dotnet-Dump" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", - "event_ids": [ - "4688" - ], - "id": "7fd1971c-8117-58b7-9bfd-d42cda435945", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0006", - "T1212" - ], - "title": "Suspicious NTLM Authentication on the Printer Spooler Service" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "event_ids": [ - "4688" - ], - "id": "b99e1330-4add-8df6-a3ab-1425cde93e31", - "level": "medium", - "service": "", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1119", - "TA0006", - "T1552.001", - "T1552" - ], - "title": "Automated Collection Command Prompt" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of bitsadmin downloading a file", - "event_ids": [ - "4688" - ], - "id": "7a530794-a84d-d066-45bb-1d94d7f2dfc0", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003", - "T1197", - "attack.s0190", - "T1036.003", - "T1036" - ], - "title": "File Download Via Bitsadmin" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect the usage of \"DirLister.exe\" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.", - "event_ids": [ - "4688" - ], - "id": "767261e0-460c-37f0-aadd-2d3d361db835", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1083" - ], - "title": "DirLister Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", - "event_ids": [ - "4688" - ], - "id": "f57976f9-310f-c36f-c17a-0efb253e7f94", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Execution via WorkFolders.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious RDP session redirect using tscon.exe", - "event_ids": [ - "4688" - ], - "id": "1eb3ba13-9019-0f5c-55d6-f83e89f4a2ea", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1563.002", - "T1021.001", - 
"car.2013-07-002", - "T1563", - "T1021" - ], - "title": "Suspicious RDP Redirect Using TSCON" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)\n", - "event_ids": [ - "4688" - ], - "id": "bc230d45-327b-2042-de48-73c5a52eb131", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1059" - ], - "title": "Add Insecure Download Source To Winget" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", - "event_ids": [ - "4688" - ], - "id": "04ee126c-89e1-9dfa-1863-5f42fde61c35", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1222.001", - "T1222" - ], - "title": "Suspicious Recursive Takeown" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", - "event_ids": [ - "4688" - ], - "id": "49fcee15-4a91-2599-357b-6a1abe3d7cf4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.005", - "car.2013-02-003", - "car.2013-03-001", - "car.2014-04-003", - "T1218" - ], - "title": "Suspicious MSHTA Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when an admin share is mounted using net.exe", - "event_ids": [ - "4688" - ], - "id": "70e8ecd5-c850-e676-1c25-2bdb4f5ef98c", - 
"level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1021.002", - "T1021" - ], - "title": "Windows Admin Share Mount Via Net.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.", - "event_ids": [ - "4688" - ], - "id": "e5c800a5-3e9b-b168-6ef9-6f47f8a19124", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007" - ], - "title": "HackTool - SharpLDAPmonitor Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects changes to environment variables related to ETW logging via the CommandLine.\nThis could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.\n", - "event_ids": [ - "4688" - ], - "id": "2d61b1f3-942f-cd54-c470-efc9dad10255", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562" - ], - "title": "ETW Logging Tamper In .NET Processes Via CommandLine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", - "event_ids": [ - "4688" - ], - "id": "5385a182-a453-d329-5d89-d768e2b73e28", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Execution Of Non-Existing File" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", - "event_ids": [ - "4688" 
- ], - "id": "457a72af-e7d7-48c0-0f9f-cd793a1a2584", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1539", - "T1555.003", - "TA0009", - "T1005", - "T1555" - ], - "title": "SQLite Chromium Profile Data DB Access" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.\nThis facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.\n", - "event_ids": [ - "4688" - ], - "id": "16cf2db0-5355-1ded-b4a7-522991ff6460", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1053.005", - "TA0005", - "T1218", - "TA0011", - "T1105", - "T1053" - ], - "title": "Scheduled Task Creation with Curl and PowerShell Execution Combo" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "event_ids": [ - "4688" - ], - "id": "e8fdfc6d-5256-c3f4-7858-a45724bce385", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Via Stdin" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects possible payload obfuscation via the commandline", - "event_ids": [ - "4688" - ], - "id": "6edef6e7-c67d-20e2-44cd-62afc03872c2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Potential Dosfuscation Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - 
"description": "Shadow Copies storage symbolic link creation using operating systems utilities", - "event_ids": [ - "4688" - ], - "id": "52b94cb0-304c-59f3-ca56-497db104688c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.002", - "T1003.003", - "T1003" - ], - "title": "VolumeShadowCopy Symlink Creation Via Mklink" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)", - "event_ids": [ - "4688" - ], - "id": "ae6cf4fd-c5fb-db3d-3aec-31478d51a921", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036", - "T1218" - ], - "title": "Sdiagnhost Calling Suspicious Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", - "event_ids": [ - "4688" - ], - "id": "41405b7a-f9bc-bce2-50ed-abfca5390f19", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003", - "T1053.005", - "T1053" - ], - "title": "Suspicious Scheduled Task Creation Involving Temp Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect suspicious parent processes of well-known Windows processes", - "event_ids": [ - "4688" - ], - "id": "cf1c2cd4-ba84-1a2d-fdbf-f970eacc2ed9", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036.003", - "T1036.005", - "T1036" - ], - "title": "Windows Processes Suspicious Parent Directory" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the addition of a new 
rule to the Windows firewall via netsh",
- "event_ids": [
- "4688"
- ],
- "id": "5a3de052-774a-c805-ef2c-a9b71abecc0a",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.004",
- "attack.s0246",
- "T1562"
- ],
- "title": "New Firewall Rule Added Via Netsh.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)",
- "event_ids": [
- "4688"
- ],
- "id": "66033013-9870-9cb6-fd4b-54502ef0aa79",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "PsExec Service Child Process Execution as LOCAL SYSTEM"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.",
- "event_ids": [
- "4688"
- ],
- "id": "773a2339-22b1-7f0c-c821-a5831b6a43cc",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1202"
- ],
- "title": "Potentially Suspicious Office Document Executed From Trusted Location"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.",
- "event_ids": [
- "4688"
- ],
- "id": "ba17b43d-ff78-598e-3e48-6f7f77abce52",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218.009",
- "T1218"
- ],
- "title": "Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious Splwow64.exe process without any command line parameters",
- "event_ids": [
- "4688"
- ],
- "id": "a3eb659a-2a75-984c-1dd1-a034449b5d3a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1202"
- ],
- "title": "Suspicious Splwow64 Without Params"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the \"FileFix\" social engineering technique,\nwhere users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.\nThe technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.\n",
- "event_ids": [
- "4688"
- ],
- "id": "0b4162ed-2534-2656-6d4a-8d2ad218617b",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1204.004",
- "T1204"
- ],
- "title": "FileFix - Suspicious Child Process from Browser File Upload Abuse"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)",
- "event_ids": [
- "4688"
- ],
- "id": "86bcf883-2f53-b6b7-c766-0240f0ce79cf",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1127"
- ],
- "title": "Use of TTDInject.exe"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe",
- "event_ids": [
- "4688"
- ],
- "id": "a84f4bc1-ba9a-517d-9339-0a232578cf27",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation",
- "event_ids": [
- "4688"
- ],
- "id": "45b0c0bb-7d7a-7e71-e757-cdd2508c0105",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1046"
- ],
- "title": "PUA - Nmap/Zenmap Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively",
- "event_ids": [
- "4688"
- ],
- "id": "549eb2a1-da80-3ed5-9385-6358ef00fe24",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "TA0005",
- "T1134.001",
- "T1134.003",
- "T1134"
- ],
- "title": "HackTool - SharpImpersonation Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell",
- "event_ids": [
- "4688"
- ],
- "id": "03f7ca7a-c93c-f02e-e9b4-d9b00a382023",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.003",
- "stp.1u",
- "T1059"
- ],
- "title": "Operator Bloopers Cobalt Strike Commands"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects powershell scripts that import modules from suspicious directories",
- "event_ids": [
- "4688"
- ],
- "id": "d671a75d-7b95-f624-cf04-8c7814fca3aa",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities",
- "event_ids": [
- "4688"
- ],
- "id": "4aed73e4-2a5e-b456-3e10-0b58348a0620",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0009",
- "T1560.001",
- "T1560"
- ],
- "title": "Compress Data and Lock With Password for Exfiltration With WINZIP"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.",
- "event_ids": [
- "4688"
- ],
- "id": "50bb828c-a04e-d207-bb34-71d9f1144a73",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "TA0002",
- "T1047"
- ],
- "title": "Computer System Reconnaissance Via Wmic.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64 where the extensions of the file is suspicious",
- "event_ids": [
- "4688"
- ],
- "id": "28c8ac5c-4774-b281-e7e4-3445164e0180",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027"
- ],
- "title": "Suspicious File Encoded To Base64 Via Certutil.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious process related to rasdial.exe",
- "event_ids": [
- "4688"
- ],
- "id": "60b34e33-95fe-6beb-2917-eb4309e6dcd8",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "T1059"
- ],
- "title": "Suspicious RASdial Activity"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects attempts to disable security event logging by adding the `MiniNt` registry key.\nThis key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.\nAdversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.\n",
- "event_ids": [
- "4688"
- ],
- "id": "847d9f6f-a38e-7aa1-9da8-20f3f4c1d416",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.002",
- "T1112",
- "car.2022-03-001",
- "T1562"
- ],
- "title": "Security Event Logging Disabled via MiniNt Registry Key - Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of Gpg4win to decrypt files",
- "event_ids": [
- "4688"
- ],
- "id": "f539aaee-c369-f209-b744-3e1b8b37c936",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "File Decryption Using Gpg4win"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields",
- "event_ids": [
- "4688"
- ],
- "id": "b9b053da-68a6-d372-9780-828406597122",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1047",
- "T1220",
- "TA0002",
- "T1059.005",
- "T1059.007",
- "T1059"
- ],
- "title": "Potential SquiblyTwo Technique Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil",
- "event_ids": [
- "4688"
- ],
- "id": "962de487-869e-eec3-a641-839d9af9c49d",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0040",
- "T1490"
- ],
- "title": "Deletion of Volume Shadow Copies via WMI with PowerShell"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects AdFind execution with common flags seen used during attacks",
- "event_ids": [
- "4688"
- ],
- "id": "241ae810-4742-fb7e-24a5-9fe5b120827a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1018",
- "T1087.002",
- "T1482",
- "T1069.002",
- "stp.1u",
- "T1069",
- "T1087"
- ],
- "title": "PUA - AdFind Suspicious Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n",
- "event_ids": [
- "4688"
- ],
- "id": "e9c3cf8c-ba2f-d937-b4c5-8f5e3f692a11",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1217"
- ],
- "title": "Suspicious Where Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.",
- "event_ids": [
- "4688"
- ],
- "id": "d7bb3d76-50b6-1c43-cbaf-4f1600e03c9c",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1047",
- "T1059.001",
- "T1059"
- ],
- "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.",
- "event_ids": [
- "4688"
- ],
- "id": "f0e123c3-0e38-7799-a7bb-c5682449e2e8",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "InfDefaultInstall.exe .inf Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.",
- "event_ids": [
- "4688"
- ],
- "id": "274285c4-15a3-9ee1-1a76-fa05fa2b17e1",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "T1548.002",
- "T1548"
- ],
- "title": "Bypass UAC via Fodhelper.exe"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block",
- "event_ids": [
- "4688"
- ],
- "id": "e394e239-a5c1-5879-edab-2c697795ff9e",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation Obfuscated IEX Invocation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)",
- "event_ids": [
- "4688"
- ],
- "id": "125653c0-b2ab-c23a-d7aa-6a45f2add313",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1574.001",
- "T1112",
- "T1574"
- ],
- "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.",
- "event_ids": [
- "4688"
- ],
- "id": "905bbb47-6ae3-1ee8-e0d8-092361cf61e7",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0003",
- "T1053.005",
- "T1059.001",
- "T1053",
- "T1059"
- ],
- "title": "Scheduled Task Executing Encoded Payload from Registry"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the deletion of all backups or system state backups via \"wbadmin.exe\".\nThis technique is used by numerous ransomware families and actors.\nThis may only be successful on server platforms that have Windows Backup enabled.\n",
- "event_ids": [
- "4688"
- ],
- "id": "ba8fde0b-93d2-2680-ea4d-b260729bf75e",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0040",
- "T1490"
- ],
- "title": "All Backups Deleted Via Wbadmin.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.\n",
- "event_ids": [
- "4688"
- ],
- "id": "f82366e8-2ece-fea5-4f56-18d49f3c6aef",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1558.003",
- "T1558"
- ],
- "title": "HackTool - RemoteKrbRelay Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"aspnet_compiler.exe\" with potentially suspicious paths for compilation.",
- "event_ids": [
- "4688"
- ],
- "id": "7ba37b73-d32a-9fdc-27f1-372220985b67",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1127"
- ],
- "title": "Potentially Suspicious ASP.NET Compilation Via AspNetCompiler"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.",
- "event_ids": [
- "4688"
- ],
- "id": "a9d391c2-0efd-3d38-0c33-49f93ab68df6",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0005",
- "T1059",
- "T1562.001",
- "T1562"
- ],
- "title": "HackTool - Stracciatella Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file",
- "event_ids": [
- "4688"
- ],
- "id": "e09795ef-2d7f-3f65-8286-c3267b89622e",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105"
- ],
- "title": "Suspicious Curl.EXE Download"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"Diskshadow.exe\" in script mode to execute an script with a potentially uncommon extension.\nInitial baselining of the allowed extension list is required.\n",
- "event_ids": [
- "4688"
- ],
- "id": "a5621ded-7646-ab81-f618-d9132148ad46",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Diskshadow Script Mode - Uncommon Script Extension Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.",
- "event_ids": [
- "4688"
- ],
- "id": "31616502-c261-6b78-a809-4408f88bc4fb",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1132.001",
- "T1132"
- ],
- "title": "Gzip Archive Decode Via PowerShell"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines",
- "event_ids": [
- "4688"
- ],
- "id": "90b43135-d789-00ee-977c-ed235554c372",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005"
- ],
- "title": "Suspicious Obfuscated PowerShell Code"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.",
- "event_ids": [
- "4688"
- ],
- "id": "a860f5c4-f0f1-4566-1d72-4ff887bc2538",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105"
- ],
- "title": "PUA - Nimgrab Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.",
- "event_ids": [
- "4688"
- ],
- "id": "b881e130-b2f3-59a2-f31f-1ab4f003c199",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1219.002",
- "T1219"
- ],
- "title": "Suspicious Mstsc.EXE Execution With Local RDP File"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored",
- "event_ids": [
- "4688"
- ],
- "id": "d3b62eee-982b-e3f3-e106-d83048e4cf0d",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003.002",
- "T1003"
- ],
- "title": "HackTool - Pypykatz Credentials Dumping Activity"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)",
- "event_ids": [
- "4688"
- ],
- "id": "e690ad80-ba5d-6c78-f689-97c9bdad6517",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0001",
- "T1566"
- ],
- "title": "Phishing Pattern ISO in Archive"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories",
- "event_ids": [
- "4688"
- ],
- "id": "a296b8da-2f61-8a80-7fa6-f2063c0b5969",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Ie4uinit Lolbin Use From Invalid Path"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed.\nThreat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.\n",
- "event_ids": [
- "4688"
- ],
- "id": "6ed0a1fe-48ad-ebd5-4596-bd6f5005bbe0",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Python Function Execution Security Warning Disabled In Excel"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n",
- "event_ids": [
- "4688"
- ],
- "id": "80fc60a3-3570-d8c6-9ee9-d527bfd15b84",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1082"
- ],
- "title": "Uncommon System Information Discovery Via Wmic.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.",
- "event_ids": [
- "4688"
- ],
- "id": "84d137d9-0fe0-de23-4c5c-4530db9c5575",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1053.005",
- "TA0005",
- "T1036.004",
- "T1036.005",
- "T1036",
- "T1053"
- ],
- "title": "Scheduled Task Creation Masquerading as System Processes"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious PowerShell invocation command parameters",
- "event_ids": [
- "4688"
- ],
- "id": "1c5c23b8-d4a3-0d4b-6116-74f8ddd96546",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005"
- ],
- "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
- "event_ids": [
- "4688"
- ],
- "id": "7ec29146-f989-0673-b4a4-9bcc03b31194",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1219.002",
- "T1219"
- ],
- "title": "Remote Access Tool - AnyDesk Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)",
- "event_ids": [
- "4688"
- ],
- "id": "256784a9-8cdb-2cfd-8363-95ac15a61e9c",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0001",
- "T1133"
- ],
- "title": "Unusual Child Process of dns.exe"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges",
- "event_ids": [
- "4688"
- ],
- "id": "5ced154c-67dd-89a9-5337-0da89bcd4cdc",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0042",
- "T1587.001",
- "T1587"
- ],
- "title": "Potential Privilege Escalation To LOCAL SYSTEM"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands\n",
- "event_ids": [
- "4688"
- ],
- "id": "9295c6c5-8012-1bb1-6460-1440670cc734",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1505.003",
- "T1505"
- ],
- "title": "Webshell Tool Reconnaissance Activity"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller",
- "event_ids": [
- "4688"
- ],
- "id": "5a867cd0-5780-c09f-9e82-86aaaca431f5",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1033",
- "car.2016-03-001"
- ],
- "title": "HackTool - SharpLdapWhoami Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)",
- "event_ids": [
- "4688"
- ],
- "id": "0ce3d50b-989b-895d-96cd-f820e09f2e18",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "TA0005",
- "TA0004",
- "T1134",
- "T1003",
- "T1027"
- ],
- "title": "Suspicious SYSTEM User Process Creation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors",
- "event_ids": [
- "4688"
- ],
- "id": "b78e620c-3115-0c6d-ea3e-4ad5d55c1217",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "TA0007",
- "T1033"
- ],
- "title": "Whoami.EXE Execution From Privileged Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion",
- "event_ids": [
- "4688"
- ],
- "id": "e1344b7a-c6ce-4117-4e54-c1865cba57df",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Uninstall Sysinternals Sysmon"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.\n",
- "event_ids": [
- "4688"
- ],
- "id": "d0de4ba1-77ce-d47b-23ee-62cdcbc849a6",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1204.002",
- "T1204"
- ],
- "title": "Potential Suspicious Browser Launch From Document Reader Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n",
- "event_ids": [
- "4688"
- ],
- "id": "0ea4a0ee-5c69-9f71-3691-d203eb76c9fc",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1553.004",
- "T1553"
- ],
- "title": "New Root Certificate Installed Via CertMgr.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n",
- "event_ids": [
- "4688"
- ],
- "id": "9fc9be53-5de8-99c5-66a1-0045cf52ff03",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1552.002",
- "T1552"
- ],
- "title": "Enumeration for Credentials in Registry"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of NirCmd tool for command execution as SYSTEM user",
- "event_ids": [
- "4688"
- ],
- "id": "3d973370-afd2-629f-985f-7e5ba8e42f71",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1569.002",
- "attack.s0029",
- "T1569"
- ],
- "title": "PUA - NirCmd Execution As LOCAL SYSTEM"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00",
- "event_ids": [
- "4688"
- ],
- "id": "476ef906-3f50-4b93-19a2-cf02ea63f392",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0003",
- "TA0004",
- "T1053.005",
- "T1053"
- ],
- "title": "Uncommon One Time Only Scheduled Task At 00:00"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect use of X509Enrollment",
- "event_ids": [
- "4688"
- ],
- "id": "5e80556b-2efe-2558-9119-c09636c4c9e4",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1553.004",
- "T1553"
- ],
- "title": "Suspicious X509Enrollment - Process Creation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"AdPlus.exe\", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.",
- "event_ids": [
- "4688"
- ],
- "id": "a564e04a-c562-3596-74f2-efb859c61856",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "TA0006",
- "T1003.001",
- "T1003"
- ],
- "title": "Potential Adplus.EXE Abuse"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of the Chisel tunneling tool via the commandline arguments",
- "event_ids": [
- "4688"
- ],
- "id": "de663faa-aac0-dab6-a4b3-8d8c8a00ef96",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1090.001",
- "T1090"
- ],
- "title": "PUA - Chisel Tunneling Tool Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.",
- "event_ids": [
- "4688"
- ],
- "id": "101d5724-f172-6946-1713-7b535e7c5af9",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0005"
- ],
- "title": "Suspicious Process Execution From Fake Recycle.Bin Folder"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)",
- "event_ids": [
- "4688"
- ],
- "id": "c4d044b3-d308-8957-f679-6b4a595d47a7",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1204.002",
- "attack.g0046",
- "car.2013-05-002",
- "T1204"
- ],
- "title": "Suspicious Binary In User Directory Spawned From Office Application"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of bitsadmin downloading a file from a suspicious domain",
- "event_ids": [
- "4688"
- ],
- "id": "23c16dc8-5f28-940b-9094-092e89b8727f",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0003",
- "T1197",
- "attack.s0190",
- "T1036.003",
- "T1036"
- ],
- "title": "Suspicious Download From File-Sharing Website Via Bitsadmin"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add Windows capabilities. Notable capabilities could be \"OpenSSH\" and others.",
- "event_ids": [
- "4688"
- ],
- "id": "5ee853eb-9d4f-e140-fd4d-c6c6e65e27bf",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "Add Windows Capability Via PowerShell Cmdlet"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n",
- "event_ids": [
- "4688"
- ],
- "id": "469a9d6a-0e9f-492d-9e3a-e0f35762874e",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1555.003",
- "T1555"
- ],
- "title": "Potential Browser Data Stealing"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the usage of the \"net.exe\" command to start a service using the \"start\" flag",
- "event_ids": [
- "4688"
- ],
- "id": "1bd2b1a4-7ec2-8aac-b8fa-fa17526df88a",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1569.002",
- "T1569"
- ],
- "title": "Start Windows Service Via Net.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potentially suspicious child processes of KeyScrambler.exe",
- "event_ids": [
- "4688"
- ],
- "id": "b2e90afd-fc69-1c5c-0457-d908fe3c4335",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0005",
- "TA0004",
- "T1203",
- "T1574.001",
- "T1574"
- ],
- "title": "Potentially Suspicious Child Process of KeyScrambler.exe"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\n",
- "event_ids": [
- "4688"
- ],
- "id": "b7987e8f-8f8a-20ea-821c-fa454516f624",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Malicious Windows Script Components File Execution by TAEF Detection"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.",
- "event_ids": [
- "4688"
- ],
- "id": "fd14e822-33da-bc04-253d-2c8cc8659a30",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1543.003",
- "T1543"
- ],
- "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims\n",
- "event_ids": [
- "4688"
- ],
- "id": "912e3077-a6e6-c6a3-649e-01cf0d496eb3",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0004",
- "T1546.011",
- "T1546"
- ],
- "title": "Uncommon Extension Shim Database Installation Via Sdbinst.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.",
- "event_ids": [
- "4688"
- ],
- "id": "42b13785-107e-7eb5-074f-9d1ca751c065",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "TA0005",
- "TA0002",
- "T1059"
- ],
- "title": "Elevated System Shell Spawned From Uncommon Parent Location"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features",
- "event_ids": [
- "4688"
- ],
- "id": "e57cc75a-d93a-26d1-615c-9a093649f70a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Disabled IE Security Features" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "event_ids": [ - "4688" - ], - "id": "e16f3826-f705-a1c0-36a7-5d8d869e3ca9", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0006", - "T1218", - "T1003.001", - "T1003" - ], - "title": "Time Travel Debugging Utility Usage" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", - "event_ids": [ - "4688" - ], - "id": "6b789465-3c6e-9af1-e00a-929db8f324d1", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003", - "T1053.005", - "T1059.001", - "T1053", - "T1059" - ], - "title": "Suspicious Schtasks Execution AppData Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "event_ids": [ - "4688" - ], - "id": "5485eaef-6cb2-5361-f012-c32a0798ac29", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010" - ], - "title": "Suspicious PowerShell Mailbox Export to Share" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flag to setup a specific script to run for a specific VM state", - "event_ids": [ - "4688" - ], - "id": 
"3223b8fb-0180-c340-24b5-fc4699287906", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003", - "T1059" - ], - "title": "Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of a renamed \"cloudflared\" binary.", - "event_ids": [ - "4688" - ], - "id": "c4597337-053d-373e-4faa-cc0e1796fde6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1090.001", - "T1090" - ], - "title": "Renamed Cloudflared.EXE Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.", - "event_ids": [ - "4688" - ], - "id": "2f7ca8a6-7f75-cecd-494a-76a83910eac9", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.010", - "T1218" - ], - "title": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious child processes of the Microsoft OneNote application. 
This may indicate an attempt to execute malicious embedded objects from a .one file.", - "event_ids": [ - "4688" - ], - "id": "b38e988d-9ea4-447b-cc36-a30c9c3801e1", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1566", - "T1566.001", - "TA0001" - ], - "title": "Suspicious Microsoft OneNote Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", - "event_ids": [ - "4688" - ], - "id": "3679f255-d90a-49da-389c-bb16db65853c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1548.002", - "T1548" - ], - "title": "Always Install Elevated MSI Spawned Cmd And Powershell" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects PowerShell commands that decrypt an \".LNK\" \"file to drop the next stage of the malware.", - "event_ids": [ - "4688" - ], - "id": "6b615673-d368-2deb-8281-a7ff75887a8c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "PowerShell Execution With Potential Decryption Capabilities" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", - "event_ids": [ - "4688" - ], - "id": "0d996232-49fa-9bae-0ee6-ad86ec993064", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059", - "TA0007", - "T1018" - ], - "title": "Suspicious Scan Loop Network" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - 
"description": "Detects the use of Advanced Port Scanner.", - "event_ids": [ - "4688" - ], - "id": "3ea85a25-dba7-a10e-8a48-9aa4dc65abb9", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1046", - "T1135" - ], - "title": "PUA - Advanced Port Scanner Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "event_ids": [ - "4688" - ], - "id": "af675749-89e4-ecbe-08aa-846a61be3500", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1016" - ], - "title": "Firewall Configuration Discovery Via Netsh.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of \"msedge_proxy.exe\" to download arbitrary files", - "event_ids": [ - "4688" - ], - "id": "d6d1a63b-5f0f-795e-fe18-4c2e1784568d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1218" - ], - "title": "Arbitrary File Download Via MSEDGE_PROXY.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.\nThreat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.\n", - "event_ids": [ - "4688" - ], - "id": "bb67b9c1-36b4-5057-bac0-7c90c9147791", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1070" - ], - 
"title": "IIS WebServer Log Deletion via CommandLine Utilities" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", - "event_ids": [ - "4688" - ], - "id": "be45d499-4cd7-c4a6-727e-e52c6770468e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010", - "TA0007", - "T1087.002", - "T1087" - ], - "title": "Active Directory Structure Export Via Csvde.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a tscon.exe start as LOCAL SYSTEM", - "event_ids": [ - "4688" - ], - "id": "c9e0d554-2be2-3ae9-6b9c-e80fde3df203", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1219.002", - "T1219" - ], - "title": "Suspicious TSCON Start as SYSTEM" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", - "event_ids": [ - "4688" - ], - "id": "f7214fe4-985b-b820-4816-01cc5cd40601", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.001", - "T1003" - ], - "title": "HackTool - SafetyKatz Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects renamed Visual Studio Code tunnel execution. 
Attackers can abuse this functionality to establish a C2 channel", - "event_ids": [ - "4688" - ], - "id": "4295ffa5-ee9c-252b-51b9-150363e6906b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1071.001", - "T1219", - "T1071" - ], - "title": "Renamed Visual Studio Code Tunnel Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n", - "event_ids": [ - "4688" - ], - "id": "ff580d50-30ff-1e98-ec8c-c70512d70b55", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1074.001", - "T1074" - ], - "title": "Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious file downloads directly from IP addresses using Wget.exe", - "event_ids": [ - "4688" - ], - "id": "bb4392f4-17a5-e69c-88cd-53551c758da9", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Suspicious File Download From IP Via Wget.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", - "event_ids": [ - "4688" - ], - "id": "974ebcbe-549c-386f-ffce-c5c6e2fbe2d8", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Raccine Uninstall" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the enabling of the Windows Recall feature via registry manipulation.\nWindows Recall can be enabled by deleting the existing \"DisableAIDataAnalysis\" value, or setting it to 0.\nAdversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\nThis rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.\n", - "event_ids": [ - "4688" - ], - "id": "3be2ca2a-e70a-49c3-7d32-ac25c979e199", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1113" - ], - "title": "Windows Recall Feature Enabled Via Reg.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"reg.exe\" to disable security services such as Windows Defender.", - "event_ids": [ - "4688" - ], - "id": "8ba4f215-e4a8-8858-ae46-4785a18094c6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Security Service Disabled Via Reg.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of Chromium based browser in headless mode", - "event_ids": [ - "4688" - ], - "id": "c2ba2ab9-14d6-22d6-50e6-def8d485c093", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105", - "T1564.003", - "T1564" - ], - "title": "Browser 
Execution In Headless Mode" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", - "event_ids": [ - "4688" - ], - "id": "20f83d4c-6338-a0c0-b882-c4c1997c025f", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Suspicious PowerShell Download and Execute Pattern" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of regsvr32 where the DLL is located in a highly suspicious locations", - "event_ids": [ - "4688" - ], - "id": "f0f9d4eb-6b2b-b7dd-4bba-a3e2739203f4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.010", - "T1218" - ], - "title": "Regsvr32 Execution From Highly Suspicious Location" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of attrib.exe to hide files from users.", - "event_ids": [ - "4688" - ], - "id": "3fc98f17-3322-83c7-6332-d7813d88d4f1", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.001", - "T1564" - ], - "title": "Hiding Files with Attrib.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection", - "event_ids": [ - "4688" - ], - "id": "c50000d8-b326-29d3-f4c2-7f15bb158633", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.004", - "T1564" - ], - "title": "Use NTFS Short Name in Image" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", - "event_ids": [ - "4688" - ], - "id": "7e7e5959-545c-8b4a-b17b-3ab2d88b6129", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1518.001", - "T1518" - ], - "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", - "event_ids": [ - "4688" - ], - "id": "e90d5723-9e13-61f4-569b-d8b4ac050c09", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047" - ], - "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of wmic to start or stop a service", - "event_ids": [ - "4688" - ], - "id": "36fe1761-03ba-cf23-48dc-4de20028381f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047" - ], - "title": "Service Started/Stopped Via Wmic.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of an AnyDesk binary with a version prior to 8.0.8.\nPrior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.\nUse this rule to detect instances of older versions of Anydesk using the compromised certificate\nThis is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.\n", - "event_ids": [ - "4688" - ], - "id": "2bd79a93-cca3-3280-f400-f38c499e263e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0001" - ], - "title": "Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", - "event_ids": [ - "4688" - ], - "id": "bedacc2c-35b3-fa81-61dc-a81f0369247e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], 
- "tags": [ - "TA0005", - "T1216" - ], - "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", - "event_ids": [ - "4688" - ], - "id": "1a42614f-8e9e-d03e-5c6e-b4003ed85cf7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1218" - ], - "title": "Arbitrary File Download Via PresentationHost.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)", - "event_ids": [ - "4688" - ], - "id": "f7b452f3-c372-03f2-644e-7be14a8e5b73", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1033", - "car.2016-03-001" - ], - "title": "WhoAmI as Parameter" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", - "event_ids": [ - "4688" - ], - "id": "b408292c-4fa0-410a-a192-4228c81af02e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1548.002", - "T1548" - ], - "title": "Explorer NOUACCHECK Flag" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", - "event_ids": [ - "4688" - ], - "id": "22698f6a-6197-0acb-d0f8-39939e9af18f", - "level": "medium", - "service": 
"", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1087", - "T1087.001", - "T1087.002" - ], - "title": "Suspicious Use of PsLogList" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious IIS native-code module installations via command line", - "event_ids": [ - "4688" - ], - "id": "144c93b7-e660-277e-cd3c-0141893803ea", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1505.003", - "T1505" - ], - "title": "IIS Native-Code Module Command Line Installation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel", - "event_ids": [ - "4688" - ], - "id": "2dca5a53-e0e7-287d-3c41-45e454bceadc", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1071.001", - "T1219", - "T1071" - ], - "title": "Visual Studio Code Tunnel Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects encoded base64 MZ header in the commandline", - "event_ids": [ - "4688" - ], - "id": "2c104dbe-603a-a438-f3a4-85ff1018ffc1", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Base64 MZ Header In CommandLine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"findstr\" with specific flags and a remote share path. 
This specific set of CLI flags would allow \"findstr\" to download the content of the file located on the remote share as described in the LOLBAS entry.\n", - "event_ids": [ - "4688" - ], - "id": "37b23b1a-fcb3-7612-9af9-bcb48f1877d7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0006", - "TA0011", - "T1218", - "T1564.004", - "T1552.001", - "T1105", - "T1564", - "T1552" - ], - "title": "Remote File Download Via Findstr.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects command line containing reference to the \"::$index_allocation\" stream, which can be used as a technique to prevent access to folders or files from tooling such as \"explorer.exe\" or \"powershell.exe\"\n", - "event_ids": [ - "4688" - ], - "id": "687991ec-6a52-9d7a-a775-7e80204757b3", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.004", - "T1564" - ], - "title": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects various execution patterns of the CrackMapExec pentesting framework", - "event_ids": [ - "4688" - ], - "id": "a4a76a8b-fc4f-2887-8edc-9a4d71e5c86b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047", - "T1053", - "T1059.003", - "T1059.001", - "attack.s0106", - "T1059" - ], - "title": "HackTool - CrackMapExec Execution Patterns" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. 
This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "event_ids": [ - "4688" - ], - "id": "bec3410f-d2b7-364a-dc0a-bef9eda222a0", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1574.001", - "T1574" - ], - "title": "Potential DLL Sideloading Via DeviceEnroller.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like \"C:\\windows\\system32\\davclnt.dll,DavSetCookie\".\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).\n", - "event_ids": [ - "4688" - ], - "id": "f84fbf6b-fa1f-71fb-e2ca-4f67b2451fe6", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010", - "T1048.003", - "T1048" - ], - "title": "WebDav Client Execution Via Rundll32.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "event_ids": [ - "4688" - ], - "id": "b37bf4b0-3cd7-a1dd-ca56-4af874660093", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1016" - ], - "title": "Suspicious Network Command" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "event_ids": [ - "4688" - ], - "id": "097acc6f-8384-1ffd-c4af-993cdf49dff6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0007", - 
"T1482", - "T1087", - "T1087.001", - "T1087.002", - "T1069.001", - "T1069.002", - "T1069", - "T1059.001", - "T1059" - ], - "title": "Malicious PowerShell Commandlets - ProcessCreation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", - "event_ids": [ - "4688" - ], - "id": "4f66eca2-1272-c8d1-d056-e903294b1046", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1033", - "car.2016-03-001" - ], - "title": "Whoami Utility Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "The OpenWith.exe executes other binary", - "event_ids": [ - "4688" - ], - "id": "2c25a504-0f86-ca3f-43e0-5a40240a81fd", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "OpenWith.exe Executes Specified Binary" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", - "event_ids": [ - "4688" - ], - "id": "a40c99d5-1323-f65d-73d1-ca673940b7b2", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0007", - "T1082", - "T1057", - "T1012", - "T1083", - "T1007" - ], - "title": "HackTool - PCHunter Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uncommon child process of Setres.EXE.\nSetres.EXE is a Windows server only process and tool that can be used to set the screen resolution.\nIt can potentially be abused in order to launch any arbitrary file with a name containing the word \"choice\" from the current 
execution path.\n", - "event_ids": [ - "4688" - ], - "id": "722c7611-6b69-b8f2-4972-c405ba40d9a7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "T1202" - ], - "title": "Uncommon Child Process Of Setres.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.\nSuccessful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.\n", - "event_ids": [ - "4688" - ], - "id": "b0559eb5-33e0-09c4-c9bb-88007b5981ca", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1068" - ], - "title": "HKTL - SharpSuccessor Privilege Escalation Tool Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools", - "event_ids": [ - "4688" - ], - "id": "a42438c9-7c08-7a7e-2791-43440efb6047", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0042", - "T1588.002", - "T1588" - ], - "title": "Potential Execution of Sysinternals Tools" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "event_ids": [ - "4688" - ], - "id": "1f76708c-e9a2-3032-ae39-9025038a90c4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1049", - "T1069.002", - "T1482", - "T1135", 
- "T1033", - "T1069" - ], - "title": "HackTool - SharpView Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.\n", - "event_ids": [ - "4688" - ], - "id": "b85ec837-2a0a-7e8d-e3cb-a5f960e625e5", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005" - ], - "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of Microsoft Quick Assist tool \"QuickAssist.exe\". This utility can be used by attackers to gain remote access.\n", - "event_ids": [ - "4688" - ], - "id": "7eddf245-1436-4062-e0cb-f656cda705b9", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1219.002", - "T1219" - ], - "title": "QuickAssist Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", - "event_ids": [ - "4688" - ], - "id": "cee773e9-972f-17a6-5cec-90899c703f16", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1218" - ], - "title": "Arbitrary File Download Via MSOHTMED.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.", - "event_ids": [ - "4688" - ], - "id": "bc5fbebe-3d3b-0833-ff7d-34a3c035c017", - "level": "medium", - 
"service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.010", - "T1218" - ], - "title": "Regsvr32 Execution From Potential Suspicious Location" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", - "event_ids": [ - "4688" - ], - "id": "bf85cbac-5a6f-8e8c-535a-0c786ee46919", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547" - ], - "title": "Suspicious GrpConv Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.\nAdversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.\nThis information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.\n", - "event_ids": [ - "4688" - ], - "id": "4bfb861e-7df2-1670-f8ba-15b3d32325bf", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047", - "TA0007", - "T1082" - ], - "title": "Potential Product Class Reconnaissance Via Wmic.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of a base64 encoded \"IEX\" cmdlet in a process command line", - "event_ids": [ - "4688" - ], - "id": "e53219c7-ae63-0b28-f372-3dc6d8b00829", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "PowerShell Base64 Encoded IEX Cmdlet" - }, - { - "category": 
"process_creation", - "channel": [ - "sec" - ], - "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", - "event_ids": [ - "4688" - ], - "id": "9db1274b-d76a-ecf1-8433-113dd1782631", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003" - ], - "title": "Capture Credentials with Rpcping.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", - "event_ids": [ - "4688" - ], - "id": "c7a2ef80-f915-79f0-1ce3-bf61d570a990", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.003", - "T1059" - ], - "title": "Operator Bloopers Cobalt Strike Modules" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", - "event_ids": [ - "4688" - ], - "id": "991e932e-5798-025f-120d-6f19994ad2a4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.001", - "T1003" - ], - "title": "HackTool - CrackMapExec Process Patterns" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", - "event_ids": [ - "4688" - ], - "id": "3c74726b-21b2-7edc-9091-a8cb4cd92eb0", - "level": 
"medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1574.011", - "T1574" - ], - "title": "Changing Existing Service ImagePath Value Via Reg.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"hh.exe\" to open \".chm\" files.", - "event_ids": [ - "4688" - ], - "id": "cb0503aa-0857-ee4c-cde4-211dcf7917f8", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.001", - "T1218" - ], - "title": "HH.EXE Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious PowerShell scripts accessing SAM hives", - "event_ids": [ - "4688" - ], - "id": "5400e5cd-e82b-a457-8209-7ea3515c05e4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.002", - "T1003" - ], - "title": "PowerShell SAM Copy" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", - "event_ids": [ - "4688" - ], - "id": "26de0206-5a40-c902-6fcf-8ab280a45735", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Potentially Suspicious Execution Of PDQDeployRunner" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory. 
This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.",
- "event_ids": [
- "4688"
- ],
- "id": "89dbe2e8-d793-a90f-ede7-4e29c886f987",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1087.002",
- "T1069.002",
- "T1482",
- "T1069",
- "T1087"
- ],
- "title": "Suspicious Active Directory Database Snapshot Via ADExplorer"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects nltest commands that can be used for information discovery",
- "event_ids": [
- "4688"
- ],
- "id": "b775be60-00d5-cb10-a24f-ba7f10563dcb",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1016",
- "T1482"
- ],
- "title": "Potential Recon Activity Via Nltest.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of various CLI utilities exfiltrating data via web requests",
- "event_ids": [
- "4688"
- ],
- "id": "245dab46-e862-0264-ae5c-a935a1f94160",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Potential Data Exfiltration Activity Via CommandLine Tools"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud",
- "event_ids": [
- "4688"
- ],
- "id": "74925938-de32-0417-5a62-b63a5d0dd01a",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "T1127",
- "T1059.007",
- "T1059"
- ],
- "title": "Node Process Executions"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the export of a crital Registry key to a file.",
- "event_ids": [
- "4688"
- ],
- "id": "d68e9dcc-21b3-418c-4d05-669b4d9c0511",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0010",
- "TA0007",
- "T1012"
- ],
- "title": "Exports Critical Registry Keys To a File"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files",
- "event_ids": [
- "4688"
- ],
- "id": "0922802a-a57f-bd7e-c635-64ffdf4824e9",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Suspicious File Execution From Internet Hosted WebDav Share"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe",
- "event_ids": [
- "4688"
- ],
- "id": "ae7a6aa8-b9bd-4f34-f72a-5e9d33e9098c",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005"
- ],
- "title": "NtdllPipe Like Activity Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"curl.exe\" with the \"--insecure\" flag.",
- "event_ids": [
- "4688"
- ],
- "id": "4308f710-0e58-712f-6781-9323b7dc779e",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "Insecure Transfer Via Curl.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the command line executed when TeamViewer starts a session started by a remote host.\nOnce a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.\n",
- "event_ids": [
- "4688"
- ],
- "id": "6ea28a10-22c9-94e3-ecf6-cd29b8bc75bd",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0001",
- "T1133"
- ],
- "title": "Remote Access Tool - Team Viewer Session Started On Windows Host"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of Windows Credential Editor (WCE)",
- "event_ids": [
- "4688"
- ],
- "id": "956c7de5-3b88-83e6-b1c1-c1d194e166d8",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003.001",
- "attack.s0005",
- "T1003"
- ],
- "title": "HackTool - Windows Credential Editor (WCE) Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of certutil with certain flags that allow the 
utility to download files.",
- "event_ids": [
- "4688"
- ],
- "id": "34fbd3e7-f286-812f-f5a0-61d77817a0b4",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027"
- ],
- "title": "Suspicious Download Via Certutil.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects wscript/cscript executions of scripts located in user directories",
- "event_ids": [
- "4688"
- ],
- "id": "4b713aaa-d275-9bdc-3492-6a1d3582348c",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.005",
- "T1059.007",
- "T1059"
- ],
- "title": "Potential Dropper Script Execution Via WScript/CScript"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Download and compress a remote file and store it in a cab file on local machine.",
- "event_ids": [
- "4688"
- ],
- "id": "4657b559-a0fa-d23b-e35c-9cde37b20f8c",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105"
- ],
- "title": "Suspicious Diantz Download and Compress Into a CAB File"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects file downloads directly from IP address URL using curl.exe",
- "event_ids": [
- "4688"
- ],
- "id": "4ed666e7-e78b-4b16-c4bd-1612077f0065",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "File Download From IP URL Via Curl.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to 
adversary controlled web servers.\n",
- "event_ids": [
- "4688"
- ],
- "id": "8dd79010-f068-2bb3-d92f-2545a02ba504",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1553.004",
- "T1553"
- ],
- "title": "New Root Certificate Installed Via Certutil.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware",
- "event_ids": [
- "4688"
- ],
- "id": "06d89cd2-498f-efd1-2df7-79500d0e99e0",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.004",
- "T1562"
- ],
- "title": "RDP Connection Allowed Via Netsh.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects scheduled task creations or modification on a suspicious schedule type",
- "event_ids": [
- "4688"
- ],
- "id": "03483409-2c67-3117-debd-eaa756713643",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1053.005",
- "T1053"
- ],
- "title": "Suspicious Schtasks Schedule Types"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it",
- "event_ids": [
- "4688"
- ],
- "id": "94e6ca30-ee68-9136-837c-513d6086ce6c",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003"
- ],
- "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious child processes of the Veeam service process. 
This could indicate potential RCE or SQL Injection.",
- "event_ids": [
- "4688"
- ],
- "id": "1cd7857a-df64-5472-b57d-5938f87f3e5c",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0001",
- "TA0003",
- "TA0004"
- ],
- "title": "Suspicious Child Process Of Veeam Dabatase"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly",
- "event_ids": [
- "4688"
- ],
- "id": "fb65baaf-fbef-b775-a0f1-03268c7e5fa5",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218.007",
- "T1218"
- ],
- "title": "Suspicious Msiexec Quiet Install From Remote Location"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)",
- "event_ids": [
- "4688"
- ],
- "id": "560853ca-0b24-2e95-ff72-810e13f675fa",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0004",
- "T1548.002",
- "T1548"
- ],
- "title": "UAC Bypass Using NTFS Reparse Point - Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege",
- "event_ids": [
- "4688"
- ],
- "id": "f4e44868-e934-1170-ff1e-dc154741e18b",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "T1548.002",
- "T1548"
- ],
- "title": "Always Install Elevated Windows Installer"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from 
disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n",
- "event_ids": [
- "4688"
- ],
- "id": "40457d53-1448-2b59-d171-3ec4d0c7e8b6",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0040",
- "T1485"
- ],
- "title": "Deleted Data Overwritten Via Cipher.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.",
- "event_ids": [
- "4688"
- ],
- "id": "ae6951e9-b0dd-cdaa-48f1-9c0ec91d0faf",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1219.002",
- "T1219"
- ],
- "title": "Remote Access Tool - AnyDesk Piped Password Via CLI"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"",
- "event_ids": [
- "4688"
- ],
- "id": "c748889d-9dac-b46a-4f1b-812efb97e670",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Service StartupType Change Via PowerShell Set-Service"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a code page switch in command line or batch scripts to a rare language",
- "event_ids": [
- "4688"
- ],
- "id": "cb1cfe0e-5561-53fd-9c94-ab43c3826cf5",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "T1036", - "TA0005" - ], - "title": "Suspicious CodePage Switch Via CHCP" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "event_ids": [ - "4688" - ], - "id": "47705ba8-0a49-a7e0-328a-4001dcc919a4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "T1548" - ], - "title": "UAC Bypass Using MSConfig Token Modification - Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects base64 encoded .NET reflective loading of Assembly", - "event_ids": [ - "4688" - ], - "id": "5b3bdcfc-fce3-bba8-39c8-ba8a4776d99e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "TA0005", - "T1027", - "T1620", - "T1059" - ], - "title": "PowerShell Base64 Encoded Reflective Assembly Load" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)", - "event_ids": [ - "4688" - ], - "id": "7516a7b1-84de-fe17-e375-6395aa84f270", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "TA0001", - "T1047", - "T1059.001", - "T1059.003", - "T1059.005", - "T1059.007", - "T1218", - "T1218.001", - "T1218.010", - "T1218.011", - "T1566", - "T1566.001", - "T1059" - ], - "title": "Suspicious HH.EXE Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential process patterns related to Cobalt Strike beacon activity", - "event_ids": [ - "4688" - ], - "id": "c78a9b49-3e9d-b00c-9e65-90d9f30bbe50", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - 
"tags": [ - "TA0002", - "T1059" - ], - "title": "Potential CobaltStrike Process Patterns" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "event_ids": [ - "4688" - ], - "id": "5557e23a-e632-646a-e8ae-d0a476f8cea4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Via Use Clip" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "event_ids": [ - "4688" - ], - "id": "fae361cc-c4b0-0935-1b15-79113e3f6198", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "T1548" - ], - "title": "UAC Bypass Using Consent and Comctl32 - Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the stopping of a Windows service via the \"net\" utility.", - "event_ids": [ - "4688" - ], - "id": "a0d8ce28-b409-13a0-c884-65166e1aa672", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1489" - ], - "title": "Stop Windows Service Via Net.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", - "event_ids": [ - "4688" - ], - "id": "e6b6d67d-434b-039b-029d-55391089a033", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0005", - "T1548.002", - "T1218.003", - "T1218", - "T1548" - ], - "title": "Bypass UAC via CMSTP" - 
},
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program",
- "event_ids": [
- "4688"
- ],
- "id": "226527e7-8837-a785-775d-0dfb86e3fa27",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1036"
- ],
- "title": "Suspicious Process Parents"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of WMIC with the \"format\" flag to potentially load XSL files.\nAdversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.\nExtensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.\n",
- "event_ids": [
- "4688"
- ],
- "id": "d90fcd50-5835-4b80-6d1a-c708404a142c",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1220"
- ],
- "title": "XSL Script Execution Via WMIC.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"",
- "event_ids": [
- "4688"
- ],
- "id": "fbf93b53-f074-9501-418b-f1d43360e2cb",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Lolbin Unregmp2.exe Use As Proxy"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.",
- "event_ids": [
- "4688"
- ],
- "id": "f2a1b260-bd4a-52e8-6aea-b4ce040025e5",
- "level": "high",
- "service": "",
- "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "File Download Using Notepad++ GUP Utility" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", - "event_ids": [ - "4688" - ], - "id": "22cc197f-f74f-a4e3-7021-a3b56dee5864", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047" - ], - "title": "Potential Product Reconnaissance Via Wmic.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects changes to the \"DisableRestrictedAdmin\" registry value in order to disable or enable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "event_ids": [ - "4688" - ], - "id": "ab4d23c2-9f69-e6fd-d546-041e823f0147", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "RestrictedAdminMode Registry Value Tampering - ProcCreation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", - "event_ids": [ - "4688" - ], - "id": "0ac2cb1c-3284-c46e-dd61-1fd81302ad3c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1552.004", - "T1552" - ], - "title": "PowerShell Get-Process LSASS" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of winget to add 
new potentially suspicious download sources",
- "event_ids": [
- "4688"
- ],
- "id": "c9b38950-be40-a8b2-9d01-5912034351f3",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "T1059"
- ],
- "title": "Add Potential Suspicious New Download Source To Winget"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation",
- "event_ids": [
- "4688"
- ],
- "id": "65bb4129-82c6-f4f5-d2e1-7089e8799d2e",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1070.005",
- "T1070"
- ],
- "title": "Unmount Share Via Net.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Office application called wmic to proxye execution through a LOLBIN process. 
This is often used to break suspicious parent-child chain (Office app spawns LOLBin).",
- "event_ids": [
- "4688"
- ],
- "id": "0e524b9d-1e47-2065-5827-2b8d0125307c",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "T1204.002",
- "T1047",
- "T1218.010",
- "TA0002",
- "TA0005",
- "T1218",
- "T1204"
- ],
- "title": "Suspicious WMIC Execution Via Office Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.",
- "event_ids": [
- "4688"
- ],
- "id": "a3bc9093-f23e-f622-8deb-a18609cc33d8",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0003",
- "TA0004",
- "TA0006",
- "TA0007",
- "T1047",
- "T1053",
- "T1059.003",
- "T1059.001",
- "T1110",
- "T1201",
- "T1059"
- ],
- "title": "HackTool - CrackMapExec Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.",
- "event_ids": [
- "4688"
- ],
- "id": "e158c0fd-66a1-71d4-8c4c-0728569ed574",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1216"
- ],
- "title": "UtilityFunctions.ps1 Proxy Dll"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin",
- "event_ids": [
- "4688"
- ],
- "id": "a4547750-0b4d-019c-4808-0da01680cddb",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1547"
- ],
- "title": "Suspicious Driver Install by pnputil.exe"
- },
- {
- "category": "process_creation", - 
"channel": [
- "sec"
- ],
- "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)",
- "event_ids": [
- "4688"
- ],
- "id": "fc5c47f8-9b56-8d98-de6d-cd2b31c648f1",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Suspicious Encoded PowerShell Command Line"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata",
- "event_ids": [
- "4688"
- ],
- "id": "b23c27a3-ce02-1abb-0aa3-f1376bd9d0bd",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0004",
- "T1548.002",
- "T1548"
- ],
- "title": "HackTool - UACMe Akagi Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "load malicious registered COM objects",
- "event_ids": [
- "4688"
- ],
- "id": "a405c36d-82ac-5145-4a6a-8451f4ed7205",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "TA0003",
- "T1546.015",
- "T1546"
- ],
- "title": "Rundll32 Registered COM Objects"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application\nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n",
- "event_ids": [
- "4688"
- ],
- "id": "f671b855-3ea9-045a-c84d-36fc3884e2c7",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0003",
- "TA0002",
- "T1574.001",
- "T1574"
- ],
- "title": "Tasks Folder Evasion"
- },
- 
{
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Well-known DNS Exfiltration tools execution",
- "event_ids": [
- "4688"
- ],
- "id": "e44a6a45-107b-0cdb-3b8a-61b2e33d55d7",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0010",
- "T1048.001",
- "TA0011",
- "T1071.004",
- "T1132.001",
- "T1048",
- "T1132",
- "T1071"
- ],
- "title": "DNS Exfiltration and Tunneling Tools Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL",
- "event_ids": [
- "4688"
- ],
- "id": "ae9cee89-1554-68ec-26d5-616c9e234796",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1574.001",
- "T1574"
- ],
- "title": "DLL Sideloading by VMware Xfer Utility"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section",
- "event_ids": [
- "4688"
- ],
- "id": "1f9094b1-f522-539a-f715-fd13acf3cd22",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0005",
- "T1542.001",
- "T1542"
- ],
- "title": "UEFI Persistence Via Wpbbin - ProcessCreation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)",
- "event_ids": [
- "4688"
- ],
- "id": "01184351-0c59-01e2-23f8-68eb74e51558",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1555.004",
- "T1555"
- ],
- "title": "Suspicious Key 
Manager Access"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files",
- "event_ids": [
- "4688"
- ],
- "id": "737bbf5e-7b83-3600-ebcc-76fd8f9c65ef",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1564.001",
- "T1564"
- ],
- "title": "Use Icacls to Hide File to Everyone"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects PowerShell script execution via input stream redirect",
- "event_ids": [
- "4688"
- ],
- "id": "112d0b77-1699-f5e9-45f6-7e80e17de0a0",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "T1059"
- ],
- "title": "Run PowerShell Script from Redirected Input Stream"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary",
- "event_ids": [
- "4688"
- ],
- "id": "09d5f483-1225-411f-dfcc-1fa1550bd9a6",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0006",
- "T1036",
- "T1003.001",
- "T1003"
- ],
- "title": "Suspicious DumpMinitool Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potential RDP Session Hijacking activity on Windows systems",
- "event_ids": [
- "4688"
- ],
- "id": "679db9c2-6669-dc7b-3b9c-a20f4d600b28",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "Potential RDP Session Hijacking Activity"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of \"wmic\" with the \"group\" 
flag.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n",
- "event_ids": [
- "4688"
- ],
- "id": "17babac2-1f37-4875-6354-a2ba383af162",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1069.001",
- "T1069"
- ],
- "title": "Local Groups Reconnaissance Via Wmic.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys",
- "event_ids": [
- "4688"
- ],
- "id": "c4e3bdbb-aa79-5067-6b21-87a8fa83ae97",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1112",
- "T1562.001",
- "T1562"
- ],
- "title": "Reg Add Suspicious Paths"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of Microsoft bash launcher with the \"-c\" flag.\nThis can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.\n",
- "event_ids": [
- "4688"
- ],
- "id": "6068456f-1654-f0e0-1573-add14847b216",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1202"
- ],
- "title": "Indirect Inline Command Execution Via Bash.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"",
- "event_ids": [
- "4688"
- ],
- "id": "ee690e64-5c3d-8ec8-e9eb-fd7af8b36bf0",
- "level": "medium",
- 
"service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Service StartupType Change Via Sc.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function",
- "event_ids": [
- "4688"
- ],
- "id": "802f2f6f-fab8-e8d2-bb45-6ad7a2f8f4a7",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218.007",
- "T1218"
- ],
- "title": "DllUnregisterServer Function Call Via Msiexec.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the usage of the \"Squirrel.exe\" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)\n",
- "event_ids": [
- "4688"
- ],
- "id": "48279b22-db22-17e5-5146-824c1f8d07db",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "T1218"
- ],
- "title": "Arbitrary File Download Via Squirrel.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. 
seen in Iranian MeteorExpress related attacks",
- "event_ids": [
- "4688"
- ],
- "id": "f8095356-407c-fb04-afa9-b637495e8d2b",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Potentially Suspicious Cabinet File Expansion"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.",
- "event_ids": [
- "4688"
- ],
- "id": "532fbfdd-28df-ea62-93c5-a2d9f558f9d7",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0003",
- "TA0004",
- "attack.s0111",
- "attack.g0022",
- "attack.g0060",
- "car.2013-08-001",
- "T1053.005",
- "T1059.001",
- "T1053",
- "T1059"
- ],
- "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a suspicious script execution in temporary folders or folders accessible by environment variables",
- "event_ids": [
- "4688"
- ],
- "id": "962dcd71-b0d7-ad49-1fe6-2966daf7a411",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059"
- ],
- "title": "Script Interpreter Execution From Suspicious Folder"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects an uncommon parent process of \"LINK.EXE\".\nLink.EXE in Microsoft incremental linker. 
Its a utility usually bundled with Visual Studio installation.\nMultiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the \"LINK.EXE\" binary without checking its validity.\nThis would allow an attacker to sideload any binary with the name \"link.exe\" if one of the aforementioned tools get executed from a different location.\nBy filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.\n",
- "event_ids": [
- "4688"
- ],
- "id": "f2200f88-34e8-ad86-b006-fc01b177fad9",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Uncommon Link.EXE Parent Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against",
- "event_ids": [
- "4688"
- ],
- "id": "b2376187-e8e7-aeeb-fb7e-7636ad9dadc9",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1110.002",
- "T1110"
- ],
- "title": "HackTool - Hashcat Password Cracker Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.",
- "event_ids": [
- "4688"
- ],
- "id": "e20cb030-7e44-e3e0-0314-4f07eae201d0",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027.004",
- "T1027"
- ],
- "title": "Dynamic .NET Compilation Via Csc.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of \"ProtocolHandler\" to download files. 
Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)\n",
- "event_ids": [
- "4688"
- ],
- "id": "40508368-741e-4fc4-bc48-e76128b330d2",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "File Download Using ProtocolHandler.exe"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects certain command line parameters often used during reconnaissance activity via web shells",
- "event_ids": [
- "4688"
- ],
- "id": "b89edd67-19bc-8e17-7967-2c47614dadee",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0007",
- "T1505.003",
- "T1018",
- "T1033",
- "T1087",
- "T1505"
- ],
- "title": "Webshell Detection With Command Line Keywords"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious process run from unusual locations",
- "event_ids": [
- "4688"
- ],
- "id": "1e2a7e53-8c4f-8c72-f7cc-26dca620d1c8",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1036",
- "car.2013-05-002"
- ],
- "title": "Suspicious Process Start Locations"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. 
As seen used by HAFNIUM and APT27",
- "event_ids": [
- "4688"
- ],
- "id": "e51338a7-866e-5cc3-f8f9-7b12fc3aa56b",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "TA0009",
- "T1114",
- "T1059"
- ],
- "title": "Exchange PowerShell Snap-Ins Usage"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious and uncommon child processes of WmiPrvSE",
- "event_ids": [
- "4688"
- ],
- "id": "19090407-d63d-5d05-f03e-f254980d972c",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0005",
- "T1047",
- "T1204.002",
- "T1218.010",
- "T1204",
- "T1218"
- ],
- "title": "Suspicious WmiPrvSE Child Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.\nThis technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.\n",
- "event_ids": [
- "4688"
- ],
- "id": "c833260b-e625-9fc5-e600-302e176fb76e",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "TA0007",
- "T1552"
- ],
- "title": "Potentially Suspicious EventLog Recon Activity Using Log Query Utilities"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. 
This technique is often used as a method to load malicious content into memory afterward.",
- "event_ids": [
- "4688"
- ],
- "id": "d4107fed-b19a-c873-993e-db24e6528e9f",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1132.001",
- "T1132"
- ],
- "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of a specific OneLiner to download and execute powershell modules in memory.",
- "event_ids": [
- "4688"
- ],
- "id": "5656cdf4-b7e5-dbcf-3fc4-2d935d5999cd",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "T1059.001",
- "T1562.001",
- "T1059",
- "T1562"
- ],
- "title": "Obfuscated PowerShell OneLiner Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants",
- "event_ids": [
- "4688"
- ],
- "id": "55fe02b2-c0a4-cac3-dc5e-e79d58f78620",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059"
- ],
- "title": "HackTool - Sliver C2 Implant Activity Pattern"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).\nThis can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.\n",
- "event_ids": [
- "4688"
- ],
- "id": "3becf1a9-6869-2795-e158-31485eae103f",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1552.001",
- "T1552"
- ],
- "title": "Potential PowerShell 
Console History Access Attempt via History File"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects audio capture via PowerShell Cmdlet.",
- "event_ids": [
- "4688"
- ],
- "id": "3b83d907-4a3c-e167-7892-6f19c85d3edd",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0009",
- "T1123"
- ],
- "title": "Audio Capture via PowerShell"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of reg.exe to export registry paths associated with third-party credentials.\nCredential stealers have been known to use this technique to extract sensitive information from the registry.\n",
- "event_ids": [
- "4688"
- ],
- "id": "c870786e-ac3c-7be8-93ba-79705472c787",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1552.002",
- "T1552"
- ],
- "title": "Registry Export of Third-Party Credentials"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters",
- "event_ids": [
- "4688"
- ],
- "id": "812c76e3-a745-515e-484b-d64d6f64c779",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1546.003",
- "T1546"
- ],
- "title": "WMI Backdoor Exchange Transport Agent"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy",
- "event_ids": [
- "4688"
- ],
- "id": "0a1228c0-6754-8156-d07f-6aa2daece740",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Gpscript Execution"
- },
- {
- "category": 
"process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects nltest commands that can be used for information discovery",
- "event_ids": [
- "4688"
- ],
- "id": "b5e72364-d1d6-72a1-ec13-abf98d0aaa74",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1016",
- "T1018",
- "T1482"
- ],
- "title": "Nltest.EXE Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter",
- "event_ids": [
- "4688"
- ],
- "id": "6b169ef1-e760-a417-0794-dc36e56ea984",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service",
- "event_ids": [
- "4688"
- ],
- "id": "83e16972-fa32-9c0e-e39d-25254c56a9ff",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1555",
- "cve.2021-35211"
- ],
- "title": "Suspicious Serv-U Process Pattern"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects ScreenConnect program starts that establish a remote access to a system.",
- "event_ids": [
- "4688"
- ],
- "id": "16e1adf7-4ed1-54b8-0031-41fd83c53349",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0001",
- "T1133"
- ],
- "title": "Remote Access Tool - ScreenConnect Installation Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of 
\"forfiles\" with the \"/c\" flag.\nWhile this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.\nCan be used to bypass application whitelisting.\n",
- "event_ids": [
- "4688"
- ],
- "id": "140c6c67-8cac-1d16-5654-bf2221dc7542",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059"
- ],
- "title": "Forfiles Command Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects when a user downloads a file by using CertOC.exe",
- "event_ids": [
- "4688"
- ],
- "id": "ae801fc7-f16f-247e-f3da-918f64136e9d",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105"
- ],
- "title": "File Download via CertOC.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"odbcconf\" with the \"-f\" flag in order to load a response file which might contain a malicious action.",
- "event_ids": [
- "4688"
- ],
- "id": "711f2e81-bb48-8eaf-84ad-7a331ee0cd95",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218.008",
- "T1218"
- ],
- "title": "Response File Execution Via Odbcconf.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of \"rar\" to add files to an archive for potential compression. An adversary may compress data (e.g. 
sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.",
- "event_ids": [
- "4688"
- ],
- "id": "4033fb39-b0df-89aa-584b-12d73c5e5bd6",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0009",
- "T1560.001",
- "T1560"
- ],
- "title": "Files Added To An Archive Using Rar.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet",
- "event_ids": [
- "4688"
- ],
- "id": "2c2b3870-6e31-b098-9771-e14231da412e",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Tamper Windows Defender Remove-MpPreference"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters",
- "event_ids": [
- "4688"
- ],
- "id": "18739cbf-55f7-1dda-7985-1f08fc87ea5f",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1526",
- "T1087",
- "T1083"
- ],
- "title": "PUA - Seatbelt Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. 
This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.",
- "event_ids": [
- "4688"
- ],
- "id": "96fd693f-cd31-d232-84e6-212a9dd1c530",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105"
- ],
- "title": "File Download From Browser Process Via Inline URL"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious command lines used in Covenant luanchers",
- "event_ids": [
- "4688"
- ],
- "id": "12b4859c-0eeb-091f-3b96-09ffcd5e9a9a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0005",
- "T1059.001",
- "T1564.003",
- "T1564",
- "T1059"
- ],
- "title": "HackTool - Covenant PowerShell Launcher"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability",
- "event_ids": [
- "4688"
- ],
- "id": "c94695cb-a047-b9fd-ad81-7c51224d6fd0",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218",
- "TA0002"
- ],
- "title": "Execute Pcwrun.EXE To Leverage Follina"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains",
- "event_ids": [
- "4688"
- ],
- "id": "ec21a11c-311b-e205-6bb5-57d26e408fcb",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Suspicious PowerShell Encoded Command Patterns"
- },
- {
- "category": "process_creation",
- "channel": [ 
- "sec"
- ],
- "description": "Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.",
- "event_ids": [
- "4688"
- ],
- "id": "6e3409a5-e74b-e405-2f94-d7be95561e7e",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "File Encryption/Decryption Via Gpg4win From Suspicious Locations"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells",
- "event_ids": [
- "4688"
- ],
- "id": "b5028244-965b-dd46-d698-f480c7c963e5",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0007",
- "T1505.003",
- "T1018",
- "T1033",
- "T1087",
- "T1505"
- ],
- "title": "Chopper Webshell Process Pattern"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects file execution using the msdeploy.exe lolbin",
- "event_ids": [
- "4688"
- ],
- "id": "c0cc4271-ed56-6236-e21a-e9db92f30d97",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Execute Files with Msdeploy.exe"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. 
Which is fairly uncommon and could indicate potential suspicious activity",
- "event_ids": [
- "4688"
- ],
- "id": "ebcee1df-9cac-a989-982c-08e181e9d5a8",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns",
- "event_ids": [
- "4688"
- ],
- "id": "452b2159-5e6e-c494-63b9-b385d6195f58",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0001",
- "T1566.001",
- "T1566"
- ],
- "title": "Suspicious Double Extension File Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access",
- "event_ids": [
- "4688"
- ],
- "id": "b3de6fc6-2aa5-32aa-2172-7e989f524bb1",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105"
- ],
- "title": "Suspicious Invoke-WebRequest Execution With DirectIP"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"rundll32\" calling \"advpack.dll\" with potential obfuscated ordinal calls in order to leverage the \"RegisterOCX\" function",
- "event_ids": [
- "4688"
- ],
- "id": "afdc65aa-8680-da5e-c417-fc0432a76cd1",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005"
- ],
- "title": "Suspicious Advpack Call Via Rundll32.EXE"
- },
- {
- "category": "process_creation",
- 
"channel": [
- "sec"
- ],
- "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples",
- "event_ids": [
- "4688"
- ],
- "id": "be028779-def3-3fc8-e466-1ed868806e63",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0004",
- "cve.2023-21746"
- ],
- "title": "HackTool - LocalPotato Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability",
- "event_ids": [
- "4688"
- ],
- "id": "835eeb0d-312a-9bdf-62f1-ae4e172e57cb",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1202"
- ],
- "title": "Potential Arbitrary Command Execution Using Msdt.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')",
- "event_ids": [
- "4688"
- ],
- "id": "132686cd-ea41-e5c8-8c22-5211ea3bfb5d",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005"
- ],
- "title": "Remote Access Tool - NetSupport Execution From Unusual Location"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. 
An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.\n", - "event_ids": [ - "4688" - ], - "id": "5139400c-0a53-d802-9187-cd5a90a2b9d5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Uncommon AddinUtil.EXE CommandLine Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", - "event_ids": [ - "4688" - ], - "id": "5c8771ec-db48-4d8e-8701-02680fde2531", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1615" - ], - "title": "Gpresult Display Group Policy Information" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. 
This is often used by pentester and attacker enumeration scripts", - "event_ids": [ - "4688" - ], - "id": "1bc24d28-b7b8-e116-11bd-46368cdb03ac", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047" - ], - "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", - "event_ids": [ - "4688" - ], - "id": "17d5818d-8b83-0d06-600a-d4adc1b2f136", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002" - ], - "title": "Wab/Wabmig Unusual Parent Or Child Processes" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", - "event_ids": [ - "4688" - ], - "id": "039cf906-44b1-1f3a-cc07-9f2cf592d320", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1486" - ], - "title": "Suspicious Reg Add BitLocker" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "event_ids": [ - "4688" - ], - "id": "683820e7-ec9c-fd2b-4e30-d67656765081", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Potential Suspicious Windows Feature Enabled - 
ProcCreation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential arbitrary file download using a Microsoft Office application", - "event_ids": [ - "4688" - ], - "id": "16ff576e-457b-7067-2eac-58bb28e7a9dd", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1202" - ], - "title": "Potential Arbitrary File Download Using Office Application" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the builtin \"del\"/\"erase\" commands in order to delete files.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", - "event_ids": [ - "4688" - ], - "id": "2e35d215-673f-ecff-67ad-c9fc3e4ffb87", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1070.004", - "T1070" - ], - "title": "File Deletion Via Del" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", - "event_ids": [ - "4688" - ], - "id": "9c2f40db-46e4-85f0-3104-427e61b344a1", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Suspicious Program Names" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", - "event_ids": 
[ - "4688" - ], - "id": "5054d08a-687f-e98a-b2ca-ebbe7e3035b0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0004", - "T1546.008", - "T1546" - ], - "title": "Suspicious Debugger Registration Cmdline" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the Installation of a Exchange Transport Agent", - "event_ids": [ - "4688" - ], - "id": "5bc86f64-e263-f14b-6525-bacad0b088ad", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1505.002", - "T1505" - ], - "title": "MSExchange Transport Agent Installation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.\nAttackers could instantiate an instance of \"wusa.exe\" in order to bypass User Account Control (UAC). 
They can duplicate the access token from \"wusa.exe\" to gain elevated privileges.\n", - "event_ids": [ - "4688" - ], - "id": "12bc26c7-41c4-101d-3d26-8419d0725870", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Wusa.EXE Executed By Parent Process Located In Suspicious Location" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "event_ids": [ - "4688" - ], - "id": "2b62781d-0af4-f828-f915-7b0039020526", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1219.002", - "T1219" - ], - "title": "Remote Access Tool - Simple Help Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", - "event_ids": [ - "4688" - ], - "id": "77303e46-58e3-05a8-24a1-2274aa37201c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1556.002", - "T1556" - ], - "title": "Dropping Of Password Filter DLL" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) 
which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.\n", - "event_ids": [ - "4688" - ], - "id": "3e94a11b-52b5-7f93-d623-5ba15ab8f4aa", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Uncommon Child Process Of AddinUtil.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", - "event_ids": [ - "4688" - ], - "id": "ccbdac70-917f-7393-ee60-cc1586b03137", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0004", - "T1543.003", - "T1543" - ], - "title": "Suspicious New Service Creation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. 
As seen being used in some ransomware scripts\n", - "event_ids": [ - "4688" - ], - "id": "dc6be7ef-4455-6b20-2304-ef99f8413cbf", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0040", - "T1489", - "T1562.001", - "T1562" - ], - "title": "Suspicious Windows Service Tampering" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious script executions from temporary folder", - "event_ids": [ - "4688" - ], - "id": "18f506e1-2726-f3fa-8429-f7b06ce69825", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Suspicious Script Execution From Temp Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", - "event_ids": [ - "4688" - ], - "id": "d2fc7f9b-7773-8c83-5bf3-d977a655e6e0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036" - ], - "title": "Taskmgr as LOCAL_SYSTEM" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects possible password spraying attempts using Dsacls", - "event_ids": [ - "4688" - ], - "id": "3dce4add-2a09-340f-3b2e-5d79b18a4adb", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Potential Password Spraying Attempt Using Dsacls.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", - "event_ids": [ - "4688" - ], - "id": "7d6acc1b-aef6-8fb8-8b37-50e258273f6a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Net WebClient Casing Anomalies" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.\n", - "event_ids": [ - "4688" - ], - "id": "9610d848-8049-b860-c3ee-235db9eccfc4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Suspicious Uninstall of Windows Defender Feature via PowerShell" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse", - "event_ids": [ - "4688" - ], - "id": "c60e39f2-5135-0c04-8c79-a2730ff4a37a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1548.002", - "T1548" - ], - "title": "PowerShell Web Access Feature Enabled Via DISM" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. 
Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", - "event_ids": [ - "4688" - ], - "id": "655cb0fd-79c4-949b-b842-e1fcf2e1e527", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1072", - "TA0005", - "T1218" - ], - "title": "Suspicious Csi.exe Usage" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)", - "event_ids": [ - "4688" - ], - "id": "095ae799-3f3b-554f-3c83-f8d48e711e72", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "TA0003", - "TA0004" - ], - "title": "Suspicious Processes Spawned by Java.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", - "event_ids": [ - "4688" - ], - "id": "b176b53d-4619-d65f-baf1-b3a4f1ec0b12", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1216.001", - "T1216" - ], - "title": "Pubprn.vbs Proxy Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect attacker collecting audio via SoundRecorder application.", - "event_ids": [ - "4688" - ], - "id": "ebef59bf-5a12-af67-8a95-a282ae4bdaf6", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1123" - ], - "title": "Audio Capture via SoundRecorder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 
10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", - "event_ids": [ - "4688" - ], - "id": "ea83af54-6f44-4f59-df6c-6d8669775fcd", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1204", - "T1566.001", - "TA0002", - "TA0001", - "T1566" - ], - "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", - "event_ids": [ - "4688" - ], - "id": "3682c181-3b54-0cf3-cfdb-1d800bb7b125", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.002", - "T1562" - ], - "title": "Disable Windows IIS HTTP Logging" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious file downloads from file sharing domains using wget.exe", - "event_ids": [ - "4688" - ], - "id": "85360622-4657-c400-b38e-9dc13bdb53f6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Suspicious File Download From File Sharing Domain Via Wget.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", - "event_ids": [ - "4688" - ], - "id": "042378e6-098f-7fa7-3390-6dea36ffe86a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036" - ], - "title": "Explorer Process Tree Break" - }, - { - "category": 
"process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords.\nThis was seen being used in combination with \"icacls\" and other utilities to spot misconfigured files or folders permissions.\n", - "event_ids": [ - "4688" - ], - "id": "6cf859b8-6805-3164-4f58-acb0feb11cbf", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1552.006", - "T1552" - ], - "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.\nThe database might contain authentication tokens and other sensitive information about the logged in accounts.\n", - "event_ids": [ - "4688" - ], - "id": "d1521b48-cb82-dd9a-0d90-4e3a69b29fb2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1528" - ], - "title": "Potentially Suspicious Command Targeting Teams Sensitive Files" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spawned by an \"svchost.exe\" process", - "event_ids": [ - "4688" - ], - "id": "f9884b6b-0ac3-139d-1ebe-a5587c9a51fd", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.005", - "T1218" - ], - "title": "Potential LethalHTA Technique Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", - "event_ids": [ - "4688" - ], - "id": "0114b671-6245-50f6-97b3-693945ab45cc", - "level": "high", - "service": "", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", - "event_ids": [ - "4688" - ], - "id": "1e03e881-94a8-1c6c-d90d-47c97d22bb89", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1070.004", - "T1070" - ], - "title": "Suspicious Ping/Del Command Combination" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects addition of users to the local administrator group via \"Net\" or \"Add-LocalGroupMember\".", - "event_ids": [ - "4688" - ], - "id": "dd05faca-794f-ae1f-a880-bb0237d1443f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1098" - ], - "title": "User Added to Local Administrators Group" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "event_ids": [ - "4688" - ], - "id": "612594ec-e080-cbd7-b223-76411581dea7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation VAR+ Launcher" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", - "event_ids": [ - "4688" - ], - "id": "17bc9aa9-eb49-a701-4cab-cbcaea111644", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1018", - "T1087.002", - "T1482", - "T1069.002", - "T1069", - "T1087" - ], - "title": "Renamed AdFind Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", - "event_ids": [ - "4688" - ], - "id": "471f9aca-34da-a143-18bc-d54d121778dd", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "DLL Loaded via CertOC.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious processes including shells spawnd from WinRM host process", - "event_ids": [ - "4688" - ], - "id": "7d84c2d9-4528-bdae-4cc2-945948102cbd", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1190", - "TA0001", - "TA0003", - "TA0004" - ], - "title": "Suspicious Processes Spawned by WinRM" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", - "event_ids": [ - "4688" - ], - "id": "31ca06b4-e4e7-1456-557e-809415680296", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1218.005", - "T1218" - ], - "title": "Remotely Hosted HTA File Executed Via Mshta.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - 
"description": "Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.\n", - "event_ids": [ - "4688" - ], - "id": "dd16066a-afda-2bf2-7735-9dbc86c6cd0a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003", - "T1547.001", - "T1047", - "T1547" - ], - "title": "Suspicious Autorun Registry Modified via WMI" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Attackers may leverage fsutil to enumerated connected drives.", - "event_ids": [ - "4688" - ], - "id": "0521efb1-8519-4e3b-16a4-d3b360abc475", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1120" - ], - "title": "Fsutil Drive Enumeration" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of python using the \"-c\" flag. This is could be used as a way to launch a reverse shell or execute live python code.", - "event_ids": [ - "4688" - ], - "id": "65188275-2c87-e92b-f463-550b550ef7f5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Python Inline Command Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", - "event_ids": [ - "4688" - ], - "id": "912866aa-0cd5-dcb6-e1d4-a0b6cbbdc575", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027.005", - "T1027" - ], - "title": "PUA - DefenderCheck Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when a user downloads a file from an IP based URL using CertOC.exe", - "event_ids": [ - "4688" - ], - "id": "67db6bcf-cb5b-3e0b-2ba8-4afd9e5ca3a8", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "TA0002", - "T1105" - ], - "title": "File Download From IP Based URL Via CertOC.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of msiexec.exe from an uncommon directory", - "event_ids": [ - "4688" - ], - "id": "c043e0b2-a5f8-ebe1-e99b-54303aa6f2ad", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036.005", - "T1036" - ], - "title": "Potential MsiExec Masquerading" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name", - "event_ids": [ - "4688" - ], - "id": "61427f33-35de-ec51-6afd-e44b8ccf9023", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036", - "T1003.001", - "TA0006", - "T1003" - ], - "title": "Potential SysInternals ProcDump Evasion" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects MMC20.Application Lateral 
Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", - "event_ids": [ - "4688" - ], - "id": "57e2b3e2-fb28-0497-4729-aa536a2a5089", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0008", - "T1021.003", - "T1021" - ], - "title": "MMC20 Lateral Movement" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", - "event_ids": [ - "4688" - ], - "id": "686228e1-28f8-b922-43d9-3b2fb663b67e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1021.002", - "T1570", - "TA0002", - "T1569.002", - "T1021", - "T1569" - ], - "title": "Rundll32 Execution Without Parameters" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. 
This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", - "event_ids": [ - "4688" - ], - "id": "82956673-bd55-9f29-96a4-e5bdd4083071", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", - "event_ids": [ - "4688" - ], - "id": "e96c2fac-d250-ed6f-8382-328d4faa876d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0042", - "T1587.001", - "TA0002", - "T1569.002", - "T1587", - "T1569" - ], - "title": "PUA - CsExec Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "event_ids": [ - "4688" - ], - "id": "a7e6a51e-0f36-3f14-8b9b-12110ce23ff3", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1553.004", - "T1553" - ], - "title": "Root Certificate Installed From Susp Locations" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects possible search for JWT tokens via CLI by looking for the string \"eyJ0eX\" or \"eyJhbG\".\nThis string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps.\n", - "event_ids": [ - "4688" - ], - "id": "9040711a-5958-aed6-ca57-ab80997eb33c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1528" - ], - "title": "Potentially Suspicious JWT 
Token Search Via CLI" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "event_ids": [ - "4688" - ], - "id": "e9206567-a61e-a398-07ce-db2684eef47d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "TA0005", - "T1127", - "T1059" - ], - "title": "SQL Client Tools PowerShell Session Detection" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the \"cloudflared\" binary from a non standard location.\n", - "event_ids": [ - "4688" - ], - "id": "c757a371-d2db-6f87-21a1-9951c4a5e35a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1090.001", - "T1090" - ], - "title": "Cloudflared Portable Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a potentially suspicious execution from an uncommon folder.", - "event_ids": [ - "4688" - ], - "id": "a9dad077-e2f9-a739-8ac0-eb0e6dcbdebb", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036" - ], - "title": "Process Execution From A Potentially Suspicious Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious child processes of a ClickOnce deployment application", - "event_ids": [ - "4688" - ], - "id": "66a0246c-c8ba-1f83-d729-7de76ec64ee7", - "level": "medium", - "service": "", - "subcategory_guids": [ 
- "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005" - ], - "title": "Potentially Suspicious Child Process Of ClickOnce Application" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects calls to \"SyncInvoke\" that is part of the \"CL_Invocation.ps1\" script to proxy execution using \"System.Diagnostics.Process\"", - "event_ids": [ - "4688" - ], - "id": "8b1a1dbd-8084-e219-f9ee-15c286aab6c9", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1216" - ], - "title": "Potential Process Execution Proxy Via CL_Invocation.ps1" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uncommon \"conhost\" child processes. This could be a sign of \"conhost\" usage as a LOLBIN or potential process injection activity.", - "event_ids": [ - "4688" - ], - "id": "36f17029-664a-9448-86bb-81a24da07e7e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1202" - ], - "title": "Uncommon Child Process Of Conhost.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", - "event_ids": [ - "4688" - ], - "id": "65dc2fc6-8f96-eccf-0cba-714a1f3af110", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Suspicious Invoke-WebRequest Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Use of the commandline to shutdown or reboot windows", - "event_ids": [ - "4688" - ], - "id": "b74fe142-8535-448b-b2ff-c6de4a5a5133", - "level": "medium", - "service": "", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0040",
- "T1529"
- ],
- "title": "Suspicious Execution of Shutdown"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of Dsacls to grant over permissive permissions",
- "event_ids": [
- "4688"
- ],
- "id": "a81385de-1365-3d8d-2778-5d914a66d61e",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension",
- "event_ids": [
- "4688"
- ],
- "id": "8974c35e-3161-6538-c0ef-b12e467718a7",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1176.001",
- "T1176"
- ],
- "title": "Chromium Browser Instance Executed With Custom Extension"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n",
- "event_ids": [
- "4688"
- ],
- "id": "bc5cba6d-bdf9-70db-83d3-ffea696528e5",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027"
- ],
- "title": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for 
staging purposes",
- "event_ids": [
- "4688"
- ],
- "id": "d9100b89-baa5-8f0b-5a28-90217fe41a0f",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059"
- ],
- "title": "Suspicious Greedy Compression Using Rar.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.",
- "event_ids": [
- "4688"
- ],
- "id": "d6a4c9bc-d5cf-bd43-fc5b-0a8b0a3c125f",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0005",
- "T1219"
- ],
- "title": "Suspicious Velociraptor Child Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type",
- "event_ids": [
- "4688"
- ],
- "id": "c3cf2db9-adff-41bb-ab07-0ed4770b5b47",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1053.005",
- "T1053"
- ],
- "title": "Suspicious Schtasks Schedule Type With High Privileges"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file",
- "event_ids": [
- "4688"
- ],
- "id": "b089b249-149b-dfae-0fa9-53aef8435346",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1219.002",
- "T1219"
- ],
- "title": "Mstsc.EXE Execution With Local RDP File"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects attackers attempting to disable Windows Defender using 
Powershell",
- "event_ids": [
- "4688"
- ],
- "id": "f54d52ff-5047-da16-21d1-67d79aacd624",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Disable Windows Defender AV Security Monitoring"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.",
- "event_ids": [
- "4688"
- ],
- "id": "07d9d3ee-e3e8-9005-68ba-2e1c50fd018b",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "T1112",
- "TA0005"
- ],
- "title": "Registry Modification Via Regini.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.\nAn example would be a threat actor creating a new user via the net command and providing the password inline\n",
- "event_ids": [
- "4688"
- ],
- "id": "48f9e545-da57-e944-30a6-d6ed66b4f001",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002"
- ],
- "title": "Weak or Abused Passwords In CLI"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract \".cab\" files using the \"/extract\" argument from potentially suspicious paths.\n",
- "event_ids": [
- "4688"
- ],
- "id": "cf789cc6-bba4-88f6-106b-660f61364506",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths"
- },
- {
- "category": "process_creation",
-
"channel": [
- "sec"
- ],
- "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver",
- "event_ids": [
- "4688"
- ],
- "id": "86e778e7-ed84-5e14-0732-2e352101ac62",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "T1218.011",
- "TA0005",
- "T1218"
- ],
- "title": "Rundll32 InstallScreenSaver Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of \"lodctr.exe\" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.",
- "event_ids": [
- "4688"
- ],
- "id": "57428c1a-2716-80c7-6059-bb8408c50569",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "Rebuild Performance Counter Values Via Lodctr.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system\n",
- "event_ids": [
- "4688"
- ],
- "id": "9ee3416d-660e-2be4-06ed-73f1dce70009",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0007",
- "T1505.003",
- "T1018",
- "T1033",
- "T1087",
- "T1505"
- ],
- "title": "Webshell Hacking Activity Patterns"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of CoercedPotato, a tool for privilege escalation",
- "event_ids": [
- "4688"
- ],
- "id": "75a96fdd-ec6a-1351-5cf2-00b8606831fe",
- "level": "high",
- "service": "",
- "subcategory_guids": [
-
"0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0004",
- "T1055"
- ],
- "title": "HackTool - CoercedPotato Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.",
- "event_ids": [
- "4688"
- ],
- "id": "9137ba87-68d5-272d-9ada-3803321cb4c4",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1547.001",
- "T1547"
- ],
- "title": "Direct Autorun Keys Modification"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs",
- "event_ids": [
- "4688"
- ],
- "id": "d8a821b1-813e-ed4c-5b7d-a4bf59182a64",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.002",
- "T1562"
- ],
- "title": "HackTool - SharpEvtMute Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of the \"cloudflared\" tool to connect back to a tunnel. 
This was seen used by threat actors to maintain persistence and remote access to compromised networks.",
- "event_ids": [
- "4688"
- ],
- "id": "0fea9c26-5302-3b51-7884-b9ed47e74157",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1102",
- "T1090",
- "T1572"
- ],
- "title": "Cloudflared Tunnel Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potentially suspicious child processes of \"GoogleUpdate.exe\"",
- "event_ids": [
- "4688"
- ],
- "id": "54947316-2baa-1515-3a10-8569020a445a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005"
- ],
- "title": "Potentially Suspicious GoogleUpdate Child Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects process dump via legitimate sqldumper.exe binary",
- "event_ids": [
- "4688"
- ],
- "id": "38362740-fe8e-6e9d-79ad-a290fe8d5190",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003.001",
- "T1003"
- ],
- "title": "Dumping Process via Sqldumper.exe"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of \"whoami.exe\" with the \"/FO\" flag to choose CSV as output format or with redirection options to export the results to a file for later use.",
- "event_ids": [
- "4688"
- ],
- "id": "9e0f0c37-ffdb-1903-192f-5f8056bd407a",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1033",
- "car.2016-03-001"
- ],
- "title": "Whoami.EXE Execution With Output Option"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects uncommon or suspicious child processes of \"eventvwr.exe\" which might 
indicate a UAC bypass attempt",
- "event_ids": [
- "4688"
- ],
- "id": "be9b6aa2-633a-7833-43a7-f807dc2aa023",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0004",
- "T1548.002",
- "car.2019-04-001",
- "T1548"
- ],
- "title": "Potentially Suspicious Event Viewer Child Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of whoami.exe with suspicious parent processes.",
- "event_ids": [
- "4688"
- ],
- "id": "5a52bc92-7713-3fca-6d54-f03845a88c47",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1033",
- "car.2016-03-001"
- ],
- "title": "Whoami.EXE Execution Anomaly"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. 
Often used by attacker to prevent safeboot execution of security products",
- "event_ids": [
- "4688"
- ],
- "id": "9069f74a-131e-643b-86fc-0f23d29805d7",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "SafeBoot Registry Key Deleted Via Reg.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits",
- "event_ids": [
- "4688"
- ],
- "id": "1f5db239-6608-ab63-3f89-95375c7872fc",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218.011",
- "T1218"
- ],
- "title": "Suspicious Control Panel DLL Load"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect execution of suspicious double extension files in ParentCommandLine",
- "event_ids": [
- "4688"
- ],
- "id": "775d4bc1-d404-6927-6dc7-c22d00029c37",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1036.007",
- "T1036"
- ],
- "title": "Suspicious Parent Double Extension File Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.",
- "event_ids": [
- "4688"
- ],
- "id": "0e51a9f2-52ef-1f9a-cd41-f229ac148283",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "T1112",
- "TA0005"
- ],
- "title": "Suspicious Registry Modification From ADS Via Regini.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects active directory enumeration activity using known AdFind CLI flags",
- "event_ids": [
-
"4688"
- ],
- "id": "5a05c10d-f2a5-f434-4d63-63cd535745b6",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1087.002",
- "T1087"
- ],
- "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the stopping of a Windows service via the PowerShell Cmdlet \"Stop-Service\"",
- "event_ids": [
- "4688"
- ],
- "id": "c53a6656-ecdc-89f8-742f-0455f2ed3c64",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0040",
- "T1489"
- ],
- "title": "Stop Windows Service Via PowerShell Stop-Service"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.\n",
- "event_ids": [
- "4688"
- ],
- "id": "ac70393b-10a3-1934-e063-2bff18e8a37c",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0043",
- "T1595"
- ],
- "title": "PUA - PingCastle Execution From Potentially Suspicious Parent"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service",
- "event_ids": [
- "4688"
- ],
- "id": "4ab524c0-380a-d654-f00f-0309d495eae1",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1557.001",
- "T1557"
- ],
- "title": "HackTool - ADCSPwn Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects 
execution of commands that leverage the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)\n",
- "event_ids": [
- "4688"
- ],
- "id": "54b11eae-5cc5-72a8-7b50-b842a057933e",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002"
- ],
- "title": "Mshtml.DLL RunHTMLApplication Suspicious Usage"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of LiveKD based on PE metadata or image name",
- "event_ids": [
- "4688"
- ],
- "id": "4015c0bf-a80a-7b4f-cff2-cb50ea14b40f",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005"
- ],
- "title": "Potential Memory Dumping Activity Via LiveKD"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n",
- "event_ids": [
- "4688"
- ],
- "id": "5f94c12e-15a0-28ec-cd81-8049ae6c625d",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.002",
- "T1562"
- ],
- "title": "Audit Policy Tampering Via Auditpol"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation",
- "event_ids": [
- "4688"
- ],
- "id": "9e12c2cd-fa32-33a2-e894-455cfcbb3680",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027.009",
- "T1027"
- ],
- "title": "Powershell Token Obfuscation - Process Creation"
- },
- {
-
"category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects calls to base64 encoded WMI class such as \"Win32_ShadowCopy\", \"Win32_ScheduledJob\", etc.",
- "event_ids": [
- "4688"
- ],
- "id": "ece63b49-157b-d1fb-61c5-0cf5c0182409",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "TA0005",
- "T1027",
- "T1059"
- ],
- "title": "PowerShell Base64 Encoded WMI Classes"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory",
- "event_ids": [
- "4688"
- ],
- "id": "b206cc55-bd72-1034-393c-cb8b9e643aa0",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1036",
- "T1003.001",
- "TA0006",
- "T1003"
- ],
- "title": "Renamed CreateDump Utility Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the presence of \"UWhRC....AAYBAAAA\" pattern in command line.\nThe pattern \"1UWhRCAAAAA..BAAAA\" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.\nAttackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.\nIt is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records\nto spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.\nIf you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,\nor checking for the presence of such records through the `nslookup` command.\n",
- "event_ids": [
- "4688"
- ],
- "id": "c642ffbe-eb4e-5b90-c10a-de01f70dcb68",
- "level": "high",
- "service": "",
- "subcategory_guids": [
-
"0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "TA0003",
- "TA0004",
- "T1557.001",
- "T1187",
- "T1557"
- ],
- "title": "Attempts of Kerberos Coercion Via DNS SPN Spoofing"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Extract data from cab file and hide it in an alternate data stream",
- "event_ids": [
- "4688"
- ],
- "id": "5df3c3b4-3daf-3385-fdf0-4b5612003633",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1564.004",
- "T1564"
- ],
- "title": "Suspicious Extrac32 Alternate Data Stream Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious",
- "event_ids": [
- "4688"
- ],
- "id": "87086e53-d522-cb93-c0a0-04cd9f2e91d3",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0043",
- "T1593.003",
- "T1593"
- ],
- "title": "Suspicious Git Clone"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n",
- "event_ids": [
- "4688"
- ],
- "id": "79657164-232b-d42a-7eab-1d9b88196e7a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218.011",
- "T1218"
- ],
- "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detection of unusual child processes by different system processes",
- "event_ids": [
- "4688"
- ],
- "id": "4411c966-d5e0-1715-f458-2221d89b7eee",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "T1548"
- ],
- "title": "Abused Debug Privilege by Arbitrary Parent Processes"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.",
- "event_ids": [
- "4688"
- ],
- "id": "ced3b93a-d1cc-dab7-fe8c-be95fd649ff3",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218.011",
- "T1218"
- ],
- "title": "Code Execution via Pcwutl.dll"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects whether the image specified in a process creation event doesn't refer to an \".exe\" (or other known executable extension) file. 
This can be caused by process ghosting or other unorthodox methods to start a process.\nThis rule might require some initial baselining to align with some third party tooling in the user environment.\n",
- "event_ids": [
- "4688"
- ],
- "id": "c063426c-1b9b-025d-71cc-5097a233285d",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005"
- ],
- "title": "Execution of Suspicious File Type Extension"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.",
- "event_ids": [
- "4688"
- ],
- "id": "f827f8f1-fb4f-4e87-e688-b05d54c996ad",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0002",
- "T1053.005",
- "TA0011",
- "T1053"
- ],
- "title": "Potential SSH Tunnel Persistence Install Using A Scheduled Task"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls",
- "event_ids": [
- "4688"
- ],
- "id": "0d0facfd-ddef-e44b-f118-c42aff14db7a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "TA0005",
- "T1027",
- "T1059"
- ],
- "title": "PowerShell Base64 Encoded Invoke Keyword"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of Dnx.EXE. 
The Dnx utility allows for the execution of C# code.\nAttackers might abuse this in order to bypass application whitelisting.\n",
- "event_ids": [
- "4688"
- ],
- "id": "e56b0b7d-eb03-5756-d3c4-1b29390fa86e",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218",
- "T1027.004",
- "T1027"
- ],
- "title": "Potential Application Whitelisting Bypass via Dnx.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges",
- "event_ids": [
- "4688"
- ],
- "id": "1ee3a188-7a90-b357-3e25-dd202515f11d",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1069.001",
- "T1069"
- ],
- "title": "Permission Check Via Accesschk.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a Windows command line executable started from MMC",
- "event_ids": [
- "4688"
- ],
- "id": "cf0e4cea-8b93-73a0-c4f6-1d496da38fea",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1021.003",
- "T1021"
- ],
- "title": "MMC Spawning Windows Shell"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.",
- "event_ids": [
- "4688"
- ],
- "id": "00ca290b-102c-83b3-ff90-2781c070cf8e",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "TA0003",
- "T1219.002",
- "T1219"
- ],
- "title": "Potential Amazon SSM Agent Hijacking"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
-
"description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI",
- "event_ids": [
- "4688"
- ],
- "id": "04aeef7e-daa9-3212-481e-808d0386c3a2",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0009",
- "T1115"
- ],
- "title": "PowerShell Get-Clipboard Cmdlet Via CLI"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).\nAdversaries insert non-printable whitespace characters (e.g., Line Feed \\x0A, Carriage Return \\x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.\nThe hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.\nThis rule flags suspicious use of such padding observed in real-world attacks.\n",
- "event_ids": [
- "4688"
- ],
- "id": "c5afc50a-fb5c-5df5-9dbe-3d574bc0fa64",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0001",
- "TA0002",
- "T1204.002",
- "T1204"
- ],
- "title": "Suspicious LNK Command-Line Padding with Whitespace Characters"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a ping command that uses a hex encoded IP address",
- "event_ids": [
- "4688"
- ],
- "id": "8f1f0cfc-418f-58d0-6c0a-aa9299b3d5e5",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1140",
- "T1027"
- ],
- "title": "Ping Hex IP"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects 
potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n",
- "event_ids": [
- "4688"
- ],
- "id": "7d08c255-caa9-d1ce-ba23-4030c6718e0b",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "TA0007",
- "T1040"
- ],
- "title": "Potential Network Sniffing Activity Using Network Tools"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the presence of the keywords \"lsass\" and \".dmp\" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.\n",
- "event_ids": [
- "4688"
- ],
- "id": "48e84a4f-20a1-de9f-6a28-37b0494dedfc",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003.001",
- "T1003"
- ],
- "title": "LSASS Dump Keyword In CommandLine"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects attempts to disable the Windows Firewall using PowerShell",
- "event_ids": [
- "4688"
- ],
- "id": "bb0b061c-443d-7026-485e-32bd309fb7d9",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562"
- ],
- "title": "Windows Firewall Disabled via PowerShell"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.",
- "event_ids": [
- "4688"
- ],
- "id": "3d04a8d4-c258-0c3b-8665-5803d5ceba7f",
- "level": "medium",
- "service": "",
-
"subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection",
- "event_ids": [
- "4688"
- ],
- "id": "04f5d1ee-1b2f-dc73-a3fd-a7277cb56195",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "Potential Renamed Rundll32 Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of the BCP utility in order to export data from the database.\nAttackers were seen saving their malware to a database column or table and then later extracting it via \"bcp.exe\" into a file.\n",
- "event_ids": [
- "4688"
- ],
- "id": "c7c4727f-4a16-4625-f1f0-4d6a7b7eb808",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0010",
- "T1048"
- ],
- "title": "Data Export From MSSQL Table Via BCP.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.\n",
- "event_ids": [
- "4688"
- ],
- "id": "8578ef59-9a77-e58f-416e-a109c066b60e",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ], "tags": [ "TA0005",
- "T1036.003",
- "T1036"
- ],
- "title": "LOL-Binary Copied From System Directory"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Monitors for the 
hiding possible malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privillege to be written and executed from.", - "event_ids": [ - "4688" - ], - "id": "ed8f1915-a7b9-2b25-cfbe-702f1a275a5d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ "T1211", - "T1059", - "TA0005", - "TA0003", - "TA0002" - ], - "title": "Writing Of Malicious Files To The Fonts Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", - "event_ids": [ - "4688" - ], - "id": "96951861-e068-11a1-bdd8-1fdc951102b8", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Usage Of Web Request Commands And Cmdlets" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"odbcconf\" with \"INSTALLDRIVER\" which installs a new ODBC driver. 
Attackers abuse this to install and run malicious DLLs.", - "event_ids": [ - "4688" - ], - "id": "adc0be0e-1fd7-a7d2-38cd-74c936dcd78f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.008", - "T1218" - ], - "title": "Driver/DLL Installation Via Odbcconf.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)", - "event_ids": [ - "4688" - ], - "id": "bb3d59c6-7ec7-685a-4ae1-f39045534f39", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Uncommon Child Processes Of SndVol.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.", - "event_ids": [ - "4688" - ], - "id": "84707330-6ce4-b159-4432-712646f49a7b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Arbitrary File Download Via GfxDownloadWrapper.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"Diskshadow.exe\" in script mode using the \"/s\" flag where the script is located in a potentially suspicious location.", - "event_ids": [ - "4688" - ], - "id": "42e5d701-5c5b-c050-7996-f166b0907531", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Diskshadow Script Mode - Execution From Potential Suspicious Location" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can 
be used to execute any other binary", - "event_ids": [ - "4688" - ], - "id": "9a2d19cf-4378-c7a2-7a77-b268c7875c7c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1218" - ], - "title": "MpiExec Lolbin" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC", - "event_ids": [ - "4688" - ], - "id": "09c3b6b8-4904-bec5-4fc1-d69447e6ff3b", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036" - ], - "title": "New Process Created Via Taskmgr.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.\nSharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.\n", - "event_ids": [ - "4688" - ], - "id": "e653c5ce-5d53-8f18-097d-affbeeb0425a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0005", - "T1134.001", - "T1134.003", - "T1134" - ], - "title": "HackTool - SharpDPAPI Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", - "event_ids": [ - "4688" - ], - "id": "835ff144-018a-4ec5-3788-ea773f0fd869", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.003", - "T1003" - ], - "title": "PUA - DIT Snapshot Viewer" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the start of a non built-in assistive technology applications via \"Atbroker.EXE\".", - 
"event_ids": [ - "4688" - ], - "id": "d5a94ccf-58fd-7481-3683-e59fbf33e8c1", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Uncommon Assistive Technology Applications Execution Via AtBroker.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", - "event_ids": [ - "4688" - ], - "id": "145ace9e-159a-7105-5f01-b8880c351067", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047" - ], - "title": "Service Reconnaissance Via Wmic.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"ConfigSecurityPolicy.EXE\", a binary part of Windows Defender used to manage settings in Windows Defender.\nUsers can configure different pilot collections for each of the co-management workloads.\nIt can be abused by attackers in order to upload or download files.\n", - "event_ids": [ - "4688" - ], - "id": "956a39b3-a319-4b78-6305-a216732d379e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010", - "T1567" - ], - "title": "Arbitrary File Download Via ConfigSecurityPolicy.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a potentially suspicious execution of a parent process located in the \"\\Users\\Public\" folder 
executing a child process containing references to shell or scripting binaries and commandlines.\n", - "event_ids": [ - "4688" - ], - "id": "cd36cd3c-17cb-d0c6-1e77-c74a5a6e96fe", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1564", - "T1059" - ], - "title": "Potentially Suspicious Execution From Parent Process In Public Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects scheduled task creation using \"schtasks\" that contain potentially suspicious or uncommon commands", - "event_ids": [ - "4688" - ], - "id": "7c9f3379-969f-2e9a-5a03-cc75e44fffd0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1053.005", - "T1053" - ], - "title": "Suspicious Command Patterns In Scheduled Task Creation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"", - "event_ids": [ - "4688" - ], - "id": "37ebc902-d86f-808a-3790-0d2051db2e46", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1059.001", - "T1027", - "T1059" - ], - "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)\n", - "event_ids": [ - "4688" - ], - "id": "bd0d2f25-0055-04fe-5229-5ddc996bcdaa", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1490" - ], - "title": "Sensitive File Access Via 
Volume Shadow Copy Backup" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of PowerShell commands that attempt to install MSI packages via the\nWindows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.\nThis could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.\nAnd the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.\n", - "event_ids": [ - "4688" - ], - "id": "67cbe37e-314f-cce4-2882-0cb45993a3c5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "TA0005", - "T1218", - "TA0011", - "T1105", - "T1059" - ], - "title": "PowerShell MSI Install via WindowsInstaller COM From Remote Location" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\nThis is used as an obfuscation and masquerading techniques. 
Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.\n", - "event_ids": [ - "4688" - ], - "id": "52926c4e-2c91-7854-02bb-6edbfebd425e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036", - "T1036.003" - ], - "title": "Potential Homoglyph Attack Using Lookalike Characters" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"rundll32\" with potential obfuscated ordinal calls", - "event_ids": [ - "4688" - ], - "id": "b7049a0d-bb27-adf6-2c62-501b4398af4d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027.010", - "T1027" - ], - "title": "Potential Obfuscated Ordinal Call Via Rundll32" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", - "event_ids": [ - "4688" - ], - "id": "c03c42ba-1e4e-45c3-c0ba-c8d38b077ee7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1027", - "TA0005", - "TA0002", - "T1140", - "T1059.001", - "T1059" - ], - "title": "Base64 Encoded PowerShell Command Detected" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", - "event_ids": [ - "4688" - ], - "id": "b8f11c05-4178-dd22-a155-a560b4974008", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "TA0042", - "T1105", - "T1608" - ], - "title": "Suspicious 
Download from Office Domain" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", - "event_ids": [ - "4688" - ], - "id": "a7ed3875-d941-ac17-9f8a-7828f6a11738", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "T1566.001", - "TA0002", - "T1203", - "T1059.003", - "attack.g0032", - "T1566", - "T1059" - ], - "title": "Suspicious HWP Sub Processes" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution \"AccCheckConsole\" a command-line tool for verifying the accessibility implementation of an application's UI.\nOne of the tests that this checker can run are called \"verification routine\", which tests for things like Consistency, Navigation, etc.\nThe tool allows a user to provide a DLL that can contain a custom \"verification routine\". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the \"AccCheckConsole\" utility.\n", - "event_ids": [ - "4688" - ], - "id": "db8f163e-5399-d993-524b-d1c4ad63c442", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.threat-hunting" - ], - "title": "Potential DLL Injection Via AccCheckConsole" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. 
Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.", - "event_ids": [ - "4688" - ], - "id": "27d72949-e67d-d712-e695-b0f3fe1d1428", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", "T1562.001", "T1562" ], - "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "This rule detects the execution of Run Once task as configured in the registry", - "event_ids": [ - "4688" - ], - "id": "aa8af443-e70d-a6a2-5903-1c62f232c0ed", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Run Once Task Execution as Configured in Registry" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "event_ids": [ - "4688" - ], - "id": "f483b0b8-2606-8691-2edb-5c64c3a7347e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1095" - ], - "title": "PUA - Netcat Suspicious Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of Cmdl32 with the \"/vpn\" and \"/lan\" flags.\nAttackers can abuse this utility in order to download arbitrary files via a configuration file.\nInspect the location and the content of the file passed as an argument in order to determine if it is suspicious.\n", - "event_ids": [ - "4688" - ], - "id": "9c5b92ea-7921-f006-6f7b-a5f9ce49a774", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", 
- "T1218", - "T1202" - ], - "title": "Potential Arbitrary File Download Via Cmdl32.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"curl.exe\" with a potential custom \"User-Agent\". Attackers can leverage this to download or exfiltrate data via \"curl\" to a domain that only accept specific \"User-Agent\" strings", - "event_ids": [ - "4688" - ], - "id": "73a60f51-08e7-e491-9edb-b2f38dcaa09c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Curl Web Request With Potential Custom User-Agent" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of \"cmdkey.exe\" to add generic credentials.\nAs an example, this can be used before connecting to an RDP session via command line interface.\n", - "event_ids": [ - "4688" - ], - "id": "06860765-c664-13b1-1bba-4ae0606ad697", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.005", - "T1003" - ], - "title": "New Generic Credentials Added Via Cmdkey.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.", - "event_ids": [ - "4688" - ], - "id": "0e400d25-3298-763d-1813-3fe64dbdb2b0", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Potential Provlaunch.EXE Binary Proxy Execution Abuse" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", - "event_ids": [ - "4688" - ], - "id": "c095d894-f021-b42f-054d-9727ada91e6a", - 
"level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "TA0011", - "T1104", - "T1105", - "T1059" - ], - "title": "PowerShell DownloadFile" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"BitLockerToGo.EXE\".\nBitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.\nThis is a rarely used application and usage of it at all is worth investigating.\nMalware such as Lumma stealer has been seen using this process as a target for process hollowing.\n", - "event_ids": [ - "4688" - ], - "id": "7c5a0957-44c3-19d6-fbb2-bf2ea7ba0a36", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "BitLockerTogo.EXE Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of 7z in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.", - "event_ids": [ - "4688" - ], - "id": "93586827-5f54-fc91-0b2f-338fd5365694", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1560.001", - "T1560" - ], - "title": "7Zip Compressing Dump Files" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", - "event_ids": [ - "4688" - ], - "id": "c9c7afb7-56ad-a3b2-ad8a-727beaa81d41", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - 
"T1569.002", - "attack.s0029", - "T1569" - ], - "title": "PUA - RunXCmd Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", - "event_ids": [ - "4688" - ], - "id": "c321b26c-a257-c5cc-1fb8-5496e91a7381", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027.004", - "T1027" - ], - "title": "Visual Basic Command Line Compiler Usage" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", - "event_ids": [ - "4688" - ], - "id": "d5e7858d-f6fa-9fe9-e747-ff3a3312244e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Windows Defender Definition Files Removed" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a potential command line flag anomaly related to \"regsvr32\" in which the \"/i\" flag is used without the \"/n\" which should be uncommon.", - "event_ids": [ - "4688" - ], - "id": "0b0db942-3c12-3469-b96f-420423d80dbb", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.010", - "T1218" - ], - "title": "Potential Regsvr32 Commandline Flag Anomaly" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects WMI script event consumers", - "event_ids": [ - "4688" - ], - "id": "87226774-feb7-cb9f-bb57-e19cc4fbfb1a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", 
- "TA0004", - "T1546.003", - "T1546" - ], - "title": "WMI Persistence - Script Event Consumer" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", - "event_ids": [ - "4688" - ], - "id": "a5a31ba8-6ecb-ba33-f271-5a50afc76d9b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1218" - ], - "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects indicators of a UAC bypass method by mocking directories", - "event_ids": [ - "4688" - ], - "id": "6ffb15be-b4f1-f105-4d90-0797b05c1838", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1548.002", - "T1548" - ], - "title": "TrustedPath UAC Bypass Pattern" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", - "event_ids": [ - "4688" - ], - "id": "389f8439-d42b-53a1-cb96-9387255a319f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "TA0005", - "T1216", - "T1059" - ], - "title": "Execute Code with Pester.bat as Parent" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", - "event_ids": [ - "4688" - ], - "id": "b9675cf5-52dc-a941-e484-247f3640e055", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - 
"T1059.005", - "T1059.001", - "T1218", - "T1059" - ], - "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools", - "event_ids": [ - "4688" - ], - "id": "775ae677-184d-c90f-016f-f337fd79aa75", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004" - ], - "title": "Suspicious RunAs-Like Flag Combination" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.\n", - "event_ids": [ - "4688" - ], - "id": "dff28edb-8cbf-0aa6-a92e-123f013ce755", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036" - ], - "title": "System File Execution Location Anomaly" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". 
Which can be used to gather information about the target machine", - "event_ids": [ - "4688" - ], - "id": "a81ad1b6-b20d-14f9-7c3a-e41f81fd519f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "TA0002", - "T1615", - "T1059.005", - "T1059" - ], - "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "event_ids": [ - "4688" - ], - "id": "3425d55a-86e5-737e-7213-a8a416faeb89", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1218.003", - "attack.g0069", - "car.2019-04-001", - "T1218" - ], - "title": "CMSTP Execution Process Creation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.\nThe free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.\nThe tool has been observed in use by threat groups including Akira ransomware.\n", - "event_ids": [ - "4688" - ], - "id": "b3e6207b-ca8e-5b69-8194-cd66e4bdfc3e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1090.001", - "T1090" - ], - "title": "Cloudflared Quick Tunnel Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", - "event_ids": [ - "4688" - ], - "id": "296d5364-4c6f-d2ea-601c-12477b9e4053", - "level": "high", - "service": "", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "TA0005", - "T1027.005", - "T1027", - "T1059" - ], - "title": "HackTool - CrackMapExec PowerShell Obfuscation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"odbcconf\" with the \"REGSVR\" action where the DLL in question doesn't contain a \".dll\" extension. Which is often used as a method to evade defenses.", - "event_ids": [ - "4688" - ], - "id": "953dba36-324e-646a-d6e5-ef62aedd2205", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.008", - "T1218" - ], - "title": "Potentially Suspicious DLL Registered Via Odbcconf.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"odbcconf\" where the path of the DLL being registered is located in a potentially suspicious location.", - "event_ids": [ - "4688" - ], - "id": "a6a65b53-c476-cb1e-8267-5383b33c0dc1", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.008", - "T1218" - ], - "title": "Odbcconf.EXE Suspicious DLL Location" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"ftp.exe\" script with the \"-s\" or \"/s\" flag and any child processes ran by \"ftp.exe\".", - "event_ids": [ - "4688" - ], - "id": "26132f4c-3dfc-593f-2d62-2e8ff59e0720", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059", - "TA0005", - "T1202" - ], - "title": "Potential Arbitrary Command Execution Via FTP.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "event_ids": [ - "4688" - ], - 
"id": "0b1a8cb5-34ab-b019-66ad-98f7c43bb8ff",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation STDIN+ Launcher"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of \"dctask64.exe\", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.\nThis binary can be abused for DLL injection, arbitrary command and process execution.\n",
- "event_ids": [
- "4688"
- ],
- "id": "705fa07c-8ce4-2fcc-9d33-de2ac20c6369",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1055.001",
- "T1055"
- ],
- "title": "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files",
- "event_ids": [
- "4688"
- ],
- "id": "f35bf333-81f6-500b-dc59-92da984b5ea2",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105"
- ],
- "title": "Suspicious Certreq Command to Download"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.",
- "event_ids": [
- "4688"
- ],
- "id": "a49d1313-b65e-0401-130b-8e929805577f",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218.010",
- "T1218"
- ],
- "title": "Potentially Suspicious Regsvr32 HTTP IP Pattern"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of the \"mofcomp\" 
utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n",
- "event_ids": [
- "4688"
- ],
- "id": "7ff57038-20dd-b144-f4f9-fe2fb075e004",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Potential Suspicious Mofcomp Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)",
- "event_ids": [
- "4688"
- ],
- "id": "d6a5fc1c-e0e9-bcc2-daed-22823802b707",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1564.004",
- "T1564"
- ],
- "title": "Run PowerShell Script from ADS"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the creation of a new service using the \"sc.exe\" utility.",
- "event_ids": [
- "4688"
- ],
- "id": "9030c2bf-bf5b-cbfb-9cfc-e37534d2031a",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0004",
- "T1543.003",
- "T1543"
- ],
- "title": "New Service Creation Using Sc.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potentially suspicious child processes of \"aspnet_compiler.exe\".",
- "event_ids": [
- "4688"
- ],
- "id": "300b2c4e-03e9-b2ee-c6c3-9c87971d4bf2",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1127"
- ],
- "title": "Suspicious Child Process of AspNetCompiler"
- },
- {
- "category": 
"process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.",
- "event_ids": [
- "4688"
- ],
- "id": "f8039355-05ea-ab7a-159d-51b07b17da1e",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027"
- ],
- "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the initial execution of \"cmd.exe\" which spawns \"explorer.exe\" with the appropriate command line arguments for opening the \"My Computer\" folder.\n",
- "event_ids": [
- "4688"
- ],
- "id": "0c504797-106a-bd3f-6172-cebfb63391b1",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1135"
- ],
- "title": "File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. 
The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.",
- "event_ids": [
- "4688"
- ],
- "id": "f9b2ffc9-5ec5-9898-b546-301c85fa3892",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1087.002",
- "T1069.002",
- "T1482",
- "T1087",
- "T1069"
- ],
- "title": "Active Directory Database Snapshot Via ADExplorer"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe",
- "event_ids": [
- "4688"
- ],
- "id": "974c3659-4c63-c8c0-e3e1-1cedf5c38b24",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.003",
- "T1059"
- ],
- "title": "Read Contents From Stdin Via Cmd.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall",
- "event_ids": [
- "4688"
- ],
- "id": "98622a71-2d8e-2959-2a0c-8caffeacea13",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.004",
- "T1562"
- ],
- "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation",
- "event_ids": [
- "4688"
- ],
- "id": "024e903d-9124-23ff-2ce8-f59651a961ea",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0006",
- "T1557.001",
- "T1557"
- ],
- "title": "Potential SMB Relay Attack Tool Execution"
- },
- {
- "category": "process_creation",
- 
"channel": [
- "sec"
- ],
- "description": "Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses",
- "event_ids": [
- "4688"
- ],
- "id": "9bfa1ffb-5b30-0951-fa5a-9746a98f1a6a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Sysinternals PsSuspend Suspicious Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"Tpmvscmgr.exe\" to create a new virtual smart card.",
- "event_ids": [
- "4688"
- ],
- "id": "e669c0f5-387a-753e-708c-1ab656e547cf",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "New Virtual Smart Card Created Via TpmVscMgr.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of the \"finger.exe\" utility.\nFinger.EXE or \"TCPIP Finger Command\" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.\nDue to the old nature of this utility and the rareness of machines having the finger service. 
Any execution of \"finger.exe\" can be considered \"suspicious\" and worth investigating.\n",
- "event_ids": [
- "4688"
- ],
- "id": "1e5c4cf4-c566-7068-d0ce-7a2eeabfc733",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105"
- ],
- "title": "Finger.EXE Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag",
- "event_ids": [
- "4688"
- ],
- "id": "f477a622-8a8a-8528-fd42-9362defe645e",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0004",
- "T1055.001",
- "T1218.013",
- "T1218",
- "T1055"
- ],
- "title": "Mavinject Inject DLL Into Running Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.",
- "event_ids": [
- "4688"
- ],
- "id": "f4d831e1-972e-94c7-61af-2c756813c8af",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105"
- ],
- "title": "Remote File Download Via Desktopimgdownldr Utility"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "A General detection for sdclt spawning new processes. 
This could be an indicator of sdclt being used for bypass UAC techniques.",
- "event_ids": [
- "4688"
- ],
- "id": "63a8494a-3c4b-3902-2efc-f0ed49065b75",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "T1548.002",
- "T1548"
- ],
- "title": "Sdclt Child Processes"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potentially suspicious child processes of \"Diskshadow.exe\". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.",
- "event_ids": [
- "4688"
- ],
- "id": "97051c88-88d9-2462-99f0-99115c8013c9",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Potentially Suspicious Child Process Of DiskShadow.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects new process creation using WMIC via the \"process call create\" flag",
- "event_ids": [
- "4688"
- ],
- "id": "cac49200-88c2-7917-c315-8a2e0981b42a",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1047",
- "car.2016-03-002"
- ],
- "title": "New Process Created Via Wmic.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious child processes of the \"Manage Engine ServiceDesk Plus\" Java web service",
- "event_ids": [
- "4688"
- ],
- "id": "fa8c67ae-ace2-9a11-43d7-c5b5954ce489",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1102"
- ],
- "title": "Suspicious Child Process Of Manage Engine ServiceDesk"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects use of .NET InstallUtil.exe in order to download 
arbitrary files. The files will be written to \"%LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\\"\n",
- "event_ids": [
- "4688"
- ],
- "id": "fb0cc82e-63f9-6098-cd32-7f78429aeb7a",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "File Download Via InstallUtil.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.",
- "event_ids": [
- "4688"
- ],
- "id": "f97091ca-49b9-ea39-1091-bc06ed73b48f",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1021"
- ],
- "title": "Privilege Escalation via Named Pipe Impersonation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"dsquery.exe\" for domain trust discovery",
- "event_ids": [
- "4688"
- ],
- "id": "0005a605-5e4a-5704-75bf-485dbd31aa9a",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1482"
- ],
- "title": "Domain Trust Discovery Via Dsquery"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. 
This can be abused by threat actors and attackers for data exfiltration",
- "event_ids": [
- "4688"
- ],
- "id": "031e5974-b1b0-7293-81e5-57a3c3009f63",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027"
- ],
- "title": "File Encoded To Base64 Via Certutil.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.",
- "event_ids": [
- "4688"
- ],
- "id": "555c9e0e-bd1c-accd-f824-11a77ca76819",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1564.004",
- "T1564"
- ],
- "title": "Suspicious Diantz Alternate Data Stream Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder",
- "event_ids": [
- "4688"
- ],
- "id": "cc44ef1f-3f00-4bc6-c537-2858c567e845",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Execution of Powershell Script in Public Folder"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Wscript/Cscript executing a file with an uncommon (i.e. 
non-script) extension",
- "event_ids": [
- "4688"
- ],
- "id": "7f7e34fc-8a05-170b-7892-a5b0aefe2983",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.005",
- "T1059.007",
- "T1059"
- ],
- "title": "Cscript/Wscript Uncommon Script Extension Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of bitsadmin downloading a file with a suspicious extension",
- "event_ids": [
- "4688"
- ],
- "id": "24c9aace-94e9-d8a7-f3fc-58eaff2eefea",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0003",
- "T1197",
- "attack.s0190",
- "T1036.003",
- "T1036"
- ],
- "title": "File With Suspicious Extension Downloaded Via Bitsadmin"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers",
- "event_ids": [
- "4688"
- ],
- "id": "6c78dafc-594b-ab99-d6da-cafcb37ab087",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007"
- ],
- "title": "DriverQuery.EXE Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. 
Trickbot also uses this utilities to get MSEdge info via its module pwgrab.",
- "event_ids": [
- "4688"
- ],
- "id": "90622c98-76d8-785d-1539-e8120fa53bc6",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003",
- "T1003.003",
- "attack.s0404"
- ],
- "title": "Esentutl Gather Credentials"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection",
- "event_ids": [
- "4688"
- ],
- "id": "6375eb27-4436-c582-1f6d-066ebfb78131",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1564.004",
- "T1564"
- ],
- "title": "Execute From Alternate Data Streams"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.",
- "event_ids": [
- "4688"
- ],
- "id": "e768da19-d0fa-86b7-d2c1-93535bdac05e",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0004",
- "T1484.001",
- "T1484"
- ],
- "title": "Modify Group Policy Settings"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.\n",
- "event_ids": [
- "4688"
- ],
- "id": "efdfbdd6-7e24-de87-fab4-a6218c8d0740",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "TA0006",
- "T1649"
- ],
- "title": "HackTool - Certipy Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- 
"sec"
- ],
- "description": "Detects the execution of the PurpleSharp adversary simulation tool",
- "event_ids": [
- "4688"
- ],
- "id": "18dfc536-9538-c1a3-545c-82b5c749672c",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "T1587",
- "TA0042"
- ],
- "title": "HackTool - PurpleSharp Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process.\nThis way we are also able to catch cases in which the attacker has renamed the procdump executable.\n",
- "event_ids": [
- "4688"
- ],
- "id": "16b983b0-2a6e-197e-d708-3468b8785eb6",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1036",
- "TA0006",
- "T1003.001",
- "car.2013-05-009",
- "T1003"
- ],
- "title": "Potential LSASS Process Dump Via Procdump"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively",
- "event_ids": [
- "4688"
- ],
- "id": "49f7221b-6487-9808-ded9-4019dfe83e80",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "TA0005",
- "T1134.001",
- "T1134.003",
- "T1134"
- ],
- "title": "HackTool - Impersonate Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"findstr\" to search for common names of security tools. 
Attackers often pipe the results of recon commands such as \"tasklist\" or \"whoami\" to \"findstr\" in order to filter out the results.\nThis detection focuses on the keywords that the attacker might use as a filter.\n",
- "event_ids": [
- "4688"
- ],
- "id": "90bfcc44-6d97-c258-a28e-a17300913661",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1518.001",
- "T1518"
- ],
- "title": "Security Tools Keyword Lookup Via Findstr.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects possible execution via LNK file accessed on a WebDAV server.",
- "event_ids": [
- "4688"
- ],
- "id": "a2325ec9-0dd9-e21d-c39b-3e8dc0f36213",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1204",
- "T1059"
- ],
- "title": "Potentially Suspicious WebDAV LNK Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of rundll32 with a command line that doesn't contain a common extension",
- "event_ids": [
- "4688"
- ],
- "id": "d6ede5f4-8daa-4a92-6e5f-9cd3ca86089c",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218.011",
- "T1218"
- ],
- "title": "Rundll32 Execution With Uncommon DLL Extension"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.",
- "event_ids": [
- "4688"
- ],
- "id": "e5dce32e-6986-6417-4a01-aea6093f1e87",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105",
- "TA0005",
- "T1564.004",
- "T1564"
- ],
- "title": "PrintBrm ZIP Creation of Extraction"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)",
- "event_ids": [
- "4688"
- ],
- "id": "891ece81-d720-ce9c-fe02-6e491c7adb14",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0011",
- "T1059.003",
- "T1059.001",
- "T1105",
- "T1059"
- ],
- "title": "Command Line Execution with Suspicious URL and AppData Strings"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server",
- "event_ids": [
- "4688"
- ],
- "id": "68ab3429-7cf4-3d41-5a38-9474fcad4f66",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105"
- ],
- "title": "Potential Download/Upload Activity Using Type Command"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the export of the target Registry key to a file.",
- "event_ids": [
- "4688"
- ],
- "id": "033b2a23-2b9c-4ad7-db96-f2f2a509169c",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0010",
- "TA0007",
- "T1012"
- ],
- "title": "Exports Registry Key To a File"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects requests to disable 
Microsoft Defender features using PowerShell commands",
- "event_ids": [
- "4688"
- ],
- "id": "0fe943e0-d659-589c-d734-689f0f7de8e7",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Powershell Defender Disable Scan Feature"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.",
- "event_ids": [
- "4688"
- ],
- "id": "77495bbc-a90d-6112-a1bf-c357d3b901fd",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005"
- ],
- "title": "LOLBIN Execution From Abnormal Drive"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of WinRAR in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.",
- "event_ids": [
- "4688"
- ],
- "id": "4c7b96eb-1897-7935-762d-58700203bb94",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0009",
- "T1560.001",
- "T1560"
- ],
- "title": "Winrar Compressing Dump Files"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use",
- "event_ids": [
- "4688"
- ],
- "id": "a3af3078-fe5d-0755-0f26-3833f03a1a6a",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "Query Usage To Exfil Data"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", 
etc.",
- "event_ids": [
- "4688"
- ],
- "id": "3a1e9d54-cfc2-0052-abc5-2271eee0dd8c",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1047"
- ],
- "title": "Suspicious Process Created Via Wmic.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n",
- "event_ids": [
- "4688"
- ],
- "id": "0cc20ab0-4c30-c947-6985-884817d59f4a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1564.001",
- "T1564"
- ],
- "title": "Set Suspicious Files as System Files Using Attrib.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1",
- "event_ids": [
- "4688"
- ],
- "id": "6b74eb79-fb17-b0d5-5a82-d54803b88ead",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1082"
- ],
- "title": "Suspicious Kernel Dump Using Dtrace"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of Xwizard tool from a non-default directory.\nWhen executed from a non-default directory, this utility can be abused in order to side load a custom version of \"xwizards.dll\".\n",
- "event_ids": [
- "4688"
- ],
- "id": "a45e9350-b577-e20b-ed84-113a3b5c3e3a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1574.001",
- 
"T1574"
- ],
- "title": "Xwizard.EXE Execution From Non-Default Location"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n",
- "event_ids": [
- "4688"
- ],
- "id": "8a1ff7a8-dc08-8d51-6f44-ebf8369d583a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Cmd.EXE Missing Space Characters Execution Anomaly"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting",
- "event_ids": [
- "4688"
- ],
- "id": "94528740-76e2-5bfd-e3d5-a6fc1aea5bcd",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059"
- ],
- "title": "Use of OpenConsole"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects addition of users to highly privileged groups via \"Net\" or \"Add-LocalGroupMember\".",
- "event_ids": [
- "4688"
- ],
- "id": "315b342a-decc-2f38-398f-41e5c8fdb4ed",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1098"
- ],
- "title": "User Added To Highly Privileged Group"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be 
allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
- "event_ids": [
- "4688"
- ],
- "id": "9974aa8a-7f9d-e45d-d1f2-353a893b2572",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1219.002",
- "T1219"
- ],
- "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)",
- "event_ids": [
- "4688"
- ],
- "id": "6be0f4bd-c96b-6215-65ad-e38299aa0561",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0004",
- "T1055"
- ],
- "title": "Process Creation Using Sysnative Folder"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share",
- "event_ids": [
- "4688"
- ],
- "id": "8356394a-a08b-72f9-f2f5-217abc6c1976",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006"
- ],
- "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Obfuscated Powershell via use MSHTA in Scripts",
- "event_ids": [
- "4688"
- ],
- "id": "14fd1424-cb14-6945-1567-9017b4b23da5",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation Via Use MSHTA"
- },
- {
- 
"category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the import of a alternate datastream to the registry with regedit.exe.",
- "event_ids": [
- "4688"
- ],
- "id": "430ca46d-025b-b3cc-6fac-e01c57fee153",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "T1112",
- "TA0005"
- ],
- "title": "Imports Registry Key From an ADS"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the creation of scheduled tasks by user accounts via the \"schtasks\" utility.",
- "event_ids": [
- "4688"
- ],
- "id": "c7b9e6e8-4212-b14e-b622-503d7c760107",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0003",
- "TA0004",
- "T1053.005",
- "attack.s0111",
- "car.2013-08-001",
- "stp.1u",
- "T1053"
- ],
- "title": "Scheduled Task Creation Via Schtasks.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack",
- "event_ids": [
- "4688"
- ],
- "id": "915fc7ae-b034-c5e8-9b05-e19566db49fb",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005"
- ],
- "title": "Suspicious Usage Of ShellExec_RunDLL"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects calls to the \"terminate\" function via wmic in order to kill an application",
- "event_ids": [
- "4688"
- ],
- "id": "aed91788-6fab-61d2-104a-3a1ea483f8fd",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1047"
- ],
- "title": "Application Terminated Via Wmic.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": 
"Detects commands that temporarily turn off Volume Snapshots",
- "event_ids": [
- "4688"
- ],
- "id": "1f7c1ba3-2f41-4b49-17f6-5a4719527d57",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Disabled Volume Snapshots"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.",
- "event_ids": [
- "4688"
- ],
- "id": "b68cfad0-0e22-e824-aed8-8c1c3d1accdc",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1127"
- ],
- "title": "Use of Remote.exe"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt",
- "event_ids": [
- "4688"
- ],
- "id": "08cdc165-8915-fdf4-625a-7c4f625d5efe",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003"
- ],
- "title": "Persistence Via TypedPaths - CommandLine"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags",
- "event_ids": [
- "4688"
- ],
- "id": "9b584978-0d93-f10c-988d-ff3657f59e09",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1055"
- ],
- "title": "HackTool - DInjector PowerShell Cradle Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool",
- "event_ids": [
- "4688"
- ],
- "id": 
"f5338a44-bd1b-81a7-3b76-7e2efbe1ce0d",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003.001",
- "T1003"
- ],
- "title": "HackTool - Inveigh Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n",
- "event_ids": [
- "4688"
- ],
- "id": "13ca85ff-edb5-1f6f-fc72-7387eced96e9",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "TA0011",
- "T1218.011",
- "T1071",
- "T1218"
- ],
- "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects calls to cmdlets that are used to export certificates from the local certificate store. 
Threat actors were seen abusing this to steal private keys from compromised machines.",
- "event_ids": [
- "4688"
- ],
- "id": "909ad08b-a33e-57b8-8a0e-98a42a566b03",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "TA0002",
- "T1552.004",
- "T1059.001",
- "T1552",
- "T1059"
- ],
- "title": "Certificate Exported Via PowerShell"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Download or Copy file with Extrac32",
- "event_ids": [
- "4688"
- ],
- "id": "1a6983b5-f09c-767b-3ebe-349e7cde3c8e",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105"
- ],
- "title": "Suspicious Extrac32 Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services",
- "event_ids": [
- "4688"
- ],
- "id": "3559f022-c7da-a217-5e49-9934bcf0b06b",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Service Registry Key Deleted Via Reg.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory",
- "event_ids": [
- "4688"
- ],
- "id": "06305885-4321-1104-1a1d-5f6dcddf76af",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218.011",
- "TA0006",
- "T1003.001",
- "T1218",
- "T1003"
- ],
- "title": "Process Access via TrolleyExpress Exclusion"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- 
"description": "Detects execution of \"odbcconf\" with the \"-f\" flag in order to load a response file with a non-\".rsp\" extension.", - "event_ids": [ - "4688" - ], - "id": "bf24bd95-9545-2701-9d44-5f8a6769a3bb", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.008", - "T1218" - ], - "title": "Suspicious Response File Execution Via Odbcconf.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", - "event_ids": [ - "4688" - ], - "id": "2c256f43-053a-3f93-b183-27b3a5d312ed", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "T1548" - ], - "title": "UAC Bypass Using DismHost" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. 
This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.\n", - "event_ids": [ - "4688" - ], - "id": "4b892866-fe93-c61b-f506-c8fd8948a868", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0003", - "T1546.007", - "attack.s0108", - "T1546" - ], - "title": "Potential Persistence Via Netsh Helper DLL" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the IEExec utility to download and execute files", - "event_ids": [ - "4688" - ], - "id": "b7adfc19-5e32-e2d7-a70c-a28e9a844564", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "File Download And Execution Via IEExec.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", - "event_ids": [ - "4688" - ], - "id": "7aeff814-b27b-e580-603c-4c71d478a677", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1489" - ], - "title": "Delete Important Scheduled Task" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations", - "event_ids": [ - "4688" - ], - "id": "852227cc-1888-1ad5-93f1-633e3dc46869", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0004", - "TA0007", - "TA0005", - "T1082", - "T1564", - "T1543" - ], - "title": "PUA - System Informer Execution" - }, - { - 
"category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.\nThe manifest option enables you to install an application by passing in a YAML file directly to the client.\nWinget can be used to download and install exe, msi or msix files later.\n", - "event_ids": [ - "4688" - ], - "id": "afee1b7e-2430-1880-34e2-eb2ae5bf07ff", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1059" - ], - "title": "Install New Package Via Winget Local Manifest" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.", - "event_ids": [ - "4688" - ], - "id": "58f6b474-361b-17a1-718b-461048f72ee2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1543.003", - "T1574.011", - "T1574", - "T1543" - ], - "title": "Potential Persistence Attempt Via Existing Service Tampering" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)", - "event_ids": [ - "4688" - ], - "id": "cb8f70fe-80c4-48c0-0473-656666b52064", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "TA0003", - "TA0004" - ], - "title": "Suspicious Shells Spawn by Java Utility Keytool" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Use of hostname to get information", - "event_ids": [ - "4688" - ], - "id": "70d8280e-179e-392c-fb0d-96528c5d36cc", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1082" - ], - "title": "Suspicious Execution of Hostname" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').\nThis is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.\nAn attacker might use this technique via the command line to bypass defenses before executing payloads.\n", - "event_ids": [ - "4688" - ], - "id": "118c7926-b646-c48e-0be5-da48f765543e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of LiveKD with the \"-m\" flag to potentially dump the kernel memory", - "event_ids": [ - "4688" - ], - "id": "37cf7844-0508-0f79-123b-7bb4a92b5bf3", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - 
"title": "Kernel Memory Dump Via LiveKD" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", - "event_ids": [ - "4688" - ], - "id": "892fa867-a4bc-7858-dc5f-0f959244b3ca", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003" - ], - "title": "Microsoft IIS Service Account Password Dumped" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", - "event_ids": [ - "4688" - ], - "id": "c888539c-8fb0-45df-4874-934d5b1edf1c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1046", - "T1135" - ], - "title": "PUA - Advanced IP Scanner Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uncommon and potentially suspicious one-liner command containing both \"ping\" and \"copy\" at the same time, which is usually used by malware.\n", - "event_ids": [ - "4688" - ], - "id": "3efca659-a57d-a642-952a-5f476a210a07", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1070.004", - "T1070" - ], - "title": "Potentially Suspicious Ping/Copy Command Combination" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid command-line detection", - "event_ids": [ - "4688" - ], - "id": "c2caccdd-305a-c468-590f-90ca119d0475", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.004", - "T1564" - ], - "title": "Use NTFS Short Name in Command Line" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.", - "event_ids": [ - "4688" - ], - "id": "a0d3fa7f-7155-4aef-0428-ccfae2e54d9f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1070.004", - "T1070" - ], - "title": "Greedy File Deletion Using Del" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects events that appear when a user click on a link file with a powershell command in it", - "event_ids": [ - "4688" - ], - "id": "49da8649-c56c-f962-aade-f62bb1cd465c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Hidden Powershell in Link File Pattern" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.\nWhen the job runs on the system the command specified in the BITS job will be executed.\nThis can be abused by actors to create a backdoor within the system and for persistence.\nIt will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.\n", - "event_ids": [ - 
"4688" - ], - "id": "b6abae48-2937-b8aa-70ef-ae27212059c5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1197" - ], - "title": "Monitoring For Persistence Via BITS" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious powershell invocations from interpreters or unusual programs", - "event_ids": [ - "4688" - ], - "id": "82fb76c3-b42b-096c-0e6c-8733e1993492", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Suspicious PowerShell Invocation From Script Engines" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n", - "event_ids": [ - "4688" - ], - "id": "740e34bc-7ca6-ebba-db66-9b466f9c7558", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "TA0010", - "T1560", - "T1560.001" - ], - "title": "Compressed File Extraction Via Tar.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious file download from file sharing domains using curl.exe", - "event_ids": [ - "4688" - ], - "id": "ebccbc0b-0513-7912-7679-1ff5d676842e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Suspicious File Download From File Sharing Domain Via Curl.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", - "event_ids": [ - "4688" - ], - 
"id": "7a6b455d-a8d7-2cba-6d4e-05d8c6c9278c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "REGISTER_APP.VBS Proxy Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", - "event_ids": [ - "4688" - ], - "id": "b0fec5a0-3b3f-9e6c-b5b1-bdabd28f18ee", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1560.001", - "T1560" - ], - "title": "Rar Usage with Password and Compression Level" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", - "event_ids": [ - "4688" - ], - "id": "af422edd-75d2-0585-95bf-c4e72291a69e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003", - "T1197", - "attack.s0190", - "T1036.003", - "T1036" - ], - "title": "File Download Via Bitsadmin To An Uncommon Target Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", - "event_ids": [ - "4688" - ], - "id": "4b8e07ad-57d3-608d-6f9e-31047dfeb0de", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.003", - "T1003" - ], - "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects shell spawned from Java host process, which could be a 
sign of exploitation (e.g. log4j exploitation)", - "event_ids": [ - "4688" - ], - "id": "15e3c45c-06b7-5da5-4bc0-66cf00fcc185", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "TA0003", - "TA0004" - ], - "title": "Shell Process Spawned by Java.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when a share is mounted using the \"net.exe\" utility", - "event_ids": [ - "4688" - ], - "id": "3037cec2-08d0-f4a4-91c3-668db3535704", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1021.002", - "T1021" - ], - "title": "Windows Share Mount Via Net.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", - "event_ids": [ - "4688" - ], - "id": "61dd8b58-6c93-639f-6342-1ba077ce0f45", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1546.008", - "TA0004", - "T1546" - ], - "title": "Persistence Via Sticky Key Backdoor" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control", - "event_ids": [ - "4688" - ], - "id": "6a04614f-59c7-e8c1-6a54-5cc3b4eb1810", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "TA0009", - "T1185", - "T1564.003", - "T1564" - ], - "title": "Potential Data Stealing Via Chromium Headless Debugging" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", - "event_ids": [ - "4688" - ], - "id": "b4f46720-2a2a-38d0-a77b-cd70dfbd3151", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1070.001", - "T1562", - "T1070" - ], - "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec", - "event_ids": [ - "4688" - ], - "id": "acf0cb14-e141-75f6-8a56-a843022146d1", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1106" - ], - "title": "Potential WinAPI Calls Via CommandLine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", - "event_ids": [ - "4688" - ], - "id": "69f1f3b5-0009-eed3-f99e-e0db531c168b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "TA0001", - "T1047", - "T1059.001", - "T1059.003", - "T1059.005", - "T1059.007", - "T1218", - "T1218.001", - "T1218.010", - "T1218.011", - "T1566", - "T1566.001", - "T1059" - ], - "title": "HTML Help HH.EXE Suspicious Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", - "event_ids": [ - "4688" - ], - "id": "814014e5-bfa2-e72a-4f31-6155fab87672", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Suspicious PowerShell IEX Execution Patterns" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) 
in an URL combined with a download command", - "event_ids": [ - "4688" - ], - "id": "e0a1f78a-c161-fbe3-4ec6-e151177ec4f1", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007" - ], - "title": "Obfuscated IP Download Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE\nCheck if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)\n", - "event_ids": [ - "4688" - ], - "id": "233231d1-9636-f53b-5bc9-0b43d4d9a539", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1087.001", - "T1087.002", - "T1087" - ], - "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects email exfiltration via powershell cmdlets", - "event_ids": [ - "4688" - ], - "id": "693a4b33-a1e3-3dbb-ecc3-19d6fbc9601a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010" - ], - "title": "Email Exifiltration Via Powershell" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a set of suspicious network related commands often used in recon stages", - "event_ids": [ - "4688" - ], - "id": "cf674881-75bf-1708-a3d3-daf22e485a07", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1087", - "T1082", - "car.2016-03-001" - ], - "title": "Network Reconnaissance Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. 
The checks are explained on book.hacktricks.xyz", - "event_ids": [ - "4688" - ], - "id": "02c0a52b-6536-ca47-ce99-cea982b9008a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0007", - "T1082", - "T1087", - "T1046" - ], - "title": "HackTool - winPEAS Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the \"systeminfo\" command to retrieve information", - "event_ids": [ - "4688" - ], - "id": "4304f0ae-3682-de08-b8f4-d768ac9cb749", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1082" - ], - "title": "Suspicious Execution of Systeminfo" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", - "event_ids": [ - "4688" - ], - "id": "d39155d0-4154-66c0-1d94-6c61d77f27e7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Suspicious Execution of InstallUtil Without Log" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation\n", - "event_ids": [ - "4688" - ], - "id": "5bdc7357-a9e6-95bc-a7cd-c6e0022b3299", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0001", - "T1505.003", - "T1190", - "T1505" - ], - "title": "Suspicious Process By Web Server Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious child processes of Wscript/Cscript. 
These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\nMalware such as Pikabot and Qakbot were seen using similar techniques as well as many others.\n", - "event_ids": [ - "4688" - ], - "id": "70fe889c-0d1e-71e8-542d-a7ca05a0fef6", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Cscript/Wscript Potentially Suspicious Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", - "event_ids": [ - "4688" - ], - "id": "36d25ea3-c267-467d-2607-8791f67b7e4e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007" - ], - "title": "Potential Recon Activity Using DriverQuery.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", - "event_ids": [ - "4688" - ], - "id": "deb3c0f1-0961-ecf5-5c89-8c7640d2b22f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect the harvesting of wifi credentials using netsh.exe", - "event_ids": [ - "4688" - ], - "id": "bbc6093d-c0e1-e946-62dd-d27307534a1f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "TA0006", - "T1040" - ], - "title": "Harvesting Of Wifi Credentials Via Netsh.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects attempts to freeze a process likely an EDR or an 
antimalware service process through EDR-Freeze that abuses the WerFaultSecure.exe process to suspend security software.\n", - "event_ids": [ - "4688" - ], - "id": "4bf1a6ac-2f14-c4e7-4339-5a28683aa92f", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Suspicious Process Suspension via WERFaultSecure through EDR-Freeze" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\nThe DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", - "event_ids": [ - "4688" - ], - "id": "15f30e45-8a75-9af7-3703-c6af70b3d9f5", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "DSInternals Suspicious PowerShell Cmdlets" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. 
This can be used to override access restrictions set by previous ACLs.", - "event_ids": [ - "4688" - ], - "id": "a6b2ba82-448c-971d-4112-1464c1588d84", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1543.003", - "T1543" - ], - "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.\nWindows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.\n", - "event_ids": [ - "4688" - ], - "id": "7987377e-ddde-302c-5a17-7723837a1d38", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0008", - "T1210" - ], - "title": "HackTool - SharpWSUS/WSUSpendu Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.\nNode.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.\nAdversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.\nBecause Node.js is commonly used, this rule may generate false positives in some environments. 
However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.\n",
- "event_ids": [
- "4688"
- ],
- "id": "5b59cdaa-a618-5038-0573-2902a6798a29",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.007",
- "T1059"
- ],
- "title": "NodeJS Execution of JavaScript File"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.",
- "event_ids": [
- "4688"
- ],
- "id": "eacb8d30-18b2-df70-fb8e-b5b8bb773983",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1202"
- ],
- "title": "Potential Arbitrary DLL Load Using Winword"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.",
- "event_ids": [
- "4688"
- ],
- "id": "2eed1cc9-eaed-d468-3184-02f80bf78c3d",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0009",
- "T1005"
- ],
- "title": "Veeam Backup Database Suspicious Query"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n",
- "event_ids": [
- "4688"
- ],
- "id": "8b3afca9-f927-14ee-58f5-238c5f845d71",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0040",
- "T1070",
- "T1485"
- ],
- "title": "Fsutil Suspicious Invocation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects python spawning a pretty tty",
- "event_ids": [
- "4688"
- ],
- "id": "4e16e266-e27d-ab29-fd78-e04352a8aee7",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059"
- ],
- "title": "Python Spawning Pretty TTY on Windows"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument",
- "event_ids": [
- "4688"
- ],
- "id": "e3c946f5-fbf9-ed84-e993-6f80a6467aae",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "AgentExecutor PowerShell Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects inline execution of PowerShell code from a file",
- "event_ids": [
- "4688"
- ],
- "id": "58d3ef60-05d8-9a87-7fde-3bd696dba247",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Powershell Inline Execution From A File"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
- "event_ids": [
- "4688"
- ],
- "id": "5e078b34-047a-505f-5c16-344bc38300ff",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1049"
- ],
- "title": "System Network Connections Discovery Via Net.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).",
- "event_ids": [
- "4688"
- ],
- "id": "874b58be-13ea-f81c-3413-0356498356e2",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1047"
- ],
- "title": "Script Event Consumer Spawning Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a CodePage modification using the \"mode.com\" utility to Russian language.\nThis behavior has been used by threat actors behind Dharma ransomware.\n",
- "event_ids": [
- "4688"
- ],
- "id": "54a21dac-be5a-04d2-da18-4bdd55216fa0",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1036"
- ],
- "title": "CodePage Modification Via MODE.COM To Russian Language"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors",
- "event_ids": [
- "4688"
- ],
- "id": "c4306817-4a47-606b-e363-d48b4d305f82",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1505.004",
- "T1505"
- ],
- "title": "Suspicious IIS Module Registration"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of powershell commands from headless ConHost window.\nThe \"--headless\" flag hides the windows from the user upon execution.\n",
- "event_ids": [
- "4688"
- ],
- "id": "0df72588-414b-1bc3-7b9d-ea4a01af56db",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "T1059.001",
- "T1059.003",
- "T1564.003",
- "T1059",
- "T1564"
- ],
- "title": "Powershell Executed From Headless ConHost Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.",
- "event_ids": [
- "4688"
- ],
- "id": "7b1d6a26-339a-db21-8b7d-55f848967cdd",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "TA0002",
- "T1059.001",
- "T1105",
- "T1059"
- ],
- "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of SecurityXploded Tools",
- "event_ids": [
- "4688"
- ],
- "id": "0cb1943b-75df-d254-4a36-58c1dc6a3f97",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1555"
- ],
- "title": "HackTool - SecurityXploded Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages",
- "event_ids": [
- "4688"
- ],
- "id": "73845b5a-3c6f-eabe-4bcd-e9581c82d899",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0005"
- ],
- "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values",
- "event_ids": [
- "4688"
- ],
- "id": "a4c2d962-184c-6b0f-6155-edee8fac04c8",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0008",
- "T1021.001",
- "T1112",
- "T1021"
- ],
- "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence",
- "event_ids": [
- "4688"
- ],
- "id": "a23f9412-323f-fd1c-1c72-ac38fdedc079",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1546.003",
- "T1546"
- ],
- "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.",
- "event_ids": [
- "4688"
- ],
- "id": "2660fe06-fcf6-19f2-3233-b50236d5ff13",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0040",
- "T1490"
- ],
- "title": "Boot Configuration Tampering Via Bcdedit.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks",
- "event_ids": [
- "4688"
- ],
- "id": "ef92722b-fb96-33d7-d77b-f6770ac84d0f",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1090.003",
- "T1090"
- ],
- "title": "Tor Client/Browser Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity",
- "event_ids": [
- "4688"
- ],
- "id": "9a0eb817-c07f-1061-89e6-3f30825c8e37",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003",
- "T1003.001"
- ],
- "title": "Potential Credential Dumping Via LSASS Process Clone"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects uncommon child processes of \"DefaultPack.EXE\" binary as a proxy to launch other programs",
- "event_ids": [
- "4688"
- ],
- "id": "91d53283-959d-c486-79b7-288d5aa3be9c",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "T1218",
- "TA0005",
- "TA0002"
- ],
- "title": "Uncommon Child Process Of Defaultpack.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of \"gpg.exe\" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.",
- "event_ids": [
- "4688"
- ],
- "id": "69ecc75a-13a3-371f-01a6-fcb003da67b4",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0040",
- "T1486"
- ],
- "title": "Portable Gpg.EXE Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of a system command via the ScreenConnect RMM service.",
- "event_ids": [
- "4688"
- ],
- "id": "fa02ff62-1ebd-d56a-ffa0-8accc97eeec4",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.003",
- "T1059"
- ],
- "title": "Remote Access Tool - ScreenConnect Remote Command Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"",
- "event_ids": [
- "4688"
- ],
- "id": "2dadd86d-ec91-774c-96a2-b80b47515d60",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0004",
- "T1543.003",
- "T1543"
- ],
- "title": "New Kernel Driver Via SC.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the deletion of backups or system state backups via \"wbadmin.exe\".\nThis technique is used by numerous ransomware families and actors.\nThis may only be successful on server platforms that have Windows Backup enabled.\n",
- "event_ids": [
- "4688"
- ],
- "id": "133b31a6-d87d-34ee-0699-ac8c9dce764b",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0040",
- "T1490"
- ],
- "title": "Windows Backup Deleted Via Wbadmin.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.",
- "event_ids": [
- "4688"
- ],
- "id": "6e250513-0f66-ed08-f2e8-81c7884c15a3",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Suspicious DLL Loaded via CertOC.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.\n",
- "event_ids": [
- "4688"
- ],
- "id": "b1293fae-fc5a-74c7-dfc9-3ad02ce661b2",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0003",
- "T1047",
- "T1098"
- ],
- "title": "Password Set to Never Expire via WMI"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "The Devtoolslauncher.exe executes other binary",
- "event_ids": [
- "4688"
- ],
- "id": "415d9b8e-8ea7-ce1d-44e5-f124d411e636",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Devtoolslauncher.exe Executes Specified Binary"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of the \"dir\" command part of Windows CMD with the \"/S\" command line flag in order to enumerate files in a specified directory and all subdirectories.\n",
- "event_ids": [
- "4688"
- ],
- "id": "d2fa11c1-82e2-42db-8f24-39f38b6ea6ba",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1217"
- ],
- "title": "File And SubFolder Enumeration Via Dir Command"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection.\nThis rule looks for the execution of binaries that are named similarly to Sysinternals tools.\nAdversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.\n",
- "event_ids": [
- "4688"
- ],
- "id": "31a31ff3-32c0-0f43-bbec-b089825d4c52",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0005",
- "T1218",
- "T1202",
- "T1036.005",
- "T1036"
- ],
- "title": "Potential Binary Impersonating Sysinternals Tools"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects rundll32 execution where the DLL is located on a remote location (share)",
- "event_ids": [
- "4688"
- ],
- "id": "6b7e9ce2-c343-23e5-2bf3-223f82753b6f",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "TA0008",
- "T1021.002",
- "T1218.011",
- "T1218",
- "T1021"
- ],
- "title": "Rundll32 UNC Path Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect filter driver unloading activity via fltmc.exe",
- "event_ids": [
- "4688"
- ],
- "id": "bd94e379-d774-a7fa-3d0c-ce6765196ac0",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1070",
- "T1562",
- "T1562.002"
- ],
- "title": "Filter Driver Unloaded Via Fltmc.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting",
- "event_ids": [
- "4688"
- ],
- "id": "33de75b5-e77d-234d-db45-228cb5921cdd",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "T1218"
- ],
- "title": "Use of Scriptrunner.exe"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering",
- "event_ids": [
- "4688"
- ],
- "id": "55da7839-272c-d651-9349-c6e62c955734",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "TA0003",
- "T1543.003",
- "T1543"
- ],
- "title": "Sysinternals PsService Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely",
- "event_ids": [
- "4688"
- ],
- "id": "055ae5db-808f-a1cc-57ac-99f0fadbab7f",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Sysmon Configuration Update"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms",
- "event_ids": [
- "4688"
- ],
- "id": "d60bae71-ab70-95e8-ce1c-c0226f62a597",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1053"
- ],
- "title": "HackTool - SharPersist Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "An adversary might use WMI to discover information about the system, such as the volume name, size,\nfree space, and other disk information. This can be done using the `wmic` command-line utility and has been\nobserved being used by threat actors such as Volt Typhoon.\n",
- "event_ids": [
- "4688"
- ],
- "id": "f880519f-4419-7762-c6d0-7676fd2192a9",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0007",
- "T1047",
- "T1082"
- ],
- "title": "System Disk And Volume Reconnaissance Via Wmic.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews",
- "event_ids": [
- "4688"
- ],
- "id": "fb7a3239-94db-7a87-e1de-97016c713f32",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0004"
- ],
- "title": "UAC Bypass Using Event Viewer RecentViews"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Shadow Copies deletion using operating systems utilities",
- "event_ids": [
- "4688"
- ],
- "id": "0cad8839-9b0c-0a2c-8b61-c2b539604a10",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0040",
- "T1070",
- "T1490"
- ],
- "title": "Shadow Copies Deletion Using Operating Systems Utilities"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)",
- "event_ids": [
- "4688"
- ],
- "id": "08a52423-1768-5eb8-726f-bfae99db5f64",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0004",
- "T1548.002",
- "T1548"
- ],
- "title": "UAC Bypass Using PkgMgr and DISM"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe",
- "event_ids": [
- "4688"
- ],
- "id": "2c2fe733-6ef3-9d44-210c-fb4011ee1944",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002"
- ],
- "title": "Suspicious File Download From IP Via Wget.EXE - Paths"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Shadow Copies creation using operating systems utilities, possible credential access",
- "event_ids": [
- "4688"
- ],
- "id": "1f2eb669-e0a1-6d98-cf43-82b1f083fb23",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003",
- "T1003.002",
- "T1003.003"
- ],
- "title": "Shadow Copies Creation Using Operating Systems Utilities"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of cmdkey to look for cached credentials on the system",
- "event_ids": [
- "4688"
- ],
- "id": "e1b669ee-98b7-25ba-818f-8198fdb19b0d",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003.005",
- "T1003"
- ],
- "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.",
- "event_ids": [
- "4688"
- ],
- "id": "fdd2fe27-5f29-7b4f-0381-22bac2ea7c0a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008"
- ],
- "title": "Mstsc.EXE Execution From Uncommon Parent"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of \".xbap\" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious \".xbap\" files any bypass AWL\n",
- "event_ids": [
- "4688"
- ],
- "id": "7466d932-270d-a4c2-5851-05e1557ee730",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "T1218"
- ],
- "title": "XBAP Execution From Uncommon Locations Via PresentationHost.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the stopping of a Windows service via the \"sc.exe\" utility",
- "event_ids": [
- "4688"
- ],
- "id": "115267f9-0227-94b2-f6ef-56939bd2c693",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0040",
- "T1489"
- ],
- "title": "Stop Windows Service Via Sc.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious mshta process execution patterns",
- "event_ids": [
- "4688"
- ],
- "id": "01ee4326-bf63-03dc-3a07-97129ea929cb",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1106"
- ],
- "title": "Suspicious Mshta.EXE Execution Patterns"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe",
- "event_ids": [
- "4688"
- ],
- "id": "fa60721b-3812-856b-d15f-7c528214d125",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Execution via stordiag.exe"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)",
- "event_ids": [
- "4688"
- ],
- "id": "aac97665-0e43-e14b-bc3c-bbefd72790dd",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218",
- "TA0002"
- ],
- "title": "Execute MSDT Via Answer File"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n",
- "event_ids": [
- "4688"
- ],
- "id": "56fda9b4-d3c0-2709-26ea-b109bdafb5c2",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218.007",
- "T1218"
- ],
- "title": "Msiexec Quiet Installation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.\nThis behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.\nAttackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.\n",
- "event_ids": [
- "4688"
- ],
- "id": "287709ae-0175-f8df-11fc-9ec74c46d8c9",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0005",
- "TA0007",
- "T1047",
- "T1112",
- "T1012"
- ],
- "title": "Registry Manipulation via WMI Stdregprov"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment",
- "event_ids": [
- "4688"
- ],
- "id": "5cba86ae-86b3-1aba-fe62-8b82c1fb1f92",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1087.002",
- "T1087"
- ],
- "title": "PUA - AdFind.EXE Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level",
- "event_ids": [
- "4688"
- ],
- "id": "c9ee66ac-639b-5403-8384-6c70ecdcddc1",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "T1574.011",
- "T1574"
- ],
- "title": "Potential Privilege Escalation via Service Permissions Weakness"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n",
- "event_ids": [
- "4688"
- ],
- "id": "df2b1ca6-a4d3-e875-ca48-ed65bd486a5f",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1021.001",
- "T1021"
- ],
- "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)",
- "event_ids": [
- "4688"
- ],
- "id": "27cc5ada-12cd-ee4a-3260-a00437b0ac13",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0004",
- "T1548.002",
- "T1548"
- ],
- "title": "UAC Bypass Using IEInstal - Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.\n",
- "event_ids": [
- "4688"
- ],
- "id": "5c3a9984-9934-58ca-15e5-cc96b8da7455",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1087"
- ],
- "title": "HackTool - SOAPHound Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.",
- "event_ids": [
- "4688"
- ],
- "id": "541e3fb5-f235-d13c-cd97-2e31f774193b",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "TA0005",
- "T1548.002",
- "T1548"
- ],
- "title": "Potential UAC Bypass Via Sdclt.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious msiexec process starts with web addresses as parameter",
- "event_ids": [
- "4688"
- ],
- "id": "570163b5-0034-92d2-919d-b0027cb8ee68",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218.007",
- "TA0011",
- "T1105",
- "T1218"
- ],
- "title": "MsiExec Web Install"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine",
- "event_ids": [
- "4688"
- ],
- "id": "44150656-1e8d-43ca-eebd-2f773849d62a",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005"
- ],
- "title": "Potential PowerShell Execution Policy Tampering - ProcCreation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files",
- "event_ids": [
- "4688"
- ],
- "id": "2a6f617c-481d-6799-1fd1-f7e0a24d76bf",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "HackTool - PowerTool Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.\n",
- "event_ids": [
- "4688"
- ],
- "id": "9990ea1d-fc80-2490-3c4f-8237e8bfbc7f",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Suspicious AddinUtil.EXE CommandLine Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.",
- "event_ids": [
- "4688"
- ],
- "id": "e0c7a46a-e1c5-f3fd-6202-5fcf88ffeb16",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027"
- ],
- "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.\nThis can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.\n",
- "event_ids": [
- "4688"
- ],
- "id": "55a1a7a8-02ee-7df8-a5e6-387dda75fc16",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1202"
- ],
- "title": "Indirect Command Execution From Script File Via Bash.EXE"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.\nThis behavior has been observed in-the-wild by different threat actors.\n",
- "event_ids": [
- "4688"
- ],
- "id": "2510ad44-2338-340a-8439-d99181aef4f2",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potential DLL injection and execution using \"Tracker.exe\"",
- "event_ids": [
- "4688"
- ],
- "id": "8f82ce6b-dc46-1b1e-3024-baa24253e735",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1055.001",
- "T1055"
- ],
- "title": "Potential DLL Injection Or Execution Using Tracker.exe"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe",
- "event_ids": [
- "4688"
- ],
- "id": "f4b28578-b356-1cbb-4554-acd9a8b62c9b",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1218",
- "TA0002"
- ],
- "title": "Indirect Command Execution By Program Compatibility Wizard"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen",
- "event_ids": [
- "4688"
- ],
- "id": "0a237495-b305-87bb-8e26-417ba98a4546",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "TA0003",
- "T1546.008",
- "car.2014-11-003",
- "car.2014-11-008",
- "T1546"
- ],
- "title": "Sticky Key Like Backdoor Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods",
- "event_ids": [
- "4688"
- ],
- "id": "06624157-0db4-9e8c-200f-fcfe2788d3e4",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003.001",
- "T1003"
- ],
- "title": "HackTool - Doppelanger LSASS Dumper Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Obfuscated use of Clip.exe to execute PowerShell",
- "event_ids": [
- "4688"
- ],
- "id": "d2f4e6f8-8091-3df9-bc05-f48b7a951ac8",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation CLIP+ Launcher"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.",
- "event_ids": [
- "4688"
- ],
- "id": "3644cb9d-2e13-2dcc-497a-9eb0710ac9b8",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "TA0003",
- "T1546.008",
- "T1546"
- ],
- "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation",
- "event_ids": [
- "4688"
- ],
- "id": "27bbbc51-2674-7c64-0d12-3844deb6cb4b",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1036",
- "T1218"
- ],
- "title": "Suspicious MSDT Parent Process"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.\nIt replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.\n",
- "event_ids": [
- "4688"
- ],
- "id": "4620f95a-0964-646b-6b21-78a838f03ac3",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1055.012",
- "T1055"
- ],
- "title": "HackTool - HollowReaper Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunneling techniques", - "event_ids": [ - "4688" - ], - "id": "9bce1ab7-f1d3-6e4c-e5ae-6cdb2b974218", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010", - "T1048" - ], - "title": "Tap Installer Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", - "event_ids": [ - "4688" - ], - "id": "3c178fa3-3914-652f-7007-f1d6f385c2ed", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1216" - ], - "title": "Remote Code Execute via Winrm.vbs" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", - "event_ids": [ - "4688" - ], - "id": "e51a363c-2979-56e7-4526-c49be62e6062", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Add SafeBoot Keys Via Reg Utility" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.\nBy setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events\nfrom being logged, effectively blinding monitoring tools that rely on this data. 
This is a powerful defense evasion technique.\n", - "event_ids": [ - "4688" - ], - "id": "900cc808-eb18-0106-55ac-478667fa36d5", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Disabling Windows Defender WMI Autologger Session via Reg.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.", - "event_ids": [ - "4688" - ], - "id": "5602c07f-c042-d14f-190e-cf750711227e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1204.002", - "TA0005", - "T1218.014", - "T1036.002", - "T1036", - "T1204", - "T1218" - ], - "title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", - "event_ids": [ - "4688" - ], - "id": "a69dee50-f5d1-178f-3794-9e06d089fc93", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010", - "T1048" - ], - "title": "Suspicious Redirection to Local Admin Share" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", - "event_ids": [ - "4688" - ], - "id": "9a71e218-8397-8c6b-22e0-fc805c7e6571", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0004", - "T1543.003", - "T1543" - ], - "title": "Suspicious Service Path 
Modification" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the WMI class \"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script", - "event_ids": [ - "4688" - ], - "id": "fdb2c7f2-63dc-72cd-5261-f3ab65d5d157", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", - "event_ids": [ - "4688" - ], - "id": "b77adf00-db71-5767-769e-2ba7c942d820", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Lolbin Runexehelper Use As Proxy" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution GMER tool based on image and hash fields.", - "event_ids": [ - "4688" - ], - "id": "52ddd559-9234-130a-cd5d-8be4384d1224", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "HackTool - GMER Rootkit Detector and Remover Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.\nRMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.\nHowever, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.\n", - "event_ids": [ - "4688" - ], - "id": 
"3ab572a4-6b9c-6004-a772-cf0ce1400109", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "TA0005", - "T1219.002", - "T1036.003", - "T1036", - "T1219" - ], - "title": "Remote Access Tool - Renamed MeshAgent Execution - Windows" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", - "event_ids": [ - "4688" - ], - "id": "51e070ce-c40e-99ba-6652-7a5ac4f85fea", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "TA0002", - "T1615", - "T1059.005", - "T1059" - ], - "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", - "event_ids": [ - "4688" - ], - "id": "bb0ae7bd-c963-0404-061e-ae3c6b866830", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1055" - ], - "title": "Suspect Svchost Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects presence of a potentially xor encoded powershell command", - "event_ids": [ - "4688" - ], - "id": "45f32609-3f8a-58cd-cf4b-13e480be32b3", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1059.001", - "T1140", - "T1027", - "T1059" - ], - "title": "Suspicious XOR Encoded PowerShell Command" - }, - { - "category": "process_creation", - 
"channel": [ - "sec" - ], - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "event_ids": [ - "4688" - ], - "id": "b7f2ba3f-b64d-9b62-1e90-ebefd17f3b94", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the creation of a new service using powershell.", - "event_ids": [ - "4688" - ], - "id": "97bbdb27-032d-af8b-7a1a-2e826f3f9b02", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0004", - "T1543.003", - "T1543" - ], - "title": "New Service Creation Using PowerShell" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\nAttackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.\n", - "event_ids": [ - "4688" - ], - "id": "f3baa8fc-8db9-1300-7b37-53785ce88ee9", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.003", - "T1003" - ], - "title": "Sensitive File Dump Via Wbadmin.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", - "event_ids": [ - "4688" - ], - "id": "011b5544-f9c6-7b7c-5114-f1cbce8b511a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1202" - ], - "title": "Rundll32 Execution Without CommandLine Parameters" - }, - { - "category": "process_creation", 
- "channel": [ - "sec" - ], - "description": "Detects execution of the \"cloudflared\" tool with the tunnel \"cleanup\" flag in order to cleanup tunnel connections.", - "event_ids": [ - "4688" - ], - "id": "fc4ecc21-82a9-f983-5331-c9e94cfc7cfd", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1102", - "T1090", - "T1572" - ], - "title": "Cloudflared Tunnel Connections Cleanup" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.", - "event_ids": [ - "4688" - ], - "id": "0c6e9a79-2e34-53ee-92c8-a3b0e05011d0", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0043", - "T1595" - ], - "title": "PUA - PingCastle Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", - "event_ids": [ - "4688" - ], - "id": "28b7f50a-c189-4a2f-314e-b19aa4b63468", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1539", - "TA0009", - "T1005" - ], - "title": "SQLite Firefox Profile Data DB Access" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", - "event_ids": [ - "4688" - ], - "id": "f3a177b8-4d9d-843b-e8b0-8a6dac39b8ae", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1090" - ], - "title": "PUA- IOX Tunneling Tool Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects 
TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.\nThese parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.\nThis technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.\n", - "event_ids": [ - "4688" - ], - "id": "7997ec07-1c34-0bba-64bc-d699a65b149f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1219", - "T1105" - ], - "title": "Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", - "event_ids": [ - "4688" - ], - "id": "685a2b5a-0d1d-e78a-174a-b35f1069684b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0043", - "TA0007", - "TA0006", - "TA0040" - ], - "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", - "event_ids": [ - "4688" - ], - "id": "7a1b8071-8f13-c99a-439b-e2769871d008", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1047", - "T1204.002", - "T1218.010", - "T1204", - "T1218" - ], - "title": "Suspicious Microsoft Office Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the LaZagne. 
A utility used to retrieve multiple types of passwords stored on a local computer.\nLaZagne has been leveraged multiple times by threat actors in order to dump credentials.\n", - "event_ids": [ - "4688" - ], - "id": "be78b4b9-f54e-84e0-b62f-872d92b15df9", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006" - ], - "title": "HackTool - LaZagne Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", - "event_ids": [ - "4688" - ], - "id": "fbf11b3a-b52f-1a2a-a481-d059609954fa", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1555.003", - "T1555" - ], - "title": "PUA - WebBrowserPassView Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy", - "event_ids": [ - "4688" - ], - "id": "b1b4e91a-f98e-efe3-e440-4baf203a621a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "TA0003", - "TA0005", - "TA0006", - "TA0004", - "T1562.002", - "T1547.001", - "T1505.005", - "T1556.002", - "T1562", - "T1574.007", - "T1564.002", - "T1546.008", - "T1546.007", - "T1547.014", - "T1547.010", - "T1547.002", - "T1557", - "T1082", - "T1564", - "T1505", - "T1556", - "T1574", - "T1546", - "T1547" - ], - "title": "Potential Suspicious Activity Using SeCEdit" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Deployment Image Servicing and Management tool. 
DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", - "event_ids": [ - "4688" - ], - "id": "aab62ba9-1795-b6b5-47f8-75e49b89b59d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Dism Remove Online Package" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Commandline to launch powershell with a base64 payload", - "event_ids": [ - "4688" - ], - "id": "5464890a-e53b-c991-756a-8ac37655adca", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Suspicious Execution of Powershell with Base64" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", - "event_ids": [ - "4688" - ], - "id": "fb3e5ab0-ed05-d894-23b3-a28ca8b237ba", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1140", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "PowerShell Base64 Encoded FromBase64String Cmdlet" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n", - "event_ids": [ - "4688" - ], - "id": "eae2fe25-e367-9c8d-111c-fe4507f8e1be", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "TA0010", - "T1560", - "T1560.001" - ], - "title": "Compressed File Creation Via Tar.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects 
potentially suspicious execution of the Qemu utility in a Windows environment.\nThreat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.\n", - "event_ids": [ - "4688" - ], - "id": "ecd9d96b-cb0c-0ae0-cdc4-1614f22b8e06", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1090", - "T1572" - ], - "title": "Potentially Suspicious Usage Of Qemu" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects actions that clear the local ShimCache and remove forensic evidence", - "event_ids": [ - "4688" - ], - "id": "3681f000-5b6c-d6a6-3a0f-8240c1325dc3", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "ShimCache Flush" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", - "event_ids": [ - "4688" - ], - "id": "9221ea23-8f7a-5f6e-cde6-763911fe289d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "event_ids": [ - "4688" - ], - "id": "f52ac08e-65ef-a059-20d3-1eca726c6659", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the enumeration and query of interesting and in 
some cases sensitive services on the system via \"sc.exe\".\nAttackers often try to enumerate the services currently running on a system in order to find different attack vectors.\n", - "event_ids": [ - "4688" - ], - "id": "75a50ccd-ba64-66cd-de19-003e2f044761", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1003", - "TA0006" - ], - "title": "Interesting Service Enumeration Via Sc.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects command line parameters or strings often used by crypto miners", - "event_ids": [ - "4688" - ], - "id": "c3538d2c-107c-a590-509c-957631b1eaf2", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1496" - ], - "title": "Potential Crypto Mining Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", - "event_ids": [ - "4688" - ], - "id": "7cd5f138-8005-2cb8-cb41-d6b0365b8e5f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1552.002", - "T1552" - ], - "title": "Enumeration for 3rd Party Creds From CLI" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uncommon child processes of Appvlp.EXE\nAppvlp or the Application Virtualization Utility is included with Microsoft Office. 
Attackers are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", - "event_ids": [ - "4688" - ], - "id": "3b38d2cf-7ccd-53a3-5491-424880982502", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1218", - "TA0005", - "TA0002" - ], - "title": "Uncommon Child Process Of Appvlp.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", - "event_ids": [ - "4688" - ], - "id": "e2ad4178-62be-451e-624c-06ea47918a7a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1055" - ], - "title": "Dllhost.EXE Execution Anomaly" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of \"DumpMinitool.exe\" a tool that allows the dump of process memory via the use of the \"MiniDumpWriteDump\"", - "event_ids": [ - "4688" - ], - "id": "7fba96c8-5c12-aafa-9f68-5c0c7fd6e592", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036", - "T1003.001", - "TA0006", - "T1003" - ], - "title": "DumpMinitool Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", - "event_ids": [ - "4688" - ], - "id": "69775960-6b6d-e4c6-a758-e539859c34d4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - 
"TA0005" - ], - "title": "Remote Access Tool - RURAT Execution From Unusual Location" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of FSharp Interpreters \"FsiAnyCpu.exe\" and \"FSi.exe\"\nBoth can be used for AWL bypass and to execute F# code via scripts or inline.\n", - "event_ids": [ - "4688" - ], - "id": "5c7dd694-d4dd-a0a8-ea44-8357ca998b69", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Use of FSharp Interpreters" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", - "event_ids": [ - "4688" - ], - "id": "9493969e-1bc7-42fc-ede3-cbd493d3e20a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1021.006", - "T1021" - ], - "title": "HackTool - WinRM Access Via Evil-WinRM" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", - "event_ids": [ - "4688" - ], - "id": "6c75d760-680d-9c24-79e3-123491563466", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Suspicious Desktopimgdownldr Command" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", - "event_ids": [ - "4688" - ], - "id": "cfe8471d-2e7f-9e55-aa92-3b117789d6a6", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" 
- ], - "tags": [ - "TA0008", - "TA0005", - "TA0011", - "T1090" - ], - "title": "New Port Forwarding Rule Added Via Netsh.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.", - "event_ids": [ - "4688" - ], - "id": "468cc04c-7017-cf17-29f4-4d2845397d91", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1113" - ], - "title": "Screen Capture Activity Via Psr.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", - "event_ids": [ - "4688" - ], - "id": "378bed70-399f-408f-0667-aa91c755a606", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Wscript Shell Run In CommandLine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs.", - "event_ids": [ - "4688" - ], - "id": "c9a20835-ce7c-8118-9269-64b5a5e8cbb5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Program Executed Using Proxy/Local Command Via SSH.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects child processes of the \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) which can abused to execute arbitrary binaries.", - "event_ids": [ - "4688" - ], - "id": "62ff6ff0-2ab6-4498-2d8a-7aaf4d8bdbb1", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - 
"tags": [ - "TA0005", - "T1127" - ], - "title": "Potential Mftrace.EXE Abuse" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", - "event_ids": [ - "4688" - ], - "id": "5f438a3c-3bd7-d256-61ad-9ae6334543ec", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1216" - ], - "title": "Suspicious CustomShellHost Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", - "event_ids": [ - "4688" - ], - "id": "584c503a-bcee-ab44-f773-dea130827275", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Potential AMSI Bypass Via .NET Reflection" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension", - "event_ids": [ - "4688" - ], - "id": "bb8639b3-534e-d193-84ff-570b4a6eb383", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1176.001", - "T1176" - ], - "title": "Suspicious Chromium Browser Instance Executed With Custom Extension" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"curl.exe\" with the \"insecure\" flag over proxy or DOH.", - "event_ids": [ - "4688" - ], - "id": "b1d59fa0-c42c-0efd-027d-d7721d153420", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Insecure Proxy/DOH 
Transfer Via Curl.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.", - "event_ids": [ - "4688" - ], - "id": "9fac7dce-b844-3db0-da6c-98df4b015954", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "TA0043", - "T1590.001", - "T1590" - ], - "title": "PUA - Crassus Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", - "event_ids": [ - "4688" - ], - "id": "99b507ef-fee7-2f19-767e-66439dad9d9f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1202" - ], - "title": "Suspicious Cabinet File Execution Via Msdt.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", - "event_ids": [ - "4688" - ], - "id": "3d30b2bb-135f-d972-364f-9e41f8aa609b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Arbitrary Binary Execution Using GUP Utility" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious process spawning from an Outlook process.", - "event_ids": [ - "4688" - ], - "id": "ce29d50b-8a96-dc9b-96a1-3acbb2b68039", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1204.002", - "T1204" - ], - "title": "Suspicious Outlook Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - 
], - "description": "Detects the removal or uninstallation of an application via \"Wmic.EXE\".", - "event_ids": [ - "4688" - ], - "id": "4f8de5d6-a332-76fb-d759-219688d83254", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047" - ], - "title": "Application Removed Via Wmic.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag", - "event_ids": [ - "4688" - ], - "id": "33f733e0-fb92-860f-da22-47ee0186c951", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1033", - "car.2016-03-001" - ], - "title": "Enumerate All Information With Whoami.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", - "event_ids": [ - "4688" - ], - "id": "af00bb3c-d23f-1210-525a-d8eaf94dd907", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1555.004", - "T1555" - ], - "title": "Windows Credential Manager Access via VaultCmd" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of netsh with the \"advfirewall\" and the \"set\" option in order to set new values for properties of a existing rule", - "event_ids": [ - "4688" - ], - "id": "982b7732-cb4f-a678-742f-12975f002ced", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Firewall Rule Update Via Netsh.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious inline JavaScript execution using Node.js with specific 
keywords in the command line.", - "event_ids": [ - "4688" - ], - "id": "7d713cf5-4d56-75d5-a689-0206993c4d03", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.007", - "T1059" - ], - "title": "Potentially Suspicious Inline JavaScript Execution via NodeJS Binary" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.", - "event_ids": [ - "4688" - ], - "id": "7aaa460d-7613-e1bd-01a0-3c17a897a9d2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "TA0002" - ], - "title": "Potential Discovery Activity Via Dnscmd.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", - "event_ids": [ - "4688" - ], - "id": "088e72dd-07b4-8c9a-4e3a-f8b72d98def0", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0008", - "T1059.001", - "T1021.006", - "T1059", - "T1021" - ], - "title": "Remote PowerShell Session Host Process (WinRM)" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "event_ids": [ - "4688" - ], - "id": "f57937ba-e844-d5ff-1b06-4ca216d0b747", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0005", - "TA0004", - "T1574.011", - "T1574" - ], - "title": "Abuse of Service Permissions to Hide Services Via Set-Service" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", - "event_ids": [ - "4688" - ], - "id": "6608cba0-3816-77a3-31ab-3b70c790f18c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1552.004", - "T1552" - ], - "title": "Private Keys Reconnaissance Via CommandLine Tools" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects some Empire PowerShell UAC bypass methods", - "event_ids": [ - "4688" - ], - "id": "5ccc4b5a-ddf6-63e0-3b00-82be3eb56506", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "car.2019-04-001", - "T1548" - ], - "title": "HackTool - Empire PowerShell UAC Bypass" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.\nAutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks.\nAttackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. 
A renamed AutoIt executable is particularly suspicious.\n", - "event_ids": [ - "4688" - ], - "id": "6c6e8f1c-70aa-c21c-7860-3cd72022adb7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027" - ], - "title": "Renamed AutoIt Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a copy command or a copy utility execution to or from an Admin share or remote", - "event_ids": [ - "4688" - ], - "id": "6646eced-c21d-4c5f-dae2-0a7a43be1d5c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "TA0009", - "TA0010", - "T1039", - "T1048", - "T1021.002", - "T1021" - ], - "title": "Copy From Or To Admin Share Or Sysvol Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", - "event_ids": [ - "4688" - ], - "id": "cda8f35e-7183-91df-da4b-c9598a42fd3b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Suspicious AgentExecutor PowerShell Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the PowerShell command lines with special characters", - "event_ids": [ - "4688" - ], - "id": "8f07f78d-22f4-9cc9-b3fb-8d8c7b056395", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1027", - "T1059.001", - "T1059" - ], - "title": "Potential PowerShell Command Line Obfuscation" - }, - { - "category": "process_creation", - "channel": [ - 
"sec" - ], - "description": "Detects PowerShell download and execution cradles.", - "event_ids": [ - "4688" - ], - "id": "7c4af673-03d0-fd2c-2562-41ee96b4d36e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "PowerShell Download and Execution Cradles" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", - "event_ids": [ - "4688" - ], - "id": "351d47d4-a048-9463-4aea-54964c77adee", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "TA0005", - "TA0011", - "T1090" - ], - "title": "RDP Port Forwarding Rule Added Via Netsh.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the enumeration of a specific DLL or EXE being used by a binary via \"tasklist.exe\".\nThis is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.\nIn order to dump the process memory or perform other nefarious actions.\n", - "event_ids": [ - "4688" - ], - "id": "0f054564-5b4b-f7e3-ffa7-a1afda6c3715", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1003", - "TA0006" - ], - "title": "Loaded Module Enumeration Via Tasklist.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects an uncommon svchost parent process", - "event_ids": [ - "4688" - ], - "id": "057c8ea6-1759-bf0b-4271-d71dfc700239", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036.005", - "T1036" - ], - "title": "Uncommon Svchost Parent Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" 
- ], - "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking", - "event_ids": [ - "4688" - ], - "id": "63efb70a-b106-3e6a-fe1d-b3c49558ebd0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.003", - "T1059" - ], - "title": "Potential CommandLine Path Traversal Via Cmd.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a potentially suspicious parent of \"csc.exe\", which could be a sign of payload delivery.", - "event_ids": [ - "4688" - ], - "id": "46903700-a139-8e57-f71a-3b0e0c0b1fb5", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.005", - "T1059.007", - "TA0005", - "T1218.005", - "T1027.004", - "T1218", - "T1027", - "T1059" - ], - "title": "Csc.EXE Execution Form Potentially Suspicious Parent" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.\nThis could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.\n", - "event_ids": [ - "4688" - ], - "id": "5cf7d531-3e77-6eb0-d0e7-497c9a6520f2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562" - ], - "title": "Write Protect For Storage Disabled" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", - "event_ids": [ - "4688" - ], - "id": "43286cfb-09a6-4e2e-a895-f3c073eeb9f1", - "level": 
"high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1543.003", - "T1543" - ], - "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Files with well-known filenames (sensitive files with credential data) copying", - "event_ids": [ - "4688" - ], - "id": "1c39c2aa-7a13-2826-f8c5-48a453dfd562", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.002", - "T1003.003", - "car.2013-07-001", - "attack.s0404", - "T1003" - ], - "title": "Copying Sensitive Files with Credential Data" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential abuse of the \"register_app.vbs\" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. 
Attackers can use this to install malicious DLLs for persistence and execution.", - "event_ids": [ - "4688" - ], - "id": "6855348e-9e88-3b8c-cd96-7a09bd19a04d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Potential Register_App.Vbs LOLScript Abuse" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n", - "event_ids": [ - "4688" - ], - "id": "1c799762-beac-3409-8ab4-09485fc2ca91", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1219.002", - "T1219" - ], - "title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uncommon child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript", - "event_ids": [ - "4688" - ], - "id": "7a110d73-1faa-19d5-10aa-bd44ad1e783f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.005", - "TA0005", - "T1218", - "T1202", - "T1059" - ], - "title": "Uncommon Child Process Of BgInfo.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.", - "event_ids": [ - "4688" - ], - "id": "0fd941d7-3dec-afd3-d991-d693f0a6dff8", - "level": "medium", - "service": 
"", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Change PowerShell Policies to an Insecure Level" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects PowerShell scripts to set the ACL to a file in the Windows folder", - "event_ids": [ - "4688" - ], - "id": "401fb350-d891-c9ac-1ba7-13d9cce53c20", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "PowerShell Set-Acl On Windows Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", - "event_ids": [ - "4688" - ], - "id": "e3cb371f-ecf2-9b45-e6ff-67bb63f48a48", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.001", - "T1218" - ], - "title": "Remote CHM File Download/Execution Via HH.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", - "event_ids": [ - "4688" - ], - "id": "403a879a-c765-af55-2a45-cce39e1f5cdb", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "PowerShell Script Run in AppData" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", - "event_ids": [ - "4688" - ], - "id": "58180213-29ed-6aa8-7558-806ba2830b7f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Nslookup PowerShell Download Cradle - ProcessCreation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.\nThis detection assumes that PowerShell commands are passed via the CommandLine.\n", - "event_ids": [ - "4688" - ], - "id": "52aeb4d7-4368-4da4-c717-f3b016a01d64", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "T1218" - ], - "title": "Potential PowerShell Execution Via DLL" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", - "event_ids": [ - "4688" - ], - "id": "04c281fd-ba4b-8255-087a-ace794d28c8e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1572" - ], - "title": "Potential RDP Tunneling Via SSH" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of malicious OneNote documents that contain embedded scripts.\nWhen a user clicks on a OneNote attachment and then on the malicious link inside the \".one\" file, it exports and executes the malicious embedded script from specific directories.\n", - "event_ids": [ - "4688" - ], - "id": "a7aba663-3da2-bc96-f8c3-acd95b2b3052", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.001", - "T1218" - ], - "title": "OneNote.EXE 
Execution of Malicious Embedded Scripts" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", - "event_ids": [ - "4688" - ], - "id": "62e77033-e379-af4f-5bc4-a7f722328265", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Potential NTLM Coercion Via Certutil.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", - "event_ids": [ - "4688" - ], - "id": "bddf8e50-854c-b536-b42e-72e80d7115da", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.001", - "T1546" - ], - "title": "Change Default File Association To Executable Via Assoc" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects calls to the AtomicTestHarnesses \"Invoke-ATHRemoteFXvGPUDisablementCommand\" which is designed to abuse the \"RemoteFXvGPUDisablement.exe\" binary to run custom PowerShell code via module load-order hijacking.", - "event_ids": [ - "4688" - ], - "id": "88ecfa5d-38dc-041a-fc73-6a0436a3d27f", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": 
"RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious child process of userinit", - "event_ids": [ - "4688" - ], - "id": "fc42ea9c-4c0d-4a66-b3b7-34b2a831f588", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1055" - ], - "title": "Suspicious Userinit Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", - "event_ids": [ - "4688" - ], - "id": "35f42a49-bad0-2ba7-87b0-62e78681838e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1489" - ], - "title": "Delete All Scheduled Tasks" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uncommon child processes spawning from \"sigverif.exe\", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.\n", - "event_ids": [ - "4688" - ], - "id": "7f54442b-227f-edd9-29d8-f6dc27ca512e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1216" - ], - "title": "Uncommon Sigverif.EXE Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of Notepad to open a file that has the string \"password\" which may indicate unauthorized access to credentials or suspicious activity.", - "event_ids": [ - "4688" - ], - "id": "88058179-1331-afd7-eaea-6a77664d95dc", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - 
"TA0007", - "T1083" - ], - "title": "Notepad Password Files Discovery" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects attempts to query system information directly from the Windows Registry.", - "event_ids": [ - "4688" - ], - "id": "62c2be2f-ba0e-142b-7bf8-cf4b2b8a6bf5", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1082" - ], - "title": "System Information Discovery via Registry Queries" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", - "event_ids": [ - "4688" - ], - "id": "0d186f78-d83c-0c4b-100c-cbdc93891947", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1558.003", - "T1558" - ], - "title": "Potential SPN Enumeration Via Setspn.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of winget to add new additional download sources", - "event_ids": [ - "4688" - ], - "id": "d8e1c729-6e00-4d1f-0af5-f58bd233d23a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1059" - ], - "title": "Add New Download Source To Winget" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.", - "event_ids": [ - "4688" - ], - "id": "325e649b-61c6-7c91-88ba-f2873675b355", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Suspicious Provlaunch.EXE Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": 
"Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location", - "event_ids": [ - "4688" - ], - "id": "d14f893b-1931-f274-ce30-147d8cca81fb", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.009", - "T1218" - ], - "title": "Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", - "event_ids": [ - "4688" - ], - "id": "79562785-6cc3-acf1-853a-e4758e918d32", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Start of NT Virtual DOS Machine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which \"format.com\" is used to load malicious DLL files or other programs.\n", - "event_ids": [ - "4688" - ], - "id": "de9e4f46-8404-a8bb-7f5a-78bc21b25a9e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Uncommon FileSystem Load Attempt By Format.com" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the \"jsc.exe\" (JScript Compiler).\nAttacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.\n", - "event_ids": [ - "4688" - ], - "id": "4acb4c4c-6e64-9353-58fa-113832d88626", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - 
"TA0005", - "T1127" - ], - "title": "JScript Compiler Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", - "event_ids": [ - "4688" - ], - "id": "39a37f01-5f47-60db-1809-3aef76fc537a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0006", - "T1557.001", - "T1557" - ], - "title": "HackTool - Impacket Tools Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious parent process for cmd.exe", - "event_ids": [ - "4688" - ], - "id": "370b959a-526f-4355-c41d-8388206d423a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Unusual Parent Process For Cmd.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential sideloading of \"mpclient.dll\" by Windows Defender processes (\"MpCmdRun\" and \"NisSrv\") from their non-default directory.", - "event_ids": [ - "4688" - ], - "id": "11009f2c-2e92-f0a7-40e3-76f389110133", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1574.001", - "T1574" - ], - "title": "Potential Mpclient.DLL Sideloading Via Defender Binaries" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state", - "event_ids": [ - "4688" - ], - "id": "2f54a1b2-dad9-be0e-bdd0-a299137396ac", - "level": "high", - "service": "", - "subcategory_guids": [ 
- "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003", - "T1059" - ], - "title": "Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", - "event_ids": [ - "4688" - ], - "id": "3870935a-4632-088f-5f37-1baf2d7d56fe", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003" - ], - "title": "Suspicious WindowsTerminal Child Processes" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the builtin \"rmdir\" command in order to delete directories.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", - "event_ids": [ - "4688" - ], - "id": "80e2dcdb-b882-51ac-b1e2-8440243a0492", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1070.004", - "T1070" - ], - "title": "Directory Removal Via Rmdir" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious child processes of WinRAR.exe.", - "event_ids": [ - "4688" - ], - "id": "c57b53ed-b127-34e4-6906-e0e36b11d5ed", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1203" - ], - "title": "Potentially Suspicious Child Process Of WinRAR.EXE" - }, - 
{ - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", - "event_ids": [ - "4688" - ], - "id": "6f1c48cf-ca24-9def-3a7c-bd81baec1f58", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "T1548" - ], - "title": "UAC Bypass Using ChangePK and SLUI" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the recovery of files from backups via \"wbadmin.exe\".\nAttackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.\n", - "event_ids": [ - "4688" - ], - "id": "5202675a-41e6-e644-d9e9-47e5f945d40a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1490" - ], - "title": "File Recovery From Backup Via Wbadmin.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of a Chromium based browser process with the \"headless\" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).", - "event_ids": [ - "4688" - ], - "id": "7799eb33-05b6-9a35-9e50-e2da961e40bb", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Chromium Browser Headless Execution To Mockbin Like Site" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious child processes of the SQLServer process. 
This could indicate potential RCE or SQL Injection.", - "event_ids": [ - "4688" - ], - "id": "e5fef5f3-db95-fac1-d6a8-ebe5cea61016", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1505.003", - "T1190", - "TA0001", - "TA0003", - "TA0004", - "T1505" - ], - "title": "Suspicious Child Process Of SQL Server" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", - "event_ids": [ - "4688" - ], - "id": "a7926fae-e53c-6ad5-0a66-a32cbf78f1bf", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", - "event_ids": [ - "4688" - ], - "id": "11f0b956-1d1f-35ac-0745-953256f95462", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1136.001", - "T1136" - ], - "title": "New User Created Via Net.EXE With Never Expire Option" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", - "event_ids": [ - "4688" - ], - "id": "432d294d-a306-5b48-a105-306e9dfd78cf", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1053.002", - "T1053" - ], - "title": "Interactive AT Job" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", - 
"event_ids": [ - "4688" - ], - "id": "7ebc545f-8b8d-1d34-7a2e-99467ab1008d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1112", - "TA0005" - ], - "title": "Potential Suspicious Registry File Imported Via Reg.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV", - "event_ids": [ - "4688" - ], - "id": "8d302e8b-d95c-0027-59e0-a3c179726623", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Powershell Base64 Encoded MpPreference Cmdlet" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", - "event_ids": [ - "4688" - ], - "id": "a7598bcd-02ee-2b0a-092f-27aeb1e15e94", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002" - ], - "title": "Wab Execution From Non Default Location" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", - "event_ids": [ - "4688" - ], - "id": "1ee586c3-86e8-4b2c-b33f-80c524292d5e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Uninstall Crowdstrike Falcon Sensor" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of special strings/null bits in order to 
potentially bypass AMSI functionalities", - "event_ids": [ - "4688" - ], - "id": "9b9bf6cd-1e4c-25a1-5857-4e6793b53d32", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Potential AMSI Bypass Using NULL Bits" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"DXCap.EXE\" with the \"-c\" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.\n", - "event_ids": [ - "4688" - ], - "id": "502f2034-8929-9fd1-10fc-732a817671b7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "New Capture Session Launched Via DXCap.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", - "event_ids": [ - "4688" - ], - "id": "693159ba-e2b9-cb03-30d0-5234a23b26d7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.003", - "T1003" - ], - "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", - "event_ids": [ - "4688" - ], - "id": "4c9296a3-a93c-d142-7e16-69111f075e7f", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0005", - "TA0004", - "T1574.011", - "T1574" - ], - "title": "Service DACL Abuse To Hide 
Services Via Sc.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious process that is masquerading as the legitimate \"svchost.exe\" by naming its binary \"svchost.exe\" and executing from an uncommon location.\nAdversaries often disguise their malicious binaries by naming them after legitimate system processes like \"svchost.exe\" to evade detection.\n", - "event_ids": [ - "4688" - ], - "id": "f7115cfd-3899-16ef-c89b-2db0aa711a9c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036.005", - "T1036" - ], - "title": "Suspicious Process Masquerading As SvcHost.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline", - "event_ids": [ - "4688" - ], - "id": "2cc522c8-300b-2344-e384-3db7df590412", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036" - ], - "title": "Potential Command Line Path Traversal Evasion Attempt" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of php using the \"-r\" flag. 
This is could be used as a way to launch a reverse shell or execute live php code.", - "event_ids": [ - "4688" - ], - "id": "4329e2b7-363d-b9dc-cbd5-6bbcc79a1b5b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Php Inline Command Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", - "event_ids": [ - "4688" - ], - "id": "62ed175b-c554-0c7c-9804-0a1628688796", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1218", - "TA0005" - ], - "title": "Malicious PE Execution by Microsoft Visual Studio Debugger" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", - "event_ids": [ - "4688" - ], - "id": "3135cfd1-5a2f-468b-9cf2-fbf03902985f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036" - ], - "title": "Potential Fake Instance Of Hxtsr.EXE Executed" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)", - "event_ids": [ - "4688" - ], - "id": "e6f654c0-1d07-0204-f77c-f791d88e44d0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "attack.g0047", - "T1021.005", - "T1021" - ], - "title": "Suspicious UltraVNC Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", - "event_ids": [ - "4688" - ], - "id": "627c728d-1a1a-0871-ead7-d1537f0a152b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003", - "T1053.005", - "T1053" - ], - "title": "Schtasks Creation Or Modification With SYSTEM Privileges" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", - "event_ids": [ - "4688" - ], - "id": "09815188-8262-0a9b-c00c-460108a51499", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "event_ids": [ - "4688" - ], - "id": "1704d7d3-0c6c-8a4d-b02a-55dd951e5f61", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Potential PowerShell Downgrade Attack" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a process memory dump via 
\"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", - "event_ids": [ - "4688" - ], - "id": "fbee28d8-8e92-176d-b6bc-0532d9a98eac", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0006", - "T1036", - "T1003.001", - "car.2013-05-009", - "T1003" - ], - "title": "Process Memory Dump Via Comsvcs.DLL" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.\n", - "event_ids": [ - "4688" - ], - "id": "9acd1f19-c194-7c55-3130-8479b170af87", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036" - ], - "title": "Suspicious Calculator Usage" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the \"ActivateMicrosoftApp\" Excel DCOM object.\n", - "event_ids": [ - "4688" - ], - "id": "dfd2290c-5c82-62f3-7643-4df329d43ce1", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1021.003", - "TA0008", - "T1021" - ], - "title": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", - "event_ids": [ - "4688" - ], - "id": "98e8d981-f4c4-0375-e252-80c62c6ff415", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1127" - ], - "title": "Use of VSIISExeLauncher.exe" - }, - { - 
"category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced", - "event_ids": [ - "4688" - ], - "id": "6408b665-07d6-1525-496f-24511bfff69c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1558.003", - "TA0008", - "T1550.003", - "T1558", - "T1550" - ], - "title": "HackTool - KrbRelayUp Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).\nProcess Hacker is a tool to view and manipulate processes, kernel options and other low level options.\nThreat actors abused older vulnerable versions to manipulate system processes.\n", - "event_ids": [ - "4688" - ], - "id": "ac2323f5-a7b6-baa6-4cb6-1df6089d834d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0007", - "TA0003", - "TA0004", - "T1622", - "T1564", - "T1543" - ], - "title": "PUA - Process Hacker Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", - "event_ids": [ - "4688" - ], - "id": "e78082d8-696f-c684-d72a-e1b29ffbcc74", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1203", - "TA0002" - ], - "title": "Java Running with Remote Debugging" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the \"msxsl\" binary with an \"http\" keyword in the command line. 
This might indicate a potential remote execution of XSL files.", - "event_ids": [ - "4688" - ], - "id": "8bb8dbbf-4781-7bf2-3340-f3b39cc8501a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1220" - ], - "title": "Remote XSL Execution Via Msxsl.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects creation of a scheduled task with a GUID like name", - "event_ids": [ - "4688" - ], - "id": "470da37d-268f-d626-f90a-04ef23655a27", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1053.005", - "T1053" - ], - "title": "Suspicious Scheduled Task Name As GUID" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", - "event_ids": [ - "4688" - ], - "id": "5dd528dc-d144-18ab-88ff-fca3158b68c5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027" - ], - "title": "Certificate Exported Via Certutil.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", - "event_ids": [ - "4688" - ], - "id": "bf39ad4c-8a90-0e00-7076-2436ebb83b41", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "DeviceCredentialDeployment Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects commandline arguments for executing a child process via dotnet-trace.exe", - "event_ids": [ - "4688" - ], - "id": "47beff1b-e312-3476-6c22-0805b517fa1f", - "level": "medium", - "service": 
"", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1218" - ], - "title": "Binary Proxy Execution Via Dotnet-Trace.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.", - "event_ids": [ - "4688" - ], - "id": "bde2aa8e-57e6-7c83-466b-dfdcf1a7de29", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003", - "T1053.005", - "T1059.001", - "T1059", - "T1053" - ], - "title": "Scheduled Task Executing Payload from Registry" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"WerFault.exe\" with the \"-pr\" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow", - "event_ids": [ - "4688" - ], - "id": "6fed31ac-e26c-8668-fed8-9145c0f0cb2b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1036" - ], - "title": "Potential ReflectDebugger Content Execution Via WerFault.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the Windows Kernel Debugger \"kd.exe\".", - "event_ids": [ - "4688" - ], - "id": "5f7d7535-bf69-3a27-8300-415e9b0ed170", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004" - ], - "title": "Windows Kernel Debugger Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of a renamed ProcDump executable.\nThis often done by attackers or malware in order to evade 
defensive mechanisms.\n", - "event_ids": [ - "4688" - ], - "id": "a6320654-afe9-8fa6-7fdc-3270c5a552d2", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036.003", - "T1036" - ], - "title": "Renamed ProcDump Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", - "event_ids": [ - "4688" - ], - "id": "ae609e1c-eb91-f3a5-50b2-e6d70abc4c8b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036.003", - "T1036", - "T1027.005", - "T1027" - ], - "title": "PUA - Potential PE Metadata Tamper Using Rcedit" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", - "event_ids": [ - "4688" - ], - "id": "ba78b609-b5f0-41e2-1081-e3424cdfe02d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1216.001", - "T1216" - ], - "title": "Launch-VsDevShell.PS1 Proxy Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of ruby using the \"-e\" flag. 
This is could be used as a way to launch a reverse shell or execute live ruby code.", - "event_ids": [ - "4688" - ], - "id": "602c5e30-f2c0-b275-aab7-2e95c70b2883", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Ruby Inline Command Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential execution of MeshAgent which is a tool used for remote access.\nHistorical data shows that threat actors rename MeshAgent binary to evade detection.\nMatching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.\n", - "event_ids": [ - "4688" - ], - "id": "8137d225-9af4-eac6-7709-6bcb96a183f2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1219.002", - "T1219" - ], - "title": "Remote Access Tool - Potential MeshAgent Execution - Windows" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of a potential recon command where the results are piped to \"findstr\". 
This is meant to trigger on inline calls of \"cmd.exe\" via the \"/c\" or \"/k\" for example.\nAttackers often time use this technique to extract specific information they require in their reconnaissance phase.\n", - "event_ids": [ - "4688" - ], - "id": "afc0e7da-4e96-1953-3fa3-8e9112c06c1c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1057" - ], - "title": "Recon Command Output Piped To Findstr.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of \"cdb.exe\" to launch arbitrary processes or commands from a debugger script file", - "event_ids": [ - "4688" - ], - "id": "67e63fd2-26a0-1961-477b-8f6b517ae20b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1106", - "TA0005", - "T1218", - "T1127" - ], - "title": "Potential Binary Proxy Execution Via Cdb.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n", - "event_ids": [ - "4688" - ], - "id": "b4e3c1f6-6ba1-48f2-3b3a-a5183ddadbb3", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562" - ], - "title": "HackTool - EDRSilencer Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects various command line and scripting engines/processes such as \"PowerShell\", \"Wscript\", \"Cmd\", etc. 
spawning a \"regsvr32\" instance.", - "event_ids": [ - "4688" - ], - "id": "f4ef60dd-b493-97a1-92db-e8a8146be6a4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.010", - "T1218" - ], - "title": "Scripting/CommandLine Process Spawned Regsvr32" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", - "event_ids": [ - "4688" - ], - "id": "617ab1b8-544d-3774-60f6-7fcbd7612a8f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0043", - "TA0007", - "TA0040" - ], - "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious or uncommon parent processes of PowerShell", - "event_ids": [ - "4688" - ], - "id": "a453a0f3-e93d-a242-f111-8c1267906414", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Suspicious PowerShell Parent Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "event_ids": [ - "4688" - ], - "id": "614f34c3-e108-8880-5b20-f3df7e3ccd9e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.002", - 
"T1562" - ], - "title": "Audit Policy Tampering Via NT Resource Kit Auditpol" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", - "event_ids": [ - "4688" - ], - "id": "a0fca779-5f2b-605b-e4a3-04829ce8bca5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Sysprep on AppData Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects addition of users to the local Remote Desktop Users group via \"Net\" or \"Add-LocalGroupMember\".", - "event_ids": [ - "4688" - ], - "id": "4c2ffc3b-017b-451b-81bb-1739d5d5b1d8", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0008", - "T1133", - "T1136.001", - "T1021.001", - "T1136", - "T1021" - ], - "title": "User Added to Remote Desktop Users Group" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", - "event_ids": [ - "4688" - ], - "id": "eac79e1c-5b45-db94-6b62-f7581c5ed0cb", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003", - "T1197", - "attack.s0190", - "T1036.003", - "T1036" - ], - "title": "Suspicious Download From Direct IP Via Bitsadmin" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. 
High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", - "event_ids": [ - "4688" - ], - "id": "5ede905b-ba07-4607-d2f1-ae3b552a752f", - "level": "informational", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1202" - ], - "title": "Suspicious High IntegrityLevel Conhost Legacy Option" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the import of the specified file to the registry with regedit.exe.", - "event_ids": [ - "4688" - ], - "id": "1ff691f3-1574-b038-89dd-518a27855b80", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1112", - "TA0005" - ], - "title": "Imports Registry Key From a File" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", - "event_ids": [ - "4688" - ], - "id": "d873d8e0-160c-2599-93cf-2700ca72b2d2", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1572" - ], - "title": "PUA - Ngrok Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. 
These files are commonly used to describe the processing and rendering of data within XML files.\nAdversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.\n", - "event_ids": [ - "4688" - ], - "id": "1ba53115-a14d-1c17-6fc0-2239bc5c4ed6", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1220" - ], - "title": "Msxsl.EXE Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious call to the \"ShellExec_RunDLL\" exported function of SHELL32.DLL through the ordinal number to launch other commands.\nAdversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.\n", - "event_ids": [ - "4688" - ], - "id": "afe56692-d76f-5259-cd59-c1032f5cf01b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "T1218" - ], - "title": "Suspicious ShellExec_RunDLL Call Via Ordinal" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", - "event_ids": [ - "4688" - ], - "id": "06d1ba8b-f692-36bb-8b57-6c340c87d71b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0042", - "T1587.001", - "T1587" - ], - "title": "Potential PsExec Remote Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects attempts to disable windows recovery environment using Reagentc.\nReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).\nIt allows users to enable, disable, and configure WinRE, which is 
used for troubleshooting and repairing common boot issues.\n", - "event_ids": [ - "4688" - ], - "id": "7e941643-69fc-290f-3b49-eee5d24adde8", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1490" - ], - "title": "Windows Recovery Environment Disabled Via Reagentc" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", - "event_ids": [ - "4688" - ], - "id": "176cddad-09e5-95d1-e061-52b79cdbd6b7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047", - "TA0008", - "T1021.003", - "T1021" - ], - "title": "HackTool - Potential Impacket Lateral Movement Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of 3proxy, a tiny free proxy server", - "event_ids": [ - "4688" - ], - "id": "e43a9b6c-3df8-4f97-b870-474e24033f49", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1572" - ], - "title": "PUA - 3Proxy Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", - "event_ids": [ - "4688" - ], - "id": "35e14148-f5cd-9d4d-90bb-e63d555a1a02", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1216" - ], - "title": "Potential Manage-bde.wsf Abuse To Proxy Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", - "event_ids": [ - "4688" - ], - "id": 
"598ec0b9-1b1e-4814-86ae-15ef649eb159", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1490" - ], - "title": "Copy From VolumeShadowCopy Via Cmd.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects WmiPrvSE spawning a process", - "event_ids": [ - "4688" - ], - "id": "26773337-b821-6c5b-2c1f-2e6cca581b84", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047" - ], - "title": "WmiPrvSE Spawned A Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of Windows Defender \"OfflineScannerShell.exe\" from its non standard directory.\nThe \"OfflineScannerShell.exe\" binary is vulnerable to DLL side loading and will load any DLL named \"mpclient.dll\" from the current working directory.\n", - "event_ids": [ - "4688" - ], - "id": "bbfa2296-5f8e-96c6-f1fd-0e0bcda268dc", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", - "event_ids": [ - "4688" - ], - "id": "f096d3e4-a0dc-1035-8028-34c72c5504c6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1090" - ], - "title": "PUA - NPS Tunneling Tool Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"Wlrmdr.exe\" with the \"-u\" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an 
attacker to execute arbitrary binaries.\nThis detection also focuses on any uncommon child processes spawned from \"Wlrmdr.exe\" as a supplement for those that posses \"ParentImage\" telemetry.\n", - "event_ids": [ - "4688" - ], - "id": "0331991b-8942-aa87-70c4-84360f95b7ce", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Wlrmdr.EXE Uncommon Argument Or Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of KrbRelay, a Kerberos relaying tool", - "event_ids": [ - "4688" - ], - "id": "e9360920-9296-fc5f-1231-e443387e7381", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1558.003", - "T1558" - ], - "title": "HackTool - KrbRelay Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of SharpMove, a .NET utility performing multiple tasks such as \"Task Creation\", \"SCM\" query, VBScript execution using WMI via its PE metadata and command line options.\n", - "event_ids": [ - "4688" - ], - "id": "a7c815fc-1c17-fb9b-3993-9508f7fe6f3f", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1021.002", - "T1021" - ], - "title": "HackTool - SharpMove Tool Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. 
This is often used after a privilege escalation attempt.", - "event_ids": [ - "4688" - ], - "id": "95c13570-33d5-adaa-36e9-f489d326fd40", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0007", - "T1033" - ], - "title": "Security Privileges Enumeration Via Whoami.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\nAttackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.\n", - "event_ids": [ - "4688" - ], - "id": "0bcdf0e5-9683-7f59-4ca8-8903a6ca8c0d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.003", - "T1003" - ], - "title": "Sensitive File Recovery From Backup Via Wbadmin.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects command line parameters used by Hydra password guessing hack tool", - "event_ids": [ - "4688" - ], - "id": "77f6e2f1-7fec-6f30-aa0e-cec73ad32fc1", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1110", - "T1110.001" - ], - "title": "HackTool - Hydra Password Bruteforce Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of the \"Squirrel.exe\" binary to execute arbitrary processes. 
This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)\n", - "event_ids": [ - "4688" - ], - "id": "6acffd8c-96c9-9d3b-9d69-0e0f332209c3", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1218" - ], - "title": "Process Proxy Execution Via Squirrel.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", - "event_ids": [ - "4688" - ], - "id": "7d442414-1318-9f2d-6f0c-65ff86c357de", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036.002", - "T1036" - ], - "title": "Potential Defense Evasion Via Right-to-Left Override" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", - "event_ids": [ - "4688" - ], - "id": "687367a8-d423-cb00-4753-adfcbf3ef580", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1053.005", - "T1053" - ], - "title": "Suspicious Modification Of Scheduled Tasks" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect the use of processes with no name (\".exe\"), which can be used to evade Image-based detections.", - "event_ids": [ - "4688" - ], - "id": "ded5cb8d-2fb5-7bbb-b00c-0009dc64f546", - "level": "medium", - 
"service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Process Launched Without Image Name" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", - "event_ids": [ - "4688" - ], - "id": "b6a72c86-b6bb-0d2a-1470-ab688583f615", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1560.001", - "T1560" - ], - "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "event_ids": [ - "4688" - ], - "id": "db4d52b7-af14-c61b-c1e1-5b52f036b5e0", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Potentially Suspicious Electron Application CommandLine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.", - "event_ids": [ - "4688" - ], - "id": "53c6b925-8f6a-b834-1463-b4dade337d85", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Non Interactive PowerShell Process Spawned" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of findstr with the \"s\" and \"i\" flags for a \"subfolder\" and \"insensitive\" search respectively. 
Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.\n", - "event_ids": [ - "4688" - ], - "id": "1f7106cd-f5e2-0696-4238-9f85251a052c", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0006", - "TA0011", - "T1218", - "T1564.004", - "T1552.001", - "T1105", - "T1552", - "T1564" - ], - "title": "Insensitive Subfolder Search Via Findstr.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", - "event_ids": [ - "4688" - ], - "id": "4dbb6aeb-a6f4-b360-d399-0b08844976b6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1127" - ], - "title": "Kavremover Dropped Binary LOLBIN Usage" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the Quarks PwDump tool via commandline arguments", - "event_ids": [ - "4688" - ], - "id": "b192c555-7ec6-6836-9df6-a81347c77e35", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.002", - "T1003" - ], - "title": "HackTool - Quarks PwDump Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Use of reg to get MachineGuid information", - "event_ids": [ - "4688" - ], - "id": "01ee1af2-8f96-35c2-ce46-97013e496a07", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1082" - ], - "title": "Suspicious Query of MachineGUID" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects 
suspicious powershell command line parameters used in Empire", - "event_ids": [ - "4688" - ], - "id": "5f6038bc-96f3-de3a-2b59-fb22aefe871a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "HackTool - Empire PowerShell Launch Parameters" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.\n", - "event_ids": [ - "4688" - ], - "id": "c1477cd5-ccf1-5649-1688-b3fc9ce45594", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1070", - "T1562.006", - "car.2016-04-002", - "T1562" - ], - "title": "ETW Trace Evasion Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", - "event_ids": [ - "4688" - ], - "id": "62995636-6f75-677a-428e-531368fbda08", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "T1218" - ], - "title": "CobaltStrike Load by Rundll32" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.", - "event_ids": [ - "4688" - ], - "id": "1ec0b8fb-050d-074d-7209-6c4c724f24cb", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1219.002", - "T1219" - ], - "title": "Remote Access Tool - AnyDesk Silent Installation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", - "event_ids": [ - "4688" - ], - "id": "a6a22651-ffaa-7713-8313-46ce8a85ad64", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.010", - "T1562" - ], - "title": "LSA PPL Protection Disabled Via Reg.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", - "event_ids": [ - "4688" - ], - "id": "063b6d5e-3f4e-c3a0-f506-0f8296b9eec4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "PsExec Service Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uncommon or suspicious child processes spawning from a WSL process. 
This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", - "event_ids": [ - "4688" - ], - "id": "481a16ec-1b88-6a7a-78b7-eedff1d69951", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1218", - "T1202" - ], - "title": "WSL Child Process Anomaly" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", - "event_ids": [ - "4688" - ], - "id": "91a429e4-2bb4-05ef-b164-545b86f9ba8e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1560.001", - "T1560" - ], - "title": "Winrar Execution in Non-Standard Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution", - "event_ids": [ - "4688" - ], - "id": "101b11d6-0200-6a9a-daea-aaebf8b49bca", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Potentially Suspicious Windows App Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when verclsid.exe is used to run COM object via GUID", - "event_ids": [ - "4688" - ], - "id": "f95fb96e-dacc-23fa-9a80-f509e7973c9f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Verclsid.exe Runs COM Object" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of REGSVR32.exe with DLL files masquerading as other files", - "event_ids": [ - "4688" - ], - "id": "de7bed2f-8da9-bfd3-f7af-a1a8e5ff462d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.010", - "T1218" - ], - "title": "Regsvr32 DLL Execution With Suspicious File Extension" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", - "event_ids": [ - "4688" - ], - "id": "9d6f9951-dc6f-66b5-290e-ff79c75550f6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "T1218" - ], - "title": "Suspicious Rundll32 Activity Invoking Sys File" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects password change for the logged-on user's via \"ksetup.exe\"", - "event_ids": [ - "4688" - ], - "id": 
"42949869-416c-aa49-476a-3f2a4b57aa8c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Logged-On User Password Change Via Ksetup.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of PktMon, a tool that captures network packets.", - "event_ids": [ - "4688" - ], - "id": "94ae2cf8-1a32-d069-3ee0-eaae5f14745e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1040" - ], - "title": "PktMon.EXE Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", - "event_ids": [ - "4688" - ], - "id": "9550441e-5f01-6f0a-60db-abd27009e95d", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "DumpStack.log Defender Evasion" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", - "event_ids": [ - "4688" - ], - "id": "8a9278f4-40c8-30f3-c1ab-7dc224491477", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1552.006", - "T1552" - ], - "title": "Findstr GPP Passwords" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", - "event_ids": [ - "4688" - ], - "id": "cec3aeb1-8e95-5fa2-4566-9463115e48b2", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1574.001", - "T1574" - ], - "title": "Suspicious GUP Usage" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of NimScan, a portscanner utility.\nIn early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment.\nThis rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.\n", - "event_ids": [ - "4688" - ], - "id": "e922cc27-53d4-6ba7-9673-6c91fc2bc3ca", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1046" - ], - "title": "PUA - NimScan Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", - "event_ids": [ - "4688" - ], - "id": "fd5780a1-437f-d735-9ec2-8ed852b7c70f", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.001", - "T1003" - ], - "title": "Potential 
Credential Dumping Via WER" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Attackers can use print.exe for remote file copy", - "event_ids": [ - "4688" - ], - "id": "6e8f01f5-1282-1217-9c7a-9b84824e30a7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Abusing Print Executable" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects an uncommon child process of \"odbcconf.exe\" binary which normally shouldn't have any child processes.", - "event_ids": [ - "4688" - ], - "id": "e05fd36e-2242-ac32-2c73-8e345a62cc85", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.008", - "T1218" - ], - "title": "Uncommon Child Process Spawned By Odbcconf.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Identifies use of various commands to query a systems time. 
This technique may be used before executing a scheduled task or to discover the time zone of a target system.", - "event_ids": [ - "4688" - ], - "id": "9d637e7d-578d-a370-8149-78de1277654c", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1124" - ], - "title": "Discovery of a System Time" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the Sharp Chisel via the commandline arguments", - "event_ids": [ - "4688" - ], - "id": "b580d34f-60c7-757b-d2d5-f622237ad56f", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1090.001", - "T1090" - ], - "title": "HackTool - SharpChisel Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", - "event_ids": [ - "4688" - ], - "id": "9acd90a3-770d-023f-0b71-92c461984dcc", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1203", - "TA0004", - "T1068" - ], - "title": "Suspicious Spool Service Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the presence of reversed PowerShell commands in the CommandLine. 
This is often used as a method of obfuscation by attackers", - "event_ids": [ - "4688" - ], - "id": "98aa5a08-85d3-1d55-d8be-07f7570e76ad", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Potential PowerShell Obfuscation Via Reversed Commands" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the installation of VsCode tunnel (code-tunnel) as a service.", - "event_ids": [ - "4688" - ], - "id": "b9112bca-62a9-013b-2fba-56019745171c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1071.001", - "T1071" - ], - "title": "Visual Studio Code Tunnel Service Installation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", - "event_ids": [ - "4688" - ], - "id": "91dc62f7-9e6b-59c0-27d2-ccac03bed57c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Non-privileged Usage of Reg or Powershell" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", - "event_ids": [ - "4688" - ], - "id": "61e02907-aae8-db6e-46be-fbbed3a0a0d3", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1569.002", - "attack.s0029", - "T1569" - ], - "title": "PUA - NirCmd Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). 
Adversaries use this technique to execute privileged processes.", - "event_ids": [ - "4688" - ], - "id": "9d1b91e6-c352-6742-5913-b8046ff77518", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0005", - "T1548.002", - "T1548" - ], - "title": "Bypass UAC via WSReset.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. This is could be used as a way to launch a reverse shell or execute live perl code.", - "event_ids": [ - "4688" - ], - "id": "1c7255e9-5677-0dce-20d7-83f42f4a517c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Perl Inline Command Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", - "event_ids": [ - "4688" - ], - "id": "1cc14403-ea65-fe73-9eab-a49768dbd354", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036", - "T1003.001", - "TA0006", - "T1003" - ], - "title": "CreateDump Process Dump" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.", - "event_ids": [ - "4688" - ], - "id": "cb9078dd-dd0d-01f3-eee3-a3dfddf5858e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Suspicious Execution Location Of Wermgr.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.", - "event_ids": [ - "4688" - ], - "id": 
"7badcd39-a428-768b-6bd0-e5db3b7fa90e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "TA0002" - ], - "title": "Proxy Execution Via Wuauclt.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", - "event_ids": [ - "4688" - ], - "id": "9443f6eb-9423-8b8f-335d-61cab9a1d680", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection", - "event_ids": [ - "4688" - ], - "id": "813c544e-381d-625e-3470-9a243b7ce88e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.004", - "T1564" - ], - "title": "Use Short Name Path in Image" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", - "event_ids": [ - "4688" - ], - "id": "f8836306-dba7-b71c-033f-6a42b39ae975", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "T1548" - ], - "title": "UAC Bypass Tools Using ComputerDefaults" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific combinations of encoding methods in PowerShell via the commandline", - "event_ids": [ - "4688" - ], - "id": "42dffab1-87eb-35dd-8aad-81c3744a89ed", - "level": "low", - "service": "", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Potential Encoded PowerShell Patterns In CommandLine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"reg.exe\" to alter registry keys that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", - "event_ids": [ - "4688" - ], - "id": "e2ba6258-28e5-71a1-3cb2-d13b881841dc", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0040", - "T1112", - "T1491.001", - "T1491" - ], - "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", - "event_ids": [ - "4688" - ], - "id": "30f60c05-7105-c523-3ab6-698b29aebbce", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010", - "T1567" - ], - "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", - "event_ids": [ - "4688" - ], - "id": "37366c60-8aea-e3e5-bae7-3c24e54f629b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1087.001", - "T1087.002", - "T1482", - "T1069.001", - "T1069.002", - "TA0002", - "T1059.001", - "T1069", - "T1087", - "T1059" - ], - "title": "HackTool - Bloodhound/Sharphound Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of Jlaive to 
execute assemblies in a copied PowerShell", - "event_ids": [ - "4688" - ], - "id": "39720fd3-7163-2a97-3e2d-287a6b761820", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.003", - "T1059" - ], - "title": "HackTool - Jlaive In-Memory Assembly Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", - "event_ids": [ - "4688" - ], - "id": "3412c13e-f0d6-c967-da33-0c43c8817356", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1070", - "T1562", - "T1562.002" - ], - "title": "Sysmon Driver Unloaded Via Fltmc.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", - "event_ids": [ - "4688" - ], - "id": "bee3c5b9-5fce-49e8-2301-d000d81eba6e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002" - ], - "title": "ImagingDevices Unusual Parent/Child Processes" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", - "event_ids": [ - "4688" - ], - "id": "091f16dc-7243-8589-626d-3f1fa16f326b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036", - "T1202", - "T1027.003", - "T1027" - ], - "title": "Findstr Launching .lnk File" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe 
and placing it in the Visual Studio folder.\nCurrently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.\n", - "event_ids": [ - "4688" - ], - "id": "183b6ab0-741c-5a2c-a72d-660f201d5710", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.001", - "T1003" - ], - "title": "Potential Windows Defender AV Bypass Via Dump64.EXE Rename" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious program execution in Outlook temp folder", - "event_ids": [ - "4688" - ], - "id": "c4a80f4d-4976-2f43-f3ef-3feed52e43dd", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "T1566.001", - "T1566" - ], - "title": "Suspicious Execution From Outlook Temporary Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. 
This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", - "event_ids": [ - "4688" - ], - "id": "32f1537a-1af8-ef18-4ff0-71b68b6b84ec", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1021" - ], - "title": "Potential Remote Desktop Tunneling" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of javascript code using \"mshta.exe\".", - "event_ids": [ - "4688" - ], - "id": "40dc8b10-369e-d60a-531b-a6d6de0bad18", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.005", - "T1218" - ], - "title": "Suspicious JavaScript Execution Via Mshta.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.\n", - "event_ids": [ - "4688" - ], - "id": "864f6704-33c0-cdec-c3fa-ae453ca199c1", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036.003", - "T1036" - ], - "title": "Suspicious Copy From or To System Directory" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", - "event_ids": [ - "4688" - ], - "id": "9fc52937-cf49-786a-b1b0-3dfe6dd280ec", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1018" - ], - "title": "Share And 
Session Enumeration Using Net.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", - "event_ids": [ - "4688" - ], - "id": "c77efdd5-f664-66dc-23fb-73ab8e695b53", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047" - ], - "title": "Process Reconnaissance Via Wmic.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", - "event_ids": [ - "4688" - ], - "id": "e9ec99cd-f425-c533-3e51-bf39335dbe29", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.001", - "T1003" - ], - "title": "HackTool - HandleKatz LSASS Dumper Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", - "event_ids": [ - "4688" - ], - "id": "e88b49c4-9d10-2b2d-da20-8934c2de27db", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1018" - ], - "title": "PUA - Adidnsdump Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious PowerShell invocation with a parameter substring", - "event_ids": [ - "4688" - ], - "id": "f0dcd1c8-56d8-8dd0-b4d1-4e8b9a04a6c6", - "level": "high", - "service": "", - 
"subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Suspicious PowerShell Parameter Substring" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", - "event_ids": [ - "4688" - ], - "id": "c73c2af1-f71f-fcf6-7d69-8930f2b95d96", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1055" - ], - "title": "Suspicious Rundll32 Invoking Inline VBScript" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", - "event_ids": [ - "4688" - ], - "id": "ac47d4f8-20cb-1fa8-ac93-07a08745efe7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", - "event_ids": [ - "4688" - ], - "id": "c2a0770d-11ab-758f-a9ed-de4bbee89af7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1053.005", - "T1053" - ], - "title": "Potential Persistence Via Microsoft Compatibility Appraiser" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential web shell execution from the ScreenConnect server process.", - "event_ids": [ - "4688" - ], - "id": 
"e8e1c7ac-50e7-03e1-c3d6-e1192efc4260", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "T1190" - ], - "title": "Remote Access Tool - ScreenConnect Server Web Shell Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of SoftPerfect's \"netscan.exe\". An application for scanning networks.\nIt is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.\n", - "event_ids": [ - "4688" - ], - "id": "d14c21ed-9fb4-dd37-d9a0-df7cd5f8092b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1046" - ], - "title": "PUA - SoftPerfect Netscan Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", - "event_ids": [ - "4688" - ], - "id": "6cbe870d-ed2f-e585-6d9e-201323d379a7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0005", - "TA0004", - "T1574.011", - "T1574" - ], - "title": "Service Security Descriptor Tampering Via Sc.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", - "event_ids": [ - "4688" - ], - "id": "1a4e84c2-b143-1ac5-61c9-00faf74cb62a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Suspicious Msbuild Execution By Uncommon Parent Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) child process", - "event_ids": [ - "4688" - ], 
- "id": "65769ded-2258-284c-b61d-e79567f5efc0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1055", - "T1036" - ], - "title": "Suspicious Child Process Of Wermgr.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious encoded character syntax often used for defense evasion", - "event_ids": [ - "4688" - ], - "id": "e0e9ccfe-20b3-2dca-ffe5-0e6c86ad22bc", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "TA0005", - "T1027", - "T1059" - ], - "title": "Potential PowerShell Obfuscation Via WCHAR/CHAR" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", - "event_ids": [ - "4688" - ], - "id": "5fc3dbcc-6777-a314-9939-6cb33e4afe74", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1090", - "attack.s0040" - ], - "title": "HackTool - Htran/NATBypass Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a \"regsvr32\" execution where the DLL doesn't contain a common file extension.", - "event_ids": [ - "4688" - ], - "id": "0931c657-0f5b-cc80-ce24-bb4f81b15b02", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1574", - "TA0002" - ], - "title": "Regsvr32 DLL Execution With Uncommon Extension" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", - "event_ids": [ - "4688" - ], - "id": "5705250b-888d-01e5-36cf-4302564a99bf", - 
"level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1552.006", - "T1552" - ], - "title": "LSASS Process Reconnaissance Via Findstr.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Execution of plink to perform data exfiltration and tunneling", - "event_ids": [ - "4688" - ], - "id": "2eaa1baa-a2c9-b59b-efa8-825ca75ad2d8", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1572" - ], - "title": "Potential RDP Tunneling Via Plink" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes", - "event_ids": [ - "4688" - ], - "id": "c4cc0668-2b35-4884-9119-8a558a544a6d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "TA0003", - "T1543.003", - "T1543" - ], - "title": "Sysinternals PsSuspend Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential \"ShellDispatch.dll\" functionality abuse to execute arbitrary binaries via \"ShellExecute\"", - "event_ids": [ - "4688" - ], - "id": "589134cd-5a71-4868-1ad1-623db28a1d75", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005" - ], - "title": "Potential ShellDispatch.DLL Functionality Abuse" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", - "event_ids": [ - "4688" - ], - "id": "ae65ef8c-318b-89f9-30d3-1f3bcfab81e9", - "level": "high", - "service": "", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0005", - "TA0004", - "T1574.011", - "T1574" - ], - "title": "Possible Privilege Escalation via Weak Service Permissions" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.", - "event_ids": [ - "4688" - ], - "id": "aa1b5f1a-0f18-adfb-7274-ca82c7711c36", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1115" - ], - "title": "Data Copied To Clipboard Via Clip.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of chromium based browser in headless mode using the \"dump-dom\" command line to download files", - "event_ids": [ - "4688" - ], - "id": "234669a1-2f84-3670-fbb6-7636e8b78731", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105", - "T1564.003", - "T1564" - ], - "title": "File Download with Headless Browser" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", - "event_ids": [ - "4688" - ], - "id": "5b838545-abaf-44b0-643d-b363389ecb5e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.010", - "T1218" - ], - "title": "Suspicious Regsvr32 Execution From Remote Share" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. 
This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", - "event_ids": [ - "4688" - ], - "id": "53138fa3-42f4-bab3-4939-cdc55f014842", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.006", - "T1564" - ], - "title": "Virtualbox Driver Installation or Starting of VMs" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects PowerShell execution to set the ACL of a file or a folder", - "event_ids": [ - "4688" - ], - "id": "ebd8be0a-94fe-a103-a2bd-e48cc9af988d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "PowerShell Script Change Permission Via Set-Acl" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of Windows Defender MpCmdRun.EXE to download files", - "event_ids": [ - "4688" - ], - "id": "b331fafb-1ddd-52ca-9bc6-1ef1b08828b0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "TA0011", - "T1105" - ], - "title": "File Download Via Windows Defender MpCmpRun.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects calls to \"LoadAssemblyFromPath\" or \"LoadAssemblyFromNS\" that are part of the \"CL_LoadAssembly.ps1\" script. 
This can be abused to load different assemblies and bypass App locker controls.", - "event_ids": [ - "4688" - ], - "id": "a14e43f1-2c46-bf33-4ae5-b72dec4e8f0f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1216" - ], - "title": "Assembly Loading Via CL_LoadAssembly.ps1" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", - "event_ids": [ - "4688" - ], - "id": "24194c4a-9136-8ccc-cb24-c32ee6a83d2f", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0042", - "T1587.001", - "T1587" - ], - "title": "PsExec/PAExec Escalation to LOCAL SYSTEM" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "event_ids": [ - "4688" - ], - "id": "0aae20f4-4b90-f3db-47a1-d0032e30ccfd", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1119" - ], - "title": "Recon Information for Export with Command Prompt" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the clearing or configuration tampering of EventLog using utilities such as \"wevtutil\", \"powershell\" and \"wmic\".\nThis technique were seen used by threat actors and ransomware strains in order to evade defenses.\n", - "event_ids": [ - "4688" - ], - "id": "676111e7-0d6f-b5f4-e267-6399b5052fdc", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1070.001", - "T1562.002", - "car.2016-04-002", - "T1562", - "T1070" - ], - "title": "Suspicious Eventlog 
Clearing or Configuration Change Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", - "event_ids": [ - "4688" - ], - "id": "8750a67b-7c72-11af-21f3-3e37ed642ab4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "TA0006", - "T1040" - ], - "title": "New Network Trace Capture Started Via Netsh.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.", - "event_ids": [ - "4688" - ], - "id": "3e293b2c-b40f-53b9-4e78-e7ad13badd8a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Conhost Spawned By Uncommon Parent Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution", - "event_ids": [ - "4688" - ], - "id": "1d0387b6-6de7-eb5c-ffe9-ee892ff26f07", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027" - ], - "title": "File Decoded From Base64/Hex Via Certutil.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. 
For example 'enable' or 'disable' accounts or change the password...etc", - "event_ids": [ - "4688" - ], - "id": "6fb2f8df-d6fd-c7e4-80e4-ba8fc1466ccc", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1560.001", - "T1560" - ], - "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"RegAsm.exe\" without a commandline flag or file, which might indicate potential process injection activity.\nUsually \"RegAsm.exe\" should point to a dedicated DLL file or call the help with the \"/?\" flag.\n", - "event_ids": [ - "4688" - ], - "id": "4865bce7-425b-5efe-ad03-7dfe40725e2b", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.009", - "T1218" - ], - "title": "RegAsm.EXE Execution Without CommandLine Flags or Files" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript", - "event_ids": [ - "4688" - ], - "id": "c5a82926-ad38-8cac-850a-dcc4d26f5660", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.005", - "TA0005", - "T1218", - "T1202", - "T1059" - ], - "title": "Suspicious Child Process Of BgInfo.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", - "event_ids": [ - "4688" - ], - "id": "a649199e-56ae-51bf-53e5-69e87b06e563", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - 
"T1106", - "T1059.003", - "T1218.011", - "T1059", - "T1218" - ], - "title": "HackTool - RedMimicry Winnti Playbook Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", - "event_ids": [ - "4688" - ], - "id": "f9558484-5f9f-17f3-06a0-774afccc35e1", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "TA0005", - "T1216", - "T1059" - ], - "title": "Execute Code with Pester.bat" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", - "event_ids": [ - "4688" - ], - "id": "a2c55c02-a430-f460-3ee3-924318d48700", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1124" - ], - "title": "Use of W32tm as Timer" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"curl.exe\" with the \"file://\" protocol handler in order to read local files.", - "event_ids": [ - "4688" - ], - "id": "0ac56170-1ec2-0fcb-1654-0178ffa1487b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Local File Read Using Curl.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of \"reg.exe\" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection\n", - "event_ids": [ - "4688" - ], - "id": "0e292cea-6680-a95e-46e2-4b938a65597e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], 
- "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a certain command line flag combination used by \"devinit.exe\", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system", - "event_ids": [ - "4688" - ], - "id": "39bd9b2b-7c43-e7a8-e882-3de14365ae19", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1218" - ], - "title": "Arbitrary MSI Download Via Devinit.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious file downloads directly from IP addresses using curl.exe", - "event_ids": [ - "4688" - ], - "id": "a404c83b-51de-a308-f6fc-659d55a00b6c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Suspicious File Download From IP Via Curl.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of the Microsoft signed script \"CL_mutexverifiers\" to proxy the execution of additional PowerShell script commands", - "event_ids": [ - "4688" - ], - "id": "844df162-c07b-4b60-29d1-adf324d785f5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1216" - ], - "title": "Potential Script Proxy Execution Via CL_Mutexverifiers.ps1" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a Powershell process that contains download commands in its command line string", - "event_ids": [ - "4688" - ], - "id": "f57205aa-67a6-4a69-582c-08eb0b786b58", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", 
- "T1059" - ], - "title": "PowerShell Download Pattern" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"aspnet_compiler.exe\" which can be abused to compile and execute C# code.", - "event_ids": [ - "4688" - ], - "id": "e20075e6-6784-9276-2205-4f452684a4cc", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1127" - ], - "title": "AspNetCompiler Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"rundll32.exe\" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.", - "event_ids": [ - "4688" - ], - "id": "cb760152-8522-8711-dfe0-de3bafb00e2e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Rundll32 Spawned Via Explorer.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of \".asar\" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)\n", - "event_ids": [ - "4688" - ], - "id": "a138f860-6c01-6ff3-2c12-046799df8672", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Suspicious Electron Application Child Processes" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", - "event_ids": [ - "4688" - ], - "id": "a56ae12f-67c8-f625-2279-f5290ba86fa9", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Potential Signing Bypass Via Windows Developer Features" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.\nVShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,\nattackers can leverage this parameter to proxy the execution of malware.\n", - "event_ids": [ - "4688" - ], - "id": "b31f0683-91b2-ad1b-a771-24124f22e83e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1202" - ], - "title": "Proxy Execution via Vshadow" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Local accounts, System Owner/User discovery using operating systems utilities", - "event_ids": [ - "4688" - ], - "id": "70d8efc3-4098-d71c-be3c-59f75ccb6019", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1033", - "T1087.001", - "T1087" - ], - "title": "Local Accounts Discovery" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", - "event_ids": [ - "4688" - ], - "id": "5161ecbd-ced9-5f55-3dba-cfb5e38cf9d1", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003", - "T1059" - 
], - "title": "VMToolsd Suspicious Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects scheduled task creations that have suspicious action command and folder combinations", - "event_ids": [ - "4688" - ], - "id": "3098e48f-fecd-881b-462e-38104798a111", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1053.005", - "T1053" - ], - "title": "Schtasks From Suspicious Folders" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", - "event_ids": [ - "4688" - ], - "id": "be670d5c-31eb-7391-4d2e-d122c89cd5bb", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003", - "T1558.003", - "TA0008", - "T1550.003", - "T1550", - "T1558" - ], - "title": "HackTool - Rubeus Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", - "event_ids": [ - "4688" - ], - "id": "d8582a0e-2c3c-6716-d6d8-a79c4ce5ff75", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1087.001", - "T1087" - ], - "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", - "event_ids": [ - "4688" - ], - "id": "2116c0b4-e272-0fc0-40da-107d4cbaa911", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - 
"TA0005", - "T1218" - ], - "title": "Use of VisualUiaVerifyNative.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", - "event_ids": [ - "4688" - ], - "id": "926d4093-40e5-c7e0-f87e-01b94cbb63a7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Suspicious Workstation Locking via Rundll32" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", - "event_ids": [ - "4688" - ], - "id": "2a048dab-1493-f4cf-68dc-2fc90db2a471", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1218", - "T1202" - ], - "title": "Suspicious ZipExec Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", - "event_ids": [ - "4688" - ], - "id": "d7156c2d-f3d8-5088-3d92-b5b7ee49cb65", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1546.002", - "T1546" - ], - "title": "Suspicious ScreenSave Change by Reg.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "event_ids": [ - "4688" - ], - "id": "d9d5da14-1719-381f-170e-e347318f764f", - "level": "high", - 
"service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1059", - "T1202" - ], - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", - "event_ids": [ - "4688" - ], - "id": "db43d94f-ee5a-913b-3a86-2e1cb07e39a4", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "T1218" - ], - "title": "HackTool - F-Secure C3 Load by Rundll32" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", - "event_ids": [ - "4688" - ], - "id": "ac40503f-520c-79c6-d0e8-3a32c8cec7eb", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047", - "car.2016-03-002" - ], - "title": "Hardware Model Reconnaissance Via Wmic.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", - "event_ids": [ - "4688" - ], - "id": "ee05c67c-d79d-1e0c-e803-8cac4c11384d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.001", - "T1003" - ], - "title": "Process Memory Dump via RdrLeakDiag.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Access to Domain Group Policies stored in SYSVOL", - "event_ids": [ - "4688" - ], - "id": "9eaaf7c3-c142-31ba-f615-52ed6de31344", - "level": "medium", - "service": "", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1552.006", - "T1552" - ], - "title": "Suspicious SYSVOL Domain Group Policy Access" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", - "event_ids": [ - "4688" - ], - "id": "f94fdc78-2a2f-b107-8abe-c68c288a8e0c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1059", - "T1202" - ], - "title": "Suspicious Remote Child Process From Outlook" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", - "event_ids": [ - "4688" - ], - "id": "2211d14a-9a4c-d937-2a25-6428d586be6c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1218" - ], - "title": "Use Of The SFTP.EXE Binary As A LOLBIN" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"curl.exe\" with the \"-c\" flag in order to save cookie data.", - "event_ids": [ - "4688" - ], - "id": "ec0626ac-00c0-7cf3-223c-20d71ccd38c0", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "Potential Cookies Session Hijacking" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential commandline obfuscation using known escape characters", - "event_ids": [ - "4688" - ], - "id": "77f78d0c-79a5-d749-2130-9bea40bef10a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1140" - ], - "title": "Potential 
Commandline Obfuscation Using Escape Characters" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.\nThis action removes the \"Scan with Microsoft Defender\" option from the right-click menu for files, directories, and drives.\nAttackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.\n", - "event_ids": [ - "4688" - ], - "id": "2f67b2ed-f7b9-c3fd-7e0a-a17cb1920bab", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Windows Defender Context Menu Removed" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", - "event_ids": [ - "4688" - ], - "id": "0e017e81-3278-cb76-d706-690f05a18a0e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Potential Powershell ReverseShell Connection" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"VSDiagnostics.exe\" with the \"start\" command in order to launch and proxy arbitrary binaries.", - "event_ids": [ - "4688" - ], - "id": "ef5024d5-3303-f180-2b6c-186303099c26", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Potential Binary Proxy Execution Via VSDiagnostics.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may modify system 
firewalls in order to bypass controls limiting network usage", - "event_ids": [ - "4688" - ], - "id": "57fc2f43-fec9-1e23-2c1e-a5bddad94af2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.004", - "T1562" - ], - "title": "Netsh Allow Group Policy on Microsoft Defender Firewall" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence", - "event_ids": [ - "4688" - ], - "id": "57b77c31-00b9-0cc8-2bba-b8620f34a730", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003", - "T1036.005", - "T1053.005", - "T1053", - "T1036" - ], - "title": "Suspicious Scheduled Task Creation via Masqueraded XML File" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", - "event_ids": [ - "4688" - ], - "id": "da22844e-bd3b-4e67-433c-ff26e343600e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1127" - ], - "title": "Potential Arbitrary Code Execution Via Node.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", - "event_ids": [ - "4688" - ], - "id": "86d129d1-cd78-4f07-9be8-edf76d9e2131", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1134.004", - "T1134" - ], - "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", - "event_ids": [ - "4688" - ], - "id": "0c52293c-57fb-c251-5f09-4da3e0776891", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.007", - "T1218" - ], - "title": "Suspicious Msiexec Execute Arbitrary DLL" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", - "event_ids": [ - "4688" - ], - "id": "a2dbf468-e91d-96e1-aaa1-d7a9e2cfb209", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010", - "T1567.002", - "T1567" - ], - "title": "PUA - Rclone Execution" - }, - { - "category": "process_creation", - 
"channel": [ - "sec" - ], - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "event_ids": [ - "4688" - ], - "id": "c6bdb310-216f-075c-19c4-3873b8a1a516", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Potential Tampering With Security Products Via WMIC" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n", - "event_ids": [ - "4688" - ], - "id": "153a349d-2f66-9cce-ff30-aebbad4e103b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "TA0005", - "T1218", - "T1105" - ], - "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64 where the files are located in potentially suspicious locations", - "event_ids": [ - "4688" - ], - "id": "09f25420-43e9-2a11-7301-c1c851349604", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027" - ], - "title": "File In Suspicious Location Encoded To Base64 Via Certutil.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", - "event_ids": [ - "4688" - ], - "id": "115e60c2-cee5-d274-5b18-9313cca77106", - "level": "medium", - "service": "", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1005" - ], - "title": "Esentutl Steals Browser Information" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", - "event_ids": [ - "4688" - ], - "id": "512d7248-20c4-a7bb-650b-19b15c46e2a2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Suspicious VBoxDrvInst.exe Parameters" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "event_ids": [ - "4688" - ], - "id": "550c629f-0dc6-83a7-efce-0afef9c45e4c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "TA0005", - "T1127", - "T1059" - ], - "title": "Detection of PowerShell Execution via Sqlps.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", - "event_ids": [ - "4688" - ], - "id": "310bf792-4e0d-b9ba-7dea-7512f8953921", - "level": "high", - "service": "", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Enable LM Hash Storage - ProcCreation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detection well-known mimikatz command line arguments", - "event_ids": [ - "4688" - ], - "id": "b0b6f0e2-8ed1-fa15-6ebb-cf992c0fd7ea", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.001", - "T1003.002", - "T1003.004", - "T1003.005", - "T1003.006", - "T1003" - ], - "title": "HackTool - Mimikatz Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the addition of a new LogonScript to the registry value \"UserInitMprLogonScript\" for potential persistence", - "event_ids": [ - "4688" - ], - "id": "4b8c4cc7-a599-dafe-263f-ff5cb96a6967", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1037.001", - "T1037" - ], - "title": "Potential Persistence Via Logon Scripts - CommandLine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", - "event_ids": [ - "4688" - ], - "id": "c9722d26-25e3-6e45-3950-85182a7a1b35", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003" - ], - "title": "Microsoft IIS Connection Strings Decryption" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", - "event_ids": [ - "4688" - ], - "id": "7e75fbd5-4501-e7c8-deb1-b24ea8448793", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Fsutil Behavior Set SymlinkEvaluation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects shell32.dll executing a DLL in a suspicious directory", - "event_ids": [ - "4688" - ], - "id": "54783800-bea8-9a66-c11d-9aab8da467eb", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1218.011", - "T1218" - ], - "title": "Shell32 DLL Execution in Suspicious Directory" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", - "event_ids": [ - "4688" - ], - "id": "1a00950e-36a2-0312-33ae-1d272dc02169", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1033" - ], - "title": "Computer Discovery And Export 
Via Get-ADComputer Cmdlet" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", - "event_ids": [ - "4688" - ], - "id": "d9505c25-324b-3a98-4f63-55ba6b677e07", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1134.001", - "T1134.002", - "T1134" - ], - "title": "Potential Meterpreter/CobaltStrike Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", - "event_ids": [ - "4688" - ], - "id": "d6747b91-0f0d-b0e6-e128-10f8dd2feb2e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1070", - "TA0003", - "T1542.003", - "T1542" - ], - "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", - "event_ids": [ - "4688" - ], - "id": "82652023-b2bf-3126-09bb-f4495914f471", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003", - "T1197", - "attack.s0190", - "T1036.003", - "T1036" - ], - "title": "File Download Via Bitsadmin To A Suspicious Target Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", - "event_ids": [ - "4688" - ], - "id": "40c1ee69-dcc9-b5a4-614c-60aa83c693d0", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "cve.2022-41120", - "T1068", - "TA0004" - ], - "title": "HackTool 
- SysmonEOP Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a service binary running in a suspicious directory", - "event_ids": [ - "4688" - ], - "id": "4083d5ce-5bfd-6eca-7ad7-6ab633bbc01f", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1202" - ], - "title": "Suspicious Service Binary Directory" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", - "event_ids": [ - "4688" - ], - "id": "4ca79cb2-f424-4b29-861c-91cc27599d11", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Taskkill Symantec Endpoint Protection" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", - "event_ids": [ - "4688" - ], - "id": "fbb20f1c-c29f-e4fb-e289-3fd4de5feda4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1033" - ], - "title": "User Discovery And Export Via Get-ADUser Cmdlet" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects RDP session hijacking by using MSTSC shadowing", - "event_ids": [ - "4688" - ], - "id": "5e22c0e7-bde8-560d-0187-ee4134940af6", - "level": "high", - "service": "", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1563.002", - "T1563" - ], - "title": "Potential MSTSC Shadowing Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", - "event_ids": [ - "4688" - ], - "id": "1fb003fd-3505-dd3d-39c9-067a836b7257", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.003", - "T1003" - ], - "title": "Suspicious Process Patterns NTDS.DIT Exfil" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.", - "event_ids": [ - "4688" - ], - "id": "88689b5a-5cf9-4b6b-f596-66cc471db969", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1071.001", - "T1071" - ], - "title": "Visual Studio Code Tunnel Shell Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".", - "event_ids": [ - "4688" - ], - "id": "59996aa8-9ca2-1ef7-5102-ad18e12d4402", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. 
File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", - "event_ids": [ - "4688" - ], - "id": "1adbdfce-5fe9-9717-cc78-42b380893e97", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.001", - "T1546" - ], - "title": "Change Default File Association Via Assoc" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", - "event_ids": [ - "4688" - ], - "id": "0d101a61-8aa2-979a-93db-fff8ad1a96aa", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1574" - ], - "title": "DLL Execution Via Register-cimprovider.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of Gpg4win to encrypt files", - "event_ids": [ - "4688" - ], - "id": "5159a920-5ab6-272b-4cd3-a3ea17a108ea", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "File Encryption Using Gpg4win" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of \"Ilasm.EXE\" in order to compile C# intermediate (IL) code to EXE or DLL.", - "event_ids": [ - "4688" - ], - "id": "5ea0b54f-98b4-7cc7-6c38-01a53470b4e4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1127" - ], - "title": "C# IL Code Compilation Via Ilasm.EXE" - }, - { - "category": "process_creation", - 
"channel": [ - "sec" - ], - "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", - "event_ids": [ - "4688" - ], - "id": "2138917f-b5cd-6181-bcf6-8039bc43c6a2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Powershell Defender Exclusion" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", - "event_ids": [ - "4688" - ], - "id": "8d0b4349-4a33-f9c1-b911-e922e9ed2f63", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0008" - ], - "title": "HackTool - Wmiexec Default Powershell Command" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", - "event_ids": [ - "4688" - ], - "id": "4f9a9515-6240-4eb8-beb5-f86cb1f08036", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1033" - ], - "title": "Group Membership Reconnaissance Via Whoami.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", - "event_ids": [ - "4688" - ], - "id": "dd4ac92f-1ad9-9f2e-e7b1-574030f25c36", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1218" - ], - "title": "Arbitrary File Download Via MSPUB.EXE" + "title": "Microsoft Malware Protection Engine Crash" }, { "category": "", 
"channel": [ - "Microsoft-Windows-SmbClient/Security" + "Application" ], - "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", + "description": "Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", "event_ids": [ - "31017" + "1000" ], - "id": "610c6a10-ca67-69c5-0f6d-761487fb3b37", - "level": "medium", - "service": "smbclient-security", + "id": "fcc29ed2-c7fa-1b44-6db4-de352c7cf1b8", + "level": "high", + "service": "application", "subcategory_guids": [], "tags": [ "TA0006", - "T1110.001", - "T1110" + "T1003.001", + "T1003" ], - "title": "Suspicious Rejected SMB Guest Logon From IP" + "title": "Potential Credential Dumping Via WER - Application" }, { "category": "", "channel": [ - "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + "Application" ], - "description": "Detects activity when Windows Defender Firewall has been reset to its default configuration", - "event_ids": [ - "2032", - "2060" - ], - "id": "e2592615-38d5-5099-c59f-83ab34a11d9a", - "level": "low", - "service": "firewall-as", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.004", - "T1562" - ], - "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" - ], - "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", - "event_ids": [ - "2033", - "2059" - ], - "id": "3623c339-f1c5-67f2-a5a2-ddb078d75f69", + "description": "Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.\n", + "event_ids": [], + "id": "b0f698cd-af36-2a37-ce9f-2ab614a8b808", "level": "high", - "service": "firewall-as", - "subcategory_guids": 
[], - "tags": [ - "TA0005", - "T1562.004", - "T1562" - ], - "title": "All Rules Have Been Deleted From The Windows Firewall Configuration" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" - ], - "description": "Detects activity when The Windows Defender Firewall service failed to load Group Policy", - "event_ids": [ - "2009" - ], - "id": "33a69619-460b-90f5-19b1-2f34036caf0a", - "level": "low", - "service": "firewall-as", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.004", - "T1562" - ], - "title": "The Windows Defender Firewall Service Failed To Load Group Policy" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" - ], - "description": "Detects the addition of a new \"Allow\" firewall rule by the WMI process (WmiPrvSE.EXE).\nThis can occur if an attacker leverages PowerShell cmdlets such as \"New-NetFirewallRule\", or directly uses WMI CIM classes such as \"MSFT_NetFirewallRule\".\n", - "event_ids": [ - "2004", - "2071", - "2097" - ], - "id": "ac6e5dab-06d1-5064-a91c-0eb6246d22bd", - "level": "medium", - "service": "firewall-as", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.004", - "T1562" - ], - "title": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" - ], - "description": "Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.", - "event_ids": [ - "2004", - "2071", - "2097" - ], - "id": "bf17c34a-7b9d-65a8-a143-afa9c13e1fe4", - "level": "high", - "service": "firewall-as", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.004", - "T1562" - ], - "title": "New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application" - }, - { - "category": "", - 
"channel": [ - "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" - ], - "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", - "event_ids": [ - "2006", - "2052" - ], - "id": "55827aab-4062-032f-35e7-2406dc57c35e", - "level": "medium", - "service": "firewall-as", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.004", - "T1562" - ], - "title": "A Rule Has Been Deleted From The Windows Firewall Exception List" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" - ], - "description": "Detects when a rule has been added to the Windows Firewall exception list", - "event_ids": [ - "2004", - "2071", - "2097" - ], - "id": "a1dbd390-a4c5-755a-1b1f-a76aabbecbbc", - "level": "medium", - "service": "firewall-as", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.004", - "T1562" - ], - "title": "Uncommon New Firewall Rule Added In Windows Firewall Exception List" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" - ], - "description": "Detects activity when the settings of the Windows firewall have been changed", - "event_ids": [ - "2002", - "2003", - "2008", - "2082", - "2083" - ], - "id": "a0062bfc-2eba-05df-e231-f4a44b1317ab", - "level": "low", - "service": "firewall-as", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.004", - "T1562" - ], - "title": "Windows Firewall Settings Have Been Changed" - }, - { - "category": "antivirus", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Detects a highly relevant Antivirus alert that reports ransomware.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", - "event_ids": [ - "1006", - "1007", - "1008", - "1009", - "1010", - "1011", - "1012", - "1017", - "1018", - "1019", - 
"1115", - "1116" - ], - "id": "22f82564-4b51-e901-bf00-ea94ff39b468", - "level": "critical", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "T1486", - "TA0040" - ], - "title": "Antivirus Ransomware Detection" - }, - { - "category": "antivirus", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", - "event_ids": [ - "1006", - "1007", - "1008", - "1009", - "1010", - "1011", - "1012", - "1017", - "1018", - "1019", - "1115", - "1116" - ], - "id": "1868a1c5-30e8-dffd-a373-90c72ea4921a", - "level": "critical", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1203", - "TA0011", - "T1219.002", - "T1219" - ], - "title": "Antivirus Exploitation Framework Detection" - }, - { - "category": "antivirus", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", - "event_ids": [ - "1006", - "1007", - "1008", - "1009", - "1010", - "1011", - "1012", - "1017", - "1018", - "1019", - "1115", - "1116" - ], - "id": "a1be9170-2ada-e8bb-285c-3e1ff336189e", - "level": "high", - "service": "windefend", + "service": "application", "subcategory_guids": [], "tags": [ "TA0042", "T1588" ], - "title": "Antivirus Relevant File Paths Alerts" - }, - { - "category": "antivirus", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Detects a highly relevant Antivirus alert that reports a password dumper.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in 
the first place.\n", - "event_ids": [ - "1006", - "1007", - "1008", - "1009", - "1010", - "1011", - "1012", - "1017", - "1018", - "1019", - "1115", - "1116" - ], - "id": "46fc2e9f-df4e-8628-05d5-39bc97b56bab", - "level": "critical", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1003", - "T1558", - "T1003.001", - "T1003.002" - ], - "title": "Antivirus Password Dumper Detection" - }, - { - "category": "antivirus", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Detects a highly relevant Antivirus alert that reports a web shell.\nIt's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", - "event_ids": [ - "1006", - "1007", - "1008", - "1009", - "1010", - "1011", - "1012", - "1017", - "1018", - "1019", - "1115", - "1116" - ], - "id": "207b56b3-b44d-dcee-c171-c8f3f4eb3cf6", - "level": "high", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "TA0003", - "T1505.003", - "T1505" - ], - "title": "Antivirus Web Shell Detection" - }, - { - "category": "antivirus", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", - "event_ids": [ - "1006", - "1007", - "1008", - "1009", - "1010", - "1011", - "1012", - "1017", - "1018", - "1019", - "1115", - "1116" - ], - "id": "f3d20838-65fe-0575-52a9-fd41ce2a5fdd", - "level": "high", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1204" - ], - "title": "Antivirus Hacktool Detection" + "title": "Relevant 
Anti-Virus Signature Keywords In Application Log" }, { "category": "", "channel": [ "Application" ], - "description": "Detects MSI package installation from suspicious locations", + "description": "An application has been removed. Check if it is critical.", "event_ids": [ - "1040", - "1042" + "1034", + "11724" ], - "id": "96acd930-342e-66ca-9855-1285ba8a40ed", - "level": "medium", + "id": "33c276a1-2475-2f1f-aa3d-ec5d61dbe94c", + "level": "low", "service": "application", "subcategory_guids": [], "tags": [ - "TA0002" + "TA0040", + "T1489" ], - "title": "MSI Installation From Suspicious Locations" - }, - { - "category": "", - "channel": [ - "Application" - ], - "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", - "event_ids": [ - "1033" - ], - "id": "655bf214-78ac-5d4f-27ac-4e0ede9b68a5", - "level": "high", - "service": "application", - "subcategory_guids": [], - "tags": [ - "TA0011", - "T1219.002", - "T1219" - ], - "title": "Atera Agent Installation" + "title": "Application Uninstalled" }, { "category": "", 
@@ -28992,20 +2769,39 @@
 "channel": [
 "Application"
 ],
- "description": "An application has been removed. Check if it is critical.",
+ "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators",
 "event_ids": [
- "1034",
- "11724"
+ "1033"
 ],
- "id": "33c276a1-2475-2f1f-aa3d-ec5d61dbe94c",
- "level": "low",
+ "id": "655bf214-78ac-5d4f-27ac-4e0ede9b68a5",
+ "level": "high",
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "TA0040",
- "T1489"
+ "TA0011",
+ "T1219.002",
+ "T1219"
 ],
- "title": "Application Uninstalled"
+ "title": "Atera Agent Installation"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Application"
+ ],
+ "description": "Detects MSI package installation from suspicious locations",
+ "event_ids": [
+ "1040",
+ "1042"
+ ],
+ "id": "96acd930-342e-66ca-9855-1285ba8a40ed",
+ "level": "medium",
+ "service": "application",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002"
+ ],
+ "title": "MSI Installation From Suspicious Locations"
 },
 {
 "category": "",
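Review bot: The `Atera Agent Installation` entry added on the new side keys on Application event `1033` only, and nothing in this record (channel, event_ids, tags) carries the product-name condition that separates an Atera MSI from any other installed package, so a consumer that matches on `event_ids` alone would raise a `high` alert on every successful MSI install. If that filter is applied by the consumer rather than stored here, say so in the description, e.g. `"description": "Detects successful installation of the Atera RMM agent (MsiInstaller EID 1033; this record only selects the event, the product-name match is applied by the consumer). Atera has been abused by Conti operators."`. The same caveat applies to `MSI Installation From Suspicious Locations` (`1040`/`1042`), whose path condition is likewise absent from the record. Beyond that, the hunk only moves two existing rules into the slot `Application Uninstalled` used to occupy; emitting the array sorted by `id` before committing would keep future regenerations to real changes instead of a ~29k-line shuffle. The array element containing this hunk opens before it (`{` and `"category"` are outside the hunk).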
@@ -29027,218 +2823,6 @@
 ],
 "title": "Backup Catalog Deleted"
 },
- {
- "category": "",
- "channel": [
- "Application"
- ],
- "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy",
- "event_ids": [
- "865",
- "866",
- "867",
- "868",
- "882"
- ],
- "id": "2ebb1619-89c0-1a11-2b58-53ef8c2cb863",
- "level": "high",
- "service": "application",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1072"
- ],
- "title": "Restricted Software Access By SRP"
- },
- {
- "category": "",
- "channel": [
- "Application"
- ],
- "description": "Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.",
- "event_ids": [
- "18456"
- ],
- "id": "2aec0e1c-e7f6-3837-d7f2-ee1c5cac7032",
- "level": "medium",
- "service": "application",
- "subcategory_guids": [],
- "tags": [
- "TA0006",
- "T1110"
- ],
- "title": "MSSQL Server Failed Logon From External Network"
- },
- {
- "category": "",
- "channel": [
- "Application"
- ],
- "description": "Detects failed logon attempts from clients to MSSQL server.",
- "event_ids": [
- "18456"
- ],
- "id": "03e217c6-de25-3afa-3833-6c534a6576f0",
- "level": "low",
- "service": "application",
- "subcategory_guids": [],
- "tags": [
- "TA0006",
- "T1110"
- ],
- "title": "MSSQL Server Failed Logon"
- },
- {
- "category": "",
- "channel": [
- "Application"
- ],
- "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed.\n",
- "event_ids": [
- "15457"
- ],
- "id": "11635209-eef1-b93a-98bf-33b80e5065a1",
- "level": "high",
- "service": "application",
- "subcategory_guids": [],
- "tags": [
- "TA0002"
- ],
- "title": "MSSQL XPCmdshell Option Change"
- },
- {
- "category": "",
- "channel": [
- "Application"
- ],
- "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started",
- "event_ids": [
- "33205"
- ],
- "id": "824a7eb7-81e3-6b27-2ede-6fd2d58348b4",
- "level": "high",
- "service": "application",
- "subcategory_guids": [],
- "tags": [
- "TA0003"
- ],
- "title": "MSSQL SPProcoption Set"
- },
- {
- "category": "",
- "channel": [
- "Application"
- ],
- "description": "Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as \"DROP TABLE\" or \"DROP DATABASE\".\n",
- "event_ids": [
- "33205"
- ],
- "id": "ca403782-4ab3-76a6-b804-069219ccbd7f",
- "level": "medium",
- "service": "application",
- "subcategory_guids": [],
- "tags": [
- "TA0010",
- "TA0040",
- "T1485"
- ],
- "title": "MSSQL Destructive Query"
- },
- {
- "category": "",
- "channel": [
- "Application"
- ],
- "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role",
- "event_ids": [
- "33205"
- ],
- "id": "d17d99ad-18e9-67e1-6163-054f210fee16",
- "level": "high",
- "service": "application",
- "subcategory_guids": [],
- "tags": [
- "TA0003"
- ],
- "title": "MSSQL Add Account To Sysadmin Role"
- },
- {
- "category": "",
- "channel": [
- "Application"
- ],
- "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands",
- "event_ids": [
- "33205"
- ],
- "id": "bc1445fe-1749-b913-f147-64575e1d9ac1",
- "level": "high",
- "service": "application",
- "subcategory_guids": [],
- "tags": [
- "TA0002"
- ],
- "title": "MSSQL XPCmdshell Suspicious Execution"
- },
- {
- "category": "",
- "channel": [
- "Application"
- ],
- "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server",
- "event_ids": [
- "33205"
- ],
- "id": "e485c12e-8840-1b24-61f7-697e480d63b1",
- "level": "high",
- "service": "application",
- "subcategory_guids": [],
- "tags": [
- "TA0005"
- ],
- "title": "MSSQL Disable Audit Settings"
- },
- {
- "category": "",
- "channel": [
- "Application"
- ],
- "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location",
- "event_ids": [
- "325"
- ],
- "id": "a050e701-373d-fc52-c345-8fbf933e1b82",
- "level": "medium",
- "service": "application",
- "subcategory_guids": [],
- "tags": [
- "TA0002"
- ],
- "title": "Dump Ntds.dit To Suspicious Location"
- },
- {
- "category": "",
- "channel": [
- "Application"
- ],
- "description": "Detects potential abuse of ntdsutil to dump ntds.dit database",
- "event_ids": [
- "216",
- "325",
- "326",
- "327"
- ],
- "id": "b8d0d560-906d-670f-cd10-32ed9179f21a",
- "level": "medium",
- "service": "application",
- "subcategory_guids": [],
- "tags": [
- "TA0006",
- "T1003.003",
- "T1003"
- ],
- "title": "Ntdsutil Abuse"
- },
 {
 "category": "",
 "channel": [
@@ -29314,826 +2898,1892 @@ "channel": [ "Application" ], - "description": "Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.\n", - "event_ids": [], - "id": "b0f698cd-af36-2a37-ce9f-2ab614a8b808", + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", + "event_ids": [ + "33205" + ], + "id": "bc1445fe-1749-b913-f147-64575e1d9ac1", "level": "high", "service": "application", "subcategory_guids": [], "tags": [ - "TA0042", - "T1588" + "TA0002" ], - "title": "Relevant Anti-Virus Signature Keywords In Application Log" + "title": "MSSQL XPCmdshell Suspicious Execution" }, { "category": "", "channel": [ "Application" ], - "description": "Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", + "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", "event_ids": [ - "1000" + "33205" ], - "id": "fcc29ed2-c7fa-1b44-6db4-de352c7cf1b8", + "id": "e485c12e-8840-1b24-61f7-697e480d63b1", "level": "high", "service": "application", "subcategory_guids": [], "tags": [ - "TA0006", - "T1003.001", - "T1003" - ], - "title": "Potential Credential Dumping Via WER - Application" - }, - { - "category": "", - "channel": [ - "Application" - ], - "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", - "event_ids": [ - "1000" - ], - "id": "24cdd840-5da1-6c12-5b58-4da49cc4b11a", - "level": "high", - "service": "application", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1211", - "T1562.001", - "T1562" - ], - "title": "Microsoft Malware Protection Engine Crash" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects \"RegAsm.exe\" 
initiating a network connection to public IP adresses", - "event_ids": [ - "5156" - ], - "id": "a0e133b9-f055-5011-01e6-75ed480ad2da", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.009", - "T1218" - ], - "title": "RegAsm.EXE Initiating Network Connection To Public IP" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.", - "event_ids": [ - "5156" - ], - "id": "8cf1b63a-f161-0e51-a9d2-cc697d06a5a4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0011" - ], - "title": "Office Application Initiated Network Connection Over Uncommon Ports" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a \"winlogon.exe\" process that initiate network communications with public IP addresses", - "event_ids": [ - "5156" - ], - "id": "3c6c2271-decf-a5c0-b983-edaa9cf7077d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "TA0011", - "T1218.011", - "T1218" - ], - "title": "Outbound Network Connection To Public IP Via Winlogon" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a possible remote connections to Silenttrinity c2", - "event_ids": [ - "5156" - ], - "id": "f96b2d35-57da-bef8-3624-73634617eac6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1127.001", - "T1127" - ], - "title": "Silenttrinity Stager Msbuild Activity" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects executables located in 
potentially suspicious directories initiating network connections towards file sharing domains.", - "event_ids": [ - "5156" - ], - "id": "34ba9d0c-a415-a91a-013b-30158906f18c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.\n", - "event_ids": [ - "5156" - ], - "id": "510d0486-0545-9178-93cb-5f5a8c75930b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0011" - ], - "title": "Suspicious Wordpad Outbound Connections" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a network connection initiated by the Add-In deployment cache updating utility \"AddInutil.exe\".\nThis could indicate a potential command and control communication as this tool doesn't usually initiate network activity.\n", - "event_ids": [ - "5156" - ], - "id": "8d993d6b-e44b-0df0-91c0-6093975b69f8", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Network Connection Initiated By AddinUtil.EXE" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a network connection initiated by Cmstp.EXE\nIts uncommon for \"cmstp.exe\" to initiate an outbound network connection. 
Investigate the source of such requests to determine if they are malicious.\n", - "event_ids": [ - "5156" - ], - "id": "41d54b25-deb6-4ea3-fbac-3f5b6e200939", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.003", - "T1218" - ], - "title": "Outbound Network Connection Initiated By Cmstp.EXE" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a rundll32 that communicates with public IP addresses", - "event_ids": [ - "5156" - ], - "id": "4a7137e3-d863-49dd-6199-5ca7722de62e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "TA0002", - "T1218" - ], - "title": "Rundll32 Internet Connection" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.\n", - "event_ids": [ - "5156" - ], - "id": "1ba0b3d6-e0f7-98e9-4611-b307922a0766", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases\n", - "event_ids": [ - "5156" - ], - "id": "7ac85830-5907-5206-2d25-490b3ace5587", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0011", - "T1571" - ], - "title": "Potentially Suspicious Malware Callback Communication" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - 
"description": "Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.\n", - "event_ids": [ - "5156" - ], - "id": "b2c34a06-251e-87ee-2d3e-fae878185d34", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1087" - ], - "title": "Uncommon Connection to Active Directory Web Services" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.", - "event_ids": [ - "5156" - ], - "id": "cb64ddfa-8325-dc30-db3f-e546a9b1eba5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1046" - ], - "title": "Python Initiated Connection" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", - "event_ids": [ - "5156" - ], - "id": "5049ed9f-e700-a499-9498-5e648851d2ad", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1572", - "TA0008", - "T1021.001", - "car.2013-07-002", - "T1021" - ], - "title": "RDP to HTTP or HTTPS Target Ports" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.\nThis rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.\nThis rule will require an initial baseline and tuning that is specific to your organization.\n", - "event_ids": [ - "5156" - ], - "id": "7c154a7f-01a0-3b2e-927d-32c452139322", - 
"level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1203" - ], - "title": "Office Application Initiated Network Connection To Non-Local IP" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", - "event_ids": [ - "5156" - ], - "id": "81ca22c3-fdfd-6c3a-051f-dc404488536c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1572", - "TA0008", - "T1021.001", - "car.2013-07-002", - "T1021" - ], - "title": "RDP Over Reverse SSH Tunnel" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a network connection initiated by the certutil.exe utility.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", - "event_ids": [ - "5156" - ], - "id": "bc5e54c2-1b8d-cb27-3079-f47318f4ccc7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Uncommon Network Connection Initiated By Certutil.EXE" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "event_ids": [ - "5156" - ], - "id": "94af51b6-e4c1-f780-3f48-90c3d7e35ea4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010", - "T1048.003", - "T1048" - ], - "title": "Suspicious Outbound SMTP Connections" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - 
"description": "Detects a network connection initiated by \"Regsvr32.exe\"", - "event_ids": [ - "5156" - ], - "id": "6814d247-c70b-e49e-6553-149fc21c3a81", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1559.001", - "TA0005", - "T1218.010", - "T1218", - "T1559" - ], - "title": "Network Connection Initiated By Regsvr32.EXE" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.\n", - "event_ids": [ - "5156" - ], - "id": "7e448677-939e-f6d0-e901-91843a3888d7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Local Network Connection Initiated By Script Interpreter" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.", - "event_ids": [ - "5156" - ], - "id": "1487f05c-b749-4322-d657-d20a2eea7e47", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Outbound Network Connection Initiated By Script Interpreter" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects incoming connections to AnyDesk. 
This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.\n", - "event_ids": [ - "5156" - ], - "id": "5a099129-36a4-b13b-5345-9f37b231fb5c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0011", - "T1219.002", - "T1219" - ], - "title": "Remote Access Tool - AnyDesk Incoming Connection" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.\nAn initial baseline is required before using this utility to exclude third party RDP tooling that you might use.\n", - "event_ids": [ - "5156" - ], - "id": "e02f9ef8-2edb-79a4-0626-b506436d7ebe", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1021.001", - "car.2013-07-002", - "T1021" - ], - "title": "Outbound RDP Connections Over Non-Standard Tools" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects outbound network connection initiated by Microsoft Dialer.\nThe Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. 
Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.\nThis is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is \"Rhadamanthys\"\n", - "event_ids": [ - "5156" - ], - "id": "fa5330d2-19f1-4167-52a0-fb622b6425f8", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0011", - "T1071.001", - "T1071" - ], - "title": "Outbound Network Connection Initiated By Microsoft Dialer" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.\n", - "event_ids": [ - "5156" - ], - "id": "7c743e5c-7a9d-ba96-9ada-1d17687e2a6d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1558", - "TA0008", - "T1550.003", - "T1550" - ], - "title": "Uncommon Outbound Kerberos Connection" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects programs that connect to uncommon destination ports", - "event_ids": [ - "5156" - ], - "id": "7983db98-5767-b29d-2652-a01fd3e751ad", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0011", - "T1571" - ], - "title": "Communication To Uncommon Destination Ports" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects network connections from the Equation Editor process \"eqnedt32.exe\".", - "event_ids": [ - "5156" - ], - "id": "141fe5f1-4de3-21fd-1b09-8d53f1019340", - "level": "high", - "service": "", - "subcategory_guids": [ - 
"0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1203" - ], - "title": "Network Connection Initiated By Eqnedt32.EXE" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.\n", - "event_ids": [ - "5156" - ], - "id": "0f4d93f0-a1eb-e6cb-7d79-f38cc95a9a55", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Network Connection Initiated By IMEWDBLD.EXE" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", - "event_ids": [ - "5156" - ], - "id": "e2d0c6fb-f0de-9cce-076d-f755f6ae4956", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1055", - "T1218", - "TA0002", "TA0005" ], - "title": "Microsoft Sync Center Suspicious Network Connections" + "title": "MSSQL Disable Audit Settings" }, { - "category": "network_connection", + "category": "", + "channel": [ + "Application" + ], + "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", + "event_ids": [ + "33205" + ], + "id": "824a7eb7-81e3-6b27-2ede-6fd2d58348b4", + "level": "high", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0003" + ], + "title": "MSSQL SPProcoption Set" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "event_ids": [ + "33205" + ], + "id": "d17d99ad-18e9-67e1-6163-054f210fee16", + "level": "high", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0003" + ], + "title": "MSSQL Add Account To Sysadmin Role" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed.\n", + "event_ids": [ + "15457" + ], + "id": "11635209-eef1-b93a-98bf-33b80e5065a1", + "level": "high", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0002" + ], + "title": "MSSQL XPCmdshell Option Change" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "Detects failed logon attempts from clients to MSSQL server.", + "event_ids": [ + "18456" + ], + "id": "03e217c6-de25-3afa-3833-6c534a6576f0", + "level": "low", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1110" + ], + "title": "MSSQL Server Failed Logon" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "Detects failed logon attempts from clients with external network IP to an MSSQL server. 
This can be a sign of a bruteforce attack.", + "event_ids": [ + "18456" + ], + "id": "2aec0e1c-e7f6-3837-d7f2-ee1c5cac7032", + "level": "medium", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1110" + ], + "title": "MSSQL Server Failed Logon From External Network" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as \"DROP TABLE\" or \"DROP DATABASE\".\n", + "event_ids": [ + "33205" + ], + "id": "ca403782-4ab3-76a6-b804-069219ccbd7f", + "level": "medium", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0010", + "TA0040", + "T1485" + ], + "title": "MSSQL Destructive Query" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", + "event_ids": [ + "865", + "866", + "867", + "868", + "882" + ], + "id": "2ebb1619-89c0-1a11-2b58-53ef8c2cb863", + "level": "high", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1072" + ], + "title": "Restricted Software Access By SRP" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", + "event_ids": [ + "325" + ], + "id": "a050e701-373d-fc52-c345-8fbf933e1b82", + "level": "medium", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0002" + ], + "title": "Dump Ntds.dit To Suspicious Location" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", + "event_ids": [ + "216", + "325", + "326", + "327" + ], + "id": "b8d0d560-906d-670f-cd10-32ed9179f21a", + "level": "medium", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1003.003", + "T1003" 
+ ], + "title": "Ntdsutil Abuse" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], + "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", + "event_ids": [ + "401" + ], + "id": "5cfde458-a9e1-f4b7-92cd-959ead47bdd3", + "level": "medium", + "service": "appxdeployment-server", + "subcategory_guids": [], + "tags": [ + "TA0005" + ], + "title": "Suspicious AppX Package Installation Attempt" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], + "description": "Detects an appx package deployment that was blocked by AppLocker policy", + "event_ids": [ + "412" + ], + "id": "a902397c-6118-0a8f-7fab-3f8142297d80", + "level": "medium", + "service": "appxdeployment-server", + "subcategory_guids": [], + "tags": [ + "TA0005" + ], + "title": "Deployment AppX Package Was Blocked By AppLocker" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", + "event_ids": [ + "854" + ], + "id": "a3dbb89a-aebc-03c7-295b-ad18d5c7924b", + "level": "medium", + "service": "appxdeployment-server", + "subcategory_guids": [], + "tags": [ + "TA0005" + ], + "title": "Uncommon AppX Package Locations" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], + "description": "Detects an appx package added to the pipeline of the \"to be processed\" packages which was downloaded from a suspicious domain.\n", + "event_ids": [ + "854" + ], + "id": "7de9c1d0-7b8e-8196-8137-8dcc13c6e960", + "level": "high", + "service": "appxdeployment-server", + "subcategory_guids": [], + "tags": [ + "TA0005" + ], + "title": "Suspicious Remote AppX Package Locations" + }, + 
{ + "category": "", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], + "description": "Detects an appx package deployment that was blocked by the local computer policy", + "event_ids": [ + "441", + "442", + "453", + "454" + ], + "id": "c01e61dd-7cb7-acd0-c6e5-bda4c93b330c", + "level": "medium", + "service": "appxdeployment-server", + "subcategory_guids": [], + "tags": [ + "TA0005" + ], + "title": "Deployment Of The AppX Package Was Blocked By The Policy" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "event_ids": [ + "854" + ], + "id": "5bb0ef8b-3b9d-8a3c-30c2-0a787e54184a", + "level": "high", + "service": "appxdeployment-server", + "subcategory_guids": [], + "tags": [ + "TA0005" + ], + "title": "Suspicious AppX Package Locations" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-AppXDeploymentServer/Operational" + ], + "description": "Detects potential installation or installation attempts of known malicious appx packages", + "event_ids": [ + "400", + "401" + ], + "id": "8f46b318-b8a3-d268-911f-318d0b43c0f9", + "level": "medium", + "service": "appxdeployment-server", + "subcategory_guids": [], + "tags": [ + "TA0005" + ], + "title": "Potential Malicious AppX Package Installation Attempts" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Diagnosis-Scripted/Operational" + ], + "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", + "event_ids": [ + "101" + ], + "id": "b0e8486c-73f6-e1ba-9684-acba841c2719", + "level": "high", + "service": "diagnosis-scripted", + "subcategory_guids": [], + "tags": [ + "TA0002" + ], + "title": "Loading Diagcab Package From Remote Path" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], + 
"description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", + "event_ids": [ + "16403" + ], + "id": "26844668-ef48-7a97-5687-9533e59288b7", + "level": "high", + "service": "bits-client", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0003", + "T1197" + ], + "title": "BITS Transfer Job Download To Potential Suspicious Folder" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], + "description": "Detects new BITS transfer job saving local files with potential suspicious extensions", + "event_ids": [ + "16403" + ], + "id": "b37c7d8f-22b8-a92d-1d1c-593de0fa759e", + "level": "medium", + "service": "bits-client", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0003", + "T1197" + ], + "title": "BITS Transfer Job Downloading File Potential Suspicious Extension" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], + "description": "Detects the creation of a new bits job by PowerShell", + "event_ids": [ + "3" + ], + "id": "23d76ee6-e5fc-fb90-961a-4b412b97cc94", + "level": "low", + "service": "bits-client", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0003", + "T1197" + ], + "title": "New BITS Job Created Via PowerShell" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], + "description": "Detects BITS transfer job downloading files from a file sharing domain.", + "event_ids": [ + "16403" + ], + "id": "4f9e9e60-c580-dd4e-4f06-42a016217d0e", + "level": "high", + "service": "bits-client", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0003", + "T1197" + ], + "title": "BITS Transfer Job Download From File Sharing Domains" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], + "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", + "event_ids": [ + "16403" + ], + "id": 
"5e8a986a-7579-0482-f86e-ad63f6341cd1", + "level": "high", + "service": "bits-client", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0003", + "T1197" + ], + "title": "BITS Transfer Job Download From Direct IP" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], + "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", + "event_ids": [ + "16403" + ], + "id": "8a389ad3-d0c7-ef8c-1fb3-5bb7e31bcf7f", + "level": "medium", + "service": "bits-client", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0003", + "T1197" + ], + "title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Bits-Client/Operational" + ], + "description": "Detects the creation of a new bits job by Bitsadmin", + "event_ids": [ + "3" + ], + "id": "f72c1543-44f6-f836-c0da-9bab33600dac", + "level": "low", + "service": "bits-client", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0003", + "T1197" + ], + "title": "New BITS Job Created Via Bitsadmin" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-AppLocker/MSI and Script", + "Microsoft-Windows-AppLocker/EXE and DLL", + "Microsoft-Windows-AppLocker/Packaged app-Deployment", + "Microsoft-Windows-AppLocker/Packaged app-Execution" + ], + "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. 
You need configure applocker and log collect to receive these events.", + "event_ids": [ + "8004", + "8007", + "8022", + "8025" + ], + "id": "da0e47f5-493f-9da4-b041-8eb762761118", + "level": "medium", + "service": "applocker", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1204.002", + "T1059.001", + "T1059.003", + "T1059.005", + "T1059.006", + "T1059.007", + "T1059", + "T1204" + ], + "title": "File Was Not Allowed To Run" + }, + { + "category": "", "channel": [ "sec" ], - "description": "Detects a network connection that is initiated by the \"notepad.exe\" process.\nThis might be a sign of process injection from a beacon process or something similar.\nNotepad rarely initiates a network communication except when printing documents for example.\n", + "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME", "event_ids": [ - "5156" + "4699" ], - "id": "e6f76f81-e758-4001-122c-58a3ceef02f9", - "level": "high", + "id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0004", + "car.2013-08-001", + "T1053.005", + "detection.threat-hunting", + "T1053" + ], + "title": "Scheduled Task Deletion" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.\nThis event is best correlated and used as an enrichment to determine the potential lateral movement activity.\n", + "event_ids": [ + "4624" + ], + "id": "910ec16d-6957-01b7-39a8-5e676e459cac", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0004", + 
"detection.threat-hunting", + "TA0003", + "T1546.003", + "T1546" + ], + "title": "Potential Remote WMI ActiveScriptEventConsumers Activity" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.\n", + "event_ids": [ + "4663" + ], + "id": "7619b716-8052-6323-d9c7-87923ef591e6", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1555.003", + "detection.threat-hunting", + "T1555" + ], + "title": "Access To Browser Credential Files By Uncommon Applications - Security" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.", + "event_ids": [ + "4688" + ], + "id": "9938bbf1-ddc1-5cb0-3fc5-5f55abdba2c0", + "level": "low", "service": "", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0011", - "TA0002", - "TA0005", - "T1055" + "TA0009", + "T1560.001", + "detection.threat-hunting", + "T1560" ], - "title": "Network Connection Initiated Via Notepad.EXE" + "title": "Password Protected Compressed File Extraction Via 7Zip" }, { - "category": "", + "category": "process_creation", "channel": [ - "Microsoft-Windows-DriverFrameworks-UserMode/Operational" + "sec" ], - "description": "Detects plugged/unplugged USB devices", + "description": "Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.\n", "event_ids": [ - "2003", - "2100", - "2102" + "4688" ], - "id": "12717514-9380-dabc-12b9-113f524ec3ac", - 
"level": "low", - "service": "driver-framework", - "subcategory_guids": [], - "tags": [ - "TA0001", - "T1200" - ], - "title": "USB Device Plugged" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TaskScheduler/Operational" - ], - "description": "Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task", - "event_ids": [ - "129" - ], - "id": "d5a3d13e-7db3-bcf5-824a-789488ab40fd", - "level": "medium", - "service": "taskscheduler", - "subcategory_guids": [], - "tags": [ - "TA0003", - "T1053.005", - "T1053" - ], - "title": "Scheduled Task Executed Uncommon LOLBIN" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TaskScheduler/Operational" - ], - "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", - "event_ids": [ - "129" - ], - "id": "c1fd9ca2-a3f8-1adc-0f1d-1d6099f5d827", - "level": "medium", - "service": "taskscheduler", - "subcategory_guids": [], - "tags": [ - "TA0003", - "T1053.005", - "T1053" - ], - "title": "Scheduled Task Executed From A Suspicious Location" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TaskScheduler/Operational" - ], - "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities\n", - "event_ids": [ - "141" - ], - "id": "0c0e2be2-30d2-c713-0c9c-63cd9752a940", - "level": "high", - "service": "taskscheduler", - "subcategory_guids": [], - "tags": [ - "TA0040", - "T1489" - ], - "title": "Important Scheduled Task Deleted" - }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "event_ids": [ - "400" - ], - "id": 
"315f165d-92fd-170d-d80b-0f16f9cf5384", + "id": "592e613b-8b20-792b-c8be-b55cf0bbe6a4", "level": "medium", "service": "", - "subcategory_guids": [], + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1127", + "T1218", + "detection.threat-hunting" + ], + "title": "Microsoft Workflow Compiler Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a file or folder's permissions being modified or tampered with.", + "event_ids": [ + "4688" + ], + "id": "2fbf12bc-cfa8-081e-6e1c-f7a08543c781", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1222.001", + "detection.threat-hunting", + "T1222" + ], + "title": "File or Folder Permissions Modifications" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries.\n\nFrom the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios.\n 1. Compressed file opened using 7zip.\n 2. Compressed file opened using WinRar.\n 3. Compressed file opened using native windows File Explorer capabilities.\n\nWhen the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. 
It will then be executed using the relevant script interpreter.\"\n", + "event_ids": [ + "4688" + ], + "id": "e86bcb59-4f56-b91f-1c5f-100512b9d367", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059", + "detection.threat-hunting" + ], + "title": "Manual Execution of Script Inside of a Compressed File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects remote binary or command execution via the ScreenConnect Service.\nUse this rule in order to hunt for potentially anomalous executions originating from ScreenConnect\n", + "event_ids": [ + "4688" + ], + "id": "fc780b12-2819-3958-745b-4cd4c6b66435", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.threat-hunting" + ], + "title": "Remote Access Tool - ScreenConnect Remote Command Execution - Hunting" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious child processes spawned by PowerShell.\nUse this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.\n", + "event_ids": [ + "4688" + ], + "id": "56ff2d1a-cadd-2622-f049-458f96d44a39", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], "tags": [ "TA0002", "T1059.001", "detection.threat-hunting", "T1059" ], - "title": "Uncommon PowerShell Hosts" + "title": "Potentially Suspicious PowerShell Child Processes" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of curl.exe with custom useragent options", + "event_ids": [ + "4688" + ], + "id": "e0489e47-4c09-f300-bf19-14475e09c953", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1071.001", + 
"detection.threat-hunting", + "T1071" + ], + "title": "Curl.EXE Execution With Custom UserAgent" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.", + "event_ids": [ + "4688" + ], + "id": "d11c691d-7387-9895-7369-83c0abfbfba7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027.004", + "detection.threat-hunting", + "T1027" + ], + "title": "Dynamic .NET Compilation Via Csc.EXE - Hunting" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.", + "event_ids": [ + "4688" + ], + "id": "1907e117-0636-2197-9e4a-c6f58a1f30e7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1570", + "detection.threat-hunting" + ], + "title": "SMB over QUIC Via Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript", + "event_ids": [ + "4688" + ], + "id": "5742c4d7-6bb8-d4c7-1abf-eedde7c178df", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.005", + "T1059.007", + "detection.threat-hunting", + "T1059" + ], + "title": "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of a child \"explorer.exe\" process from a shell like process such as \"cmd.exe\" or \"powershell.exe\".\nAttackers can use \"explorer.exe\" for evading defense mechanisms by proxying the 
execution through the latter.\nWhile this is often a legitimate action, this rule can be use to hunt for anomalies.\nMuddy Waters threat actor was seeing using this technique.\n", + "event_ids": [ + "4688" + ], + "id": "4519a945-f840-1570-0add-773bb923bedc", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "detection.threat-hunting" + ], + "title": "Potential Proxy Execution Via Explorer.EXE From Shell Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the Ammy Admin RMM agent for remote management.", + "event_ids": [ + "4688" + ], + "id": "b7469b0d-0e65-e130-f73c-9b9ccd3b363b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "detection.threat-hunting" + ], + "title": "Remote Access Tool - Ammy Admin Agent Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands.\n", + "event_ids": [ + "4688" + ], + "id": "8a0a2c60-bc08-2e90-8f92-1da8d1f8499b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1218", + "T1202", + "detection.threat-hunting" + ], + "title": "Arbitrary Command Execution Using WSL" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of Action1 in order to execute arbitrary code or establish a remote session.\n\nAction1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.\nThrough the web interface of action1, the administrator must create a new policy or an app to establish remote 
execution and then points that the agent is installed.\n\nHunting Opportunity 1- Weed Out The Noise\n\nWhen threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name \"test_app_1\":\n\nParentCommandLine: \"C:\\WINDOWS\\Action1\\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0\"\n\nAfter establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences.\n\nHunting Opportunity 2 - Remote Sessions On Out Of Office Hours\n\nIf you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.\n", + "event_ids": [ + "4688" + ], + "id": "441ef2d8-5da0-7432-b390-b778f9f5c77b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1219.002", + "detection.threat-hunting", + "T1219" + ], + "title": "Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects child processes of \"dfsvc\" which indicates a ClickOnce deployment execution.", + "event_ids": [ + "4688" + ], + "id": "7482a6b9-2304-1d3c-7835-d804bcf7672f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "detection.threat-hunting" + ], + "title": "ClickOnce Deployment Execution - Dfsvc.EXE Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the \"SET\" internal command of 
Cmd.EXE with the /p flag followed directly by an \"=\" sign.\nAttackers used this technique along with an append redirection operator \">>\" in order to update the content of a file indirectly.\nEx: cmd /c >> example.txt set /p=\"test data\". This will append \"test data\" to contents of \"example.txt\".\nThe typical use case of the \"set /p=\" command is to prompt the user for input.\n", + "event_ids": [ + "4688" + ], + "id": "b3580f6e-3488-e1e8-ec74-68176667ab9e", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "detection.threat-hunting" + ], + "title": "Potential File Override/Append Via SET Command" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"sc.exe\" to query information about registered services on the system", + "event_ids": [ + "4688" + ], + "id": "1a3d7d59-1928-edd5-afaa-ffb4018bf777", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1007", + "detection.threat-hunting" + ], + "title": "SC.EXE Query Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the redirection character \">\" to redirect information on the command line.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", + "event_ids": [ + "4688" + ], + "id": "168763f9-a5fa-29af-e778-ed5054fe3044", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1082", + "detection.threat-hunting" + ], + "title": "CMD Shell Output Redirect" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of regsvr32 with the silent flag and no other 
flags on a DLL located in an uncommon or potentially suspicious location.\nWhen Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'.\n", + "event_ids": [ + "4688" + ], + "id": "e75ce043-bf1d-9f0c-e8bf-f149e9bd5283", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "detection.threat-hunting" + ], + "title": "Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the \"iexpress.exe\" utility creating self-extracting packages.\nAttackers where seen leveraging \"iexpress\" to compile packages on the fly via \".sed\" files.\nInvestigate the command line options provided to \"iexpress\" and in case of a \".sed\" file, check the contents and legitimacy of it.\n", + "event_ids": [ + "4688" + ], + "id": "bc8a6370-9950-1a63-7ece-7feed9d18e57", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "detection.threat-hunting" + ], + "title": "New Self Extracting Package Created Via IExpress.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"Net.EXE\".", + "event_ids": [ + "4688" + ], + "id": "e0f16539-f1cb-5cb9-0004-f3a040346952", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1007", + "T1049", + "T1018", + "T1135", + "T1201", + "T1069.001", + "T1069.002", + "T1087.001", + "T1087.002", + "TA0008", + "T1021.002", + "attack.s0039", + "detection.threat-hunting", + "T1087", + "T1069", + "T1021" + ], + "title": "Net.EXE Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a CodePage modification using the \"mode.com\" utility.\nThis 
behavior has been used by threat actors behind Dharma ransomware.\n", + "event_ids": [ + "4688" + ], + "id": "b25c6710-2d0f-f815-6c97-ba13c1680f88", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "detection.threat-hunting" + ], + "title": "CodePage Modification Via MODE.COM" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"taskkill.exe\" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.\nAttackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.\n", + "event_ids": [ + "4688" + ], + "id": "2f97f9ce-7a7d-959a-856a-f32ca7058c3e", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1489", + "detection.threat-hunting" + ], + "title": "Process Terminated Via Taskkill" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect attempts to query the contents of the event log using command line utilities. 
Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.\n", + "event_ids": [ + "4688" + ], + "id": "28780094-1850-b624-cda8-9bec4509c976", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1552", + "TA0006", + "detection.threat-hunting" + ], + "title": "EventLog Query Requests By Builtin Utilities" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the \"Import-Module\" cmdlet in order to add new Cmdlets to the current PowerShell session", + "event_ids": [ + "4688" + ], + "id": "f2b2d6f5-92ed-d0f5-25fe-38019bd55906", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.threat-hunting" + ], + "title": "Import New Module Via PowerShell CommandLine" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may attempt to get information about running processes on a system. 
Information obtained could be used to gain an understanding of common software/applications running on systems within the network", + "event_ids": [ + "4688" + ], + "id": "a8683f51-05f0-cb77-d513-48b731911be3", + "level": "informational", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1057", + "detection.threat-hunting" + ], + "title": "Suspicious Tasklist Discovery Command" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects calls of DLLs exports by ordinal numbers via rundll32.dll.", + "event_ids": [ + "4688" + ], + "id": "20c51c2f-7e3d-8f18-01f5-ef39633f31f9", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "detection.threat-hunting", + "T1218" + ], + "title": "DLL Call by Ordinal Via Rundll32.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument that is no longer supported.\n", + "event_ids": [ + "4688" + ], + "id": "8a9c93e5-e67a-2190-d912-b0f9a3711b17", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.threat-hunting" + ], + "title": "Cab File Extraction Via Wusa.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential CommandLine obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", + "event_ids": [ + "4688" + ], + "id": "1c28655b-a54c-2619-b61d-1b3307a9d6dd", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + 
], + "tags": [ + "TA0005", + "T1027", + "detection.threat-hunting" + ], + "title": "Potential CommandLine Obfuscation Using Unicode Characters" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.\n", + "event_ids": [ + "4688" + ], + "id": "eccdceeb-5139-9a2f-8bfd-9235f5a36687", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "detection.threat-hunting" + ], + "title": "Rundll32.EXE Calling DllRegisterServer Export Function Explicitly" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects calls to the \"New-NetFirewallRule\" cmdlet from PowerShell in order to add a new firewall rule with an \"Allow\" action.\n", + "event_ids": [ + "4688" + ], + "id": "9a19f541-5164-a71e-b29a-91d7d34d09e6", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1562.004", + "detection.threat-hunting", + "T1562" + ], + "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"attrib\" with the \"+s\" flag to mark files as system files", + "event_ids": [ + "4688" + ], + "id": "78135073-a4b1-9708-8e2f-dced9caf0c32", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.001", + "detection.threat-hunting", + "T1564" + ], + "title": "Set Files as System Files Using Attrib.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects command line usage of \"findstr\" to search for the \"passwords\" keyword in a variety of different languages", 
+ "event_ids": [ + "4688" + ], + "id": "377979aa-f6e3-79ac-c29c-43d82f8e48a7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1552.001", + "detection.threat-hunting", + "T1552" + ], + "title": "Potential Password Reconnaissance Via Findstr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"schtasks.exe\" from a parent that is located in a potentially suspicious location.\nMultiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.\n", + "event_ids": [ + "4688" + ], + "id": "f0e5d329-4070-a553-6ff1-1842415b9bc8", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1053.005", + "detection.threat-hunting", + "T1053" + ], + "title": "Scheduled Task Creation From Potential Suspicious Parent Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks.\nUse this rule to hunt for potentially suspicious activity stemming from uncommon folders.\n", + "event_ids": [ + "4688" + ], + "id": "d8d3e301-168c-b875-ade4-7962ec221634", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "detection.threat-hunting" + ], + "title": "Potential Suspicious Execution From GUID Like Folder Names" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"Extexport.exe\".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. 
It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.\nIt can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names \"mozcrt19.dll\", \"mozsqlite3.dll\", or \"sqlite.dll\".\nArbitrary DLLs can also be loaded if a specific number of flags was provided.\n", + "event_ids": [ + "4688" + ], + "id": "27784707-1245-1352-019e-2ece1694aa9e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "detection.threat-hunting" + ], + "title": "Potential DLL Sideloading Activity Via ExtExport.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of processes with image paths starting with WebDAV shares (\\\\), which might indicate malicious file execution from remote web shares.\nExecution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application.\nExploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.\n", + "event_ids": [ + "4688" + ], + "id": "b84be625-d670-8b06-9f7d-13ccfe3a5785", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0008", + "T1105", + "detection.threat-hunting" + ], + "title": "Process Execution From WebDAV Share" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. 
(See vba2clr project in the references)\n", + "event_ids": [ + "4688" + ], + "id": "7b704219-d3dd-93d1-6237-a4541abf28ed", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "detection.threat-hunting" + ], + "title": "Suspicious New Instance Of An Office COM Object" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of well known tools that can be abused for data exfiltration and tunneling.", + "event_ids": [ + "4688" + ], + "id": "613ea969-381a-6723-e44f-9202a3e64638", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "TA0011", + "T1041", + "T1572", + "T1071.001", + "detection.threat-hunting", + "T1071" + ], + "title": "Tunneling Tool Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects any child process spawning from \"Diskshadow.exe\". This could be due to executing Diskshadow in interpreter mode or script mode and using the \"exec\" flag to launch other applications.", + "event_ids": [ + "4688" + ], + "id": "65955846-8a6d-8beb-af3d-ad2cdaf58f82", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "TA0002", + "detection.threat-hunting" + ], + "title": "Diskshadow Child Process Spawned" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"Diskshadow.exe\" in script mode using the \"/s\" flag. Attackers often abuse \"diskshadow\" to execute scripts that deleted the shadow copies on the systems. 
Investigate the content of the scripts and its location.\n", + "event_ids": [ + "4688" + ], + "id": "0d73093a-d5b0-8bc8-7a92-c4be8f638bf7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "TA0002", + "detection.threat-hunting" + ], + "title": "Diskshadow Script Mode Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.\n", + "event_ids": [ + "4688" + ], + "id": "a1facc19-608b-ffb7-9591-3063f27baa01", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "TA0002", + "T1059", + "detection.threat-hunting" + ], + "title": "Elevated System Shell Spawned" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.\nWindows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.\nWhen investigating, examine:\n- Commands using short paths to access sensitive directories or files\n- Web servers on Windows (especially Apache) where short filenames could bypass security controls\n- Correlation with other suspicious behaviors\n- baseline of short name usage in your environment and look for deviations\n", + "event_ids": [ + "4688" + ], + "id": "ee28ff63-eaf6-56ee-7406-da65896bc0e5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.004", + "detection.threat-hunting", + "T1564" + ], + "title": "Use Short Name Path in Command Line" + }, + { + "category": "process_creation", + 
"channel": [ + "sec" + ], + "description": "Detects the invocation of PowerShell commands with references to classes from the \"System.Security.Cryptography\" namespace.\nThe PowerShell namespace \"System.Security.Cryptography\" provides classes for on-the-fly encryption and decryption.\nThese can be used for example in decrypting malicious payload for defense evasion.\n", + "event_ids": [ + "4688" + ], + "id": "73e99dad-5a1b-32af-36f2-0339c13763b4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1059.001", + "T1027.010", + "detection.threat-hunting", + "T1059", + "T1027" + ], + "title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors\n", + "event_ids": [ + "4688" + ], + "id": "612adf3c-4f2f-852b-487d-3930de4337ed", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1505.003", + "detection.threat-hunting", + "T1505" + ], + "title": "Execution From Webserver Root Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the \"curl\" process with \"upload\" flags. 
Which might indicate potential data exfiltration", + "event_ids": [ + "4688" + ], + "id": "c86d9b72-174d-552f-255d-2e3818a6b891", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "T1567", + "T1105", + "detection.threat-hunting" + ], + "title": "Potential Data Exfiltration Via Curl.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects file download using curl.exe", + "event_ids": [ + "4688" + ], + "id": "8a760077-f6df-d8ae-baaa-b183b988ac04", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105", + "detection.threat-hunting" + ], + "title": "File Download Via Curl.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server", + "event_ids": [ + "4688" + ], + "id": "68f79cf9-60cf-aed6-ab55-707e40c4057d", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105", + "detection.threat-hunting" + ], + "title": "Curl.EXE Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,\nand GPU driver products/versions.\n", + "event_ids": [ + "4688" + ], + "id": "5e3a93fe-fb7d-ad20-c7e2-e8712a13aefb", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1082", + "detection.threat-hunting" + ], + "title": "System Information Discovery Via Wmic.EXE" + }, + { + "category": 
"process_creation", + "channel": [ + "sec" + ], + "description": "Detects unusually long PowerShell command lines with a length of 1000 characters or more", + "event_ids": [ + "4688" + ], + "id": "9d361072-2d35-e275-87b6-4915aa2beab8", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "detection.threat-hunting", + "T1059" + ], + "title": "Unusually Long PowerShell CommandLine" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects the creation of a scheduled task via Registry keys.", + "event_ids": [ + "4657" + ], + "id": "c6cda933-68be-134e-fe2e-71ee945f0f69", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "TA0004", + "attack.s0111", + "T1053.005", + "car.2013-08-001", + "detection.threat-hunting", + "T1053" + ], + "title": "Scheduled Task Created - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. 
Remove such folders via filters if you experience a lot of noise.\n", + "event_ids": [ + "4657" + ], + "id": "f9252ab9-0f85-c10d-fd51-576b83182926", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112", + "detection.threat-hunting" + ], + "title": "Service Binary in User Controlled Folder" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the registry keys related to \"Trusted Location\" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.", + "event_ids": [ + "4657" + ], + "id": "d4bfa0d5-6f83-cac0-c838-2d05d677611f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112", + "detection.threat-hunting" + ], + "title": "Microsoft Office Trusted Location Updated" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "event_ids": [ + "4657" + ], + "id": "c4b8f7e9-f874-4e2b-4320-dd805a1bbf21", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "detection.threat-hunting", + "TA0002" + ], + "title": "Command Executed Via Run Dialog Box - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to shell context menu commands. 
Use this rule to hunt for potential anomalies and suspicious shell commands.", + "event_ids": [ + "4657" + ], + "id": "1ce6a719-c7b0-11e7-2b9f-37facf10d1d4", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "detection.threat-hunting" + ], + "title": "Shell Context Menu Command Tampering" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the setting of a registry inside the \"\\Shell\\Open\\Command\" value with PowerShell classes from the \"System.Security.Cryptography\" namespace.\nThe PowerShell namespace \"System.Security.Cryptography\" provides classes for on-the-fly encryption and decryption.\nThese can be used for example in decrypting malicious payload for defense evasion.\n", + "event_ids": [ + "4657" + ], + "id": "aa71f12d-30c7-985b-9784-b26e948f0f5d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1059.001", + "T1027.010", + "T1547.001", + "detection.threat-hunting", + "T1059", + "T1027", + "T1547" + ], + "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace" }, { "category": "ps_classic_start", 
@@ -30156,27 +4806,69 @@ ], "title": "bXOR Operator Usage In PowerShell Command Line - PowerShell Classic" }, + { + "category": "ps_classic_start", + "channel": [ + "pwsh" + ], + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "event_ids": [ + "400" + ], + "id": "315f165d-92fd-170d-d80b-0f16f9cf5384", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "detection.threat-hunting", + "T1059" + ], + "title": "Uncommon PowerShell Hosts" + }, { "category": "ps_script", "channel": [ "pwsh", "pwsh" ], - "description": "Detects the execution of a PowerShell script with a call to the \"Send-MailMessage\" cmdlet along with the \"-Attachments\" flag. This could be a potential sign of data exfiltration via Email.\nAdversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n", + "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" cmdlet in order to compress folders and files.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n", "event_ids": [ "4104" ], - "id": "87face0d-1383-7cc4-2da9-2a5da8b81325", - "level": "medium", + "id": "c0483a49-1049-db52-97c5-ed73a6063b93", + "level": "low", "service": "", "subcategory_guids": [], "tags": [ "TA0010", - "T1048.003", - "detection.threat-hunting", - "T1048" + "T1560", + "detection.threat-hunting" ], - "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet" + "title": "Compress-Archive Cmdlet Execution" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "PowerShell Remove-Item with -Path to delete a file or a 
folder with \"-Recurse\"", + "event_ids": [ + "4104" + ], + "id": "6e77c76e-375f-3378-fb5b-0d55e078f8ad", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1070.004", + "detection.threat-hunting", + "T1070" + ], + "title": "Use Of Remove-Item to Delete File - ScriptBlock" }, { "category": "ps_script", @@ -30199,6 +4891,50 @@ ], "title": "SMB over QUIC Via PowerShell Script" }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects when a powershell script contains calls to the \"New-NetFirewallRule\" cmdlet in order to add a new firewall rule with an \"Allow\" action.\n", + "event_ids": [ + "4104" + ], + "id": "40fd8a4e-3820-0edf-530e-53785ee863e9", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.004", + "detection.threat-hunting", + "T1562" + ], + "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.", + "event_ids": [ + "4104" + ], + "id": "822b05a7-afa1-99c7-fc49-578330c9bf81", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1012", + "T1007", + "detection.threat-hunting" + ], + "title": "Potential Registry Reconnaissance Via PowerShell Script" + }, { "category": "ps_script", "channel": [ 
@@ -30245,6 +4981,28 @@ ], "title": "WinAPI Library Calls Via PowerShell Scripts" }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects the execution of a PowerShell script with a call to the \"Send-MailMessage\" cmdlet along with the \"-Attachments\" flag. This could be a potential sign of data exfiltration via Email.\nAdversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n", + "event_ids": [ + "4104" + ], + "id": "87face0d-1383-7cc4-2da9-2a5da8b81325", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0010", + "T1048.003", + "detection.threat-hunting", + "T1048" + ], + "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet" + }, { "category": "ps_script", "channel": [ 
@@ -30267,93 +5025,6 @@ ], "title": "Windows Mail App Mailbox Access Via PowerShell Script" }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.", - "event_ids": [ - "4104" - ], - "id": "822b05a7-afa1-99c7-fc49-578330c9bf81", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1012", - "T1007", - "detection.threat-hunting" - ], - "title": "Potential Registry Reconnaissance Via PowerShell Script" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" cmdlet in order to compress folders and files.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n", - "event_ids": [ - "4104" - ], - "id": "c0483a49-1049-db52-97c5-ed73a6063b93", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0010", - "T1560", - "detection.threat-hunting" - ], - "title": "Compress-Archive Cmdlet Execution" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "PowerShell Remove-Item with -Path to delete a file or a folder with \"-Recurse\"", - "event_ids": [ - "4104" - ], - "id": "6e77c76e-375f-3378-fb5b-0d55e078f8ad", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1070.004", - "detection.threat-hunting", - "T1070" - ], - "title": "Use Of Remove-Item to Delete File - ScriptBlock" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects when a powershell script contains calls to the \"New-NetFirewallRule\" cmdlet in 
order to add a new firewall rule with an \"Allow\" action.\n", - "event_ids": [ - "4104" - ], - "id": "40fd8a4e-3820-0edf-530e-53785ee863e9", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.004", - "detection.threat-hunting", - "T1562" - ], - "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock" - }, { "category": "ps_module", "channel": [ 
@@ -30377,1149 +5048,6 @@ ], "title": "Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet" }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects unusually long PowerShell command lines with a length of 1000 characters or more", - "event_ids": [ - "4688" - ], - "id": "9d361072-2d35-e275-87b6-4915aa2beab8", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "detection.threat-hunting", - "T1059" - ], - "title": "Unusually Long PowerShell CommandLine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"taskkill.exe\" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.\nAttackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.\n", - "event_ids": [ - "4688" - ], - "id": "2f97f9ce-7a7d-959a-856a-f32ca7058c3e", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1489", - "detection.threat-hunting" - ], - "title": "Process Terminated Via Taskkill" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. 
Use this rule to hunt for potential suspicious processes.\n", - "event_ids": [ - "4688" - ], - "id": "a1facc19-608b-ffb7-9591-3063f27baa01", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0005", - "TA0002", - "T1059", - "detection.threat-hunting" - ], - "title": "Elevated System Shell Spawned" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a file or folder's permissions being modified or tampered with.", - "event_ids": [ - "4688" - ], - "id": "2fbf12bc-cfa8-081e-6e1c-f7a08543c781", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1222.001", - "detection.threat-hunting", - "T1222" - ], - "title": "File or Folder Permissions Modifications" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server", - "event_ids": [ - "4688" - ], - "id": "68f79cf9-60cf-aed6-ab55-707e40c4057d", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105", - "detection.threat-hunting" - ], - "title": "Curl.EXE Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects remote binary or command execution via the ScreenConnect Service.\nUse this rule in order to hunt for potentially anomalous executions originating from ScreenConnect\n", - "event_ids": [ - "4688" - ], - "id": "fc780b12-2819-3958-745b-4cd4c6b66435", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.threat-hunting" - ], - "title": "Remote Access Tool - ScreenConnect Remote Command Execution - Hunting" - }, - 
{ - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects calls of DLLs exports by ordinal numbers via rundll32.dll.", - "event_ids": [ - "4688" - ], - "id": "20c51c2f-7e3d-8f18-01f5-ef39633f31f9", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "detection.threat-hunting", - "T1218" - ], - "title": "DLL Call by Ordinal Via Rundll32.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the invocation of PowerShell commands with references to classes from the \"System.Security.Cryptography\" namespace.\nThe PowerShell namespace \"System.Security.Cryptography\" provides classes for on-the-fly encryption and decryption.\nThese can be used for example in decrypting malicious payload for defense evasion.\n", - "event_ids": [ - "4688" - ], - "id": "73e99dad-5a1b-32af-36f2-0339c13763b4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1059.001", - "T1027.010", - "detection.threat-hunting", - "T1059", - "T1027" - ], - "title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the creation of a child \"explorer.exe\" process from a shell like process such as \"cmd.exe\" or \"powershell.exe\".\nAttackers can use \"explorer.exe\" for evading defense mechanisms by proxying the execution through the latter.\nWhile this is often a legitimate action, this rule can be use to hunt for anomalies.\nMuddy Waters threat actor was seeing using this technique.\n", - "event_ids": [ - "4688" - ], - "id": "4519a945-f840-1570-0add-773bb923bedc", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - 
"detection.threat-hunting" - ], - "title": "Potential Proxy Execution Via Explorer.EXE From Shell Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.\n", - "event_ids": [ - "4688" - ], - "id": "28780094-1850-b624-cda8-9bec4509c976", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1552", - "TA0006", - "detection.threat-hunting" - ], - "title": "EventLog Query Requests By Builtin Utilities" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks.\nUse this rule to hunt for potentially suspicious activity stemming from uncommon folders.\n", - "event_ids": [ - "4688" - ], - "id": "d8d3e301-168c-b875-ade4-7962ec221634", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "detection.threat-hunting" - ], - "title": "Potential Suspicious Execution From GUID Like Folder Names" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential CommandLine obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", - "event_ids": [ - "4688" - ], - "id": "1c28655b-a54c-2619-b61d-1b3307a9d6dd", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "detection.threat-hunting" - ], - "title": 
"Potential CommandLine Obfuscation Using Unicode Characters" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location.\nWhen Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'.\n", - "event_ids": [ - "4688" - ], - "id": "e75ce043-bf1d-9f0c-e8bf-f149e9bd5283", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "detection.threat-hunting" - ], - "title": "Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of the redirection character \">\" to redirect information on the command line.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", - "event_ids": [ - "4688" - ], - "id": "168763f9-a5fa-29af-e778-ed5054fe3044", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1082", - "detection.threat-hunting" - ], - "title": "CMD Shell Output Redirect" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"schtasks.exe\" from a parent that is located in a potentially suspicious location.\nMultiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.\n", - "event_ids": [ - "4688" - ], - "id": "f0e5d329-4070-a553-6ff1-1842415b9bc8", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1053.005", - "detection.threat-hunting", - "T1053" - ], - "title": "Scheduled Task 
Creation From Potential Suspicious Parent Location" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of the \"Import-Module\" cmdlet in order to add new Cmdlets to the current PowerShell session", - "event_ids": [ - "4688" - ], - "id": "f2b2d6f5-92ed-d0f5-25fe-38019bd55906", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.threat-hunting" - ], - "title": "Import New Module Via PowerShell CommandLine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the Ammy Admin RMM agent for remote management.", - "event_ids": [ - "4688" - ], - "id": "b7469b0d-0e65-e130-f73c-9b9ccd3b363b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003", - "detection.threat-hunting" - ], - "title": "Remote Access Tool - Ammy Admin Agent Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.\n", - "event_ids": [ - "4688" - ], - "id": "592e613b-8b20-792b-c8be-b55cf0bbe6a4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1127", - "T1218", - "detection.threat-hunting" - ], - "title": "Microsoft Workflow Compiler Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a CodePage modification using the \"mode.com\" utility.\nThis behavior has been used by threat actors behind Dharma ransomware.\n", - "event_ids": [ - "4688" - ], - "id": "b25c6710-2d0f-f815-6c97-ba13c1680f88", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - 
"TA0005", - "T1036", - "detection.threat-hunting" - ], - "title": "CodePage Modification Via MODE.COM" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of the \"SET\" internal command of Cmd.EXE with the /p flag followed directly by an \"=\" sign.\nAttackers used this technique along with an append redirection operator \">>\" in order to update the content of a file indirectly.\nEx: cmd /c >> example.txt set /p=\"test data\". This will append \"test data\" to contents of \"example.txt\".\nThe typical use case of the \"set /p=\" command is to prompt the user for input.\n", - "event_ids": [ - "4688" - ], - "id": "b3580f6e-3488-e1e8-ec74-68176667ab9e", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "detection.threat-hunting" - ], - "title": "Potential File Override/Append Via SET Command" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. 
(See vba2clr project in the references)\n", - "event_ids": [ - "4688" - ], - "id": "7b704219-d3dd-93d1-6237-a4541abf28ed", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "detection.threat-hunting" - ], - "title": "Suspicious New Instance Of An Office COM Object" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.", - "event_ids": [ - "4688" - ], - "id": "1907e117-0636-2197-9e4a-c6f58a1f30e7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1570", - "detection.threat-hunting" - ], - "title": "SMB over QUIC Via Net.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument that is no longer supported.\n", - "event_ids": [ - "4688" - ], - "id": "8a9c93e5-e67a-2190-d912-b0f9a3711b17", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.threat-hunting" - ], - "title": "Cab File Extraction Via Wusa.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of well known tools that can be abused for data exfiltration and tunneling.", - "event_ids": [ - "4688" - ], - "id": "613ea969-381a-6723-e44f-9202a3e64638", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010", - "TA0011", - "T1041", - "T1572", - "T1071.001", - "detection.threat-hunting", - "T1071" - ], - "title": "Tunneling Tool Execution" - }, - { - "category": "process_creation", - 
"channel": [ - "sec" - ], - "description": "Detects the execution of the \"curl\" process with \"upload\" flags. Which might indicate potential data exfiltration", - "event_ids": [ - "4688" - ], - "id": "c86d9b72-174d-552f-255d-2e3818a6b891", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010", - "T1567", - "T1105", - "detection.threat-hunting" - ], - "title": "Potential Data Exfiltration Via Curl.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the \"iexpress.exe\" utility creating self-extracting packages.\nAttackers where seen leveraging \"iexpress\" to compile packages on the fly via \".sed\" files.\nInvestigate the command line options provided to \"iexpress\" and in case of a \".sed\" file, check the contents and legitimacy of it.\n", - "event_ids": [ - "4688" - ], - "id": "bc8a6370-9950-1a63-7ece-7feed9d18e57", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "detection.threat-hunting" - ], - "title": "New Self Extracting Package Created Via IExpress.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects command line usage of \"findstr\" to search for the \"passwords\" keyword in a variety of different languages", - "event_ids": [ - "4688" - ], - "id": "377979aa-f6e3-79ac-c29c-43d82f8e48a7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1552.001", - "detection.threat-hunting", - "T1552" - ], - "title": "Potential Password Reconnaissance Via Findstr.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands.\n", 
- "event_ids": [ - "4688" - ], - "id": "8a0a2c60-bc08-2e90-8f92-1da8d1f8499b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1218", - "T1202", - "detection.threat-hunting" - ], - "title": "Arbitrary Command Execution Using WSL" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"attrib\" with the \"+s\" flag to mark files as system files", - "event_ids": [ - "4688" - ], - "id": "78135073-a4b1-9708-8e2f-dced9caf0c32", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.001", - "detection.threat-hunting", - "T1564" - ], - "title": "Set Files as System Files Using Attrib.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects any child process spawning from \"Diskshadow.exe\". This could be due to executing Diskshadow in interpreter mode or script mode and using the \"exec\" flag to launch other applications.", - "event_ids": [ - "4688" - ], - "id": "65955846-8a6d-8beb-af3d-ad2cdaf58f82", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "TA0002", - "detection.threat-hunting" - ], - "title": "Diskshadow Child Process Spawned" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"Net.EXE\".", - "event_ids": [ - "4688" - ], - "id": "e0f16539-f1cb-5cb9-0004-f3a040346952", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1007", - "T1049", - "T1018", - "T1135", - "T1201", - "T1069.001", - "T1069.002", - "T1087.001", - "T1087.002", - "TA0008", - "T1021.002", - "attack.s0039", - "detection.threat-hunting", - "T1069", - "T1087", - "T1021" - ], - 
"title": "Net.EXE Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects file download using curl.exe", - "event_ids": [ - "4688" - ], - "id": "8a760077-f6df-d8ae-baaa-b183b988ac04", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105", - "detection.threat-hunting" - ], - "title": "File Download Via Curl.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.", - "event_ids": [ - "4688" - ], - "id": "9938bbf1-ddc1-5cb0-3fc5-5f55abdba2c0", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1560.001", - "detection.threat-hunting", - "T1560" - ], - "title": "Password Protected Compressed File Extraction Via 7Zip" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"Diskshadow.exe\" in script mode using the \"/s\" flag. Attackers often abuse \"diskshadow\" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.\n", - "event_ids": [ - "4688" - ], - "id": "0d73093a-d5b0-8bc8-7a92-c4be8f638bf7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "TA0002", - "detection.threat-hunting" - ], - "title": "Diskshadow Script Mode Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a program executing from a web server root folder. 
Use this rule to hunt for potential interesting activity such as webshell or backdoors\n", - "event_ids": [ - "4688" - ], - "id": "612adf3c-4f2f-852b-487d-3930de4337ed", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1505.003", - "detection.threat-hunting", - "T1505" - ], - "title": "Execution From Webserver Root Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of Action1 in order to execute arbitrary code or establish a remote session.\n\nAction1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.\nThrough the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.\n\nHunting Opportunity 1- Weed Out The Noise\n\nWhen threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. 
Below is an example of the command line that contains the deployment of a binary through a policy with name \"test_app_1\":\n\nParentCommandLine: \"C:\\WINDOWS\\Action1\\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0\"\n\nAfter establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences.\n\nHunting Opportunity 2 - Remote Sessions On Out Of Office Hours\n\nIf you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.\n", - "event_ids": [ - "4688" - ], - "id": "441ef2d8-5da0-7432-b390-b778f9f5c77b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1219.002", - "detection.threat-hunting", - "T1219" - ], - "title": "Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.\nWindows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.\nWhen investigating, examine:\n- Commands using short paths to access sensitive directories or files\n- Web servers on Windows (especially Apache) where short filenames could bypass security controls\n- Correlation with other suspicious behaviors\n- baseline of short name usage in your environment and look for deviations\n", - "event_ids": [ - "4688" - ], - "id": "ee28ff63-eaf6-56ee-7406-da65896bc0e5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.004", - "detection.threat-hunting", - "T1564" 
- ], - "title": "Use Short Name Path in Command Line" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript", - "event_ids": [ - "4688" - ], - "id": "5742c4d7-6bb8-d4c7-1abf-eedde7c178df", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.005", - "T1059.007", - "detection.threat-hunting", - "T1059" - ], - "title": "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.", - "event_ids": [ - "4688" - ], - "id": "d11c691d-7387-9895-7369-83c0abfbfba7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027.004", - "detection.threat-hunting", - "T1027" - ], - "title": "Dynamic .NET Compilation Via Csc.EXE - Hunting" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of processes with image paths starting with WebDAV shares (\\\\), which might indicate malicious file execution from remote web shares.\nExecution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application.\nExploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.\n", - "event_ids": [ - "4688" - ], - "id": "b84be625-d670-8b06-9f7d-13ccfe3a5785", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0008", - "T1105", - "detection.threat-hunting" - ], - "title": "Process Execution From WebDAV Share" - }, - { 
- "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of curl.exe with custom useragent options", - "event_ids": [ - "4688" - ], - "id": "e0489e47-4c09-f300-bf19-14475e09c953", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1071.001", - "detection.threat-hunting", - "T1071" - ], - "title": "Curl.EXE Execution With Custom UserAgent" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"sc.exe\" to query information about registered services on the system", - "event_ids": [ - "4688" - ], - "id": "1a3d7d59-1928-edd5-afaa-ffb4018bf777", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1007", - "detection.threat-hunting" - ], - "title": "SC.EXE Query Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may attempt to get information about running processes on a system. 
Information obtained could be used to gain an understanding of common software/applications running on systems within the network", - "event_ids": [ - "4688" - ], - "id": "a8683f51-05f0-cb77-d513-48b731911be3", - "level": "informational", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1057", - "detection.threat-hunting" - ], - "title": "Suspicious Tasklist Discovery Command" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious child processes spawned by PowerShell.\nUse this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.\n", - "event_ids": [ - "4688" - ], - "id": "56ff2d1a-cadd-2622-f049-458f96d44a39", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "detection.threat-hunting", - "T1059" - ], - "title": "Potentially Suspicious PowerShell Child Processes" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries.\n\nFrom the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios.\n 1. Compressed file opened using 7zip.\n 2. Compressed file opened using WinRar.\n 3. Compressed file opened using native windows File Explorer capabilities.\n\nWhen the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. 
It will then be executed using the relevant script interpreter.\"\n", - "event_ids": [ - "4688" - ], - "id": "e86bcb59-4f56-b91f-1c5f-100512b9d367", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059", - "detection.threat-hunting" - ], - "title": "Manual Execution of Script Inside of a Compressed File" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects calls to the \"New-NetFirewallRule\" cmdlet from PowerShell in order to add a new firewall rule with an \"Allow\" action.\n", - "event_ids": [ - "4688" - ], - "id": "9a19f541-5164-a71e-b29a-91d7d34d09e6", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1562.004", - "detection.threat-hunting", - "T1562" - ], - "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects child processes of \"dfsvc\" which indicates a ClickOnce deployment execution.", - "event_ids": [ - "4688" - ], - "id": "7482a6b9-2304-1d3c-7835-d804bcf7672f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "detection.threat-hunting" - ], - "title": "ClickOnce Deployment Execution - Dfsvc.EXE Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of \"Extexport.exe\".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.\nIt can be abused as a tool to side load any DLL. 
If a folder is provided in the command line it'll load any DLL with one of the following names \"mozcrt19.dll\", \"mozsqlite3.dll\", or \"sqlite.dll\".\nArbitrary DLLs can also be loaded if a specific number of flags was provided.\n", - "event_ids": [ - "4688" - ], - "id": "27784707-1245-1352-019e-2ece1694aa9e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "detection.threat-hunting" - ], - "title": "Potential DLL Sideloading Activity Via ExtExport.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.\n", - "event_ids": [ - "4688" - ], - "id": "eccdceeb-5139-9a2f-8bfd-9235f5a36687", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "detection.threat-hunting" - ], - "title": "Rundll32.EXE Calling DllRegisterServer Export Function Explicitly" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,\nand GPU driver products/versions.\n", - "event_ids": [ - "4688" - ], - "id": "5e3a93fe-fb7d-ad20-c7e2-e8712a13aefb", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1082", - "detection.threat-hunting" - ], - "title": "System Information Discovery Via Wmic.EXE" - }, { "category": "", "channel": [ 
@@ -31547,45 +5075,25 @@ "channel": [ "sec" ], - "description": "Detects network connections from \"dfsvc.exe\" used to handled ClickOnce applications to non-local IPs", + "description": "Detects Dllhost.EXE initiating a network connection to a non-local IP address.\nAside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.\nAn initial baseline is recommended before deployment.\n", "event_ids": [ "5156" ], - "id": "713fd43d-88e4-6801-2eac-756d06792d4f", + "id": "1062d249-f014-9faf-044e-2b75d6f9763f", "level": "medium", "service": "", "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", + "T1218", "TA0002", - "T1203", - "detection.threat-hunting" - ], - "title": "Dfsvc.EXE Network Connection To Non-Local IPs" - }, - { - "category": "network_connection", - "channel": [ - "sec" - ], - "description": "Detects a network connection that was initiated from a PowerShell process.\nOften times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.\nUse this rule as a basis for hunting for anomalies.\n", - "event_ids": [ - "5156" - ], - "id": "9e00ae65-e5aa-2c89-c7a1-7b6ee0e194f5", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", + "T1559.001", "detection.threat-hunting", - "T1059" + "T1559" ], - "title": "Network Connection Initiated By PowerShell Process" + "title": "Dllhost.EXE Initiated Network Connection To Non-Local IP Address" }, { "category": "network_connection", 
@@ -31632,6 +5140,29 @@ ], "title": "Msiexec.EXE Initiated Network Connection Over HTTP" }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects a network connection initiated by the \"hh.exe\" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.\n", + "event_ids": [ + "5156" + ], + "id": "13790f2d-97b2-d1a0-6624-1061d7ccbb8c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.001", + "detection.threat-hunting", + "T1218" + ], + "title": "HH.EXE Initiated HTTP Network Connection" + }, { "category": "network_connection", "channel": [ 
@@ -31659,226 +5190,700 @@ "channel": [ "sec" ], - "description": "Detects Dllhost.EXE initiating a network connection to a non-local IP address.\nAside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.\nAn initial baseline is recommended before deployment.\n", + "description": "Detects network connections from \"dfsvc.exe\" used to handled ClickOnce applications to non-local IPs", "event_ids": [ "5156" ], - "id": "1062d249-f014-9faf-044e-2b75d6f9763f", + "id": "713fd43d-88e4-6801-2eac-756d06792d4f", "level": "medium", "service": "", "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1218", "TA0002", - "T1559.001", - "detection.threat-hunting", - "T1559" + "T1203", + "detection.threat-hunting" ], - "title": "Dllhost.EXE Initiated Network Connection To Non-Local IP Address" + "title": "Dfsvc.EXE Network Connection To Non-Local IPs" }, { "category": "network_connection", "channel": [ "sec" ], - "description": "Detects a network connection initiated by the \"hh.exe\" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.\n", + "description": "Detects a network connection that was initiated from a PowerShell process.\nOften times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.\nUse this rule as a basis for hunting for anomalies.\n", "event_ids": [ "5156" ], - "id": "13790f2d-97b2-d1a0-6624-1061d7ccbb8c", - "level": "medium", + "id": "9e00ae65-e5aa-2c89-c7a1-7b6ee0e194f5", + "level": "low", "service": "", "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], - "tags": [ - "TA0005", - "T1218.001", - "detection.threat-hunting", - "T1218" - ], - "title": "HH.EXE Initiated HTTP Network Connection" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects the creation 
of a scheduled task via Registry keys.", - "event_ids": [ - "4657" - ], - "id": "c6cda933-68be-134e-fe2e-71ee945f0f69", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], "tags": [ "TA0002", - "TA0003", - "TA0004", - "attack.s0111", - "T1053.005", - "car.2013-08-001", + "T1059.001", "detection.threat-hunting", - "T1053" + "T1059" ], - "title": "Scheduled Task Created - Registry" + "title": "Network Connection Initiated By PowerShell Process" }, { - "category": "registry_set", + "category": "", "channel": [ - "sec" + "Microsoft-Windows-CodeIntegrity/Operational" ], - "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "description": "Detects attempted file load events that did not meet the signing level requirements. 
It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.\nThis event is best correlated with EID 3089 to determine the error of the validation.\n", "event_ids": [ - "4657" + "3033", + "3034" ], - "id": "c4b8f7e9-f874-4e2b-4320-dd805a1bbf21", + "id": "f45ca591-7575-818e-9a07-7493461a33c3", "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], + "service": "codeintegrity-operational", + "subcategory_guids": [], "tags": [ - "detection.threat-hunting", "TA0002" ], - "title": "Command Executed Via Run Dialog Box - Registry" + "title": "CodeIntegrity - Unmet Signing Level Requirements By File Under Validation" }, { - "category": "registry_set", + "category": "", "channel": [ - "sec" + "Microsoft-Windows-CodeIntegrity/Operational" ], - "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. 
Remove such folders via filters if you experience a lot of noise.\n", + "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.", "event_ids": [ - "4657" - ], - "id": "f9252ab9-0f85-c10d-fd51-576b83182926", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" + "3077" ], + "id": "a4736e84-f507-2e6b-bc7a-573328447cbf", + "level": "high", + "service": "codeintegrity-operational", + "subcategory_guids": [], "tags": [ - "TA0005", - "T1112", - "detection.threat-hunting" + "TA0004", + "T1543" ], - "title": "Service Binary in User Controlled Folder" + "title": "CodeIntegrity - Blocked Image/Driver Load For Policy Violation" }, { - "category": "registry_set", + "category": "", "channel": [ - "sec" + "Microsoft-Windows-CodeIntegrity/Operational" ], - "description": "Detects changes to the registry keys related to \"Trusted Location\" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.", + "description": "Detects loaded unsigned image on the system", "event_ids": [ - "4657" - ], - "id": "d4bfa0d5-6f83-cac0-c838-2d05d677611f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" + "3037" ], + "id": "d6ea0e4a-9918-a082-1c5d-bd5d2a4f0b76", + "level": "high", + "service": "codeintegrity-operational", + "subcategory_guids": [], "tags": [ - "TA0005", - "T1112", - "detection.threat-hunting" + "TA0004" ], - "title": "Microsoft Office Trusted Location Updated" + "title": "CodeIntegrity - Unsigned Image Loaded" }, { - "category": "registry_set", + "category": "", "channel": [ - "sec" + "Microsoft-Windows-CodeIntegrity/Operational" ], - "description": "Detects the setting of a registry inside the \"\\Shell\\Open\\Command\" value with PowerShell classes from the \"System.Security.Cryptography\" namespace.\nThe PowerShell namespace 
\"System.Security.Cryptography\" provides classes for on-the-fly encryption and decryption.\nThese can be used for example in decrypting malicious payload for defense evasion.\n", + "description": "Detects the load of a revoked kernel driver", "event_ids": [ - "4657" - ], - "id": "aa71f12d-30c7-985b-9784-b26e948f0f5d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" + "3021", + "3022" ], + "id": "4764bb53-3383-ae11-5351-b67f0001d2a5", + "level": "high", + "service": "codeintegrity-operational", + "subcategory_guids": [], "tags": [ - "TA0005", - "T1059.001", - "T1027.010", - "T1547.001", - "detection.threat-hunting", - "T1547", - "T1059", - "T1027" + "TA0004" ], - "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace" + "title": "CodeIntegrity - Revoked Kernel Driver Loaded" }, { - "category": "registry_set", + "category": "", "channel": [ - "sec" + "Microsoft-Windows-CodeIntegrity/Operational" ], - "description": "Detects changes to shell context menu commands. 
Use this rule to hunt for potential anomalies and suspicious shell commands.", + "description": "Detects blocked image load events with revoked certificates by code integrity.", "event_ids": [ - "4657" + "3036" ], - "id": "1ce6a719-c7b0-11e7-2b9f-37facf10d1d4", + "id": "6f9f7b5c-f44b-fe0a-bcb2-ff4a09bd4ccf", + "level": "high", + "service": "codeintegrity-operational", + "subcategory_guids": [], + "tags": [ + "TA0004" + ], + "title": "CodeIntegrity - Blocked Image Load With Revoked Certificate" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], + "description": "Detects loaded kernel modules that did not meet the WHQL signing requirements.", + "event_ids": [ + "3082", + "3083" + ], + "id": "b1f60092-6ced-8775-b5dd-ac15a042e292", + "level": "high", + "service": "codeintegrity-operational", + "subcategory_guids": [], + "tags": [ + "TA0004" + ], + "title": "CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], + "description": "Detects the presence of a loaded unsigned kernel module on the system.", + "event_ids": [ + "3001" + ], + "id": "23f17a2b-73ca-e465-e823-bb1d47543f6d", + "level": "high", + "service": "codeintegrity-operational", + "subcategory_guids": [], + "tags": [ + "TA0004" + ], + "title": "CodeIntegrity - Unsigned Kernel Module Loaded" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], + "description": "Detects block events for files that are disallowed by code integrity for protected processes", + "event_ids": [ + "3104" + ], + "id": "c2644e00-b2a8-1e98-7dfc-bbef3a929767", + "level": "high", + "service": "codeintegrity-operational", + "subcategory_guids": [], + "tags": [ + "TA0004" + ], + "title": "CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], 
+ "description": "Detects blocked load attempts of revoked drivers", + "event_ids": [ + "3023" + ], + "id": "3838c754-9c4c-f500-6c7d-4c73b29717a9", + "level": "high", + "service": "codeintegrity-operational", + "subcategory_guids": [], + "tags": [ + "TA0004", + "T1543" + ], + "title": "CodeIntegrity - Blocked Driver Load With Revoked Certificate" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-CodeIntegrity/Operational" + ], + "description": "Detects image load events with revoked certificates by code integrity.", + "event_ids": [ + "3032", + "3035" + ], + "id": "4d4c3fb7-504c-7089-2bb3-26781191b7eb", + "level": "high", + "service": "codeintegrity-operational", + "subcategory_guids": [], + "tags": [ + "TA0004" + ], + "title": "CodeIntegrity - Revoked Image Loaded" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-DriverFrameworks-UserMode/Operational" + ], + "description": "Detects plugged/unplugged USB devices", + "event_ids": [ + "2003", + "2100", + "2102" + ], + "id": "12717514-9380-dabc-12b9-113f524ec3ac", "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], + "service": "driver-framework", + "subcategory_guids": [], "tags": [ - "TA0003", - "detection.threat-hunting" + "TA0001", + "T1200" ], - "title": "Shell Context Menu Command Tampering" + "title": "USB Device Plugged" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-DNS Client Events/Operational" + ], + "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "event_ids": [ + "3008" + ], + "id": "e1b0fd63-1017-1597-ec08-3f9e1021e564", + "level": "high", + "service": "dns-client", + "subcategory_guids": [], + "tags": [ + "TA0011", + "T1090.003", + "T1090" + ], + "title": "Query Tor Onion Address - DNS Client" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-DNS Client Events/Operational" + ], + "description": "Detects DNS queries for subdomains related to 
\"Put.io\" sharing website.", + "event_ids": [ + "3008" + ], + "id": "9b3ffe56-a479-9b35-d590-9b94c2f7fa35", + "level": "medium", + "service": "dns-client", + "subcategory_guids": [], + "tags": [ + "TA0011" + ], + "title": "DNS Query To Put.io - DNS Client" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-DNS Client Events/Operational" + ], + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "event_ids": [ + "3008" + ], + "id": "f0b3a5e9-e4ee-ed23-3b27-4dd30c5974c8", + "level": "critical", + "service": "dns-client", + "subcategory_guids": [], + "tags": [ + "TA0011", + "T1071.004", + "T1071" + ], + "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-DNS Client Events/Operational" + ], + "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", + "event_ids": [ + "3008" + ], + "id": "2abf05fa-98f2-d00b-6a6a-12d07e55233e", + "level": "high", + "service": "dns-client", + "subcategory_guids": [], + "tags": [ + "TA0010", + "T1567.002", + "T1567" + ], + "title": "DNS Query for Anonfiles.com Domain - DNS Client" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-DNS Client Events/Operational" + ], + "description": "Detects DNS queries for subdomains related to MEGA sharing website", + "event_ids": [ + "3008" + ], + "id": "14b17417-8ae7-ff8e-fe36-28aaa337ccd5", + "level": "medium", + "service": "dns-client", + "subcategory_guids": [], + "tags": [ + "TA0010", + "T1567.002", + "T1567" + ], + "title": "DNS Query To MEGA Hosting Website - DNS Client" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-DNS Client Events/Operational" + ], + "description": "Detects DNS queries to \"ufile.io\", which was seen abused by malware and threat actors as a method for data exfiltration", + "event_ids": [ + "3008" + ], + "id": 
"ec3b018a-d4dd-2d51-4a63-50d078f737dd", + "level": "low", + "service": "dns-client", + "subcategory_guids": [], + "tags": [ + "TA0010", + "T1567.002", + "T1567" + ], + "title": "DNS Query To Ufile.io - DNS Client" }, { "category": "", "channel": [ "sec" ], - "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME", + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", "event_ids": [ - "4699" + "5145" ], - "id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3", + "id": "f252afa3-fe83-562c-01c0-1334f55af84c", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047", + "TA0008", + "T1021.002", + "T1021" + ], + "title": "T1047 Wmiprvse Wbemcomn DLL Hijack" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. 
So you have to work with a whitelist to find the bad stuff.\n", + "event_ids": [ + "4673" + ], + "id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9228-69AE-11D9-BED3-505054503030", + "0CCE9229-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.\n", + "event_ids": [ + "4719" + ], + "id": "83d7b3c2-220e-60e8-4aad-98e206e841ba", "level": "low", "service": "security", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE922F-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0002", - "TA0004", - "car.2013-08-001", - "T1053.005", - "detection.threat-hunting", - "T1053" + "TA0005", + "T1562.002", + "T1562" ], - "title": "Scheduled Task Deletion" + "title": "Windows Event Auditing Disabled" }, { "category": "", "channel": [ "sec" ], - "description": "Detects file access requests to browser credential stores by uncommon processes. 
Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.\n", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", "event_ids": [ + "4697" + ], + "id": "9ab29a5b-d66d-a41e-bdaf-8c718011875c", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027" + ], + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", + "event_ids": [ + "4662" + ], + "id": "5c8e2537-5c7f-56d8-de80-1f0746b61067", + "level": "critical", + "service": "security", + "subcategory_guids": [ + "0CCE923B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.006", + "T1003" + ], + "title": "Active Directory Replication from Non Machine Account" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. 
Apply this Sigma Use Case on your Windows server logs and not on your DC logs.\n", + "event_ids": [ + "4720" + ], + "id": "5ecd226b-563f-4723-7a1e-d637d81f0a1f", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1136.001", + "T1136" + ], + "title": "Local User Creation" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects suspicious processes logging on with explicit credentials", + "event_ids": [ + "4648" + ], + "id": "250cf413-1d30-38fd-4b41-ae5a92452700", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1078", + "TA0008" + ], + "title": "Suspicious Remote Logon with Explicit Credentials" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects potential use of Rubeus via registered new trusted logon process", + "event_ids": [ + "4611" + ], + "id": "a5498e1f-e40d-d8b1-bceb-5931f5169dbd", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0004", + "TA0006", + "T1558.003", + "T1558" + ], + "title": "Register new Logon Process by Rubeus" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the use of the spoolss named pipe over SMB. 
This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", + "event_ids": [ + "5145" + ], + "id": "d415c82b-814d-5cdc-c2f2-a138115b878e", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1021" + ], + "title": "DCERPC SMB Spoolss Named Pipe" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects remote service activity via remote access to the svcctl named pipe", + "event_ids": [ + "5145" + ], + "id": "9a0e08fc-d50e-2539-9da0-f2b04439c414", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0003", + "T1021.002", + "T1021" + ], + "title": "Remote Service Activity via SVCCTL Named Pipe" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", + "event_ids": [ + "4656", "4663" ], - "id": "7619b716-8052-6323-d9c7-87923ef591e6", - "level": "low", + "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1012" + ], + "title": "Azure AD Health Service Agents Registry Keys Access" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects WRITE_DAC access to a domain object", + "event_ids": [ + "4662" + ], + "id": "09c08048-5eab-303f-dfe3-706a6052b6f9", + "level": "critical", + "service": "security", + "subcategory_guids": [ + "0CCE923B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1222.001", + "T1222" + ], + "title": "AD Object WriteDAC Access" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. 
This could be a sign of tampered binaries.\n", + "event_ids": [ + "5038", + "6281" + ], + "id": "4f738466-2a14-5842-1eb3-481614770a49", + "level": "informational", + "service": "security", + "subcategory_guids": [ + "0CCE9212-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027.001", + "T1027" + ], + "title": "Failed Code Integrity Checks" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects NetNTLM downgrade attack", + "event_ids": [ + "4657" + ], + "id": "68f0908b-8434-9199-f0a3-350c27ac97c4", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1112", + "T1562" + ], + "title": "NetNTLM Downgrade Attack" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "event_ids": [ + "4656", + "4663" + ], + "id": "de10da38-ee60-f6a4-7d70-4d308558158b", + "level": "critical", "service": "security", "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", 
@@ -31888,22 +5893,1783 @@ ], "tags": [ "TA0006", - "T1555.003", - "detection.threat-hunting", - "T1555" + "T1003", + "attack.s0005" ], - "title": "Access To Browser Credential Files By Uncommon Applications - Security" + "title": "WCE wceaux.dll Access" }, { "category": "", "channel": [ "sec" ], - "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.\nThis event is best correlated and used as an enrichment to determine the potential lateral movement activity.\n", + "description": "Detects locked workstation session events that occur automatically after a standard period of inactivity.", + "event_ids": [ + "4800" + ], + "id": "c4d03743-7286-15e4-d317-c86d1b5fdc09", + "level": "informational", + "service": "security", + "subcategory_guids": [ + "0CCE921C-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040" + ], + "title": "Locked Workstation" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", + "event_ids": [ + "4720" + ], + "id": "e5c627ea-fa27-df99-0573-e47092dc4a98", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1136.001", + "T1136.002", + "T1136" + ], + "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects well-known credential dumping tools execution via service execution events", + "event_ids": [ + "4697" + ], + "id": "633bd649-4b18-b5bd-d923-07caeccd1ee0", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "TA0002", + "T1003.001", + "T1003.002", + "T1003.004", + "T1003.005", + "T1003.006", + "T1569.002", + "attack.s0005", + "T1569", + "T1003" + ], + "title": "Credential Dumping Tools Service Execution - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", + "event_ids": [ + "4656", + "4663" + ], + "id": "06b8bcc0-326b-518a-3868-fe0721488fb8", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "LSASS Access From Non System Account" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "event_ids": [ + "4738", + "5136" + ], + "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030", + 
"0CCE923C-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1098", + "TA0003" + ], + "title": "Active Directory User Backdoors" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.\n", + "event_ids": [ + "5136" + ], + "id": "6e3066ef-54e1-9d1b-5bc6-9ae6947ae271", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE923C-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1484.001", + "T1484" + ], + "title": "Group Policy Abuse for Privilege Addition" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "event_ids": [ + "4697" + ], + "id": "8ec23dfa-00a7-2b09-1756-678e941d69b2", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Use Clip - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects service ticket requests using RC4 encryption type", + "event_ids": [ + "4769" + ], + "id": "2d20edf4-6141-35c5-e54f-3c578082d1d3", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9240-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1558.003", + "T1558" + ], + "title": "Suspicious Kerberos RC4 Ticket Encryption" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects modifications to the Windows Defender exclusion registry key. 
This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.\n", + "event_ids": [ + "4657" + ], + "id": "8948f034-2d45-47bc-c04b-14ab124247f3", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Windows Defender Exclusion List Modified" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.\n", + "event_ids": [ + "5156" + ], + "id": "1ee90f6c-2d09-5bcf-b8fd-06fe14f86746", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0006", + "T1558.003", + "T1558" + ], + "title": "Uncommon Outbound Kerberos Connection - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "event_ids": [ + "4697" + ], + "id": "df47c51b-2738-8866-a1d7-86b96fb5b5ca", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1543" + ], + "title": "Service Installed By Unusual Client - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.\n", + "event_ids": [ + "5441", + "5447" + ], + "id": "4d56e133-40b5-5b28-07b5-bab0913fc338", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9233-69AE-11D9-BED3-505054503030", + "0CCE9234-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562" + ], + 
"title": "HackTool - EDRSilencer Execution - Filter Added" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", + "event_ids": [ + "5145" + ], + "id": "93fd0f77-62da-26fb-3e96-71cde45a9680", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0003", + "car.2013-05-004", + "car.2015-04-001", + "T1053.002", + "T1053" + ], + "title": "Remote Task Creation via ATSVC Named Pipe" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "event_ids": [ + "5145" + ], + "id": "426009da-814c-c1c0-cf41-6631c9ff6a8e", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1021" + ], + "title": "Suspicious PsExec Execution" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects non-system users failing to get a handle of the SCM database.", + "event_ids": [ + "4656" + ], + "id": "474caaa9-3115-c838-1509-59ffb6caecfc", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1010" + ], + "title": "SCM Database Handle Failure" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "event_ids": [ + "4697" + ], + "id": "e2755f38-e817-94c0-afef-acff29676b43", + "level": "high", + "service": 
"security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1134.001", + "T1134.002", + "T1134" + ], + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", + "event_ids": [ + "4768" + ], + "id": "cd01c787-aad1-bbed-5842-aa8e58410aad", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9242-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1187" + ], + "title": "PetitPotam Suspicious Kerberos TGT Request" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "event_ids": [ + "4697" + ], + "id": "3dc2d411-4f0e-6564-d243-8351afd3d375", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Use MSHTA - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "event_ids": [ + "4663" + ], + "id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + 
"0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1528" + ], + "title": "Suspicious Teams Application Related ObjectAcess Event" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects certificate creation with template allowing risk permission subject", + "event_ids": [ + "4898", + "4899" + ], + "id": "3a655a7c-a830-77ad-fc8b-f054fb713304", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9221-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0006" + ], + "title": "ADCS Certificate Template Configuration Vulnerability" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", + "event_ids": [ + "4699", + "4701" + ], + "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0004", + "TA0003", + "T1053.005", + "T1053" + ], + "title": "Important Scheduled Task Deleted/Disabled" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects process handle on LSASS process with certain access mask", + "event_ids": [ + "4656", + "4663" + ], + "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "car.2019-04-004", + "T1003.001", + "T1003" + ], + "title": "Potentially Suspicious AccessMask Requested From LSASS" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": 
"Detects Obfuscated Powershell via VAR++ LAUNCHER", + "event_ids": [ + "4697" + ], + "id": "eb15263a-80e1-a789-18a9-ec45f9a6edfc", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", + "event_ids": [ + "5145" + ], + "id": "85e72fe3-83af-8ed9-39d3-2883e46059f1", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1021.003", + "T1021" + ], + "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects powershell script installed as a Service", + "event_ids": [ + "4697" + ], + "id": "8c3523c1-357b-5653-335a-9db3ecfcbc2a", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1569.002", + "T1569" + ], + "title": "PowerShell Scripts Installed as Services - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects possible addition of shadow credentials to an active directory object.", + "event_ids": [ + "5136" + ], + "id": "8bcf1772-4335-28e1-e320-5ce48b15ae9f", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE923C-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1556" + ], + "title": "Possible Shadow Credentials Added" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects process handle on LSASS process with certain access 
mask and object type SAM_DOMAIN", + "event_ids": [ + "4656" + ], + "id": "d81faa44-ff28-8f61-097b-92727b8af44b", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "Password Dumper Activity on LSASS" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "event_ids": [ + "4661" + ], + "id": "93c95eee-748a-e1db-18a5-f40035167086", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9220-69AE-11D9-BED3-505054503030", + "0CCE923B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1087.002", + "T1087" + ], + "title": "AD Privileged Users or Groups Reconnaissance" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", + "event_ids": [ + "5145" + ], + "id": "192d9d70-11ad-70e5-9d6c-d32a1ec74857", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.009", + "T1547" + ], + "title": "Windows Network Access Suspicious desktop.ini Action" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", + "event_ids": [ + "5156" + ], + "id": "810804a5-98c3-7e56-e8ed-8a95d72ad829", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0011", + "TA0008", + "T1090.001", + "T1090.002", + "T1021.001", + "car.2013-07-002", + "T1090", + "T1021" + ], + "title": "RDP over Reverse SSH Tunnel WFP" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "event_ids": [ + "4697" + ], + "id": "3d2e9eef-8851-f3ed-49e1-53e350e277cb", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0004", + "TA0008", + "T1021.002", + "T1543.003", + "T1569.002", + "T1543", + "T1569", + "T1021" + ], + "title": "CobaltStrike Service Installations - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", + "event_ids": [ + "4656", + "4663" + ], + "id": "321196fe-fb10-6b13-c611-3dfe40baa1af", + 
"level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1012" + ], + "title": "Azure AD Health Monitoring Agent Registry Keys Access" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "event_ids": [ + "4656", + "4663" + ], + "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1012" + ], + "title": "SysKey Registry Keys Access" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", + "event_ids": [ + "5136", + "5145" + ], + "id": "01628b51-85e1-4088-9432-a11cba9f3ebd", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE923C-69AE-11D9-BED3-505054503030", + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0008", + "T1053.005", + "T1053" + ], + "title": "Persistence and Execution at Scale via GPO Scheduled Task" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", + "event_ids": [ + "4616" + ], + "id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9210-69AE-11D9-BED3-505054503030", + "69979849-797A-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070.006", + "T1070" + ], + "title": "Unauthorized System Time Modification" + }, 
+ { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", + "event_ids": [ + "5379" + ], + "id": "77366099-d04a-214d-365c-c62c537df3ba", + "level": "high", + "service": "security", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0001", + "T1027", + "T1566.001", + "T1566" + ], + "title": "Password Protected ZIP File Opened (Email Attachment)" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects execution of Impacket's psexec.py.", + "event_ids": [ + "5145" + ], + "id": "24e370e0-b9f0-5851-0261-f984742ff2a1", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1021" + ], + "title": "Impacket PsExec Execution" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "event_ids": [ + "4697" + ], + "id": "d0c8e98d-0746-a43c-9170-c04e7f7a3867", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects update to a scheduled task event that contain suspicious keywords.", + "event_ids": [ + "4702" + ], + "id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0004", + "TA0003", + "T1053.005", + "T1053" + ], + "title": "Suspicious Scheduled Task Update" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated Powershell via Stdin in 
Scripts", + "event_ids": [ + "4697" + ], + "id": "b073cf4b-ed38-0a6f-38d3-50997892d7e7", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Stdin - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", + "event_ids": [ + "5447", + "5449" + ], + "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9233-69AE-11D9-BED3-505054503030", + "0CCE9234-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1134", + "T1134.001" + ], + "title": "HackTool - NoFilter Execution" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", + "event_ids": [ + "5156" + ], + "id": "cc1d9970-7c17-d738-f5cb-8fb12f02d0fd", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Remote PowerShell Sessions Network Connections (WinRM)" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "event_ids": [ + "4697" + ], + "id": "89d88072-7a24-8218-a044-0c071bf36bf6", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Use Rundll32 - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects suspicious WMI event filter and command line event 
consumer based on WMI and Security Logs.", + "event_ids": [ + "4662" + ], + "id": "ec2275df-3a0a-933f-0573-490938cc47ef", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE923B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1546.003", + "T1546" + ], + "title": "WMI Persistence - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects \"read access\" requests on the services registry key.\nAdversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.\n", + "event_ids": [ + "4663" + ], + "id": "d1909400-93d7-de3c-ba13-153c64499c7c", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003", + "TA0004", + "T1574.011", + "T1574" + ], + "title": "Service Registry Key Read Access Request" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects potential attempts made to set the Directory Services Restore Mode administrator password.\nThe Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.\nAttackers may change the password in order to obtain persistence.\n", + "event_ids": [ + "4794" + ], + "id": "4592ea29-1b0e-0cc3-7735-b7f264c0a5b8", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1098" + ], + "title": "Password Change on Directory Service Restore Mode (DSRM) Account" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": 
"Potential adversaries accessing the microphone and webcam in an endpoint.", + "event_ids": [ + "4656", + "4657", + "4663" + ], + "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1123" + ], + "title": "Processes Accessing the Microphone and Webcam" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", + "event_ids": [ + "5145" + ], + "id": "73d3720b-e4f3-d7e1-2a3f-8ca0a5e1fc1b", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.002", + "T1003.001", + "T1003.003", + "T1003" + ], + "title": "Transferring Files with Credential Data via Network Shares" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detect AD credential dumping using impacket secretdump HKTL", + "event_ids": [ + "5145" + ], + "id": "677980bc-7dcc-1f9a-e161-a7f310ec9652", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.002", + "T1003.004", + "T1003.003", + "T1003" + ], + "title": "Possible Impacket SecretDump Remote Activity" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the creation or removal of a computer. 
Can be used to detect attacks such as DCShadow via the creation of a new SPN.", + "event_ids": [ + "4741", + "4743" + ], + "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9236-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1207" + ], + "title": "Add or Remove Computer from DC" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", + "event_ids": [ + "5379" + ], + "id": "7e1daab0-3263-403e-ec26-de48e3bf22c3", + "level": "medium", + "service": "security", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027" + ], + "title": "Password Protected ZIP File Opened" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "event_ids": [ + "4720" + ], + "id": "23013005-3d59-4dbe-dabd-d17a54e6c6cf", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1136.001", + "T1136" + ], + "title": "Hidden Local User Creation" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "event_ids": [ + "4697" + ], + "id": "1b037a84-214e-b58a-53ae-949542063f1f", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1570", + "TA0002", + "T1569.002", + "T1021", + "T1569" + ], + "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects non-system users performing privileged operation os the SCM 
database", + "event_ids": [ + "4674" + ], + "id": "ec9c7ea2-54d7-3a55-caa8-4741f099505a", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9229-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1548" + ], + "title": "SCM Database Privileged Operation" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", + "event_ids": [ + "4825" + ], + "id": "c0c9db9a-0a47-c9fd-13fd-965eadb10a6f", + "level": "medium", + "service": "security", + "subcategory_guids": [], + "tags": [ + "TA0008", + "T1021.001", + "T1021" + ], + "title": "Denied Access To Remote Desktop" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "event_ids": [ + "4697" + ], + "id": "3ae69c7e-e865-c0e2-05b7-553ab8979ac0", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation STDIN+ Launcher - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "event_ids": [ + "4697" + ], + "id": "fbc9679a-a1f8-33c7-5a85-c6e7a3c2363f", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation VAR+ Launcher - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and 
Response (EDR) agents.\nAdversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.\n", + "event_ids": [ + "5157" + ], + "id": "764518e5-4160-b679-1946-cbd0e76705da", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562" + ], + "title": "Windows Filtering Platform Blocked Connection From EDR Agent Binary" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detect PetitPotam coerced authentication activity.", + "event_ids": [ + "5145" + ], + "id": "bcc12e55-1578-5174-2a47-98a6211a1c6c", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1187" + ], + "title": "Possible PetitPotam Coerce Authentication Attempt" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", + "event_ids": [ + "4662" + ], + "id": "c42c534d-16ae-877f-0722-6d6914090855", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE923B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.004", + "T1003" + ], + "title": "DPAPI Domain Backup Key Extraction" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects service installation of different remote access tools software. 
These software are often abused by threat actors to perform", + "event_ids": [ + "4697" + ], + "id": "85e291ec-b85b-2553-1aba-03c9ad116b61", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0002", + "T1543.003", + "T1569.002", + "T1543", + "T1569" + ], + "title": "Remote Access Tool Services Have Been Installed - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects read access to a domain user from a non-machine account", + "event_ids": [ + "4662" + ], + "id": "fe814c5a-505f-a313-7d8c-030187c24e8e", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE923B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1087.002", + "T1087" + ], + "title": "Potential AD User Enumeration From Non-Machine Account" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects Mimikatz DC sync security events", + "event_ids": [ + "4662" + ], + "id": "daad2203-665f-294c-6d2f-f9272c3214f2", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE923B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "attack.s0002", + "T1003.006", + "T1003" + ], + "title": "Mimikatz DC Sync" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", + "event_ids": [ + "5145" + ], + "id": "7695295d-281f-23ce-d52e-8336ebd47532", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1021" + ], + "title": "Protected Storage Service Access" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "event_ids": [ + "4704" + ], + "id": "eaafcd7e-3303-38d1-9cff-fcfbae177f4d", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9231-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1098" + ], + "title": "Enabled User Right in AD to Control User Objects" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Addition of domains is seldom and should be verified for legitimacy.", + "event_ids": [ + "4706" + ], + "id": "5a3e5a2f-bdf8-d6d0-f439-5543b54d5ba5", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9230-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1098" + ], + "title": "A New Trust Was Created To A Domain" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects access to ADMIN$ network share", + "event_ids": [ + "5140" + ], + "id": "37b219bc-37bb-1261-f179-64307c1a1829", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9224-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1021" + ], + "title": "Access To ADMIN$ Network Share" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects known sensitive file extensions accessed on a network share", + "event_ids": [ + "5145" + ], + "id": "4af39497-9655-9586-817d-94f0df38913f", + "level": "medium", + "service": "security", + 
"subcategory_guids": [
+ "0CCE9244-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0009",
+ "T1039"
+ ],
+ "title": "Suspicious Access to Sensitive File Extensions"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects when the password policy is enumerated.",
+ "event_ids": [
+ "4661"
+ ],
+ "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9220-69AE-11D9-BED3-505054503030",
+ "0CCE923B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007",
+ "T1201"
+ ],
+ "title": "Password Policy Enumerated"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "RDP login with localhost source address may be a tunnelled login",
 "event_ids": [
 "4624"
 ],
- "id": "910ec16d-6957-01b7-39a8-5e676e459cac",
+ "id": "b3f33f69-1331-d3d0-eb62-81f477abad86",
+ "level": "high",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0008",
+ "car.2013-07-002",
+ "T1021.001",
+ "T1021"
+ ],
+ "title": "RDP Login from Localhost"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects successful logon from public IP address via RDP. 
This can indicate a publicly-exposed RDP port.",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "56a1bb6f-e039-3f65-3ea0-de425cefa8a7",
+ "level": "medium",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0001",
+ "TA0006",
+ "T1133",
+ "T1078",
+ "T1110"
+ ],
+ "title": "External Remote RDP Logon from Public IP"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep",
+ "event_ids": [
+ "4625"
+ ],
+ "id": "232ecd79-c09d-1323-8e7e-14322b766855",
+ "level": "high",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030",
+ "0CCE9217-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0008",
+ "T1210",
+ "car.2013-07-002"
+ ],
+ "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects activity when a member is removed from a security-enabled global group",
+ "event_ids": [
+ "4729",
+ "633"
+ ],
+ "id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c",
+ "level": "low",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9237-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1098"
+ ],
+ "title": "A Member Was Removed From a Security-Enabled Global Group"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects successful logon attempts performed with WMI",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "c310cab1-252e-1d98-6b6f-e6e60c88a374",
+ "level": "low",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1047"
+ ],
+ "title": "Successful Account Login Via WMI"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects logon events that specify new credentials",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "897e25ba-f935-3fd3-c6d5-f9abf379e831",
+ 
"level": "low",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0008",
+ "T1550"
+ ],
+ "title": "Outgoing Logon with New Credentials"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "a1f9fad3-d563-5f3f-de09-e4ca03b97522",
+ "level": "high",
+ "service": "security",
+ "subcategory_guids": [
+ "0CCE9215-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0004",
+ "TA0006",
+ "T1557.001",
+ "T1557"
+ ],
+ "title": "RottenPotato Like Attack Pattern"
+ },
+ {
+ "category": "",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the attack technique pass the hash which is used to move laterally inside the network",
+ "event_ids": [
+ "4624"
+ ],
+ "id": "059e7255-411c-1666-a2e5-2e99e294e614",
 "level": "medium",
 "service": "security",
 "subcategory_guids": [
@@ -31911,13 +7677,1309 @@ ], "tags": [ "TA0008", - "TA0004", - "detection.threat-hunting", - "TA0003", - "T1546.003", - "T1546" + "T1550.002", + "T1550" ], - "title": "Potential Remote WMI ActiveScriptEventConsumers Activity" + "title": "Pass the Hash Activity 2" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.", + "event_ids": [ + "4624" + ], + "id": "5c67a566-7829-eb05-4a1f-0eb292ef993f", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "TA0006", + "T1133", + "T1078", + "T1110" + ], + "title": "External Remote SMB Logon from Public IP" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects activity when a security-enabled global group is deleted", + "event_ids": [ + "4730", + "634" + ], + "id": "ae7d8d1c-f75b-d952-e84e-a7981b861590", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9237-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1098" + ], + "title": "A Security-Enabled Global Group Was Deleted" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.\nThis may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.\n", + "event_ids": [ + "4624" + ], + "id": "96896e3a-28de-da11-c7fd-0040868e3a2f", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0006", + "T1548" + ], + "title": "Potential Privilege Escalation via Local Kerberos Relay over LDAP" + }, + { + 
"category": "", + "channel": [ + "sec" + ], + "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "event_ids": [ + "4624" + ], + "id": "dd648614-9dd8-fab8-92d6-be7dfa1b393c", + "level": "critical", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004" + ], + "title": "DiagTrackEoP Default Login Username" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects potential token impersonation and theft. Example, when using \"DuplicateToken(Ex)\" and \"ImpersonateLoggedOnUser\" with the \"LOGON32_LOGON_NEW_CREDENTIALS flag\".", + "event_ids": [ + "4624" + ], + "id": "e8c130a4-cf04-543d-919b-76947bde76b8", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1134.001", + "stp.4u", + "T1134" + ], + "title": "Potential Access Token Abuse" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects activity when a member is added to a security-enabled global group", + "event_ids": [ + "4728", + "632" + ], + "id": "26767093-828c-2f39-bdd8-d0439e87307c", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9237-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1098" + ], + "title": "A Member Was Added to a Security-Enabled Global Group" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detect remote login by Administrator user (depending on internal pattern).", + "event_ids": [ + "4624" + ], + "id": "de5d0dd7-b73e-7f18-02b0-6b1acb7e9f52", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0001", + "T1078.001", + "T1078.002", + "T1078.003", + "car.2016-04-005", + "T1078" + ], + "title": "Admin User Remote Logon" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": 
"Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + "event_ids": [ + "4624" + ], + "id": "20f4e87b-c272-42da-9a1f-ad54206e3622", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "attack.s0002", + "T1550.002", + "T1550" + ], + "title": "Successful Overpass the Hash Attempt" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.", + "event_ids": [ + "4625" + ], + "id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "TA0003", + "T1078", + "T1190", + "T1133" + ], + "title": "Failed Logon From Public IP" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.\n", + "event_ids": [ + "4656", + "4663" + ], + "id": "777523b0-14f8-1ca2-12c9-d668153661ff", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Windows Defender Exclusion Registry Key - Write Access Requested" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects failed Kerberos TGT issue operation. 
This can be a sign of manipulations of TGT messages by an attacker.", + "event_ids": [ + "4768", + "4769", + "4771", + "675" + ], + "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9240-69AE-11D9-BED3-505054503030", + "0CCE9242-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1212" + ], + "title": "Kerberos Manipulation" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.\n", + "event_ids": [ + "5136", + "5145" + ], + "id": "bc613d09-5a80-cad3-6f65-c5020f960511", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE923C-69AE-11D9-BED3-505054503030", + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1484.001", + "T1547", + "T1484" + ], + "title": "Startup/Logon Script Added to Group Policy Object" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects scenarios where system auditing for important events such as \"Process Creation\" or \"Logon\" events is disabled.", + "event_ids": [ + "4719" + ], + "id": "5fa54162-0bc4-710e-5dec-7ccc99ee4d52", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE922F-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.002", + "T1562" + ], + "title": "Important Windows Event Auditing Disabled" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", + "event_ids": [], + "id": "2875c85a-58eb-ca3b-80a3-4cdd8ffa41a8", + "level": "critical", + "service": "security", + "subcategory_guids": [], + "tags": [ + "cve.2021-42278", + "cve.2021-42287", + "TA0003", + "TA0004", + "T1078" + ], + "title": "Win Susp Computer Name Containing Samtheadmin" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "This 
events that are generated when using the hacktool Ruler by Sensepost", + "event_ids": [ + "4624", + "4625", + "4776" + ], + "id": "8b40829b-4556-9bec-a8ad-905688497639", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0002", + "TA0009", + "TA0008", + "T1087", + "T1114", + "T1059", + "T1550.002", + "T1550" + ], + "title": "Hacktool Ruler" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", + "event_ids": [ + "4697" + ], + "id": "566fa294-85f7-af27-80c7-753d9941729b", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0006", + "T1040" + ], + "title": "Windows Pcap Drivers" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations", + "event_ids": [ + "4634", + "4647" + ], + "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b", + "level": "informational", + "service": "security", + "subcategory_guids": [ + "0CCE9216-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1531" + ], + "title": "User Logoff Event" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", + "event_ids": [ + "5379" + ], + "id": "586bcb8e-f698-f372-54cf-ff08727352e7", + "level": "high", + "service": "security", + "subcategory_guids": [], + "tags": [ + "TA0011", + "TA0005", + "T1027", + "T1105", + "T1036" + ], + "title": "Password Protected ZIP File Opened (Suspicious Filenames)" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity", + "event_ids": [ + "4732" + ], + "id": "6695d6a2-9365-ee87-ccdd-966b0e1cdbd4", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9237-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1078", + "TA0003", + "T1098" + ], + "title": "User Added to Local Administrator Group" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "An attacker can use the SID history attribute to gain additional privileges.", + "event_ids": [ + "4738", + "4765", + "4766" + ], + "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1134.005", + "T1134" + ], + "title": "Addition of SID History to Active Directory Object" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "event_ids": [ + "4697" + ], + "id": "826feb8b-536b-0302-0b4e-bd34cc5c4923", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "This detection excludes known namped pipes accessible remotely and 
notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "event_ids": [ + "5145" + ], + "id": "308a3356-4624-7c95-24df-cf5a02e5eb56", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1021" + ], + "title": "First Time Seen Remote Named Pipe" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.\n", + "event_ids": [ + "4697" + ], + "id": "15284efb-90de-5675-59c5-433d34675e8e", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "T1048" + ], + "title": "Tap Driver Installation - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "event_ids": [ + "4657", + "4663" + ], + "id": "249d836c-8857-1b98-5d7b-050c2d34e275", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Sysmon Channel Reference Deletion" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", + "event_ids": [ + "5136" + ], + "id": "e92d7fea-4127-4b6c-a889-3f0b89f7b567", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE923C-69AE-11D9-BED3-505054503030" + ], + "tags": [ 
+ "TA0003", + "T1098" + ], + "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", + "event_ids": [ + "4738" + ], + "id": "2ea71437-cb4d-5a41-2431-1773fce76de8", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Weak Encryption Enabled and Kerberoast" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "This rule will collect the data needed to start looking into possible kerberoasting activity.\nFurther analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.\nYou can then set a threshold for the number of requests and time between the requests to turn this into an alert.\n", + "event_ids": [ + "4769" + ], + "id": "4386b4e0-f268-42a6-b91d-e3bb768976d6", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9240-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1558.003", + "T1558" + ], + "title": "Kerberoasting Activity - Initial Query" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Alerts on Metasploit host's authentications on the domain.", + "event_ids": [ + "4624", + "4625", + "4776" + ], + "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1021" + ], + "title": "Metasploit SMB Authentication" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the mount of an ISO image on an endpoint", 
+ "event_ids": [ + "4663" + ], + "id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1566.001", + "T1566" + ], + "title": "ISO Image Mounted" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "event_ids": [ + "4661" + ], + "id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9220-69AE-11D9-BED3-505054503030", + "0CCE923B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1087.002", + "T1069.002", + "attack.s0039", + "T1069", + "T1087" + ], + "title": "Reconnaissance Activity" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the registration of the security event source VSSAudit. 
It would usually trigger when volume shadow copy operations happen.", + "event_ids": [ + "4904", + "4905" + ], + "id": "00f253a0-1035-e450-7f6e-e2291dee27ec", + "level": "informational", + "service": "security", + "subcategory_guids": [ + "0CCE922F-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.002", + "T1003" + ], + "title": "VSSAudit Security Event Source Registration" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "event_ids": [ + "5136" + ], + "id": "925d441a-37b4-0afa-1d98-809b5df5fd06", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE923C-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1001.003", + "TA0011", + "T1001" + ], + "title": "Suspicious LDAP-Attributes Used" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects DCShadow via create new SPN", + "event_ids": [ + "4742", + "5136" + ], + "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9236-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "TA0005", + "T1207" + ], + "title": "Possible DC Shadow Attack" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Rule to detect the Hybrid Connection Manager service installation.", + "event_ids": [ + "4697" + ], + "id": "54f9b4d2-3f4a-675f-58d6-9995ae58f988", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1554" + ], + "title": "HybridConnectionManager Service Installation" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the creation of a user with the \"$\" character. 
This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.\n", + "event_ids": [ + "4720", + "4781" + ], + "id": "ec77919c-1169-6640-23e7-91c6f27ddc91", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9235-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036" + ], + "title": "New or Renamed User Account with '$' Character" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "event_ids": [ + "4697" + ], + "id": "660a0229-700e-8e43-40c7-fafe60c29491", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9211-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation CLIP+ Launcher - Security" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", + "event_ids": [ + "4673" + ], + "id": "cd93b6ed-961d-ed36-92db-bd44bccda695", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9228-69AE-11D9-BED3-505054503030", + "0CCE9229-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0004", + "T1558.003", + "T1558" + ], + "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects handles requested to SAM registry hive", + "event_ids": [ + "4656" + ], + "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1012", + "TA0006", + "T1552.002", + "T1552" + ], + "title": "SAM Registry Hive Handle Request" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", + "event_ids": [ + "4649" + ], + "id": "167784ae-8d7f-ca00-e9d9-586a4c8469e8", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE921C-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1558" + ], + "title": "Replay Attack Detected" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects anyone attempting a backup for the DPAPI Master Key. 
This events gets generated at the source and not the Domain Controller.", + "event_ids": [ + "4692" + ], + "id": "725b729a-b3ea-fb14-9cad-a4e944af8b5d", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE922D-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.004", + "T1003" + ], + "title": "DPAPI Domain Master Key Backup Attempt" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "event_ids": [ + "1102", + "517" + ], + "id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9", + "level": "high", + "service": "security", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1070.001", + "car.2016-04-002", + "T1070" + ], + "title": "Security Eventlog Cleared" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", + "event_ids": [ + "5145" + ], + "id": "37f5d188-182d-7a53-dca7-4bebbb6ce43e", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1021" + ], + "title": "SMB Create Remote File Admin Share" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "event_ids": [ + "4657" + ], + "id": "107a403c-5a05-2568-95a7-a7329d714440", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112", + "T1562" + ], + "title": "ETW Logging Disabled In .NET Processes - Registry" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.", + "event_ids": [ + "4656", + "4658", + "4663" + ], + "id": 
"70c3269a-a7f2-49bd-1e28-a0921f353db7", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9223-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "TA0005", + "T1070.004", + "T1027.005", + "T1485", + "T1553.002", + "attack.s0195", + "T1553", + "T1070", + "T1027" + ], + "title": "Potential Secure Deletion with SDelete" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", + "event_ids": [ + "4698" + ], + "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0004", + "TA0003", + "T1053.005", + "T1053" + ], + "title": "Suspicious Scheduled Task Creation" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", + "event_ids": [ + "4898", + "4899" + ], + "id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9221-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0006" + ], + "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects external disk drives or plugged-in USB devices.", + "event_ids": [ + "6416" + ], + "id": "eab514f7-3f9b-a705-4d1d-8fee3d81c4b5", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9248-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1091", + "T1200", + "TA0008", + "TA0001" + ], + "title": "External Disk Drive Or USB Storage 
Device Was Recognized By The System" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob\nmatching the pattern \"1UWhRCAAAAA...BAAAA\". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,\ncommonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to\nattacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,.\nwhere adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.\nPlease investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.\n", + "event_ids": [ + "4662", + "5136", + "5137" + ], + "id": "19da3c91-0fcd-61d5-5b4f-bde550a79070", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE923B-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1557.003", + "TA0003", + "TA0004", + "T1557" + ], + "title": "Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", + "event_ids": [ + "4625", + "4776" + ], + "id": "655eb351-553b-501f-186e-aa9af13ecf43", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005", + "TA0004", + "TA0001", + "T1078" + ], + "title": "Account Tampering - Suspicious Failed Logon Reasons" + }, + { + "category": "", + "channel": [ + 
"sec" + ], + "description": "Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC.\nThis may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.\n", + "event_ids": [ + "4768" + ], + "id": "15481d86-14a7-85e7-b1a2-ff2eab19060e", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9242-69AE-11D9-BED3-505054503030" + ], + "tags": [], + "title": "Potential AS-REP Roasting via Kerberos TGT Requests" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects an installation of a device that is forbidden by the system policy", + "event_ids": [ + "6423" + ], + "id": "53f7ff98-38dd-f02c-0658-1debbf8deddc", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9248-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1200" + ], + "title": "Device Installation Blocked" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" + ], + "description": "Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.", + "event_ids": [ + "1007" + ], + "id": "aec05047-d4cd-8eed-6c67-40b018f64c6e", + "level": "medium", + "service": "certificateservicesclient-lifecycle-system", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1649" + ], + "title": "Certificate Exported From Local Certificate Store" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-NTLM/Operational" + ], + "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", + "event_ids": [ + "8002" + ], + "id": "c043d322-c767-faa8-92d4-381dcc35cab3", + "level": "low", + "service": "ntlm", + "subcategory_guids": [], + "tags": [ 
+ "TA0008", + "T1550.002", + "T1550" + ], + "title": "NTLM Logon" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-NTLM/Operational" + ], + "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", + "event_ids": [ + "8001" + ], + "id": "b416a5b9-a282-2826-bc58-8b8481d865f6", + "level": "medium", + "service": "ntlm", + "subcategory_guids": [], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Potential Remote Desktop Connection to Non-Domain Host" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-NTLM/Operational" + ], + "description": "Detects common NTLM brute force device names", + "event_ids": [ + "8004" + ], + "id": "b7a0fd59-bab8-fec2-28ad-548b2635d87f", + "level": "medium", + "service": "ntlm", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1110" + ], + "title": "NTLM Brute Force" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "event_ids": [ + "1001" + ], + "id": "ea429061-e3b4-fabd-8bd6-cb98772aeeba", + "level": "high", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1211", + "T1562.001", + "T1562" + ], + "title": "Microsoft Malware Protection Engine Crash - WER" }, { "category": "", 
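Review bot: The "Win Susp Computer Name Containing Samtheadmin" rule (id 2875c85a-58eb-ca3b-80a3-4cdd8ffa41a8) is declared on channel "sec" with `"event_ids": []` and `"subcategory_guids": []`, while every other "sec" rule in this hunk carries at least one event ID and audit-subcategory GUID; unless the loader treats an empty list as "any event" (not visible here), this rule can never select an event and needs the relevant account-management event IDs, or the empty-list semantics need documenting where the rules are consumed. The "Potential AS-REP Roasting via Kerberos TGT Requests" rule (id 15481d86-14a7-85e7-b1a2-ff2eab19060e) likewise ships with `"tags": []`, making it the only rule here without an ATT&CK mapping; `"tags": ["TA0006", "T1558.004", "T1558"]` would follow the convention of the neighbouring Kerberoasting rule. Several description strings carry typos that will surface verbatim in any UI: "namped pipes" in the First Time Seen Remote Named Pipe rule, "attack,.\nwhere" in the Kerberos coercion rule, and "This events that are generated" / "This events gets generated" in the Ruler and DPAPI rules. The enclosing top-level array continues outside the hunk.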
@@ -31942,21 +9004,24528 @@
 {
 "category": "",
 "channel": [
- "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
+ "Microsoft-Windows-Shell-Core/Operational"
 ],
- "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour",
+ "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache",
 "event_ids": [
- "21"
+ "28115"
 ],
- "id": "cfba8e23-d224-ff3b-7cb7-dbc6085172a0",
- "level": "high",
- "service": "terminalservices-localsessionmanager",
+ "id": "487f5b43-6155-d21c-7189-1a6108974f1b",
+ "level": "medium",
+ "service": "shell-core",
 "subcategory_guids": [],
+ "tags": [
+ "TA0002"
+ ],
+ "title": "Suspicious Application Installed"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the use of SharpUp, a tool for local privilege escalation",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "9a8e6f2d-2a56-788b-343a-a50584a15079",
+ "level": "critical",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0004",
+ "TA0007",
+ "TA0002",
+ "T1615",
+ "T1569.002",
+ "T1574.005",
+ "T1574",
+ "T1569"
+ ],
+ "title": "HackTool - SharpUp PrivEsc Tool Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "35f42a49-bad0-2ba7-87b0-62e78681838e",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0040",
+ "T1489"
+ ],
+ "title": "Delete All Scheduled Tasks"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of the netsh command to open and allow 
connections to port 3389 (RDP). As seen used by Sarwent Malware",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "06d89cd2-498f-efd1-2df7-79500d0e99e0",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1562.004",
+ "T1562"
+ ],
+ "title": "RDP Connection Allowed Via Netsh.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "8974c35e-3161-6538-c0ef-b12e467718a7",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1176.001",
+ "T1176"
+ ],
+ "title": "Chromium Browser Instance Executed With Custom Extension"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious process patterns found in logs when CrackMapExec is used",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "991e932e-5798-025f-120d-6f19994ad2a4",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0006",
+ "T1003.001",
+ "T1003"
+ ],
+ "title": "HackTool - CrackMapExec Process Patterns"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects when verclsid.exe is used to run COM object via GUID",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "f95fb96e-dacc-23fa-9a80-f509e7973c9f",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218"
+ ],
+ "title": "Verclsid.exe Runs COM Object"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects execution of \"curl.exe\" with a potential custom \"User-Agent\". 
Attackers can leverage this to download or exfiltrate data via \"curl\" to a domain that only accept specific \"User-Agent\" strings",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "73a60f51-08e7-e491-9edb-b2f38dcaa09c",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002"
+ ],
+ "title": "Curl Web Request With Potential Custom User-Agent"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "94e6ca30-ee68-9136-837c-513d6086ce6c",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0006",
+ "T1003"
+ ],
+ "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "7d26daa9-542e-73b8-57cf-fd0cd8794d26",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0040",
+ "T1489"
+ ],
+ "title": "Disable Important Scheduled Task"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects various command line and scripting engines/processes such as \"PowerShell\", \"Wscript\", \"Cmd\", etc. 
spawning a \"regsvr32\" instance.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "f4ef60dd-b493-97a1-92db-e8a8146be6a4",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218.010",
+ "T1218"
+ ],
+ "title": "Scripting/CommandLine Process Spawned Regsvr32"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "c9ee66ac-639b-5403-8384-6c70ecdcddc1",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0004",
+ "T1574.011",
+ "T1574"
+ ],
+ "title": "Potential Privilege Escalation via Service Permissions Weakness"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "66033013-9870-9cb6-fd4b-54502ef0aa79",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002"
+ ],
+ "title": "PsExec Service Child Process Execution as LOCAL SYSTEM"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. 
This could be a sign of a rogue \".appx\" package installation/execution",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "101b11d6-0200-6a9a-daea-aaebf8b49bca",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005"
+ ],
+ "title": "Potentially Suspicious Windows App Activity"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects calls to the \"terminate\" function via wmic in order to kill an application",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "aed91788-6fab-61d2-104a-3a1ea483f8fd",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1047"
+ ],
+ "title": "Application Terminated Via Wmic.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "e3cb371f-ecf2-9b45-e6ff-67bb63f48a48",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218.001",
+ "T1218"
+ ],
+ "title": "Remote CHM File Download/Execution Via HH.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "9b584978-0d93-f10c-988d-ff3657f59e09",
+ "level": "critical",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1055"
+ ],
+ "title": "HackTool - DInjector PowerShell Cradle Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects uncommon and potentially suspicious one-liner command containing both \"ping\" and \"copy\" at the same time, which is usually used by malware.\n",
+ "event_ids": [
+ 
"4688"
+ ],
+ "id": "3efca659-a57d-a642-952a-5f476a210a07",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1070.004",
+ "T1070"
+ ],
+ "title": "Potentially Suspicious Ping/Copy Command Combination"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "e644857f-3d08-b5e8-61be-9e01a3706716",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0006",
+ "TA0005",
+ "TA0007",
+ "TA0002",
+ "TA0004",
+ "T1046",
+ "T1082",
+ "T1106",
+ "T1518",
+ "T1548.002",
+ "T1552.001",
+ "T1555",
+ "T1555.003",
+ "T1548",
+ "T1552"
+ ],
+ "title": "HackTool - WinPwn Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects PowerShell script execution via input stream redirect",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "112d0b77-1699-f5e9-45f6-7e80e17de0a0",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0002",
+ "T1059"
+ ],
+ "title": "Run PowerShell Script from Redirected Input Stream"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "b37bf4b0-3cd7-a1dd-ca56-4af874660093",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007",
+ "T1016"
+ ],
+ "title": "Suspicious Network Command"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ 
"description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "98e8d981-f4c4-0375-e252-80c62c6ff415",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1127"
+ ],
+ "title": "Use of VSIISExeLauncher.exe"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "8b3afca9-f927-14ee-58f5-238c5f845d71",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0040",
+ "T1070",
+ "T1485"
+ ],
+ "title": "Fsutil Suspicious Invocation"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects execution of regsvr32 where the DLL is located in a highly suspicious locations",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "f0f9d4eb-6b2b-b7dd-4bba-a3e2739203f4",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218.010",
+ "T1218"
+ ],
+ "title": "Regsvr32 Execution From Highly Suspicious Location"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. 
This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "82956673-bd55-9f29-96a4-e5bdd4083071",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005"
+ ],
+ "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,\nsuch as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications\ncontaining VBScript or JScript. Threat actors often abuse this lolbin utility to download and\nexecute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "a641f121-9379-33a5-1c52-cda13641658a",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1140",
+ "T1218.005",
+ "TA0002",
+ "T1059.007",
+ "cve.2020-1599",
+ "T1059",
+ "T1218"
+ ],
+ "title": "MSHTA Execution with Suspicious File Extensions"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "852227cc-1888-1ad5-93f1-633e3dc46869",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "TA0004",
+ "TA0007",
+ "TA0005",
+ "T1082",
+ "T1564",
+ "T1543"
+ ],
+ "title": "PUA - System Informer Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a 
method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "1e03e881-94a8-1c6c-d90d-47c97d22bb89",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1070.004",
+ "T1070"
+ ],
+ "title": "Suspicious Ping/Del Command Combination"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "9a0eb817-c07f-1061-89e6-3f30825c8e37",
+ "level": "critical",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0006",
+ "T1003",
+ "T1003.001"
+ ],
+ "title": "Potential Credential Dumping Via LSASS Process Clone"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "0fd941d7-3dec-afd3-d991-d693f0a6dff8",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Change PowerShell Policies to an Insecure Level"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "fae361cc-c4b0-0935-1b15-79113e3f6198",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0004",
+ "T1548.002",
+ "T1548"
+ ],
+ "title": "UAC Bypass Using Consent and 
Comctl32 - Process"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious command lines used in Covenant luanchers",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "12b4859c-0eeb-091f-3b96-09ffcd5e9a9a",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "TA0005",
+ "T1059.001",
+ "T1564.003",
+ "T1059",
+ "T1564"
+ ],
+ "title": "HackTool - Covenant PowerShell Launcher"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "5557e23a-e632-646a-e8ae-d0a476f8cea4",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Invoke-Obfuscation Via Use Clip"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "1ee586c3-86e8-4b2c-b33f-80c524292d5e",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "Uninstall Crowdstrike Falcon Sensor"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. 
As seen being used in malicious LNK files",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "0922802a-a57f-bd7e-c635-64ffdf4824e9",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Suspicious File Execution From Internet Hosted WebDav Share"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "4295ffa5-ee9c-252b-51b9-150363e6906b",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0011",
+ "T1071.001",
+ "T1219",
+ "T1071"
+ ],
+ "title": "Renamed Visual Studio Code Tunnel Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects Obfuscated use of Environment Variables to execute PowerShell",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "612594ec-e080-cbd7-b223-76411581dea7",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Invoke-Obfuscation VAR+ Launcher"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "e88b49c4-9d10-2b2d-da20-8934c2de27db",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007",
+ "T1018"
+ ],
+ "title": "PUA - Adidnsdump Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ 
"sec"
+ ],
+ "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "68ab3429-7cf4-3d41-5a38-9474fcad4f66",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0011",
+ "T1105"
+ ],
+ "title": "Potential Download/Upload Activity Using Type Command"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\nAttackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "0bcdf0e5-9683-7f59-4ca8-8903a6ca8c0d",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0006",
+ "T1003.003",
+ "T1003"
+ ],
+ "title": "Sensitive File Recovery From Backup Via Wbadmin.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detect suspicious parent processes of well-known Windows processes",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "cf1c2cd4-ba84-1a2d-fdbf-f970eacc2ed9",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1036.003",
+ "T1036.005",
+ "T1036"
+ ],
+ "title": "Windows Processes Suspicious Parent Directory"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed.\nThreat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "6ed0a1fe-48ad-ebd5-4596-bd6f5005bbe0",
+ "level": "high",
+ 
"service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "Python Function Execution Security Warning Disabled In Excel"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "532fbfdd-28df-ea62-93c5-a2d9f558f9d7",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "TA0003",
+ "TA0004",
+ "attack.s0111",
+ "attack.g0022",
+ "attack.g0060",
+ "car.2013-08-001",
+ "T1053.005",
+ "T1059.001",
+ "T1059",
+ "T1053"
+ ],
+ "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "fbee28d8-8e92-176d-b6bc-0532d9a98eac",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0006",
+ "T1036",
+ "T1003.001",
+ "car.2013-05-009",
+ "T1003"
+ ],
+ "title": "Process Memory Dump Via Comsvcs.DLL"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "cb8f70fe-80c4-48c0-0473-656666b52064",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0001",
+ "TA0003",
+ "TA0004"
+ ],
+ "title": "Suspicious Shells Spawn by Java Utility Keytool"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "b7f2ba3f-b64d-9b62-1e90-ebefd17f3b94",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "6cbe870d-ed2f-e585-6d9e-201323d379a7",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "TA0005",
+ "TA0004",
+ "T1574.011",
+ "T1574"
+ ],
+ "title": "Service Security Descriptor Tampering Via Sc.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "a9d391c2-0efd-3d38-0c33-49f93ab68df6",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "TA0005",
+ "T1059",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "HackTool - Stracciatella Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects 
a Powershell process that contains download commands in its command line string",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "f57205aa-67a6-4a69-582c-08eb0b786b58",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "PowerShell Download Pattern"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "1a42614f-8e9e-d03e-5c6e-b4003ed85cf7",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0002",
+ "T1218"
+ ],
+ "title": "Arbitrary File Download Via PresentationHost.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects execution of \"rundll32\" with potential obfuscated ordinal calls",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "b7049a0d-bb27-adf6-2c62-501b4398af4d",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1027.010",
+ "T1027"
+ ],
+ "title": "Potential Obfuscated Ordinal Call Via Rundll32"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Shadow Copies deletion using operating systems utilities",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "0cad8839-9b0c-0a2c-8b61-c2b539604a10",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0040",
+ "T1070",
+ "T1490"
+ ],
+ "title": "Shadow Copies Deletion Using Operating Systems Utilities"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of \"Wlrmdr.exe\" with the \"-u\" command line flag which allows 
anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.\nThis detection also focuses on any uncommon child processes spawned from \"Wlrmdr.exe\" as a supplement for those that posses \"ParentImage\" telemetry.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "0331991b-8942-aa87-70c4-84360f95b7ce",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218"
+ ],
+ "title": "Wlrmdr.EXE Uncommon Argument Or Child Process"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Uses the .NET InstallUtil.exe application in order to execute image without log",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "d39155d0-4154-66c0-1d94-6c61d77f27e7",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005"
+ ],
+ "title": "Suspicious Execution of InstallUtil Without Log"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "7371bd41-e687-4fb7-9c66-a38b83560275",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0011",
+ "T1105"
+ ],
+ "title": "Potential COM Objects Download Cradles Usage - Process Creation"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "82652023-b2bf-3126-09bb-f4495914f471",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0003",
+ "T1197",
+ "attack.s0190",
+ "T1036.003",
+ "T1036"
+ ],
+ "title": "File Download Via Bitsadmin To A 
Suspicious Target Folder"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "e51338a7-866e-5cc3-f8f9-7b12fc3aa56b",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "TA0009",
+ "T1114",
+ "T1059"
+ ],
+ "title": "Exchange PowerShell Snap-Ins Usage"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects uncommon child process of Setres.EXE.\nSetres.EXE is a Windows server only process and tool that can be used to set the screen resolution.\nIt can potentially be abused in order to launch any arbitrary file with a name containing the word \"choice\" from the current execution path.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "722c7611-6b69-b8f2-4972-c405ba40d9a7",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218",
+ "T1202"
+ ],
+ "title": "Uncommon Child Process Of Setres.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "3679f255-d90a-49da-389c-bb16db65853c",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0004",
+ "T1548.002",
+ "T1548"
+ ],
+ "title": "Always Install Elevated MSI Spawned Cmd And Powershell"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of a renamed ProcDump executable.\nThis often done by attackers or malware in order to evade defensive mechanisms.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": 
"a6320654-afe9-8fa6-7fdc-3270c5a552d2", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036.003", + "T1036" + ], + "title": "Renamed ProcDump Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes", + "event_ids": [ + "4688" + ], + "id": "c4cc0668-2b35-4884-9119-8a558a544a6d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0003", + "T1543.003", + "T1543" + ], + "title": "Sysinternals PsSuspend Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", + "event_ids": [ + "4688" + ], + "id": "897d8214-575a-533d-6b1e-a21219da4532", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1548" + ], + "title": "Regedit as Trusted Installer" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the \"cloudflared\" tool to connect back to a tunnel. 
This was seen used by threat actors to maintain persistence and remote access to compromised networks.", + "event_ids": [ + "4688" + ], + "id": "0fea9c26-5302-3b51-7884-b9ed47e74157", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1102", + "T1090", + "T1572" + ], + "title": "Cloudflared Tunnel Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.\nThis behavior has been observed in-the-wild by different threat actors.\n", + "event_ids": [ + "4688" + ], + "id": "2510ad44-2338-340a-8439-d99181aef4f2", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "event_ids": [ + "4688" + ], + "id": "c9e0d554-2be2-3ae9-6b9c-e80fde3df203", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Suspicious TSCON Start as SYSTEM" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of winget to add new potentially suspicious download sources", + "event_ids": [ + "4688" + ], + "id": "c9b38950-be40-a8b2-9d01-5912034351f3", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1059" + ], + "title": "Add Potential Suspicious New Download Source To Winget" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + 
"description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", + "event_ids": [ + "4688" + ], + "id": "351d47d4-a048-9463-4aea-54964c77adee", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0005", + "TA0011", + "T1090" + ], + "title": "RDP Port Forwarding Rule Added Via Netsh.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", + "event_ids": [ + "4688" + ], + "id": "9bce1ab7-f1d3-6e4c-e5ae-6cdb2b974218", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "T1048" + ], + "title": "Tap Installer Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.\n", + "event_ids": [ + "4688" + ], + "id": "dff28edb-8cbf-0aa6-a92e-123f013ce755", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036" + ], + "title": "System File Execution Location Anomaly" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"Diskshadow.exe\" in script mode using the \"/s\" flag where the script is located in a potentially suspicious location.", + "event_ids": [ + "4688" + ], + "id": "42e5d701-5c5b-c050-7996-f166b0907531", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Diskshadow Script Mode - Execution From Potential Suspicious Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": 
"Detects a suspicious RDP session redirect using tscon.exe", + "event_ids": [ + "4688" + ], + "id": "1eb3ba13-9019-0f5c-55d6-f83e89f4a2ea", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1563.002", + "T1021.001", + "car.2013-07-002", + "T1563", + "T1021" + ], + "title": "Suspicious RDP Redirect Using TSCON" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "event_ids": [ + "4688" + ], + "id": "bec3410f-d2b7-364a-dc0a-bef9eda222a0", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1574.001", + "T1574" + ], + "title": "Potential DLL Sideloading Via DeviceEnroller.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of \"msedge_proxy.exe\" to download arbitrary files", + "event_ids": [ + "4688" + ], + "id": "d6d1a63b-5f0f-795e-fe18-4c2e1784568d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218" + ], + "title": "Arbitrary File Download Via MSEDGE_PROXY.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + "event_ids": [ + "4688" + ], + "id": "62e77033-e379-af4f-5bc4-a7f722328265", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Potential NTLM Coercion Via Certutil.EXE" + }, + { + "category": "process_creation", 
+ "channel": [ + "sec" + ], + "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary", + "event_ids": [ + "4688" + ], + "id": "09d5f483-1225-411f-dfcc-1fa1550bd9a6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0006", + "T1036", + "T1003.001", + "T1003" + ], + "title": "Suspicious DumpMinitool Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt", + "event_ids": [ + "4688" + ], + "id": "08cdc165-8915-fdf4-625a-7c4f625d5efe", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Persistence Via TypedPaths - CommandLine" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"odbcconf\" with the \"-f\" flag in order to load a response file with a non-\".rsp\" extension.", + "event_ids": [ + "4688" + ], + "id": "bf24bd95-9545-2701-9d44-5f8a6769a3bb", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.008", + "T1218" + ], + "title": "Suspicious Response File Execution Via Odbcconf.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the stopping of a Windows service via the \"net\" utility.", + "event_ids": [ + "4688" + ], + "id": "a0d8ce28-b409-13a0-c884-65166e1aa672", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1489" + ], + "title": "Stop Windows Service Via Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects process activity patterns as 
seen being used by Sliver C2 framework implants", + "event_ids": [ + "4688" + ], + "id": "55fe02b2-c0a4-cac3-dc5e-e79d58f78620", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "HackTool - Sliver C2 Implant Activity Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name", + "event_ids": [ + "4688" + ], + "id": "61427f33-35de-ec51-6afd-e44b8ccf9023", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "T1003.001", + "TA0006", + "T1003" + ], + "title": "Potential SysInternals ProcDump Evasion" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Files with well-known filenames (sensitive files with credential data) copying", + "event_ids": [ + "4688" + ], + "id": "1c39c2aa-7a13-2826-f8c5-48a453dfd562", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.002", + "T1003.003", + "car.2013-07-001", + "attack.s0404", + "T1003" + ], + "title": "Copying Sensitive Files with Credential Data" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", + "event_ids": [ + "4688" + ], + "id": "a860f5c4-f0f1-4566-1d72-4ff887bc2538", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "PUA - Nimgrab Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific combinations 
of encoding methods in PowerShell via the commandline", + "event_ids": [ + "4688" + ], + "id": "42dffab1-87eb-35dd-8aad-81c3744a89ed", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Potential Encoded PowerShell Patterns In CommandLine" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods", + "event_ids": [ + "4688" + ], + "id": "06624157-0db4-9e8c-200f-fcfe2788d3e4", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "HackTool - Doppelanger LSASS Dumper Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", + "event_ids": [ + "4688" + ], + "id": "c4d044b3-d308-8957-f679-6b4a595d47a7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204.002", + "attack.g0046", + "car.2013-05-002", + "T1204" + ], + "title": "Suspicious Binary In User Directory Spawned From Office Application" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects PowerShell download and execution cradles.", + "event_ids": [ + "4688" + ], + "id": "7c4af673-03d0-fd2c-2562-41ee96b4d36e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "PowerShell Download and Execution Cradles" + }, + { + "category": "process_creation", + "channel": [ + 
"sec" + ], + "description": "Detects the execution of Notepad to open a file that has the string \"password\" which may indicate unauthorized access to credentials or suspicious activity.", + "event_ids": [ + "4688" + ], + "id": "88058179-1331-afd7-eaea-6a77664d95dc", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1083" + ], + "title": "Notepad Password Files Discovery" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", + "event_ids": [ + "4688" + ], + "id": "0d186f78-d83c-0c4b-100c-cbdc93891947", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1558.003", + "T1558" + ], + "title": "Potential SPN Enumeration Via Setspn.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", + "event_ids": [ + "4688" + ], + "id": "915fc7ae-b034-c5e8-9b05-e19566db49fb", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Suspicious Usage Of ShellExec_RunDLL" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"rundll32.exe\" with a parent process of Explorer.exe. 
This has been observed by variants of Raspberry Robin, as first reported by Red Canary.", + "event_ids": [ + "4688" + ], + "id": "cb760152-8522-8711-dfe0-de3bafb00e2e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Rundll32 Spawned Via Explorer.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension", + "event_ids": [ + "4688" + ], + "id": "7f7e34fc-8a05-170b-7892-a5b0aefe2983", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.005", + "T1059.007", + "T1059" + ], + "title": "Cscript/Wscript Uncommon Script Extension Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "event_ids": [ + "4688" + ], + "id": "e16f3826-f705-a1c0-36a7-5d8d869e3ca9", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0006", + "T1218", + "T1003.001", + "T1003" + ], + "title": "Time Travel Debugging Utility Usage" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. 
The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.", + "event_ids": [ + "4688" + ], + "id": "f9b2ffc9-5ec5-9898-b546-301c85fa3892", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1087.002", + "T1069.002", + "T1482", + "T1087", + "T1069" + ], + "title": "Active Directory Database Snapshot Via ADExplorer" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", + "event_ids": [ + "4688" + ], + "id": "3d973370-afd2-629f-985f-7e5ba8e42f71", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1569.002", + "attack.s0029", + "T1569" + ], + "title": "PUA - NirCmd Execution As LOCAL SYSTEM" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "event_ids": [ + "4688" + ], + "id": "f7b452f3-c372-03f2-644e-7be14a8e5b73", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1033", + "car.2016-03-001" + ], + "title": "WhoAmI as Parameter" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.", + "event_ids": [ + "4688" + ], + "id": "325e649b-61c6-7c91-88ba-f2873675b355", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Suspicious Provlaunch.EXE Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.", + "event_ids": [ + "4688" + ], + "id": "ba17b43d-ff78-598e-3e48-6f7f77abce52", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.009", + "T1218" + ], + "title": "Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of powershell scripts via Runscripthelper.exe", + "event_ids": [ + "4688" + ], + "id": "f93df83e-4e70-cffa-f5d8-2b7c77d7bb45", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059", + "TA0005", + "T1202" + ], + "title": "Suspicious Runscripthelper.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of attrib.exe to hide files from users.", + "event_ids": [ + "4688" + ], + "id": "3fc98f17-3322-83c7-6332-d7813d88d4f1", + "level": "medium", 
+ "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.001", + "T1564" + ], + "title": "Hiding Files with Attrib.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", + "event_ids": [ + "4688" + ], + "id": "21d20eb3-388b-e372-90f5-c3da2c00dc9f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1047", + "T1562" + ], + "title": "Potential Windows Defender Tampering Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "event_ids": [ + "4688" + ], + "id": "5e078b34-047a-505f-5c16-344bc38300ff", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1049" + ], + "title": "System Network Connections Discovery Via Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", + "event_ids": [ + "4688" + ], + "id": "69775960-6b6d-e4c6-a758-e539859c34d4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Remote Access Tool - RURAT Execution From Unusual Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", + "event_ids": [ + "4688" + ], + "id": 
"ec21a11c-311b-e205-6bb5-57d26e408fcb", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Encoded Command Patterns" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the export of a crital Registry key to a file.", + "event_ids": [ + "4688" + ], + "id": "d68e9dcc-21b3-418c-4d05-669b4d9c0511", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "TA0007", + "T1012" + ], + "title": "Exports Critical Registry Keys To a File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "event_ids": [ + "4688" + ], + "id": "b580d34f-60c7-757b-d2d5-f622237ad56f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1090.001", + "T1090" + ], + "title": "HackTool - SharpChisel Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"forfiles\" with the \"/c\" flag.\nWhile this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.\nCan be used to bypass application whitelisting.\n", + "event_ids": [ + "4688" + ], + "id": "140c6c67-8cac-1d16-5654-bf2221dc7542", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Forfiles Command Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects presence of a potentially xor encoded powershell command", + "event_ids": [ + "4688" + ], + "id": "45f32609-3f8a-58cd-cf4b-13e480be32b3", + "level": "medium", + "service": 
"", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1059.001", + "T1140", + "T1027", + "T1059" + ], + "title": "Suspicious XOR Encoded PowerShell Command" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of the \"Squirrel.exe\" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)\n", + "event_ids": [ + "4688" + ], + "id": "6acffd8c-96c9-9d3b-9d69-0e0f332209c3", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218" + ], + "title": "Process Proxy Execution Via Squirrel.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects process dump via legitimate sqldumper.exe binary", + "event_ids": [ + "4688" + ], + "id": "38362740-fe8e-6e9d-79ad-a290fe8d5190", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "Dumping Process via Sqldumper.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects addition of users to highly privileged groups via \"Net\" or \"Add-LocalGroupMember\".", + "event_ids": [ + "4688" + ], + "id": "315b342a-decc-2f38-398f-41e5c8fdb4ed", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1098" + ], + "title": "User Added To Highly Privileged Group" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "event_ids": [ + "4688" + ], + "id": "e09795ef-2d7f-3f65-8286-c3267b89622e", + "level": "high", + "service": "", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Suspicious Curl.EXE Download" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects possible payload obfuscation via the commandline", + "event_ids": [ + "4688" + ], + "id": "6edef6e7-c67d-20e2-44cd-62afc03872c2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Potential Dosfuscation Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"ftp.exe\" script with the \"-s\" or \"/s\" flag and any child processes ran by \"ftp.exe\".", + "event_ids": [ + "4688" + ], + "id": "26132f4c-3dfc-593f-2d62-2e8ff59e0720", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059", + "TA0005", + "T1202" + ], + "title": "Potential Arbitrary Command Execution Via FTP.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", + "event_ids": [ + "4688" + ], + "id": "ee05c67c-d79d-1e0c-e803-8cac4c11384d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "Process Memory Dump via RdrLeakDiag.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", + "event_ids": [ + "4688" + ], + "id": "6b7e9ce2-c343-23e5-2bf3-223f82753b6f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "TA0008", + 
"T1021.002", + "T1218.011", + "T1021", + "T1218" + ], + "title": "Rundll32 UNC Path Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious script execution in temporary folders or folders accessible by environment variables", + "event_ids": [ + "4688" + ], + "id": "962dcd71-b0d7-ad49-1fe6-2966daf7a411", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Script Interpreter Execution From Suspicious Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "event_ids": [ + "4688" + ], + "id": "476ef906-3f50-4b93-19a2-cf02ea63f392", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "TA0004", + "T1053.005", + "T1053" + ], + "title": "Uncommon One Time Only Scheduled Task At 00:00" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", + "event_ids": [ + "4688" + ], + "id": "e9c3cf8c-ba2f-d937-b4c5-8f5e3f692a11", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1217" + ], + "title": "Suspicious Where Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.", + "event_ids": [ + "4688" + ], + "id": "905bbb47-6ae3-1ee8-e0d8-092361cf61e7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "T1053.005", + "T1059.001", + "T1053", + "T1059" + ], + "title": "Scheduled Task Executing Encoded Payload from Registry" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of Dnx.EXE. 
The Dnx utility allows for the execution of C# code.\nAttackers might abuse this in order to bypass application whitelisting.\n", + "event_ids": [ + "4688" + ], + "id": "e56b0b7d-eb03-5756-d3c4-1b29390fa86e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "T1027.004", + "T1027" + ], + "title": "Potential Application Whitelisting Bypass via Dnx.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "event_ids": [ + "4688" + ], + "id": "4ab524c0-380a-d654-f00f-0309d495eae1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1557.001", + "T1557" + ], + "title": "HackTool - ADCSPwn Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "event_ids": [ + "4688" + ], + "id": "9a71e218-8397-8c6b-22e0-fc805c7e6571", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1543.003", + "T1543" + ], + "title": "Suspicious Service Path Modification" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", + "event_ids": [ + "4688" + ], + "id": "04f5d1ee-1b2f-dc73-a3fd-a7277cb56195", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Potential Renamed Rundll32 Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", + "event_ids": [ + "4688" + ], + "id": "d2fc7f9b-7773-8c83-5bf3-d977a655e6e0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036" + ], + "title": "Taskmgr as LOCAL_SYSTEM" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the stopping of a Windows service via the \"sc.exe\" utility", + "event_ids": [ + "4688" + ], + "id": "115267f9-0227-94b2-f6ef-56939bd2c693", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1489" + ], + "title": "Stop Windows Service Via Sc.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", + "event_ids": [ + "4688" + ], + "id": "f2a1b260-bd4a-52e8-6aea-b4ce040025e5", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "File Download Using Notepad++ GUP Utility" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", + "event_ids": [ + "4688" + ], + "id": "a7926fae-e53c-6ad5-0a66-a32cbf78f1bf", + "level": "high", + "service": "", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", + "event_ids": [ + "4688" + ], + "id": "a3bc9093-f23e-f622-8deb-a18609cc33d8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "TA0004", + "TA0006", + "TA0007", + "T1047", + "T1053", + "T1059.003", + "T1059.001", + "T1110", + "T1201", + "T1059" + ], + "title": "HackTool - CrackMapExec Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", + "event_ids": [ + "4688" + ], + "id": "acf0cb14-e141-75f6-8a56-a843022146d1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1106" + ], + "title": "Potential WinAPI Calls Via CommandLine" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects installation of a new shim using sdbinst.exe.\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims\n", + "event_ids": [ + "4688" + ], + "id": "7d9d897f-58c0-2dae-d6f2-410c0f0f5e07", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1546.011", + "T1546" + ], + "title": "Potential Shim Database Persistence via Sdbinst.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects email exfiltration via powershell 
cmdlets", + "event_ids": [ + "4688" + ], + "id": "693a4b33-a1e3-3dbb-ecc3-19d6fbc9601a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010" + ], + "title": "Email Exifiltration Via Powershell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", + "event_ids": [ + "4688" + ], + "id": "926d4093-40e5-c7e0-f87e-01b94cbb63a7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Suspicious Workstation Locking via Rundll32" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of Xwizard tool from a non-default directory.\nWhen executed from a non-default directory, this utility can be abused in order to side load a custom version of \"xwizards.dll\".\n", + "event_ids": [ + "4688" + ], + "id": "a45e9350-b577-e20b-ed84-113a3b5c3e3a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1574.001", + "T1574" + ], + "title": "Xwizard.EXE Execution From Non-Default Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.\nRMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.\nHowever, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.\n", + "event_ids": [ + "4688" + ], + "id": "3ab572a4-6b9c-6004-a772-cf0ce1400109", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + 
"tags": [ + "TA0011", + "TA0005", + "T1219.002", + "T1036.003", + "T1219", + "T1036" + ], + "title": "Remote Access Tool - Renamed MeshAgent Execution - Windows" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.", + "event_ids": [ + "4688" + ], + "id": "58f6b474-361b-17a1-718b-461048f72ee2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1543.003", + "T1574.011", + "T1543", + "T1574" + ], + "title": "Potential Persistence Attempt Via Existing Service Tampering" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\n", + "event_ids": [ + "4688" + ], + "id": "b4e3c1f6-6ba1-48f2-3b3a-a5183ddadbb3", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562" + ], + "title": "HackTool - EDRSilencer Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects uncommon or suspicious child processes spawning from a WSL process. 
This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", + "event_ids": [ + "4688" + ], + "id": "481a16ec-1b88-6a7a-78b7-eedff1d69951", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1218", + "T1202" + ], + "title": "WSL Child Process Anomaly" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", + "event_ids": [ + "4688" + ], + "id": "83e16972-fa32-9c0e-e39d-25254c56a9ff", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1555", + "cve.2021-35211" + ], + "title": "Suspicious Serv-U Process Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "event_ids": [ + "4688" + ], + "id": "2b62781d-0af4-f828-f915-7b0039020526", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Remote Access Tool - Simple Help Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords.\nThis was seen being used in combination with \"icacls\" and other utilities to spot misconfigured files or folders permissions.\n", + "event_ids": [ + "4688" + ], + "id": "6cf859b8-6805-3164-4f58-acb0feb11cbf", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1552.006", + "T1552" + ], + "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.", + "event_ids": [ + "4688" + ], + "id": "50bb828c-a04e-d207-bb34-71d9f1144a73", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0002", + "T1047" + ], + "title": "Computer System Reconnaissance Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the addition of a new LogonScript to the registry value \"UserInitMprLogonScript\" for potential persistence", + "event_ids": [ + "4688" + ], + "id": "4b8c4cc7-a599-dafe-263f-ff5cb96a6967", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1037.001", + "T1037" + ], + "title": "Potential Persistence Via Logon Scripts - 
CommandLine" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation\n", + "event_ids": [ + "4688" + ], + "id": "5bdc7357-a9e6-95bc-a7cd-c6e0022b3299", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0001", + "T1505.003", + "T1190", + "T1505" + ], + "title": "Suspicious Process By Web Server Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", + "event_ids": [ + "4688" + ], + "id": "3a1e9d54-cfc2-0052-abc5-2271eee0dd8c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "Suspicious Process Created Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control", + "event_ids": [ + "4688" + ], + "id": "6a04614f-59c7-e8c1-6a54-5cc3b4eb1810", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "TA0009", + "T1185", + "T1564.003", + "T1564" + ], + "title": "Potential Data Stealing Via Chromium Headless Debugging" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "event_ids": [ + "4688" + ], + "id": "560853ca-0b24-2e95-ff72-810e13f675fa", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "UAC Bypass Using NTFS Reparse Point - Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", + "event_ids": [ + "4688" + ], + "id": "c2a0770d-11ab-758f-a9ed-de4bbee89af7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1053.005", + "T1053" + ], + "title": "Potential Persistence Via Microsoft Compatibility Appraiser" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", + "event_ids": [ + "4688" + ], + "id": "09815188-8262-0a9b-c00c-460108a51499", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4" + }, + { + 
"category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.", + "event_ids": [ + "4688" + ], + "id": "88689b5a-5cf9-4b6b-f596-66cc471db969", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1071.001", + "T1071" + ], + "title": "Visual Studio Code Tunnel Shell Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command", + "event_ids": [ + "4688" + ], + "id": "e0a1f78a-c161-fbe3-4ec6-e151177ec4f1", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007" + ], + "title": "Obfuscated IP Download Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Download and compress a remote file and store it in a cab file on local machine.", + "event_ids": [ + "4688" + ], + "id": "4657b559-a0fa-d23b-e35c-9cde37b20f8c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Suspicious Diantz Download and Compress Into a CAB File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state", + "event_ids": [ + "4688" + ], + "id": "2f54a1b2-dad9-be0e-bdd0-a299137396ac", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + 
"tags": [ + "TA0002", + "TA0003", + "T1059" + ], + "title": "Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", + "event_ids": [ + "4688" + ], + "id": "24c9aace-94e9-d8a7-f3fc-58eaff2eefea", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003", + "T1197", + "attack.s0190", + "T1036.003", + "T1036" + ], + "title": "File With Suspicious Extension Downloaded Via Bitsadmin" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of NSudo tool for command execution", + "event_ids": [ + "4688" + ], + "id": "09a60700-1c45-a4bf-7b17-5d1e036f4b78", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1569.002", + "attack.s0029", + "T1569" + ], + "title": "PUA - NSudo Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", + "event_ids": [ + "4688" + ], + "id": "e1344b7a-c6ce-4117-4e54-c1865cba57df", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Uninstall Sysinternals Sysmon" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects encoded base64 MZ header in the commandline", + "event_ids": [ + "4688" + ], + "id": "2c104dbe-603a-a438-f3a4-85ff1018ffc1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Base64 MZ Header In CommandLine" + }, + { + "category": "process_creation", + 
"channel": [ + "sec" + ], + "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", + "event_ids": [ + "4688" + ], + "id": "9fc9be53-5de8-99c5-66a1-0045cf52ff03", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1552.002", + "T1552" + ], + "title": "Enumeration for Credentials in Registry" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\n", + "event_ids": [ + "4688" + ], + "id": "13ca85ff-edb5-1f6f-fc72-7387eced96e9", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "TA0011", + "T1218.011", + "T1071", + "T1218" + ], + "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", + "event_ids": [ + "4688" + ], + "id": "f4e44868-e934-1170-ff1e-dc154741e18b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1548.002", + "T1548" + ], + "title": "Always Install Elevated Windows Installer" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "load malicious registered COM objects", + "event_ids": [ + "4688" + ], + "id": 
"a405c36d-82ac-5145-4a6a-8451f4ed7205", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0003", + "T1546.015", + "T1546" + ], + "title": "Rundll32 Registered COM Objects" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like \"C:\\windows\\system32\\davclnt.dll,DavSetCookie\".\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).\n", + "event_ids": [ + "4688" + ], + "id": "f84fbf6b-fa1f-71fb-e2ca-4f67b2451fe6", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "T1048.003", + "T1048" + ], + "title": "WebDav Client Execution Via Rundll32.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", + "event_ids": [ + "4688" + ], + "id": "27bbbc51-2674-7c64-0d12-3844deb6cb4b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "T1218" + ], + "title": "Suspicious MSDT Parent Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract \".cab\" files using the \"/extract\" argument from potentially suspicious paths.\n", + "event_ids": [ + "4688" + ], + "id": "cf789cc6-bba4-88f6-106b-660f61364506", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + 
"description": "Detects user accept agreement execution in psexec commandline", + "event_ids": [ + "4688" + ], + "id": "adbf9c6f-f765-81c9-b566-460d75f15e4a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0008", + "T1569", + "T1021" + ], + "title": "Psexec Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.", + "event_ids": [ + "4688" + ], + "id": "1cd7857a-df64-5472-b57d-5938f87f3e5c", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "TA0003", + "TA0004" + ], + "title": "Suspicious Child Process Of Veeam Dabatase" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", + "event_ids": [ + "4688" + ], + "id": "4f9a9515-6240-4eb8-beb5-f86cb1f08036", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1033" + ], + "title": "Group Membership Reconnaissance Via Whoami.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects whether the image specified in a process creation event doesn't refer to an \".exe\" (or other known executable extension) file. 
This can be caused by process ghosting or other unorthodox methods to start a process.\nThis rule might require some initial baselining to align with some third party tooling in the user environment.\n", + "event_ids": [ + "4688" + ], + "id": "c063426c-1b9b-025d-71cc-5097a233285d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Execution of Suspicious File Type Extension" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", + "event_ids": [ + "4688" + ], + "id": "a3af3078-fe5d-0755-0f26-3833f03a1a6a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Query Usage To Exfil Data" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.\nSuccessful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.\n", + "event_ids": [ + "4688" + ], + "id": "b0559eb5-33e0-09c4-c9bb-88007b5981ca", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1068" + ], + "title": "HKTL - SharpSuccessor Privilege Escalation Tool Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Use of reg to get MachineGuid information", + "event_ids": [ + "4688" + ], + "id": "01ee1af2-8f96-35c2-ce46-97013e496a07", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1082" + ], + "title": 
"Suspicious Query of MachineGUID" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", + "event_ids": [ + "4688" + ], + "id": "d8582a0e-2c3c-6716-d6d8-a79c4ce5ff75", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1087.001", + "T1087" + ], + "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.\n", + "event_ids": [ + "4688" + ], + "id": "b1293fae-fc5a-74c7-dfc9-3ad02ce661b2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "T1047", + "T1098" + ], + "title": "Password Set to Never Expire via WMI" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious powershell invocations from interpreters or unusual programs", + "event_ids": [ + "4688" + ], + "id": "82fb76c3-b42b-096c-0e6c-8733e1993492", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Invocation From Script Engines" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"AdPlus.exe\", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.", + "event_ids": [ + "4688" + ], + "id": "a564e04a-c562-3596-74f2-efb859c61856", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + 
"tags": [ + "TA0005", + "TA0002", + "TA0006", + "T1003.001", + "T1003" + ], + "title": "Potential Adplus.EXE Abuse" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", + "event_ids": [ + "4688" + ], + "id": "7d442414-1318-9f2d-6f0c-65ff86c357de", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036.002", + "T1036" + ], + "title": "Potential Defense Evasion Via Right-to-Left Override" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", + "event_ids": [ + "4688" + ], + "id": "a0fca779-5f2b-605b-e4a3-04829ce8bca5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Sysprep on AppData Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", + "event_ids": [ + "4688" + ], + "id": "86bcf883-2f53-b6b7-c766-0240f0ce79cf", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1127" + ], + "title": "Use of TTDInject.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the SharpLDAPmonitor. 
Which can monitor the creation, deletion and changes to LDAP objects.", + "event_ids": [ + "4688" + ], + "id": "e5c800a5-3e9b-b168-6ef9-6f47f8a19124", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007" + ], + "title": "HackTool - SharpLDAPmonitor Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", + "event_ids": [ + "4688" + ], + "id": "44150656-1e8d-43ca-eebd-2f773849d62a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Potential PowerShell Execution Policy Tampering - ProcCreation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "event_ids": [ + "4688" + ], + "id": "20f83d4c-6338-a0c0-b882-c4c1997c025f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Download and Execute Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", + "event_ids": [ + "4688" + ], + "id": "c321b26c-a257-c5cc-1fb8-5496e91a7381", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027.004", + "T1027" + ], + "title": "Visual Basic Command Line Compiler Usage" + }, + { + "category": "process_creation", + 
"channel": [ + "sec" + ], + "description": "The Devtoolslauncher.exe executes other binary", + "event_ids": [ + "4688" + ], + "id": "415d9b8e-8ea7-ce1d-44e5-f124d411e636", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Devtoolslauncher.exe Executes Specified Binary" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.\n", + "event_ids": [ + "4688" + ], + "id": "efdfbdd6-7e24-de87-fab4-a6218c8d0740", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0006", + "T1649" + ], + "title": "HackTool - Certipy Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the AgentExecutor.exe binary. 
Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "event_ids": [ + "4688" + ], + "id": "cda8f35e-7183-91df-da4b-c9598a42fd3b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Suspicious AgentExecutor PowerShell Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.", + "event_ids": [ + "4688" + ], + "id": "84d137d9-0fe0-de23-4c5c-4530db9c5575", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1053.005", + "TA0005", + "T1036.004", + "T1036.005", + "T1053", + "T1036" + ], + "title": "Scheduled Task Creation Masquerading as System Processes" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", + "event_ids": [ + "4688" + ], + "id": "0d101a61-8aa2-979a-93db-fff8ad1a96aa", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1574" + ], + "title": "DLL Execution Via Register-cimprovider.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the \"finger.exe\" utility.\nFinger.EXE or \"TCPIP Finger Command\" is an old utility that is still present on modern Windows installation. 
It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.\nDue to the old nature of this utility and the rareness of machines having the finger service. Any execution of \"finger.exe\" can be considered \"suspicious\" and worth investigating.\n", + "event_ids": [ + "4688" + ], + "id": "1e5c4cf4-c566-7068-d0ce-7a2eeabfc733", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Finger.EXE Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.\n", + "event_ids": [ + "4688" + ], + "id": "dd16066a-afda-2bf2-7735-9dbc86c6cd0a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "T1547.001", + "T1047", + "T1547" + ], + "title": "Suspicious Autorun Registry Modified via WMI" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "event_ids": [ + "4688" + ], + "id": "32f1537a-1af8-ef18-4ff0-71b68b6b84ec", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021" + ], + "title": "Potential Remote Desktop Tunneling" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.", + "event_ids": [ + "4688" + ], + "id": "637e9594-8499-4a83-1fec-53dd2ff90147", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "TA0011", + "T1105" + ], + "title": "Curl Download And Execute Combination" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.\nThe manifest option enables you to install an application by passing in a YAML file directly to the client.\nWinget can be used to download and install exe, msi or msix files later.\n", + "event_ids": [ + "4688" + ], + "id": "afee1b7e-2430-1880-34e2-eb2ae5bf07ff", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1059" + ], + "title": "Install New Package Via Winget Local Manifest" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).\nThe technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting\nmalformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection\nby hiding intent in runtime-generated strings and using legitimate tools for code execution. 
The use of `InstallProduct` and COM object creation, particularly combined with\nhidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.\n", + "event_ids": [ + "4688" + ], + "id": "74a80804-adfc-f831-6290-6ae386436db4", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027.010", + "T1218.007", + "TA0002", + "T1059.001", + "T1027", + "T1059", + "T1218" + ], + "title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "event_ids": [ + "4688" + ], + "id": "7ec29146-f989-0673-b4a4-9bcc03b31194", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Remote Access Tool - AnyDesk Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", + "event_ids": [ + "4688" + ], + "id": "6f1c48cf-ca24-9def-3a7c-bd81baec1f58", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "UAC Bypass Using ChangePK and SLUI" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects password change for the logged-on user's via \"ksetup.exe\"", + "event_ids": [ + "4688" + ], + "id": "42949869-416c-aa49-476a-3f2a4b57aa8c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Logged-On User Password Change Via Ksetup.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. 
An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.\n", + "event_ids": [ + "4688" + ], + "id": "5139400c-0a53-d802-9187-cd5a90a2b9d5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Uncommon AddinUtil.EXE CommandLine Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "event_ids": [ + "4688" + ], + "id": "14fd1424-cb14-6945-1567-9017b4b23da5", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Use MSHTA" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a potentially suspicious parent of \"csc.exe\", which could be a sign of payload delivery.", + "event_ids": [ + "4688" + ], + "id": "46903700-a139-8e57-f71a-3b0e0c0b1fb5", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.005", + "T1059.007", + "TA0005", + "T1218.005", + "T1027.004", + "T1218", + "T1059", + "T1027" + ], + "title": "Csc.EXE Execution Form Potentially Suspicious Parent" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", + "event_ids": [ + "4688" + ], + "id": "da22844e-bd3b-4e67-433c-ff26e343600e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1127" + ], + "title": "Potential Arbitrary Code Execution Via Node.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", + "event_ids": [ + "4688" + ], + "id": "c3cf2db9-adff-41bb-ab07-0ed4770b5b47", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1053.005", + "T1053" + ], + "title": "Suspicious Schtasks Schedule Type With High Privileges" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"curl.exe\" with the \"file://\" protocol handler in order to read local files.", + "event_ids": [ + "4688" + ], + "id": "0ac56170-1ec2-0fcb-1654-0178ffa1487b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Local File Read Using Curl.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential RDP Session Hijacking activity on Windows systems", + "event_ids": [ + "4688" + ], + "id": "679db9c2-6669-dc7b-3b9c-a20f4d600b28", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Potential RDP Session Hijacking Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising 
them as document formats.", + "event_ids": [ + "4688" + ], + "id": "5602c07f-c042-d14f-190e-cf750711227e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204.002", + "TA0005", + "T1218.014", + "T1036.002", + "T1204", + "T1036", + "T1218" + ], + "title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "event_ids": [ + "4688" + ], + "id": "43286cfb-09a6-4e2e-a895-f3c073eeb9f1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1543.003", + "T1543" + ], + "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. 
seen in PsExec-like tools", + "event_ids": [ + "4688" + ], + "id": "775ae677-184d-c90f-016f-f337fd79aa75", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004" + ], + "title": "Suspicious RunAs-Like Flag Combination" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects base64 encoded .NET reflective loading of Assembly", + "event_ids": [ + "4688" + ], + "id": "5b3bdcfc-fce3-bba8-39c8-ba8a4776d99e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "TA0005", + "T1027", + "T1620", + "T1059" + ], + "title": "PowerShell Base64 Encoded Reflective Assembly Load" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel", + "event_ids": [ + "4688" + ], + "id": "2dca5a53-e0e7-287d-3c41-45e454bceadc", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1071.001", + "T1219", + "T1071" + ], + "title": "Visual Studio Code Tunnel Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", + "event_ids": [ + "4688" + ], + "id": "94528740-76e2-5bfd-e3d5-a6fc1aea5bcd", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Use of OpenConsole" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using 
the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n", + "event_ids": [ + "4688" + ], + "id": "df2b1ca6-a4d3-e875-ca48-ed65bd486a5f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.001", + "T1021" + ], + "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely", + "event_ids": [ + "4688" + ], + "id": "055ae5db-808f-a1cc-57ac-99f0fadbab7f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Sysmon Configuration Update" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.\n", + "event_ids": [ + "4688" + ], + "id": "3e94a11b-52b5-7f93-d623-5ba15ab8f4aa", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Uncommon Child Process Of AddinUtil.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "event_ids": [ + "4688" + ], + "id": "b5028244-965b-dd46-d698-f480c7c963e5", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0007", + "T1505.003", + "T1018", + "T1033", + 
"T1087", + "T1505" + ], + "title": "Chopper Webshell Process Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", + "event_ids": [ + "4688" + ], + "id": "4c9296a3-a93c-d142-7e16-69111f075e7f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005", + "TA0004", + "T1574.011", + "T1574" + ], + "title": "Service DACL Abuse To Hide Services Via Sc.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection", + "event_ids": [ + "4688" + ], + "id": "813c544e-381d-625e-3470-9a243b7ce88e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.004", + "T1564" + ], + "title": "Use Short Name Path in Image" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", + "event_ids": [ + "4688" + ], + "id": "6b74eb79-fb17-b0d5-5a82-d54803b88ead", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1082" + ], + "title": "Suspicious Kernel Dump Using Dtrace" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious file downloads from file sharing domains using wget.exe", + "event_ids": [ + "4688" + ], + "id": "85360622-4657-c400-b38e-9dc13bdb53f6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ 
+ "TA0002" + ], + "title": "Suspicious File Download From File Sharing Domain Via Wget.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", + "event_ids": [ + "4688" + ], + "id": "6e250513-0f66-ed08-f2e8-81c7884c15a3", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Suspicious DLL Loaded via CertOC.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "event_ids": [ + "4688" + ], + "id": "097acc6f-8384-1ffd-c4af-993cdf49dff6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0007", + "T1482", + "T1087", + "T1087.001", + "T1087.002", + "T1069.001", + "T1069.002", + "T1069", + "T1059.001", + "T1059" + ], + "title": "Malicious PowerShell Commandlets - ProcessCreation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious processes including shells spawnd from WinRM host process", + "event_ids": [ + "4688" + ], + "id": "7d84c2d9-4528-bdae-4cc2-945948102cbd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1190", + "TA0001", + "TA0003", + "TA0004" + ], + "title": "Suspicious Processes Spawned by WinRM" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", + "event_ids": [ + "4688" + ], + "id": "d5e7858d-f6fa-9fe9-e747-ff3a3312244e", + "level": "high", + "service": "", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Windows Defender Definition Files Removed" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", + "event_ids": [ + "4688" + ], + "id": "57fc2f43-fec9-1e23-2c1e-a5bddad94af2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.004", + "T1562" + ], + "title": "Netsh Allow Group Policy on Microsoft Defender Firewall" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", + "event_ids": [ + "4688" + ], + "id": "3644cb9d-2e13-2dcc-497a-9eb0710ac9b8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0003", + "T1546.008", + "T1546" + ], + "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", + "event_ids": [ + "4688" + ], + "id": "891ece81-d720-ce9c-fe02-6e491c7adb14", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0011", + "T1059.003", + "T1059.001", + "T1105", + "T1059" + ], + "title": "Command Line Execution with Suspicious URL and AppData Strings" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], 
+ "description": "Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the \"FileFix\" social engineering technique,\nwhere users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.\nThe technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.\n", + "event_ids": [ + "4688" + ], + "id": "0b4162ed-2534-2656-6d4a-8d2ad218617b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204.004", + "T1204" + ], + "title": "FileFix - Suspicious Child Process from Browser File Upload Abuse" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", + "event_ids": [ + "4688" + ], + "id": "7a1b8071-8f13-c99a-439b-e2769871d008", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1047", + "T1204.002", + "T1218.010", + "T1218", + "T1204" + ], + "title": "Suspicious Microsoft Office Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects possible search for JWT tokens via CLI by looking for the string \"eyJ0eX\" or \"eyJhbG\".\nThis string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps.\n", + "event_ids": [ + "4688" + ], + "id": "9040711a-5958-aed6-ca57-ab80997eb33c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1528" + ], + "title": "Potentially Suspicious JWT Token Search Via CLI" + }, + { + 
"category": "process_creation", + "channel": [ + "sec" + ], + "description": "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.", + "event_ids": [ + "4688" + ], + "id": "63a8494a-3c4b-3902-2efc-f0ed49065b75", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1548.002", + "T1548" + ], + "title": "Sdclt Child Processes" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects nltest commands that can be used for information discovery", + "event_ids": [ + "4688" + ], + "id": "b5e72364-d1d6-72a1-ec13-abf98d0aaa74", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1016", + "T1018", + "T1482" + ], + "title": "Nltest.EXE Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", + "event_ids": [ + "4688" + ], + "id": "4ca79cb2-f424-4b29-861c-91cc27599d11", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Taskkill Symantec Endpoint Protection" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"odbcconf\" with the \"INSTALLDRIVER\" action where the driver doesn't contain a \".dll\" extension. 
This is often used as a defense evasion method.", + "event_ids": [ + "4688" + ], + "id": "62b1b4bc-937a-d9ed-a691-7887aae49630", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.008", + "T1218" + ], + "title": "Suspicious Driver/DLL Installation Via Odbcconf.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the initial execution of \"cmd.exe\" which spawns \"explorer.exe\" with the appropriate command line arguments for opening the \"My Computer\" folder.\n", + "event_ids": [ + "4688" + ], + "id": "0c504797-106a-bd3f-6172-cebfb63391b1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1135" + ], + "title": "File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. 
This folder doesn't require admin privillege to be written and executed from.", + "event_ids": [ + "4688" + ], + "id": "ed8f1915-a7b9-2b25-cfbe-702f1a275a5d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1211", + "T1059", + "TA0005", + "TA0003", + "TA0002" + ], + "title": "Writing Of Malicious Files To The Fonts Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", + "event_ids": [ + "4688" + ], + "id": "a4547750-0b4d-019c-4808-0da01680cddb", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547" + ], + "title": "Suspicious Driver Install by pnputil.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", + "event_ids": [ + "4688" + ], + "id": "39720fd3-7163-2a97-3e2d-287a6b761820", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.003", + "T1059" + ], + "title": "HackTool - Jlaive In-Memory Assembly Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the rare use of the command line tool shutdown to logoff a user", + "event_ids": [ + "4688" + ], + "id": "4aab609a-ee21-b8ac-c046-68400df5cd4e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1529" + ], + "title": "Suspicious Execution of Shutdown to Log Out" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", + "event_ids": [ + "4688" + ], + "id": 
"9550441e-5f01-6f0a-60db-abd27009e95d", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "DumpStack.log Defender Evasion" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", + "event_ids": [ + "4688" + ], + "id": "a7598bcd-02ee-2b0a-092f-27aeb1e15e94", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002" + ], + "title": "Wab Execution From Non Default Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.", + "event_ids": [ + "4688" + ], + "id": "bc5fbebe-3d3b-0833-ff7d-34a3c035c017", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.010", + "T1218" + ], + "title": "Regsvr32 Execution From Potential Suspicious Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", + "event_ids": [ + "4688" + ], + "id": "08a52423-1768-5eb8-726f-bfae99db5f64", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "UAC Bypass Using PkgMgr and DISM" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", + "event_ids": [ + "4688" + ], + "id": "2138917f-b5cd-6181-bcf6-8039bc43c6a2", + "level": 
"medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Powershell Defender Exclusion" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", + "event_ids": [ + "4688" + ], + "id": "e96c2fac-d250-ed6f-8382-328d4faa876d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0042", + "T1587.001", + "TA0002", + "T1569.002", + "T1587", + "T1569" + ], + "title": "PUA - CsExec Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential \"ShellDispatch.dll\" functionality abuse to execute arbitrary binaries via \"ShellExecute\"", + "event_ids": [ + "4688" + ], + "id": "589134cd-5a71-4868-1ad1-623db28a1d75", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005" + ], + "title": "Potential ShellDispatch.DLL Functionality Abuse" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", + "event_ids": [ + "4688" + ], + "id": "627c728d-1a1a-0871-ead7-d1537f0a152b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "T1053.005", + "T1053" + ], + "title": "Schtasks Creation Or Modification With SYSTEM Privileges" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", + "event_ids": [ + "4688" + ], + "id": "b8f11c05-4178-dd22-a155-a560b4974008", + 
"level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "TA0042", + "T1105", + "T1608" + ], + "title": "Suspicious Download from Office Domain" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", + "event_ids": [ + "4688" + ], + "id": "9d1b91e6-c352-6742-5913-b8046ff77518", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "T1548.002", + "T1548" + ], + "title": "Bypass UAC via WSReset.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious file downloads directly from IP addresses using Wget.exe", + "event_ids": [ + "4688" + ], + "id": "bb4392f4-17a5-e69c-88cd-53551c758da9", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Suspicious File Download From IP Via Wget.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of Microsoft bash launcher with the \"-c\" flag.\nThis can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.\n", + "event_ids": [ + "4688" + ], + "id": "6068456f-1654-f0e0-1573-add14847b216", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1202" + ], + "title": "Indirect Inline Command Execution Via Bash.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", + "event_ids": [ + "4688" + ], + "id": 
"87086e53-d522-cb93-c0a0-04cd9f2e91d3", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0043", + "T1593.003", + "T1593" + ], + "title": "Suspicious Git Clone" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", + "event_ids": [ + "4688" + ], + "id": "132686cd-ea41-e5c8-8c22-5211ea3bfb5d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Remote Access Tool - NetSupport Execution From Unusual Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"lodctr.exe\" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.", + "event_ids": [ + "4688" + ], + "id": "57428c1a-2716-80c7-6059-bb8408c50569", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Rebuild Performance Counter Values Via Lodctr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. 
The execution could indicate potential process dumping of critical processes such as LSASS.\n", + "event_ids": [ + "4688" + ], + "id": "33667ca9-e2d9-2762-b163-7e71780bc3b1", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Process Memory Dump Via Dotnet-Dump" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.\nCurrently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.\n", + "event_ids": [ + "4688" + ], + "id": "183b6ab0-741c-5a2c-a72d-660f201d5710", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "Potential Windows Defender AV Bypass Via Dump64.EXE Rename" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects audio capture via PowerShell Cmdlet.", + "event_ids": [ + "4688" + ], + "id": "3b83d907-4a3c-e167-7892-6f19c85d3edd", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1123" + ], + "title": "Audio Capture via PowerShell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.\nThis action removes the \"Scan with Microsoft Defender\" option from the right-click menu for files, directories, and drives.\nAttackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.\n", + "event_ids": [ + "4688" + ], + "id": "2f67b2ed-f7b9-c3fd-7e0a-a17cb1920bab", + "level": "high", 
+ "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Windows Defender Context Menu Removed" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", + "event_ids": [ + "4688" + ], + "id": "e3c946f5-fbf9-ed84-e993-6f80a6467aae", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "AgentExecutor PowerShell Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", + "event_ids": [ + "4688" + ], + "id": "bf39ad4c-8a90-0e00-7076-2436ebb83b41", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "DeviceCredentialDeployment Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", + "event_ids": [ + "4688" + ], + "id": "8356394a-a08b-72f9-f2f5-217abc6c1976", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006" + ], + "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", + "event_ids": [ + "4688" + ], + "id": "430ca46d-025b-b3cc-6fac-e01c57fee153", + "level": 
"high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1112", + "TA0005" + ], + "title": "Imports Registry Key From an ADS" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects events that appear when a user click on a link file with a powershell command in it", + "event_ids": [ + "4688" + ], + "id": "49da8649-c56c-f962-aade-f62bb1cd465c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Hidden Powershell in Link File Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects attempts to freeze a process likely an EDR or an antimalware service process through EDR-Freeze that abuses the WerFaultSecure.exe process to suspend security software.\n", + "event_ids": [ + "4688" + ], + "id": "4bf1a6ac-2f14-c4e7-4339-5a28683aa92f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Suspicious Process Suspension via WERFaultSecure through EDR-Freeze" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects calls to base64 encoded WMI class such as \"Win32_ShadowCopy\", \"Win32_ScheduledJob\", etc.", + "event_ids": [ + "4688" + ], + "id": "ece63b49-157b-d1fb-61c5-0cf5c0182409", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "TA0005", + "T1027", + "T1059" + ], + "title": "PowerShell Base64 Encoded WMI Classes" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process 
tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", + "event_ids": [ + "4688" + ], + "id": "042378e6-098f-7fa7-3390-6dea36ffe86a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036" + ], + "title": "Explorer Process Tree Break" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe", + "event_ids": [ + "4688" + ], + "id": "2c2fe733-6ef3-9d44-210c-fb4011ee1944", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Suspicious File Download From IP Via Wget.EXE - Paths" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Attackers may leverage fsutil to enumerated connected drives.", + "event_ids": [ + "4688" + ], + "id": "0521efb1-8519-4e3b-16a4-d3b360abc475", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1120" + ], + "title": "Fsutil Drive Enumeration" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.\nThis facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.\n", + "event_ids": [ + "4688" + ], + "id": "16cf2db0-5355-1ded-b4a7-522991ff6460", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1053.005", + "TA0005", + "T1218", + "TA0011", + "T1105", + "T1053" + ], + "title": "Scheduled Task Creation with Curl and PowerShell 
Execution Combo" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", + "event_ids": [ + "4688" + ], + "id": "fbf11b3a-b52f-1a2a-a481-d059609954fa", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1555.003", + "T1555" + ], + "title": "PUA - WebBrowserPassView Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious child processes of \"Diskshadow.exe\". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.", + "event_ids": [ + "4688" + ], + "id": "97051c88-88d9-2462-99f0-99115c8013c9", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Potentially Suspicious Child Process Of DiskShadow.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of \"findstr\" with the argument \"385201\". 
Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", + "event_ids": [ + "4688" + ], + "id": "7e7e5959-545c-8b4a-b17b-3ab2d88b6129", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1518.001", + "T1518" + ], + "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a code page switch in command line or batch scripts to a rare language", + "event_ids": [ + "4688" + ], + "id": "cb1cfe0e-5561-53fd-9c94-ab43c3826cf5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1036", + "TA0005" + ], + "title": "Suspicious CodePage Switch Via CHCP" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects shell32.dll executing a DLL in a suspicious directory", + "event_ids": [ + "4688" + ], + "id": "54783800-bea8-9a66-c11d-9aab8da467eb", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218.011", + "T1218" + ], + "title": "Shell32 DLL Execution in Suspicious Directory" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "event_ids": [ + "4688" + ], + "id": "a2dbf468-e91d-96e1-aaa1-d7a9e2cfb209", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "T1567.002", + "T1567" + ], + "title": "PUA - Rclone Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the \"TcpClient\" 
class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", + "event_ids": [ + "4688" + ], + "id": "0e017e81-3278-cb76-d706-690f05a18a0e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Potential Powershell ReverseShell Connection" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to \"%LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\\"\n", + "event_ids": [ + "4688" + ], + "id": "fb0cc82e-63f9-6098-cd32-7f78429aeb7a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "File Download Via InstallUtil.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects inline execution of PowerShell code from a file", + "event_ids": [ + "4688" + ], + "id": "58d3ef60-05d8-9a87-7fde-3bd696dba247", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Powershell Inline Execution From A File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", + "event_ids": [ + "4688" + ], + "id": "9db1274b-d76a-ecf1-8433-113dd1782631", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003" + ], + "title": "Capture Credentials with Rpcping.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" 
+ ], + "description": "Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", + "event_ids": [ + "4688" + ], + "id": "58180213-29ed-6aa8-7558-806ba2830b7f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Nslookup PowerShell Download Cradle - ProcessCreation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "event_ids": [ + "4688" + ], + "id": "1a00950e-36a2-0312-33ae-1d272dc02169", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1033" + ], + "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious child processes of Wscript/Cscript. 
These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\nMalware such as Pikabot and Qakbot were seen using similar techniques as well as many others.\n", + "event_ids": [ + "4688" + ], + "id": "70fe889c-0d1e-71e8-542d-a7ca05a0fef6", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Cscript/Wscript Potentially Suspicious Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "event_ids": [ + "4688" + ], + "id": "27cc5ada-12cd-ee4a-3260-a00437b0ac13", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "UAC Bypass Using IEInstal - Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the presence of reversed PowerShell commands in the CommandLine. 
This is often used as a method of obfuscation by attackers", + "event_ids": [ + "4688" + ], + "id": "98aa5a08-85d3-1d55-d8be-07f7570e76ad", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Potential PowerShell Obfuscation Via Reversed Commands" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which \"format.com\" is used to load malicious DLL files or other programs.\n", + "event_ids": [ + "4688" + ], + "id": "de9e4f46-8404-a8bb-7f5a-78bc21b25a9e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Uncommon FileSystem Load Attempt By Format.com" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the \"jsc.exe\" (JScript Compiler).\nAttacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.\n", + "event_ids": [ + "4688" + ], + "id": "4acb4c4c-6e64-9353-58fa-113832d88626", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1127" + ], + "title": "JScript Compiler Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Identifies the creation of local users via the net.exe command.", + "event_ids": [ + "4688" + ], + "id": "6770bbc3-76b1-d22f-6192-d180542dc2a2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1136.001", + "T1136" + ], + "title": "New User Created Via Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], 
+ "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "event_ids": [ + "4688" + ], + "id": "550c629f-0dc6-83a7-efce-0afef9c45e4c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "TA0005", + "T1127", + "T1059" + ], + "title": "Detection of PowerShell Execution via Sqlps.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", + "event_ids": [ + "4688" + ], + "id": "4b8e07ad-57d3-608d-6f9e-31047dfeb0de", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.003", + "T1003" + ], + "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags\n", + "event_ids": [ + "4688" + ], + "id": "af3979fb-2ecb-3ae6-3f48-ca04d867be13", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036" + ], + "title": "Suspicious Windows Update Agent Empty Cmdline" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. 
As seen being used in some ransomware scripts\n", + "event_ids": [ + "4688" + ], + "id": "dc6be7ef-4455-6b20-2304-ef99f8413cbf", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0040", + "T1489", + "T1562.001", + "T1562" + ], + "title": "Suspicious Windows Service Tampering" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", + "event_ids": [ + "4688" + ], + "id": "9493969e-1bc7-42fc-ede3-cbd493d3e20a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.006", + "T1021" + ], + "title": "HackTool - WinRM Access Via Evil-WinRM" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "event_ids": [ + "4688" + ], + "id": "f3a177b8-4d9d-843b-e8b0-8a6dac39b8ae", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], "tags": [ "TA0011", "T1090" ], - "title": "Ngrok Usage with Remote Desktop Service" + "title": "PUA- IOX Tunneling Tool Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", + "event_ids": [ + "4688" + ], + "id": "ced3b93a-d1cc-dab7-fe8c-be95fd649ff3", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "T1218" + ], + "title": "Code Execution via Pcwutl.dll" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of parent process ID 
spoofing tools like Didier Stevens tool SelectMyParent", + "event_ids": [ + "4688" + ], + "id": "86d129d1-cd78-4f07-9be8-edf76d9e2131", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1134.004", + "T1134" + ], + "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects uncommon or suspicious child processes of \"eventvwr.exe\" which might indicate a UAC bypass attempt", + "event_ids": [ + "4688" + ], + "id": "be9b6aa2-633a-7833-43a7-f807dc2aa023", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "car.2019-04-001", + "T1548" + ], + "title": "Potentially Suspicious Event Viewer Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the Windows Kernel Debugger \"kd.exe\".", + "event_ids": [ + "4688" + ], + "id": "5f7d7535-bf69-3a27-8300-415e9b0ed170", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004" + ], + "title": "Windows Kernel Debugger Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", + "event_ids": [ + "4688" + ], + "id": "115e60c2-cee5-d274-5b18-9313cca77106", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1005" + ], + "title": "Esentutl Steals Browser Information" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious manipulations of default accounts such 
as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", + "event_ids": [ + "4688" + ], + "id": "6fb2f8df-d6fd-c7e4-80e4-ba8fc1466ccc", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1560.001", + "T1560" + ], + "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", + "event_ids": [ + "4688" + ], + "id": "73845b5a-3c6f-eabe-4bcd-e9581c82d899", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005" + ], + "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the \"cloudflared\" tool with the tunnel \"cleanup\" flag in order to cleanup tunnel connections.", + "event_ids": [ + "4688" + ], + "id": "fc4ecc21-82a9-f983-5331-c9e94cfc7cfd", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1102", + "T1090", + "T1572" + ], + "title": "Cloudflared Tunnel Connections Cleanup" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", + "event_ids": [ + "4688" + ], + "id": "a296b8da-2f61-8a80-7fa6-f2063c0b5969", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Ie4uinit Lolbin Use From Invalid Path" + }, + { + "category": "process_creation", + "channel": [ + "sec" 
+ ], + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", + "event_ids": [ + "4688" + ], + "id": "3559f022-c7da-a217-5e49-9934bcf0b06b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Service Registry Key Deleted Via Reg.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the builtin \"del\"/\"erase\" commands in order to delete files.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "event_ids": [ + "4688" + ], + "id": "2e35d215-673f-ecff-67ad-c9fc3e4ffb87", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070.004", + "T1070" + ], + "title": "File Deletion Via Del" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", + "event_ids": [ + "4688" + ], + "id": "8750a67b-7c72-11af-21f3-3e37ed642ab4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0006", + "T1040" + ], + "title": "New Network Trace Capture Started Via Netsh.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", + "event_ids": [ + "4688" + ], + "id": 
"d8a821b1-813e-ed4c-5b7d-a4bf59182a64", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.002", + "T1562" + ], + "title": "HackTool - SharpEvtMute Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", + "event_ids": [ + "4688" + ], + "id": "f4b28578-b356-1cbb-4554-acd9a8b62c9b", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "TA0002" + ], + "title": "Indirect Command Execution By Program Compatibility Wizard" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects uncommon child processes spawning from \"sigverif.exe\", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.\n", + "event_ids": [ + "4688" + ], + "id": "7f54442b-227f-edd9-29d8-f6dc27ca512e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1216" + ], + "title": "Uncommon Sigverif.EXE Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", + "event_ids": [ + "4688" + ], + "id": "7ebc545f-8b8d-1d34-7a2e-99467ab1008d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1112", + "TA0005" + ], + "title": "Potential Suspicious Registry File Imported Via Reg.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", + "event_ids": [ + "4688" + ], + "id": 
"91dc62f7-9e6b-59c0-27d2-ccac03bed57c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Non-privileged Usage of Reg or Powershell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", + "event_ids": [ + "4688" + ], + "id": "c2caccdd-305a-c468-590f-90ca119d0475", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.004", + "T1564" + ], + "title": "Use NTFS Short Name in Command Line" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects calls to \"LoadAssemblyFromPath\" or \"LoadAssemblyFromNS\" that are part of the \"CL_LoadAssembly.ps1\" script. This can be abused to load different assemblies and bypass App locker controls.", + "event_ids": [ + "4688" + ], + "id": "a14e43f1-2c46-bf33-4ae5-b72dec4e8f0f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1216" + ], + "title": "Assembly Loading Via CL_LoadAssembly.ps1" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a ping command that uses a hex encoded IP address", + "event_ids": [ + "4688" + ], + "id": "8f1f0cfc-418f-58d0-6c0a-aa9299b3d5e5", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1140", + "T1027" + ], + "title": "Ping Hex IP" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", + "event_ids": [ + "4688" + ], + "id": 
"28b7f50a-c189-4a2f-314e-b19aa4b63468", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1539", + "TA0009", + "T1005" + ], + "title": "SQLite Firefox Profile Data DB Access" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", + "event_ids": [ + "4688" + ], + "id": "c4306817-4a47-606b-e363-d48b4d305f82", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1505.004", + "T1505" + ], + "title": "Suspicious IIS Module Registration" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", + "event_ids": [ + "4688" + ], + "id": "95c13570-33d5-adaa-36e9-f489d326fd40", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0007", + "T1033" + ], + "title": "Security Privileges Enumeration Via Whoami.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.\nAn example would be a threat actor creating a new user via the net command and providing the password inline\n", + "event_ids": [ + "4688" + ], + "id": "48f9e545-da57-e944-30a6-d6ed66b4f001", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002" + ], + "title": "Weak or Abused Passwords In CLI" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "An adversary may compress or encrypt 
data that is collected prior to exfiltration using 3rd party utilities", + "event_ids": [ + "4688" + ], + "id": "b6a72c86-b6bb-0d2a-1470-ab688583f615", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1560.001", + "T1560" + ], + "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of rundll32 with a command line that doesn't contain a common extension", + "event_ids": [ + "4688" + ], + "id": "d6ede5f4-8daa-4a92-6e5f-9cd3ca86089c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "T1218" + ], + "title": "Rundll32 Execution With Uncommon DLL Extension" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects various execution patterns of the CrackMapExec pentesting framework", + "event_ids": [ + "4688" + ], + "id": "a4a76a8b-fc4f-2887-8edc-9a4d71e5c86b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047", + "T1053", + "T1059.003", + "T1059.001", + "attack.s0106", + "T1059" + ], + "title": "HackTool - CrackMapExec Execution Patterns" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious execution of the Qemu utility in a Windows environment.\nThreat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.\n", + "event_ids": [ + "4688" + ], + "id": "ecd9d96b-cb0c-0ae0-cdc4-1614f22b8e06", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1090", + "T1572" + ], + "title": "Potentially Suspicious Usage Of Qemu" + }, + { + 
"category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects file execution using the msdeploy.exe lolbin", + "event_ids": [ + "4688" + ], + "id": "c0cc4271-ed56-6236-e21a-e9db92f30d97", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Execute Files with Msdeploy.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects port forwarding activity via SSH.exe", + "event_ids": [ + "4688" + ], + "id": "9f52bf0b-cd07-33a3-f9c1-6cf08889812a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "TA0008", + "T1572", + "T1021.001", + "T1021.004", + "T1021" + ], + "title": "Port Forwarding Activity Via SSH.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", + "event_ids": [ + "4688" + ], + "id": "5b838545-abaf-44b0-643d-b363389ecb5e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.010", + "T1218" + ], + "title": "Suspicious Regsvr32 Execution From Remote Share" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", + "event_ids": [ + "4688" + ], + "id": "4e18ea92-76c9-f5f4-1980-ea4c976954af", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1053.005", + "T1053" + ], + "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the presence of 
\"UWhRC....AAYBAAAA\" pattern in command line.\nThe pattern \"1UWhRCAAAAA..BAAAA\" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.\nAttackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.\nIt is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records\nto spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.\nIf you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,\nor checking for the presence of such records through the `nslookup` command.\n", + "event_ids": [ + "4688" + ], + "id": "c642ffbe-eb4e-5b90-c10a-de01f70dcb68", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "TA0003", + "TA0004", + "T1557.001", + "T1187", + "T1557" + ], + "title": "Attempts of Kerberos Coercion Via DNS SPN Spoofing" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution GMER tool based on image and hash fields.", + "event_ids": [ + "4688" + ], + "id": "52ddd559-9234-130a-cd5d-8be4384d1224", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "HackTool - GMER Rootkit Detector and Remover Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", + "event_ids": [ + "4688" + ], + "id": "693159ba-e2b9-cb03-30d0-5234a23b26d7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.003", + "T1003" + ], + "title": "Suspicious Usage Of Active Directory Diagnostic Tool 
(ntdsutil.exe)" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"aspnet_compiler.exe\" with potentially suspicious paths for compilation.", + "event_ids": [ + "4688" + ], + "id": "7ba37b73-d32a-9fdc-27f1-372220985b67", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1127" + ], + "title": "Potentially Suspicious ASP.NET Compilation Via AspNetCompiler" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", + "event_ids": [ + "4688" + ], + "id": "ac47d4f8-20cb-1fa8-ac93-07a08745efe7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect filter driver unloading activity via fltmc.exe", + "event_ids": [ + "4688" + ], + "id": "bd94e379-d774-a7fa-3d0c-ce6765196ac0", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070", + "T1562", + "T1562.002" + ], + "title": "Filter Driver Unloaded Via Fltmc.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of commands that leverage the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)\n", + "event_ids": [ + "4688" + ], + "id": "54b11eae-5cc5-72a8-7b50-b842a057933e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002" + ], + "title": "Mshtml.DLL RunHTMLApplication 
Suspicious Usage" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", + "event_ids": [ + "4688" + ], + "id": "86b3dc5a-8aaa-c378-77ea-e9d3d850d487", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.004", + "T1564" + ], + "title": "Potential Rundll32 Execution With DLL Stored In ADS" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", + "event_ids": [ + "4688" + ], + "id": "03f7ca7a-c93c-f02e-e9b4-d9b00a382023", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.003", + "stp.1u", + "T1059" + ], + "title": "Operator Bloopers Cobalt Strike Commands" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').\nThis is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.\nAn attacker might use this technique via the command line to bypass defenses before executing payloads.\n", + "event_ids": [ + "4688" + ], + "id": "118c7926-b646-c48e-0be5-da48f765543e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated Powershell via Stdin in 
Scripts", + "event_ids": [ + "4688" + ], + "id": "e8fdfc6d-5256-c3f4-7858-a45724bce385", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Stdin" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of chromium based browser in headless mode using the \"dump-dom\" command line to download files", + "event_ids": [ + "4688" + ], + "id": "234669a1-2f84-3670-fbb6-7636e8b78731", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105", + "T1564.003", + "T1564" + ], + "title": "File Download with Headless Browser" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "event_ids": [ + "4688" + ], + "id": "e9206567-a61e-a398-07ce-db2684eef47d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "TA0005", + "T1127", + "T1059" + ], + "title": "SQL Client Tools PowerShell Session Detection" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious msiexec process starts with web addresses as parameter", + "event_ids": [ + "4688" + ], + "id": "570163b5-0034-92d2-919d-b0027cb8ee68", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.007", + "TA0011", + "T1105", + "T1218" + ], + 
"title": "MsiExec Web Install" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", + "event_ids": [ + "4688" + ], + "id": "bfa46528-db30-f4b6-d9b2-afca48a92538", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003" + ], + "title": "Suspicious Reg Add Open Command" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.\nLaZagne has been leveraged multiple times by threat actors in order to dump credentials.\n", + "event_ids": [ + "4688" + ], + "id": "be78b4b9-f54e-84e0-b62f-872d92b15df9", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006" + ], + "title": "HackTool - LaZagne Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", + "event_ids": [ + "4688" + ], + "id": "b4f46720-2a2a-38d0-a77b-cd70dfbd3151", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1070.001", + "T1562", + "T1070" + ], + "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "event_ids": [ + "4688" + ], + "id": "5400e5cd-e82b-a457-8209-7ea3515c05e4", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.002", + "T1003" + ], + "title": "PowerShell SAM 
Copy" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects calls to the AtomicTestHarnesses \"Invoke-ATHRemoteFXvGPUDisablementCommand\" which is designed to abuse the \"RemoteFXvGPUDisablement.exe\" binary to run custom PowerShell code via module load-order hijacking.", + "event_ids": [ + "4688" + ], + "id": "88ecfa5d-38dc-041a-fc73-6a0436a3d27f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of Replace.exe which can be used to replace file with another file", + "event_ids": [ + "4688" + ], + "id": "02224309-c907-6de7-60e0-09470aa6d721", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Replace.exe Usage" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of bitsadmin downloading a file", + "event_ids": [ + "4688" + ], + "id": "7a530794-a84d-d066-45bb-1d94d7f2dfc0", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003", + "T1197", + "attack.s0190", + "T1036.003", + "T1036" + ], + "title": "File Download Via Bitsadmin" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment", + "event_ids": [ + "4688" + ], + "id": "5cba86ae-86b3-1aba-fe62-8b82c1fb1f92", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1087.002", + "T1087" + ], + "title": "PUA - AdFind.EXE Execution" + }, + { + 
"category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of certutil with certain flags that allow the utility to download files.", + "event_ids": [ + "4688" + ], + "id": "34fbd3e7-f286-812f-f5a0-61d77817a0b4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027" + ], + "title": "Suspicious Download Via Certutil.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", + "event_ids": [ + "4688" + ], + "id": "cc44ef1f-3f00-4bc6-c537-2858c567e845", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Execution of Powershell Script in Public Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Extract data from cab file and hide it in an alternate data stream", + "event_ids": [ + "4688" + ], + "id": "5df3c3b4-3daf-3385-fdf0-4b5612003633", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.004", + "T1564" + ], + "title": "Suspicious Extrac32 Alternate Data Stream Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "event_ids": [ + "4688" + ], + "id": "974ebcbe-549c-386f-ffce-c5c6e2fbe2d8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Raccine Uninstall" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", + "event_ids": [ + "4688" + ], + "id": "02c0a52b-6536-ca47-ce99-cea982b9008a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0007", + "T1082", + "T1087", + "T1046" + ], + "title": "HackTool - winPEAS Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "event_ids": [ + "4688" + ], + "id": "68ad4ec6-5204-d63f-155f-0ad495ef92b3", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1090" + ], + "title": "PUA - Fast Reverse Proxy (FRP) Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", + "event_ids": [ + "4688" + ], + "id": "9fc52937-cf49-786a-b1b0-3dfe6dd280ec", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1018" + ], + "title": "Share And Session Enumeration Using Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may install a root certificate on a compromised 
system to avoid warnings when connecting to adversary controlled web servers.", + "event_ids": [ + "4688" + ], + "id": "a7e6a51e-0f36-3f14-8b9b-12110ce23ff3", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1553.004", + "T1553" + ], + "title": "Root Certificate Installed From Susp Locations" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential arbitrary file download using a Microsoft Office application", + "event_ids": [ + "4688" + ], + "id": "16ff576e-457b-7067-2eac-58bb28e7a9dd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1202" + ], + "title": "Potential Arbitrary File Download Using Office Application" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.\n", + "event_ids": [ + "4688" + ], + "id": "740e34bc-7ca6-ebba-db66-9b466f9c7558", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "TA0010", + "T1560", + "T1560.001" + ], + "title": "Compressed File Extraction Via Tar.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the \"cloudflared\" binary from a non standard location.\n", + "event_ids": [ + "4688" + ], + "id": "c757a371-d2db-6f87-21a1-9951c4a5e35a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1090.001", + "T1090" + ], + "title": "Cloudflared Portable Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of CustomShellHost binary 
where the child isn't located in 'C:\\Windows\\explorer.exe'", + "event_ids": [ + "4688" + ], + "id": "5f438a3c-3bd7-d256-61ad-9ae6334543ec", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1216" + ], + "title": "Suspicious CustomShellHost Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.\nIt replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.\n", + "event_ids": [ + "4688" + ], + "id": "4620f95a-0964-646b-6b21-78a838f03ac3", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1055.012", + "T1055" + ], + "title": "HackTool - HollowReaper Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "event_ids": [ + "4688" + ], + "id": "d873d8e0-160c-2599-93cf-2700ca72b2d2", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1572" + ], + "title": "PUA - Ngrok Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of malicious OneNote documents that contain embedded scripts.\nWhen a user clicks on a OneNote attachment and then on the malicious link inside the \".one\" file, it exports and executes the malicious embedded script from specific directories.\n", + "event_ids": [ + "4688" + ], + "id": 
"a7aba663-3da2-bc96-f8c3-acd95b2b3052", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.001", + "T1218" + ], + "title": "OneNote.EXE Execution of Malicious Embedded Scripts" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flag to setup a specific script to run for a specific VM state", + "event_ids": [ + "4688" + ], + "id": "3223b8fb-0180-c340-24b5-fc4699287906", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "T1059" + ], + "title": "Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", + "event_ids": [ + "4688" + ], + "id": "f5d5ba97-4424-eaa9-ead1-528529dbee28", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "UAC Bypass WSReset" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", + "event_ids": [ + "4688" + ], + "id": "a5a31ba8-6ecb-ba33-f271-5a50afc76d9b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1218" + ], + "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detection well-known mimikatz command line arguments", + "event_ids": [ + "4688" + ], + "id": 
"b0b6f0e2-8ed1-fa15-6ebb-cf992c0fd7ea", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003.002", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003" + ], + "title": "HackTool - Mimikatz Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.\n", + "event_ids": [ + "4688" + ], + "id": "4b892866-fe93-c61b-f506-c8fd8948a868", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0003", + "T1546.007", + "attack.s0108", + "T1546" + ], + "title": "Potential Persistence Via Netsh Helper DLL" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", + "event_ids": [ + "4688" + ], + "id": "cfe8471d-2e7f-9e55-aa92-3b117789d6a6", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0005", + "TA0011", + "T1090" + ], + "title": "New Port Forwarding Rule Added Via Netsh.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"Tpmvscmgr.exe\" to create a new virtual smart card.", + "event_ids": [ + "4688" + ], + "id": "e669c0f5-387a-753e-708c-1ab656e547cf", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "New Virtual Smart Card Created Via TpmVscMgr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects 
usage of NimScan, a portscanner utility.\nIn early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment.\nThis rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.\n", + "event_ids": [ + "4688" + ], + "id": "e922cc27-53d4-6ba7-9673-6c91fc2bc3ca", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1046" + ], + "title": "PUA - NimScan Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", + "event_ids": [ + "4688" + ], + "id": "bc7f261d-3cfe-72c9-521d-d3cd1a0032bf", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1021" + ], + "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of Advanced Port Scanner.", + "event_ids": [ + "4688" + ], + "id": "3ea85a25-dba7-a10e-8a48-9aa4dc65abb9", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1046", + "T1135" + ], + "title": "PUA - Advanced Port Scanner Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.\nThe database might contain authentication tokens and other sensitive information about the logged in accounts.\n", + "event_ids": [ + "4688" + ], + "id": "d1521b48-cb82-dd9a-0d90-4e3a69b29fb2", + "level": "medium", + "service": "", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1528" + ], + "title": "Potentially Suspicious Command Targeting Teams Sensitive Files" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"DXCap.EXE\" with the \"-c\" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.\n", + "event_ids": [ + "4688" + ], + "id": "502f2034-8929-9fd1-10fc-732a817671b7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "New Capture Session Launched Via DXCap.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects uncommon child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript", + "event_ids": [ + "4688" + ], + "id": "7a110d73-1faa-19d5-10aa-bd44ad1e783f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.005", + "TA0005", + "T1218", + "T1202", + "T1059" + ], + "title": "Uncommon Child Process Of BgInfo.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", + "event_ids": [ + "4688" + ], + "id": "a40c99d5-1323-f65d-73d1-ca673940b7b2", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0007", + "T1082", + "T1057", + "T1012", + "T1083", + "T1007" + ], + "title": "HackTool - PCHunter Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Threat actors can use an older version 
of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "614f34c3-e108-8880-5b20-f3df7e3ccd9e",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1562.002",
+ "T1562"
+ ],
+ "title": "Audit Policy Tampering Via NT Resource Kit Auditpol"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "541e3fb5-f235-d13c-cd97-2e31f774193b",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0004",
+ "TA0005",
+ "T1548.002",
+ "T1548"
+ ],
+ "title": "Potential UAC Bypass Via Sdclt.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.\nThese parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.\nThis technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "7997ec07-1c34-0bba-64bc-d699a65b149f",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0011",
+ "T1219",
+ "T1105"
+ ],
+ "title": "Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ 
"description": "Detects addition of users to the local Remote Desktop Users group via \"Net\" or \"Add-LocalGroupMember\".", + "event_ids": [ + "4688" + ], + "id": "4c2ffc3b-017b-451b-81bb-1739d5d5b1d8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0008", + "T1133", + "T1136.001", + "T1021.001", + "T1021", + "T1136" + ], + "title": "User Added to Remote Desktop Users Group" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.", + "event_ids": [ + "4688" + ], + "id": "0e400d25-3298-763d-1813-3fe64dbdb2b0", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Potential Provlaunch.EXE Binary Proxy Execution Abuse" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "event_ids": [ + "4688" + ], + "id": "eac79e1c-5b45-db94-6b62-f7581c5ed0cb", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003", + "T1197", + "attack.s0190", + "T1036.003", + "T1036" + ], + "title": "Suspicious Download From Direct IP Via Bitsadmin" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.", + "event_ids": [ + "4688" + ], + "id": "3e293b2c-b40f-53b9-4e78-e7ad13badd8a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Conhost Spawned By Uncommon Parent 
Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", + "event_ids": [ + "4688" + ], + "id": "1f5db239-6608-ab63-3f89-95375c7872fc", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "T1218" + ], + "title": "Suspicious Control Panel DLL Load" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "event_ids": [ + "4688" + ], + "id": "77f6e2f1-7fec-6f30-aa0e-cec73ad32fc1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1110", + "T1110.001" + ], + "title": "HackTool - Hydra Password Bruteforce Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", + "event_ids": [ + "4688" + ], + "id": "56a9069d-21e3-4b02-f132-6a4e930a4432", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1482" + ], + "title": "HackTool - TruffleSnout Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.", + "event_ids": [ + "4688" + ], + "id": "bde2aa8e-57e6-7c83-466b-dfdcf1a7de29", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "T1053.005", + "T1059.001", + "T1059", + "T1053" + ], + "title": "Scheduled Task Executing 
Payload from Registry" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "event_ids": [ + "4688" + ], + "id": "d2f4e6f8-8091-3df9-bc05-f48b7a951ac8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation CLIP+ Launcher" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects uncommon \"conhost\" child processes. This could be a sign of \"conhost\" usage as a LOLBIN or potential process injection activity.", + "event_ids": [ + "4688" + ], + "id": "36f17029-664a-9448-86bb-81a24da07e7e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1202" + ], + "title": "Uncommon Child Process Of Conhost.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", + "event_ids": [ + "4688" + ], + "id": "8dd79010-f068-2bb3-d92f-2545a02ba504", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1553.004", + "T1553" + ], + "title": "New Root Certificate Installed Via Certutil.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "event_ids": [ + "4688" + ], + "id": "bedacc2c-35b3-fa81-61dc-a81f0369247e", + "level": "medium", + "service": "", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1216" + ], + "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", + "event_ids": [ + "4688" + ], + "id": "617ab1b8-544d-3774-60f6-7fcbd7612a8f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0043", + "TA0007", + "TA0040" + ], + "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", + "event_ids": [ + "4688" + ], + "id": "5a867cd0-5780-c09f-9e82-86aaaca431f5", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1033", + "car.2016-03-001" + ], + "title": "HackTool - SharpLdapWhoami Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", + "event_ids": [ + "4688" + ], + "id": "512d7248-20c4-a7bb-650b-19b15c46e2a2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Suspicious VBoxDrvInst.exe Parameters" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "c888539c-8fb0-45df-4874-934d5b1edf1c",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007",
+ "T1046",
+ "T1135"
+ ],
+ "title": "PUA - Advanced IP Scanner Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "773a2339-22b1-7f0c-c821-a5831b6a43cc",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1202"
+ ],
+ "title": "Potentially Suspicious Office Document Executed From Trusted Location"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the \"ActivateMicrosoftApp\" Excel DCOM object.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "dfd2290c-5c82-62f3-7643-4df329d43ce1",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "T1021.003",
+ "TA0008",
+ "T1021"
+ ],
+ "title": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects scheduled task creations or modification on a suspicious schedule type",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "03483409-2c67-3117-debd-eaa756713643",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1053.005",
+ "T1053"
+ ],
+ "title": "Suspicious Schtasks Schedule Types"
+ },
+ {
+ "category": "process_creation",
+ "channel": [ + "sec" + ], + "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", + "event_ids": [ + "4688" + ], + "id": "f8039355-05ea-ab7a-159d-51b07b17da1e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027" + ], + "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of LiveKD with the \"-m\" flag to potentially dump the kernel memory", + "event_ids": [ + "4688" + ], + "id": "37cf7844-0508-0f79-123b-7bb4a92b5bf3", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Kernel Memory Dump Via LiveKD" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", + "event_ids": [ + "4688" + ], + "id": "686228e1-28f8-b922-43d9-3b2fb663b67e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1570", + "TA0002", + "T1569.002", + "T1021", + "T1569" + ], + "title": "Rundll32 Execution Without Parameters" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", + "event_ids": [ + "4688" + ], + "id": "57e2b3e2-fb28-0497-4729-aa536a2a5089", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0008", + "T1021.003", + "T1021" + ], + "title": "MMC20 Lateral 
Movement" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of PowerShell commands that attempt to install MSI packages via the\nWindows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.\nThis could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.\nAnd the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.\n", + "event_ids": [ + "4688" + ], + "id": "67cbe37e-314f-cce4-2882-0cb45993a3c5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "TA0005", + "T1218", + "TA0011", + "T1105", + "T1059" + ], + "title": "PowerShell MSI Install via WindowsInstaller COM From Remote Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", + "event_ids": [ + "4688" + ], + "id": "33de75b5-e77d-234d-db45-228cb5921cdd", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218" + ], + "title": "Use of Scriptrunner.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "event_ids": [ + "4688" + ], + "id": "d60bae71-ab70-95e8-ce1c-c0226f62a597", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1053" + ], + "title": "HackTool - SharPersist Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option 
and executes the export specified in -p.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "16277ba9-49fc-5f62-bf22-e5c2952e32ea",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218"
+ ],
+ "title": "DLL Execution via Rasautou.exe"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "0052946a-1593-6881-f638-b14ac2efcff8",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "TA0004",
+ "T1059"
+ ],
+ "title": "PUA - Wsudo Suspicious Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "a4c2d962-184c-6b0f-6155-edee8fac04c8",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0008",
+ "T1021.001",
+ "T1112",
+ "T1021"
+ ],
+ "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution \"AccCheckConsole\" a command-line tool for verifying the accessibility implementation of an application's UI.\nOne of the tests that this checker can run are called \"verification routine\", which tests for things like Consistency, Navigation, etc.\nThe tool allows a user to provide a DLL that can contain a custom \"verification routine\". 
An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the \"AccCheckConsole\" utility.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "db8f163e-5399-d993-524b-d1c4ad63c442",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "detection.threat-hunting"
+ ],
+ "title": "Potential DLL Injection Via AccCheckConsole"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects uninstallation or termination of security products using the WMIC utility",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "c6bdb310-216f-075c-19c4-3873b8a1a516",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "Potential Tampering With Security Products Via WMIC"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "3c74726b-21b2-7edc-9091-a8cb4cd92eb0",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1574.011",
+ "T1574"
+ ],
+ "title": "Changing Existing Service ImagePath Value Via Reg.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a when net.exe is called with a password in the command line",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "63b59ec7-e487-aef1-5cca-722ee215db7f",
+ "level": "medium",
+ 
"service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0001", + "TA0003", + "TA0004", + "TA0008", + "T1021.002", + "T1078", + "T1021" + ], + "title": "Password Provided In Command Line Of Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", + "event_ids": [ + "4688" + ], + "id": "457a72af-e7d7-48c0-0f9f-cd793a1a2584", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1539", + "T1555.003", + "TA0009", + "T1005", + "T1555" + ], + "title": "SQLite Chromium Profile Data DB Access" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a certain command line flag combination used by \"devinit.exe\", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system", + "event_ids": [ + "4688" + ], + "id": "39bd9b2b-7c43-e7a8-e882-3de14365ae19", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1218" + ], + "title": "Arbitrary MSI Download Via Devinit.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\nAttackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.\n", + "event_ids": [ + "4688" + ], + "id": "f3baa8fc-8db9-1300-7b37-53785ce88ee9", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.003", + "T1003" + ], + "title": "Sensitive File Dump Via Wbadmin.EXE" + }, + { + "category": "process_creation", + "channel": [ + 
"sec" + ], + "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", + "event_ids": [ + "4688" + ], + "id": "22cc197f-f74f-a4e3-7021-a3b56dee5864", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "Potential Product Reconnaissance Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", + "event_ids": [ + "4688" + ], + "id": "7ff57038-20dd-b144-f4f9-fe2fb075e004", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Potential Suspicious Mofcomp Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", + "event_ids": [ + "4688" + ], + "id": "11f0b956-1d1f-35ac-0745-953256f95462", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1136.001", + "T1136" + ], + "title": "New User Created Via Net.EXE With Never Expire Option" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Download or Copy file with Extrac32", + "event_ids": [ + "4688" + ], + "id": "1a6983b5-f09c-767b-3ebe-349e7cde3c8e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": 
"Suspicious Extrac32 Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects active directory enumeration activity using known AdFind CLI flags", + "event_ids": [ + "4688" + ], + "id": "5a05c10d-f2a5-f434-4d63-63cd535745b6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1087.002", + "T1087" + ], + "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of python using the \"-c\" flag. This is could be used as a way to launch a reverse shell or execute live python code.", + "event_ids": [ + "4688" + ], + "id": "65188275-2c87-e92b-f463-550b550ef7f5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Python Inline Command Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects nltest commands that can be used for information discovery", + "event_ids": [ + "4688" + ], + "id": "b775be60-00d5-cb10-a24f-ba7f10563dcb", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1016", + "T1482" + ], + "title": "Potential Recon Activity Via Nltest.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. 
seen in Iranian MeteorExpress related attacks",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "f8095356-407c-fb04-afa9-b637495e8d2b",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218"
+ ],
+ "title": "Potentially Suspicious Cabinet File Expansion"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application\nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "f671b855-3ea9-045a-c84d-36fc3884e2c7",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0003",
+ "TA0002",
+ "T1574.001",
+ "T1574"
+ ],
+ "title": "Tasks Folder Evasion"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.\nVShadow is a command-line tool that you can use to create and manage volume shadow copies. 
While legitimate backup or administrative scripts may use this flag,\nattackers can leverage this parameter to proxy the execution of malware.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "b31f0683-91b2-ad1b-a771-24124f22e83e",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1202"
+ ],
+ "title": "Proxy Execution via Vshadow"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "403a879a-c765-af55-2a45-cce39e1f5cdb",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "PowerShell Script Run in AppData"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.\nAdversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.\nThis information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "4bfb861e-7df2-1670-f8ba-15b3d32325bf",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1047",
+ "TA0007",
+ "T1082"
+ ],
+ "title": "Potential Product Class Reconnaissance Via Wmic.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. 
This technique is often used as a method to load malicious content into memory afterward.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "d4107fed-b19a-c873-993e-db24e6528e9f",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0011",
+ "T1132.001",
+ "T1132"
+ ],
+ "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "389f8439-d42b-53a1-cb96-9387255a319f",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "TA0005",
+ "T1216",
+ "T1059"
+ ],
+ "title": "Execute Code with Pester.bat as Parent"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "7d713cf5-4d56-75d5-a689-0206993c4d03",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059.007",
+ "T1059"
+ ],
+ "title": "Potentially Suspicious Inline JavaScript Execution via NodeJS Binary"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "61dd8b58-6c93-639f-6342-1ba077ce0f45",
+ "level": "critical",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ 
"T1546.008", + "TA0004", + "T1546" + ], + "title": "Persistence Via Sticky Key Backdoor" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "event_ids": [ + "4688" + ], + "id": "4aed73e4-2a5e-b456-3e10-0b58348a0620", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1560.001", + "T1560" + ], + "title": "Compress Data and Lock With Password for Exfiltration With WINZIP" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of PktMon, a tool that captures network packets.", + "event_ids": [ + "4688" + ], + "id": "94ae2cf8-1a32-d069-3ee0-eaae5f14745e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1040" + ], + "title": "PktMon.EXE Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.", + "event_ids": [ + "4688" + ], + "id": "7badcd39-a428-768b-6bd0-e5db3b7fa90e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "TA0002" + ], + "title": "Proxy Execution Via Wuauclt.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", + "event_ids": [ + "4688" + ], + "id": "61e02907-aae8-db6e-46be-fbbed3a0a0d3", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1569.002", + "attack.s0029", + "T1569" + ], + "title": "PUA - NirCmd Execution" + }, + 
{ + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "event_ids": [ + "4688" + ], + "id": "47705ba8-0a49-a7e0-328a-4001dcc919a4", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "UAC Bypass Using MSConfig Token Modification - Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.", + "event_ids": [ + "4688" + ], + "id": "0c6e9a79-2e34-53ee-92c8-a3b0e05011d0", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0043", + "T1595" + ], + "title": "PUA - PingCastle Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.\n", + "event_ids": [ + "4688" + ], + "id": "ac70393b-10a3-1934-e063-2bff18e8a37c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0043", + "T1595" + ], + "title": "PUA - PingCastle Execution From Potentially Suspicious Parent" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", + "event_ids": [ + "4688" + ], + "id": "c4e3bdbb-aa79-5067-6b21-87a8fa83ae97", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112", + "T1562.001", + "T1562" + ], + "title": "Reg Add Suspicious Paths" + }, + { + 
"category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of \".asar\" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)\n", + "event_ids": [ + "4688" + ], + "id": "a138f860-6c01-6ff3-2c12-046799df8672", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Suspicious Electron Application Child Processes" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"wmic\" with the \"group\" flag.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "event_ids": [ + "4688" + ], + "id": "17babac2-1f37-4875-6354-a2ba383af162", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1069.001", + "T1069" + ], + "title": "Local Groups Reconnaissance Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"odbcconf\" with the \"-f\" flag in order to load a response file which might contain a malicious action.", + "event_ids": [ + "4688" + ], + "id": "711f2e81-bb48-8eaf-84ad-7a331ee0cd95", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.008", + "T1218" + ], + "title": "Response File Execution Via Odbcconf.EXE" + }, + { + "category": 
"process_creation", + "channel": [ + "sec" + ], + "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", + "event_ids": [ + "4688" + ], + "id": "06305885-4321-1104-1a1d-5f6dcddf76af", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "TA0006", + "T1003.001", + "T1218", + "T1003" + ], + "title": "Process Access via TrolleyExpress Exclusion" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "event_ids": [ + "4688" + ], + "id": "1704d7d3-0c6c-8a4d-b02a-55dd951e5f61", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Potential PowerShell Downgrade Attack" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", + "event_ids": [ + "4688" + ], + "id": "f97091ca-49b9-ea39-1091-bc06ed73b48f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021" + ], + "title": "Privilege Escalation via Named Pipe Impersonation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "event_ids": [ + "4688" + ], + "id": "65bb4129-82c6-f4f5-d2e1-7089e8799d2e", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070.005", + "T1070" + ], + "title": "Unmount Share Via Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "event_ids": [ + "4688" + ], + "id": "549eb2a1-da80-3ed5-9385-6358ef00fe24", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "T1134.001", + "T1134.003", + "T1134" + ], + "title": "HackTool - SharpImpersonation Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious or uncommon parent processes of PowerShell", + "event_ids": [ + "4688" + ], + "id": "a453a0f3-e93d-a242-f111-8c1267906414", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Parent Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects attempts to disable the Windows Firewall using PowerShell", + "event_ids": [ + "4688" + ], + "id": "bb0b061c-443d-7026-485e-32bd309fb7d9", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562" + ], + "title": "Windows Firewall Disabled via PowerShell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects non-interactive PowerShell activity by looking at the 
\"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.", + "event_ids": [ + "4688" + ], + "id": "53c6b925-8f6a-b834-1463-b4dade337d85", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Non Interactive PowerShell Process Spawned" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of 3proxy, a tiny free proxy server", + "event_ids": [ + "4688" + ], + "id": "e43a9b6c-3df8-4f97-b870-474e24033f49", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1572" + ], + "title": "PUA - 3Proxy Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", + "event_ids": [ + "4688" + ], + "id": "69f1f3b5-0009-eed3-f99e-e0db531c168b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "TA0001", + "T1047", + "T1059.001", + "T1059.003", + "T1059.005", + "T1059.007", + "T1218", + "T1218.001", + "T1218.010", + "T1218.011", + "T1566", + "T1566.001", + "T1059" + ], + "title": "HTML Help HH.EXE Suspicious Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"curl.exe\" with the \"-c\" flag in order to save cookie data.", + "event_ids": [ + "4688" + ], + "id": "ec0626ac-00c0-7cf3-223c-20d71ccd38c0", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Potential Cookies Session Hijacking" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious process patterns used in NTDS.DIT 
exfiltration", + "event_ids": [ + "4688" + ], + "id": "1fb003fd-3505-dd3d-39c9-067a836b7257", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.003", + "T1003" + ], + "title": "Suspicious Process Patterns NTDS.DIT Exfil" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "The OpenWith.exe executes other binary", + "event_ids": [ + "4688" + ], + "id": "2c25a504-0f86-ca3f-43e0-5a40240a81fd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "OpenWith.exe Executes Specified Binary" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \".xbap\" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious \".xbap\" files any bypass AWL\n", + "event_ids": [ + "4688" + ], + "id": "7466d932-270d-a4c2-5851-05e1557ee730", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218" + ], + "title": "XBAP Execution From Uncommon Locations Via PresentationHost.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses", + "event_ids": [ + "4688" + ], + "id": "9bfa1ffb-5b30-0951-fa5a-9746a98f1a6a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Sysinternals PsSuspend Suspicious Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the WMI class \"Win32_NTEventlogFile\" 
in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script", + "event_ids": [ + "4688" + ], + "id": "fdb2c7f2-63dc-72cd-5261-f3ab65d5d157", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", + "event_ids": [ + "4688" + ], + "id": "a23f9412-323f-fd1c-1c72-ac38fdedc079", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.003", + "T1546" + ], + "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.\nNode.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.\nAdversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.\nBecause Node.js is commonly used, this rule may generate false positives in some environments. 
However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.\n", + "event_ids": [ + "4688" + ], + "id": "5b59cdaa-a618-5038-0573-2902a6798a29", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.007", + "T1059" + ], + "title": "NodeJS Execution of JavaScript File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", + "event_ids": [ + "4688" + ], + "id": "5fc3dbcc-6777-a314-9939-6cb33e4afe74", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1090", + "attack.s0040" + ], + "title": "HackTool - Htran/NATBypass Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Local accounts, System Owner/User discovery using operating systems utilities", + "event_ids": [ + "4688" + ], + "id": "70d8efc3-4098-d71c-be3c-59f75ccb6019", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1033", + "T1087.001", + "T1087" + ], + "title": "Local Accounts Discovery" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"reg.exe\" to alter registry keys that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", + "event_ids": [ + "4688" + ], + "id": "e2ba6258-28e5-71a1-3cb2-d13b881841dc", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0040", + "T1112", + "T1491.001", + "T1491" + ], + "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE" + }, + 
{ + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a copy command or a copy utility execution to or from an Admin share or remote", + "event_ids": [ + "4688" + ], + "id": "6646eced-c21d-4c5f-dae2-0a7a43be1d5c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0009", + "TA0010", + "T1039", + "T1048", + "T1021.002", + "T1021" + ], + "title": "Copy From Or To Admin Share Or Sysvol Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of a new service using powershell.", + "event_ids": [ + "4688" + ], + "id": "97bbdb27-032d-af8b-7a1a-2e826f3f9b02", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1543.003", + "T1543" + ], + "title": "New Service Creation Using PowerShell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of SecurityXploded Tools", + "event_ids": [ + "4688" + ], + "id": "0cb1943b-75df-d254-4a36-58c1dc6a3f97", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1555" + ], + "title": "HackTool - SecurityXploded Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the PowerShell command lines with special characters", + "event_ids": [ + "4688" + ], + "id": "8f07f78d-22f4-9cc9-b3fb-8d8c7b056395", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1027", + "T1059.001", + "T1059" + ], + "title": "Potential PowerShell Command Line Obfuscation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a \"Get-Process\" cmdlet and it's aliases on 
lsass process, which is in almost all cases a sign of malicious activity", + "event_ids": [ + "4688" + ], + "id": "0ac2cb1c-3284-c46e-dd61-1fd81302ad3c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1552.004", + "T1552" + ], + "title": "PowerShell Get-Process LSASS" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "event_ids": [ + "4688" + ], + "id": "ccbdac70-917f-7393-ee60-cc1586b03137", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1543.003", + "T1543" + ], + "title": "Suspicious New Service Creation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", + "event_ids": [ + "4688" + ], + "id": "aac97665-0e43-e14b-bc3c-bbefd72790dd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "TA0002" + ], + "title": "Execute MSDT Via Answer File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "event_ids": [ + "4688" + ], + "id": "0114b671-6245-50f6-97b3-693945ab45cc", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects 
execution of \"WerFault.exe\" with the \"-pr\" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow", + "event_ids": [ + "4688" + ], + "id": "6fed31ac-e26c-8668-fed8-9145c0f0cb2b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1036" + ], + "title": "Potential ReflectDebugger Content Execution Via WerFault.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", + "event_ids": [ + "4688" + ], + "id": "e5dce32e-6986-6417-4a01-aea6093f1e87", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105", + "TA0005", + "T1564.004", + "T1564" + ], + "title": "PrintBrm ZIP Creation of Extraction" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "event_ids": [ + "4688" + ], + "id": "469a9d6a-0e9f-492d-9e3a-e0f35762874e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1555.003", + "T1555" + ], + "title": "Potential Browser Data Stealing" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET 
\"reflection.assembly\"", + "event_ids": [ + "4688" + ], + "id": "37ebc902-d86f-808a-3790-0d2051db2e46", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1059.001", + "T1027", + "T1059" + ], + "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.\nThis can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.\n", + "event_ids": [ + "4688" + ], + "id": "55a1a7a8-02ee-7df8-a5e6-387dda75fc16", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1202" + ], + "title": "Indirect Command Execution From Script File Via Bash.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", + "event_ids": [ + "4688" + ], + "id": "c73c2af1-f71f-fcf6-7d69-8930f2b95d96", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1055" + ], + "title": "Suspicious Rundll32 Invoking Inline VBScript" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", + "event_ids": [ + "4688" + ], + "id": "ac40503f-520c-79c6-d0e8-3a32c8cec7eb", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047", + "car.2016-03-002" + ], + "title": "Hardware Model 
Reconnaissance Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "event_ids": [ + "4688" + ], + "id": "cec3aeb1-8e95-5fa2-4566-9463115e48b2", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1574.001", + "T1574" + ], + "title": "Suspicious GUP Usage" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.", + "event_ids": [ + "4688" + ], + "id": "9443f6eb-9423-8b8f-335d-61cab9a1d680", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. 
This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", + "event_ids": [ + "4688" + ], + "id": "53138fa3-42f4-bab3-4939-cdc55f014842", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.006", + "T1564" + ], + "title": "Virtualbox Driver Installation or Starting of VMs" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects changes to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.\n", + "event_ids": [ + "4688" + ], + "id": "314ca2e6-e324-0e58-b1e7-2d38858b534a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.002", + "T1564" + ], + "title": "Hiding User Account Via SpecialAccounts Registry Key - CommandLine" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.", + "event_ids": [ + "4688" + ], + "id": "42b13785-107e-7eb5-074f-9d1ca751c065", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "TA0002", + "T1059" + ], + "title": "Elevated System Shell Spawned From Uncommon Parent Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the enumeration and query of interesting and in some cases sensitive services on the system via \"sc.exe\".\nAttackers often try to enumerate the services currently running on a system in order to find different attack vectors.\n", + "event_ids": [ + "4688" + ], + "id": 
"75a50ccd-ba64-66cd-de19-003e2f044761", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1003", + "TA0006" + ], + "title": "Interesting Service Enumeration Via Sc.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.", + "event_ids": [ + "4688" + ], + "id": "89dbe2e8-d793-a90f-ede7-4e29c886f987", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1087.002", + "T1069.002", + "T1482", + "T1069", + "T1087" + ], + "title": "Suspicious Active Directory Database Snapshot Via ADExplorer" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)\n", + "event_ids": [ + "4688" + ], + "id": "bd0d2f25-0055-04fe-5229-5ddc996bcdaa", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1490" + ], + "title": "Sensitive File Access Via Volume Shadow Copy Backup" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", + "event_ids": [ + "4688" + ], + "id": "07d9d3ee-e3e8-9005-68ba-2e1c50fd018b", + "level": "low", + "service": 
"", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1112", + "TA0005" + ], + "title": "Registry Modification Via Regini.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects dump of credentials in VeeamBackup dbo", + "event_ids": [ + "4688" + ], + "id": "9a714c62-1669-9a37-eb23-3aca9c2ca26e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1005" + ], + "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", + "event_ids": [ + "4688" + ], + "id": "c7a2ef80-f915-79f0-1ce3-bf61d570a990", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.003", + "T1059" + ], + "title": "Operator Bloopers Cobalt Strike Modules" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", + "event_ids": [ + "4688" + ], + "id": "7d6acc1b-aef6-8fb8-8b37-50e258273f6a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Net WebClient Casing Anomalies" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the SysInternals Procdump utility", + "event_ids": [ + "4688" + ], + "id": "9dd8cfb3-e15d-dfe4-ac54-004a540f3279", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "T1003.001", + "TA0006", + "T1003" + ], + "title": "Procdump Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of WinRAR in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.", + "event_ids": [ + "4688" + ], + "id": "4c7b96eb-1897-7935-762d-58700203bb94", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1560.001", + "T1560" + ], + "title": "Winrar Compressing Dump Files" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", + "event_ids": [ + "4688" + ], + "id": "5c8771ec-db48-4d8e-8701-02680fde2531", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1615" + ], + "title": "Gpresult Display Group Policy Information" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of powershell commands from headless ConHost window.\nThe \"--headless\" flag 
hides the windows from the user upon execution.\n", + "event_ids": [ + "4688" + ], + "id": "0df72588-414b-1bc3-7b9d-ea4a01af56db", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1059.001", + "T1059.003", + "T1564.003", + "T1059", + "T1564" + ], + "title": "Powershell Executed From Headless ConHost Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Attackers can use print.exe for remote file copy", + "event_ids": [ + "4688" + ], + "id": "6e8f01f5-1282-1217-9c7a-9b84824e30a7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Abusing Print Executable" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects ScreenConnect program starts that establish a remote access to a system.", + "event_ids": [ + "4688" + ], + "id": "16e1adf7-4ed1-54b8-0031-41fd83c53349", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1133" + ], + "title": "Remote Access Tool - ScreenConnect Installation Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.", + "event_ids": [ + "4688" + ], + "id": "84707330-6ce4-b159-4432-712646f49a7b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Arbitrary File Download Via GfxDownloadWrapper.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and 
injects code into the process memory space.", + "event_ids": [ + "4688" + ], + "id": "bb0ae7bd-c963-0404-061e-ae3c6b866830", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1055" + ], + "title": "Suspect Svchost Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "event_ids": [ + "4688" + ], + "id": "ae65ef8c-318b-89f9-30d3-1f3bcfab81e9", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005", + "TA0004", + "T1574.011", + "T1574" + ], + "title": "Possible Privilege Escalation via Weak Service Permissions" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "event_ids": [ + "4688" + ], + "id": "683820e7-ec9c-fd2b-4e30-d67656765081", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Potential Suspicious Windows Feature Enabled - ProcCreation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", + "event_ids": [ + "4688" + ], + "id": "7e75fbd5-4501-e7c8-deb1-b24ea8448793", + "level": "medium", + "service": "", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Fsutil Behavior Set SymlinkEvaluation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the enabling of the Windows Recall feature via registry manipulation.\nWindows Recall can be enabled by deleting the existing \"DisableAIDataAnalysis\" value, or setting it to 0.\nAdversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\nThis rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.\n", + "event_ids": [ + "4688" + ], + "id": "3be2ca2a-e70a-49c3-7d32-ac25c979e199", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1113" + ], + "title": "Windows Recall Feature Enabled Via Reg.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.\nWhen the job runs on the system the command specified in the BITS job will be executed.\nThis can be abused by actors to create a backdoor within the system and for persistence.\nIt will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.\n", + "event_ids": [ + "4688" + ], + "id": "b6abae48-2937-b8aa-70ef-ae27212059c5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1197" + ], + "title": "Monitoring For Persistence Via BITS" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on 
locations.\n", + "event_ids": [ + "4688" + ], + "id": "8578ef59-9a77-e58f-416e-a109c066b60e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036.003", + "T1036" + ], + "title": "LOL-Binary Copied From System Directory" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", + "event_ids": [ + "4688" + ], + "id": "5ede905b-ba07-4607-d2f1-ae3b552a752f", + "level": "informational", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1202" + ], + "title": "Suspicious High IntegrityLevel Conhost Legacy Option" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", + "event_ids": [ + "4688" + ], + "id": "d3b62eee-982b-e3f3-e106-d83048e4cf0d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.002", + "T1003" + ], + "title": "HackTool - Pypykatz Credentials Dumping Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Access to Domain Group Policies stored in SYSVOL", + "event_ids": [ + "4688" + ], + "id": "9eaaf7c3-c142-31ba-f615-52ed6de31344", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1552.006", + "T1552" + ], + "title": "Suspicious SYSVOL Domain Group Policy Access" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.", + "event_ids": [ + "4688" + ], + "id": "468cc04c-7017-cf17-29f4-4d2845397d91", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1113" + ], + "title": "Screen Capture Activity Via Psr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious parent process for cmd.exe", + "event_ids": [ + "4688" + ], + "id": "370b959a-526f-4355-c41d-8388206d423a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Unusual Parent Process For Cmd.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the Impersonate tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "event_ids": [ + "4688" + ], + "id": "49f7221b-6487-9808-ded9-4019dfe83e80", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "T1134.001", + "T1134.003", + "T1134" + ], + "title": "HackTool - Impersonate Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", + "event_ids": [ + "4688" + ], + "id": "c9c7afb7-56ad-a3b2-ad8a-727beaa81d41", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1569.002", + "attack.s0029", + "T1569" + ], + "title": "PUA - RunXCmd Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the start of a non built-in assistive technology applications via \"Atbroker.EXE\".", + "event_ids": [ + "4688" + ], + "id": "d5a94ccf-58fd-7481-3683-e59fbf33e8c1", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Uncommon Assistive Technology Applications Execution Via AtBroker.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects new process creation using WMIC via the \"process call create\" flag", + "event_ids": [ + "4688" + ], + "id": "cac49200-88c2-7917-c315-8a2e0981b42a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047", + "car.2016-03-002" + ], + "title": "New Process Created Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects command line parameters used by Koadic 
hack tool", + "event_ids": [ + "4688" + ], + "id": "21709122-92d3-408a-ce43-7f0ab256c315", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.003", + "T1059.005", + "T1059.007", + "T1059" + ], + "title": "HackTool - Koadic Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.", + "event_ids": [ + "4688" + ], + "id": "d7bb3d76-50b6-1c43-cbaf-4f1600e03c9c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047", + "T1059.001", + "T1059" + ], + "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims\n", + "event_ids": [ + "4688" + ], + "id": "912e3077-a6e6-c6a3-649e-01cf0d496eb3", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1546.011", + "T1546" + ], + "title": "Uncommon Extension Shim Database Installation Via Sdbinst.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.", + "event_ids": [ + "4688" + ], + "id": "00ca290b-102c-83b3-ff90-2781c070cf8e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "TA0003", + "T1219.002", + "T1219" + ], + "title": "Potential Amazon SSM Agent Hijacking" + }, + { + 
"category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", + "event_ids": [ + "4688" + ], + "id": "80fc60a3-3570-d8c6-9ee9-d527bfd15b84", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1082" + ], + "title": "Uncommon System Information Discovery Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC", + "event_ids": [ + "4688" + ], + "id": "09c3b6b8-4904-bec5-4fc1-d69447e6ff3b", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036" + ], + "title": "New Process Created Via Taskmgr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "event_ids": [ + "4688" + ], + "id": "04ee126c-89e1-9dfa-1863-5f42fde61c35", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1222.001", + "T1222" + ], + "title": "Suspicious Recursive Takeown" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"whoami.exe\" with the \"/FO\" flag to choose CSV as output format or with redirection options to export the results to a file for later use.", + "event_ids": [ + "4688" + ], + "id": 
"9e0f0c37-ffdb-1903-192f-5f8056bd407a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1033", + "car.2016-03-001" + ], + "title": "Whoami.EXE Execution With Output Option" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious process run from unusual locations", + "event_ids": [ + "4688" + ], + "id": "1e2a7e53-8c4f-8c72-f7cc-26dca620d1c8", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "car.2013-05-002" + ], + "title": "Suspicious Process Start Locations" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.", + "event_ids": [ + "4688" + ], + "id": "e20cb030-7e44-e3e0-0314-4f07eae201d0", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027.004", + "T1027" + ], + "title": "Dynamic .NET Compilation Via Csc.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"VSDiagnostics.exe\" with the \"start\" command in order to launch and proxy arbitrary binaries.", + "event_ids": [ + "4688" + ], + "id": "ef5024d5-3303-f180-2b6c-186303099c26", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Potential Binary Proxy Execution Via VSDiagnostics.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects calls to \"SyncInvoke\" that is part of the \"CL_Invocation.ps1\" script to proxy execution using \"System.Diagnostics.Process\"", + "event_ids": [ + "4688" + ], + "id": 
"8b1a1dbd-8084-e219-f9ee-15c286aab6c9", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1216" + ], + "title": "Potential Process Execution Proxy Via CL_Invocation.ps1" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", + "event_ids": [ + "4688" + ], + "id": "c918e9f3-229d-19b9-a50f-408e5811b033", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "HackTool - CreateMiniDump Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of scheduled tasks by user accounts via the \"schtasks\" utility.", + "event_ids": [ + "4688" + ], + "id": "c7b9e6e8-4212-b14e-b622-503d7c760107", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "TA0004", + "T1053.005", + "attack.s0111", + "car.2013-08-001", + "stp.1u", + "T1053" + ], + "title": "Scheduled Task Creation Via Schtasks.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. 
Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "event_ids": [ + "4688" + ], + "id": "bddf8e50-854c-b536-b42e-72e80d7115da", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.001", + "T1546" + ], + "title": "Change Default File Association To Executable Via Assoc" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", + "event_ids": [ + "4688" + ], + "id": "6b169ef1-e760-a417-0794-dc36e56ea984", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious file downloads directly from IP addresses using curl.exe", + "event_ids": [ + "4688" + ], + "id": "a404c83b-51de-a308-f6fc-659d55a00b6c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Suspicious File Download From IP Via Curl.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Shadow Copies storage symbolic link creation using operating systems utilities", + "event_ids": [ + "4688" + ], + "id": "52b94cb0-304c-59f3-ca56-497db104688c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.002", + "T1003.003", + "T1003" + ], + "title": "VolumeShadowCopy Symlink Creation Via Mklink" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + 
"description": "Detects the execution of the \"msxsl\" binary with an \"http\" keyword in the command line. This might indicate a potential remote execution of XSL files.", + "event_ids": [ + "4688" + ], + "id": "8bb8dbbf-4781-7bf2-3340-f3b39cc8501a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1220" + ], + "title": "Remote XSL Execution Via Msxsl.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious powershell command line parameters used in Empire", + "event_ids": [ + "4688" + ], + "id": "5f6038bc-96f3-de3a-2b59-fb22aefe871a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "HackTool - Empire PowerShell Launch Parameters" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the stopping of a Windows service via the PowerShell Cmdlet \"Stop-Service\"", + "event_ids": [ + "4688" + ], + "id": "c53a6656-ecdc-89f8-742f-0455f2ed3c64", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1489" + ], + "title": "Stop Windows Service Via PowerShell Stop-Service" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", + "event_ids": [ + "4688" + ], + "id": "9ea6664e-70c1-5f36-42c2-1fdb75330fb7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Potentially 
Suspicious CMD Shell Output Redirect" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of SharpMove, a .NET utility performing multiple tasks such as \"Task Creation\", \"SCM\" query, VBScript execution using WMI via its PE metadata and command line options.\n", + "event_ids": [ + "4688" + ], + "id": "a7c815fc-1c17-fb9b-3993-9508f7fe6f3f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1021" + ], + "title": "HackTool - SharpMove Tool Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "event_ids": [ + "4688" + ], + "id": "b99e1330-4add-8df6-a3ab-1425cde93e31", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1119", + "TA0006", + "T1552.001", + "T1552" + ], + "title": "Automated Collection Command Prompt" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when a user downloads a file by using CertOC.exe", + "event_ids": [ + "4688" + ], + "id": "ae801fc7-f16f-247e-f3da-918f64136e9d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "File Download via CertOC.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.", + "event_ids": [ + "4688" + ], + "id": "77495bbc-a90d-6112-a1bf-c357d3b901fd", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "LOLBIN Execution From Abnormal Drive" + }, 
+ { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "An adversary might use WMI to discover information about the system, such as the volume name, size,\nfree space, and other disk information. This can be done using the `wmic` command-line utility and has been\nobserved being used by threat actors such as Volt Typhoon.\n", + "event_ids": [ + "4688" + ], + "id": "f880519f-4419-7762-c6d0-7676fd2192a9", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0007", + "T1047", + "T1082" + ], + "title": "System Disk And Volume Reconnaissance Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the \"systeminfo\" command to retrieve information", + "event_ids": [ + "4688" + ], + "id": "4304f0ae-3682-de08-b8f4-d768ac9cb749", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1082" + ], + "title": "Suspicious Execution of Systeminfo" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detection of unusual child processes by different system processes", + "event_ids": [ + "4688" + ], + "id": "4411c966-d5e0-1715-f458-2221d89b7eee", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1548" + ], + "title": "Abused Debug Privilege by Arbitrary Parent Processes" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access", + "event_ids": [ + "4688" + ], + "id": "b3de6fc6-2aa5-32aa-2172-7e989f524bb1", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Suspicious Invoke-WebRequest 
Execution With DirectIP" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", + "event_ids": [ + "4688" + ], + "id": "1adbdfce-5fe9-9717-cc78-42b380893e97", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.001", + "T1546" + ], + "title": "Change Default File Association Via Assoc" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.", + "event_ids": [ + "4688" + ], + "id": "602c5e30-f2c0-b275-aab7-2e95c70b2883", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Ruby Inline Command Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. 
This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.", + "event_ids": [ + "4688" + ], + "id": "96fd693f-cd31-d232-84e6-212a9dd1c530", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "File Download From Browser Process Via Inline URL" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious encoded character syntax often used for defense evasion", + "event_ids": [ + "4688" + ], + "id": "e0e9ccfe-20b3-2dca-ffe5-0e6c86ad22bc", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "TA0005", + "T1027", + "T1059" + ], + "title": "Potential PowerShell Obfuscation Via WCHAR/CHAR" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"curl.exe\" with the \"--insecure\" flag.", + "event_ids": [ + "4688" + ], + "id": "4308f710-0e58-712f-6781-9323b7dc779e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Insecure Transfer Via Curl.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "event_ids": [ + "4688" + ], + "id": "9e12c2cd-fa32-33a2-e894-455cfcbb3680", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027.009", + "T1027" + ], + "title": "Powershell Token Obfuscation - Process Creation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) 
via command line", + "event_ids": [ + "4688" + ], + "id": "85c1b693-1ea8-0d6c-249a-3a2bffdd4bb4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007" + ], + "title": "Obfuscated IP Via CLI" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", + "event_ids": [ + "4688" + ], + "id": "79657164-232b-d42a-7eab-1d9b88196e7a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "T1218" + ], + "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "event_ids": [ + "4688" + ], + "id": "de663faa-aac0-dab6-a4b3-8d8c8a00ef96", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1090.001", + "T1090" + ], + "title": "PUA - Chisel Tunneling Tool Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. 
log4j)", + "event_ids": [ + "4688" + ], + "id": "095ae799-3f3b-554f-3c83-f8d48e711e72", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "TA0003", + "TA0004" + ], + "title": "Suspicious Processes Spawned by Java.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "event_ids": [ + "4688" + ], + "id": "0a237495-b305-87bb-8e26-417ba98a4546", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0003", + "T1546.008", + "car.2014-11-003", + "car.2014-11-008", + "T1546" + ], + "title": "Sticky Key Like Backdoor Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", + "event_ids": [ + "4688" + ], + "id": "d9505c25-324b-3a98-4f63-55ba6b677e07", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1134.001", + "T1134.002", + "T1134" + ], + "title": "Potential Meterpreter/CobaltStrike Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "event_ids": [ + "4688" + ], + "id": "17d5818d-8b83-0d06-600a-d4adc1b2f136", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002" + ], + "title": "Wab/Wabmig Unusual Parent Or Child Processes" + }, + { + "category": "process_creation", + 
"channel": [ + "sec" + ], + "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", + "event_ids": [ + "4688" + ], + "id": "0e51a9f2-52ef-1f9a-cd41-f229ac148283", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1112", + "TA0005" + ], + "title": "Suspicious Registry Modification From ADS Via Regini.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", + "event_ids": [ + "4688" + ], + "id": "c095d894-f021-b42f-054d-9727ada91e6a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "TA0011", + "T1104", + "T1105", + "T1059" + ], + "title": "PowerShell DownloadFile" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.", + "event_ids": [ + "4688" + ], + "id": "2f7ca8a6-7f75-cecd-494a-76a83910eac9", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.010", + "T1218" + ], + "title": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.", + "event_ids": [ + "4688" + ], + "id": "cb9078dd-dd0d-01f3-eee3-a3dfddf5858e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Suspicious Execution Location Of Wermgr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + 
"description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"", + "event_ids": [ + "4688" + ], + "id": "c748889d-9dac-b46a-4f1b-812efb97e670", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Service StartupType Change Via PowerShell Set-Service" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", + "event_ids": [ + "4688" + ], + "id": "1441d7b2-4429-f275-3f6d-ba7c9718c13b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1012", + "T1007" + ], + "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet", + "event_ids": [ + "4688" + ], + "id": "2c2b3870-6e31-b098-9771-e14231da412e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Tamper Windows Defender Remove-MpPreference" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) 
that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands\n", + "event_ids": [ + "4688" + ], + "id": "9295c6c5-8012-1bb1-6460-1440670cc734", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1505.003", + "T1505" + ], + "title": "Webshell Tool Reconnaissance Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", + "event_ids": [ + "4688" + ], + "id": "9c2f40db-46e4-85f0-3104-427e61b344a1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Suspicious Program Names" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", + "event_ids": [ + "4688" + ], + "id": "8f82ce6b-dc46-1b1e-3024-baa24253e735", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1055.001", + "T1055" + ], + "title": "Potential DLL Injection Or Execution Using Tracker.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a service binary running in a suspicious directory", + "event_ids": [ + "4688" + ], + "id": "4083d5ce-5bfd-6eca-7ad7-6ab633bbc01f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1202" + ], + "title": "Suspicious Service Binary Directory" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the BCP utility in order to export data from the database.\nAttackers were seen saving their 
malware to a database column or table and then later extracting it via \"bcp.exe\" into a file.\n", + "event_ids": [ + "4688" + ], + "id": "c7c4727f-4a16-4625-f1f0-4d6a7b7eb808", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0010", + "T1048" + ], + "title": "Data Export From MSSQL Table Via BCP.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of a specific OneLiner to download and execute powershell modules in memory.", + "event_ids": [ + "4688" + ], + "id": "5656cdf4-b7e5-dbcf-3fc4-2d935d5999cd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1059.001", + "T1562.001", + "T1562", + "T1059" + ], + "title": "Obfuscated PowerShell OneLiner Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"BitLockerToGo.EXE\".\nBitLocker To Go is BitLocker Drive Encryption on removable data drives. 
This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.\nThis is a rarely used application and usage of it at all is worth investigating.\nMalware such as Lumma stealer has been seen using this process as a target for process hollowing.\n", + "event_ids": [ + "4688" + ], + "id": "7c5a0957-44c3-19d6-fbb2-bf2ea7ba0a36", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "BitLockerTogo.EXE Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", + "event_ids": [ + "4688" + ], + "id": "091f16dc-7243-8589-626d-3f1fa16f326b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "T1202", + "T1027.003", + "T1027" + ], + "title": "Findstr Launching .lnk File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "event_ids": [ + "4688" + ], + "id": "735b333c-168f-1517-ce6e-44604578243f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1127" + ], + "title": "Use of Wfc.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects possible execution via LNK file accessed on a WebDAV server.", + "event_ids": [ + "4688" + ], + "id": "a2325ec9-0dd9-e21d-c39b-3e8dc0f36213", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1204", + "T1059" + 
], + "title": "Potentially Suspicious WebDAV LNK Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.", + "event_ids": [ + "4688" + ], + "id": "aa1b5f1a-0f18-adfb-7274-ca82c7711c36", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1115" + ], + "title": "Data Copied To Clipboard Via Clip.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", + "event_ids": [ + "4688" + ], + "id": "f4b9cf98-c3c6-4a42-a20e-6728d79f8fec", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.004", + "T1562" + ], + "title": "Firewall Rule Deleted Via Netsh.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "event_ids": [ + "4688" + ], + "id": "40795b72-f1da-c1a0-035c-56ecfca25ca3", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1518" + ], + "title": "Detected Windows Software Discovery" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects wscript/cscript executions of scripts located in user directories", + "event_ids": [ + "4688" + ], + "id": "4b713aaa-d275-9bdc-3492-6a1d3582348c", + "level": "medium", + "service": "", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.005", + "T1059.007", + "T1059" + ], + "title": "Potential Dropper Script Execution Via WScript/CScript" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects AdFind execution with common flags seen used during attacks", + "event_ids": [ + "4688" + ], + "id": "241ae810-4742-fb7e-24a5-9fe5b120827a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1018", + "T1087.002", + "T1482", + "T1069.002", + "stp.1u", + "T1087", + "T1069" + ], + "title": "PUA - AdFind Suspicious Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "event_ids": [ + "4688" + ], + "id": "d9d5da14-1719-381f-170e-e347318f764f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1059", + "T1202" + ], + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", + "event_ids": [ + "4688" + ], + "id": "7fd1971c-8117-58b7-9bfd-d42cda435945", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0006", + "T1212" + ], + "title": "Suspicious NTLM Authentication on the Printer Spooler Service" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects scheduled task creation using \"schtasks\" that contain potentially suspicious or uncommon commands", + "event_ids": [ + "4688" + ], + "id": 
"7c9f3379-969f-2e9a-5a03-cc75e44fffd0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1053.005", + "T1053" + ], + "title": "Suspicious Command Patterns In Scheduled Task Creation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n", + "event_ids": [ + "4688" + ], + "id": "ff580d50-30ff-1e98-ec8c-c70512d70b55", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1074.001", + "T1074" + ], + "title": "Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", + "event_ids": [ + "4688" + ], + "id": "ff27f8e8-0d0c-7ee1-fc19-a2d8cd69186a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0006", + "T1649" + ], + "title": "HackTool - Certify Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", + "event_ids": [ + "4688" + ], + "id": "74925938-de32-0417-5a62-b63a5d0dd01a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": 
[ + "TA0005", + "TA0002", + "T1127", + "T1059.007", + "T1059" + ], + "title": "Node Process Executions" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", + "event_ids": [ + "4688" + ], + "id": "063b6d5e-3f4e-c3a0-f506-0f8296b9eec4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "PsExec Service Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.\nAdversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.\n", + "event_ids": [ + "4688" + ], + "id": "1ba53115-a14d-1c17-6fc0-2239bc5c4ed6", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1220" + ], + "title": "Msxsl.EXE Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", + "event_ids": [ + "4688" + ], + "id": "3412c13e-f0d6-c967-da33-0c43c8817356", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070", + "T1562", + "T1562.002" + ], + "title": "Sysmon Driver Unloaded Via Fltmc.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", + "event_ids": [ + "4688" + ], + "id": "f35bf333-81f6-500b-dc59-92da984b5ea2", 
+ "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Suspicious Certreq Command to Download" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects PowerShell commands that decrypt an \".LNK\" \"file to drop the next stage of the malware.", + "event_ids": [ + "4688" + ], + "id": "6b615673-d368-2deb-8281-a7ff75887a8c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "PowerShell Execution With Potential Decryption Capabilities" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a Windows command line executable started from MMC", + "event_ids": [ + "4688" + ], + "id": "cf0e4cea-8b93-73a0-c4f6-1d496da38fea", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.003", + "T1021" + ], + "title": "MMC Spawning Windows Shell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", + "event_ids": [ + "4688" + ], + "id": "e9360920-9296-fc5f-1231-e443387e7381", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1558.003", + "T1558" + ], + "title": "HackTool - KrbRelay Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of SoftPerfect's \"netscan.exe\". 
An application for scanning networks.\nIt is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.\n", + "event_ids": [ + "4688" + ], + "id": "d14c21ed-9fb4-dd37-d9a0-df7cd5f8092b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1046" + ], + "title": "PUA - SoftPerfect Netscan Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", + "event_ids": [ + "4688" + ], + "id": "c94695cb-a047-b9fd-ad81-7c51224d6fd0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "TA0002" + ], + "title": "Execute Pcwrun.EXE To Leverage Follina" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "event_ids": [ + "4688" + ], + "id": "3ff6fb4d-1767-844e-dbf0-3bfa8dd55d56", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "UAC Bypass Using Windows Media Player - Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location", + "event_ids": [ + "4688" + ], + "id": "d14f893b-1931-f274-ce30-147d8cca81fb", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.009", + "T1218" + ], + "title": "Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location" + }, + { + "category": 
"process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript", + "event_ids": [ + "4688" + ], + "id": "c5a82926-ad38-8cac-850a-dcc4d26f5660", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.005", + "TA0005", + "T1218", + "T1202", + "T1059" + ], + "title": "Suspicious Child Process Of BgInfo.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", + "event_ids": [ + "4688" + ], + "id": "0d0facfd-ddef-e44b-f118-c42aff14db7a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "TA0005", + "T1027", + "T1059" + ], + "title": "PowerShell Base64 Encoded Invoke Keyword" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects indicators of a UAC bypass method by mocking directories", + "event_ids": [ + "4688" + ], + "id": "6ffb15be-b4f1-f105-4d90-0797b05c1838", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1548.002", + "T1548" + ], + "title": "TrustedPath UAC Bypass Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", + "event_ids": [ + "4688" + ], + "id": "024e903d-9124-23ff-2ce8-f59651a961ea", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0006", + "T1557.001", + "T1557" + ], + "title": "Potential SMB Relay Attack Tool Execution" + }, + { + "category": "process_creation", + 
"channel": [ + "sec" + ], + "description": "Detects the use of Windows Defender MpCmdRun.EXE to download files", + "event_ids": [ + "4688" + ], + "id": "b331fafb-1ddd-52ca-9bc6-1ef1b08828b0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "TA0011", + "T1105" + ], + "title": "File Download Via Windows Defender MpCmpRun.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", + "event_ids": [ + "4688" + ], + "id": "ee690e64-5c3d-8ec8-e9eb-fd7af8b36bf0", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Service StartupType Change Via Sc.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", + "event_ids": [ + "4688" + ], + "id": "f7214fe4-985b-b820-4816-01cc5cd40601", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "HackTool - SafetyKatz Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file", + "event_ids": [ + "4688" + ], + "id": "b089b249-149b-dfae-0fa9-53aef8435346", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Mstsc.EXE Execution With Local RDP File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects command line activity that tries to clear or disable any ETW 
trace log which could be a sign of logging evasion.\n", + "event_ids": [ + "4688" + ], + "id": "c1477cd5-ccf1-5649-1688-b3fc9ce45594", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070", + "T1562.006", + "car.2016-04-002", + "T1562" + ], + "title": "ETW Trace Evasion Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects requests to disable Microsoft Defender features using PowerShell commands", + "event_ids": [ + "4688" + ], + "id": "0fe943e0-d659-589c-d734-689f0f7de8e7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Powershell Defender Disable Scan Feature" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an uncommon svchost parent process", + "event_ids": [ + "4688" + ], + "id": "057c8ea6-1759-bf0b-4271-d71dfc700239", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036.005", + "T1036" + ], + "title": "Uncommon Svchost Parent Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. 
This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.", + "event_ids": [ + "4688" + ], + "id": "f827f8f1-fb4f-4e87-e688-b05d54c996ad", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0002", + "T1053.005", + "TA0011", + "T1053" + ], + "title": "Potential SSH Tunnel Persistence Install Using A Scheduled Task" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", + "event_ids": [ + "4688" + ], + "id": "f5338a44-bd1b-81a7-3b76-7e2efbe1ce0d", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "HackTool - Inveigh Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. 
This behavior could be indicative of potential defense evasion attempt during persistence", + "event_ids": [ + "4688" + ], + "id": "57b77c31-00b9-0cc8-2bba-b8620f34a730", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003", + "T1036.005", + "T1053.005", + "T1036", + "T1053" + ], + "title": "Suspicious Scheduled Task Creation via Masqueraded XML File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "event_ids": [ + "4688" + ], + "id": "f9558484-5f9f-17f3-06a0-774afccc35e1", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "TA0005", + "T1216", + "T1059" + ], + "title": "Execute Code with Pester.bat" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", + "event_ids": [ + "4688" + ], + "id": "b77adf00-db71-5767-769e-2ba7c942d820", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Lolbin Runexehelper Use As Proxy" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.\n", + "event_ids": [ + "4688" + ], + "id": "f82366e8-2ece-fea5-4f56-18d49f3c6aef", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1558.003", + "T1558" + ], + "title": "HackTool - RemoteKrbRelay Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects command line parameters used by Bloodhound and 
Sharphound hack tools", + "event_ids": [ + "4688" + ], + "id": "37366c60-8aea-e3e5-bae7-3c24e54f629b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1087.001", + "T1087.002", + "T1482", + "T1069.001", + "T1069.002", + "TA0002", + "T1059.001", + "T1069", + "T1059", + "T1087" + ], + "title": "HackTool - Bloodhound/Sharphound Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", + "event_ids": [ + "4688" + ], + "id": "0005a605-5e4a-5704-75bf-485dbd31aa9a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1482" + ], + "title": "Domain Trust Discovery Via Dsquery" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", + "event_ids": [ + "4688" + ], + "id": "ba78b609-b5f0-41e2-1081-e3424cdfe02d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1216.001", + "T1216" + ], + "title": "Launch-VsDevShell.PS1 Proxy Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", + "event_ids": [ + "4688" + ], + "id": "be670d5c-31eb-7391-4d2e-d122c89cd5bb", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003", + "T1558.003", + "TA0008", + "T1550.003", + "T1558", + "T1550" + ], + "title": "HackTool - Rubeus Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an unexpected process spawning from dns.exe which may 
indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "event_ids": [ + "4688" + ], + "id": "256784a9-8cdb-2cfd-8363-95ac15a61e9c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1133" + ], + "title": "Unusual Child Process of dns.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects WmiPrvSE spawning a process", + "event_ids": [ + "4688" + ], + "id": "26773337-b821-6c5b-2c1f-2e6cca581b84", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "WmiPrvSE Spawned A Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects child processes of the \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) which can abused to execute arbitrary binaries.", + "event_ids": [ + "4688" + ], + "id": "62ff6ff0-2ab6-4498-2d8a-7aaf4d8bdbb1", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1127" + ], + "title": "Potential Mftrace.EXE Abuse" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of a potential recon command where the results are piped to \"findstr\". 
This is meant to trigger on inline calls of \"cmd.exe\" via the \"/c\" or \"/k\" for example.\nAttackers often time use this technique to extract specific information they require in their reconnaissance phase.\n", + "event_ids": [ + "4688" + ], + "id": "afc0e7da-4e96-1953-3fa3-8e9112c06c1c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1057" + ], + "title": "Recon Command Output Piped To Findstr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", + "event_ids": [ + "4688" + ], + "id": "5705250b-888d-01e5-36cf-4302564a99bf", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1552.006", + "T1552" + ], + "title": "LSASS Process Reconnaissance Via Findstr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process.\nThis way we are also able to catch cases in which the attacker has renamed the procdump executable.\n", + "event_ids": [ + "4688" + ], + "id": "16b983b0-2a6e-197e-d708-3468b8785eb6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "TA0006", + "T1003.001", + "car.2013-05-009", + "T1003" + ], + "title": "Potential LSASS Process Dump Via Procdump" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", + "event_ids": [ + "4688" + ], + "id": "737bbf5e-7b83-3600-ebcc-76fd8f9c65ef", + "level": "medium", + "service": "", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.001", + "T1564" + ], + "title": "Use Icacls to Hide File to Everyone" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious child processes of KeyScrambler.exe", + "event_ids": [ + "4688" + ], + "id": "b2e90afd-fc69-1c5c-0457-d908fe3c4335", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "TA0004", + "T1203", + "T1574.001", + "T1574" + ], + "title": "Potentially Suspicious Child Process of KeyScrambler.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of an AnyDesk binary with a version prior to 8.0.8.\nPrior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.\nUse this rule to detect instances of older versions of Anydesk using the compromised certificate\nThis is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.\n", + "event_ids": [ + "4688" + ], + "id": "2bd79a93-cca3-3280-f400-f38c499e263e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0001" + ], + "title": "Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of \"cdb.exe\" to launch arbitrary processes or commands from a debugger script file", + "event_ids": [ + "4688" + ], + "id": "67e63fd2-26a0-1961-477b-8f6b517ae20b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1106", + "TA0005", + "T1218", + "T1127" + ], + "title": "Potential Binary Proxy Execution 
Via Cdb.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", + "event_ids": [ + "4688" + ], + "id": "a407b6c9-ae1a-6fb2-a44d-24de12a2e2f7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1134.002", + "T1134" + ], + "title": "PUA - AdvancedRun Suspicious Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the command line executed when TeamViewer starts a session started by a remote host.\nOnce a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.\n", + "event_ids": [ + "4688" + ], + "id": "6ea28a10-22c9-94e3-ecf6-cd29b8bc75bd", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1133" + ], + "title": "Remote Access Tool - Team Viewer Session Started On Windows Host" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", + "event_ids": [ + "4688" + ], + "id": "1a4e84c2-b143-1ac5-61c9-00faf74cb62a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Suspicious Msbuild Execution By Uncommon Parent Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64 where the extensions of the file is suspicious", + "event_ids": [ + "4688" + ], + "id": "28c8ac5c-4774-b281-e7e4-3445164e0180", + "level": "high", + "service": "", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027" + ], + "title": "Suspicious File Encoded To Base64 Via Certutil.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of \"reg.exe\" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection\n", + "event_ids": [ + "4688" + ], + "id": "0e292cea-6680-a95e-46e2-4b938a65597e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.\nBy setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events\nfrom being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.\n", + "event_ids": [ + "4688" + ], + "id": "900cc808-eb18-0106-55ac-478667fa36d5", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Disabling Windows Defender WMI Autologger Session via Reg.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", + "event_ids": [ + "4688" + ], + "id": "685a2b5a-0d1d-e78a-174a-b35f1069684b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0043", + "TA0007", + "TA0006", + "TA0040" + ], + "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect attacker collecting audio via SoundRecorder application.", + "event_ids": [ + "4688" + ], + "id": "ebef59bf-5a12-af67-8a95-a282ae4bdaf6", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1123" + ], + "title": "Audio Capture via SoundRecorder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when a user downloads a file from an IP based URL using CertOC.exe", + "event_ids": [ + "4688" + ], + "id": "67db6bcf-cb5b-3e0b-2ba8-4afd9e5ca3a8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "TA0002", + "T1105" + ], + "title": "File Download From IP Based URL Via CertOC.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the presence of the keywords \"lsass\" and \".dmp\" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.\n", + "event_ids": [ + "4688" + ], + "id": "48e84a4f-20a1-de9f-6a28-37b0494dedfc", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "LSASS Dump Keyword In CommandLine" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket 
framework", + "event_ids": [ + "4688" + ], + "id": "176cddad-09e5-95d1-e061-52b79cdbd6b7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047", + "TA0008", + "T1021.003", + "T1021" + ], + "title": "HackTool - Potential Impacket Lateral Movement Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "event_ids": [ + "4688" + ], + "id": "3425d55a-86e5-737e-7213-a8a416faeb89", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218.003", + "attack.g0069", + "car.2019-04-001", + "T1218" + ], + "title": "CMSTP Execution Process Creation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "event_ids": [ + "4688" + ], + "id": "65dc2fc6-8f96-eccf-0cba-714a1f3af110", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Suspicious Invoke-WebRequest Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", + "event_ids": [ + "4688" + ], + "id": "892fa867-a4bc-7858-dc5f-0f959244b3ca", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003" + ], + "title": "Microsoft IIS Service Account Password Dumped" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory 
structure.", + "event_ids": [ + "4688" + ], + "id": "49fe14e0-e6d2-95cc-58a2-431e7dd03cf5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010" + ], + "title": "Active Directory Structure Export Via Ldifde.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.", + "event_ids": [ + "4688" + ], + "id": "eacb8d30-18b2-df70-fb8e-b5b8bb773983", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1202" + ], + "title": "Potential Arbitrary DLL Load Using Winword" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "This rule detects the execution of Run Once task as configured in the registry", + "event_ids": [ + "4688" + ], + "id": "aa8af443-e70d-a6a2-5903-1c62f232c0ed", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Run Once Task Execution as Configured in Registry" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", + "event_ids": [ + "4688" + ], + "id": "2dadd86d-ec91-774c-96a2-b80b47515d60", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1543.003", + "T1543" + ], + "title": "New Kernel Driver Via SC.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the desktopimgdownldr utility being used to download a remote file. 
An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "event_ids": [ + "4688" + ], + "id": "f4d831e1-972e-94c7-61af-2c756813c8af", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Remote File Download Via Desktopimgdownldr Utility" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", + "event_ids": [ + "4688" + ], + "id": "b38e988d-9ea4-447b-cc36-a30c9c3801e1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1566", + "T1566.001", + "TA0001" + ], + "title": "Suspicious Microsoft OneNote Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)", + "event_ids": [ + "4688" + ], + "id": "e6f654c0-1d07-0204-f77c-f791d88e44d0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "attack.g0047", + "T1021.005", + "T1021" + ], + "title": "Suspicious UltraVNC Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "event_ids": [ + "4688" + ], + "id": "9acd90a3-770d-023f-0b71-92c461984dcc", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1203", + "TA0004", + "T1068" + ], + "title": "Suspicious Spool Service Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious call to the \"ShellExec_RunDLL\" exported function of SHELL32.DLL through the ordinal number to launch other commands.\nAdversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.\n", + "event_ids": [ + "4688" + ], + "id": "afe56692-d76f-5259-cd59-c1032f5cf01b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "T1218" + ], + "title": "Suspicious ShellExec_RunDLL Call Via Ordinal" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts", + "event_ids": [ + "4688" + ], + "id": "e90d5723-9e13-61f4-569b-d8b4ac050c09", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", + "event_ids": [ + "4688" + ], + "id": "b23c27a3-ce02-1abb-0aa3-f1376bd9d0bd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "HackTool - UACMe Akagi Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", + "event_ids": [ + "4688" + ], + "id": "5161ecbd-ced9-5f55-3dba-cfb5e38cf9d1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "T1059" + ], + "title": "VMToolsd Suspicious Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of \"Ilasm.EXE\" in order to compile C# intermediate (IL) code to EXE or DLL.", + "event_ids": [ + "4688" + ], + "id": "5ea0b54f-98b4-7cc7-6c38-01a53470b4e4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1127" + ], + "title": "C# IL Code Compilation Via Ilasm.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"odbcconf\" with \"REGSVR\" in order to register a new DLL (equivalent to running regsvr32). 
Attackers abuse this to install and run malicious DLLs.", + "event_ids": [ + "4688" + ], + "id": "c70669f8-ed0f-df3b-f2a4-6e8605285bb1", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.008", + "T1218" + ], + "title": "New DLL Registered Via Odbcconf.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects RDP session hijacking by using MSTSC shadowing", + "event_ids": [ + "4688" + ], + "id": "5e22c0e7-bde8-560d-0187-ee4134940af6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1563.002", + "T1563" + ], + "title": "Potential MSTSC Shadowing Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Well-known DNS Exfiltration tools execution", + "event_ids": [ + "4688" + ], + "id": "e44a6a45-107b-0cdb-3b8a-61b2e33d55d7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "T1048.001", + "TA0011", + "T1071.004", + "T1132.001", + "T1048", + "T1071", + "T1132" + ], + "title": "DNS Exfiltration and Tunneling Tools Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", + "event_ids": [ + "4688" + ], + "id": "ae6951e9-b0dd-cdaa-48f1-9c0ec91d0faf", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Remote Access Tool - AnyDesk Piped Password Via CLI" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV", + "event_ids": [ 
+ "4688" + ], + "id": "8d302e8b-d95c-0027-59e0-a3c179726623", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Powershell Base64 Encoded MpPreference Cmdlet" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects attackers attempting to disable Windows Defender using Powershell", + "event_ids": [ + "4688" + ], + "id": "f54d52ff-5047-da16-21d1-67d79aacd624", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Disable Windows Defender AV Security Monitoring" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious child processes of \"GoogleUpdate.exe\"", + "event_ids": [ + "4688" + ], + "id": "54947316-2baa-1515-3a10-8569020a445a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Potentially Suspicious GoogleUpdate Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)", + "event_ids": [ + "4688" + ], + "id": "ae6cf4fd-c5fb-db3d-3aec-31478d51a921", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "T1218" + ], + "title": "Sdiagnhost Calling Suspicious Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy", + "event_ids": [ + "4688" + ], + "id": "b1b4e91a-f98e-efe3-e440-4baf203a621a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0003", + "TA0005", + "TA0006", + "TA0004", + "T1562.002", + "T1547.001", + "T1505.005", + "T1556.002", + "T1562", + "T1574.007", + "T1564.002", + "T1546.008", + "T1546.007", + "T1547.014", + "T1547.010", + "T1547.002", + "T1557", + "T1082", + "T1547", + "T1556", + "T1546", + "T1574", + "T1505", + "T1564" + ], + "title": "Potential Suspicious Activity Using SeCEdit" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects some Empire PowerShell UAC bypass methods", + "event_ids": [ + "4688" + ], + "id": "5ccc4b5a-ddf6-63e0-3b00-82be3eb56506", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "car.2019-04-001", + "T1548" + ], + "title": "HackTool - Empire PowerShell UAC Bypass" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", + "event_ids": [ + "4688" + ], + "id": "b9675cf5-52dc-a941-e484-247f3640e055", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1059.005", + "T1059.001", + "T1218", + "T1059" + ], + "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe", + "event_ids": [ + "4688" + ], + "id": "a84f4bc1-ba9a-517d-9339-0a232578cf27", + "level": "high", + "service": "", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", + "event_ids": [ + "4688" + ], + "id": "db43d94f-ee5a-913b-3a86-2e1cb07e39a4", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "T1218" + ], + "title": "HackTool - F-Secure C3 Load by Rundll32" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "event_ids": [ + "4688" + ], + "id": "1f9094b1-f522-539a-f715-fd13acf3cd22", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005", + "T1542.001", + "T1542" + ], + "title": "UEFI Persistence Via Wpbbin - ProcessCreation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "event_ids": [ + "4688" + ], + "id": "0c52293c-57fb-c251-5f09-4da3e0776891", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.007", + "T1218" + ], + "title": "Suspicious Msiexec Execute Arbitrary DLL" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", + "event_ids": [ 
+ "4688" + ], + "id": "b206cc55-bd72-1034-393c-cb8b9e643aa0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "T1003.001", + "TA0006", + "T1003" + ], + "title": "Renamed CreateDump Utility Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.\nThis detection assumes that PowerShell commands are passed via the CommandLine.\n", + "event_ids": [ + "4688" + ], + "id": "52aeb4d7-4368-4da4-c717-f3b016a01d64", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "T1218" + ], + "title": "Potential PowerShell Execution Via DLL" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.", + "event_ids": [ + "4688" + ], + "id": "a49d1313-b65e-0401-130b-8e929805577f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.010", + "T1218" + ], + "title": "Potentially Suspicious Regsvr32 HTTP IP Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects password change for the computer's domain account or host principal via \"ksetup.exe\"", + "event_ids": [ + "4688" + ], + "id": "24b74db7-6d52-4791-9c5a-8e5de42df8f2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Computer Password Change Via Ksetup.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when a browser process or browser tab is launched from an 
application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.\n", + "event_ids": [ + "4688" + ], + "id": "d0de4ba1-77ce-d47b-23ee-62cdcbc849a6", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204.002", + "T1204" + ], + "title": "Potential Suspicious Browser Launch From Document Reader Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", + "event_ids": [ + "4688" + ], + "id": "874b58be-13ea-f81c-3413-0356498356e2", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "Script Event Consumer Spawning Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of reg.exe to export registry paths associated with third-party credentials.\nCredential stealers have been known to use this technique to extract sensitive information from the registry.\n", + "event_ids": [ + "4688" + ], + "id": "c870786e-ac3c-7be8-93ba-79705472c787", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1552.002", + "T1552" + ], + "title": "Registry Export of Third-Party Credentials" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of javascript code using \"mshta.exe\".", + "event_ids": [ + "4688" + ], + "id": "40dc8b10-369e-d60a-531b-a6d6de0bad18", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.005", + "T1218" + ], + "title": "Suspicious JavaScript Execution Via Mshta.EXE" + }, + { + 
"category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.\nWindows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.\n", + "event_ids": [ + "4688" + ], + "id": "7987377e-ddde-302c-5a17-7723837a1d38", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0008", + "T1210" + ], + "title": "HackTool - SharpWSUS/WSUSpendu Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "event_ids": [ + "4688" + ], + "id": "f52ac08e-65ef-a059-20d3-1eca726c6659", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", + "event_ids": [ + "4688" + ], + "id": "62ed175b-c554-0c7c-9804-0a1628688796", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1218", + "TA0005" + ], + "title": "Malicious PE Execution by Microsoft Visual Studio Debugger" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + 
"event_ids": [ + "4688" + ], + "id": "04c281fd-ba4b-8255-087a-ace794d28c8e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1572" + ], + "title": "Potential RDP Tunneling Via SSH" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", + "event_ids": [ + "4688" + ], + "id": "7a6b455d-a8d7-2cba-6d4e-05d8c6c9278c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "REGISTER_APP.VBS Proxy Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add Windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", + "event_ids": [ + "4688" + ], + "id": "5ee853eb-9d4f-e140-fd4d-c6c6e65e27bf", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Add Windows Capability Via PowerShell Cmdlet" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", + "event_ids": [ + "4688" + ], + "id": "c77efdd5-f664-66dc-23fb-73ab8e695b53", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "Process Reconnaissance Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", + "event_ids": [ + "4688" + ], 
+ "id": "fb65baaf-fbef-b775-a0f1-03268c7e5fa5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.007", + "T1218" + ], + "title": "Suspicious Msiexec Quiet Install From Remote Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious process that is masquerading as the legitimate \"svchost.exe\" by naming its binary \"svchost.exe\" and executing from an uncommon location.\nAdversaries often disguise their malicious binaries by naming them after legitimate system processes like \"svchost.exe\" to evade detection.\n", + "event_ids": [ + "4688" + ], + "id": "f7115cfd-3899-16ef-c89b-2db0aa711a9c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036.005", + "T1036" + ], + "title": "Suspicious Process Masquerading As SvcHost.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", + "event_ids": [ + "4688" + ], + "id": "99b507ef-fee7-2f19-767e-66439dad9d9f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1202" + ], + "title": "Suspicious Cabinet File Execution Via Msdt.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of various CLI utilities exfiltrating data via web requests", + "event_ids": [ + "4688" + ], + "id": "245dab46-e862-0264-ae5c-a935a1f94160", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Potential Data Exfiltration Activity Via CommandLine Tools" + }, + { + 
"category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", + "event_ids": [ + "4688" + ], + "id": "96951861-e068-11a1-bdd8-1fdc951102b8", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Usage Of Web Request Commands And Cmdlets" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", + "event_ids": [ + "4688" + ], + "id": "3d30b2bb-135f-d972-364f-9e41f8aa609b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Arbitrary Binary Execution Using GUP Utility" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious file download from file sharing domains using curl.exe", + "event_ids": [ + "4688" + ], + "id": "ebccbc0b-0513-7912-7679-1ff5d676842e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Suspicious File Download From File Sharing Domain Via Curl.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious child process of userinit", + "event_ids": [ + "4688" + ], + "id": "fc42ea9c-4c0d-4a66-b3b7-34b2a831f588", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1055" + ], + "title": "Suspicious Userinit Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of REGSVR32.exe with DLL files 
masquerading as other files", + "event_ids": [ + "4688" + ], + "id": "de7bed2f-8da9-bfd3-f7af-a1a8e5ff462d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.010", + "T1218" + ], + "title": "Regsvr32 DLL Execution With Suspicious File Extension" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the installation of VsCode tunnel (code-tunnel) as a service.", + "event_ids": [ + "4688" + ], + "id": "b9112bca-62a9-013b-2fba-56019745171c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1071.001", + "T1071" + ], + "title": "Visual Studio Code Tunnel Service Installation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", + "event_ids": [ + "4688" + ], + "id": "b176b53d-4619-d65f-baf1-b3a4f1ec0b12", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1216.001", + "T1216" + ], + "title": "Pubprn.vbs Proxy Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects python spawning a pretty tty", + "event_ids": [ + "4688" + ], + "id": "4e16e266-e27d-ab29-fd78-e04352a8aee7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Python Spawning Pretty TTY on Windows" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"odbcconf\" where the path of the DLL being registered is located in a potentially suspicious location.", + "event_ids": [ + "4688" + ], + "id": "a6a65b53-c476-cb1e-8267-5383b33c0dc1", + "level": "high", + "service": "", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.008", + "T1218" + ], + "title": "Odbcconf.EXE Suspicious DLL Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "event_ids": [ + "4688" + ], + "id": "e768da19-d0fa-86b7-d2c1-93535bdac05e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1484.001", + "T1484" + ], + "title": "Modify Group Policy Settings" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"hh.exe\" to open \".chm\" files.", + "event_ids": [ + "4688" + ], + "id": "cb0503aa-0857-ee4c-cde4-211dcf7917f8", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.001", + "T1218" + ], + "title": "HH.EXE Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Use of the commandline to shutdown or reboot windows", + "event_ids": [ + "4688" + ], + "id": "b74fe142-8535-448b-b2ff-c6de4a5a5133", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1529" + ], + "title": "Suspicious Execution of Shutdown" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", + "event_ids": [ + "4688" + ], + "id": "3c178fa3-3914-652f-7007-f1d6f385c2ed", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1216" + ], + "title": "Remote Code Execute via Winrm.vbs" + }, + { + "category": "process_creation", + "channel": [ + 
"sec" + ], + "description": "Detects execution of Chromium based browser in headless mode", + "event_ids": [ + "4688" + ], + "id": "c2ba2ab9-14d6-22d6-50e6-def8d485c093", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105", + "T1564.003", + "T1564" + ], + "title": "Browser Execution In Headless Mode" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "event_ids": [ + "4688" + ], + "id": "fb7a3239-94db-7a87-e1de-97016c713f32", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004" + ], + "title": "UAC Bypass Using Event Viewer RecentViews" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", + "event_ids": [ + "4688" + ], + "id": "7d08c255-caa9-d1ce-ba23-4030c6718e0b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "TA0007", + "T1040" + ], + "title": "Potential Network Sniffing Activity Using Network Tools" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher 
to run malicious code through IPC with child processes.\n", + "event_ids": [ + "4688" + ], + "id": "1c799762-beac-3409-8ab4-09485fc2ca91", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", + "event_ids": [ + "4688" + ], + "id": "598ec0b9-1b1e-4814-86ae-15ef649eb159", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1490" + ], + "title": "Copy From VolumeShadowCopy Via Cmd.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", + "event_ids": [ + "4688" + ], + "id": "bf85cbac-5a6f-8e8c-535a-0c786ee46919", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547" + ], + "title": "Suspicious GrpConv Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) child process", + "event_ids": [ + "4688" + ], + "id": "65769ded-2258-284c-b61d-e79567f5efc0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1055", + "T1036" + ], + "title": "Suspicious Child Process Of Wermgr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the Microsoft signed script 
\"CL_mutexverifiers\" to proxy the execution of additional PowerShell script commands", + "event_ids": [ + "4688" + ], + "id": "844df162-c07b-4b60-29d1-adf324d785f5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1216" + ], + "title": "Potential Script Proxy Execution Via CL_Mutexverifiers.ps1" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.", + "event_ids": [ + "4688" + ], + "id": "27d72949-e67d-d712-e695-b0f3fe1d1428", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", + "event_ids": [ + "4688" + ], + "id": "7cd5f138-8005-2cb8-cb41-d6b0365b8e5f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1552.002", + "T1552" + ], + "title": "Enumeration for 3rd Party Creds From CLI" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of a base64 encoded \"IEX\" cmdlet in a process command line", + "event_ids": [ + "4688" + ], + "id": "e53219c7-ae63-0b28-f372-3dc6d8b00829", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "PowerShell Base64 Encoded IEX Cmdlet" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": 
"Commandline to launch powershell with a base64 payload", + "event_ids": [ + "4688" + ], + "id": "5464890a-e53b-c991-756a-8ac37655adca", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious Execution of Powershell with Base64" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse", + "event_ids": [ + "4688" + ], + "id": "c60e39f2-5135-0c04-8c79-a2730ff4a37a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1548.002", + "T1548" + ], + "title": "PowerShell Web Access Feature Enabled Via DISM" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. 
This is could be used as a way to launch a reverse shell or execute live perl code.", + "event_ids": [ + "4688" + ], + "id": "1c7255e9-5677-0dce-20d7-83f42f4a517c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Perl Inline Command Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", + "event_ids": [ + "4688" + ], + "id": "fbf93b53-f074-9501-418b-f1d43360e2cb", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Lolbin Unregmp2.exe Use As Proxy" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", + "event_ids": [ + "4688" + ], + "id": "01184351-0c59-01e2-23f8-68eb74e51558", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1555.004", + "T1555" + ], + "title": "Suspicious Key Manager Access" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", + "event_ids": [ + "4688" + ], + "id": "a6a22651-ffaa-7713-8313-46ce8a85ad64", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.010", + "T1562" + ], + "title": "LSA PPL Protection Disabled Via Reg.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. 
These files are simply XML and contain paths to various Windows 10 settings binaries.", + "event_ids": [ + "4688" + ], + "id": "ea83af54-6f44-4f59-df6c-6d8669775fcd", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1204", + "T1566.001", + "TA0002", + "TA0001", + "T1566" + ], + "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.", + "event_ids": [ + "4688" + ], + "id": "6e3409a5-e74b-e405-2f94-d7be95561e7e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "File Encryption/Decryption Via Gpg4win From Suspicious Locations" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", + "event_ids": [ + "4688" + ], + "id": "a56ae12f-67c8-f625-2279-f5290ba86fa9", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Potential Signing Bypass Via Windows Developer Features" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "event_ids": [ + "4688" + ], + "id": "f0dcd1c8-56d8-8dd0-b4d1-4e8b9a04a6c6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Parameter Substring" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", + "event_ids": [ + "4688" + ], + "id": "30f60c05-7105-c523-3ab6-698b29aebbce", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "T1567" + ], + "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", + "event_ids": [ + "4688" + ], + "id": "4f66eca2-1272-c8d1-d056-e903294b1046", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1033", + "car.2016-03-001" + ], + "title": "Whoami Utility Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "event_ids": [ + "4688" + ], + "id": "0b1a8cb5-34ab-b019-66ad-98f7c43bb8ff", + "level": "high", + "service": "", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation STDIN+ Launcher" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of a system command via the ScreenConnect RMM service.", + "event_ids": [ + "4688" + ], + "id": "fa02ff62-1ebd-d56a-ffa0-8accc97eeec4", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.003", + "T1059" + ], + "title": "Remote Access Tool - ScreenConnect Remote Command Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of WMIC with the \"format\" flag to potentially load XSL files.\nAdversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.\nExtensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.\n", + "event_ids": [ + "4688" + ], + "id": "d90fcd50-5835-4b80-6d1a-c708404a142c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1220" + ], + "title": "XSL Script Execution Via WMIC.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "event_ids": [ + "4688" + ], + "id": "31ca06b4-e4e7-1456-557e-809415680296", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218.005", + "T1218" + ], + "title": "Remotely Hosted HTA File Executed Via Mshta.EXE" + }, + { + "category": 
"process_creation", + "channel": [ + "sec" + ], + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "event_ids": [ + "4688" + ], + "id": "962de487-869e-eec3-a641-839d9af9c49d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1490" + ], + "title": "Deletion of Volume Shadow Copies via WMI with PowerShell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the addition of a new rule to the Windows firewall via netsh", + "event_ids": [ + "4688" + ], + "id": "5a3de052-774a-c805-ef2c-a9b71abecc0a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.004", + "attack.s0246", + "T1562" + ], + "title": "New Firewall Rule Added Via Netsh.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "event_ids": [ + "4688" + ], + "id": "5054d08a-687f-e98a-b2ca-ebbe7e3035b0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1546.008", + "T1546" + ], + "title": "Suspicious Debugger Registration Cmdline" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", + "event_ids": [ + "4688" + ], + "id": "802f2f6f-fab8-e8d2-bb45-6ad7a2f8f4a7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.007", + "T1218" + ], + "title": "DllUnregisterServer Function Call Via Msiexec.EXE" + }, + { + 
"category": "process_creation", + "channel": [ + "sec" + ], + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", + "event_ids": [ + "4688" + ], + "id": "3682c181-3b54-0cf3-cfdb-1d800bb7b125", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.002", + "T1562" + ], + "title": "Disable Windows IIS HTTP Logging" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", + "event_ids": [ + "4688" + ], + "id": "b192c555-7ec6-6836-9df6-a81347c77e35", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.002", + "T1003" + ], + "title": "HackTool - Quarks PwDump Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Execution of plink to perform data exfiltration and tunneling", + "event_ids": [ + "4688" + ], + "id": "2eaa1baa-a2c9-b59b-efa8-825ca75ad2d8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1572" + ], + "title": "Potential RDP Tunneling Via Plink" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", + "event_ids": [ + "4688" + ], + "id": "e158c0fd-66a1-71d4-8c4c-0728569ed574", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1216" + ], + "title": "UtilityFunctions.ps1 Proxy Dll" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of Windows Defender \"OfflineScannerShell.exe\" from its non standard directory.\nThe \"OfflineScannerShell.exe\" 
binary is vulnerable to DLL side loading and will load any DLL named \"mpclient.dll\" from the current working directory.\n", + "event_ids": [ + "4688" + ], + "id": "bbfa2296-5f8e-96c6-f1fd-0e0bcda268dc", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", + "event_ids": [ + "4688" + ], + "id": "55da7839-272c-d651-9349-c6e62c955734", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0003", + "T1543.003", + "T1543" + ], + "title": "Sysinternals PsService Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. 
This can be abused by threat actors and attackers for data exfiltration",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "031e5974-b1b0-7293-81e5-57a3c3009f63",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1027"
+ ],
+ "title": "File Encoded To Base64 Via Certutil.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of a Chromium based browser process with the \"headless\" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "7799eb33-05b6-9a35-9e50-e2da961e40bb",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002"
+ ],
+ "title": "Chromium Browser Headless Execution To Mockbin Like Site"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "101d5724-f172-6946-1713-7b535e7c5af9",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "TA0005"
+ ],
+ "title": "Suspicious Process Execution From Fake Recycle.Bin Folder"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives. 
This includes SAM, SYSTEM and SECURITY hives.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "9936b6f6-994d-8664-d072-7e6900571270",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0006",
+ "T1003.002",
+ "T1003.004",
+ "T1003.005",
+ "car.2013-07-001",
+ "T1003"
+ ],
+ "title": "Dumping of Sensitive Hives Via Reg.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the use of CoercedPotato, a tool for privilege escalation",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "75a96fdd-ec6a-1351-5cf2-00b8606831fe",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0004",
+ "T1055"
+ ],
+ "title": "HackTool - CoercedPotato Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects addition of users to the local administrator group via \"Net\" or \"Add-LocalGroupMember\".",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "dd05faca-794f-ae1f-a880-bb0237d1443f",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1098"
+ ],
+ "title": "User Added to Local Administrators Group"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a set of suspicious network related commands often used in recon stages",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "cf674881-75bf-1708-a3d3-daf22e485a07",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007",
+ "T1087",
+ "T1082",
+ "car.2016-03-001"
+ ],
+ "title": "Network Reconnaissance Activity"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Identifies use of various commands to query a systems time. 
This technique may be used before executing a scheduled task or to discover the time zone of a target system.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "9d637e7d-578d-a370-8149-78de1277654c",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007",
+ "T1124"
+ ],
+ "title": "Discovery of a System Time"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "fd5780a1-437f-d735-9ec2-8ed852b7c70f",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0006",
+ "T1003.001",
+ "T1003"
+ ],
+ "title": "Potential Credential Dumping Via WER"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a \"regsvr32\" execution where the DLL doesn't contain a common file extension.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "0931c657-0f5b-cc80-ce24-bb4f81b15b02",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1574",
+ "TA0002"
+ ],
+ "title": "Regsvr32 DLL Execution With Uncommon Extension"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "b408292c-4fa0-410a-a192-4228c81af02e",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1548.002",
+ "T1548"
+ ],
+ "title": "Explorer NOUACCHECK Flag"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ 
"description": "Detects the creation of a new service using the \"sc.exe\" utility.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "9030c2bf-bf5b-cbfb-9cfc-e37534d2031a",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "TA0004",
+ "T1543.003",
+ "T1543"
+ ],
+ "title": "New Service Creation Using Sc.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a suspicious script executions from temporary folder",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "18f506e1-2726-f3fa-8429-f7b06ce69825",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059"
+ ],
+ "title": "Suspicious Script Execution From Temp Folder"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "0d996232-49fa-9bae-0ee6-ad86ec993064",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059",
+ "TA0007",
+ "T1018"
+ ],
+ "title": "Suspicious Scan Loop Network"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects execution of netsh with the \"advfirewall\" and the \"set\" option in order to set new values for properties of a existing rule",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "982b7732-cb4f-a678-742f-12975f002ced",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005"
+ ],
+ "title": "Firewall Rule Update Via Netsh.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of a 
signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "4dbb6aeb-a6f4-b360-d399-0b08844976b6",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1127"
+ ],
+ "title": "Kavremover Dropped Binary LOLBIN Usage"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "e51a363c-2979-56e7-4526-c49be62e6062",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "Add SafeBoot Keys Via Reg Utility"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of Gpg4win to encrypt files",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "5159a920-5ab6-272b-4cd3-a3ea17a108ea",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002"
+ ],
+ "title": "File Encryption Using Gpg4win"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "f477a622-8a8a-8528-fd42-9362defe645e",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0004",
+ "T1055.001",
+ "T1218.013",
+ "T1218",
+ "T1055"
+ ],
+ "title": "Mavinject Inject DLL Into Running Process"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ 
"description": "Detect the usage of \"DirLister.exe\" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "767261e0-460c-37f0-aadd-2d3d361db835",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007",
+ "T1083"
+ ],
+ "title": "DirLister Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious Splwow64.exe process without any command line parameters",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "a3eb659a-2a75-984c-1dd1-a034449b5d3a",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1202"
+ ],
+ "title": "Suspicious Splwow64 Without Params"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "812c76e3-a745-515e-484b-d64d6f64c779",
+ "level": "critical",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1546.003",
+ "T1546"
+ ],
+ "title": "WMI Backdoor Exchange Transport Agent"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "088e72dd-07b4-8c9a-4e3a-f8b72d98def0",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "TA0008",
+ "T1059.001",
+ "T1021.006",
+ "T1059",
+ "T1021"
+ ],
+ "title": "Remote PowerShell Session Host Process (WinRM)"
+ },
+ {
+ "category": "process_creation", 
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "1cc14403-ea65-fe73-9eab-a49768dbd354",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1036",
+ "T1003.001",
+ "TA0006",
+ "T1003"
+ ],
+ "title": "CreateDump Process Dump"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).\nProcess Hacker is a tool to view and manipulate processes, kernel options and other low level options.\nThreat actors abused older vulnerable versions to manipulate system processes.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "ac2323f5-a7b6-baa6-4cb6-1df6089d834d",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0007",
+ "TA0003",
+ "TA0004",
+ "T1622",
+ "T1564",
+ "T1543"
+ ],
+ "title": "PUA - Process Hacker Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "f0e123c3-0e38-7799-a7bb-c5682449e2e8",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218"
+ ],
+ "title": "InfDefaultInstall.exe .inf Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a suspicious process spawning from an Outlook process.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "ce29d50b-8a96-dc9b-96a1-3acbb2b68039",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1204.002",
+ "T1204"
+ ],
+ 
"title": "Suspicious Outlook Child Process"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "153a349d-2f66-9cce-ff30-aebbad4e103b",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0011",
+ "TA0005",
+ "T1218",
+ "T1105"
+ ],
+ "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "36d25ea3-c267-467d-2607-8791f67b7e4e",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007"
+ ],
+ "title": "Potential Recon Activity Using DriverQuery.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects WMI script event consumers",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "87226774-feb7-cb9f-bb57-e19cc4fbfb1a",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "TA0004",
+ "T1546.003",
+ "T1546"
+ ],
+ "title": "WMI Persistence - Script Event Consumer"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "756c6a71-c6c7-f447-b851-823221c5d2fc",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218.011",
+ "T1218"
+ ],
+ "title": 
"Potentially Suspicious Rundll32 Activity"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious IIS native-code module installations via command line",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "144c93b7-e660-277e-cd3c-0141893803ea",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1505.003",
+ "T1505"
+ ],
+ "title": "IIS Native-Code Module Command Line Installation"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "b0fec5a0-3b3f-9e6c-b5b1-bdabd28f18ee",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0009",
+ "T1560.001",
+ "T1560"
+ ],
+ "title": "Rar Usage with Password and Compression Level"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "1ee3a188-7a90-b357-3e25-dd202515f11d",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007",
+ "T1069.001",
+ "T1069"
+ ],
+ "title": "Permission Check Via Accesschk.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of \"RegAsm.exe\" without a commandline flag or file, which might indicate potential process injection activity.\nUsually \"RegAsm.exe\" should point to a dedicated DLL file or call the help with the \"/?\" flag.\n",
+ "event_ids": [
+ "4688"
+ ],
+ 
"id": "4865bce7-425b-5efe-ad03-7dfe40725e2b",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218.009",
+ "T1218"
+ ],
+ "title": "RegAsm.EXE Execution Without CommandLine Flags or Files"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the enumeration of a specific DLL or EXE being used by a binary via \"tasklist.exe\".\nThis is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.\nIn order to dump the process memory or perform other nefarious actions.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "0f054564-5b4b-f7e3-ffa7-a1afda6c3715",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "T1003",
+ "TA0006"
+ ],
+ "title": "Loaded Module Enumeration Via Tasklist.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "011b5544-f9c6-7b7c-5114-f1cbce8b511a",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1202"
+ ],
+ "title": "Rundll32 Execution Without CommandLine Parameters"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of Gpg4win to decrypt files",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "f539aaee-c369-f209-b744-3e1b8b37c936",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002"
+ ],
+ "title": "File Decryption Using Gpg4win"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "1ec0b8fb-050d-074d-7209-6c4c724f24cb",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0011",
+ "T1219.002",
+ "T1219"
+ ],
+ "title": "Remote Access Tool - AnyDesk Silent Installation"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "6c78dafc-594b-ab99-d6da-cafcb37ab087",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007"
+ ],
+ "title": "DriverQuery.EXE Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "56fda9b4-d3c0-2709-26ea-b109bdafb5c2",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218.007",
+ "T1218"
+ ],
+ "title": "Msiexec Quiet Installation"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a potentially suspicious execution from an uncommon folder.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "a9dad077-e2f9-a739-8ac0-eb0e6dcbdebb",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1036"
+ ],
+ "title": "Process Execution From A Potentially Suspicious Folder"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects actions that clear the local ShimCache and 
remove forensic evidence",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "3681f000-5b6c-d6a6-3a0f-8240c1325dc3",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1112"
+ ],
+ "title": "ShimCache Flush"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "a20a870a-fc43-6932-6410-116f3d5e0221",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "TA0005",
+ "T1218",
+ "T1202"
+ ],
+ "title": "Potentially Suspicious Child Process Of VsCode"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects potential path traversal attempt via cmd.exe. 
Could indicate possible command/argument confusion/hijacking",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "63efb70a-b106-3e6a-fe1d-b3c49558ebd0",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059.003",
+ "T1059"
+ ],
+ "title": "Potential CommandLine Path Traversal Via Cmd.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "fa60721b-3812-856b-d15f-7c528214d125",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218"
+ ],
+ "title": "Execution via stordiag.exe"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects certain command line parameters often used during reconnaissance activity via web shells",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "b89edd67-19bc-8e17-7967-2c47614dadee",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "TA0007",
+ "T1505.003",
+ "T1018",
+ "T1033",
+ "T1087",
+ "T1505"
+ ],
+ "title": "Webshell Detection With Command Line Keywords"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious ways to run Invoke-Execution using IEX alias",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "814014e5-bfa2-e72a-4f31-6155fab87672",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Suspicious PowerShell IEX Execution Patterns"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects command line parameters or strings often used by crypto miners",
+ "event_ids": [
+ "4688"
+ ],
+ "id": 
"c3538d2c-107c-a590-509c-957631b1eaf2",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0040",
+ "T1496"
+ ],
+ "title": "Potential Crypto Mining Activity"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the deletion of backups or system state backups via \"wbadmin.exe\".\nThis technique is used by numerous ransomware families and actors.\nThis may only be successful on server platforms that have Windows Backup enabled.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "133b31a6-d87d-34ee-0699-ac8c9dce764b",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0040",
+ "T1490"
+ ],
+ "title": "Windows Backup Deleted Via Wbadmin.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "5dd528dc-d144-18ab-88ff-fca3158b68c5",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1027"
+ ],
+ "title": "Certificate Exported Via Certutil.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a CodePage modification using the \"mode.com\" utility to Russian language.\nThis behavior has been used by threat actors behind Dharma ransomware.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "54a21dac-be5a-04d2-da18-4bdd55216fa0",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1036"
+ ],
+ "title": "CodePage Modification Via MODE.COM To Russian Language"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of bitsadmin downloading a file from 
a suspicious domain",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "23c16dc8-5f28-940b-9094-092e89b8727f",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0003",
+ "T1197",
+ "attack.s0190",
+ "T1036.003",
+ "T1036"
+ ],
+ "title": "Suspicious Download From File-Sharing Website Via Bitsadmin"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "74dee6c8-810b-ae34-e12e-ab1a91355d18",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218.011",
+ "T1218"
+ ],
+ "title": "Suspicious Rundll32 Execution With Image Extension"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "9137ba87-68d5-272d-9ada-3803321cb4c4",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1547.001",
+ "T1547"
+ ],
+ "title": "Direct Autorun Keys Modification"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects attempts to disable security event logging by adding the `MiniNt` registry key.\nThis key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.\nAdversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "847d9f6f-a38e-7aa1-9da8-20f3f4c1d416",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ 
"T1562.002",
+ "T1112",
+ "car.2022-03-001",
+ "T1562"
+ ],
+ "title": "Security Event Logging Disabled via MiniNt Registry Key - Process"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "c50000d8-b326-29d3-f4c2-7f15bb158633",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1564.004",
+ "T1564"
+ ],
+ "title": "Use NTFS Short Name in Image"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "98622a71-2d8e-2959-2a0c-8caffeacea13",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1562.004",
+ "T1562"
+ ],
+ "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of the \"dir\" command part of Windows CMD with the \"/S\" command line flag in order to enumerate files in a specified directory and all subdirectories.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "d2fa11c1-82e2-42db-8f24-39f38b6ea6ba",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007",
+ "T1217"
+ ],
+ "title": "File And SubFolder Enumeration Via Dir Command"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects when a share is mounted using the \"net.exe\" utility",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "3037cec2-08d0-f4a4-91c3-668db3535704",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [
+ 
"0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0008",
+ "T1021.002",
+ "T1021"
+ ],
+ "title": "Windows Share Mount Via Net.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "125653c0-b2ab-c23a-d7aa-6a45f2add313",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1574.001",
+ "T1112",
+ "T1574"
+ ],
+ "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "ebcee1df-9cac-a989-982c-08e181e9d5a8",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects file downloads directly from IP address URL using curl.exe",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "4ed666e7-e78b-4b16-c4bd-1612077f0065",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002"
+ ],
+ "title": "File Download From IP URL Via Curl.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the use of Windows Credential Editor (WCE)",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "956c7de5-3b88-83e6-b1c1-c1d194e166d8",
+ "level": "critical",
+ "service": "",
+ 
"subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0006",
+ "T1003.001",
+ "attack.s0005",
+ "T1003"
+ ],
+ "title": "HackTool - Windows Credential Editor (WCE) Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "d9100b89-baa5-8f0b-5a28-90217fe41a0f",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059"
+ ],
+ "title": "Suspicious Greedy Compression Using Rar.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.\nThis behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.\nAttackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "287709ae-0175-f8df-11fc-9ec74c46d8c9",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "TA0005",
+ "TA0007",
+ "T1047",
+ "T1112",
+ "T1012"
+ ],
+ "title": "Registry Manipulation via WMI Stdregprov"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the usage of the \"Squirrel.exe\" to download arbitrary files. 
This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "48279b22-db22-17e5-5146-824c1f8d07db",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0002",
+ "T1218"
+ ],
+ "title": "Arbitrary File Download Via Squirrel.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "9990ea1d-fc80-2490-3c4f-8237e8bfbc7f",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218"
+ ],
+ "title": "Suspicious AddinUtil.EXE CommandLine Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects scheduled task creations that have suspicious action command and folder combinations",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "3098e48f-fecd-881b-462e-38104798a111",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1053.005",
+ "T1053"
+ ],
+ "title": "Schtasks From Suspicious Folders"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "6608cba0-3816-77a3-31ab-3b70c790f18c",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0006",
+ "T1552.004",
+ "T1552"
+ ],
+ "title": "Private Keys Reconnaissance Via 
CommandLine Tools"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "835eeb0d-312a-9bdf-62f1-ae4e172e57cb",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1202"
+ ],
+ "title": "Potential Arbitrary Command Execution Using Msdt.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "296d5364-4c6f-d2ea-601c-12477b9e4053",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "TA0005",
+ "T1027.005",
+ "T1027",
+ "T1059"
+ ],
+ "title": "HackTool - CrackMapExec PowerShell Obfuscation"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "22698f6a-6197-0acb-d0f8-39939e9af18f",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007",
+ "T1087",
+ "T1087.001",
+ "T1087.002"
+ ],
+ "title": "Suspicious Use of PsLogList"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "e0c7a46a-e1c5-f3fd-6202-5fcf88ffeb16",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ 
"0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1027"
+ ],
+ "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects execution of the IEExec utility to download and execute files",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "b7adfc19-5e32-e2d7-a70c-a28e9a844564",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0011",
+ "T1105"
+ ],
+ "title": "File Download And Execution Via IEExec.EXE"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "bb8639b3-534e-d193-84ff-570b4a6eb383",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1176.001",
+ "T1176"
+ ],
+ "title": "Suspicious Chromium Browser Instance Executed With Custom Extension"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects suspicious process related to rasdial.exe",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "60b34e33-95fe-6beb-2917-eb4309e6dcd8",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "TA0002",
+ "T1059"
+ ],
+ "title": "Suspicious RASdial Activity"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects usage of Dsacls to grant over permissive permissions",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "a81385de-1365-3d8d-2778-5d914a66d61e",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1218"
+ ],
+ "title": "Potentially Over Permissive 
Permissions Granted Using Dsacls.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", + "event_ids": [ + "4688" + ], + "id": "a6b2ba82-448c-971d-4112-1464c1588d84", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1543.003", + "T1543" + ], + "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", + "event_ids": [ + "4688" + ], + "id": "be028779-def3-3fc8-e466-1ed868806e63", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "cve.2023-21746" + ], + "title": "HackTool - LocalPotato Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", + "event_ids": [ + "4688" + ], + "id": "e6b6d67d-434b-039b-029d-55391089a033", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "T1548.002", + "T1218.003", + "T1548", + "T1218" + ], + "title": "Bypass UAC via CMSTP" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious PowerShell invocation command parameters", + "event_ids": [ + "4688" + ], + "id": "1c5c23b8-d4a3-0d4b-6116-74f8ddd96546", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + 
"TA0005" + ], + "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.", + "event_ids": [ + "4688" + ], + "id": "d6a4c9bc-d5cf-bd43-fc5b-0a8b0a3c125f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005", + "T1219" + ], + "title": "Suspicious Velociraptor Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential execution of MeshAgent which is a tool used for remote access.\nHistorical data shows that threat actors rename MeshAgent binary to evade detection.\nMatching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.\n", + "event_ids": [ + "4688" + ], + "id": "8137d225-9af4-eac6-7709-6bcb96a183f2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Remote Access Tool - Potential MeshAgent Execution - Windows" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", + "event_ids": [ + "4688" + ], + "id": "b78e620c-3115-0c6d-ea3e-4ad5d55c1217", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0007", + "T1033" + ], + "title": "Whoami.EXE Execution From Privileged Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the PUA/Recon tool 
Seatbelt via PE information of command line parameters", + "event_ids": [ + "4688" + ], + "id": "18739cbf-55f7-1dda-7985-1f08fc87ea5f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1526", + "T1087", + "T1083" + ], + "title": "PUA - Seatbelt Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects netsh commands that turns off the Windows firewall", + "event_ids": [ + "4688" + ], + "id": "228eaacb-c113-c297-5804-6247ce9a2393", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.004", + "attack.s0108", + "T1562" + ], + "title": "Firewall Disabled via Netsh.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential commandline obfuscation using known escape characters", + "event_ids": [ + "4688" + ], + "id": "77f78d0c-79a5-d749-2130-9bea40bef10a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1140" + ], + "title": "Potential Commandline Obfuscation Using Escape Characters" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", + "event_ids": [ + "4688" + ], + "id": "3870935a-4632-088f-5f37-1baf2d7d56fe", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003" + ], + "title": "Suspicious WindowsTerminal Child Processes" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"findstr\" to search for common names of security tools. 
Attackers often pipe the results of recon commands such as \"tasklist\" or \"whoami\" to \"findstr\" in order to filter out the results.\nThis detection focuses on the keywords that the attacker might use as a filter.\n", + "event_ids": [ + "4688" + ], + "id": "90bfcc44-6d97-c258-a28e-a17300913661", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1518.001", + "T1518" + ], + "title": "Security Tools Keyword Lookup Via Findstr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "event_ids": [ + "4688" + ], + "id": "ae9cee89-1554-68ec-26d5-616c9e234796", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1574.001", + "T1574" + ], + "title": "DLL Sideloading by VMware Xfer Utility" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects possible password spraying attempts using Dsacls", + "event_ids": [ + "4688" + ], + "id": "3dce4add-2a09-340f-3b2e-5d79b18a4adb", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Potential Password Spraying Attempt Using Dsacls.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", + "event_ids": [ + "4688" + ], + "id": "6c75d760-680d-9c24-79e3-123491563466", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Suspicious Desktopimgdownldr Command" + }, + { + "category": 
"process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", + "event_ids": [ + "4688" + ], + "id": "51e070ce-c40e-99ba-6652-7a5ac4f85fea", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0002", + "T1615", + "T1059.005", + "T1059" + ], + "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", + "event_ids": [ + "4688" + ], + "id": "0a1228c0-6754-8156-d07f-6aa2daece740", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Gpscript Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious child processes of \"aspnet_compiler.exe\".", + "event_ids": [ + "4688" + ], + "id": "300b2c4e-03e9-b2ee-c6c3-9c87971d4bf2", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1127" + ], + "title": "Suspicious Child Process of AspNetCompiler" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects commandline arguments for executing a child process via dotnet-trace.exe", + "event_ids": [ + "4688" + ], + "id": "47beff1b-e312-3476-6c22-0805b517fa1f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1218" + ], + "title": "Binary Proxy Execution Via Dotnet-Trace.EXE" + }, + { + "category": "process_creation", + 
"channel": [ + "sec" + ], + "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", + "event_ids": [ + "4688" + ], + "id": "3e89a33f-127c-1329-d332-0d836db05ad7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "PUA - CleanWipe Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "event_ids": [ + "4688" + ], + "id": "e9ec99cd-f425-c533-3e51-bf39335dbe29", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "HackTool - HandleKatz LSASS Dumper Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an uncommon parent process of \"LINK.EXE\".\nLink.EXE in Microsoft incremental linker. 
Its a utility usually bundled with Visual Studio installation.\nMultiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the \"LINK.EXE\" binary without checking its validity.\nThis would allow an attacker to sideload any binary with the name \"link.exe\" if one of the aforementioned tools get executed from a different location.\nBy filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.\n", + "event_ids": [ + "4688" + ], + "id": "f2200f88-34e8-ad86-b006-fc01b177fad9", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Uncommon Link.EXE Parent Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of Microsoft Quick Assist tool \"QuickAssist.exe\". This utility can be used by attackers to gain remote access.\n", + "event_ids": [ + "4688" + ], + "id": "7eddf245-1436-4062-e0cb-f656cda705b9", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "QuickAssist Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", + "event_ids": [ + "4688" + ], + "id": "9221ea23-8f7a-5f6e-cde6-763911fe289d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. 
Often used by attacker to prevent safeboot execution of security products", + "event_ids": [ + "4688" + ], + "id": "9069f74a-131e-643b-86fc-0f23d29805d7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "SafeBoot Registry Key Deleted Via Reg.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of 7z in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.", + "event_ids": [ + "4688" + ], + "id": "93586827-5f54-fc91-0b2f-338fd5365694", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1560.001", + "T1560" + ], + "title": "7Zip Compressing Dump Files" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", + "event_ids": [ + "4688" + ], + "id": "31616502-c261-6b78-a809-4408f88bc4fb", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1132.001", + "T1132" + ], + "title": "Gzip Archive Decode Via PowerShell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of Netcat. 
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "event_ids": [ + "4688" + ], + "id": "f483b0b8-2606-8691-2edb-5c64c3a7347e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1095" + ], + "title": "PUA - Netcat Suspicious Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects attempts to disable windows recovery environment using Reagentc.\nReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).\nIt allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.\n", + "event_ids": [ + "4688" + ], + "id": "7e941643-69fc-290f-3b49-eee5d24adde8", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1490" + ], + "title": "Windows Recovery Environment Disabled Via Reagentc" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe", + "event_ids": [ + "4688" + ], + "id": "ae7a6aa8-b9bd-4f34-f72a-5e9d33e9098c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "NtdllPipe Like Activity Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", + "event_ids": [ + "4688" + ], + "id": "2a048dab-1493-f4cf-68dc-2fc90db2a471", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1218", + "T1202" + ], + "title": "Suspicious ZipExec Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"dctask64.exe\", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.\nThis binary can be abused for DLL injection, arbitrary command and process execution.\n", + "event_ids": [ + "4688" + ], + "id": "705fa07c-8ce4-2fcc-9d33-de2ac20c6369", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1055.001", + "T1055" + ], + "title": "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", + "event_ids": [ + "4688" + ], + "id": "35e14148-f5cd-9d4d-90bb-e63d555a1a02", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1216" + ], + "title": "Potential Manage-bde.wsf Abuse To Proxy Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential evasion or obfuscation 
attempts using bogus path traversal via the commandline", + "event_ids": [ + "4688" + ], + "id": "2cc522c8-300b-2344-e384-3db7df590412", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036" + ], + "title": "Potential Command Line Path Traversal Evasion Attempt" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.\nThreat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.\n", + "event_ids": [ + "4688" + ], + "id": "bb67b9c1-36b4-5057-bac0-7c90c9147791", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070" + ], + "title": "IIS WebServer Log Deletion via CommandLine Utilities" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", + "event_ids": [ + "4688" + ], + "id": "471f9aca-34da-a143-18bc-d54d121778dd", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "DLL Loaded via CertOC.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious mshta process execution patterns", + "event_ids": [ + "4688" + ], + "id": "01ee4326-bf63-03dc-3a07-97129ea929cb", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1106" + ], + "title": "Suspicious Mshta.EXE Execution Patterns" + }, + { + "category": "process_creation", + 
"channel": [ + "sec" + ], + "description": "Detects potentially suspicious child processes of a ClickOnce deployment application", + "event_ids": [ + "4688" + ], + "id": "66a0246c-c8ba-1f83-d729-7de76ec64ee7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005" + ], + "title": "Potentially Suspicious Child Process Of ClickOnce Application" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", + "event_ids": [ + "4688" + ], + "id": "79562785-6cc3-acf1-853a-e4758e918d32", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Start of NT Virtual DOS Machine" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.\nSharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.\n", + "event_ids": [ + "4688" + ], + "id": "e653c5ce-5d53-8f18-097d-affbeeb0425a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "T1134.001", + "T1134.003", + "T1134" + ], + "title": "HackTool - SharpDPAPI Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "event_ids": [ + "4688" + ], + "id": "18dfc536-9538-c1a3-545c-82b5c749672c", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1587", + "TA0042" + ], + "title": "HackTool - PurpleSharp Execution" + }, + { + "category": 
"process_creation", + "channel": [ + "sec" + ], + "description": "Detects powershell scripts that import modules from suspicious directories", + "event_ids": [ + "4688" + ], + "id": "d671a75d-7b95-f624-cf04-8c7814fca3aa", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", + "event_ids": [ + "4688" + ], + "id": "bee3c5b9-5fce-49e8-2301-d000d81eba6e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002" + ], + "title": "ImagingDevices Unusual Parent/Child Processes" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", + "event_ids": [ + "4688" + ], + "id": "5ced154c-67dd-89a9-5337-0da89bcd4cdc", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0042", + "T1587.001", + "T1587" + ], + "title": "Potential Privilege Escalation To LOCAL SYSTEM" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", + "event_ids": [ + "4688" + ], + "id": "be45d499-4cd7-c4a6-727e-e52c6770468e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "TA0007", + "T1087.002", + "T1087" + ], + "title": "Active Directory Structure Export Via 
Csvde.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.", + "event_ids": [ + "4688" + ], + "id": "a0d3fa7f-7155-4aef-0428-ccfae2e54d9f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070.004", + "T1070" + ], + "title": "Greedy File Deletion Using Del" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", + "event_ids": [ + "4688" + ], + "id": "26de0206-5a40-c902-6fcf-8ab280a45735", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Potentially Suspicious Execution Of PDQDeployRunner" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", + "event_ids": [ + "4688" + ], + "id": "77303e46-58e3-05a8-24a1-2274aa37201c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1556.002", + "T1556" + ], + "title": "Dropping Of Password Filter DLL" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", + "event_ids": [ + "4688" + ], + "id": "9d6f9951-dc6f-66b5-290e-ff79c75550f6", + "level": "high", + "service": "", + "subcategory_guids": 
[ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "T1218" + ], + "title": "Suspicious Rundll32 Activity Invoking Sys File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "event_ids": [ + "4688" + ], + "id": "2a6f617c-481d-6799-1fd1-f7e0a24d76bf", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "HackTool - PowerTool Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", + "event_ids": [ + "4688" + ], + "id": "e2ad4178-62be-451e-624c-06ea47918a7a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1055" + ], + "title": "Dllhost.EXE Execution Anomaly" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", + "event_ids": [ + "4688" + ], + "id": "8a9278f4-40c8-30f3-c1ab-7dc224491477", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1552.006", + "T1552" + ], + "title": "Findstr GPP Passwords" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.\n", + "event_ids": [ + "4688" + ], + "id": "9610d848-8049-b860-c3ee-235db9eccfc4", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Suspicious Uninstall of Windows Defender Feature via PowerShell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", + "event_ids": [ + "4688" + ], + "id": "e78082d8-696f-c684-d72a-e1b29ffbcc74", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1203", + "TA0002" + ], + "title": "Java Running with Remote Debugging" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE\nCheck if the user that executed the commands is suspicious (e.g. 
service accounts, LOCAL_SYSTEM)\n", + "event_ids": [ + "4688" + ], + "id": "233231d1-9636-f53b-5bc9-0b43d4d9a539", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1087.001", + "T1087.002", + "T1087" + ], + "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution", + "event_ids": [ + "4688" + ], + "id": "1d0387b6-6de7-eb5c-ffe9-ee892ff26f07", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027" + ], + "title": "File Decoded From Base64/Hex Via Certutil.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the removal or uninstallation of an application via \"Wmic.EXE\".", + "event_ids": [ + "4688" + ], + "id": "4f8de5d6-a332-76fb-d759-219688d83254", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "Application Removed Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", + "event_ids": [ + "4688" + ], + "id": "24194c4a-9136-8ccc-cb24-c32ee6a83d2f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0042", + "T1587.001", + "T1587" + ], + "title": "PsExec/PAExec Escalation to LOCAL SYSTEM" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious Hangul 
Word Processor (Hanword) sub processes that could indicate an exploitation", + "event_ids": [ + "4688" + ], + "id": "a7ed3875-d941-ac17-9f8a-7828f6a11738", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1566.001", + "TA0002", + "T1203", + "T1059.003", + "attack.g0032", + "T1059", + "T1566" + ], + "title": "Suspicious HWP Sub Processes" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"rundll32\" calling \"advpack.dll\" with potential obfuscated ordinal calls in order to leverage the \"RegisterOCX\" function", + "event_ids": [ + "4688" + ], + "id": "afdc65aa-8680-da5e-c417-fc0432a76cd1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Suspicious Advpack Call Via Rundll32.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", + "event_ids": [ + "4688" + ], + "id": "584c503a-bcee-ab44-f773-dea130827275", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Potential AMSI Bypass Via .NET Reflection" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"curl.exe\" with the \"insecure\" flag over proxy or DOH.", + "event_ids": [ + "4688" + ], + "id": "b1d59fa0-c42c-0efd-027d-d7721d153420", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Insecure Proxy/DOH Transfer Via Curl.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the PoC that can be used to exploit Sysmon 
CVE-2022-41120", + "event_ids": [ + "4688" + ], + "id": "40c1ee69-dcc9-b5a4-614c-60aa83c693d0", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "cve.2022-41120", + "T1068", + "TA0004" + ], + "title": "HackTool - SysmonEOP Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).\nThis can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.\n", + "event_ids": [ + "4688" + ], + "id": "3becf1a9-6869-2795-e158-31485eae103f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1552.001", + "T1552" + ], + "title": "Potential PowerShell Console History Access Attempt via History File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", + "event_ids": [ + "4688" + ], + "id": "04aeef7e-daa9-3212-481e-808d0386c3a2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1115" + ], + "title": "PowerShell Get-Clipboard Cmdlet Via CLI" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", + "event_ids": [ + "4688" + ], + "id": "40457d53-1448-2b59-d171-3ec4d0c7e8b6", + "level": "medium", + "service": "", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1485" + ], + "title": "Deleted Data Overwritten Via Cipher.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of \"IMEWDBLD.exe\" to download arbitrary files", + "event_ids": [ + "4688" + ], + "id": "9a2b890c-d67f-9cbf-6350-4365c0828269", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218" + ], + "title": "Arbitrary File Download Via IMEWDBLD.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", + "event_ids": [ + "4688" + ], + "id": "912866aa-0cd5-dcb6-e1d4-a0b6cbbdc575", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027.005", + "T1027" + ], + "title": "PUA - DefenderCheck Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", + "event_ids": [ + "4688" + ], + "id": "6b789465-3c6e-9af1-e00a-929db8f324d1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "T1053.005", + "T1059.001", + "T1053", + "T1059" + ], + "title": "Suspicious Schtasks Execution AppData Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "event_ids": [ + "4688" + ], + "id": 
"5485eaef-6cb2-5361-f012-c32a0798ac29", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010" + ], + "title": "Suspicious PowerShell Mailbox Export to Share" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", + "event_ids": [ + "4688" + ], + "id": "e690ad80-ba5d-6c78-f689-97c9bdad6517", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1566" + ], + "title": "Phishing Pattern ISO in Archive" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects changes to the \"DisableRestrictedAdmin\" registry value in order to disable or enable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "event_ids": [ + "4688" + ], + "id": "ab4d23c2-9f69-e6fd-d546-041e823f0147", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "RestrictedAdminMode Registry Value Tampering - ProcCreation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "event_ids": [ + "4688" + ], + "id": "fbb20f1c-c29f-e4fb-e289-3fd4de5feda4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + 
"tags": [ + "TA0007", + "T1033" + ], + "title": "User Discovery And Export Via Get-ADUser Cmdlet" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", + "event_ids": [ + "4688" + ], + "id": "39a37f01-5f47-60db-1809-3aef76fc537a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0006", + "T1557.001", + "T1557" + ], + "title": "HackTool - Impacket Tools Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect execution of suspicious double extension files in ParentCommandLine", + "event_ids": [ + "4688" + ], + "id": "775d4bc1-d404-6927-6dc7-c22d00029c37", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036.007", + "T1036" + ], + "title": "Suspicious Parent Double Extension File Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"gpg.exe\" from uncommon location. 
Often used by ransomware and loaders to decrypt/encrypt data.", + "event_ids": [ + "4688" + ], + "id": "69ecc75a-13a3-371f-01a6-fcb003da67b4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1486" + ], + "title": "Portable Gpg.EXE Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", + "event_ids": [ + "4688" + ], + "id": "49fcee15-4a91-2599-357b-6a1abe3d7cf4", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.005", + "car.2013-02-003", + "car.2013-03-001", + "car.2014-04-003", + "T1218" + ], + "title": "Suspicious MSHTA Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs.", + "event_ids": [ + "4688" + ], + "id": "c9a20835-ce7c-8118-9269-64b5a5e8cbb5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Program Executed Using Proxy/Local Command Via SSH.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. 
This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.\n", + "event_ids": [ + "4688" + ], + "id": "b85ec837-2a0a-7e8d-e3cb-a5f960e625e5", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005" + ], + "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", + "event_ids": [ + "4688" + ], + "id": "deb3c0f1-0961-ecf5-5c89-8c7640d2b22f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects creation of a scheduled task with a GUID like name", + "event_ids": [ + "4688" + ], + "id": "470da37d-268f-d626-f90a-04ef23655a27", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1053.005", + "T1053" + ], + "title": "Suspicious Scheduled Task Name As GUID" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", + "event_ids": [ + "4688" + ], + "id": "90b43135-d789-00ee-977c-ed235554c372", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Suspicious Obfuscated PowerShell Code" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) 
directories to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.\n", + "event_ids": [ + "4688" + ], + "id": "864f6704-33c0-cdec-c3fa-ae453ca199c1", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036.003", + "T1036" + ], + "title": "Suspicious Copy From or To System Directory" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.", + "event_ids": [ + "4688" + ], + "id": "2eed1cc9-eaed-d468-3184-02f80bf78c3d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1005" + ], + "title": "Veeam Backup Database Suspicious Query" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of FSharp Interpreters \"FsiAnyCpu.exe\" and \"FSi.exe\"\nBoth can be used for AWL bypass and to execute F# code via scripts or inline.\n", + "event_ids": [ + "4688" + ], + "id": "5c7dd694-d4dd-a0a8-ea44-8357ca998b69", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Use of FSharp Interpreters" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", + "event_ids": [ + "4688" + ], + "id": "86e778e7-ed84-5e14-0732-2e352101ac62", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1218.011", + "TA0005", + "T1218" + ], + "title": "Rundll32 InstallScreenSaver Execution" + 
}, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", + "event_ids": [ + "4688" + ], + "id": "0ce3d50b-989b-895d-96cd-f820e09f2e18", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "TA0005", + "TA0004", + "T1134", + "T1003", + "T1027" + ], + "title": "Suspicious SYSTEM User Process Creation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", + "event_ids": [ + "4688" + ], + "id": "17bc9aa9-eb49-a701-4cab-cbcaea111644", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1018", + "T1087.002", + "T1482", + "T1069.002", + "T1087", + "T1069" + ], + "title": "Renamed AdFind Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child processes of the SQLServer process. 
This could indicate potential RCE or SQL Injection.", + "event_ids": [ + "4688" + ], + "id": "e5fef5f3-db95-fac1-d6a8-ebe5cea61016", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1505.003", + "T1190", + "TA0001", + "TA0003", + "TA0004", + "T1505" + ], + "title": "Suspicious Child Process Of SQL Server" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", + "event_ids": [ + "4688" + ], + "id": "3d04a8d4-c258-0c3b-8665-5803d5ceba7f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".", + "event_ids": [ + "4688" + ], + "id": "59996aa8-9ca2-1ef7-5102-ad18e12d4402", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "event_ids": [ + "4688" + ], + "id": "f57937ba-e844-d5ff-1b06-4ca216d0b747", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005", + "TA0004", + "T1574.011", + "T1574" + ], + "title": "Abuse of Service Permissions to Hide Services Via Set-Service" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.", + "event_ids": [ + "4688" + ], + "id": "7b1d6a26-339a-db21-8b7d-55f848967cdd", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "TA0002", + "T1059.001", + "T1105", + "T1059" + ], + "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of LiveKD based on PE metadata or image name", + "event_ids": [ + "4688" + ], + "id": "4015c0bf-a80a-7b4f-cff2-cb50ea14b40f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Potential Memory Dumping Activity Via LiveKD" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. 
Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", + "event_ids": [ + "4688" + ], + "id": "655cb0fd-79c4-949b-b842-e1fcf2e1e527", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1072", + "TA0005", + "T1218" + ], + "title": "Suspicious Csi.exe Usage" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "event_ids": [ + "4688" + ], + "id": "1f76708c-e9a2-3032-ae39-9025038a90c4", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1049", + "T1069.002", + "T1482", + "T1135", + "T1033", + "T1069" + ], + "title": "HackTool - SharpView Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", + "event_ids": [ + "4688" + ], + "id": "cee773e9-972f-17a6-5cec-90899c703f16", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218" + ], + "title": "Arbitrary File Download Via MSOHTMED.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when an admin share is mounted using net.exe", + "event_ids": [ + "4688" + ], + "id": "70e8ecd5-c850-e676-1c25-2bdb4f5ef98c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021.002", + "T1021" + ], + "title": "Windows Admin Share Mount Via Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects commands that temporarily turn off Volume 
Snapshots", + "event_ids": [ + "4688" + ], + "id": "1f7c1ba3-2f41-4b49-17f6-5a4719527d57", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Disabled Volume Snapshots" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of \"DumpMinitool.exe\" a tool that allows the dump of process memory via the use of the \"MiniDumpWriteDump\"", + "event_ids": [ + "4688" + ], + "id": "7fba96c8-5c12-aafa-9f68-5c0c7fd6e592", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "T1003.001", + "TA0006", + "T1003" + ], + "title": "DumpMinitool Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.", + "event_ids": [ + "4688" + ], + "id": "7aaa460d-7613-e1bd-01a0-3c17a897a9d2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0002" + ], + "title": "Potential Discovery Activity Via Dnscmd.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of php using the \"-r\" flag. 
This is could be used as a way to launch a reverse shell or execute live php code.", + "event_ids": [ + "4688" + ], + "id": "4329e2b7-363d-b9dc-cbd5-6bbcc79a1b5b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Php Inline Command Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", + "event_ids": [ + "4688" + ], + "id": "6be0f4bd-c96b-6215-65ad-e38299aa0561", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1055" + ], + "title": "Process Creation Using Sysnative Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects calls to cmdlets that are used to export certificates from the local certificate store. 
Threat actors were seen abusing this to steal private keys from compromised machines.", + "event_ids": [ + "4688" + ], + "id": "909ad08b-a33e-57b8-8a0e-98a42a566b03", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "TA0002", + "T1552.004", + "T1059.001", + "T1552", + "T1059" + ], + "title": "Certificate Exported Via PowerShell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", + "event_ids": [ + "4688" + ], + "id": "3135cfd1-5a2f-468b-9cf2-fbf03902985f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036" + ], + "title": "Potential Fake Instance Of Hxtsr.EXE Executed" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of a renamed \"cloudflared\" binary.", + "event_ids": [ + "4688" + ], + "id": "c4597337-053d-373e-4faa-cc0e1796fde6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1090.001", + "T1090" + ], + "title": "Renamed Cloudflared.EXE Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64 where the files are located in potentially suspicious locations", + "event_ids": [ + "4688" + ], + "id": "09f25420-43e9-2a11-7301-c1c851349604", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + 
"T1027" + ], + "title": "File In Suspicious Location Encoded To Base64 Via Certutil.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious program execution in Outlook temp folder", + "event_ids": [ + "4688" + ], + "id": "c4a80f4d-4976-2f43-f3ef-3feed52e43dd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1566.001", + "T1566" + ], + "title": "Suspicious Execution From Outlook Temporary Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects uncommon child processes of \"DefaultPack.EXE\" binary as a proxy to launch other programs", + "event_ids": [ + "4688" + ], + "id": "91d53283-959d-c486-79b7-288d5aa3be9c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1218", + "TA0005", + "TA0002" + ], + "title": "Uncommon Child Process Of Defaultpack.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the builtin \"rmdir\" command in order to delete directories.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "event_ids": [ + "4688" + ], + "id": "80e2dcdb-b882-51ac-b1e2-8440243a0492", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070.004", + "T1070" + ], + "title": "Directory Removal Via Rmdir" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the Add-In deployment 
cache updating utility (AddInutil.exe) from a non-standard directory.", + "event_ids": [ + "4688" + ], + "id": "b229510a-6249-effe-47a7-1453bddf03a7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "AddinUtil.EXE Execution From Uncommon Directory" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.\nThis could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.\n", + "event_ids": [ + "4688" + ], + "id": "5cf7d531-3e77-6eb0-d0e7-497c9a6520f2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562" + ], + "title": "Write Protect For Storage Disabled" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", + "event_ids": [ + "4688" + ], + "id": "ae609e1c-eb91-f3a5-50b2-e6d70abc4c8b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036.003", + "T1036", + "T1027.005", + "T1027" + ], + "title": "PUA - Potential PE Metadata Tamper Using Rcedit" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "event_ids": [ + "4688" + ], + "id": "226527e7-8837-a785-775d-0dfb86e3fa27", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036" + ], + "title": "Suspicious 
Process Parents" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of Cmdl32 with the \"/vpn\" and \"/lan\" flags.\nAttackers can abuse this utility in order to download arbitrary files via a configuration file.\nInspect the location and the content of the file passed as an argument in order to determine if it is suspicious.\n", + "event_ids": [ + "4688" + ], + "id": "9c5b92ea-7921-f006-6f7b-a5f9ce49a774", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1218", + "T1202" + ], + "title": "Potential Arbitrary File Download Via Cmdl32.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects uncommon \"userinit.exe\" child processes, which could be a sign of uncommon shells or login scripts used for persistence.", + "event_ids": [ + "4688" + ], + "id": "8d2051ab-4ac8-617f-7be7-3a2c8e1a8aa8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1037.001", + "TA0003", + "T1037" + ], + "title": "Uncommon Userinit Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"findstr\" with specific flags and a remote share path. 
This specific set of CLI flags would allow \"findstr\" to download the content of the file located on the remote share as described in the LOLBAS entry.\n", + "event_ids": [ + "4688" + ], + "id": "37b23b1a-fcb3-7612-9af9-bcb48f1877d7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0006", + "TA0011", + "T1218", + "T1564.004", + "T1552.001", + "T1105", + "T1552", + "T1564" + ], + "title": "Remote File Download Via Findstr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of msiexec.exe from an uncommon directory", + "event_ids": [ + "4688" + ], + "id": "c043e0b2-a5f8-ebe1-e99b-54303aa6f2ad", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036.005", + "T1036" + ], + "title": "Potential MsiExec Masquerading" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.\n", + "event_ids": [ + "4688" + ], + "id": "eae2fe25-e367-9c8d-111c-fe4507f8e1be", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "TA0010", + "T1560", + "T1560.001" + ], + "title": "Compressed File Creation Via Tar.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of \"cmdkey.exe\" to add generic credentials.\nAs an example, this can be used before connecting to an RDP session via command line interface.\n", + "event_ids": [ + "4688" + ], + "id": "06860765-c664-13b1-1bba-4ae0606ad697", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.005", + 
"T1003" + ], + "title": "New Generic Credentials Added Via Cmdkey.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", + "event_ids": [ + "4688" + ], + "id": "d6747b91-0f0d-b0e6-e128-10f8dd2feb2e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070", + "TA0003", + "T1542.003", + "T1542" + ], + "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of cmdkey to look for cached credentials on the system", + "event_ids": [ + "4688" + ], + "id": "e1b669ee-98b7-25ba-818f-8198fdb19b0d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.005", + "T1003" + ], + "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of Xwizard tool with the \"RunWizard\" flag and a GUID like argument.\nThis utility can be abused in order to run custom COM object created in the registry.\n", + "event_ids": [ + "4688" + ], + "id": "9229b93f-725b-ba48-a5e2-fd3ba4c5751b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "COM Object Execution via Xwizard.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", + "event_ids": [ + "4688" + ], + "id": "f096d3e4-a0dc-1035-8028-34c72c5504c6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1090" + ], + 
"title": "PUA - NPS Tunneling Tool Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts", + "event_ids": [ + "4688" + ], + "id": "1bc24d28-b7b8-e116-11bd-46368cdb03ac", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", + "event_ids": [ + "4688" + ], + "id": "5385a182-a453-d329-5d89-d768e2b73e28", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Execution Of Non-Existing File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", + "event_ids": [ + "4688" + ], + "id": "974c3659-4c63-c8c0-e3e1-1cedf5c38b24", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.003", + "T1059" + ], + "title": "Read Contents From Stdin Via Cmd.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", + "event_ids": [ + "4688" + ], + "id": 
"0ea4a0ee-5c69-9f71-3691-d203eb76c9fc", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1553.004", + "T1553" + ], + "title": "New Root Certificate Installed Via CertMgr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious child processes of WinRAR.exe.", + "event_ids": [ + "4688" + ], + "id": "c57b53ed-b127-34e4-6906-e0e36b11d5ed", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1203" + ], + "title": "Potentially Suspicious Child Process Of WinRAR.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of wmic to start or stop a service", + "event_ids": [ + "4688" + ], + "id": "36fe1761-03ba-cf23-48dc-4de20028381f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "Service Started/Stopped Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects command line containing reference to the \"::$index_allocation\" stream, which can be used as a technique to prevent access to folders or files from tooling such as \"explorer.exe\" or \"powershell.exe\"\n", + "event_ids": [ + "4688" + ], + "id": "687991ec-6a52-9d7a-a775-7e80204757b3", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.004", + "T1564" + ], + "title": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Use of hostname to get information", + "event_ids": [ + "4688" + ], + "id": "70d8280e-179e-392c-fb0d-96528c5d36cc", + "level": "low", + "service": "", 
+ "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1082" + ], + "title": "Suspicious Execution of Hostname" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential abuse of the \"register_app.vbs\" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.", + "event_ids": [ + "4688" + ], + "id": "6855348e-9e88-3b8c-cd96-7a09bd19a04d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Potential Register_App.Vbs LOLScript Abuse" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects uncommon child processes of Appvlp.EXE\nAppvlp or the Application Virtualization Utility is included with Microsoft Office. 
Attackers are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", + "event_ids": [ + "4688" + ], + "id": "3b38d2cf-7ccd-53a3-5491-424880982502", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1218", + "TA0005", + "TA0002" + ], + "title": "Uncommon Child Process Of Appvlp.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of winget to add new additional download sources", + "event_ids": [ + "4688" + ], + "id": "d8e1c729-6e00-4d1f-0af5-f58bd233d23a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1059" + ], + "title": "Add New Download Source To Winget" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a potentially suspicious execution of a parent process located in the \"\\Users\\Public\" folder executing a child process containing references to shell or scripting binaries and commandlines.\n", + "event_ids": [ + "4688" + ], + "id": "cd36cd3c-17cb-d0c6-1e77-c74a5a6e96fe", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1564", + "T1059" + ], + "title": "Potentially Suspicious Execution From Parent Process In Public Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the recovery of files from backups via \"wbadmin.exe\".\nAttackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.\n", + "event_ids": [ + "4688" + ], + "id": "5202675a-41e6-e644-d9e9-47e5f945d40a", + "level": "medium", + "service": 
"", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1490" + ], + "title": "File Recovery From Backup Via Wbadmin.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks", + "event_ids": [ + "4688" + ], + "id": "1245d006-c502-7e4c-66d3-55cfd5aa5fc4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "TA0009", + "T1185" + ], + "title": "Browser Started with Remote Debugging" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "event_ids": [ + "4688" + ], + "id": "7aeff814-b27b-e580-603c-4c71d478a677", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1489" + ], + "title": "Delete Important Scheduled Task" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect use of X509Enrollment", + "event_ids": [ + "4688" + ], + "id": "5e80556b-2efe-2558-9119-c09636c4c9e4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1553.004", + "T1553" + ], + "title": "Suspicious X509Enrollment - Process Creation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of findstr with the \"s\" and \"i\" flags for a \"subfolder\" and \"insensitive\" search respectively. 
Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.\n", + "event_ids": [ + "4688" + ], + "id": "1f7106cd-f5e2-0696-4238-9f85251a052c", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0006", + "TA0011", + "T1218", + "T1564.004", + "T1552.001", + "T1105", + "T1564", + "T1552" + ], + "title": "Insensitive Subfolder Search Via Findstr.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).\nAdversaries insert non-printable whitespace characters (e.g., Line Feed \\x0A, Carriage Return \\x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.\nThe hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.\nThis rule flags suspicious use of such padding observed in real-world attacks.\n", + "event_ids": [ + "4688" + ], + "id": "c5afc50a-fb5c-5df5-9dbe-3d574bc0fa64", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "TA0002", + "T1204.002", + "T1204" + ], + "title": "Suspicious LNK Command-Line Padding with Whitespace Characters" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.\nAutoIt is a scripting language and automation tool for Windows systems. 
While primarily used for legitimate automation tasks, it can be misused in cyber attacks.\nAttackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.\n", + "event_ids": [ + "4688" + ], + "id": "6c6e8f1c-70aa-c21c-7860-3cd72022adb7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027" + ], + "title": "Renamed AutoIt Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", + "event_ids": [ + "4688" + ], + "id": "fdd2fe27-5f29-7b4f-0381-22bac2ea7c0a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008" + ], + "title": "Mstsc.EXE Execution From Uncommon Parent" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", + "event_ids": [ + "4688" + ], + "id": "b881e130-b2f3-59a2-f31f-1ab4f003c199", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Suspicious Mstsc.EXE Execution With Local RDP File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", + "event_ids": [ + "4688" + ], + "id": "8a1ff7a8-dc08-8d51-6f44-ebf8369d583a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + 
"T1059.001", + "T1059" + ], + "title": "Cmd.EXE Missing Space Characters Execution Anomaly" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the malicious use of a control panel item", + "event_ids": [ + "4688" + ], + "id": "412f66af-4b64-0d69-8b91-9fa5161724cd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1218.002", + "TA0003", + "T1546", + "T1218" + ], + "title": "Control Panel Items" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of \"rar\" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "event_ids": [ + "4688" + ], + "id": "4033fb39-b0df-89aa-584b-12d73c5e5bd6", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1560.001", + "T1560" + ], + "title": "Files Added To An Archive Using Rar.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced", + "event_ids": [ + "4688" + ], + "id": "6408b665-07d6-1525-496f-24511bfff69c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1558.003", + "TA0008", + "T1550.003", + "T1550", + "T1558" + ], + "title": "HackTool - KrbRelayUp Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "event_ids": [ + "4688" + ], + "id": 
"41405b7a-f9bc-bce2-50ed-abfca5390f19", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "T1053.005", + "T1053" + ], + "title": "Suspicious Scheduled Task Creation Involving Temp Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"Diskshadow.exe\" in script mode to execute an script with a potentially uncommon extension.\nInitial baselining of the allowed extension list is required.\n", + "event_ids": [ + "4688" + ], + "id": "a5621ded-7646-ab81-f618-d9132148ad46", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Diskshadow Script Mode - Uncommon Script Extension Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the export of the target Registry key to a file.", + "event_ids": [ + "4688" + ], + "id": "033b2a23-2b9c-4ad7-db96-f2f2a509169c", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "TA0007", + "T1012" + ], + "title": "Exports Registry Key To a File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\nThis is used as an obfuscation and masquerading techniques. 
Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.\n", + "event_ids": [ + "4688" + ], + "id": "52926c4e-2c91-7854-02bb-6edbfebd425e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "T1036.003" + ], + "title": "Potential Homoglyph Attack Using Lookalike Characters" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", + "event_ids": [ + "4688" + ], + "id": "af422edd-75d2-0585-95bf-c4e72291a69e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003", + "T1197", + "attack.s0190", + "T1036.003", + "T1036" + ], + "title": "File Download Via Bitsadmin To An Uncommon Target Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "event_ids": [ + "4688" + ], + "id": "2116c0b4-e272-0fc0-40da-107d4cbaa911", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Use of VisualUiaVerifyNative.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", + "event_ids": [ + "4688" + ], + "id": "835ff144-018a-4ec5-3788-ea773f0fd869", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.003", + "T1003" + ], + "title": "PUA - DIT Snapshot Viewer" + }, + { + "category": 
"process_creation", + "channel": [ + "sec" + ], + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "event_ids": [ + "4688" + ], + "id": "9974aa8a-7f9d-e45d-d1f2-353a893b2572", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Office application called wmic to proxye execution through a LOLBIN process. 
This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", + "event_ids": [ + "4688" + ], + "id": "0e524b9d-1e47-2065-5827-2b8d0125307c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1204.002", + "T1047", + "T1218.010", + "TA0002", + "TA0005", + "T1218", + "T1204" + ], + "title": "Suspicious WMIC Execution Via Office Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", + "event_ids": [ + "4688" + ], + "id": "b68cfad0-0e22-e824-aed8-8c1c3d1accdc", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1127" + ], + "title": "Use of Remote.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). 
This could be a sign of abuse to proxy execution through a signed binary.", + "event_ids": [ + "4688" + ], + "id": "db4d52b7-af14-c61b-c1e1-5b52f036b5e0", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Potentially Suspicious Electron Application CommandLine" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects attempts to query system information directly from the Windows Registry.", + "event_ids": [ + "4688" + ], + "id": "62c2be2f-ba0e-142b-7bf8-cf4b2b8a6bf5", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1082" + ], + "title": "System Information Discovery via Registry Queries" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious child processes of \"regsvr32.exe\".", + "event_ids": [ + "4688" + ], + "id": "64533e2e-fc62-38e3-32ed-413f474d82c7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.010", + "T1218" + ], + "title": "Potentially Suspicious Child Process Of Regsvr32" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect the harvesting of wifi credentials using netsh.exe", + "event_ids": [ + "4688" + ], + "id": "bbc6093d-c0e1-e946-62dd-d27307534a1f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0006", + "T1040" + ], + "title": "Harvesting Of Wifi Credentials Via Netsh.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", + "event_ids": [ + "4688" + ], + "id": "dd4ac92f-1ad9-9f2e-e7b1-574030f25c36", + "level": "medium", + 
"service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218" + ], + "title": "Arbitrary File Download Via MSPUB.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"ConfigSecurityPolicy.EXE\", a binary part of Windows Defender used to manage settings in Windows Defender.\nUsers can configure different pilot collections for each of the co-management workloads.\nIt can be abused by attackers in order to upload or download files.\n", + "event_ids": [ + "4688" + ], + "id": "956a39b3-a319-4b78-6305-a216732d379e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "T1567" + ], + "title": "Arbitrary File Download Via ConfigSecurityPolicy.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. 
Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", + "event_ids": [ + "4688" + ], + "id": "90622c98-76d8-785d-1539-e8120fa53bc6", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003", + "T1003.003", + "attack.s0404" + ], + "title": "Esentutl Gather Credentials" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the Installation of a Exchange Transport Agent", + "event_ids": [ + "4688" + ], + "id": "5bc86f64-e263-f14b-6525-bacad0b088ad", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1505.002", + "T1505" + ], + "title": "MSExchange Transport Agent Installation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. 
This can be used to hide services or make them unstoppable.", + "event_ids": [ + "4688" + ], + "id": "fd14e822-33da-bc04-253d-2c8cc8659a30", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1543.003", + "T1543" + ], + "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", + "event_ids": [ + "4688" + ], + "id": "af00bb3c-d23f-1210-525a-d8eaf94dd907", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1555.004", + "T1555" + ], + "title": "Windows Credential Manager Access via VaultCmd" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects PowerShell scripts to set the ACL to a file in the Windows folder", + "event_ids": [ + "4688" + ], + "id": "401fb350-d891-c9ac-1ba7-13d9cce53c20", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "PowerShell Set-Acl On Windows Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", + "event_ids": [ + "4688" + ], + "id": "432d294d-a306-5b48-a105-306e9dfd78cf", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1053.002", + "T1053" + ], + "title": "Interactive AT Job" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.", + "event_ids": [ + "4688" + ], + "id": 
"9fac7dce-b844-3db0-da6c-98df4b015954", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0043", + "T1590.001", + "T1590" + ], + "title": "PUA - Crassus Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.\nThis technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.\n", + "event_ids": [ + "4688" + ], + "id": "c833260b-e625-9fc5-e600-302e176fb76e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "TA0007", + "T1552" + ], + "title": "Potentially Suspicious EventLog Recon Activity Using Log Query Utilities" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "event_ids": [ + "4688" + ], + "id": "039cf906-44b1-1f3a-cc07-9f2cf592d320", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1486" + ], + "title": "Suspicious Reg Add BitLocker" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)", + "event_ids": [ + "4688" + ], + "id": "bb3d59c6-7ec7-685a-4ae1-f39045534f39", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Uncommon Child Processes Of SndVol.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious winrar execution in a folder 
which is not the default installation folder", + "event_ids": [ + "4688" + ], + "id": "91a429e4-2bb4-05ef-b164-545b86f9ba8e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1560.001", + "T1560" + ], + "title": "Winrar Execution in Non-Standard Folder" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", + "event_ids": [ + "4688" + ], + "id": "62995636-6f75-677a-428e-531368fbda08", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "T1218" + ], + "title": "CobaltStrike Load by Rundll32" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", + "event_ids": [ + "4688" + ], + "id": "687367a8-d423-cb00-4753-adfcbf3ef580", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1053.005", + "T1053" + ], + "title": "Suspicious Modification Of Scheduled Tasks" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.\n", + "event_ids": [ + "4688" + ], + "id": "9acd1f19-c194-7c55-3130-8479b170af87", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036" + ], + "title": 
"Suspicious Calculator Usage" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential web shell execution from the ScreenConnect server process.", + "event_ids": [ + "4688" + ], + "id": "e8e1c7ac-50e7-03e1-c3d6-e1192efc4260", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1190" + ], + "title": "Remote Access Tool - ScreenConnect Server Web Shell Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)\n", + "event_ids": [ + "4688" + ], + "id": "bc230d45-327b-2042-de48-73c5a52eb131", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1059" + ], + "title": "Add Insecure Download Source To Winget" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spawned by an \"svchost.exe\" process", + "event_ids": [ + "4688" + ], + "id": "f9884b6b-0ac3-139d-1ebe-a5587c9a51fd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.005", + "T1218" + ], + "title": "Potential LethalHTA Technique Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the clearing or configuration tampering of EventLog using utilities such as \"wevtutil\", \"powershell\" and \"wmic\".\nThis technique were seen used by threat actors and ransomware strains in order to evade defenses.\n", + "event_ids": [ + "4688" + ], + "id": "676111e7-0d6f-b5f4-e267-6399b5052fdc", + "level": "high", + "service": "", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070.001", + "T1562.002", + "car.2016-04-002", + "T1562", + "T1070" + ], + "title": "Suspicious Eventlog Clearing or Configuration Change Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious use of XORDump process memory dumping utility", + "event_ids": [ + "4688" + ], + "id": "e11f3d67-9772-748c-2a6a-e825964efe89", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "T1003.001", + "TA0006", + "T1003" + ], + "title": "HackTool - XORDump Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "event_ids": [ + "4688" + ], + "id": "45b0c0bb-7d7a-7e71-e757-cdd2508c0105", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1046" + ], + "title": "PUA - Nmap/Zenmap Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\n", + "event_ids": [ + "4688" + ], + "id": "b7987e8f-8f8a-20ea-821c-fa454516f624", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Malicious Windows Script Components File Execution by TAEF Detection" + }, + { + "category": "process_creation", + 
"channel": [ + "sec" + ], + "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", + "event_ids": [ + "4688" + ], + "id": "b2376187-e8e7-aeeb-fb7e-7636ad9dadc9", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1110.002", + "T1110" + ], + "title": "HackTool - Hashcat Password Cracker Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", + "event_ids": [ + "4688" + ], + "id": "850febcc-7dad-d3e9-05e3-1c69b3ba2db3", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Use of Pcalua For Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "event_ids": [ + "4688" + ], + "id": "d7156c2d-f3d8-5088-3d92-b5b7ee49cb65", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1546.002", + "T1546" + ], + "title": "Suspicious ScreenSave Change by Reg.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "event_ids": [ + "4688" + ], + "id": "0aae20f4-4b90-f3db-47a1-d0032e30ccfd", + "level": "medium", + "service": "", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1119" + ], + "title": "Recon Information for Export with Command Prompt" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.\n", + "event_ids": [ + "4688" + ], + "id": "5c3a9984-9934-58ca-15e5-cc96b8da7455", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1087" + ], + "title": "HackTool - SOAPHound Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the \"ms-appinstaller\" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE\nThe downloaded files are temporarly stored in \":\\Users\\%username%\\AppData\\Local\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\AC\\INetCache\\\"\n", + "event_ids": [ + "4688" + ], + "id": "04dd1706-97cc-c1bf-45db-6a9786736ab4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218" + ], + "title": "Potential File Download Via MS-AppInstaller Protocol Handler" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "event_ids": [ + "4688" + ], + "id": "ef92722b-fb96-33d7-d77b-f6770ac84d0f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1090.003", + "T1090" + ], + "title": "Tor Client/Browser Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects tools such as UACMe used to bypass UAC with 
computerdefaults.exe (UACMe 59)", + "event_ids": [ + "4688" + ], + "id": "f8836306-dba7-b71c-033f-6a42b39ae975", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "UAC Bypass Tools Using ComputerDefaults" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", + "event_ids": [ + "4688" + ], + "id": "a81ad1b6-b20d-14f9-7c3a-e41f81fd519f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "TA0002", + "T1615", + "T1059.005", + "T1059" + ], + "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Shadow Copies creation using operating systems utilities, possible credential access", + "event_ids": [ + "4688" + ], + "id": "1f2eb669-e0a1-6d98-cf43-82b1f083fb23", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003", + "T1003.002", + "T1003.003" + ], + "title": "Shadow Copies Creation Using Operating Systems Utilities" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", + "event_ids": [ + "4688" + ], + "id": "e394e239-a5c1-5879-edab-2c697795ff9e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Obfuscated IEX Invocation" + }, + { 
+ "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"odbcconf\" with \"INSTALLDRIVER\" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.", + "event_ids": [ + "4688" + ], + "id": "adc0be0e-1fd7-a7d2-38cd-74c936dcd78f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.008", + "T1218" + ], + "title": "Driver/DLL Installation Via Odbcconf.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of WMIC to query information on a remote system", + "event_ids": [ + "4688" + ], + "id": "55f4543b-1bd2-73c3-dbda-2fed3f373efa", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "WMIC Remote Command Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", + "event_ids": [ + "4688" + ], + "id": "2211d14a-9a4c-d937-2a25-6428d586be6c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218" + ], + "title": "Use Of The SFTP.EXE Binary As A LOLBIN" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect the use of processes with no name (\".exe\"), which can be used to evade Image-based detections.", + "event_ids": [ + "4688" + ], + "id": "ded5cb8d-2fb5-7bbb-b00c-0009dc64f546", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Process Launched Without Image Name" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "When configured with 
suitable command line arguments, w32tm can act as a delay mechanism", + "event_ids": [ + "4688" + ], + "id": "a2c55c02-a430-f460-3ee3-924318d48700", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1124" + ], + "title": "Use of W32tm as Timer" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects PowerShell execution to set the ACL of a file or a folder", + "event_ids": [ + "4688" + ], + "id": "ebd8be0a-94fe-a103-a2bd-e48cc9af988d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "PowerShell Script Change Permission Via Set-Acl" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", + "event_ids": [ + "4688" + ], + "id": "b9b053da-68a6-d372-9780-828406597122", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1047", + "T1220", + "TA0002", + "T1059.005", + "T1059.007", + "T1059" + ], + "title": "Potential SquiblyTwo Technique Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", + "event_ids": [ + "4688" + ], + "id": "06d1ba8b-f692-36bb-8b57-6c340c87d71b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0042", + "T1587.001", + "T1587" + ], + "title": "Potential PsExec Remote Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection 
capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "event_ids": [ + "4688" + ], + "id": "5f94c12e-15a0-28ec-cd81-8049ae6c625d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.002", + "T1562" + ], + "title": "Audit Policy Tampering Via Auditpol" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", + "event_ids": [ + "4688" + ], + "id": "6375eb27-4436-c582-1f6d-066ebfb78131", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.004", + "T1564" + ], + "title": "Execute From Alternate Data Streams" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. 
The rule limits the search to specific extensions and directories to avoid FPs\n", + "event_ids": [ + "4688" + ], + "id": "0cc20ab0-4c30-c947-6985-884817d59f4a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.001", + "T1564" + ], + "title": "Set Suspicious Files as System Files Using Attrib.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the deletion of all backups or system state backups via \"wbadmin.exe\".\nThis technique is used by numerous ransomware families and actors.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", + "event_ids": [ + "4688" + ], + "id": "ba8fde0b-93d2-2680-ea4d-b260729bf75e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1490" + ], + "title": "All Backups Deleted Via Wbadmin.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a potential command line flag anomaly related to \"regsvr32\" in which the \"/i\" flag is used without the \"/n\" which should be uncommon.", + "event_ids": [ + "4688" + ], + "id": "0b0db942-3c12-3469-b96f-420423d80dbb", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.010", + "T1218" + ], + "title": "Potential Regsvr32 Commandline Flag Anomaly" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", + "event_ids": [ + "4688" + ], + "id": "fb3e5ab0-ed05-d894-23b3-a28ca8b237ba", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1140", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "PowerShell Base64 
Encoded FromBase64String Cmdlet" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", + "event_ids": [ + "4688" + ], + "id": "aab62ba9-1795-b6b5-47f8-75e49b89b59d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Dism Remove Online Package" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of the \"net.exe\" command to start a service using the \"start\" flag", + "event_ids": [ + "4688" + ], + "id": "1bd2b1a4-7ec2-8aac-b8fa-fa17526df88a", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1569.002", + "T1569" + ], + "title": "Start Windows Service Via Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.\nThe free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.\nThe tool has been observed in use by threat groups including Akira ransomware.\n", + "event_ids": [ + "4688" + ], + "id": "b3e6207b-ca8e-5b69-8194-cd66e4bdfc3e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1090.001", + "T1090" + ], + "title": "Cloudflared Quick Tunnel Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", + "event_ids": [ + "4688" + ], + "id": "fc5c47f8-9b56-8d98-de6d-cd2b31c648f1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious Encoded PowerShell Command Line" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", + "event_ids": [ + "4688" + ], + "id": "bc5cba6d-bdf9-70db-83d3-ffea696528e5", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027" + ], + "title": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential process patterns related to Cobalt Strike beacon activity", + "event_ids": [ + "4688" + ], + "id": "c78a9b49-3e9d-b00c-9e65-90d9f30bbe50", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Potential CobaltStrike Process Patterns" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"aspnet_compiler.exe\" which can be abused to compile and execute C# code.", + "event_ids": [ + "4688" + ], + "id": "e20075e6-6784-9276-2205-4f452684a4cc", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1127" + ], + "title": "AspNetCompiler Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects using WorkFolders.exe to execute an 
arbitrary control.exe", + "event_ids": [ + "4688" + ], + "id": "f57976f9-310f-c36f-c17a-0efb253e7f94", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Execution via WorkFolders.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\nThe DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", + "event_ids": [ + "4688" + ], + "id": "15f30e45-8a75-9af7-3703-c6af70b3d9f5", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "DSInternals Suspicious PowerShell Cmdlets" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. 
This technique is often times used by malware or attackers as a destructive way before launching ransomware.", + "event_ids": [ + "4688" + ], + "id": "2660fe06-fcf6-19f2-3233-b50236d5ff13", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1490" + ], + "title": "Boot Configuration Tampering Via Bcdedit.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", + "event_ids": [ + "4688" + ], + "id": "145ace9e-159a-7105-5f01-b8880c351067", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "Service Reconnaissance Via Wmic.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an uncommon child process of \"odbcconf.exe\" binary which normally shouldn't have any child processes.", + "event_ids": [ + "4688" + ], + "id": "e05fd36e-2242-ac32-2c73-8e345a62cc85", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.008", + "T1218" + ], + "title": "Uncommon Child Process Spawned By Odbcconf.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "event_ids": [ + "4688" + ], + "id": 
"e57cc75a-d93a-26d1-615c-9a093649f70a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Disabled IE Security Features" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools", + "event_ids": [ + "4688" + ], + "id": "a42438c9-7c08-7a7e-2791-43440efb6047", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0042", + "T1588.002", + "T1588" + ], + "title": "Potential Execution of Sysinternals Tools" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "event_ids": [ + "4688" + ], + "id": "378bed70-399f-408f-0667-aa91c755a606", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Wscript Shell Run In CommandLine" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag", + "event_ids": [ + "4688" + ], + "id": "33f733e0-fb92-860f-da22-47ee0186c951", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1033", + "car.2016-03-001" + ], + "title": "Enumerate All Information With Whoami.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection.\nThis rule looks for the execution of binaries that are named similarly to Sysinternals tools.\nAdversary may 
rename their malicious tools as legitimate Sysinternals tools to evade detection.\n", + "event_ids": [ + "4688" + ], + "id": "31a31ff3-32c0-0f43-bbec-b089825d4c52", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1218", + "T1202", + "T1036.005", + "T1036" + ], + "title": "Potential Binary Impersonating Sysinternals Tools" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "event_ids": [ + "4688" + ], + "id": "af675749-89e4-ecbe-08aa-846a61be3500", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1016" + ], + "title": "Firewall Configuration Discovery Via Netsh.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. 
log4j exploitation)", + "event_ids": [ + "4688" + ], + "id": "15e3c45c-06b7-5da5-4bc0-66cf00fcc185", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "TA0003", + "TA0004" + ], + "title": "Shell Process Spawned by Java.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", + "event_ids": [ + "4688" + ], + "id": "3acb1e73-2bdc-efdf-3865-3967cf6ce445", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "T1216" + ], + "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", + "event_ids": [ + "4688" + ], + "id": "a69dee50-f5d1-178f-3794-9e06d089fc93", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "T1048" + ], + "title": "Suspicious Redirection to Local Admin Share" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)", + "event_ids": [ + "4688" + ], + "id": "7516a7b1-84de-fe17-e375-6395aa84f270", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "TA0001", + "T1047", + "T1059.001", + "T1059.003", + "T1059.005", + "T1059.007", + "T1218", + "T1218.001", + "T1218.010", + "T1218.011", + "T1566", + "T1566.001", + "T1059" + ], + "title": "Suspicious HH.EXE Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the 
import of the specified file to the registry with regedit.exe.", + "event_ids": [ + "4688" + ], + "id": "1ff691f3-1574-b038-89dd-518a27855b80", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1112", + "TA0005" + ], + "title": "Imports Registry Key From a File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", + "event_ids": [ + "4688" + ], + "id": "a649199e-56ae-51bf-53e5-69e87b06e563", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1106", + "T1059.003", + "T1218.011", + "T1059", + "T1218" + ], + "title": "HackTool - RedMimicry Winnti Playbook Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", + "event_ids": [ + "4688" + ], + "id": "310bf792-4e0d-b9ba-7dea-7512f8953921", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Enable LM Hash Storage - ProcCreation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.", + "event_ids": [ + "4688" + ], + "id": "faa3b493-02b2-9e9c-3d74-8a59a0205e5d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1202", + "TA0005", + "T1218" + ], 
+ "title": "Potentially Suspicious Child Processes Spawned by ConHost"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of whoami.exe with suspicious parent processes.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "5a52bc92-7713-3fca-6d54-f03845a88c47",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0007",
+ "T1033",
+ "car.2016-03-001"
+ ],
+ "title": "Whoami.EXE Execution Anomaly"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "555c9e0e-bd1c-accd-f824-11a77ca76819",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1564.004",
+ "T1564"
+ ],
+ "title": "Suspicious Diantz Alternate Data Stream Execution"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "f94fdc78-2a2f-b107-8abe-c68c288a8e0c",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "TA0005",
+ "T1059",
+ "T1202"
+ ],
+ "title": "Suspicious Remote Child Process From Outlook"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects execution of \"odbcconf\" with the \"REGSVR\" action where the DLL in question doesn't contain a \".dll\" extension. 
Which is often used as a method to evade defenses.", + "event_ids": [ + "4688" + ], + "id": "953dba36-324e-646a-d6e5-ef62aedd2205", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.008", + "T1218" + ], + "title": "Potentially Suspicious DLL Registered Via Odbcconf.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system\n", + "event_ids": [ + "4688" + ], + "id": "9ee3416d-660e-2be4-06ed-73f1dce70009", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0007", + "T1505.003", + "T1018", + "T1033", + "T1087", + "T1505" + ], + "title": "Webshell Hacking Activity Patterns" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Identifies use of Fodhelper.exe to bypass User Account Control. 
Adversaries use this technique to execute privileged processes.", + "event_ids": [ + "4688" + ], + "id": "274285c4-15a3-9ee1-1a76-fa05fa2b17e1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1548.002", + "T1548" + ], + "title": "Bypass UAC via Fodhelper.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child processes of the \"Manage Engine ServiceDesk Plus\" Java web service", + "event_ids": [ + "4688" + ], + "id": "fa8c67ae-ace2-9a11-43d7-c5b5954ce489", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1102" + ], + "title": "Suspicious Child Process Of Manage Engine ServiceDesk" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "event_ids": [ + "4688" + ], + "id": "d6a5fc1c-e0e9-bcc2-daed-22823802b707", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.004", + "T1564" + ], + "title": "Run PowerShell Script from ADS" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious and uncommon child processes of WmiPrvSE", + "event_ids": [ + "4688" + ], + "id": "19090407-d63d-5d05-f03e-f254980d972c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1047", + "T1204.002", + "T1218.010", + "T1204", + "T1218" + ], + "title": "Suspicious WmiPrvSE Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable 
file in spear phishing campaigns", + "event_ids": [ + "4688" + ], + "id": "452b2159-5e6e-c494-63b9-b385d6195f58", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1566.001", + "T1566" + ], + "title": "Suspicious Double Extension File Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", + "event_ids": [ + "4688" + ], + "id": "9a2d19cf-4378-c7a2-7a77-b268c7875c7c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1218" + ], + "title": "MpiExec Lolbin" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)\n", + "event_ids": [ + "4688" + ], + "id": "40508368-741e-4fc4-bc48-e76128b330d2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "File Download Using ProtocolHandler.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential sideloading of \"mpclient.dll\" by Windows Defender processes (\"MpCmdRun\" and \"NisSrv\") from their non-default directory.", + "event_ids": [ + "4688" + ], + "id": "11009f2c-2e92-f0a7-40e3-76f389110133", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1574.001", + "T1574" + ], + "title": "Potential Mpclient.DLL Sideloading Via Defender Binaries" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + 
"description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", + "event_ids": [ + "4688" + ], + "id": "9b9bf6cd-1e4c-25a1-5857-4e6793b53d32", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Potential AMSI Bypass Using NULL Bits" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects changes to environment variables related to ETW logging via the CommandLine.\nThis could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.\n", + "event_ids": [ + "4688" + ], + "id": "2d61b1f3-942f-cd54-c470-efc9dad10255", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562" + ], + "title": "ETW Logging Tamper In .NET Processes Via CommandLine" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", + "event_ids": [ + "4688" + ], + "id": "8d0b4349-4a33-f9c1-b911-e922e9ed2f63", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0008" + ], + "title": "HackTool - Wmiexec Default Powershell Command" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "event_ids": [ + "4688" + ], + "id": "c9722d26-25e3-6e45-3950-85182a7a1b35", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003" + ], + "title": "Microsoft IIS Connection Strings Decryption" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", + "event_ids": [ + "4688" + ], + "id": "c03c42ba-1e4e-45c3-c0ba-c8d38b077ee7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1027", + "TA0005", + "TA0002", + "T1140", + "T1059.001", + "T1059" + ], + "title": "Base64 Encoded PowerShell Command Detected" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"reg.exe\" to disable security services such as Windows Defender.", + "event_ids": [ + "4688" + ], + "id": "8ba4f215-e4a8-8858-ae46-4785a18094c6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Security Service Disabled Via Reg.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.\nAttackers could instantiate an instance of \"wusa.exe\" in order to bypass User Account Control (UAC). 
They can duplicate the access token from \"wusa.exe\" to gain elevated privileges.\n", + "event_ids": [ + "4688" + ], + "id": "12bc26c7-41c4-101d-3d26-8419d0725870", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "Wusa.EXE Executed By Parent Process Located In Suspicious Location" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "event_ids": [ + "4688" + ], + "id": "2c256f43-053a-3f93-b183-27b3a5d312ed", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "UAC Bypass Using DismHost" + }, + { + "category": "registry_add", + "channel": [ + "sec" + ], + "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool)", + "event_ids": [ + "4657" + ], + "id": "6a724c01-e3a5-3f08-0a26-a25aab47a2d1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0042", + "T1588.002", + "T1588" + ], + "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry" + }, + { + "category": "registry_add", + "channel": [ + "sec" + ], + "description": "Detects creation of \"UserInitMprLogonScript\" registry value which can be used as a persistence method by malicious actors", + "event_ids": [ + "4657" + ], + "id": "c6a4d8a3-8e7d-30b4-a6f0-aee8a87463bf", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1037.001", + "TA0003", + "TA0008", + "T1037" + ], + "title": "Potential Persistence Via Logon Scripts - Registry" + }, + { + "category": "registry_add", + "channel": [ + "sec" + ], + "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", + "event_ids": [ + "4657" + ], + "id": "d8884952-23ce-8a65-d998-cb775a119c95", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Potential Persistence Via New AMSI Providers - Registry" + }, + { + "category": "registry_add", + "channel": [ + "sec" + ], + "description": "Detects the execution of a Sysinternals Tool via the creation of the \"accepteula\" registry key", + "event_ids": [ + "4657" + ], + "id": "08427b1c-3ceb-9aa5-7d8d-84dfc1531fb8", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0042", + "T1588.002", + "T1588" + ], + "title": "PUA - Sysinternal Tool Execution - Registry" + }, + { + "category": "registry_add", + "channel": [ + "sec" + ], + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve 
persistence.\nThe disk cleanup manager is part of the operating system. It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "event_ids": [ + "4657" + ], + "id": "e3adf6e1-6fbf-d4fe-ee8f-a000db6d64c8", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Potential Persistence Via Disk Cleanup Handler - Registry" + }, + { + "category": "registry_add", + "channel": [ + "sec" + ], + "description": "Detects COM object hijacking via TreatAs subkey", + "event_ids": [ + "4657" + ], + "id": "6b4b0ded-e40c-4d49-68f0-b78339d9587e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.015", + "T1546" + ], + "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry" + }, + { + "category": "registry_add", + "channel": [ + "sec" + ], + "description": "Detects registry keys related to NetWire RAT", + "event_ids": [ + "4657" + ], + "id": "61bb2824-c37f-f432-0767-9a80d45583aa", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Potential NetWire RAT Activity - Registry" + }, + { + "category": "registry_add", + "channel": [ + "sec" + ], + "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. 
(part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", + "event_ids": [ + "4657" + ], + "id": "cab7e60f-55aa-b72e-1943-4d3980028a43", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0042", + "T1588.002", + "T1588" + ], + "title": "PUA - Sysinternals Tools Execution - Registry" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", + "event_ids": [ + "4657" + ], + "id": "0a77c311-af5b-b0e4-4d1d-e87ede81b2c7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0042", + "T1608" + ], + "title": "HybridConnectionManager Service Installation - Registry" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", + "event_ids": [ + "4657" + ], + "id": "b1bd0320-da55-2715-927f-f70a3cb846fa", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1546.001", + "T1546", + "T1548" + ], + "title": "Shell Open Registry Keys Manipulation" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", + "event_ids": [ + "4657" + ], + "id": "930cd1b8-c592-1982-65c9-cf7fecc0adf7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0005", + "TA0011", + "T1090" + ], + "title": "New PortProxy Registry Entry Added" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", + "event_ids": [ + "4657" + ], + "id": "60c241e3-567b-86bb-ae42-0e0b650b51ec", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Wdigest CredGuard Registry Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects enabling of the \"AllowAnonymousCallback\" registry value, which allows a remote connection between computers that do not have a trust relationship.", + "event_ids": [ + "4657" + ], + "id": "153b0ce0-9f0b-f10f-7d6e-3a23dea83494", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Enable Remote Connection 
Between Anonymous Computer - AllowAnonymousCallback" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", + "event_ids": [ + "4657" + ], + "id": "0af15a7d-56b4-6742-50d9-011df5f8449e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.009", + "T1546" + ], + "title": "New DLL Added to AppCertDlls Registry Key" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", + "event_ids": [ + "4657" + ], + "id": "3b19eda3-3430-8cdc-686c-e0d94a32427d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1137.002", + "T1137" + ], + "title": "Office Application Startup - Office Test" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", + "event_ids": [ + "4657" + ], + "id": "5e3a86ef-f4fb-dd10-9bc7-e7c2d0a15e70", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.010", + "T1546" + ], + "title": "New DLL Added to AppInit_DLLs Registry Key" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects the addition of a key 'MiniNt' to the registry. 
Upon a reboot, Windows Event Log service will stop writing events.", + "event_ids": [ + "4657" + ], + "id": "36ef53bd-ce38-b8b6-b163-c7ff42107ecb", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.002", + "T1112", + "car.2022-03-001", + "T1562" + ], + "title": "Disable Security Events Logging Adding Reg Key MiniNt" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", + "event_ids": [ + "4657" + ], + "id": "f81b1344-1639-27dc-c1e1-577c4e6c8e19", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "Suspicious Run Key from Download" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", + "event_ids": [ + "4657" + ], + "id": "c42f7ed2-10ea-21b4-bcc5-6978cbf4ca0d", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", + "event_ids": [ + "4657" + ], + "id": "f6fed793-a359-2cae-0383-6ec6a9aee77b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.002", + "T1003" + ], + "title": "Esentutl Volume Shadow Copy Service Keys" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "event_ids": [ + "4657" + ], + "id": "255a8d48-2f51-b8e1-ed5c-4063555a7569", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0003", + "T1546.008", + "car.2014-11-003", + "car.2014-11-008", + "T1546" + ], + "title": "Sticky Key Like Backdoor Usage - Registry" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Rule to detect the configuration of Run Once registry key. 
Configured payload can be run by runonce.exe /AlternateShellStartup", + "event_ids": [ + "4657" + ], + "id": "f00c4059-0241-7fee-4186-e8d0b5741cba", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Run Once Task Configuration in Registry" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects the presence of a registry key created during Azorult execution", + "event_ids": [ + "12", + "13", + "4657" + ], + "id": "46595663-e666-c413-ccf4-028a618ca712", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0002", + "T1112" + ], + "title": "Registry Entries For Azorult Malware" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects NetNTLM downgrade attack", + "event_ids": [ + "4657" + ], + "id": "3387665f-9c44-56db-5cb9-a35e48689376", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1112", + "T1562" + ], + "title": "NetNTLM Downgrade Attack - Registry" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", + "event_ids": [ + "4657" + ], + "id": "52da4b83-76bb-1c03-3d3d-d2767a05c186", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Potential Qakbot Registry Activity" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects Pandemic Windows Implant", + "event_ids": [ + "4657" + ], + "id": "a36fab91-8874-79c8-32cb-b2a0117d5a0b", + "level": "critical", + "service": "", + "subcategory_guids": [ + 
"0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Pandemic Registry Key" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects persistence registry keys for Recycle Bin", + "event_ids": [ + "4657" + ], + "id": "1617c214-9562-4819-58cd-ffa7929cf167", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547" + ], + "title": "Registry Persistence Mechanisms in Recycle Bin" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects the use of Windows Credential Editor (WCE)", + "event_ids": [ + "4657" + ], + "id": "092a900e-c6b2-7064-f7b5-699f1b3be49d", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "attack.s0005", + "T1003" + ], + "title": "Windows Credential Editor Registry" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", + "event_ids": [ + "4657" + ], + "id": "95ca0984-3622-ee0b-d0b7-4bf861f58030", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "UAC Bypass Via Wsreset" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Alerts on trust record modification within the registry, indicating usage of macros", + "event_ids": [ + "4657" + ], + "id": "b2a0af70-a308-0185-6128-c2e37db1ebf2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1566.001", + "T1566" + ], + "title": "Windows Registry Trust Record Modification" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "event_ids": [ + "4657" + ], + "id": "33feb9a9-afd4-3403-46c9-13a7b4a62b80", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204", + "cve.2021-1675", + "cve.2021-34527" + ], + "title": "PrinterNightmare Mimikatz Driver Name" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "event_ids": [ + "4657" + ], + "id": "f90321bd-3a7e-2f0a-220f-49096e6b8ef5", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "T1547.008", + "T1547" + ], + "title": "DLL Load via LSASS" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Sysmon registry detection of a local hidden user account.", + "event_ids": [ + "4657" + ], + "id": 
"447c311d-5d73-52c3-d10c-a1205258cf04", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1136.001", + "T1136" + ], + "title": "Creation of a Local Hidden User Account by Registry" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", + "event_ids": [ + "4657" + ], + "id": "5c5490c6-68eb-786c-e6b0-12374dce833f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "TA0003", + "T1547" + ], + "title": "Atbroker Registry Change" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", + "event_ids": [ + "4657" + ], + "id": "e45e543e-8d13-302c-2825-398896bd0bf8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "Narrator's Feedback-Hub Persistence" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", + "event_ids": [ + "4657" + ], + "id": "c28049f8-7766-14aa-616f-a8628ee679bd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547" + ], + "title": "WINEKEY Registry Modification" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.\nThis is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity 
level,\nallowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.\n",
+ "event_ids": [
+ "4657"
+ ],
+ "id": "4162459b-68e6-524b-ec5a-48ed032b96cd",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "Windows Defender Threat Severity Default Action Modified"
+ },
+ {
+ "category": "registry_event",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects Processes accessing the camera and microphone from suspicious folder",
+ "event_ids": [
+ "4657"
+ ],
+ "id": "139f52db-35af-c5f8-bbf8-22a2094dfea6",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0009",
+ "T1125",
+ "T1123"
+ ],
+ "title": "Suspicious Camera and Microphone Access"
 },
 {
 "category": "registry_event",
@@ -31988,11 +33557,11 @@
 "channel": [
 "sec"
 ],
- "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started",
+ "description": "Detects value modification of registry key containing path to binary used as screensaver.",
 "event_ids": [
 "4657"
 ],
- "id": "3b19eda3-3430-8cdc-686c-e0d94a32427d",
+ "id": "f5a1f729-ff8c-577e-2d33-a209e00bf7f3",
 "level": "medium",
 "service": "",
 "subcategory_guids": [
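Review bot: The screensaver entry written over the old Office Test entry keeps only the tactic tag `"TA0003"` in this hunk's context, while the Office-specific technique tags (`"T1137.002"`, `"T1137"`) are dropped in the following hunk; every other entry in this file pairs a tactic with a technique ID (the AppCertDlls entry, for example, carries `"TA0003", "T1546.009", "T1546"`). Unless the remainder of the tags array, which lies outside this hunk, already adds them, the new entry should carry `"T1546.002"` and `"T1546"` (Event Triggered Execution: Screensaver) so it can be pivoted on by technique like its neighbours. Rewriting `id` and `description` in place is a move rather than a loss — the Office Test rule `3b19eda3-3430-8cdc-686c-e0d94a32427d` is re-added earlier in this commit — but nothing in the diff establishes that `f5a1f729-ff8c-577e-2d33-a209e00bf7f3` is unique among the existing entries, so that is worth checking before merge. The enclosing object starts and ends outside this hunk.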
@@ -32000,344 +33569,11 @@ ], "tags": [ "TA0003", - "T1137.002", - "T1137" - ], - "title": "Office Application Startup - Office Test" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects the presence of a registry key created during Azorult execution", - "event_ids": [ - "12", - "13", - "4657" - ], - "id": "46595663-e666-c413-ccf4-028a618ca712", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0002", - "T1112" - ], - "title": "Registry Entries For Azorult Malware" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", - "event_ids": [ - "4657" - ], - "id": "f6fed793-a359-2cae-0383-6ec6a9aee77b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.002", - "T1003" - ], - "title": "Esentutl Volume Shadow Copy Service Keys" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", - "event_ids": [ - "4657" - ], - "id": "e45e543e-8d13-302c-2825-398896bd0bf8", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "Narrator's Feedback-Hub Persistence" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", - "event_ids": [ - "4657" - ], - 
"id": "0af15a7d-56b4-6742-50d9-011df5f8449e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.009", + "TA0004", + "T1546.002", "T1546" ], - "title": "New DLL Added to AppCertDlls Registry Key" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", - "event_ids": [ - "4657" - ], - "id": "930cd1b8-c592-1982-65c9-cf7fecc0adf7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "TA0005", - "TA0011", - "T1090" - ], - "title": "New PortProxy Registry Entry Added" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Alerts on trust record modification within the registry, indicating usage of macros", - "event_ids": [ - "4657" - ], - "id": "b2a0af70-a308-0185-6128-c2e37db1ebf2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "T1566.001", - "T1566" - ], - "title": "Windows Registry Trust Record Modification" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", - "event_ids": [ - "4657" - ], - "id": "c28049f8-7766-14aa-616f-a8628ee679bd", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547" - ], - "title": "WINEKEY Registry Modification" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", - "event_ids": [ - "4657" - ], - "id": "c42f7ed2-10ea-21b4-bcc5-6978cbf4ca0d", - "level": "critical", - "service": 
"", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.001", - "T1003" - ], - "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup", - "event_ids": [ - "4657" - ], - "id": "f00c4059-0241-7fee-4186-e8d0b5741cba", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Run Once Task Configuration in Registry" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", - "event_ids": [ - "4657" - ], - "id": "f81b1344-1639-27dc-c1e1-577c4e6c8e19", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "Suspicious Run Key from Download" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects Processes accessing the camera and microphone from suspicious folder", - "event_ids": [ - "4657" - ], - "id": "139f52db-35af-c5f8-bbf8-22a2094dfea6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1125", - "T1123" - ], - "title": "Suspicious Camera and Microphone Access" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects Pandemic Windows Implant", - "event_ids": [ - "4657" - ], - "id": "a36fab91-8874-79c8-32cb-b2a0117d5a0b", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - 
"T1105" - ], - "title": "Pandemic Registry Key" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.", - "event_ids": [ - "4657" - ], - "id": "95ca0984-3622-ee0b-d0b7-4bf861f58030", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "T1548" - ], - "title": "UAC Bypass Via Wsreset" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", - "event_ids": [ - "4657" - ], - "id": "a2b70475-be0a-993d-b01f-8ecf4bbd7576", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.005", - "T1547" - ], - "title": "Security Support Provider (SSP) Added to LSA Configuration" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", - "event_ids": [ - "4657" - ], - "id": "b1bd0320-da55-2715-927f-f70a3cb846fa", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "T1546.001", - "T1548", - "T1546" - ], - "title": "Shell Open Registry Keys Manipulation" + "title": "Path To Screensaver Binary Modified" }, { "category": "registry_event", 
@@ -32365,190 +33601,11 @@ "channel": [ "sec" ], - "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "event_ids": [ "4657" ], - "id": "52da4b83-76bb-1c03-3d3d-d2767a05c186", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Potential Qakbot Registry Activity" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects NetNTLM downgrade attack", - "event_ids": [ - "4657" - ], - "id": "3387665f-9c44-56db-5cb9-a35e48689376", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1112", - "T1562" - ], - "title": "NetNTLM Downgrade Attack - Registry" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects the addition of a key 'MiniNt' to the registry. 
Upon a reboot, Windows Event Log service will stop writing events.", - "event_ids": [ - "4657" - ], - "id": "36ef53bd-ce38-b8b6-b163-c7ff42107ecb", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.002", - "T1112", - "car.2022-03-001", - "T1562" - ], - "title": "Disable Security Events Logging Adding Reg Key MiniNt" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects enabling of the \"AllowAnonymousCallback\" registry value, which allows a remote connection between computers that do not have a trust relationship.", - "event_ids": [ - "4657" - ], - "id": "153b0ce0-9f0b-f10f-7d6e-3a23dea83494", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", - "event_ids": [ - "4657" - ], - "id": "33feb9a9-afd4-3403-46c9-13a7b4a62b80", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1204", - "cve.2021-1675", - "cve.2021-34527" - ], - "title": "PrinterNightmare Mimikatz Driver Name" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Sysmon registry detection of a local hidden user account.", - "event_ids": [ - "4657" - ], - "id": "447c311d-5d73-52c3-d10c-a1205258cf04", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1136.001", - "T1136" - ], - "title": "Creation of a Local Hidden User Account by Registry" - }, - { - "category": "registry_event", 
- "channel": [ - "sec" - ], - "description": "Detects value modification of registry key containing path to binary used as screensaver.", - "event_ids": [ - "4657" - ], - "id": "f5a1f729-ff8c-577e-2d33-a209e00bf7f3", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0004", - "T1546.002", - "T1546" - ], - "title": "Path To Screensaver Binary Modified" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", - "event_ids": [ - "4657" - ], - "id": "0a77c311-af5b-b0e4-4d1d-e87ede81b2c7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0042", - "T1608" - ], - "title": "HybridConnectionManager Service Installation - Registry" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects persistence registry keys for Recycle Bin", - "event_ids": [ - "4657" - ], - "id": "1617c214-9562-4819-58cd-ffa7929cf167", + "id": "a2b70475-be0a-993d-b01f-8ecf4bbd7576", "level": "high", "service": "", "subcategory_guids": [ 
@@ -32556,1098 +33613,10 @@ ], "tags": [ "TA0003", + "T1547.005", "T1547" ], - "title": "Registry Persistence Mechanisms in Recycle Bin" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", - "event_ids": [ - "4657" - ], - "id": "f90321bd-3a7e-2f0a-220f-49096e6b8ef5", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003", - "T1547.008", - "T1547" - ], - "title": "DLL Load via LSASS" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", - "event_ids": [ - "4657" - ], - "id": "5e3a86ef-f4fb-dd10-9bc7-e7c2d0a15e70", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.010", - "T1546" - ], - "title": "New DLL Added to AppInit_DLLs Registry Key" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.\nThis is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,\nallowing malicious software to run unimpeded. 
An attacker might use this technique to bypass defenses before executing payloads.\n", - "event_ids": [ - "4657" - ], - "id": "4162459b-68e6-524b-ec5a-48ed032b96cd", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Windows Defender Threat Severity Default Action Modified" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", - "event_ids": [ - "4657" - ], - "id": "5c5490c6-68eb-786c-e6b0-12374dce833f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "TA0003", - "T1547" - ], - "title": "Atbroker Registry Change" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects the use of Windows Credential Editor (WCE)", - "event_ids": [ - "4657" - ], - "id": "092a900e-c6b2-7064-f7b5-699f1b3be49d", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.001", - "attack.s0005", - "T1003" - ], - "title": "Windows Credential Editor Registry" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", - "event_ids": [ - "4657" - ], - "id": "60c241e3-567b-86bb-ae42-0e0b650b51ec", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Wdigest CredGuard Registry Modification" - }, - { - "category": 
"registry_event", - "channel": [ - "sec" - ], - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "event_ids": [ - "4657" - ], - "id": "255a8d48-2f51-b8e1-ed5c-4063555a7569", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0003", - "T1546.008", - "car.2014-11-003", - "car.2014-11-008", - "T1546" - ], - "title": "Sticky Key Like Backdoor Usage - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.", - "event_ids": [ - "4657" - ], - "id": "b8f4d6cb-7db9-474a-2da3-8465b2f9b699", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Microsoft Office Protected View Disabled" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects registry modifications that disable Privacy Settings Experience", - "event_ids": [ - "4657" - ], - "id": "6728497e-f64d-54b9-cebf-4f2234da439a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Disable Privacy Settings Experience in Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n", - "event_ids": [ - "4657" - ], - "id": "debedc1b-8c7d-7257-67d1-a047bde616a4", - "level": "medium", - "service": "", - "subcategory_guids": [ - 
"0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003", - "T1112" - ], - "title": "RDP Sensitive Settings Changed to Zero" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the registration of a new ODBC driver.", - "event_ids": [ - "4657" - ], - "id": "f3d16bf4-2de2-b0e3-b8dc-37b2ca82c1cf", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "New ODBC Driver Registered" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", - "event_ids": [ - "4657" - ], - "id": "a6f5fcfd-58a6-fb93-b548-3772adf366b9", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "Potential Persistence Via MyComputer Registry Keys" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Hides the file extension through modification of the registry", - "event_ids": [ - "4657" - ], - "id": "88665d21-f330-6799-62f0-724746a160d7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1137" - ], - "title": "Registry Modification to Hidden File Extension" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", - "event_ids": [ - "4657" - ], - "id": "7f5a4070-c4d2-ba36-ab1f-378da90ddf45", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Windows 
Defender Service Disabled - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect set EnableFirewall to 0 to disable the Windows firewall", - "event_ids": [ - "4657" - ], - "id": "d84ec9a7-296b-e4d1-d97c-daa11eee226b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.004", - "T1562" - ], - "title": "Disable Windows Firewall by Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", - "event_ids": [ - "4657" - ], - "id": "42144fcb-9adc-b4dc-e024-4bdf3311c757", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Sysmon Driver Altitude Change" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. 
This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.\n", - "event_ids": [ - "4657" - ], - "id": "b6f9cd8c-4abc-cbc8-159c-654b64f77695", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects UAC bypass method using Windows event viewer", - "event_ids": [ - "4657" - ], - "id": "dee5910c-4bd3-fb48-fdbf-2d813d23aefb", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "car.2019-04-001", - "T1548" - ], - "title": "UAC Bypass via Event Viewer" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", - "event_ids": [ - "4657" - ], - "id": "ac9276b0-7220-7600-35b6-e24d01034d45", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "Potential Persistence Via Mpnotify" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "event_ids": [ - "4657" - ], - "id": "e2bf2ad9-465c-3b63-7970-fd222ffa3708", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "CurrentVersion NT Autorun Keys Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the \"Enabled\" value being set to 0 in order to disable the Hypervisor Enforced 
Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel\n", - "event_ids": [ - "4657" - ], - "id": "3b708c9b-48bd-96e8-a680-84e819fcd228", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Hypervisor Enforced Code Integrity Disabled" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.\nClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.\nThrough the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,\nsuch as one-liners that execute remotely hosted malicious files or scripts.\n", - "event_ids": [ - "4657" - ], - "id": "00d744c2-1966-dcdc-2c72-3a12d7b5fd2d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1204.001", - "T1204" - ], - "title": "Potential ClickFix Execution Pattern - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "event_ids": [ - "4657" - ], - "id": "a4cae50c-cac3-7292-659e-cf9ca88c8ba8", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "Classes Autorun Keys Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the setting of the environement variable \"windir\" to a non default value.\nAttackers often abuse this variable in order to trigger a UAC bypass via the \"SilentCleanup\" 
task.\nThe SilentCleanup task located in %windir%\\system32\\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.\n", - "event_ids": [ - "4657" - ], - "id": "b9c795cf-be1f-5020-c75e-f51c56483739", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0005", - "T1548.002", - "T1548" - ], - "title": "Bypass UAC Using SilentCleanup Task" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", - "event_ids": [ - "4657" - ], - "id": "dcbfe53c-e933-cfb7-d9ce-8f03726f9637", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1491.001", - "T1491" - ], - "title": "Potential Ransomware Activity Using LegalNotice Message" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the installation of a new shim database where the file is located in a non-default location", - "event_ids": [ - "4657" - ], - "id": "658b7369-eb29-2ab2-5a37-830bffa14b06", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.011", - "T1546" - ], - "title": "Potential Persistence Via Shim Database In Uncommon Location" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", - "event_ids": [ - "4657" - ], - "id": "48421345-c746-0b27-ad78-2d4de6169565", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Disable Macro 
Runtime Scan Scope" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.", - "event_ids": [ - "4657" - ], - "id": "d3c2b07c-075b-b06e-926a-3c74236f7b42", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.015", - "T1546" - ], - "title": "Potential PSFactoryBuffer COM Hijacking" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the \"UACDisableNotify\" value.\nUAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.\nWhen \"UACDisableNotify\" is set to 1, UAC prompts are suppressed.\n", - "event_ids": [ - "4657" - ], - "id": "4936b46c-badc-cb8a-54d4-3d0b9502aa8a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0005", - "T1548.002", - "T1548" - ], - "title": "UAC Notification Disabled" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", - "event_ids": [ - "4657" - ], - "id": "55790e96-f1bd-5804-59c2-7cd806625025", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0042", - "T1588.002", - "T1588" - ], - "title": "Usage of Renamed Sysinternals Tools - RegistrySet" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": 
"Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", - "event_ids": [ - "4657" - ], - "id": "e0f39f6d-5bc7-83ca-9a1f-4e67316af212", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "Potential Persistence Via TypedPaths" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", - "event_ids": [ - "4657" - ], - "id": "5631054a-458c-6998-d637-e2d4f239ed07", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1137.006", - "T1137" - ], - "title": "Potential Persistence Via Excel Add-in - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", - "event_ids": [ - "4657" - ], - "id": "96a90fb0-3747-35a8-d9c5-dcc7d373c57c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Change User Account Associated with the FAX Service" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the enabling of the PowerShell script execution policy. 
Once enabled, this policy allows scripts to be executed.", - "event_ids": [ - "4657" - ], - "id": "b0ac9712-6658-cdfd-92d7-8aa07fcdf31c", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002" - ], - "title": "PowerShell Script Execution Policy Enabled" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "event_ids": [ - "4657" - ], - "id": "b845b5d0-c25c-d832-f891-58b8224599ee", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112", - "T1562" - ], - "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\nBefore doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. 
This registry key should store a value named \"Ime File\" with a DLL path.\nIMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.\n", - "event_ids": [ - "4657" - ], - "id": "dacb1ee4-05cc-995a-adee-964a19774888", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Uncommon Extension In Keyboard Layout IME File Registry Value" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", - "event_ids": [ - "4657" - ], - "id": "fbab75d9-3bd2-3705-4511-3e0cf5a10fe4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Potential Attachment Manager Settings Attachments Tamper" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential persistence behavior using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", - "event_ids": [ - "4657" - ], - "id": "e4a5e8fc-9e86-a5c9-b9f4-41288262dd40", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1053.005", - "T1053" - ], - "title": "Potential Registry Persistence Attempt Via Windows Telemetry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect modification of TreatAs key to enable 
\"rundll32.exe -sta\" command", - "event_ids": [ - "4657" - ], - "id": "0a89f91f-0278-2cf2-d4ad-c958bc125ad3", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.015", - "T1546" - ], - "title": "COM Hijacking via TreatAs" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)", - "event_ids": [ - "4657" - ], - "id": "2c7799c7-bf70-0033-f2e0-e2ae59d4385b", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112", - "T1562" - ], - "title": "ETW Logging Disabled For SCM" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "event_ids": [ - "4657" - ], - "id": "94a78414-5302-4e88-7c59-1d5d0de11a5f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "CurrentControlSet Autorun Keys Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", - "event_ids": [ - "4657" - ], - "id": "5c6e4e04-c3a5-0b21-f966-97441d749d47", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "event_ids": [ - "4657" - ], - "id": "60c54878-2012-57de-2333-6d23649b0e92", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "CurrentVersion Autorun Keys Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", - "event_ids": [ - "4657" - ], - "id": "2f221db9-1924-551f-ad98-7f01d47c6c7e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0011", - "T1137", - "T1008", - "T1546" - ], - "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to \"DsrmAdminLogonBehavior\" registry value.\nDuring a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. 
The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.\nAttackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"0\", the administrator account can only be used if the DC starts in DSRM.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"1\", the administrator account can only be used if the local AD DS service is stopped.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"2\", the administrator account can always be used.\n", - "event_ids": [ - "4657" - ], - "id": "04c29127-1ef3-f2f5-5b26-645eb052c42d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1556" - ], - "title": "Directory Service Restore Mode(DSRM) Registry Value Tampering" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.", - "event_ids": [ - "4657" - ], - "id": "57a468ba-845c-797e-81fb-79970450803a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1204.004", - "T1204" - ], - "title": "FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the enabling of the \"EnablePeriodicBackup\" registry value. Once enabled, The OS will backup System registry hives on restarts to the \"C:\\Windows\\System32\\config\\RegBack\" folder. 
Windows creates a \"RegIdleBackup\" task to manage subsequent backups.\nRegistry backup was a default behavior on Windows and was disabled as of \"Windows 10, version 1803\".\n", - "event_ids": [ - "4657" - ], - "id": "08ad005b-9676-0872-2751-56c87d6c1385", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1113" - ], - "title": "Periodic Backup For System Registry Hives Enabled" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "event_ids": [ - "4657" - ], - "id": "50b1dd22-8438-5c33-c5f2-00496987423b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "Wow6432Node Classes Autorun Keys Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the modification of the registry to disable a system restore on the computer", - "event_ids": [ - "4657" - ], - "id": "5cfed8dd-d873-5012-6a54-f3136099d818", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1490" - ], - "title": "Registry Disable System Restore" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "event_ids": [ - "4657" - ], - "id": "e182da19-f29b-2327-f6f0-f71d15ff8dd5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification" + "title": "Security Support Provider (SSP) Added to LSA Configuration" }, { "category": "registry_set", 
@@ -33671,1499 +33640,6 @@ ], "title": "Potential Persistence Via Visual Studio Tools for Office" }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via \"BgInfo.exe\"", - "event_ids": [ - "4657" - ], - "id": "d3e621d9-17c0-c31c-1daf-8247438baa83", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "New BgInfo.EXE Custom VBScript Registry Configuration" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.\nThis compatibility layer allows an application to register for restart using the \"RegisterApplicationRestart\" API.\nThis can be potentially abused as a persistence mechanism.\n", - "event_ids": [ - "4657" - ], - "id": "536c7bf1-8834-bffb-665e-b945d9a1894b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.011", - "T1546" - ], - "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks", - "event_ids": [ - "4657" - ], - "id": "4d50dc2c-f2bf-a039-820d-65c415ab31ee", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003" - ], - "title": "Winget Admin Settings Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "A General detection for a new application in AppCompat. 
This indicates an application executing for the first time on an endpoint.", - "event_ids": [ - "4657" - ], - "id": "bc9f1068-0677-5580-301a-add396842846", - "level": "informational", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1204.002", - "T1204" - ], - "title": "New Application in AppCompat" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", - "event_ids": [ - "4657" - ], - "id": "15d9849f-4559-6cb8-b45b-663e3ddd9cc5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0005", - "T1553.003", - "T1553" - ], - "title": "Persistence Via New SIP Provider" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", - "event_ids": [ - "4657" - ], - "id": "0399e65b-992d-24c3-dc62-0b2904dda8f1", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.001", - "T1564" - ], - "title": "Displaying Hidden Files Feature Disabled" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", - "event_ids": [ - "4657" - ], - "id": "69cb5d0b-48e9-4795-d7bf-3b3051750973", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.002", - "T1562" - ], - "title": "Change Winevt Channel Access Permission Via Registry" - }, - { - "category": 
"registry_set", - "channel": [ - "sec" - ], - "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "event_ids": [ - "4657" - ], - "id": "24cd048b-21d4-3957-a68d-e073a077e305", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003", - "T1112" - ], - "title": "RDP Sensitive Settings Changed" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential persistence using Appx DebugPath", - "event_ids": [ - "4657" - ], - "id": "7e39f9c6-fca2-d20b-c975-48062f7ac3e0", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.015", - "T1546" - ], - "title": "Potential Persistence Using DebugPath" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", - "event_ids": [ - "4657" - ], - "id": "8a77badb-a001-0da9-9213-ba6efbd70a95", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Allow RDP Remote Assistance Feature" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. 
Which will get invoked when an application crashes", - "event_ids": [ - "4657" - ], - "id": "8ce03c3b-7a99-449f-6af3-9f5f4685385b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1574" - ], - "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", - "event_ids": [ - "4657" - ], - "id": "9f6b7775-4d86-0f98-45b5-2cfac0e410e7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "NET NGenAssemblyUsageLog Registry Key Tamper" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential COM object hijacking via modification of default system CLSID.", - "event_ids": [ - "4657" - ], - "id": "f27c3f9d-33e2-2ee6-64f7-a34b895b6379", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.015", - "T1546" - ], - "title": "COM Object Hijacking Via Modification Of Default System CLSID Default Value" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", - "event_ids": [ - "4657" - ], - "id": "027f1f5f-4aa7-ac2c-d8c2-084da4eaee3d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Execution DLL of Choice Using WAB.EXE" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when attackers or tools disable Windows Defender functionalities via the Windows registry", - "event_ids": [ - "4657" - ], - "id": "14e19d39-b1be-4903-56be-684b57d45e16", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Disable Windows Defender Functionalities Via Registry Keys" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the \"HVCIDisallowedImages\" registry value to potentially add a driver to the list, in order to prevent it from loading.\n", - "event_ids": [ - "4657" - ], - "id": "43beb49f-0ccb-ecd4-f361-bcb66b1170f4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Driver Added To Disallowed Images In HVCI - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "event_ids": [ - "4657" - ], - "id": "672c20dd-b3a3-85e6-ece5-2b1010734c41", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "System Scripts Autorun Keys Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images locations to 
stage currently used files for rename or deletion after reboot.\n", - "event_ids": [ - "4657" - ], - "id": "cddc552b-0261-3637-470e-9296ae9dd79f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036.003", - "T1036" - ], - "title": "Potential PendingFileRenameOperations Tampering" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects tampering with the \"Enabled\" registry key in order to disable Windows logging of a Windows event channel", - "event_ids": [ - "4657" - ], - "id": "6d5ef37b-2d6d-8ef5-a641-57161c232686", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.002", - "T1562" - ], - "title": "Disable Windows Event Logging Via Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects setting of a new registry database value related to BgInfo configuration. 
Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.", - "event_ids": [ - "4657" - ], - "id": "1bb96a94-8ab5-69b5-8366-2ab8e23877f2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "New BgInfo.EXE Custom DB Path Registry Configuration" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects disabling Windows Defender PUA protection", - "event_ids": [ - "4657" - ], - "id": "ac73de31-10d9-b1f0-6a99-7f5449fef005", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Disable PUA Protection on Windows Defender" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", - "event_ids": [ - "4657" - ], - "id": "7c631357-74f2-6fac-f215-06a5d2c1e99b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "Potential Persistence Via CHM Helper DLL" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\nBefore doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. 
This registry key should store a value named \"Ime File\" with a DLL path.\nIMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.\n", - "event_ids": [ - "4657" - ], - "id": "595fb3ac-f3e2-e83b-fe23-f4a160b15c17", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Suspicious Path In Keyboard Layout IME File Registry Value" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the Internet Explorer \"DisableFirstRunCustomize\" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.\n", - "event_ids": [ - "4657" - ], - "id": "6b3466e8-35d1-e288-b322-0873400febd7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Internet Explorer DisableFirstRunCustomize Enabled" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", - "event_ids": [ - "4657" - ], - "id": "7ee582b4-6e4c-aa81-c848-34f91ae9302d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.002", - "T1564" - ], - "title": "Hiding User Account Via SpecialAccounts Registry Key" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", - "event_ids": [ - "4657" - ], - "id": 
"4e584b07-47af-0e21-5779-6585650ca16e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.001", - "T1564" - ], - "title": "Registry Persistence via Service in Safe Mode" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the \"ExtErrorInformation\" key in order to disable ETW logging for rpcrt4.dll", - "event_ids": [ - "4657" - ], - "id": "c1e78049-d5f0-8a11-39dd-10110524f89f", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112", - "T1562" - ], - "title": "ETW Logging Disabled For rpcrt4.dll" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", - "event_ids": [ - "4657" - ], - "id": "a6cf9f0e-8857-2bf6-bf8f-ebe833b09125", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "T1218" - ], - "title": "ScreenSaver Registry Key Set" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", - "event_ids": [ - "4657" - ], - "id": "2c5460e8-fa5b-2a17-1e53-f6f3789de52d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "Registry Persistence via Explorer Run Key" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential PowerShell commands or code within registry run keys", - "event_ids": [ - "4657" - ], - "id": "886d79ab-1307-d072-9729-18305985ebad", - "level": "medium", - "service": "", - "subcategory_guids": [ - 
"0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "Suspicious PowerShell In Registry Run Keys" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", - "event_ids": [ - "4657" - ], - "id": "8b15d432-7c88-1622-8af2-9ab6b7134bdf", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "Add Debugger Entry To AeDebug For Persistence" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the abuse of custom file open handler, executing powershell", - "event_ids": [ - "4657" - ], - "id": "790cbe25-2aac-45a7-48c4-234b2a622f06", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1202" - ], - "title": "Custom File Open Handler Executes PowerShell" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", - "event_ids": [ - "4657" - ], - "id": "406b79d8-988c-0ef9-5702-7aa379ce70e2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0005", - "T1112" - ], - "title": "Potential Persistence Via Event Viewer Events.asp" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", - 
"event_ids": [ - "4657" - ], - "id": "49f0ef07-1fcf-1ac7-54ee-8cfbb34caf06", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0004", - "T1547.003", - "T1547" - ], - "title": "New TimeProviders Registered With Uncommon DLL Name" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects .NET Framework CLR and .NET Core CLR \"cor_enable_profiling\" and \"cor_profiler\" variables being set and configured.", - "event_ids": [ - "4657" - ], - "id": "4b44d428-f676-8642-3d97-3eb23a44d818", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0004", - "TA0005", - "T1574.012", - "T1574" - ], - "title": "Enabling COR Profiler Environment Variables" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging", - "event_ids": [ - "4657" - ], - "id": "4320bfce-fa0f-05d4-9e60-55d3f27794d8", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.001", - "T1564" - ], - "title": "PowerShell Logging Disabled Via Registry Key Tampering" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker registers a new IFilter for an extension. 
Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", - "event_ids": [ - "4657" - ], - "id": "3728b695-0511-c1dd-81df-030fda358222", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "Register New IFiltre For Persistence" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", - "event_ids": [ - "4657" - ], - "id": "35a986a0-86d6-9685-21af-3277c6172094", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "Potential Persistence Via DLLPathOverride" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects disabling Windows Defender Tamper Protection", - "event_ids": [ - "4657" - ], - "id": "5a289d79-b7ce-fff7-d06d-771cffd14775", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Disable Tamper Protection on Windows Defender" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via \"BgInfo.exe\"", - "event_ids": [ - "4657" - ], - "id": "c08df57b-ce0c-de04-72c1-3319cfdc5a37", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "New 
BgInfo.EXE Custom WMI Query Registry Configuration" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", - "event_ids": [ - "4657" - ], - "id": "8d3cb1da-3cc0-2448-a467-9b5a2bd3c4c0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Potential Attachment Manager Settings Associations Tamper" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", - "event_ids": [ - "4657" - ], - "id": "8f6d136c-f1db-74c5-9845-308043bbbaea", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0005", - "T1112" - ], - "title": "Winlogon AllowMultipleTSSessions Enable" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the \"DisableRestrictedAdmin\" registry value in order to disable or enable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", - "event_ids": [ - "4657" - ], - "id": "5b59bbe4-226f-1215-bff7-8c5a79430936", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "RestrictedAdminMode Registry Value Tampering" - }, - { - "category": 
"registry_set", - "channel": [ - "sec" - ], - "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)", - "event_ids": [ - "4657" - ], - "id": "4e8bf251-fcde-0996-45f9-62335b5e5d8b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "car.2019-04-001", - "T1548" - ], - "title": "UAC Bypass via Sdclt" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", - "event_ids": [ - "4657" - ], - "id": "8c9b2605-a3a3-f822-afa4-e8d7abdf70e3", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1053", - "T1053.005" - ], - "title": "Scheduled TaskCache Change by Uncommon Program" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect set UseActionCenterExperience to 0 to disable the Windows security center notification", - "event_ids": [ - "4657" - ], - "id": "75c0a3fc-9821-e555-9c15-d7829e36ed2e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Disable Windows Security Center Notifications" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "event_ids": [ - "4657" - ], - "id": "a41b0618-1e99-30df-5b32-d040dd4ca439", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - 
"T1547.010", - "T1547" - ], - "title": "Add Port Monitor Persistence in Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", - "event_ids": [ - "4657" - ], - "id": "16505b6b-b744-b451-e1cc-2bf1ecc9e7df", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.004", - "T1547" - ], - "title": "Winlogon Notify Key Logon Persistence" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", - "event_ids": [ - "4657" - ], - "id": "717a326e-aa46-b2cd-4db7-1e0be4003fb9", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.001", - "T1003" - ], - "title": "Lsass Full Dump Request Via DumpType Registry Settings" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects registry value settings that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", - "event_ids": [ - "4657" - ], - "id": "e368acaa-a5b7-0fab-0997-8f0f1db5f99a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0040", - "T1112", - "T1491.001", - "T1491" - ], - "title": "Potentially Suspicious Desktop Background Change Via Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - 
"description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "event_ids": [ - "4657" - ], - "id": "e262d6ab-07ec-712b-78c5-696f002dc7f0", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "Wow6432Node CurrentVersion Autorun Keys Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", - "event_ids": [ - "4657" - ], - "id": "a2a9ea74-be61-a011-3676-5bdd9cdae0a4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Wdigest Enable UseLogonCredential" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".", - "event_ids": [ - "4657" - ], - "id": "010beef6-dccd-7edc-c751-9236ab787158", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to registry keys related to \"Trusted Location\" of Microsoft Office where the path is set to something uncommon. 
Attackers might add additional trusted locations to avoid macro security restrictions.", - "event_ids": [ - "4657" - ], - "id": "c22014de-7963-a2c6-ead7-9fded54d54f0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Uncommon Microsoft Office Trusted Location Added" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper\n", - "event_ids": [ - "4657" - ], - "id": "6191bb45-e2d4-dc12-74c9-be6994d84572", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.007", - "T1546" - ], - "title": "Potential Persistence Via Netsh Helper DLL - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", - "event_ids": [ - "4657" - ], - "id": "40faa526-8b40-5332-0b76-013443d7e0ee", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1559.002", - "T1559" - ], - "title": "Enable Microsoft Dynamic Data Exchange" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", - "event_ids": [ - "4657" - ], - "id": "ae407430-a207-5af9-e0ad-439b41b90e3a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0011", - "T1137", - "T1008", - "T1546" - ], - "title": "Outlook Macro Execution Without Warning Setting Enabled" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], 
- "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", - "event_ids": [ - "4657" - ], - "id": "ebfabc1f-964a-69f3-60d7-e027eaaf1022", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Disable Internal Tools or Feature in Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.\nRansomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.\n", - "event_ids": [ - "4657" - ], - "id": "007fb76c-92e3-5bfa-4f46-d6179811290f", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1070.005", - "T1070" - ], - "title": "MaxMpxCt Registry Value Changed" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the \"PromptOnSecureDesktop\" value.\nThe \"PromptOnSecureDesktop\" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.\nWhen \"PromptOnSecureDesktop\" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. 
This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.\n", - "event_ids": [ - "4657" - ], - "id": "4475b3bd-9b24-b189-1118-871c5fe3fe17", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0005", - "T1548.002", - "T1548" - ], - "title": "UAC Secure Desktop Prompt Disabled" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", - "event_ids": [ - "4657" - ], - "id": "e249ebd9-4719-fbd6-ad42-802038c12f87", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "Potential Persistence Via LSA Extensions" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", - "event_ids": [ - "4657" - ], - "id": "742762c2-287c-4b94-5f99-ae234cdd3d2c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564", - "T1112" - ], - "title": "CrashControl CrashDump Disabled" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", - "event_ids": [ - "4657" - ], - "id": "7bb576ef-cc9a-5126-c758-aa8d24f0edda", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.015", - "T1546" - ], - "title": "Potential 
Persistence Via Scrobj.dll COM Hijacking" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "event_ids": [ - "4657" - ], - "id": "c5041759-c026-94ae-a6d4-6e6bfbfa3d0c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "T1548" - ], - "title": "UAC Bypass Abusing Winsat Path Parsing - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", - "event_ids": [ - "4657" - ], - "id": "eea69d1c-b62d-d58f-4ee3-82f9053a20ea", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Potential Signing Bypass Via Windows Developer Features - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", - "event_ids": [ - "4657" - ], - "id": "6e7e4fc7-4279-156d-6a7b-f6c593f51098", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "Persistence Via Hhctrl.ocx" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect set Notification_Suppress to 1 to disable the Windows security center notification", - "event_ids": [ - "4657" - ], - "id": "b0b20369-6a44-df4d-5671-a85b5eb960dd", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Activate Suppression of Windows Security Center Notifications" - }, - 
{ - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects disabling Windows Defender Exploit Guard Network Protection", - "event_ids": [ - "4657" - ], - "id": "a1e4b72a-2af2-0002-fb44-971730e2befa", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Disable Exploit Guard Network Protection on Windows Defender" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect possible persistence using Fax DLL load when service restart", - "event_ids": [ - "4657" - ], - "id": "b04c5cc0-6866-8748-e7a7-d69ff8d55935", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Change the Fax Dll" - }, { "category": "registry_set", "channel": [ 
@@ -35192,139 +33668,32 @@
 "channel": [
 "sec"
 ],
- "description": "Detect the creation of a service with a service binary located in a suspicious directory",
+ "description": "Detects the modification of the registry to disable a system restore on the computer",
 "event_ids": [
 "4657"
 ],
- "id": "ed9f6502-6cf6-8a06-be4a-10027cabb474",
+ "id": "5cfed8dd-d873-5012-6a54-f3136099d818",
 "level": "high",
 "service": "",
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
- "tags": [
- "TA0005",
- "T1112"
- ],
- "title": "Service Binary in Suspicious Folder"
- },
- {
- "category": "registry_set",
- "channel": [
- "sec"
- ],
- "description": "Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location",
- "event_ids": [
- "4657"
- ],
- "id": "d61e6c48-1d69-1942-c9e5-4244f12fc88e",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE921E-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "TA0003",
- "T1003"
- ],
- "title": "Potentially Suspicious ODBC Driver Registered"
- },
- {
- "category": "registry_set",
- "channel": [
- "sec"
- ],
- "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n",
- "event_ids": [
- "4657"
- ],
- "id": "844e4a35-c606-6b5d-8390-52c55b9f09b5",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE921E-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003"
- ],
- "title": "Persistence Via Disk Cleanup Handler - Autorun"
- },
- {
- "category": "registry_set",
- "channel": [
- "sec"
- ],
- "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry",
- "event_ids": [
- "4657"
- ],
- "id": "8365c772-65e3-7f23-1606-2a2ecbd20235",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE921E-69AE-11D9-BED3-505054503030"
- ],
 "tags": [
 "TA0040",
 "T1490"
 ],
- "title": "New Root or CA or AuthRoot Certificate to Store"
+ "title": "Registry Disable System Restore"
 },
 {
 "category": "registry_set",
 "channel": [
 "sec"
 ],
- "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)",
+ "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to prepend information to the PATH environment variable on a per-application, per-process basis.\n",
 "event_ids": [
 "4657"
 ],
- "id": "1c9de880-3d26-4614-f41f-a4d975e609ff",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE921E-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1574.001",
- "T1112",
- "T1574"
- ],
- "title": "New DNS ServerLevelPluginDll Installed"
- },
- {
- "category": "registry_set",
- "channel": [
- "sec"
- ],
- "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n",
- "event_ids": [
- "4657"
- ],
- "id": "3649e76a-4f74-b4bf-7b6e-511fc789a746",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE921E-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1112"
- ],
- "title": "Enable LM Hash Storage"
- },
- {
- "category": "registry_set",
- "channel": [
- "sec"
- ],
- "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n",
- "event_ids": [
- "4657"
- ],
- "id": "b0acca11-04f4-7e88-5dd9-fc299b3716e8",
+ "id": "addf4ebc-b3ab-c6ab-98ba-db37848a8ee2",
 "level": "high",
 "service": "",
 "subcategory_guids": [
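Review bot: The two rules this hunk introduces on the new side (`Registry Disable System Restore` at level `high`, and the App Paths rule whose object continues into the next hunk) depend entirely on `"event_ids": ["4657"]` under the Audit Registry subcategory, and Security 4657 is only written for registry keys that carry a SACL auditing Set Value for the acting principal — with the subcategory enabled but no SACL on the watched key the rule is silent, which at level `high` is a coverage gap nobody will notice. Nothing in the entry records this prerequisite (the entry does not even carry the key path it watches), so someone auditing coverage cannot tell from the file whether it is met; I would state it in the description, e.g. append `\nRequires a SACL with Set Value auditing on the monitored key; Security event 4657 is not generated otherwise.` to the Disable System Restore description. The description of the App Paths rule also reads as a fragment (`... App Paths\\ registry. Which might be used as a method of persistence`) and should be one sentence. Both rule objects extend beyond this hunk: the first opens before `"channel": [` and the second closes in the following hunk.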
@@ -35332,616 +33701,10 @@ ], "tags": [ "TA0003", - "T1547.010", - "T1547" - ], - "title": "Default RDP Port Changed to Non Standard Port" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects applications or users re-enabling old TLS versions by setting the \"Enabled\" value to \"1\" for the \"Protocols\" registry key.", - "event_ids": [ - "4657" - ], - "id": "f1d2e557-5935-d1b7-cc8a-48563f722f9c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Old TLS1.0/TLS1.1 Protocol Version Enabled" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.\nWindows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.\nAdversary may want to disable this service to disable logging of security events which could be used to detect their activities.\n", - "event_ids": [ - "4657" - ], - "id": "bff51a59-a1b9-f1f5-f5e4-ac2e523d572a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.002", - "T1112", - "car.2022-03-001", - "T1562" - ], - "title": "Security Event Logging Disabled via MiniNt Registry Key - Registry Set" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. 
This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper\n", - "event_ids": [ - "4657" - ], - "id": "57fba93d-7938-c3fd-109b-6d1fb6037e2c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.007", + "T1546.012", "T1546" ], - "title": "New Netsh Helper DLL Registered From A Suspicious Location" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", - "event_ids": [ - "4657" - ], - "id": "e95c5cb7-fd08-cb3b-14e8-d0a4287e6f68", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Registry Hide Function from User" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects that a powershell code is written to the registry as a service.", - "event_ids": [ - "4657" - ], - "id": "891340b3-d63e-73d0-742f-b481f911074c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1569.002", - "T1569" - ], - "title": "PowerShell as a Service in Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", - "event_ids": [ - "4657" - ], - "id": "edcac99a-55ef-aa9c-92a3-d9c9d7e1e46e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "VBScript Payload Stored in Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modification of autostart extensibility point (ASEP) in 
registry.", - "event_ids": [ - "4657" - ], - "id": "e06345ae-614b-8ef6-d336-a5ed3b2dc71b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "WinSock2 Autorun Keys Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects registry changes to Microsoft Office \"AccessVBOM\" to a value of \"1\" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.", - "event_ids": [ - "4657" - ], - "id": "d5d54339-c5a4-2889-7da2-66fd42b16ef0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Trust Access Disable For VBApplications" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", - "event_ids": [ - "4657" - ], - "id": "60953210-fd32-ddac-1118-a569c8452fd3", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1562.001", - "TA0005", - "T1562" - ], - "title": "Suspicious Service Installed" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects tamper attempts to sophos av functionality via registry key modification", - "event_ids": [ - "4657" - ], - "id": "ea43cb8f-21a1-38f6-1d50-bbcb754a91f6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Tamper With Sophos AV Registry Keys" - }, - { - "category": 
"registry_set", - "channel": [ - "sec" - ], - "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", - "event_ids": [ - "4657" - ], - "id": "ba919d03-0c34-c3c3-272c-ec0656c3d10c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0004", - "T1547.001", - "T1547" - ], - "title": "Modify User Shell Folders Startup Value" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", - "event_ids": [ - "4657" - ], - "id": "f3359b54-f4f9-b8da-0ddb-ef16968c70e7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", - "event_ids": [ - "4657" - ], - "id": "fbdc5117-68bf-93e5-9ab3-03ea072e0d36", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Potential AMSI COM Server Hijacking" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential persistence activity via outlook today page.\nAn attacker can set a custom page to execute arbitrary code and link to it via the registry values \"URL\" and \"UserDefinedUrl\".\n", - "event_ids": [ - "4657" - ], - "id": "0e75b3d7-d3d3-d9fa-4d60-a1254f59e47d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1112" - ], - "title": "Potential Persistence Via Outlook Today Page" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", - "event_ids": [ - "4657" - ], - "id": "e4a61ceb-0bbe-6cab-3249-6c48c6ef7320", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1546", - "T1548" - ], - "title": "COM Hijack via Sdclt" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "event_ids": [ - "4657" - ], - "id": "4c6aafd5-b32d-12d2-ecc7-0138f21e65e8", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "Internet Explorer Autorun Keys Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects tampering with 
autologger trace sessions which is a technique used by attackers to disable logging", - "event_ids": [ - "4657" - ], - "id": "c561b602-ffb8-a69c-10ef-7c35000d7bca", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Potential AutoLogger Sessions Tampering" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.", - "event_ids": [ - "4657" - ], - "id": "e70cde78-b476-8726-75d1-073aeabb4e1d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003" - ], - "title": "Enable Local Manifest Installation With Winget" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", - "event_ids": [ - "4657" - ], - "id": "0ea81575-bcbc-e0f8-6604-6236751cb5db", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "Potential Persistence Via AutodialDLL" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", - "event_ids": [ - "4657" - ], - "id": "2c97b46f-dbd7-bf78-71c0-86ed4a55c654", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "New RUN Key Pointing to Suspicious Folder" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Attempts to detect system changes made by Blue 
Mockingbird", - "event_ids": [ - "4657" - ], - "id": "5e4e8480-72ed-5e37-7cfe-93d7cfd37974", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003", - "T1112", - "T1047" - ], - "title": "Blue Mockingbird - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the Setting of Windows Defender Exclusions", - "event_ids": [ - "4657" - ], - "id": "c86baf10-abab-0f8f-88a2-e51640a26b5c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Windows Defender Exclusions Added - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential persistence activity via outlook home page.\nAn attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.\n", - "event_ids": [ - "4657" - ], - "id": "fe333043-ad46-425d-1661-2d2a65e25177", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1112" - ], - "title": "Potential Persistence Via Outlook Home Page" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "event_ids": [ - "4657" - ], - "id": "092b0638-9aaa-3ecd-820c-9e873b647497", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "T1547" - ], - "title": "Common Autorun Keys Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", - "event_ids": [ - "4657" - ], - "id": "c1daf9d0-4faf-5cf7-ee69-08dbaf545e0b", - "level": 
"medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Add DisallowRun Execution to Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", - "event_ids": [ - "4657" - ], - "id": "d22a2c0b-fd48-300f-ba44-d6881df81aab", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", - "event_ids": [ - "4657" - ], - "id": "239ba06d-b7b1-2237-ec7e-0f41d80ff78b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Registry Explorer Policy Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential WerFault \"ReflectDebugger\" registry value abuse for persistence.", - "event_ids": [ - "4657" - ], - "id": "effced04-aa28-c07f-9aa5-41cdded8bb61", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036.003", - "T1036" - ], - "title": "Potential WerFault ReflectDebugger Registry Value Abuse" + "title": "Potential Persistence Via App Paths Default Property" }, { "category": "registry_set", 
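Review bot: The added `"T1546.012"` tag on the App Paths rule maps it to ATT&CK sub-technique Image File Execution Options Injection, which is defined around the IFEO `Debugger`/`MonitorProcess` values, not the App Paths `(Default)` value this rule's description says it watches, so a detection-coverage report keyed on sub-techniques would credit IFEO coverage that the rule does not provide. If this tag was carried over from the upstream rule it was generated from, that is worth confirming rather than assuming; if the intent is only the parent technique, the `"T1546"` tag already present on the same list is the accurate one and `"T1546.012"` can be dropped. The rule object whose tags these are opens in the previous hunk, so the `level`/`event_ids` it pairs with are not visible here.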
@@ -35973,11 +33736,11 @@ "channel": [ "sec" ], - "description": "Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed.\nThreat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.\n", + "description": "Detects potential WerFault \"ReflectDebugger\" registry value abuse for persistence.", "event_ids": [ "4657" ], - "id": "90a9c79a-934b-1610-6e9c-d088885d656f", + "id": "effced04-aa28-c07f-9aa5-41cdded8bb61", "level": "high", "service": "", "subcategory_guids": [ 
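Review bot: The entry this hunk adds is not new — "Potential WerFault ReflectDebugger Registry Value Abuse" (id `effced04-…`) is deleted in the preceding hunk and re-added here, and the "Python Function Execution Security Warning Disabled In Excel - Registry" entry (id `90a9c79a-…`) it displaces is re-added unchanged further down, so the hunk is pure ordering churn. Because the array is emitted in an unstable order, a regeneration produces thousands of changed lines and a reviewer cannot tell from the diff which rules were really added, removed or retagged. If this file is tool-generated, emit the array sorted by a stable key such as `"id"` (or `"title"`) so that regenerations diff cleanly and only substantive changes surface.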
@@ -35985,42 +33748,88 @@ ], "tags": [ "TA0005", - "T1562.001", + "T1036.003", + "T1036" + ], + "title": "Potential WerFault ReflectDebugger Registry Value Abuse" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to registry keys related to \"Trusted Location\" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.", + "event_ids": [ + "4657" + ], + "id": "c22014de-7963-a2c6-ead7-9fded54d54f0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Uncommon Microsoft Office Trusted Location Added" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", + "event_ids": [ + "4657" + ], + "id": "a6cf9f0e-8857-2bf6-bf8f-ebe833b09125", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "T1218" + ], + "title": "ScreenSaver Registry Key Set" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.\nWindows Event Log is a service that collects and stores event logs from the operating system and applications. 
It is an important component of Windows security and auditing.\nAdversary may want to disable this service to disable logging of security events which could be used to detect their activities.\n", + "event_ids": [ + "4657" + ], + "id": "bff51a59-a1b9-f1f5-f5e4-ac2e523d572a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.002", + "T1112", + "car.2022-03-001", "T1562" ], - "title": "Python Function Execution Security Warning Disabled In Excel - Registry" + "title": "Security Event Logging Disabled via MiniNt Registry Key - Registry Set" }, { "category": "registry_set", "channel": [ "sec" ], - "description": "Detects changes to the registry values related to outlook security settings", + "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", "event_ids": [ "4657" ], - "id": "8a91b3b9-6d62-e700-63e7-73170f5b0bbc", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1137" - ], - "title": "Outlook Security Settings Updated - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", - "event_ids": [ - "4657" - ], - "id": "8f22d1f4-6491-fcf7-858d-c2e73bcb8c48", + "id": "7ee582b4-6e4c-aa81-c848-34f91ae9302d", "level": "high", "service": "", "subcategory_guids": [ 
@@ -36028,318 +33837,52 @@ ], "tags": [ "TA0005", - "T1562" + "T1564.002", + "T1564" ], - "title": "Hide Schedule Task Via Index Value Tamper" + "title": "Hiding User Account Via SpecialAccounts Registry Key" }, { "category": "registry_set", "channel": [ "sec" ], - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", + "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", "event_ids": [ "4657" ], - "id": "bc03960b-bb9d-b48c-e6cd-73b6e8d17d74", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.011", - "T1546" - ], - "title": "Potential Persistence Via Shim Database Modification" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", - "event_ids": [ - "4657" - ], - "id": "6f4258c6-a880-1da0-7c68-c7e19ed0c795", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003" - ], - "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", - "event_ids": [ - "4657" - ], - "id": "22ff751c-b2ff-1cd8-3e5b-3bd123b3a93e", + "id": "c561b602-ffb8-a69c-10ef-7c35000d7bca", "level": "high", "service": "", "subcategory_guids": [ 
"0CCE921E-69AE-11D9-BED3-505054503030" ], - "tags": [ - "TA0002", - "TA0004", - "TA0008", - "T1021.002", - "T1543.003", - "T1569.002", - "T1543", - "T1569", - "T1021" - ], - "title": "Potential CobaltStrike Service Installations - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", - "event_ids": [ - "4657" - ], - "id": "59a208e8-d58f-efd0-e693-48703d554101", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003" - ], - "title": "Suspicious Environment Variable Has Been Registered" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", - "event_ids": [ - "4657" - ], - "id": "989dffb4-2561-5f0b-079e-74bfe39a050a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], "tags": [ "TA0005" ], - "title": "Potential PowerShell Execution Policy Tampering" + "title": "Potential AutoLogger Sessions Tampering" }, { "category": "registry_set", "channel": [ "sec" ], - "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", "event_ids": [ "4657" ], - "id": "8db93e70-1420-c43f-ea06-00a6fc42449f", + "id": "dcbfe53c-e933-cfb7-d9ce-8f03726f9637", "level": "high", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1574.001", - "T1112", - 
"T1574" + "TA0040", + "T1491.001", + "T1491" ], - "title": "DHCP Callout DLL Installation" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", - "event_ids": [ - "4657" - ], - "id": "9f96ee4d-d1e8-d5d0-e2d8-8fce145b8006", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "Add Debugger Entry To Hangs Key For Persistence" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.", - "event_ids": [ - "4657" - ], - "id": "6dbd4cbc-13d1-1d53-1ce4-5ad27813a654", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "ClickOnce Trust Prompt Tampering" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", - "event_ids": [ - "4657" - ], - "id": "f06899a3-2598-48df-bd36-4c846265e174", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Suspicious Application Allowed Through Exploit Guard" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. 
And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", - "event_ids": [ - "4657" - ], - "id": "49b76666-4660-3762-b2ea-818e190edd5d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Potential Persistence Via Custom Protocol Handler" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Bypasses User Account Control using a fileless method", - "event_ids": [ - "4657" - ], - "id": "6c5c8d47-3184-6c84-8736-f426d0e50839", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0005", - "T1548.002", - "T1548" - ], - "title": "Bypass UAC Using DelegateExecute" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", - "event_ids": [ - "4657" - ], - "id": "0b5acb16-e364-ec25-c330-4c4868819d39", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.004", - "T1562" - ], - "title": "Disable Microsoft Defender Firewall via Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the \"DisableHypervisorEnforcedPagingTranslation\" registry value. 
Where the it is set to \"1\" in order to disable the Hypervisor Enforced Paging Translation feature.\n", - "event_ids": [ - "4657" - ], - "id": "9023759d-f7e3-127f-82b8-e618efea5217", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Hypervisor Enforced Paging Translation Disabled" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value \"EnableLUA\" to 0.\n", - "event_ids": [ - "4657" - ], - "id": "6665e720-ff59-40c7-6fc2-63c2990aef5f", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0005", - "T1548.002", - "T1548" - ], - "title": "UAC Disabled" + "title": "Potential Ransomware Activity Using LegalNotice Message" }, { "category": "registry_set", 
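Review bot: The new "Potential AutoLogger Sessions Tampering" entry carries only the tactic tag `"TA0005"` with no technique, and it gets that tag list as an unchanged context line left over from the removed "Potential PowerShell Execution Policy Tampering" entry rather than from its own source rule. Sibling logging-tampering entries in this file ("Disable Windows Event Logging Via Registry", "Security Event Logging Disabled via MiniNt Registry Key - Registry Set") carry a T1562 sub-technique next to the tactic, so a consumer filtering on technique will miss this rule. If the upstream rule maps autologger tampering to a technique — T1562.006 (Indicator Blocking) is the usual mapping for ETW session tampering, verify against the source — the tags should read `"TA0005", "T1562.006", "T1562"`.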
@@ -36367,99 +33910,11 @@ "channel": [ "sec" ], - "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", + "description": "Detect the creation of a service with a service binary located in a suspicious directory", "event_ids": [ "4657" ], - "id": "59f5abe2-1a9e-45ca-21d7-c1494694129e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0042", - "T1588.002", - "T1588" - ], - "title": "Suspicious Keyboard Layout Load" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.", - "event_ids": [ - "4657" - ], - "id": "98109d4e-3967-7837-46d2-9fdaface4ac0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.011", - "T1546" - ], - "title": "Suspicious Shim Database Patching Activity" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", - "event_ids": [ - "4657" - ], - "id": "7b78e30a-de66-08da-7417-5b735a074ba2", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Disabled Windows Defender Eventlog" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting", - "event_ids": [ - "4657" - ], - "id": "dfa1b70c-248b-d9ac-0b47-fbce1fe26a10", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.002", - "T1562" - ], - "title": "Potential EventLog File Location Tampering" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects registry changes to Office trust records where the path is located in a potentially suspicious location", - "event_ids": [ - "4657" - ], - "id": "ea79a782-319f-b5bd-9293-cab2134f5c43", + "id": "ed9f6502-6cf6-8a06-be4a-10027cabb474", "level": "high", "service": "", "subcategory_guids": [ 
@@ -36469,93 +33924,47 @@ "TA0005", "T1112" ], - "title": "Macro Enabled In A Potentially Suspicious Document" + "title": "Service Binary in Suspicious Folder" }, { "category": "registry_set", "channel": [ "sec" ], - "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", "event_ids": [ "4657" ], - "id": "7d02b772-7006-ba16-2b13-60db59dcfa00", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1133" - ], - "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", - "event_ids": [ - "4657" - ], - "id": "22adc86b-0198-3dfd-0cc2-f686d342be66", + "id": "844e4a35-c606-6b5d-8390-52c55b9f09b5", "level": "medium", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], 
"tags": [ - "TA0005", - "T1140", - "T1112" + "TA0003" ], - "title": "DNS-over-HTTPS Enabled by Registry" + "title": "Persistence Via Disk Cleanup Handler - Autorun" }, { "category": "registry_set", "channel": [ "sec" ], - "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", + "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", "event_ids": [ "4657" ], - "id": "5726e5a8-ce24-8360-cfb3-731d16ed8aca", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Scripted Diagnostics Turn Off Check Enabled - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", - "event_ids": [ - "4657" - ], - "id": "9651c944-f6ad-6a83-4ff8-76f682bce13e", + "id": "fbab75d9-3bd2-3705-4511-3e0cf5a10fe4", "level": "high", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1112" + "TA0005" ], - "title": "Blackbyte Ransomware Registry" + "title": "Potential Attachment Manager Settings Attachments Tamper" }, { "category": "registry_set", 
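Review bot: The new "Potential Attachment Manager Settings Attachments Tamper" description tells the reader "(See reference for more information)", but the record has no reference field — every entry in this file carries only category, channel, description, event_ids, id, level, service, subcategory_guids, tags and title — so the pointer is dead for anyone reading the JSON. The "Persistence Via Disk Cleanup Handler - Autorun" description added in the same hunk contains a literal "[…]" where part of the quoted Microsoft text was cut, leaving a sentence fragment. Either carry the source rule's links in a `"references": [...]` array when these records are generated, or strip such phrases at generation time; at minimum rewrite the first description to `"Detects tampering with attachment manager settings policies attachments."`.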
@@ -36605,11 +34014,425 @@ "channel": [ "sec" ], - "description": "Hides the file extension through modification of the registry", + "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", "event_ids": [ "4657" ], - "id": "c2ff02fd-f4fe-2876-15ee-2a3d914b1a9f", + "id": "8f22d1f4-6491-fcf7-858d-c2e73bcb8c48", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562" + ], + "title": "Hide Schedule Task Via Index Value Tamper" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "event_ids": [ + "4657" + ], + "id": "cb43927e-70c4-47e4-6121-af9fb00a6a77", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "Office Autorun Keys Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the setting of the environement variable \"windir\" to a non default value.\nAttackers often abuse this variable in order to trigger a UAC bypass via the \"SilentCleanup\" task.\nThe SilentCleanup task located in %windir%\\system32\\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.\n", + "event_ids": [ + "4657" + ], + "id": "b9c795cf-be1f-5020-c75e-f51c56483739", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "T1548.002", + "T1548" + ], + "title": "Bypass UAC Using SilentCleanup Task" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + 
"description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "event_ids": [ + "4657" + ], + "id": "c5041759-c026-94ae-a6d4-6e6bfbfa3d0c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "UAC Bypass Abusing Winsat Path Parsing - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.\nClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.\nThrough the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,\nsuch as one-liners that execute remotely hosted malicious files or scripts.\n", + "event_ids": [ + "4657" + ], + "id": "00d744c2-1966-dcdc-2c72-3a12d7b5fd2d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204.001", + "T1204" + ], + "title": "Potential ClickFix Execution Pattern - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.", + "event_ids": [ + "4657" + ], + "id": "eea69d1c-b62d-d58f-4ee3-82f9053a20ea", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Potential Signing Bypass Via Windows Developer Features - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "event_ids": [ + "4657" + ], + "id": "092b0638-9aaa-3ecd-820c-9e873b647497", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "Common Autorun Keys Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed.\nThreat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.\n", + "event_ids": [ + "4657" + ], + "id": "90a9c79a-934b-1610-6e9c-d088885d656f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Python Function Execution Security Warning Disabled In Excel - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect set Notification_Suppress to 1 to disable the Windows security center notification", + "event_ids": [ + "4657" + ], + "id": "b0b20369-6a44-df4d-5671-a85b5eb960dd", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Activate Suppression of Windows Security Center Notifications" + }, + { + 
"category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.", + "event_ids": [ + "4657" + ], + "id": "d3c2b07c-075b-b06e-926a-3c74236f7b42", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.015", + "T1546" + ], + "title": "Potential PSFactoryBuffer COM Hijacking" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", + "event_ids": [ + "4657" + ], + "id": "16505b6b-b744-b451-e1cc-2bf1ecc9e7df", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.004", + "T1547" + ], + "title": "Winlogon Notify Key Logon Persistence" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", + "event_ids": [ + "4657" + ], + "id": "6b966f00-7138-0a2d-0f30-029d3bed3524", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.010", + "T1547" + ], + "title": "Bypass UAC Using Event Viewer" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects tampering with the \"Enabled\" registry key in order to disable Windows logging of a Windows event channel", + "event_ids": [ + "4657" + ], + "id": "6d5ef37b-2d6d-8ef5-a641-57161c232686", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + 
"tags": [ + "TA0005", + "T1562.002", + "T1562" + ], + "title": "Disable Windows Event Logging Via Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "event_ids": [ + "4657" + ], + "id": "a41b0618-1e99-30df-5b32-d040dd4ca439", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.010", + "T1547" + ], + "title": "Add Port Monitor Persistence in Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", + "event_ids": [ + "4657" + ], + "id": "5726e5a8-ce24-8360-cfb3-731d16ed8aca", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Scripted Diagnostics Turn Off Check Enabled - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects registry changes to Office trust records where the path is located in a potentially suspicious location", + "event_ids": [ + "4657" + ], + "id": "ea79a782-319f-b5bd-9293-cab2134f5c43", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Macro Enabled In A Potentially Suspicious Document" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect set EnableFirewall to 0 to disable the Windows firewall", + "event_ids": [ + "4657" + ], + "id": "d84ec9a7-296b-e4d1-d97c-daa11eee226b", + "level": "medium", + "service": "", + "subcategory_guids": [ + 
"0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.004", + "T1562" + ], + "title": "Disable Windows Firewall by Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "event_ids": [ + "4657" + ], + "id": "24cd048b-21d4-3957-a68d-e073a077e305", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003", + "T1112" + ], + "title": "RDP Sensitive Settings Changed" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\n", + "event_ids": [ + "4657" + ], + "id": "3649e76a-4f74-b4bf-7b6e-511fc789a746", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Enable LM Hash Storage" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the registry values related to outlook security settings", + "event_ids": [ + "4657" + ], + "id": "8a91b3b9-6d62-e700-63e7-73170f5b0bbc", "level": "medium", "service": "", "subcategory_guids": [ 
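Review bot: The new "Bypass UAC Using Event Viewer" entry is tagged `"TA0003", "T1547.010", "T1547"` — Persistence / Boot or Logon Autostart Execution: Port Monitors, the same tags as the "Add Port Monitor Persistence in Registry" entry that follows it — which does not describe a UAC bypass. The other UAC-bypass entries added in this hunk ("Bypass UAC Using SilentCleanup Task", "UAC Bypass Abusing Winsat Path Parsing - Registry") use `"TA0004", "TA0005", "T1548.002", "T1548"`, and the Event Viewer entry should match them; as written, a filter on T1548.002 silently misses this rule. This looks like a neighbour's tags being picked up during generation rather than an intentional mapping, so the other added entries are worth checking for the same slip.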
@@ -36619,7 +34442,116 @@ "TA0003", "T1137" ], - "title": "IE Change Domain Zone" + "title": "Outlook Security Settings Updated - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "event_ids": [ + "4657" + ], + "id": "b845b5d0-c25c-d832-f891-58b8224599ee", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112", + "T1562" + ], + "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", + "event_ids": [ + "4657" + ], + "id": "7b78e30a-de66-08da-7417-5b735a074ba2", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Disabled Windows Defender Eventlog" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.", + "event_ids": [ + "4657" + ], + "id": "57a468ba-845c-797e-81fb-79970450803a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204.004", + "T1204" + ], + "title": "FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", + "event_ids": [ + "4657" + ], + "id": "027f1f5f-4aa7-ac2c-d8c2-084da4eaee3d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Execution DLL of Choice Using WAB.EXE" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "event_ids": [ + "4657" + ], + "id": "672c20dd-b3a3-85e6-ece5-2b1010734c41", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "System Scripts Autorun Keys Modification" }, { "category": "registry_set", 
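Review bot: The new "ETW Logging Disabled In .NET Processes - Sysmon Registry" entry is bound to channel `"sec"` and event id `"4657"`, the Security log's registry-value audit event, yet its title says Sysmon Registry, which will mislead an analyst expecting a Sysmon Event ID 13 source. If the title is kept verbatim from the upstream rule for traceability, make the actual binding explicit, for example by filling the currently empty `"service"` field or appending to the description `"Mapped here to Security event 4657 rather than Sysmon registry events."`. Note also that 4657 is only emitted for keys carrying a matching SACL, so this and the other 4657-based registry_set entries do nothing unless object-access auditing is configured on the relevant keys — a caveat worth stating once for the file.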
@@ -36647,11 +34579,160 @@
 "channel": [
 "sec"
 ],
- "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification",
+ "description": "Hides the file extension through modification of the registry",
 "event_ids": [
 "4657"
 ],
- "id": "6b966f00-7138-0a2d-0f30-029d3bed3524",
+ "id": "88665d21-f330-6799-62f0-724746a160d7",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1137"
+ ],
+ "title": "Registry Modification to Hidden File Extension"
+ },
+ {
+ "category": "registry_set",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. Which will get invoked when an application crashes",
+ "event_ids": [
+ "4657"
+ ],
+ "id": "8ce03c3b-7a99-449f-6af3-9f5f4685385b",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "T1574"
+ ],
+ "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger"
+ },
+ {
+ "category": "registry_set",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution",
+ "event_ids": [
+ "4657"
+ ],
+ "id": "989dffb4-2561-5f0b-079e-74bfe39a050a",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005"
+ ],
+ "title": "Potential PowerShell Execution Policy Tampering"
+ },
+ {
+ "category": "registry_set",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n",
+ "event_ids": [
+ "4657"
+ ],
+ "id": "7d12e91a-b670-4461-8bdc-aff5b37eda63",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "TA0004",
+ "T1543.003",
+ "T1543"
+ ],
+ "title": "ServiceDll Hijack"
+ },
+ {
+ "category": "registry_set",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only",
+ "event_ids": [
+ "4657"
+ ],
+ "id": "59f5abe2-1a9e-45ca-21d7-c1494694129e",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0042",
+ "T1588.002",
+ "T1588"
+ ],
+ "title": "Suspicious Keyboard Layout Load"
+ },
+ {
+ "category": "registry_set",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a suspicious printer driver installation with an empty Manufacturer value",
+ "event_ids": [
+ "4657"
+ ],
+ "id": "21c41e20-e274-bd0e-e22d-072fc5e0962d",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0004",
+ "T1574",
+ "cve.2021-1675"
+ ],
+ "title": "Suspicious Printer Driver Empty Manufacturer"
+ },
+ {
+ "category": "registry_set",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects changes to the \"HVCIDisallowedImages\" registry value to potentially add a driver to the list, in order to prevent it from loading.\n",
+ "event_ids": [
+ "4657"
+ ],
+ "id": "43beb49f-0ccb-ecd4-f361-bcb66b1170f4",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005"
+ ],
+ "title": "Driver Added To Disallowed Images In HVCI - Registry"
+ },
+ {
+ "category": "registry_set",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.",
+ "event_ids": [
+ "4657"
+ ],
+ "id": "ae407430-a207-5af9-e0ad-439b41b90e3a",
 "level": "high",
 "service": "",
 "subcategory_guids": [
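Review bot: The new description `"Hides the file extension through modification of the registry"` states the attacker's effect rather than what the rule detects, unlike every sibling description in this hunk, and the identical string reappears on the entry titled `"IE Change Domain Zone"` (id c2ff02fd-…) in the following hunk, where it does not describe that rule at all, which looks like a copy-paste in the generator input. Suggest `"description": "Detects registry modifications that hide file extensions in Explorer, a common way to disguise executable payloads."` here, and a zone-map-specific description for the IE entry. The tags `TA0003`/`T1137` (Office Application Startup) also look like an odd fit for extension hiding; if they are inherited from upstream, worth confirming rather than carrying forward. The record this hunk opens on starts before it, and the final record continues past it.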
@@ -36659,10 +34740,2293 @@ ], "tags": [ "TA0003", - "T1547.010", + "TA0011", + "T1137", + "T1008", + "T1546" + ], + "title": "Outlook Macro Execution Without Warning Setting Enabled" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", + "event_ids": [ + "4657" + ], + "id": "22adc86b-0198-3dfd-0cc2-f686d342be66", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1140", + "T1112" + ], + "title": "DNS-over-HTTPS Enabled by Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", + "event_ids": [ + "4657" + ], + "id": "5631054a-458c-6998-d637-e2d4f239ed07", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1137.006", + "T1137" + ], + "title": "Potential Persistence Via Excel Add-in - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the registration of a new ODBC driver.", + "event_ids": [ + "4657" + ], + "id": "f3d16bf4-2de2-b0e3-b8dc-37b2ca82c1cf", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "New ODBC Driver Registered" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the \"DisableRestrictedAdmin\" registry value in order to disable or enable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the 
transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", + "event_ids": [ + "4657" + ], + "id": "5b59bbe4-226f-1215-bff7-8c5a79430936", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "RestrictedAdminMode Registry Value Tampering" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential COM object hijacking via modification of default system CLSID.", + "event_ids": [ + "4657" + ], + "id": "f27c3f9d-33e2-2ee6-64f7-a34b895b6379", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.015", + "T1546" + ], + "title": "COM Object Hijacking Via Modification Of Default System CLSID Default Value" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the registry for the currently logged-in user. 
In order to disable PowerShell module logging, script block logging or transcription and script execution logging", + "event_ids": [ + "4657" + ], + "id": "4320bfce-fa0f-05d4-9e60-55d3f27794d8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.001", + "T1564" + ], + "title": "PowerShell Logging Disabled Via Registry Key Tampering" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.\nThis compatibility layer allows an application to register for restart using the \"RegisterApplicationRestart\" API.\nThis can be potentially abused as a persistence mechanism.\n", + "event_ids": [ + "4657" + ], + "id": "536c7bf1-8834-bffb-665e-b945d9a1894b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.011", + "T1546" + ], + "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "event_ids": [ + "4657" + ], + "id": "9f6b7775-4d86-0f98-45b5-2cfac0e410e7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "NET NGenAssemblyUsageLog Registry Key Tamper" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the installation of a new shim database where the file is located in a non-default location", + "event_ids": [ + "4657" + ], + "id": "658b7369-eb29-2ab2-5a37-830bffa14b06", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.011", + "T1546" + ], + "title": "Potential Persistence Via Shim Database In Uncommon Location" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "event_ids": [ + "4657" + ], + "id": "15d9849f-4559-6cb8-b45b-663e3ddd9cc5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005", + "T1553.003", + "T1553" + ], + "title": "Persistence Via New SIP Provider" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the Internet Explorer \"DisableFirstRunCustomize\" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.\n", + "event_ids": [ + "4657" + ], + "id": "6b3466e8-35d1-e288-b322-0873400febd7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Internet Explorer DisableFirstRunCustomize Enabled" + }, + 
{ + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects disabling Windows Defender PUA protection", + "event_ids": [ + "4657" + ], + "id": "ac73de31-10d9-b1f0-6a99-7f5449fef005", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Disable PUA Protection on Windows Defender" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "event_ids": [ + "4657" + ], + "id": "e2bf2ad9-465c-3b63-7970-fd222ffa3708", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", "T1547" ], - "title": "Bypass UAC Using Event Viewer" + "title": "CurrentVersion NT Autorun Keys Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "event_ids": [ + "4657" + ], + "id": "e06345ae-614b-8ef6-d336-a5ed3b2dc71b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "WinSock2 Autorun Keys Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects that a powershell code is written to the registry as a service.", + "event_ids": [ + "4657" + ], + "id": "891340b3-d63e-73d0-742f-b481f911074c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1569.002", + "T1569" + ], + "title": "PowerShell as a Service in Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", 
+ "event_ids": [ + "4657" + ], + "id": "8a77badb-a001-0da9-9213-ba6efbd70a95", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Allow RDP Remote Assistance Feature" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "event_ids": [ + "4657" + ], + "id": "96a90fb0-3747-35a8-d9c5-dcc7d373c57c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Change User Account Associated with the FAX Service" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential persistence using Appx DebugPath", + "event_ids": [ + "4657" + ], + "id": "7e39f9c6-fca2-d20b-c975-48062f7ac3e0", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.015", + "T1546" + ], + "title": "Potential Persistence Using DebugPath" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", + "event_ids": [ + "4657" + ], + "id": "8365c772-65e3-7f23-1606-2a2ecbd20235", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1490" + ], + "title": "New Root or CA or AuthRoot Certificate to Store" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", + "event_ids": [ + "4657" + ], + "id": "7f5a4070-c4d2-ba36-ab1f-378da90ddf45", + "level": "high", + "service": "", + "subcategory_guids": [ + 
"0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Windows Defender Service Disabled - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when attackers or tools disable Windows Defender functionalities via the Windows registry", + "event_ids": [ + "4657" + ], + "id": "14e19d39-b1be-4903-56be-684b57d45e16", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Disable Windows Defender Functionalities Via Registry Keys" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential persistence behavior using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "event_ids": [ + "4657" + ], + "id": "e4a5e8fc-9e86-a5c9-b9f4-41288262dd40", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1053.005", + "T1053" + ], + "title": "Potential Registry Persistence Attempt Via Windows Telemetry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.", + "event_ids": [ + "4657" + ], + "id": "b8f4d6cb-7db9-474a-2da3-8465b2f9b699", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Microsoft Office Protected View Disabled" + }, + { 
+ "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.", + "event_ids": [ + "4657" + ], + "id": "8785a0bb-8ec2-c019-4196-7d4d2fb47bd7", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Potential SentinelOne Shell Context Menu Scan Command Tampering" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", + "event_ids": [ + "4657" + ], + "id": "8c9b2605-a3a3-f822-afa4-e8d7abdf70e3", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1053", + "T1053.005" + ], + "title": "Scheduled TaskCache Change by Uncommon Program" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Hides the file extension through modification of the registry", + "event_ids": [ + "4657" + ], + "id": "c2ff02fd-f4fe-2876-15ee-2a3d914b1a9f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1137" + ], + "title": "IE Change Domain Zone" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", + "event_ids": [ + "4657" + ], + "id": "239ba06d-b7b1-2237-ec7e-0f41d80ff78b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Registry Explorer Policy Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + 
], + "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", + "event_ids": [ + "4657" + ], + "id": "fbdc5117-68bf-93e5-9ab3-03ea072e0d36", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Potential AMSI COM Server Hijacking" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\nBefore doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. 
This registry key should store a value named \"Ime File\" with a DLL path.\nIMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.\n", + "event_ids": [ + "4657" + ], + "id": "dacb1ee4-05cc-995a-adee-964a19774888", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Uncommon Extension In Keyboard Layout IME File Registry Value" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".", + "event_ids": [ + "4657" + ], + "id": "010beef6-dccd-7edc-c751-9236ab787158", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", + "event_ids": [ + "4657" + ], + "id": "8d3cb1da-3cc0-2448-a467-9b5a2bd3c4c0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Potential Attachment Manager Settings Associations Tamper" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects registry value settings that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.\n", + "event_ids": [ + "4657" + ], + "id": "e368acaa-a5b7-0fab-0997-8f0f1db5f99a", + "level": "medium", + "service": "", + "subcategory_guids": [ 
+ "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0040", + "T1112", + "T1491.001", + "T1491" + ], + "title": "Potentially Suspicious Desktop Background Change Via Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", + "event_ids": [ + "4657" + ], + "id": "e0f39f6d-5bc7-83ca-9a1f-4e67316af212", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Potential Persistence Via TypedPaths" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", + "event_ids": [ + "4657" + ], + "id": "9f96ee4d-d1e8-d5d0-e2d8-8fce145b8006", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Add Debugger Entry To Hangs Key For Persistence" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects tamper attempts to sophos av functionality via registry key modification", + "event_ids": [ + "4657" + ], + "id": "ea43cb8f-21a1-38f6-1d50-bbcb754a91f6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Tamper With Sophos AV Registry Keys" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "event_ids": [ + "4657" + ], + "id": "42974e40-8ef8-03fa-d9ca-4d3522a5b239", + "level": "high", + "service": "", + "subcategory_guids": [ 
+ "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "T1548" + ], + "title": "UAC Bypass Using Windows Media Player - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "event_ids": [ + "4657" + ], + "id": "94a78414-5302-4e88-7c59-1d5d0de11a5f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "CurrentControlSet Autorun Keys Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects registry modifications that disable Privacy Settings Experience", + "event_ids": [ + "4657" + ], + "id": "6728497e-f64d-54b9-cebf-4f2234da439a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Disable Privacy Settings Experience in Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.\n", + "event_ids": [ + "4657" + ], + "id": "cddc552b-0261-3637-470e-9296ae9dd79f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036.003", + "T1036" + ], + "title": "Potential PendingFileRenameOperations Tampering" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the \"PromptOnSecureDesktop\" value.\nThe \"PromptOnSecureDesktop\" setting specifically determines whether UAC prompts are displayed on the 
secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.\nWhen \"PromptOnSecureDesktop\" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.\n", + "event_ids": [ + "4657" + ], + "id": "4475b3bd-9b24-b189-1118-871c5fe3fe17", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "T1548.002", + "T1548" + ], + "title": "UAC Secure Desktop Prompt Disabled" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", + "event_ids": [ + "4657" + ], + "id": "f3359b54-f4f9-b8da-0ddb-ef16968c70e7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", + "event_ids": [ + "4657" + ], + "id": "2f221db9-1924-551f-ad98-7f01d47c6c7e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0011", + "T1137", + "T1008", + "T1546" + ], + "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the 
pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)", + "event_ids": [ + "4657" + ], + "id": "4e8bf251-fcde-0996-45f9-62335b5e5d8b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "car.2019-04-001", + "T1548" + ], + "title": "UAC Bypass via Sdclt" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a \"Dev Drive\".\n", + "event_ids": [ + "4657" + ], + "id": "068836cf-abab-c1b2-804b-c9f34e4445aa", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Antivirus Filter Driver Disallowed On Dev Drive - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", + "event_ids": [ + "4657" + ], + "id": "a2a9ea74-be61-a011-3676-5bdd9cdae0a4", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Wdigest Enable UseLogonCredential" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. 
And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", + "event_ids": [ + "4657" + ], + "id": "49b76666-4660-3762-b2ea-818e190edd5d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Potential Persistence Via Custom Protocol Handler" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect set UseActionCenterExperience to 0 to disable the Windows security center notification", + "event_ids": [ + "4657" + ], + "id": "75c0a3fc-9821-e555-9c15-d7829e36ed2e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Disable Windows Security Center Notifications" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "event_ids": [ + "4657" + ], + "id": "a4cae50c-cac3-7292-659e-cf9ca88c8ba8", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "Classes Autorun Keys Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n", + "event_ids": [ + "4657" + ], + "id": "debedc1b-8c7d-7257-67d1-a047bde616a4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003", + "T1112" + ], + "title": "RDP Sensitive Settings Changed to Zero" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential persistence 
activity via outlook today page.\nAn attacker can set a custom page to execute arbitrary code and link to it via the registry values \"URL\" and \"UserDefinedUrl\".\n", + "event_ids": [ + "4657" + ], + "id": "0e75b3d7-d3d3-d9fa-4d60-a1254f59e47d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1112" + ], + "title": "Potential Persistence Via Outlook Today Page" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", + "event_ids": [ + "4657" + ], + "id": "0a89f91f-0278-2cf2-d4ad-c958bc125ad3", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.015", + "T1546" + ], + "title": "COM Hijacking via TreatAs" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", + "event_ids": [ + "4657" + ], + "id": "8f6d136c-f1db-74c5-9845-308043bbbaea", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005", + "T1112" + ], + "title": "Winlogon AllowMultipleTSSessions Enable" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", + "event_ids": [ + "4657" + ], + "id": "c1daf9d0-4faf-5cf7-ee69-08dbaf545e0b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Add DisallowRun Execution to Registry" + }, + { + "category": 
"registry_set", + "channel": [ + "sec" + ], + "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", + "event_ids": [ + "4657" + ], + "id": "a6f5fcfd-58a6-fb93-b548-3772adf366b9", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Potential Persistence Via MyComputer Registry Keys" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via \"BgInfo.exe\"", + "event_ids": [ + "4657" + ], + "id": "c08df57b-ce0c-de04-72c1-3319cfdc5a37", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "New BgInfo.EXE Custom WMI Query Registry Configuration" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value \"EnableLUA\" to 0.\n", + "event_ids": [ + "4657" + ], + "id": "6665e720-ff59-40c7-6fc2-63c2990aef5f", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "T1548.002", + "T1548" + ], + "title": "UAC Disabled" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.", + "event_ids": [ + "4657" + ], + "id": "6dbd4cbc-13d1-1d53-1ce4-5ad27813a654", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + 
"TA0005", + "T1112" + ], + "title": "ClickOnce Trust Prompt Tampering" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", + "event_ids": [ + "4657" + ], + "id": "55790e96-f1bd-5804-59c2-7cd806625025", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0042", + "T1588.002", + "T1588" + ], + "title": "Usage of Renamed Sysinternals Tools - RegistrySet" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects applications or users re-enabling old TLS versions by setting the \"Enabled\" value to \"1\" for the \"Protocols\" registry key.", + "event_ids": [ + "4657" + ], + "id": "f1d2e557-5935-d1b7-cc8a-48563f722f9c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Old TLS1.0/TLS1.1 Protocol Version Enabled" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the Netsh registry key to add a new DLL value. 
This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper\n", + "event_ids": [ + "4657" + ], + "id": "6191bb45-e2d4-dc12-74c9-be6994d84572", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.007", + "T1546" + ], + "title": "Potential Persistence Via Netsh Helper DLL - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via \"BgInfo.exe\"", + "event_ids": [ + "4657" + ], + "id": "d3e621d9-17c0-c31c-1daf-8247438baa83", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "New BgInfo.EXE Custom VBScript Registry Configuration" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", + "event_ids": [ + "4657" + ], + "id": "f06899a3-2598-48df-bd36-4c846265e174", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Suspicious Application Allowed Through Exploit Guard" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the AppInstaller (winget) policy. 
Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.", + "event_ids": [ + "4657" + ], + "id": "e70cde78-b476-8726-75d1-073aeabb4e1d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003" + ], + "title": "Enable Local Manifest Installation With Winget" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.", + "event_ids": [ + "4657" + ], + "id": "bc9f1068-0677-5580-301a-add396842846", + "level": "informational", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204.002", + "T1204" + ], + "title": "New Application in AppCompat" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location", + "event_ids": [ + "4657" + ], + "id": "d61e6c48-1d69-1942-c9e5-4244f12fc88e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "TA0003", + "T1003" + ], + "title": "Potentially Suspicious ODBC Driver Registered" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential PowerShell commands or code within registry run keys", + "event_ids": [ + "4657" + ], + "id": "886d79ab-1307-d072-9729-18305985ebad", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "Suspicious PowerShell In Registry Run Keys" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects modification of autostart 
extensibility point (ASEP) in registry.", + "event_ids": [ + "4657" + ], + "id": "50b1dd22-8438-5c33-c5f2-00496987423b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "Wow6432Node Classes Autorun Keys Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the \"ExtErrorInformation\" key in order to disable ETW logging for rpcrt4.dll", + "event_ids": [ + "4657" + ], + "id": "c1e78049-d5f0-8a11-39dd-10110524f89f", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112", + "T1562" + ], + "title": "ETW Logging Disabled For rpcrt4.dll" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects .NET Framework CLR and .NET Core CLR \"cor_enable_profiling\" and \"cor_profiler\" variables being set and configured.", + "event_ids": [ + "4657" + ], + "id": "4b44d428-f676-8642-3d97-3eb23a44d818", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "TA0005", + "T1574.012", + "T1574" + ], + "title": "Enabling COR Profiler Environment Variables" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. 
Each DLL has its InitializeLsaExtension() method called after loading.\n", + "event_ids": [ + "4657" + ], + "id": "e249ebd9-4719-fbd6-ad42-802038c12f87", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Potential Persistence Via LSA Extensions" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect possible persistence using Fax DLL load when service restart", + "event_ids": [ + "4657" + ], + "id": "b04c5cc0-6866-8748-e7a7-d69ff8d55935", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Change the Fax Dll" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", + "event_ids": [ + "4657" + ], + "id": "69cb5d0b-48e9-4795-d7bf-3b3051750973", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.002", + "T1562" + ], + "title": "Change Winevt Channel Access Permission Via Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. 
This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper\n", + "event_ids": [ + "4657" + ], + "id": "57fba93d-7938-c3fd-109b-6d1fb6037e2c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.007", + "T1546" + ], + "title": "New Netsh Helper DLL Registered From A Suspicious Location" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", + "event_ids": [ + "4657" + ], + "id": "b0fb77bd-c468-c8dd-1a84-96bf79d003a7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "New File Association Using Exefile" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", + "event_ids": [ + "4657" + ], + "id": "22ff751c-b2ff-1cd8-3e5b-3bd123b3a93e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0004", + "TA0008", + "T1021.002", + "T1543.003", + "T1569.002", + "T1021", + "T1543", + "T1569" + ], + "title": "Potential CobaltStrike Service Installations - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "event_ids": [ + "4657" + ], + "id": "6f4258c6-a880-1da0-7c68-c7e19ed0c795", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003" + ], + "title": "Potential Credential Dumping Attempt Using New 
NetworkProvider - REG" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting", + "event_ids": [ + "4657" + ], + "id": "dfa1b70c-248b-d9ac-0b47-fbce1fe26a10", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.002", + "T1562" + ], + "title": "Potential EventLog File Location Tampering" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks", + "event_ids": [ + "4657" + ], + "id": "4d50dc2c-f2bf-a039-820d-65c415ab31ee", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003" + ], + "title": "Winget Admin Settings Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", + "event_ids": [ + "4657" + ], + "id": "4e584b07-47af-0e21-5779-6585650ca16e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.001", + "T1564" + ], + "title": "Registry Persistence via Service in Safe Mode" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", + "event_ids": [ + "4657" + ], + "id": "e95c5cb7-fd08-cb3b-14e8-d0a4287e6f68", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ 
+ "TA0005", + "T1112" + ], + "title": "Registry Hide Function from User" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", + "event_ids": [ + "4657" + ], + "id": "0ea81575-bcbc-e0f8-6604-6236751cb5db", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Potential Persistence Via AutodialDLL" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", + "event_ids": [ + "4657" + ], + "id": "7d02b772-7006-ba16-2b13-60db59dcfa00", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1133" + ], + "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects registry changes to Microsoft Office \"AccessVBOM\" to a value of \"1\" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.", + "event_ids": [ + "4657" + ], + "id": "d5d54339-c5a4-2889-7da2-66fd42b16ef0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Trust Access Disable For VBApplications" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "event_ids": [ + "4657" + ], + "id": "60c54878-2012-57de-2333-6d23649b0e92", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + 
"T1547" + ], + "title": "CurrentVersion Autorun Keys Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "event_ids": [ + "4657" + ], + "id": "edcac99a-55ef-aa9c-92a3-d9c9d7e1e46e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "VBScript Payload Stored in Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Bypasses User Account Control using a fileless method", + "event_ids": [ + "4657" + ], + "id": "6c5c8d47-3184-6c84-8736-f426d0e50839", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "T1548.002", + "T1548" + ], + "title": "Bypass UAC Using DelegateExecute" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "event_ids": [ + "4657" + ], + "id": "49f0ef07-1fcf-1ac7-54ee-8cfbb34caf06", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1547.003", + "T1547" + ], + "title": "New TimeProviders Registered With Uncommon DLL Name" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. 
Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.\nRansomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.\n", + "event_ids": [ + "4657" + ], + "id": "007fb76c-92e3-5bfa-4f46-d6179811290f", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070.005", + "T1070" + ], + "title": "MaxMpxCt Registry Value Changed" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", + "event_ids": [ + "4657" + ], + "id": "e4a61ceb-0bbe-6cab-3249-6c48c6ef7320", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1546", + "T1548" + ], + "title": "COM Hijack via Sdclt" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects UAC bypass method using Windows event viewer", + "event_ids": [ + "4657" + ], + "id": "dee5910c-4bd3-fb48-fdbf-2d813d23aefb", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1548.002", + "car.2019-04-001", + "T1548" + ], + "title": "UAC Bypass via Event Viewer" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", + "event_ids": [ + "4657" + ], + "id": "ba919d03-0c34-c3c3-272c-ec0656c3d10c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1547.001", + "T1547" + ], + "title": "Modify User Shell Folders Startup Value" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + 
"description": "Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.", + "event_ids": [ + "4657" + ], + "id": "98109d4e-3967-7837-46d2-9fdaface4ac0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.011", + "T1546" + ], + "title": "Suspicious Shim Database Patching Activity" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the enabling of the \"EnablePeriodicBackup\" registry value. Once enabled, The OS will backup System registry hives on restarts to the \"C:\\Windows\\System32\\config\\RegBack\" folder. Windows creates a \"RegIdleBackup\" task to manage subsequent backups.\nRegistry backup was a default behavior on Windows and was disabled as of \"Windows 10, version 1803\".\n", + "event_ids": [ + "4657" + ], + "id": "08ad005b-9676-0872-2751-56c87d6c1385", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1113" + ], + "title": "Periodic Backup For System Registry Hives Enabled" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", + "event_ids": [ + "4657" + ], + "id": "60953210-fd32-ddac-1118-a569c8452fd3", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1562.001", + "TA0005", + "T1562" + ], + "title": "Suspicious Service Installed" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the \"Enabled\" value 
being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel\n", + "event_ids": [ + "4657" + ], + "id": "3b708c9b-48bd-96e8-a680-84e819fcd228", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Hypervisor Enforced Code Integrity Disabled" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", + "event_ids": [ + "4657" + ], + "id": "bc03960b-bb9d-b48c-e6cd-73b6e8d17d74", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.011", + "T1546" + ], + "title": "Potential Persistence Via Shim Database Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\nBefore doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. 
This registry key should store a value named \"Ime File\" with a DLL path.\nIMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.\n", + "event_ids": [ + "4657" + ], + "id": "595fb3ac-f3e2-e83b-fe23-f4a160b15c17", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Suspicious Path In Keyboard Layout IME File Registry Value" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", + "event_ids": [ + "4657" + ], + "id": "8b15d432-7c88-1622-8af2-9ab6b7134bdf", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Add Debugger Entry To AeDebug For Persistence" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", + "event_ids": [ + "4657" + ], + "id": "2c5460e8-fa5b-2a17-1e53-f6f3789de52d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "Registry Persistence via Explorer Run Key" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Attempts to detect system changes made by Blue Mockingbird", + "event_ids": [ + "4657" + ], + "id": "5e4e8480-72ed-5e37-7cfe-93d7cfd37974", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "T1112", + "T1047" + ], + "title": "Blue Mockingbird - Registry" + }, + { 
+ "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential persistence activity via outlook home page.\nAn attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.\n", + "event_ids": [ + "4657" + ], + "id": "fe333043-ad46-425d-1661-2d2a65e25177", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1112" + ], + "title": "Potential Persistence Via Outlook Home Page" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", + "event_ids": [ + "4657" + ], + "id": "0b5acb16-e364-ec25-c330-4c4868819d39", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.004", + "T1562" + ], + "title": "Disable Microsoft Defender Firewall via Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the abuse of custom file open handler, executing powershell", + "event_ids": [ + "4657" + ], + "id": "790cbe25-2aac-45a7-48c4-234b2a622f06", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1202" + ], + "title": "Custom File Open Handler Executes PowerShell" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", + "event_ids": [ + "4657" + ], + "id": "48421345-c746-0b27-ad78-2d4de6169565", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Disable Macro Runtime Scan Scope" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + 
"description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", + "event_ids": [ + "4657" + ], + "id": "2c97b46f-dbd7-bf78-71c0-86ed4a55c654", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "New RUN Key Pointing to Suspicious Folder" }, { "category": "registry_set", 
@@ -36693,132 +37057,195 @@ "channel": [ "sec" ], - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", "event_ids": [ "4657" ], - "id": "42974e40-8ef8-03fa-d9ca-4d3522a5b239", + "id": "35a986a0-86d6-9685-21af-3277c6172094", "level": "high", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], - "tags": [ - "TA0005", - "TA0004", - "T1548.002", - "T1548" - ], - "title": "UAC Bypass Using Windows Media Player - Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to prepend information to the PATH environment variable on a per-application, per-process basis.\n", - "event_ids": [ - "4657" - ], - "id": "addf4ebc-b3ab-c6ab-98ba-db37848a8ee2", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.012", - "T1546" - ], - "title": "Potential Persistence Via App Paths Default Property" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.", - "event_ids": [ - "4657" - ], - "id": "8785a0bb-8ec2-c019-4196-7d4d2fb47bd7", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], "tags": [ "TA0003" ], - "title": 
"Potential SentinelOne Shell Context Menu Scan Command Tampering" + "title": "Potential Persistence Via DLLPathOverride" }, { "category": "registry_set", "channel": [ "sec" ], - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", + "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", "event_ids": [ "4657" ], - "id": "7d12e91a-b670-4461-8bdc-aff5b37eda63", + "id": "5c6e4e04-c3a5-0b21-f966-97441d749d47", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", + "event_ids": [ + "4657" + ], + "id": "ebfabc1f-964a-69f3-60d7-e027eaaf1022", "level": "medium", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0003", - "TA0004", - "T1543.003", - "T1543" + "TA0005", + "T1112" ], - "title": "ServiceDll Hijack" + "title": "Disable Internal Tools or Feature in Registry" }, { "category": "registry_set", "channel": [ "sec" ], - "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", + "description": "Detects changes to \"DsrmAdminLogonBehavior\" registry value.\nDuring a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. 
The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.\nAttackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"0\", the administrator account can only be used if the DC starts in DSRM.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"1\", the administrator account can only be used if the local AD DS service is stopped.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"2\", the administrator account can always be used.\n", "event_ids": [ "4657" ], - "id": "21c41e20-e274-bd0e-e22d-072fc5e0962d", + "id": "04c29127-1ef3-f2f5-5b26-645eb052c42d", "level": "high", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0004", - "T1574", - "cve.2021-1675" + "TA0003", + "T1556" ], - "title": "Suspicious Printer Driver Empty Manufacturer" + "title": "Directory Service Restore Mode(DSRM) Registry Value Tampering" }, { "category": "registry_set", "channel": [ "sec" ], - "description": "Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a \"Dev Drive\".\n", + "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", "event_ids": [ "4657" ], - "id": "068836cf-abab-c1b2-804b-c9f34e4445aa", + "id": "1c9de880-3d26-4614-f41f-a4d975e609ff", "level": "high", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "TA0005", + "T1574.001", + "T1112", + "T1574" + ], + "title": "New DNS ServerLevelPluginDll Installed" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the 
\"UACDisableNotify\" value.\nUAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.\nWhen \"UACDisableNotify\" is set to 1, UAC prompts are suppressed.\n", + "event_ids": [ + "4657" + ], + "id": "4936b46c-badc-cb8a-54d4-3d0b9502aa8a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "T1548.002", + "T1548" + ], + "title": "UAC Notification Disabled" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the Setting of Windows Defender Exclusions", + "event_ids": [ + "4657" + ], + "id": "c86baf10-abab-0f8f-88a2-e51640a26b5c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], "tags": [ "TA0005", "T1562.001", "T1562" ], - "title": "Antivirus Filter Driver Disallowed On Dev Drive - Registry" + "title": "Windows Defender Exclusions Added - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + "event_ids": [ + "4657" + ], + "id": "8db93e70-1420-c43f-ea06-00a6fc42449f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1574.001", + "T1112", + "T1574" + ], + "title": "DHCP Callout DLL Installation" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects setting of a new registry database value related to BgInfo configuration. 
Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.", + "event_ids": [ + "4657" + ], + "id": "1bb96a94-8ab5-69b5-8366-2ab8e23877f2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "New BgInfo.EXE Custom DB Path Registry Configuration" }, { "category": "registry_set", @@ -36829,7 +37256,7 @@ "event_ids": [ "4657" ], - "id": "cb43927e-70c4-47e4-6121-af9fb00a6a77", + "id": "e262d6ab-07ec-712b-78c5-696f002dc7f0", "level": "medium", "service": "", "subcategory_guids": [ 
@@ -36840,18 +37267,362 @@ "T1547.001", "T1547" ], - "title": "Office Autorun Keys Modification" + "title": "Wow6432Node CurrentVersion Autorun Keys Modification" }, { "category": "registry_set", "channel": [ "sec" ], - "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", + "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", "event_ids": [ "4657" ], - "id": "b0fb77bd-c468-c8dd-1a84-96bf79d003a7", + "id": "40faa526-8b40-5332-0b76-013443d7e0ee", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1559.002", + "T1559" + ], + "title": "Enable Microsoft Dynamic Data Exchange" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", + "event_ids": [ + "4657" + ], + "id": "7c631357-74f2-6fac-f215-06a5d2c1e99b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Potential Persistence Via CHM Helper DLL" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", + "event_ids": [ + "4657" + ], + "id": "406b79d8-988c-0ef9-5702-7aa379ce70e2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005", + "T1112" + ], + "title": "Potential Persistence Via Event Viewer Events.asp" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the enabling of the PowerShell script execution policy. 
Once enabled, this policy allows scripts to be executed.", + "event_ids": [ + "4657" + ], + "id": "b0ac9712-6658-cdfd-92d7-8aa07fcdf31c", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002" + ], + "title": "PowerShell Script Execution Policy Enabled" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects disabling Windows Defender Tamper Protection", + "event_ids": [ + "4657" + ], + "id": "5a289d79-b7ce-fff7-d06d-771cffd14775", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Disable Tamper Protection on Windows Defender" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "event_ids": [ + "4657" + ], + "id": "4c6aafd5-b32d-12d2-ecc7-0138f21e65e8", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "Internet Explorer Autorun Keys Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". 
Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", + "event_ids": [ + "4657" + ], + "id": "717a326e-aa46-b2cd-4db7-1e0be4003fb9", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "Lsass Full Dump Request Via DumpType Registry Settings" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects disabling Windows Defender Exploit Guard Network Protection", + "event_ids": [ + "4657" + ], + "id": "a1e4b72a-2af2-0002-fb44-971730e2befa", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Disable Exploit Guard Network Protection on Windows Defender" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", + "event_ids": [ + "4657" + ], + "id": "42144fcb-9adc-b4dc-e024-4bdf3311c757", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Sysmon Driver Altitude Change" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. 
It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "event_ids": [ + "4657" + ], + "id": "b0acca11-04f4-7e88-5dd9-fc299b3716e8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.010", + "T1547" + ], + "title": "Default RDP Port Changed to Non Standard Port" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\n", + "event_ids": [ + "4657" + ], + "id": "d22a2c0b-fd48-300f-ba44-d6881df81aab", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the \"DisableHypervisorEnforcedPagingTranslation\" registry value. Where the it is set to \"1\" in order to disable the Hypervisor Enforced Paging Translation feature.\n", + "event_ids": [ + "4657" + ], + "id": "9023759d-f7e3-127f-82b8-e618efea5217", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Hypervisor Enforced Paging Translation Disabled" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker registers a new IFilter for an extension. 
Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", + "event_ids": [ + "4657" + ], + "id": "3728b695-0511-c1dd-81df-030fda358222", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Register New IFiltre For Persistence" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", + "event_ids": [ + "4657" + ], + "id": "0399e65b-992d-24c3-dc62-0b2904dda8f1", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.001", + "T1564" + ], + "title": "Displaying Hidden Files Feature Disabled" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the creation of user-specific or system-wide environment variables via the registry. 
Which contains suspicious commands and strings", + "event_ids": [ + "4657" + ], + "id": "59a208e8-d58f-efd0-e693-48703d554101", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003" + ], + "title": "Suspicious Environment Variable Has Been Registered" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", + "event_ids": [ + "4657" + ], + "id": "9651c944-f6ad-6a83-4ff8-76f682bce13e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Blackbyte Ransomware Registry" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.\n", + "event_ids": [ + "4657" + ], + "id": "b6f9cd8c-4abc-cbc8-159c-654b64f77695", "level": "high", "service": "", "subcategory_guids": [ 
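Review bot: The rule in this slot is replaced wholesale (`- "id": "b0fb77bd-…"` / `+ "id": "40faa526-…"` together with `- "title": "Office Autorun Keys Modification"` / `+ "title": "Wow6432Node CurrentVersion Autorun Keys Modification"`), which suggests the array is not written in a stable order; if anything downstream keys alert history or suppressions on `id`, confirm ids survive regeneration, and sorting the array by `id` when the file is produced would make these diffs reviewable. Two of the added strings also need a wording fix: the title `"Register New IFiltre For Persistence"` should read `"Register New IFilter For Persistence"` to match its own description, and `"Where the it is set to \"1\""` in the Hypervisor Enforced Paging Translation description should be `"where it is set to \"1\""`. The DDE entry's description `"Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel."` describes the change rather than the detection; `"Detects enabling of the Dynamic Data Exchange protocol (DDE) in Microsoft Word or Excel via the registry."` would match the register of the neighbouring rules. The RDP port rule's tag `"T1547.010"` (Port Monitors) does not obviously fit a listener-port change; this comes from the source rule, but it is worth checking against the intended technique. The objects at both ends of this hunk continue outside it.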
@@ -36860,18 +37631,124 @@ "tags": [ "TA0005" ], - "title": "New File Association Using Exefile" + "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols" }, { - "category": "registry_add", + "category": "registry_set", "channel": [ "sec" ], - "description": "Detects COM object hijacking via TreatAs subkey", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "event_ids": [ "4657" ], - "id": "6b4b0ded-e40c-4d49-68f0-b78339d9587e", + "id": "e182da19-f29b-2327-f6f0-f71d15ff8dd5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", + "event_ids": [ + "4657" + ], + "id": "742762c2-287c-4b94-5f99-ae234cdd3d2c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564", + "T1112" + ], + "title": "CrashControl CrashDump Disabled" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "event_ids": [ + "4657" + ], + "id": "ac9276b0-7220-7600-35b6-e24d01034d45", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Potential Persistence Via Mpnotify" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)", + "event_ids": [ + "4657" + ], + "id": "2c7799c7-bf70-0033-f2e0-e2ae59d4385b", + "level": "low", + "service": "", + "subcategory_guids": [ + 
"0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112", + "T1562" + ], + "title": "ETW Logging Disabled For SCM" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", + "event_ids": [ + "4657" + ], + "id": "6e7e4fc7-4279-156d-6a7b-f6c593f51098", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003" + ], + "title": "Persistence Via Hhctrl.ocx" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", + "event_ids": [ + "4657" + ], + "id": "7bb576ef-cc9a-5126-c758-aa8d24f0edda", "level": "medium", "service": "", "subcategory_guids": [ 
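Review bot: The entry with `"id": "ac9276b0-7220-7600-35b6-e24d01034d45"` has a title of `"Potential Persistence Via Mpnotify"` but a description of `"Detects when an attacker register a new SIP provider for persistence and defense evasion"`, so title and description disagree; the description appears to have been carried over from a SIP-provider rule, and should state what this rule actually matches (presumably the mpnotify registry value, to be confirmed against the source rule), e.g. `"Detects modification of the mpnotify registry value, which can be abused for persistence."`. The description `"Detects disabling the CrashDump per registry (as used by HermeticWiper)"` would read better as `"Detects disabling of crash dumps via the CrashControl registry key (as used by HermeticWiper)"`. The first and last objects of this hunk are cut by the hunk boundaries.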
@@ -36882,38 +37759,109 @@ "T1546.015", "T1546" ], - "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry" + "title": "Potential Persistence Via Scrobj.dll COM Hijacking" }, { - "category": "registry_add", + "category": "process_creation", "channel": [ "sec" ], - "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", + "description": "schtasks.exe create task from user AppData\\Local\\Temp", + "event_ids": [ + "4688" + ], + "id": "cb56735d-37c1-c9ff-010a-4f31ee20e531", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1053.005", + "T1053" + ], + "title": "Suspicious Add Scheduled Task From User AppData Temp" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", + "event_ids": [ + "4688" + ], + "id": "dc86094c-5f6f-895a-e92a-8b82229db6b7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Suspicious File Download Using Office Application" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Disable Microsoft Office Security Features by registry", "event_ids": [ "4657" ], - "id": "d8884952-23ce-8a65-d998-cb775a119c95", + "id": "d226853e-3dbf-ce71-60c1-5458858abbbc", "level": "high", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0003" + "TA0005", + "T1562.001", + "T1562" ], - "title": "Potential Persistence Via New AMSI Providers - Registry" + "title": "Disable Microsoft Office Security Features" }, { - "category": "registry_add", + "category": "process_creation", "channel": [ "sec" ], - "description": "Detects registry keys related to NetWire RAT", + "description": "This rule 
will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.", + "event_ids": [ + "4688" + ], + "id": "0fce2028-5a0d-536d-eafa-a00a85f184be", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1204.002", + "T1047", + "T1218.010", + "TA0002", + "TA0005", + "T1204", + "T1218" + ], + "title": "New Lolbin Process by Office Applications" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)", "event_ids": [ "4657" ], - "id": "61bb2824-c37f-f432-0767-9a80d45583aa", + "id": "ea79a782-319f-b5bd-9293-cab2134f5c43", "level": "high", "service": "", "subcategory_guids": [ 
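Review bot: The `process_creation` rules added here (`"Suspicious Add Scheduled Task From User AppData Temp"`, `"Suspicious File Download Using Office Application"`, `"New Lolbin Process by Office Applications"`) match on command-line content of event 4688, but the entry only records the Process Creation audit subcategory `"0CCE922B-69AE-11D9-BED3-505054503030"`; 4688 carries no command line unless the separate "Include command line in process creation events" policy is also enabled, so without it these rules cannot fire, and that prerequisite should be stated wherever this file's schema or deployment is documented. Two descriptions are fragments rather than statements of what is detected: `"schtasks.exe create task from user AppData\\Local\\Temp"` and `"Disable Microsoft Office Security Features by registry"`; `"Detects schtasks.exe creating a task whose action points into a user's AppData\\Local\\Temp directory"` and `"Detects registry changes that disable Microsoft Office security features"` would match the other entries. The `"tags"` array of the LOLBin rule lists techniques before tactics, unlike every other entry, which is harmless if consumers treat the array as a set but worth normalising in the generator. The objects at both ends of this hunk continue outside it.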
@@ -36923,116 +37871,8631 @@ "TA0005", "T1112" ], - "title": "Potential NetWire RAT Activity - Registry" + "title": "Office Security Settings Changed" }, { - "category": "registry_add", + "category": "process_creation", "channel": [ "sec" ], - "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)", + "description": "Detect use of \"/R <\" to read and execute a file via cmd.exe", + "event_ids": [ + "4688" + ], + "id": "22061fc3-84a3-c190-7b04-d735915a8912", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.003", + "T1059" + ], + "title": "Read and Execute a File Via Cmd.exe" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "event_ids": [ + "4104" + ], + "id": "63c2d41b-b587-6c55-c256-9c0bb392f0a9", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1555.003", + "T1555" + ], + "title": "Accessing Encrypted Credentials from Google Chrome Login Database" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a PsExec service start", + "event_ids": [ + "4688" + ], + "id": "0dc4e02b-cd15-c6bf-f6ef-134ff49fa620", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "attack.s0029", + "T1569.002", + "T1569" + ], + "title": "PsExec Service Start" + }, + { + "category": "process_creation", + "channel": [ + "sec" + 
], + "description": "Detects base64 encoded listing Win32_Shadowcopy", + "event_ids": [ + "4688" + ], + "id": "13aab741-9ea4-27bf-57c1-aac004da4b9f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "TA0005", + "T1027", + "T1059" + ], + "title": "Base64 Encoded Listing of Shadowcopy" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", + "event_ids": [ + "4688" + ], + "id": "ec8ef858-1a44-a7b3-821d-a85f6cdaa1c9", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.008", + "T1218" + ], + "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "event_ids": [ + "7045" + ], + "id": "22b90bac-a283-6153-761c-7b6059f8f250", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027" + ], + "title": "New Service Uses Double Ampersand in Path" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects when a Windows Defender exclusion has been deleted. 
This could indicate an attacker trying to delete their tracks by removing the added exclusions\n", + "event_ids": [ + "4660" + ], + "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Windows Defender Exclusion Deleted" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.", + "event_ids": [ + "4688" + ], + "id": "9f2a9424-8e85-d783-1735-f72375b3b6d8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "attack.g0016", + "T1059.001", + "T1059" + ], + "title": "APT29" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential COM object hijacking leveraging the COM Search Order", "event_ids": [ "4657" ], - "id": "6a724c01-e3a5-3f08-0a26-a25aab47a2d1", + "id": "20f7b927-82bf-9d38-6573-0ed63831fdc5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.015", + "T1546" + ], + "title": "Potential Persistence Via COM Search Order Hijacking" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect modification for a specific user to prevent that user from being listed on the logon screen", + "event_ids": [ + "4657" + ], + "id": "1b78376c-c1d2-a830-93b1-5dee98965490", "level": "high", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0042", - "T1588.002", - "T1588" + "TA0005", + "T1564.002", + "T1564" ], - "title": "Suspicious Execution Of Renamed Sysinternals Tools - 
Registry" + "title": "User Account Hidden By Registry" }, { - "category": "registry_add", + "category": "process_creation", "channel": [ "sec" ], - "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", + "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", + "event_ids": [ + "4688" + ], + "id": "0bca1760-51b3-cdf0-9756-923f2be12c94", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1204.002", + "T1047", + "T1218.010", + "TA0002", + "TA0005", + "T1218", + "T1204" + ], + "title": "WMI Execution Via Office Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", + "event_ids": [ + "4688" + ], + "id": "0a67f769-527a-e79d-fa05-a4bbdcd6fcc4", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "attack.g0092", + "T1106" + ], + "title": "TA505 Dropper Load Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Hurricane Panda Activity", + "event_ids": [ + "4688" + ], + "id": "6c99d057-c73c-6771-1c7f-a352debc5b84", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "attack.g0009", + "T1068" + ], + "title": "Hurricane Panda Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Credential Acquisition via Registry Hive Dumping", + "event_ids": [ + "4688" + ], + "id": "4973dea2-3985-affa-babc-f0c00821d2a1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + 
"TA0006", + "T1003" + ], + "title": "Credential Acquisition via Registry Hive Dumping" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a suspicious or unusual location.", "event_ids": [ "4657" ], - "id": "cab7e60f-55aa-b72e-1943-4d3980028a43", - "level": "medium", + "id": "79389718-9e14-e5e9-1cc7-2c027078bf22", + "level": "high", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0042", - "T1588.002", - "T1588" - ], - "title": "PUA - Sysinternals Tools Execution - Registry" - }, - { - "category": "registry_add", - "channel": [ - "sec" - ], - "description": "Detects creation of \"UserInitMprLogonScript\" registry value which can be used as a persistence method by malicious actors", - "event_ids": [ - "4657" - ], - "id": "c6a4d8a3-8e7d-30b4-a6f0-aee8a87463bf", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1037.001", "TA0003", - "TA0008", - "T1037" + "T1546.015", + "T1546" ], - "title": "Potential Persistence Via Logon Scripts - Registry" + "title": "Potential Persistence Via COM Hijacking From Suspicious Locations" }, { - "category": "registry_add", + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Commandlet name for PrintNightmare exploitation.", + "event_ids": [ + "4104" + ], + "id": "5eb9df17-06bd-e2fe-8871-13bd6bd36406", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0004", + "T1548" + ], + "title": "PrintNightmare Powershell Exploitation" + }, + { + "category": "process_creation", "channel": [ "sec" ], - "description": "Detects the execution of a Sysinternals Tool via the creation of the \"accepteula\" registry key", + "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes 
used to decode malicious code", "event_ids": [ - "4657" + "4688" ], - "id": "08427b1c-3ceb-9aa5-7d8d-84dfc1531fb8", + "id": "540f0d7f-8d92-2c4b-ce07-2be23d582ede", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1140", + "TA0011", + "T1105", + "attack.s0160", + "attack.g0007", + "attack.g0010", + "attack.g0045", + "attack.g0049", + "attack.g0075", + "attack.g0096" + ], + "title": "Suspicious Certutil Command Usage" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of \"xor\" or \"bxor\" in combination of a \"foreach\" loop. This pattern is often found in encoded powershell code and commands as a way to avoid detection", + "event_ids": [ + "4688" + ], + "id": "405d20b3-771f-a808-6794-c0aae7cf9cf6", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Potential Xor Encoded PowerShell Command" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "event_ids": [ + "4688" + ], + "id": "13dc41d6-0489-5505-887a-c3bc11ddec90", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "T1567.002", + "T1567" + ], + "title": "RClone Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).", + "event_ids": [ + "4688" + ], + "id": "62997599-6864-08ee-302c-90c1649f5e1a", "level": "low", "service": "", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - 
"TA0042", - "T1588.002", - "T1588" + "TA0005", + "T1202" ], - "title": "PUA - Sysinternal Tool Execution - Registry" + "title": "Indirect Command Execution" }, { - "category": "registry_add", + "category": "process_creation", "channel": [ "sec" ], - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "description": "Detects diagcab leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in CVE-2022-30190", + "event_ids": [ + "4688" + ], + "id": "5294a012-1f07-fe01-599b-94cf8adf630e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1202" + ], + "title": "Execute MSDT.EXE Using Diagcab File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely", + "event_ids": [ + "4688" + ], + "id": "b7e3098a-6c20-c6d3-df75-9b07536b3310", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003" + ], + "title": "Activity Related to NTDS.dit Domain Hash Retrieval" + }, + { + 
"category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "event_ids": [ + "4104" + ], + "id": "baee41a3-2063-6125-778e-0d9710474c06", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0040", + "T1490" + ], + "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Excel called wmic to finally proxy execute regsvr32 with the payload.\nAn attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).\nBut we have command-line in the event which allow us to \"restore\" this suspicious parent-child chain and detect it.\nMonitor process creation with \"wmic process call create\" and LOLBins in command-line with parent Office application processes.\n", + "event_ids": [ + "4688" + ], + "id": "9b2384e8-4067-f192-274f-73d711fc193f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1204.002", + "T1047", + "T1218.010", + "TA0002", + "TA0005", + "T1218", + "T1204" + ], + "title": "Excel Proxy Executing Regsvr32 With Payload Alternate" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious process related to rundll32 based on arguments", + "event_ids": [ + "4688" + ], + "id": "ae18b229-740e-17c7-63f2-b15422d6271e", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "T1218" + ], + "title": "Suspicious Rundll32 Script in CommandLine" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", "event_ids": [ "4657" ], - "id": 
"e3adf6e1-6fbf-d4fe-ee8f-a000db6d64c8", + "id": "6c44673b-8c80-9ce9-718d-46f34b17ffcc", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.005", + "T1059.007", + "T1059" + ], + "title": "Adwind RAT / JRAT - Registry" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers", + "event_ids": [ + "4104" + ], + "id": "830423bc-69e4-b19b-5474-414e4ab0c365", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1546" + ], + "title": "Suspicious Get-WmiObject" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Ryuk Ransomware command lines", + "event_ids": [ + "4688" + ], + "id": "7b159be0-8034-a6cb-dcb7-f6fbcf9b2680", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204" + ], + "title": "Ryuk Ransomware Command Line Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services.\nAdversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service\n", + "event_ids": [ + "4688" + ], + "id": "6ddd7376-3f18-f83d-1e75-58189e39abf1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Stop Or Remove Antivirus Service" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Checks for event id 1102 which indicates the security event log was cleared.", + "event_ids": [ + "1102" + ], + "id": "23f0b75b-66c0-4895-ae63-4243fa898109", + 
"level": "medium", + "service": "security", + "subcategory_guids": [], + "tags": [ + "T1070.001", + "T1070" + ], + "title": "Security Event Log Cleared" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detect the creation of a service with a service binary located in a uncommon directory", + "event_ids": [ + "4657" + ], + "id": "f9252ab9-0f85-c10d-fd51-576b83182926", "level": "medium", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "TA0005", + "T1112" + ], + "title": "Service Binary in Uncommon Folder" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "event_ids": [ + "4657" + ], + "id": "7c470022-ced9-05c4-b9fc-5aff8e5f4dce", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003", + "T1112", + "T1053" + ], + "title": "Abusing Windows Telemetry For Persistence - Registry" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detecting DNS tunnel activity for Muddywater actor", + "event_ids": [ + "4688" + ], + "id": "0f27e458-cb56-857e-1e9a-630975f5984a", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1071.004", + "T1071" + ], + "title": "DNS Tunnel Technique from MuddyWater" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "event_ids": [ + "4688" + ], + "id": 
"2b349adb-9984-0950-4917-0629c50ff73b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation RUNDLL LAUNCHER" + }, + { + "category": "registry_add", + "channel": [ + "sec" + ], + "description": "A General detection to trigger for the creation or modification of .*\\Software\\Sysinternals\\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.", + "event_ids": [ + "4657" + ], + "id": "a08aa16a-ae4f-9e1e-7a2d-3ad02f750ff0", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1070.004", + "T1070" + ], + "title": "Sysinternals SDelete Registry Keys" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", + "event_ids": [ + "4688" + ], + "id": "5ffab4e3-fa0b-4adc-c733-2754d5d2e20a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1204.002", + "T1047", + "T1218.010", + "TA0002", + "TA0005", + "T1218", + "T1204" + ], + "title": "Office Applications Spawning Wmi Cli Alternate" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects PsExec service execution via default service image name", + "event_ids": [ + "4688" + ], + "id": "02e5fd82-2643-35a3-b104-51f4ef19c215", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1569.002", + "attack.s0029", + "T1569" + ], + "title": "PsExec Tool Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Excel called wmic to finally proxy execute regsvr32 with the payload.\nAn attacker wanted to break suspicious 
parent-child chain (Office app spawns LOLBin).\nBut we have command-line in the event which allow us to \"restore\" this suspicious parent-child chain and detect it.\nMonitor process creation with \"wmic process call create\" and LOLBins in command-line with parent Office application processes.\n", + "event_ids": [ + "4688" + ], + "id": "72d5e2d6-b55d-f6aa-2db3-4a5fd0d1dd98", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1204.002", + "T1047", + "T1218.010", + "TA0002", + "TA0005", + "T1218", + "T1204" + ], + "title": "Excel Proxy Executing Regsvr32 With Payload" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "event_ids": [ + "4104" + ], + "id": "6587075c-6239-f6e1-4717-4b7972b1c086", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1216" + ], + "title": "Execution via CL_Invocation.ps1 - Powershell" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects process injection using the signed Windows tool Mavinject32.exe", + "event_ids": [ + "4688" + ], + "id": "1b8fce80-846c-a731-f21e-d6a2823fe38c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1055.001", + "T1218", + "T1055" + ], + "title": "MavInject Process Injection" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets", + "event_ids": [ + "4688" + ], + "id": "a3b6ca34-23c2-eedd-8733-1294655ca76a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "TA0005", + "T1027", + "T1059" + ], + "title": "Malicious Base64 Encoded Powershell Invoke Cmdlets" + }, + { + 
"category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Dnscat exfiltration tool execution", + "event_ids": [ + "4104" + ], + "id": "47d13687-edae-dafa-bdab-416474c95f53", + "level": "critical", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0010", + "T1048", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Dnscat Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload.", + "event_ids": [ + "4688" + ], + "id": "9ec2c364-89c8-b572-4a96-ddc786444ecf", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562.001", + "TA0002", + "T1562" + ], + "title": "PowerShell AMSI Bypass Pattern" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\nAdversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n", + "event_ids": [ + "4104" + ], + "id": "113fcff8-c64d-8743-88b7-9ff2539cde7d", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1083" + ], + "title": "Powershell File and Directory Discovery" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", + "event_ids": [ + "5156" + ], + "id": "58a2d80c-c77b-324c-640d-c97cf5fcbefa", + "level": "high", + "service": "", + "subcategory_guids": [ + 
"0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008" + ], + "title": "Suspicious Epmap Connection" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process", + "event_ids": [ + "4657" + ], + "id": "9482abf0-5008-838f-0912-a85e0c7792a7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546.012", + "T1546" + ], + "title": "SilentProcessExit Monitor Registration" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context.", + "event_ids": [ + "4674" + ], + "id": "6683ccd7-da7a-b988-1683-7f7a1bf72bf6", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9229-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0002", + "T1021", + "T1059" + ], + "title": "Lateral Movement Indicator ConDrv" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects different loaders as described in various threat reports on Lazarus group activity", + "event_ids": [ + "4688" + ], + "id": "c155c295-ca75-0671-80f9-2910740dabe7", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "attack.g0032", + "TA0002", + "T1059" + ], + "title": "Lazarus Loaders" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Payloads may be compressed, archived, or encrypted in order to avoid detection", + "event_ids": [ + "4688" + ], + "id": "0557765a-6dad-b15a-5cf0-d92eef2b33ab", + 
"level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1485" + ], + "title": "Run from a Zip File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion", + "event_ids": [ + "4688" + ], + "id": "c4c78b6f-2ead-8d39-dc1b-9ab4e88fc5b6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Suspicious Characters in CommandLine" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", + "event_ids": [ + "4688" + ], + "id": "8994ee03-9478-bde3-ab3d-3abafad0bfd1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005" + ], + "title": "Rundll32 JS RunHTMLApplication Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a Windows service to be stopped", + "event_ids": [ + "4688" + ], + "id": "5e1aa8a2-0c7e-a580-4093-894302350358", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1489" + ], + "title": "Stop Windows Service" + }, + { + "category": "", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects suspicious PowerShell download command", + "event_ids": [], + "id": "12f93a4e-cd0e-18d7-6969-b345ecc8d40a", + "level": "medium", + "service": "powershell", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Download" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects CrackMapExecWin Activity as Described by 
NCSC", + "event_ids": [ + "4688" + ], + "id": "9fcbb5dc-f858-0445-bcf4-ade441a89dc3", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "attack.g0035", + "TA0006", + "TA0007", + "T1110", + "T1087" + ], + "title": "CrackMapExecWin" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound", + "event_ids": [ + "4104" + ], + "id": "74dda95a-b492-e2ee-4a33-b22a41a1cb57", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1482", + "T1087", + "T1087.001", + "T1087.002", + "T1069.001", + "T1069.002", + "T1069" + ], + "title": "AzureHound PowerShell Commands" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects creation of a new service.", + "event_ids": [ + "4688" + ], + "id": "f3c0ce89-d7e4-b1be-b79d-265254701fe6", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1543.003", + "T1543" + ], + "title": "New Service Creation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects process start from rare or uncommon folders like temporary folder or folders that usually don't contain executable files", + "event_ids": [ + "4688" + ], + "id": "24e2ce91-6438-41b5-d23e-48e775ae72bd", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204" + ], + "title": "Process Start From Suspicious Folder" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "event_ids": [ + "4104" + ], + "id": "f427b1c7-bbad-7bd6-bb0f-65b6170a3cb5", + "level": "high", + "service": "", + 
"subcategory_guids": [], + "tags": [ + "TA0005", + "T1216" + ], + "title": "Execution via CL_Mutexverifiers.ps1" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "event_ids": [ + "4688" + ], + "id": "f378e980-dd67-4968-9df5-2ac09c718d4d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1553.004", + "T1553" + ], + "title": "Root Certificate Installed" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execition of commands and binaries from the context of \"forfiles.exe\". This can be used as a LOLBIN in order to bypass application whitelisting.", + "event_ids": [ + "4688" + ], + "id": "4bea8156-6003-3037-62a5-4be1429183b9", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1202" + ], + "title": "Indirect Command Exectuion via Forfiles" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "An adversary might use WMI to check if a certain Remote Service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", + "event_ids": [ + "4688" + ], + "id": "105c3740-9666-1fe5-4e4f-e9e8bdf29dc1", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "WMI Reconnaissance List Remote Services" + }, + { + "category": "", + 
"channel": [ + "sec" + ], + "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \"Member is added to a Security Group\".\nEvent ID 4729 indicates a \"Member is removed from a Security enabled-group\".\nEvent ID 4730 indicates a \"Security Group is deleted\".\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", + "event_ids": [ + "4728", + "4729", + "4730", + "632", + "633", + "634" + ], + "id": "506379d9-8545-c010-e9a3-693119ab9261", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE9237-69AE-11D9-BED3-505054503030" + ], + "tags": [], + "title": "Group Modification Logging" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects code execution via the Windows Update client (wuauclt)", + "event_ids": [ + "4688" + ], + "id": "a1901cc9-34ea-0ae3-68a7-07397e0d8338", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "TA0005", + "T1105", + "T1218" + ], + "title": "Windows Update Client LOLBIN" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detect download by BITS jobs via PowerShell", + "event_ids": [ + "4688" + ], + "id": "a6124306-bb3c-9e0e-a088-a4dee392c1ee", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0003", + "T1197" + ], + "title": "Suspicious Bitsadmin Job via PowerShell" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.", + "event_ids": [ + 
"4689" + ], + "id": "83c2f19e-f588-1826-fc7d-cf7f4db7031a", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE922C-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1482", + "T1018", + "T1016" + ], + "title": "Correct Execution of Nltest.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "event_ids": [ + "4688" + ], + "id": "62e3a364-8fcf-5d67-d080-27c37fade654", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", + "event_ids": [ + "16" + ], + "id": "f224a2b6-2db1-a1a2-42d4-25df0c460915", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1003.002", + "T1003" + ], + "title": "SAM Dump to AppData" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects when attackers use \"sc.exe\" to delete AV services from the system in order to avoid detection", + "event_ids": [ + "4688" + ], + "id": "84bff3a1-2282-883e-eaff-6e74ffbf1e5f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Suspicious Execution of Sc to Delete AV Services" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session", + "event_ids": [ + "4688" + ], + "id": "70824154-ca31-ca8f-0cc1-045e5d217a3a", + 
"level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1564.004", + "T1564" + ], + "title": "Cmd Stream Redirection" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.", + "event_ids": [ + "4688" + ], + "id": "807db7b2-c1e5-520b-2e63-7b2c400be00d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Execution via MSSQL Xp_cmdshell Stored Procedure" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", + "event_ids": [ + "4688" + ], + "id": "f7b13249-d828-2008-3a24-1364b5609ab5", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "T1564.004", + "T1552.001", + "T1105", + "T1564", + "T1552" + ], + "title": "Abusing Findstr for Defense Evasion" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity", + "event_ids": [ + "4688" + ], + "id": "528921e1-f356-7cca-49a4-c5e1402eb356", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "attack.g0032", + "TA0002", + "T1106" + ], + "title": "Lazarus Activity Apr21" + }, + { + "category": "", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "event_ids": [], + 
"id": "349e3bb4-b72b-193d-810e-7d9c145b863e", + "level": "medium", + "service": "powershell", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1218" + ], + "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.", + "event_ids": [ + "4688" + ], + "id": "10aa2f9c-45d9-5c31-ffa2-06fc745b7e33", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1482" + ], + "title": "Trickbot Malware Reconnaissance Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "An adversary might use WMI to execute commands on a remote system", + "event_ids": [ + "4688" + ], + "id": "f58bcb01-a76b-cc94-f698-29be1afd376b", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "WMI Remote Command Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", + "event_ids": [ + "4688" + ], + "id": "4d7489b1-282a-3c79-a3fe-e852cdea4515", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036", + "T1003.001", + "T1003" + ], + "title": "Process Memory Dumped Via RdrLeakDiag.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", + "event_ids": [ + "4688" + ], + "id": 
"f4ff3d8e-34aa-51f7-6a8e-5081ec934b65", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1003.002", + "T1003" + ], + "title": "Registry Dump of SAM Creds and Secrets" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects transferring files from system on a server bitstransfer Powershell cmdlets", + "event_ids": [ + "4688" + ], + "id": "dc28bbe4-14ec-d765-8514-2ff2ff532e24", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0010", + "TA0003", + "T1197" + ], + "title": "Suspicious Bitstransfer via PowerShell" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "event_ids": [ + "4103" + ], + "id": "65efb931-2d64-dea1-b559-544498a9b6f8", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0011", + "T1095" + ], + "title": "Netcat The Powershell Version - PowerShell Module" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Detects disabling Windows Defender threat protection", + "event_ids": [ + "5001", + "5010", + "5012", + "5101" + ], + "id": "7424bd72-6b38-f5a1-7f25-4665452ec72b", + "level": "high", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Windows Defender Threat Detection Disabled" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. 
This could be indicative of adversary lateral movement.", + "event_ids": [ + "4688" + ], + "id": "83f40f59-3ad9-6e41-f40d-b0c6cba08720", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1047" + ], + "title": "Suspicious Cmd Execution via WMI" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "event_ids": [ + "4688" + ], + "id": "300c09ba-ba6b-5fea-7022-567fa5593c41", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Use Rundll32" + }, + { + "category": "", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects suspicious PowerShell invocation command parameters", + "event_ids": [], + "id": "391b98f2-3f42-0d06-a295-18a2aa29d39a", + "level": "high", + "service": "powershell", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Invocations - Generic" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Possible Squirrel Packages Manager as Lolbin", + "event_ids": [ + "4688" + ], + "id": "6dd18e44-e4a2-1c08-3d0e-f4dc7e2fa9cc", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1218" + ], + "title": "Squirrel Lolbin" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "This rule tries to detect powershell download cradles, e.g. powershell . 
(nslookup -q=txt http://some.owned.domain.com)[-1]", + "event_ids": [ + "4688" + ], + "id": "79c252ba-3759-a153-7242-9f3de6ec7ba4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105", + "T1071.004", + "T1071" + ], + "title": "Nslookup PwSh Download Cradle" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious ways to download files or content using PowerShell", + "event_ids": [ + "4688" + ], + "id": "0b1811c8-8c1e-c6bb-1af2-2fe3b42a6b56", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "TA0002", + "T1059.001", + "T1105", + "T1059" + ], + "title": "PowerShell Web Download" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL.", + "event_ids": [ + "4688" + ], + "id": "86c08df9-01b6-6556-09cc-9ac6feb774e8", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218" + ], + "title": "Monitoring Wuauclt.exe For Lolbas Execution Of DLL" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential powershell Base64 encoded Shellcode", + "event_ids": [ + "4688" + ], + "id": "2d9870fb-01d3-f66f-b058-9bd90d56418d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1027" + ], + "title": "Potential PowerShell Base64 Encoded Shellcode" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "event_ids": [ + "4657" + ], + "id": "b8939982-1774-1f45-f838-7bf9ac9be3c2", + 
"level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "T1547" + ], + "title": "Autorun Keys Modification" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.", + "event_ids": [ + "4688" + ], + "id": "c21b19ea-3369-9fab-3ca6-767d24c85595", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "attack.s0404", + "T1218" + ], + "title": "Suspicious Esentutl Use" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects various anomalies in relation to regsvr32.exe", + "event_ids": [ + "4688" + ], + "id": "1b8521f9-1e64-123d-b6f0-d133e0b6f34c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.010", + "car.2019-04-002", + "car.2019-04-003", + "T1218" + ], + "title": "Regsvr32 Anomaly" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Wscript or Cscript executing from a drive other than C. 
This has been observed with Qakbot executing from within a mounted ISO file.", + "event_ids": [ + "4688" + ], + "id": "5f55c592-7555-3ca2-5d49-f1b7b74454ab", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059" + ], + "title": "Wscript Execution from Non C Drive" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Adversaries may abuse Visual Basic (VB) for execution", + "event_ids": [ + "4688" + ], + "id": "124493b3-4f31-c0bb-dbe9-97f0666635ba", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.005", + "T1059" + ], + "title": "Visual Basic Script Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a discovery of domain trusts.", + "event_ids": [ + "4688" + ], + "id": "d5dc5032-aa74-54e8-76e0-3d264adc2ea0", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1482" + ], + "title": "Domain Trust Discovery" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a whoami.exe executed by LOCAL SYSTEM. 
This may be a sign of a successful local privilege escalation.", + "event_ids": [ + "4688" + ], + "id": "9586750a-6351-1543-241d-6d76087e4b01", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0007", + "T1033" + ], + "title": "Run Whoami as SYSTEM" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Winword.exe loading a custom DLL using the /l flag", + "event_ids": [ + "4688" + ], + "id": "af42e8c8-7702-f542-d278-68bf89a26251", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1202" + ], + "title": "Winword.exe Loads Suspicious DLL" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of executables that can be used to bypass Applocker whitelisting", + "event_ids": [ + "4688" + ], + "id": "6e17c2a5-a828-97d2-c2f4-223c82264f3c", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.004", + "T1218.009", + "T1127.001", + "T1218.005", + "T1218", + "T1127" + ], + "title": "Possible Applocker Bypass" + }, + { + "category": "", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects suspicious PowerShell invocation command parameters", + "event_ids": [], + "id": "3db961f4-6217-4957-b717-e5955c82d6e5", + "level": "high", + "service": "powershell", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Invocations - Specific" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-CAPI2/Operational" + ], + "description": "Detects when an application acquires a certificate private key", + "event_ids": [ + "70" + ], + "id": "dadaca47-d760-88a9-fd35-cbe8a6237499", + "level": "medium", + "service": "capi2", + "subcategory_guids": [], + "tags": [ + 
"TA0006", + "T1649" + ], + "title": "Certificate Private Key Acquired" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-AppxPackaging/Operational" + ], + "description": "Detects execution of AppX packages with known suspicious or malicious signature", + "event_ids": [ + "157" + ], + "id": "e6dd8206-87ca-b6e9-3c8f-9e097bfc4e31", + "level": "medium", + "service": "appxpackaging-om", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0002" + ], + "title": "Suspicious Digital Signature Of AppX Package" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" + ], + "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", + "event_ids": [ + "21" + ], + "id": "cfba8e23-d224-ff3b-7cb7-dbc6085172a0", + "level": "high", + "service": "terminalservices-localsessionmanager", + "subcategory_guids": [], + "tags": [ + "TA0011", + "T1090" + ], + "title": "Ngrok Usage with Remote Desktop Service" + }, + { + "category": "", + "channel": [ + "MSExchange Management" + ], + "description": "Detects the Installation of a Exchange Transport Agent", + "event_ids": [], + "id": "31aa27f1-7ac6-a316-2786-b13400c130f5", + "level": "medium", + "service": "msexchange-management", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1505.002", + "T1505" + ], + "title": "MSExchange Transport Agent Installation - Builtin" + }, + { + "category": "", + "channel": [ + "MSExchange Management" + ], + "description": "Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory", + "event_ids": [], + "id": "469804e4-bb11-7cb1-96ce-f7687daa98a0", + "level": "critical", + "service": "msexchange-management", + "subcategory_guids": [], + "tags": [ + "T1587.001", + "TA0042", + "T1587" + ], + "title": "ProxyLogon MSExchange OabVirtualDirectory" + }, + { + 
"category": "", + "channel": [ + "MSExchange Management" + ], + "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", + "event_ids": [], + "id": "30eb1897-ab7e-5cc9-6f83-cd5abd8ee0dc", + "level": "high", + "service": "msexchange-management", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1505.003", + "T1505" + ], + "title": "Exchange Set OabVirtualDirectory ExternalUrl Property" + }, + { + "category": "", + "channel": [ + "MSExchange Management" + ], + "description": "Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it", + "event_ids": [], + "id": "684f5f59-5de0-7d7a-e983-1e2758d383d6", + "level": "critical", + "service": "msexchange-management", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1505.003", + "T1505" + ], + "title": "Mailbox Export to Exchange Webserver" + }, + { + "category": "", + "channel": [ + "MSExchange Management" + ], + "description": "Detects a failed installation of a Exchange Transport Agent", + "event_ids": [ + "6" + ], + "id": "29ec9279-2899-b0a0-0b41-6bf40cdda885", + "level": "high", + "service": "msexchange-management", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1505.002", + "T1505" + ], + "title": "Failed MSExchange Transport Agent Installation" + }, + { + "category": "", + "channel": [ + "MSExchange Management" + ], + "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", + "event_ids": [], + "id": "47e67dfc-354a-0989-f6b1-f3f888a31278", + "level": "high", + "service": "msexchange-management", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1070" + ], + "title": "Remove Exported Mailbox from Exchange Webserver" + }, + { + "category": "", + "channel": [ + "MSExchange Management" + ], + "description": "Detects a write of an Exchange CSR to 
an untypical directory or with aspx name suffix which can be used to place a webshell", + "event_ids": [], + "id": "9c8f1614-f386-ea28-e870-75e3daf99adc", + "level": "critical", + "service": "msexchange-management", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1505.003", + "T1505" + ], + "title": "Certificate Request Export to Exchange Webserver" + }, + { + "category": "antivirus", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Detects a highly relevant Antivirus alert that reports ransomware.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", + "event_ids": [ + "1006", + "1007", + "1008", + "1009", + "1010", + "1011", + "1012", + "1017", + "1018", + "1019", + "1115", + "1116" + ], + "id": "22f82564-4b51-e901-bf00-ea94ff39b468", + "level": "critical", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "T1486", + "TA0040" + ], + "title": "Antivirus Ransomware Detection" + }, + { + "category": "antivirus", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Detects a highly relevant Antivirus alert that reports a password dumper.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", + "event_ids": [ + "1006", + "1007", + "1008", + "1009", + "1010", + "1011", + "1012", + "1017", + "1018", + "1019", + "1115", + "1116" + ], + "id": "46fc2e9f-df4e-8628-05d5-39bc97b56bab", + "level": "critical", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1003", + "T1558", + "T1003.001", + "T1003.002" + ], + "title": "Antivirus Password Dumper Detection" + }, + { + "category": "antivirus", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name.\nThis event must not be 
ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", + "event_ids": [ + "1006", + "1007", + "1008", + "1009", + "1010", + "1011", + "1012", + "1017", + "1018", + "1019", + "1115", + "1116" + ], + "id": "a1be9170-2ada-e8bb-285c-3e1ff336189e", + "level": "high", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "TA0042", + "T1588" + ], + "title": "Antivirus Relevant File Paths Alerts" + }, + { + "category": "antivirus", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", + "event_ids": [ + "1006", + "1007", + "1008", + "1009", + "1010", + "1011", + "1012", + "1017", + "1018", + "1019", + "1115", + "1116" + ], + "id": "1868a1c5-30e8-dffd-a373-90c72ea4921a", + "level": "critical", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1203", + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Antivirus Exploitation Framework Detection" + }, + { + "category": "antivirus", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Detects a highly relevant Antivirus alert that reports a web shell.\nIt's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. 
github and checking the matches.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", + "event_ids": [ + "1006", + "1007", + "1008", + "1009", + "1010", + "1011", + "1012", + "1017", + "1018", + "1019", + "1115", + "1116" + ], + "id": "207b56b3-b44d-dcee-c171-c8f3f4eb3cf6", + "level": "high", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1505.003", + "T1505" + ], + "title": "Antivirus Web Shell Detection" + }, + { + "category": "antivirus", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.\nThis event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.\n", + "event_ids": [ + "1006", + "1007", + "1008", + "1009", + "1010", + "1011", + "1012", + "1017", + "1018", + "1019", + "1115", + "1116" + ], + "id": "f3d20838-65fe-0575-52a9-fd41ce2a5fdd", + "level": "high", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1204" + ], + "title": "Antivirus Hacktool Detection" + }, + { + "category": "wmi_event", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], + "description": "Detects suspicious encoded payloads in WMI Event Consumers", + "event_ids": [ + "5861" + ], + "id": "f4e538d8-94a9-8ecc-779e-e03aa85aedb4", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1047", + "TA0003", + "T1546.003", + "T1546" + ], + "title": "Suspicious Encoded Scripts in a WMI Consumer" + }, + { + "category": "wmi_event", + "channel": [ + "Microsoft-Windows-WMI-Activity/Operational" + ], + "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", + "event_ids": [ + "5861" + ], + "id": "93786e05-1808-f3b1-9841-7fee02fd7247", + "level": "high", + 
"service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.005", + "T1059" + ], + "title": "Suspicious Scripting in a WMI Consumer" + }, + { + "category": "", + "channel": [ + "DNS Server" + ], + "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "event_ids": [ + "150", + "770", + "771" + ], + "id": "40077f9e-f597-1087-0c4f-8901d1a07af4", + "level": "high", + "service": "dns-server", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1574.001", + "T1574" + ], + "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL" + }, + { + "category": "", + "channel": [ + "DNS Server" + ], + "description": "Detects when a DNS zone transfer failed.", + "event_ids": [ + "6004" + ], + "id": "04768e11-3acf-895f-9193-daae77c4678f", + "level": "medium", + "service": "dns-server", + "subcategory_guids": [], + "tags": [ + "TA0043", + "T1590.002", + "T1590" + ], + "title": "Failed DNS Zone Transfer" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects volume shadow copy mount via Windows event log", + "event_ids": [ + "98" + ], + "id": "15b42b84-becb-a48c-8971-28895065fbd3", + "level": "low", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1003.002", + "T1003" + ], + "title": "Volume Shadow Copy Mount" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects \"BugCheck\" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.", + "event_ids": [ + "1001" + ], + "id": "d4ccca35-9fd6-1ed8-f5d5-84f755404fdd", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0006", + "TA0009", + "T1003.002", + "T1005", + "T1003" + ], + "title": "Crash Dump Created By Operating System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "The attacker creates a computer object using those permissions with a 
password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "event_ids": [ + "16990", + "16991" + ], + "id": "7ef3c84f-fc5f-e0e6-b94d-07dbb0c946eb", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1558.003", + "T1558" + ], + "title": "Potential CVE-2021-42287 Exploitation Attempt" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects denied requests by Active Directory Certificate Services.\nExample of these requests denial include issues with permissions on the certificate template or invalid signatures.\n", + "event_ids": [ + "53" + ], + "id": "817138f1-cfd3-c653-7392-a3c61051a8d3", + "level": "low", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0006", + "TA0005", + "T1553.004", + "T1553" + ], + "title": "Active Directory Certificate Services Denied Certificate Enrollment Request" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "event_ids": [ + "1031", + "1032", + "1034" + ], + "id": "a6878a7f-9fcd-9b29-ba67-ca05b11dc4aa", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1574.001", + "T1574" + ], + "title": "DHCP Server Error Failed Loading the CallOut DLL" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "event_ids": [ + "1033" + ], + "id": "87ade82b-7e03-f378-c163-59adb06640ae", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1574.001", + "T1574" + ], + "title": "DHCP Server Loaded the CallOut DLL" + }, + { + "category": "", + "channel": 
[ + "System" + ], + "description": "Detects application popup reporting a failure of the Sysmon service", + "event_ids": [ + "26" + ], + "id": "e064a7a6-e709-1464-34e4-626106c91d98", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562" + ], + "title": "Sysmon Application Crashed" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. Viewed on 2008 Server", + "event_ids": [ + "1511" + ], + "id": "17e91768-3a0f-6d5f-bc0d-7f2d22391909", + "level": "low", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0002" + ], + "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", + "event_ids": [ + "50", + "56" + ], + "id": "19979e7a-7d1e-a8e3-2a9e-9b3ac0059fa7", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0008", + "T1210", + "car.2013-07-002" + ], + "title": "Potential RDP Exploit CVE-2019-0708" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "event_ids": [ + "104" + ], + "id": "8617b59c-812e-c88e-0bd4-5267e0e825f0", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1070.001", + "car.2016-04-002", + "T1070" + ], + "title": "Eventlog Cleared" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. 
caused by \"wevtutil cl\" command execution", + "event_ids": [ + "104" + ], + "id": "30966a3a-2224-0e1a-d28d-c0f7e84cfed3", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1070.001", + "car.2016-04-002", + "T1070" + ], + "title": "Important Windows Eventlog Cleared" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", + "event_ids": [ + "5723", + "5805" + ], + "id": "4d943318-24e9-7318-6951-fdf8cb235652", + "level": "critical", + "service": "system", + "subcategory_guids": [], + "tags": [ + "T1210", + "TA0008" + ], + "title": "Zerologon Exploitation Using Well-known Tools" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", + "event_ids": [ + "5829" + ], + "id": "a82f6b3b-324f-7234-9092-289117234d31", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0004", + "T1548" + ], + "title": "Vulnerable Netlogon Secure Channel Connection Allowed" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "event_ids": [ + "10001" + ], + "id": "cd12f5c0-9798-3928-58bf-34b2816ea898", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0002", + "TA0006", + "T1557.001", + "T1557" + ], + "title": "Local Privilege Escalation Indicator TabTip" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "event_ids": [ + 
"7045" + ], + "id": "af2b45c1-ed61-0866-791a-13ae39ff80c3", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027" + ], + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "event_ids": [ + "7045" + ], + "id": "4639745f-a91a-d296-8935-4c694a97f938", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0004", + "T1134.001", + "T1134.002", + "T1134" + ], + "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects service installation in suspicious folder appdata", + "event_ids": [ + "7045" + ], + "id": "60ddd708-71a3-e524-27b1-4cdeda02ce46", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "TA0004", + "car.2013-09-005", + "T1543.003", + "T1543" + ], + "title": "Service Installation in Suspicious Folder" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "event_ids": [ + "7045" + ], + "id": "686d9481-474f-2b85-7c51-e69967c1afcc", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "event_ids": [ + "7045" + ], + "id": "9e870183-fbbc-e736-c380-d20bd74d7dbe", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0002", + "TA0004", + "T1543.003", + "T1569.002", + "T1543", + "T1569" + ], + "title": "ProcessHacker Privilege Elevation" 
+ }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Remote Utilities Host service installation on the target system.", + "event_ids": [ + "7045" + ], + "id": "97bd461f-b35e-a243-c697-06cc0539d7e3", + "level": "medium", + "service": "system", + "subcategory_guids": [], "tags": [ "TA0003" ], - "title": "Potential Persistence Via Disk Cleanup Handler - Registry" + "title": "Remote Utilities Host Service Install" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "event_ids": [ + "7045" + ], + "id": "8aef41c8-fc2b-f490-5a9b-a683fe107829", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Stdin - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "event_ids": [ + "7045" + ], + "id": "e92121bb-a1c1-5d5a-6abb-3a25fe37fb41", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Use Clip - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Windows services that got terminated for whatever reason", + "event_ids": [ + "7023" + ], + "id": "c002ec31-f147-d591-b2f2-253774fd4248", + "level": "low", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005" + ], + "title": "Windows Service Terminated With Error" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", + "event_ids": [ + "7045" + ], + "id": "e38955da-ce8e-7137-94e5-7890c0bab131", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + 
"TA0002", + "TA0004", + "T1543.003", + "T1569.002", + "T1543", + "T1569" + ], + "title": "Sliver C2 Default Service Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "event_ids": [ + "7045" + ], + "id": "e0aa759a-fa97-fb3b-1b02-82aa44f8c068", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Use MSHTA - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.", + "event_ids": [ + "7045" + ], + "id": "a36af175-0d96-acc8-c2f7-f5bb57c974fe", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "TacticalRMM Service Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "event_ids": [ + "7045" + ], + "id": "414e0fbd-67a8-17e4-371e-4f9f6a8799d0", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation CLIP+ Launcher - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.", + "event_ids": [ + "7045" + ], + "id": "87d5cdc0-24c5-8411-1230-d717dd6a47e8", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003" + ], + "title": "Anydesk Remote Access Software Service Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", + "event_ids": [ + "7045" + ], + "id": "6cda0359-f921-911b-a724-cc2f00d661f8", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0010", + "T1048" + ], + "title": "Tap Driver Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "event_ids": [ + "7045" + ], + "id": "384155f0-8906-ff64-5188-211c9a98274e", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0008", + "TA0002", + "T1021.002", + "T1569.002", + "T1569", + "T1021" + ], + "title": "smbexec.py Service Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)", + "event_ids": [ + "7045" + ], + "id": "8623dcbf-e828-afb3-eb29-42cade82b39a", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0004", + "T1543" + ], + "title": "KrbRelayUp Service Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", + "event_ids": [ + "7045" + ], + "id": "c5b232f5-bd0a-c0ea-585f-c54fbe370580", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0004", + "T1543.003", + "T1543" + ], + "title": "New PDQDeploy Service - Client Side" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects suspicious service installation commands", + "event_ids": [ + "7045" + ], + "id": "ebfad3e2-5025-b233-20ef-71fc2ada8fe7", + "level": 
"high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "TA0004", + "car.2013-09-005", + "T1543.003", + "T1543" + ], + "title": "Suspicious Service Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "event_ids": [ + "7045" + ], + "id": "9d5e9ea9-180b-0d92-6e5a-645275e94267", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation STDIN+ Launcher - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers", + "event_ids": [ + "7045" + ], + "id": "cd204548-409b-e025-4fde-4a8fb1fe5332", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Mesh Agent Service Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "event_ids": [ + "7045" + ], + "id": "97b97d4d-e03c-ace5-3215-fa2f51ec5fd5", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0004", + "T1543" + ], + "title": "Service Installed By Unusual Client - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects RemCom service installation and execution events", + "event_ids": [ + "7045" + ], + "id": "1ae1cb63-2c82-d95d-a200-533f229715b2", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1569.002", + "T1569" + ], + "title": "RemCom Service Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or 
lateral movement", + "event_ids": [ + "7045" + ], + "id": "51ba8477-86a4-6ff0-35fa-7b7f1b1e3f83", + "level": "critical", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0002", + "TA0004", + "TA0008", + "T1021.002", + "T1543.003", + "T1569.002", + "T1569", + "T1021", + "T1543" + ], + "title": "CobaltStrike Service Installations - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", + "event_ids": [ + "7045" + ], + "id": "8682ea60-89d6-e616-7cdd-410a05ed1611", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0004", + "T1543.003", + "T1543" + ], + "title": "New PDQDeploy Service - Server Side" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects service installation with suspicious folder patterns", + "event_ids": [ + "7045" + ], + "id": "1702910b-83b9-ce95-4ae8-2405c2e9faf7", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "TA0004", + "car.2013-09-005", + "T1543.003", + "T1543" + ], + "title": "Service Installation with Suspicious Folder Pattern" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects important or interesting Windows services that got terminated unexpectedly.", + "event_ids": [ + "7034" + ], + "id": "d3c329c7-54bd-4896-cc7d-e04077eba081", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005" + ], + "title": "Important Windows Service Terminated Unexpectedly" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "event_ids": [ + "7045" + ], + "id": "19adbb05-25d8-44fe-3721-1590be735426", + "level": "high", + "service": 
"system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation VAR+ Launcher - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "event_ids": [ + "7045" + ], + "id": "6623b0c3-f904-2d2e-9c24-4cbb81bf55aa", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects installation or execution of services", + "event_ids": [ + "7036", + "7045" + ], + "id": "fde28f27-a4fa-d3a4-a714-0ef2dfacb36c", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1569.002", + "attack.s0029", + "T1569" + ], + "title": "HackTool Service Registration or Execution" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.\n", + "event_ids": [ + "7045" + ], + "id": "4de4ea24-8c0c-75ed-78c3-bf620ec06fd5", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "TA0004", + "car.2013-09-005", + "T1543.003", + "T1543" + ], + "title": "Uncommon Service Installation Image Path" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "event_ids": [ + "7045" + ], + "id": "f5581097-47d5-fd2b-1a94-37dd36318706", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" + }, + { + "category": "", + 
"channel": [ + "System" + ], + "description": "Detects NetSupport Manager service installation on the target system.", + "event_ids": [ + "7045" + ], + "id": "ee415dc3-b7c0-9568-e6dd-878777ff237a", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003" + ], + "title": "NetSupport Manager Service Install" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", + "event_ids": [ + "7036", + "7045" + ], + "id": "cd1c0081-d0c8-369f-2ed1-dcc058b08b9c", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "TA0002", + "T1543.003", + "T1569.002", + "T1569", + "T1543" + ], + "title": "Remote Access Tool Services Have Been Installed - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects important or interesting Windows services that got terminated for whatever reason", + "event_ids": [ + "7023" + ], + "id": "bf2272c8-bc92-d925-4fb6-aeb1fe9283aa", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005" + ], + "title": "Important Windows Service Terminated With Error" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects suspicious service installation scripts", + "event_ids": [ + "7045" + ], + "id": "778c7f2b-32f5-e591-5c4a-01e47388475c", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "TA0004", + "car.2013-09-005", + "T1543.003", + "T1543" + ], + "title": "Suspicious Service Installation Script" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects PAExec service installation", + "event_ids": [ + "7045" + ], + "id": "19b4e2a1-4499-8c65-e93a-5f675df202d8", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1569.002", + 
"T1569" + ], + "title": "PAExec Service Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "event_ids": [ + "7045" + ], + "id": "7ca6e518-decb-de46-861e-5673c026b257", + "level": "critical", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "TA0004", + "T1543.003", + "T1543" + ], + "title": "Moriya Rootkit - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects powershell script installed as a Service", + "event_ids": [ + "7045" + ], + "id": "be1b026a-db82-4f10-0739-68c60f1261c9", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1569.002", + "T1569" + ], + "title": "PowerShell Scripts Installed as Services" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects well-known credential dumping tools execution via service execution events", + "event_ids": [ + "7045" + ], + "id": "81562732-3278-cd48-1db2-581bc7158b6e", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0006", + "TA0002", + "T1003.001", + "T1003.002", + "T1003.004", + "T1003.005", + "T1003.006", + "T1569.002", + "attack.s0005", + "T1003", + "T1569" + ], + "title": "Credential Dumping Tools Service Execution - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects CSExec service installation and execution events", + "event_ids": [ + "7045" + ], + "id": "efef064b-d350-a96b-fe1e-ef4cfe657066", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1569.002", + "T1569" + ], + "title": "CSExec Service Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "event_ids": [ + "7045" + ], + "id": 
"f1988b01-7f12-1851-58b5-8a4d63743183", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Use Rundll32 - System" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects when the \"Windows Defender Threat Protection\" service is disabled.", + "event_ids": [ + "7036" + ], + "id": "07c5c883-1da4-d066-f69b-6caadbd1d6f9", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Windows Defender Threat Detection Service Disabled" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", + "event_ids": [ + "7045" + ], + "id": "6218888e-3b1f-f6be-b9f8-9fd758caa380", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003" + ], + "title": "RTCore Suspicious Service Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects PsExec service installation and execution events", + "event_ids": [ + "7045" + ], + "id": "cb7a40d5-f1de-9dd4-465d-eada7e316d8f", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1569.002", + "attack.s0029", + "T1569" + ], + "title": "PsExec Service Installation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.\nThis occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default).\nRegistry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.\n", + "event_ids": [ + "16" + ], + "id": 
"625954f8-9cc1-bc90-d5bd-4d1d82849d37", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1003.002", + "T1003" + ], + "title": "Critical Hive In Suspicious Location Access Bits Cleared" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.", + "event_ids": [ + "6038", + "6039" + ], + "id": "cb063566-b04b-c7e4-316b-c69075ed08f5", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0008", + "T1550.002", + "T1550" + ], + "title": "NTLMv1 Logon Between Client and Server" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "event_ids": [ + "55" + ], + "id": "73b6342c-c17a-d447-2fd3-119ed3cf61ca", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0040", + "T1499.001", + "T1499" + ], + "title": "NTFS Vulnerability Exploitation" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)\nThis could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.\nEvents where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.\n", + "event_ids": [ + "39", + "41" + ], + "id": "470e08fc-0b52-8769-10d3-5b5c1920327e", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0004" + ], + "title": "Certificate 
Use With No Strong Mapping" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "event_ids": [ + "42" + ], + "id": "87515290-bf9f-09a4-af0e-bac22cb017f6", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0004" + ], + "title": "KDC RC4-HMAC Downgrade CVE-2022-37966" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.\nThis issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.\n", + "event_ids": [ + "16", + "27" + ], + "id": "e10c99fe-7559-5ae3-9c5c-9fd0a70bd4a6", + "level": "low", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1558.003", + "T1558" + ], + "title": "No Suitable Encryption Key Found For Generating Kerberos Ticket" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects Windows update errors including installation failures and connection issues. 
Defenders should observe this in case critical update KBs aren't installed.\n",
+ "event_ids": [
+ "16",
+ "20",
+ "213",
+ "217",
+ "24"
+ ],
+ "id": "8f9f7490-f99e-ff64-4b60-ac3f06a2262b",
+ "level": "informational",
+ "service": "system",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0040",
+ "TA0042",
+ "T1584"
+ ],
+ "title": "Windows Update Error"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-Security-Mitigations*"
+ ],
+ "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL",
+ "event_ids": [
+ "11",
+ "12"
+ ],
+ "id": "838d17f1-63ba-03c4-f8ae-2bdfd74a6a08",
+ "level": "high",
+ "service": "security-mitigations",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1574.001",
+ "T1574"
+ ],
+ "title": "Microsoft Defender Blocked from Loading Unsigned DLL"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-Security-Mitigations*"
+ ],
+ "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations",
+ "event_ids": [
+ "11",
+ "12"
+ ],
+ "id": "15277aa1-7b5b-9e3b-cca8-52c21a36d06c",
+ "level": "high",
+ "service": "security-mitigations",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1574.001",
+ "T1574"
+ ],
+ "title": "Unsigned Binary Loaded From Suspicious Location"
+ },
+ {
+ "category": "ps_classic_start",
+ "channel": [
+ "pwsh"
+ ],
+ "description": "Shadow Copies deletion using operating systems utilities via PowerShell",
+ "event_ids": [
+ "400"
+ ],
+ "id": "970cb6bc-a1b8-c7da-f658-ea96f2045162",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0040",
+ "T1490"
+ ],
+ "title": "Delete Volume Shadow Copies Via WMI With PowerShell"
+ },
+ {
+ "category": "ps_classic_start",
+ "channel": [
+ "pwsh"
+ ],
+ "description": "Adversaries may attempt to get a listing of network connections
to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
+ "event_ids": [
+ "400"
+ ],
+ "id": "19bee8fa-b4db-79ab-2c60-ea8ae4875dcc",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "T1049"
+ ],
+ "title": "Use Get-NetTCPConnection"
+ },
+ {
+ "category": "ps_classic_start",
+ "channel": [
+ "pwsh"
+ ],
+ "description": "Detects remote PowerShell sessions",
+ "event_ids": [
+ "400"
+ ],
+ "id": "d79eda57-503a-274d-fab8-0d26ff047015",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "TA0008",
+ "T1021.006",
+ "T1059",
+ "T1021"
+ ],
+ "title": "Remote PowerShell Session (PS Classic)"
+ },
+ {
+ "category": "ps_classic_start",
+ "channel": [
+ "pwsh"
+ ],
+ "description": "Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.",
+ "event_ids": [
+ "400"
+ ],
+ "id": "11151659-80c2-7657-d058-2a07c5662662",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Nslookup PowerShell Download Cradle"
+ },
+ {
+ "category": "ps_classic_provider_start",
+ "channel": [
+ "pwsh"
+ ],
+ "description": "Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.",
+ "event_ids": [
+ "600"
+ ],
+ "id": "3ec981cc-6521-d6a9-9630-d1df7d2090b9",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "Tamper Windows Defender - PSClassic"
+ },
+ {
+ "category": "ps_classic_start",
+ "channel": [
+ "pwsh"
+ ],
+ "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0",
+ "event_ids": [
+ "400"
+ ],
+ "id": "05ab81d4-8539-cffc-89f9-e470468bb28c",
+ "level": "medium",
+ "service": "",
+
"subcategory_guids": [], + "tags": [ + "TA0005", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "PowerShell Downgrade Attack - PowerShell" + }, + { + "category": "ps_classic_start", + "channel": [ + "pwsh" + ], + "description": "Detects suspicious PowerShell download command", + "event_ids": [ + "400" + ], + "id": "d938bbb0-a745-c4fc-ce0d-eb5a006e6757", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Download" + }, + { + "category": "ps_classic_start", + "channel": [ + "pwsh" + ], + "description": "Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.\n", + "event_ids": [ + "400" + ], + "id": "b1868902-0d34-3392-8d98-99c0919a01d4", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "TA0005", + "T1059.001", + "T1036.003", + "T1036", + "T1059" + ], + "title": "Renamed Powershell Under Powershell Channel" + }, + { + "category": "", + "channel": [ + "pwsh" + ], + "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n", + "event_ids": [], + "id": "ee9681d0-6ba5-5eaf-9c8b-fe39afe542b9", + "level": "medium", + "service": "powershell-classic", + "subcategory_guids": [], + "tags": [ + "TA0009", + "T1074.001", + "T1074" + ], + "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell" + }, + { + "category": "", + "channel": [ + "pwsh" + ], + "description": "Detects suspicious use of the WSMAN provider without 
PowerShell.exe as the host application.",
+ "event_ids": [],
+ "id": "aedc0f64-b9e7-36d1-fd92-838fdf33eac3",
+ "level": "medium",
+ "service": "powershell-classic",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "TA0008",
+ "T1021.003",
+ "T1059",
+ "T1021"
+ ],
+ "title": "Suspicious Non PowerShell WSMAN COM Provider"
+ },
+ {
+ "category": "ps_classic_start",
+ "channel": [
+ "pwsh"
+ ],
+ "description": "Detects PowerShell called from an executable by the version mismatch method",
+ "event_ids": [
+ "400"
+ ],
+ "id": "b8c409c0-bd7a-5c05-0bae-56f88fe7b78d",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "PowerShell Called from an Executable Version Mismatch"
+ },
+ {
+ "category": "ps_classic_start",
+ "channel": [
+ "pwsh"
+ ],
+ "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network",
+ "event_ids": [
+ "400"
+ ],
+ "id": "cc575689-20fe-0dda-ed3b-93e52d0d8ef1",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0011",
+ "T1095"
+ ],
+ "title": "Netcat The Powershell Version"
+ },
+ {
+ "category": "",
+ "channel": [
+ "pwsh"
+ ],
+ "description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\".
This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.",
+ "event_ids": [],
+ "id": "29a3935d-0428-4f39-d39e-ec43c598b272",
+ "level": "high",
+ "service": "powershell-classic",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1218"
+ ],
+ "title": "Potential RemoteFXvGPUDisablement.EXE Abuse"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "ec4cdf41-f053-d3af-6a68-973d32bacdff",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0003",
+ "T1098"
+ ],
+ "title": "Powershell LocalAccount Manipulation"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "58f5980d-d851-77b4-2f1f-945eb2d3e430",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0006",
+ "T1552.004",
+ "T1552"
+ ],
+ "title": "Certificate Exported Via PowerShell - ScriptBlock"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\".
This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "9a9b4924-bf93-774d-4bee-a2d13260663c",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1218"
+ ],
+ "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "245734a0-22f3-d684-07a7-ed1cea011d8e",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1553.004",
+ "T1553"
+ ],
+ "title": "Root Certificate Installed - PowerShell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Get the processes that are running on the local computer.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "0e7ff574-cd58-3250-821d-47fedcc03db6",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "T1057"
+ ],
+ "title": "Suspicious Process Discovery With Get-Process"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB).
The adversary may then perform actions as the logged-on user.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "9d0ff6ee-9967-a757-d8dc-cf3f3b3546b1",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0008",
+ "T1021.002",
+ "T1021"
+ ],
+ "title": "Suspicious New-PSDrive to Admin Share"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "654b7573-5b04-0352-d832-f32c333f4a56",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1497.001",
+ "T1497"
+ ],
+ "title": "Powershell Detect Virtualization Environment"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects calls to \"Add-Content\" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "aa566d46-235a-b467-88ed-434788883da2",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0003",
+ "TA0004",
+ "T1546.013",
+ "T1546"
+ ],
+ "title": "Potential Persistence Via PowerShell User Profile Using Add-Content"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects PowerShell scripts set ACL to of a file or a folder",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "3586407d-f3a3-bb2d-8467-0956e15af381",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1222"
+ ],
+ "title": "PowerShell Script Change Permission Via Set-Acl - PsScript"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "An adversary may deface systems
internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "a427508a-2c94-8fdb-863f-555304b70605",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0040",
+ "T1491.001",
+ "T1491"
+ ],
+ "title": "Replace Desktop Wallpaper by Powershell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Obfuscated use of Environment Variables to execute PowerShell",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "1bc61c35-56bd-6b9c-12fc-5513d8aa80d2",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "12b5b805-7b4b-d153-35e2-2230d216346c",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Potential Suspicious PowerShell Keywords"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "5ab8284b-d017-c68c-31ff-6c9b51010284",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "TA0002",
+ "T1027",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Potential PowerShell Obfuscation Using Character Join"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may attempt to gather information about attached
peripheral devices and components connected to a computer system.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "12bd77fd-a44d-6373-2156-4c29b22d9c85",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "T1120"
+ ],
+ "title": "Powershell Suspicious Win32_PnPEntity"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "d2c72fb1-8ebf-d5d3-1e88-80f15ba1079a",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1564.003",
+ "T1564"
+ ],
+ "title": "Suspicious PowerShell WindowStyle Option"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "3bef19ed-f703-65eb-ab07-eebb20abdd4e",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007"
+ ],
+ "title": "PowerShell Hotfix Enumeration"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "d7f88495-fd82-8062-2c13-6036a8358e39",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0009",
+ "T1119"
+ ],
+ "title": "Automated Collection Command PowerShell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add Windows capabilities.
Notable capabilities could be \"OpenSSH\" and others.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "8094e74c-0e24-f840-50c3-bfcdc98cd6a9",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002"
+ ],
+ "title": "Add Windows Capability Via PowerShell Script"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects potential exfiltration attempt via audio file using PowerShell",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "4956629d-759b-2297-1edf-5751449384cb",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0010"
+ ],
+ "title": "Potential Data Exfiltration Via Audio File"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "f279fcb8-4560-0d0c-3bee-043b32f9b3fb",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0006",
+ "T1003"
+ ],
+ "title": "Live Memory Dump Using Powershell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "6154995f-9153-aaa3-dc51-d3062506c78a",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0009",
+ "TA0006",
+ "T1056.001",
+ "T1056"
+ ],
+ "title": "Potential Keylogger Activity"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "437d2bdc-4ee9-913b-42df-e947c8193f88",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0006",
+
"T1555" + ], + "title": "Dump Credentials from Windows Credential Manager With PowerShell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers or properties within Active Directory.", + "event_ids": [ + "4104" + ], + "id": "00f90856-99dc-9ecd-31ca-0d93b7577bac", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1018", + "T1087.002", + "T1087" + ], + "title": "Active Directory Computers Enumeration With Get-AdComputer" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects the use of the \"Get-ADComputer\" cmdlet in order to identify systems which are configured for unconstrained delegation.", + "event_ids": [ + "4104" + ], + "id": "c0fcc261-538c-247d-21ff-05b6d2cbdf07", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0043", + "TA0007", + "TA0006", + "T1018", + "T1558", + "T1589.002", + "T1589" + ], + "title": "Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", + "event_ids": [ + "4104" + ], + "id": "71d6a25b-6fe6-37e2-40bc-c4de171fbbc9", + "level": "critical", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "TA0011", + "T1071.004", + "T1572", + "TA0040", + "T1529", + "attack.g0091", + "attack.s0363", + "T1059", + "T1071" + ], + "title": "Silence.EDA Detection" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", + "event_ids": [ + "4104" + ], + "id": 
"6dcad107-58f0-d885-7198-fe78bda1ff4b", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0040", + "T1565" + ], + "title": "Powershell Add Name Resolution Policy Table Rule" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", + "event_ids": [ + "4104" + ], + "id": "57b18282-5df7-0636-ee86-75ccdbe55519", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.003", + "T1059" + ], + "title": "Powershell Execute Batch Script" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "event_ids": [ + "4104" + ], + "id": "369a4eed-03b4-7aea-6309-c6d7173b0567", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1033" + ], + "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects writing data into NTFS alternate data streams from powershell. 
Needs Script Block Logging.", + "event_ids": [ + "4104" + ], + "id": "e701b235-4663-b82b-8611-b51a0706589b", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1564.004", + "TA0002", + "T1059.001", + "T1059", + "T1564" + ], + "title": "NTFS Alternate Data Stream" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", + "event_ids": [ + "4104" + ], + "id": "714c75ab-6bed-7c9d-462b-f7f9252e47e5", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "PSAsyncShell - Asynchronous TCP Reverse Shell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + "event_ids": [ + "4104" + ], + "id": "b38a93d1-2bd3-6583-6617-1f4bdccf8589", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.001", + "TA0002", + "T1562" + ], + "title": "AMSI Bypass Pattern Assembly GetType" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "event_ids": [ + "4104" + ], + "id": "0c3ed50a-e9ab-a1ab-192f-17494d3bcb53", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1555.003", + "T1555" + ], + "title": "Access to Browser Login Data" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects PowerShell calling a credential prompt", 
+ "event_ids": [ + "4104" + ], + "id": "77e99ce3-b834-1c0d-0fe8-ffd39f1bc29f", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0006", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "PowerShell Credential Prompt" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "event_ids": [ + "4104" + ], + "id": "0b0963db-269b-9351-ab12-4aa9d1f8a105", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0004", + "T1484.001", + "T1484" + ], + "title": "Modify Group Policy Settings - ScriptBlockLogging" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects the execution of the hacktool Rubeus using specific command line flags", + "event_ids": [ + "4104" + ], + "id": "1296d31f-9f66-0be1-424b-a641f15c4475", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1003", + "T1558.003", + "TA0008", + "T1550.003", + "T1558", + "T1550" + ], + "title": "HackTool - Rubeus Execution - ScriptBlock" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", + "event_ids": [ + "4104" + ], + "id": "00ba998e-b435-22a6-2dbf-e85e1918b8a7", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0009", + "T1114.001", + "T1114" + ], + "title": "Powershell Local Email Collection" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or 
silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", + "event_ids": [ + "4104" + ], + "id": "088701bf-4758-9a2a-76c0-2e148a7e122c", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1558.003", + "T1558" + ], + "title": "Request A Single Ticket via PowerShell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "event_ids": [ + "4104" + ], + "id": "33811b3f-3506-6bff-bb4a-4250e7714358", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Use Clip - Powershell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "event_ids": [ + "4104" + ], + "id": "f698fa3e-50d4-0a6b-4f65-9cc569e1a709", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Powershell XML Execute Command" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "event_ids": [ + "4104" + ], + "id": "129010c2-32d8-8ae8-d3a5-cdd24744231e", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1555" + ], + "title": "Enumerate Credentials from Windows Credential Manager With PowerShell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects PowerShell scripts to set the ACL to a file in the Windows folder", + "event_ids": [ + "4104" + ], + "id": "82a11bd6-070f-3229-f413-73fe2ddd7018", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1222" + ], + "title": "PowerShell Set-Acl On Windows Folder - PsScript" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", + "event_ids": [ + "4104" + ], + "id": "79769f3b-efb3-9463-e114-7446d4361146", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Malicious Nishang PowerShell Commandlets" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor 
that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "event_ids": [ + "4104" + ], + "id": "737309de-cb25-6cd6-de11-74ac6a587299", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0003", + "TA0005", + "TA0004", + "T1574.011", + "T1574" + ], + "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", + "event_ids": [ + "4104" + ], + "id": "1dc5f777-bb62-c024-3838-e53492b5e574", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0010", + "T1048" + ], + "title": "Powershell DNSExfiltration" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "event_ids": [ + "4104" + ], + "id": "cb989f20-ebb9-8b1b-a5d6-f98b3929346c", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Disable-WindowsOptionalFeature Command PowerShell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", + "event_ids": [ + "4104" + ], + "id": "3c8ea56a-ad16-8598-c24e-3fdd6b345dda", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1201" + ], + "title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy" + }, + { + "category": "ps_script", + "channel": [ + 
"pwsh", + "pwsh" + ], + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "event_ids": [ + "4104" + ], + "id": "e355cee1-576c-66ad-ccaf-3f4dfa5b541e", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Stdin - Powershell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet", + "event_ids": [ + "4104" + ], + "id": "97e928f0-6985-66cd-fd2d-3783904a3c7c", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects PowerShell scripts leveraging the \"Invoke-WebRequest\" cmdlet to send data via either \"PUT\" or \"POST\" method.", + "event_ids": [ + "4104" + ], + "id": "4dc42aa9-1963-4ee8-e6ed-021575365449", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0010", + "T1020" + ], + "title": "PowerShell Script With File Upload Capabilities" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "event_ids": [ + "4104" + ], + "id": "fd4e11cc-a1e1-264d-4545-f06b97371ed2", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects the execution of powershell scripts with calls to the \"Start-NetEventSession\" cmdlet. 
Which allows an attacker to start event and packet capture for a network event session.\nAdversaries may attempt to capture network to gather information over the course of an operation.\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.\n", + "event_ids": [ + "4104" + ], + "id": "0357e3d7-f8fe-0601-0902-364f4cdbed81", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0006", + "TA0007", + "T1040" + ], + "title": "Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", + "event_ids": [ + "4104" + ], + "id": "e59d0c87-f426-154d-9744-50e5cb987c9f", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1003.006", + "T1003" + ], + "title": "Suspicious Get-ADReplAccount" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "event_ids": [ + "4104" + ], + "id": "1a8e1936-4b07-2bb2-ef3a-2cdf7d294a56", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1070", + "T1070.003" + ], + "title": "Clearing Windows Console History" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects the use of PSAttack PowerShell hack tool", + "event_ids": [ + "4104" + ], + "id": "8dd08d08-a638-c74c-8e7a-07d55d3b3318", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "PowerShell PSAttack" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects suspicious PowerShell invocation command parameters", + "event_ids": [ + "4104" + ], + "id": "308e8029-d702-799b-6aea-82f749348b24", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Invocations - Generic" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.", + "event_ids": [ + "4104" + ], + "id": "b5223513-5e9d-2c11-1cf7-d980bfed58f5", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0008", + "T1021.006", + "T1021" + ], + "title": "Enable Windows Remote Management" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects suspicious Powershell code that execute COM Objects", + "event_ids": [ + "4104" + ], + "id": "9134b08c-39fa-8211-b3f5-5bd1839b9540", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0004", + "TA0003", + "T1546.015", + "T1546" + ], + "title": "Suspicious GetTypeFromCLSID ShellExecute" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", + "event_ids": [ + "4104" + ], + "id": "aa7ecfb4-5a28-3a35-0b06-35cdfed46928", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0009", + "T1119" + ], + "title": "Recon Information for Export with PowerShell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", + "event_ids": [ + "4104" + ], + "id": "649adb28-28ab-34b1-166d-cfffb0245bbd", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0003", + "TA0005" + ], + "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", + "event_ids": [ + "4104" + ], + "id": "389e5737-c793-4d03-4191-fe78d2cc1dcb", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1217" + ], + "title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", + "event_ids": [ + "4104" + ], + "id": "6454f2bf-2962-a90a-eec3-6c7bef6be08e", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1070.003", + "T1070" + ], + "title": "Suspicious IO.FileStream" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", + "event_ids": [ + "4104" + ], + "id": "956b0dfd-4aba-c0c7-7608-c7889eea8a67", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1069.001", + "T1069" + ], + "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. 
This technique is often used as a method to load malicious content into memory afterward.", + "event_ids": [ + "4104" + ], + "id": "0f434135-833f-9c32-7048-ab3c6264d3d2", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0011", + "T1132.001", + "T1132" + ], + "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", + "event_ids": [ + "4104" + ], + "id": "6074ad34-a80f-fdd9-5c49-e1a2fc4572c4", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Tamper Windows Defender - ScriptBlockLogging" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", + "event_ids": [ + "4104" + ], + "id": "2843f0fc-1a75-2140-6c4c-f5c296073941", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1136.002", + "T1136" + ], + "title": "Manipulation of User Computer or Group Security Principals Across AD" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"Set-ExecutionPolicy\" cmdlet.", + "event_ids": [ + "4104" + ], + "id": "e5a59479-4ded-f6c3-ab4d-8d464128fbb2", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Change PowerShell Policies to an Insecure Level - PowerShell" + }, + { + 
"category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", + "event_ids": [ + "4104" + ], + "id": "eddbf1d6-60c9-96f5-4cdf-f0947b3aad8f", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "event_ids": [ + "4104" + ], + "id": "c4a3b240-b0c5-3eed-9e95-d3db01157764", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.", + "event_ids": [ + "4104" + ], + "id": "53f26dda-d088-32eb-a704-03c3b6986b49", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0010", + "T1020" + ], + "title": "PowerShell Script With File Hostname Resolving Capabilities" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", + "event_ids": [ + "4104" + ], + "id": "a4fa5d2e-a803-b311-5ff7-669ada2d36eb", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1553.005", + "T1553" + ], + "title": "Suspicious Invoke-Item From Mount-DiskImage" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects the 
use of PowerShell modules and cmdlets to gather local group information.\nAdversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.\n", + "event_ids": [ + "4104" + ], + "id": "231be74a-ed58-7e55-d906-23131f589913", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1069.001", + "T1069" + ], + "title": "Suspicious Get Local Groups Information - PowerShell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Enumerates Active Directory to determine computers that are joined to the domain", + "event_ids": [ + "4104" + ], + "id": "d72c1916-ab63-11e1-1916-5e8b3822f133", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1018" + ], + "title": "DirectorySearcher Powershell Exploitation" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects usage of the WMI class \"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) 
from a PowerShell script", + "event_ids": [ + "4104" + ], + "id": "72ba1398-c3d6-c1a6-9133-bc72ccaca90d", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005" + ], + "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Uses PowerShell to install/copy a file into a system directory such as \"System32\" or \"SysWOW64\"", + "event_ids": [ + "4104" + ], + "id": "b16a0b26-d586-4ff7-f200-20927037e55f", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1556.002", + "T1556" + ], + "title": "Powershell Install a DLL in System Directory" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", + "event_ids": [ + "4104" + ], + "id": "b56d246e-e1d8-6f33-6e90-65864d130915", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1553.005", + "T1553" + ], + "title": "Suspicious Unblock-File" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", + "event_ids": [ + "4104" + ], + "id": "977cdcc1-6d3a-a221-a03f-d794230e01ae", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1053.005", + "T1053" + ], + "title": "Powershell Create Scheduled Task" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "event_ids": [ + "4104" + ], + "id": "77af6d22-9887-7943-53f1-6a849e2e892d", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027.009", + "T1027" + ], + "title": 
"Powershell Token Obfuscation - Powershell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts", + "event_ids": [ + "4104" + ], + "id": "437f4723-94d2-dfdf-cd3b-9cf2e0af0fba", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1047" + ], + "title": "WMIC Unquoted Services Path Lookup - PowerShell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects suspicious PowerShell invocation command parameters", + "event_ids": [ + "4104" + ], + "id": "8655ba53-c937-dbcf-91c5-3125219b9497", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Invocations - Specific" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "event_ids": [ + "4104" + ], + "id": "abc8469f-9601-7199-13b7-9620478f5335", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1518" + ], + "title": "Detected Windows Software Discovery - PowerShell" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "event_ids": [ + "4104" + ], + "id": "77515874-226e-d597-815a-9962d2951358", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1003.001", + "T1003" + ], + "title": "PowerShell Get-Process LSASS in ScriptBlock" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" 
+ ], + "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", + "event_ids": [ + "4104" + ], + "id": "777d9383-7a6f-f82a-d22e-2f05f433bc9b", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005" + ], + "title": "PowerShell Write-EventLog Usage" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Powershell use PassThru option to start in background", + "event_ids": [ + "4104" + ], + "id": "c6dce605-3bb0-c881-1c5c-f3e4e9d62577", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1036.003", + "T1036" + ], + "title": "Suspicious Start-Process PassThru" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. 
As seen used in the DAMP project.", + "event_ids": [ + "4104" + ], + "id": "b46c37cc-554c-aab3-0744-26f3a5ace219", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0003", + "TA0005", + "TA0004" + ], + "title": "Potential Persistence Via Security Descriptors - ScriptBlock" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", + "event_ids": [ + "4104" + ], + "id": "a47e2fc3-e3e3-9763-7cb2-d19df00ad719", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1553.005", + "T1553" + ], + "title": "Suspicious Mount-DiskImage" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", + "event_ids": [ + "4104" + ], + "id": "6535a2a7-e5ce-2a80-726d-8eb3b016084d", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0004", + "T1546.003", + "T1546" + ], + "title": "Powershell WMI Persistence" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", + "event_ids": [ + "4104" + ], + "id": "98d89b85-61ea-f78b-d1fa-cd52182b6b28", + 
"level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0003", + "T1574.012", + "T1574" + ], + "title": "Registry-Free Process Scope COR_PROFILER" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", + "event_ids": [ + "4104" + ], + "id": "4502b93e-2c0d-56b8-7ce1-35523e4fb0ba", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.001", + "T1562" + ], + "title": "Potential AMSI Bypass Script Using NULL Bits" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "event_ids": [ + "4104" + ], + "id": "53ba1f6b-70f2-242f-1377-8dc22d806e78", + "level": "critical", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0010" + ], + "title": "Suspicious PowerShell Mailbox Export to Share - PS" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "329df23d-a366-2e13-47f7-3c67cfb56f75",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0040",
+ "T1490"
+ ],
+ "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Obfuscated Powershell via use MSHTA in Scripts",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "d7307e8a-60da-106b-aeb8-c4ebd5c1fb6d",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "c9aa7755-6950-a83c-72f5-53d0eab019eb",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0009",
+ "T1056.001",
+ "T1056"
+ ],
+ "title": "Powershell Keylogging"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "f9889db2-6490-a082-33a3-1b46dff5e2f1",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0006",
+ "T1552.001",
+ "T1552"
+ ],
+ "title": "Extracting Information with PowerShell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "247b332c-8cf3-11c1-bf63-2693c99a6082",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "TA0007",
+ "T1482",
+ "T1087",
+ "T1087.001",
+ "T1087.002",
+ "T1069.001",
+ "T1069.002",
+ "T1069",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Malicious PowerShell Commandlets - ScriptBlock"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "bf9ed747-37f2-803e-2a51-91d56622d6ba",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0009",
+ "T1113"
+ ],
+ "title": "Windows Screen Capture with CopyFromScreen"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detect adversaries enumerate sensitive files",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "246287be-b277-41bc-b620-83f82d6006d3",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "T1083"
+ ],
+ "title": "Powershell Sensitive File Discovery"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "b3cb91b9-f3a8-1486-c398-1ea1e5183b3c",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "T1069.001",
+ "T1069"
+ ],
+ "title": "Suspicious Get Information for SMB Share"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "00b36dc9-4f98-0596-4487-6aabd187344b",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Obfuscated use of stdin to execute PowerShell",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "a4545017-4d6d-c3bd-7fec-62214f01e6b2",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "297f849b-2dff-ce76-be52-6f50e2f5d205",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1202"
+ ],
+ "title": "Troubleshooting Pack Cmdlet Execution"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "cc813de1-cf1f-dd91-bcfb-3821610d9dfc",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "PowerView PowerShell Cmdlets - ScriptBlock"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "80aaec39-a75b-8ad7-ac46-14fd5159f93f",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "T1069.002",
+ "T1069"
+ ],
+ "title": "Active Directory Group Enumeration With Get-AdGroup"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects creation of a local user via PowerShell",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "b49ece4c-cd58-540c-62a8-d4189dc45f3e",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "TA0003",
+ "T1136.001",
+ "T1059",
+ "T1136"
+ ],
+ "title": "PowerShell Create Local User"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "527063ac-15f7-52e7-7ced-4348087aaec7",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "94272bf4-116b-5204-4be6-69b2d5648fa4",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1564.006",
+ "T1564"
+ ],
+ "title": "Suspicious Hyper-V Cmdlets"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "8c8871af-c2f2-4671-9f1d-d6c3e90b7c42",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0011",
+ "T1105"
+ ],
+ "title": "Potential COM Objects Download Cradles Usage - PS Script"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\nThe DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "55d8816f-49cc-7135-b3b1-63d41ce23a01",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "DSInternals Suspicious PowerShell Cmdlets - ScriptBlock"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "ce3cad3a-afec-9acc-c763-9b4cb0fd5ece",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0003",
+ "T1574.011",
+ "stp.2a",
+ "T1574"
+ ],
+ "title": "Service Registry Permissions Weakness Check"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "b935d5dd-d5e5-51df-9c4f-dc30aec0a6e6",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1562.004",
+ "T1562"
+ ],
+ "title": "Windows Firewall Profile Disabled"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "a86c5f75-859a-89ac-20a4-ad3be80336c9",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "T1033"
+ ],
+ "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects keywords that could indicate clearing PowerShell history",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "36e3fc18-c21d-b046-86b0-9f14ccbb975e",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1070.003",
+ "T1070"
+ ],
+ "title": "Clear PowerShell History - PowerShell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects the use of PowerShell to identify the current logged user.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "43541d1d-9cb1-a49f-2fb9-4121c1302705",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "T1033"
+ ],
+ "title": "Suspicious PowerShell Get Current User"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "802477a9-01ea-d5f8-2ff9-44285787d0f7",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0003",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "PowerShell Web Access Installation - PsScript"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "4ee64eb7-79b5-d7d2-9ba7-89616409e7d0",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1620"
+ ],
+ "title": "Potential In-Memory Execution Using Reflection.Assembly"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "629a73b6-b63c-b6d1-5e2c-5d7ee3042f44",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0011",
+ "T1571"
+ ],
+ "title": "Testing Usage of Uncommonly Used Port"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "efbceae5-07cf-4b09-fc03-df062b971e10",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0011",
+ "T1071.001",
+ "T1071"
+ ],
+ "title": "Change User Agents with WebRequest"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "de547eac-5fa2-bf69-1a62-760251de3870",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0003",
+ "T1547.004",
+ "T1547"
+ ],
+ "title": "Winlogon Helper DLL"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "6ab29276-37b6-8501-afb8-33126a6a9918",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1218"
+ ],
+ "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects use of WinAPI functions in PowerShell scripts",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "edeeb148-ce01-b5b8-a531-3b364b7fd191",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1106",
+ "T1059"
+ ],
+ "title": "Potential WinAPI Calls Via PowerShell Scripts"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "f0174af7-3de1-3209-5f81-f96ff9d1f5c6",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0011",
+ "T1090"
+ ],
+ "title": "Suspicious TCP Tunnel Via PowerShell Script"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "f9203bdd-ca24-aced-1e79-b9cfd7936099",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0006",
+ "T1110.001",
+ "T1110"
+ ],
+ "title": "Suspicious Connection to Remote Account"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects calls to \"get-process\" where the output is piped to a \"where-object\" filter to search for security solution processes.\nAdversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "2e7d9c7a-fab3-d015-8552-39acf165059c",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "T1518.001",
+ "T1518"
+ ],
+ "title": "Security Software Discovery Via Powershell Script"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "b32352bf-5bcb-d3c9-a9eb-4bbf8ed85654",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1070.006",
+ "T1070"
+ ],
+ "title": "Powershell Timestomp"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "2b77aa85-451b-f506-eda5-71bef0c2bfa6",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "TA0002",
+ "T1027",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Potential PowerShell Obfuscation Using Alias Cmdlets"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects keywords from well-known PowerShell exploitation frameworks",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "4397a007-0c10-834b-0796-7b4b1b931b03",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Malicious PowerShell Keywords"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "70b65468-d1e8-0a6b-78c3-a458a95e477b",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "57e275e0-10cf-be8d-39b2-027fbfeb2913",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0011",
+ "T1573"
+ ],
+ "title": "Suspicious SSL Connection"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "2182e106-ae16-770c-3022-a67abacb10d0",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1070.005",
+ "T1070"
+ ],
+ "title": "PowerShell Deleted Mounted Share"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "f1205c3a-b112-f060-2b3e-b43fd3460482",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1070",
+ "T1562.006",
+ "car.2016-04-002",
+ "T1562"
+ ],
+ "title": "Disable of ETW Trace - Powershell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "a547df68-c62d-4415-9a62-cbe68f006b9e",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1564.004",
+ "T1564"
+ ],
+ "title": "Powershell Store File In Alternate Data Stream"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "ebdae8b0-7b83-5602-356e-b214571cee19",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1070.003",
+ "T1070"
+ ],
+ "title": "Disable Powershell Command History"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "addd9852-1b8e-322b-77eb-4a749ba8dca6",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1562",
+ "TA0002",
+ "T1059"
+ ],
+ "title": "Windows Defender Exclusions Added - PowerShell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects parameters used by WMImplant",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "a91bd8f4-12c9-8c19-370c-2ddece54fd99",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1047",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "WMImplant Hack Tool"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "647d9a85-b4af-a355-a79e-5ad4afa553bd",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0010",
+ "T1048.003",
+ "T1048"
+ ],
+ "title": "PowerShell ICMP Exfiltration"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Base64 encoded Shellcode",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "7f3d30e6-1565-4e09-7b13-5d7c5b8b0947",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "TA0004",
+ "T1055",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "PowerShell ShellCode"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "40e38653-158e-78ce-f816-60a159924dc9",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0006",
+ "TA0005",
+ "TA0007",
+ "TA0002",
+ "TA0004",
+ "T1046",
+ "T1082",
+ "T1106",
+ "T1518",
+ "T1548.002",
+ "T1552.001",
+ "T1555",
+ "T1555.003",
+ "T1552",
+ "T1548"
+ ],
+ "title": "HackTool - WinPwn Execution - ScriptBlock"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "a4603d3c-bb7c-8db0-3d8a-23f265190006",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0008",
+ "T1021.006",
+ "T1021"
+ ],
+ "title": "Execute Invoke-command on Remote Host"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects powershell scripts that import modules from suspicious directories",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "0a3956ee-9813-55f3-ca74-4d00e9df5262",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Import PowerShell Modules From Suspicious Directories"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "61d6fe12-d403-c9b3-bc3f-fb10de58a4c3",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "TA0043",
+ "TA0007",
+ "TA0006",
+ "TA0040"
+ ],
+ "title": "AADInternals PowerShell Cmdlets Execution - PsScript"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Commandlet names from ShellIntel exploitation scripts.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "e84977df-6377-368d-ed22-e05ee31e9947",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Malicious ShellIntel PowerShell Commandlets"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "516b2199-36c5-1a0d-13f4-87bcb22bc2bf",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0010"
+ ],
+ "title": "Suspicious PowerShell Mailbox SMTP Forward Rule"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "a91de133-e7bc-3e22-d4ec-af1bfe620409",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1218.007",
+ "T1218"
+ ],
+ "title": "PowerShell WMI Win32_Product Install MSI"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "a57f49ff-b916-4527-881f-bef76dc42248",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Powershell MsXml COM Object"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "cde108d4-944b-2594-02b8-61f2852260a1",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "PowerShell ADRecon Execution"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detect use of X509Enrollment",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "8acde15f-c52f-455b-127c-8de1892767e5",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1553.004",
+ "T1553"
+ ],
+ "title": "Suspicious X509Enrollment - Ps Script"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "33a52335-678e-da31-eb46-d7cfc302cb3e",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0040",
+ "T1531"
+ ],
+ "title": "Remove Account From Domain Admin Group"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "43de23b6-5e9c-142a-9e42-64992bede784",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0003",
+ "TA0005",
+ "TA0004",
+ "T1574.011",
+ "T1574"
+ ],
+ "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects execution of a PowerShell script that contains calls to the \"Veeam.Backup\" class, in order to dump stored credentials.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "5ac6d31e-76f4-b5ee-831e-7d076ff2dca6",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0006"
+ ],
+ "title": "Veeam Backup Servers Credential Dumping Script Execution"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "f5ce4704-7343-4e6a-f741-f53b6d412d1f",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0003",
+ "T1137.006",
+ "T1137"
+ ],
+ "title": "Code Executed Via Office Add-in XLL File"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "c9326131-769a-8ba4-03f2-7d17f9847a50",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005"
+ ],
+ "title": "Potential Suspicious Windows Feature Enabled"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects suspicious PowerShell download command",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "e3888b82-f1d3-14e8-54e5-16b522dfd8a9",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Suspicious PowerShell Download - Powershell Script"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "b0c6066e-a243-d2f6-c744-990ed060759c",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0006",
+ "T1003"
+ ],
+ "title": "Potential Invoke-Mimikatz PowerShell Script"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "0fb43313-1253-f71b-1a13-e10e073c1627",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "T1033"
+ ],
+ "title": "Get-ADUser Enumeration Using UserAccountControl Flags"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the Windows event logs",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "a8e07a3d-571c-0d25-729b-fa16be9ea6c5",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1070.001",
+ "T1070"
+ ],
+ "title": "Suspicious Eventlog Clear"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "33f62d96-55cf-87d2-e9f0-0a5fff75a278",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0006",
+ "T1003.003",
+ "attack.ds0005",
+ "T1003"
+ ],
+ "title": "Create Volume Shadow Copy with Powershell"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "13a97026-d21c-5c67-761d-537efe8f3fe7",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "T1083"
+ ],
+ "title": "Powershell Directory Enumeration"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detect use of Get-GPO to get one GPO or all the GPOs in a domain.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "43254631-95ca-6c3c-11bc-16c19f09e819",
+ "level": "low",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0007",
+ "T1615"
+ ],
+ "title": "Suspicious GPO Discovery With Get-GPO"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "80fe1b47-6d38-9fc5-9535-6afd04b55a15",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0043",
+ "TA0007",
+ "TA0040"
+ ],
+ "title": "Potential Active Directory Enumeration Using AD Module - PsScript"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "7778d03c-e7bd-53bb-1f84-6557e3ecf12d",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0009",
+ "T1074.001",
+ "T1074"
+ ],
+ "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "f1a1daa1-2c4e-6354-e062-1f80427eafc3",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "PowerShell Remote Session Creation"
+ },
+ {
+ "category": "ps_script",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014",
+ "event_ids": [
+ "4104"
+ ],
+ "id": "30be45df-1ada-4075-3586-5a3d6eda8cd3",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell"
+ },
+ {
+ "category": "ps_module",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n",
+ "event_ids": [
+ "4103"
+ ],
+ "id": "a707acca-c4f5-6929-a1fc-0908ab087be0",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0009",
+ "T1074.001",
+ "T1074"
+ ],
+ "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module"
+ },
+ {
+ "category": "ps_module",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.\n",
+ "event_ids": [
+ "4103"
+ ],
+ "id": "a0ecd6f3-309d-3ad0-2231-421f98a89f32",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0008"
+ ],
+ "title": "HackTool - Evil-WinRm Execution - PowerShell Module"
+ },
+ {
+ "category": "ps_module",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects suspicious PowerShell invocation command parameters",
+ "event_ids": [
+ "4103"
+ ],
+ "id": "e27c3517-69ca-c8c3-fc57-c4baba10867f",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module"
+ },
+ {
+ "category": "ps_module",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects remote PowerShell sessions",
+ "event_ids": [
+ "4103"
+ ],
+ "id": "d8bf9898-a71e-347a-25d6-1fde2e2925e6",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "TA0008",
+ "T1021.006",
+ "T1059",
+ "T1021"
+ ],
+ "title": "Remote PowerShell Session (PS Module)"
+ },
+ {
+ "category": "ps_module",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects Obfuscated Powershell via Stdin in Scripts",
+ "event_ids": [
+ "4103"
+ ],
+ "id": "58925ff0-2936-8ebd-4c28-8fdbb8ac19a8",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Invoke-Obfuscation Via Stdin - PowerShell Module"
+ },
+ {
+ "category": "ps_module",
+ "channel": [
+ "pwsh",
+ "pwsh"
+ ],
+ "description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". 
This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.", + "event_ids": [ + "4103" + ], + "id": "c2325f35-edc7-9b45-d0bc-548ab4074e0a", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "event_ids": [ + "4103" + ], + "id": "93fea8ea-89ab-d08a-3904-a6949999010c", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. 
Which is often used by attackers to perform AD enumeration.", + "event_ids": [ + "4103" + ], + "id": "043fe2ff-2844-9176-3d40-aa3bf3e794a6", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0043", + "TA0007", + "TA0040" + ], + "title": "Potential Active Directory Enumeration Using AD Module - PsModule" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads\nthat often undergo minimal changes by attackers due to bad opsec.\n", + "event_ids": [ + "4103" + ], + "id": "118c017d-54bd-d0a7-e24e-74482fd67b54", + "level": "critical", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Bad Opsec Powershell Code Artifacts" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "event_ids": [ + "4103" + ], + "id": "b7826f95-a54d-d6e4-d4e0-38998c4eb8d7", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Alternate PowerShell Hosts - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "event_ids": [ + "4103" + ], + "id": "8485a923-ab47-503c-8823-f930f71f83a1", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1049" + ], + "title": "Use Get-NetTCPConnection - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + 
"description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "event_ids": [ + "4103" + ], + "id": "9863342f-1e0e-72c5-8faa-674337cd6d2b", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1218" + ], + "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.", + "event_ids": [ + "4103" + ], + "id": "e4ba78e1-d659-9152-8504-cae6d6c7372e", + "level": "informational", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1140" + ], + "title": "PowerShell Decompress Commands" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "event_ids": [ + "4103" + ], + "id": "d1ec8808-93c9-9dcb-b4b8-b20791287ee2", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "event_ids": [ + "4103" + ], + "id": "36554b35-d185-3e51-6b7f-9b61726b8d3a", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "TA0007", + "T1482", + "T1087", + "T1087.001", + "T1087.002", + "T1069.001", + "T1069.002", + "T1069", + "T1059.001", + "T1059" + ], + "title": "Malicious PowerShell Commandlets - PoshModule" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account 
password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", + "event_ids": [ + "4103" + ], + "id": "31981511-e5c7-fa6d-65dd-422e26ba8f0d", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0001", + "T1078" + ], + "title": "Suspicious Computer Machine Password by PowerShell" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "event_ids": [ + "4103" + ], + "id": "61ec8448-ba5d-0b4f-8089-eb047d43a2ec", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "event_ids": [ + "4103" + ], + "id": "c539a450-9d59-8ac3-1709-f3b5f2e5a989", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "event_ids": [ + "4103" + ], + "id": "85b06a92-2ad6-ef34-57c3-fac694f74095", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1003.003", + "T1003" + ], + "title": "Suspicious Get-ADDBAccount Usage" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "event_ids": [ + "4103" + ], + "id": 
"567da8d6-9387-9852-16ed-a336bfaad91e", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects suspicious PowerShell download command", + "event_ids": [ + "4103" + ], + "id": "3a7c8368-70ba-0539-d7a9-662a59306969", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Download - PoshModule" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", + "event_ids": [ + "4103" + ], + "id": "a26b0227-f81e-097b-19ba-ffbb04417ccc", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Malicious PowerShell Scripts - PoshModule" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects the use of PowerShell modules and cmdlets to gather local group information.\nAdversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.\n", + "event_ids": [ + "4103" + ], + "id": "300dbe85-b7a0-be0b-aa57-321c1ee97848", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1069.001", + "T1069" + ], + "title": "Suspicious Get Local Groups Information" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for 
Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", + "event_ids": [ + "4103" + ], + "id": "a1d89efd-6d69-416b-3004-ec9c460a863d", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1069.001", + "T1069" + ], + "title": "Suspicious Get Information for SMB Share - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.", + "event_ids": [ + "4103" + ], + "id": "8ed7f4b3-91aa-4c85-95e8-a361f9004b2e", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0009", + "T1115" + ], + "title": "PowerShell Get Clipboard" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "event_ids": [ + "4103" + ], + "id": "acb9f9fe-df3e-be2a-239f-51b194099630", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects suspicious PowerShell invocation command parameters", + "event_ids": [ + "4103" + ], + "id": "da4a803e-e609-d187-675c-d7e7f0083763", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine 
which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", + "event_ids": [ + "4103" + ], + "id": "f3c1031c-796c-6c50-7af9-c490e09550f6", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0007", + "T1069.001", + "T1069" + ], + "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", + "event_ids": [ + "4103" + ], + "id": "b21405ff-2071-082b-067f-fa116d28a858", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects keywords that could indicate clearing PowerShell history", + "event_ids": [ + "4103" + ], + "id": "5dea4020-38c8-b6d5-ebdb-2a7cfa20044e", + "level": "medium", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1070.003", + "T1070" + ], + "title": "Clear PowerShell History - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "event_ids": [ + "4103" + ], + "id": "6ead282b-ed6b-7f68-1ed2-b8f5fb092b4e", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Obfuscated Powershell via 
VAR++ LAUNCHER", + "event_ids": [ + "4103" + ], + "id": "b2064db0-e465-72c2-edcc-57cfd9676207", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" + }, + { + "category": "ps_module", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "event_ids": [ + "4103" + ], + "id": "7a595cb6-87c9-7d42-5bf9-f404e939d500", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1027", + "TA0002", + "T1059.001", + "T1059" + ], + "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], + "description": "Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.", + "event_ids": [ + "2004", + "2071", + "2097" + ], + "id": "bf17c34a-7b9d-65a8-a143-afa9c13e1fe4", + "level": "high", + "service": "firewall-as", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.004", + "T1562" + ], + "title": "New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], + "description": "Detects activity when The Windows Defender Firewall service failed to load Group Policy", + "event_ids": [ + "2009" + ], + "id": "33a69619-460b-90f5-19b1-2f34036caf0a", + "level": "low", + "service": "firewall-as", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.004", + "T1562" + ], + "title": "The Windows Defender Firewall Service Failed To Load Group Policy" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], + 
"description": "Detects the addition of a new \"Allow\" firewall rule by the WMI process (WmiPrvSE.EXE).\nThis can occur if an attacker leverages PowerShell cmdlets such as \"New-NetFirewallRule\", or directly uses WMI CIM classes such as \"MSFT_NetFirewallRule\".\n", + "event_ids": [ + "2004", + "2071", + "2097" + ], + "id": "ac6e5dab-06d1-5064-a91c-0eb6246d22bd", + "level": "medium", + "service": "firewall-as", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.004", + "T1562" + ], + "title": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], + "description": "Detects activity when Windows Defender Firewall has been reset to its default configuration", + "event_ids": [ + "2032", + "2060" + ], + "id": "e2592615-38d5-5099-c59f-83ab34a11d9a", + "level": "low", + "service": "firewall-as", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.004", + "T1562" + ], + "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], + "description": "Detects when a rule has been added to the Windows Firewall exception list", + "event_ids": [ + "2004", + "2071", + "2097" + ], + "id": "a1dbd390-a4c5-755a-1b1f-a76aabbecbbc", + "level": "medium", + "service": "firewall-as", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.004", + "T1562" + ], + "title": "Uncommon New Firewall Rule Added In Windows Firewall Exception List" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], + "description": "Detects activity when the settings of the Windows firewall have been changed", + "event_ids": [ + "2002", + "2003", + "2008", + "2082", + "2083" + ], + "id": "a0062bfc-2eba-05df-e231-f4a44b1317ab", + "level": "low", + 
"service": "firewall-as", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.004", + "T1562" + ], + "title": "Windows Firewall Settings Have Been Changed" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], + "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", + "event_ids": [ + "2006", + "2052" + ], + "id": "55827aab-4062-032f-35e7-2406dc57c35e", + "level": "medium", + "service": "firewall-as", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.004", + "T1562" + ], + "title": "A Rule Has Been Deleted From The Windows Firewall Exception List" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" + ], + "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", + "event_ids": [ + "2033", + "2059" + ], + "id": "3623c339-f1c5-67f2-a5a2-ddb078d75f69", + "level": "high", + "service": "firewall-as", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1562.004", + "T1562" + ], + "title": "All Rules Have Been Deleted From The Windows Firewall Configuration" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-LSA/Operational" + ], + "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", + "event_ids": [ + "300" + ], + "id": "7536b3d3-6765-4433-9269-2d460cb10adf", + "level": "medium", + "service": "lsa-server", + "subcategory_guids": [], + "tags": [ + "TA0006", + "TA0004" + ], + "title": "Standard User In High Privileged Group" }, { "category": "", 
@@ -37055,91 +46518,64 @@ ], "title": "HybridConnectionManager Service Running" }, - { - "category": "", - "channel": [ - "Application" - ], - "description": "Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on \"Application Error\" log where the faulting application is \"lsass.exe\" and the faulting module is \"WLDAP32.dll\".\n", - "event_ids": [ - "1000" - ], - "id": "1117f6c7-1c68-9c6e-c3e8-191e9d687387", - "level": "high", - "service": "application", - "subcategory_guids": [], - "tags": [ - "TA0040", - "T1499", - "cve.2024-49113", - "detection.emerging-threats" - ], - "title": "CVE-2024-49113 Exploitation Attempt - LDAP Nightmare" - }, { "category": "", "channel": [ "sec" ], - "description": "This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.\nThis requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.\n", + "description": "Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.", "event_ids": [ - "4663" + "4656", + "4663", + "5145" ], - "id": "74d067bc-3f42-3855-c13d-771d589cf11c", - "level": "critical", + "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", + "level": "high", "service": "security", "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9244-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0001", - "TA0003", - "cve.2024-1708", + "TA0040", + "T1486", "detection.emerging-threats" ], - "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" + "title": "BlueSky Ransomware Artefacts" }, { "category": "", "channel": [ - "sec" + "Application" 
], - "description": "Detects any creation or modification to a windows domain group with the name \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n", + "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", "event_ids": [ - "4727", - "4728", - "4731", - "4737", - "4754", - "4755", - "4756" + "8128" ], - "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", + "id": "e177969a-73cc-a32c-b948-cb580287057a", "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], + "service": "application", + "subcategory_guids": [], "tags": [ - "TA0002", - "cve.2024-37085", + "TA0003", + "T1546", "detection.emerging-threats" ], - "title": "Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity" + "title": "MSSQL Extended Stored Procedure Backdoor Maggie" }, { "category": "process_creation", "channel": [ "sec" ], - "description": "Detects execution of the \"net.exe\" command in order to add a group named \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n", + "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", "event_ids": [ "4688" ], - "id": "15644804-cc2a-8565-e214-eefd44105fed", + "id": 
"228eed07-6e91-fd77-f72d-32e28f0a3739", "level": "high", "service": "", "subcategory_guids": [ 
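Review bot: The "BlueSky Ransomware Artefacts" rule added in this hunk relies on events 4656/4663 and 5145, which Windows only emits when Object Access auditing is enabled for the subcategories listed in `subcategory_guids` (File System, Detailed File Share, etc.) and, for 4656/4663, when a SACL exists on the accessed paths, yet the new description says nothing about this, whereas the removed ScreenConnect rule spelled out its 4663/SACL prerequisite. I would append to the description `\nRequires Object Access auditing (File System, Detailed File Share) and a SACL on the monitored paths for 4656/4663 to be logged; 5145 is high-volume and may need tuning.` so operators do not deploy a rule that can never fire. In the "MSSQL Extended Stored Procedure Backdoor Maggie" rule the description reads "extended storage procedure"; it should be "extended stored procedure" to match the title and the SQL Server term. The last rule object (`228eed07-…`) is cut by the hunk boundary and its `subcategory_guids`, `tags` and `title` continue in the next hunk.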
@@ -37147,35 +46583,1073 @@ ], "tags": [ "TA0002", - "cve.2024-37085", "detection.emerging-threats" ], - "title": "Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group" + "title": "Potential Raspberry Robin Dot Ending File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects raspberry robin subsequent execution of commands.", + "event_ids": [ + "4688" + ], + "id": "d14ca8ab-730c-d8b6-195c-9cd426d66a34", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "detection.emerging-threats", + "T1059" + ], + "title": "Raspberry Robin Subsequent Execution of Commands" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the initial execution of the Raspberry Robin malware from an external drive using \"Cmd.EXE\".", + "event_ids": [ + "4688" + ], + "id": "f0eeba30-c955-c5ae-d78a-83e0f3a115ea", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "detection.emerging-threats", + "T1059" + ], + "title": "Raspberry Robin Initial Execution From External Drive" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects post exploitation execution technique of the Serpent backdoor.\nAccording to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.\nIt creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.\n", + "event_ids": [ + "4688" + ], + "id": "aadf7b08-beb0-7b83-9155-bc9cf4ea77be", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0003", + "T1053.005", + "T1059.006", + "detection.emerging-threats", + "T1053", + "T1059" + ], + 
"title": "Serpent Backdoor Payload Execution Via Scheduled Task" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", + "event_ids": [ + "4688" + ], + "id": "2a9fb7e5-5c2d-b57d-62d3-17245085abdc", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0008", + "T1021.001", + "detection.emerging-threats", + "T1021" + ], + "title": "Hermetic Wiper TG Process Patterns" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.\nThe \".lnk\" file was delivered via phishing campaign.\n", + "event_ids": [ + "4688" + ], + "id": "b5aa09e0-6b91-0111-57d5-0c7dd40b2208", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.006", + "detection.emerging-threats", + "T1059" + ], + "title": "Emotet Loader Execution Via .LNK File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", + "event_ids": [ + "4688" + ], + "id": "08d5c383-090f-b317-6fdd-e815d17f2ab6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1053", + "T1053.005", + "detection.emerging-threats" + ], + "title": "Potential ACTINIUM Persistence Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious command line patterns seen being used by MERCURY APT", + "event_ids": [ + "4688" + ], + "id": "48adf0e2-62e3-9147-1be4-087852d3a4a5", + "level": "high", + "service": "", + "subcategory_guids": [ + 
"0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "attack.g0069", + "detection.emerging-threats", + "T1059" + ], + "title": "MERCURY APT Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", + "event_ids": [ + "4688" + ], + "id": "04ed5400-e750-0076-db95-3a48baa00f30", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "cve.2022-29072", + "detection.emerging-threats" + ], + "title": "Potential CVE-2022-29072 Exploitation Attempt" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)", + "event_ids": [ + "4688" + ], + "id": "a34c1c69-20be-c05f-9985-e8dfdd6387df", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0002", + "cve.2023-21554", + "detection.emerging-threats" + ], + "title": "Potential CVE-2023-21554 QueueJumper Exploitation" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "event_ids": [ + "4657" + ], + "id": "9754f622-65d5-8c9b-7762-f074e2d502ed", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1221", + "detection.emerging-threats" + ], 
+ "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.\nAs reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat \"prunsrv.exe\" process application.\n", + "event_ids": [ + "4688" + ], + "id": "c673198f-36bd-eaf8-5986-f439d6b8c2a8", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0001", + "T1059.006", + "T1190", + "cve.2022-22954", + "detection.emerging-threats", + "T1059" + ], + "title": "Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. 
CVE-2022-41120)", + "event_ids": [ + "4688" + ], + "id": "8093c636-02d2-54cd-0170-9c7037dadfda", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1068", + "cve.2022-41120", + "detection.emerging-threats" + ], + "title": "Suspicious Sysmon as Execution Parent" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects DarkSide Ransomware and helpers", + "event_ids": [ + "4688" + ], + "id": "29b10082-a29d-5f77-a7da-8ef6d105ab32", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204", + "detection.emerging-threats" + ], + "title": "DarkSide Ransomware Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "event_ids": [ + "4688" + ], + "id": "2efc692b-49f5-1d23-c6ca-3e4e63d3026c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1574.001", + "detection.emerging-threats", + "T1574" + ], + "title": "Pingback Backdoor Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects command line patterns used by BlackByte ransomware in different operations", + "event_ids": [ + "4688" + ], + "id": "de11bbb4-9429-4ee9-9039-d71a174c512e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "TA0040", + "T1485", + "T1498", + "T1059.001", + "T1140", + "detection.emerging-threats", + "T1059" + ], + "title": "Potential BlackByte Ransomware Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific process behavior observed with Devil Bait 
samples", + "event_ids": [ + "4688" + ], + "id": "35938479-283e-16c7-ff2a-78b5f267f8f6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "detection.emerging-threats" + ], + "title": "Potential Devil Bait Malware Reconnaissance" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.", + "event_ids": [ + "4688" + ], + "id": "d0813182-98c0-431d-4f35-12d9dc087b3b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1574.001", + "detection.emerging-threats", + "T1574" + ], + "title": "Small Sieve Malware CommandLine Indicator" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware", + "event_ids": [ + "4657" + ], + "id": "8376c984-b3da-370c-ff20-3c9c0dc9f18e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "detection.emerging-threats" + ], + "title": "Small Sieve Malware Registry Persistence" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects \"GoogleUpdate.exe\" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor", + "event_ids": [ + "4688" + ], + "id": "f4ecb52a-58a8-1b58-2edc-0d083d0df505", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "detection.emerging-threats" + ], + "title": "Potential Goofy Guineapig GoolgeUpdate Process Anomaly" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a specific broken 
command that was used by Goofy-Guineapig as described by the NCSC report.", + "event_ids": [ + "4688" + ], + "id": "0704ac61-5014-80cc-4899-419448a02edf", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "Potential Goofy Guineapig Backdoor Activity" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects service creation persistence used by the Goofy Guineapig backdoor", + "event_ids": [ + "7045" + ], + "id": "0375abd6-f86e-a665-27a0-501b2a1621a8", + "level": "critical", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "detection.emerging-threats" + ], + "title": "Goofy Guineapig Backdoor Service Creation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a command used by conti to exfiltrate NTDS", + "event_ids": [ + "4688" + ], + "id": "458bad33-8cea-bc4b-b0f7-24a975aae847", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1560", + "detection.emerging-threats" + ], + "title": "Conti NTDS Exfiltration Command" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a command used by conti to find volume shadow backups", + "event_ids": [ + "4688" + ], + "id": "cff3f656-4a93-c909-b0a0-0cbc53341fe8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1587.001", + "TA0042", + "detection.emerging-threats", + "T1587" + ], + "title": "Conti Volume Shadow Listing" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a specific command used by the Conti ransomware group", + "event_ids": [ + "4688" + ], + "id": "0f5f5afd-9d5f-a6e0-5374-15a232233275", + "level": "critical", + "service": "", + 
"subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "attack.s0575", + "T1486", + "detection.emerging-threats" + ], + "title": "Potential Conti Ransomware Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a command used by conti to dump database", + "event_ids": [ + "4688" + ], + "id": "ba261ff0-33d7-32ab-4a68-618467284009", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0009", + "T1005", + "detection.emerging-threats" + ], + "title": "Potential Conti Ransomware Database Dumping Activity Via SQLCmd" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", + "event_ids": [ + "4688" + ], + "id": "be68dda9-dcd8-3f19-1263-fb0ec5c4f624", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1546", + "T1053", + "attack.g0125", + "detection.emerging-threats" + ], + "title": "HAFNIUM Exchange Exploitation Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", + "event_ids": [ + "4688" + ], + "id": "9c814658-2890-e222-15ec-41330fd1fad0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1546", + "T1546.015", + "TA0003", + "TA0004", + "detection.emerging-threats" + ], + "title": "SOURGUM Actor Behaviours" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", + "event_ids": [ + "4688" + ], + "id": 
"a8018a36-765e-3a40-8a76-cc0bc318f8d6", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059", + "attack.g0115", + "detection.emerging-threats" + ], + "title": "REvil Kaseya Incident Malware Patterns" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", + "event_ids": [ + "4688" + ], + "id": "4a49be77-9768-f48f-06ff-6670c49744f2", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1553", + "detection.emerging-threats" + ], + "title": "Suspicious RazerInstaller Explorer Subprocess" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", + "event_ids": [ + "4688" + ], + "id": "8e5b10ed-ce69-5075-d3d8-fbb3de65ff2f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059", + "cve.2021-40444", + "detection.emerging-threats" + ], + "title": "Potential CVE-2021-40444 Exploitation Attempt" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Office applications executing a child process that includes directory traversal patterns. 
This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", + "event_ids": [ + "4688" + ], + "id": "00676efc-2e92-d9a5-446a-9ba1c79c4e85", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "cve.2021-40444", + "detection.emerging-threats" + ], + "title": "Potential Exploitation Attempt From Office Application" + }, + { + "category": "", + "channel": [ + "MSExchange Management" + ], + "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", + "event_ids": [ + "6", + "8" + ], + "id": "429ee035-2f74-8a92-ad19-a448e450bb5e", + "level": "high", + "service": "msexchange-management", + "subcategory_guids": [], + "tags": [ + "TA0008", + "T1210", + "detection.emerging-threats" + ], + "title": "Possible Exploitation of Exchange RCE CVE-2021-42321" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", + "event_ids": [ + "4688" + ], + "id": "8c7a964a-71e9-b30a-6637-7a43c307510a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "TA0002", + "T1190", + "T1059", + "cve.2021-26084", + "detection.emerging-threats" + ], + "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt" }, { "category": "", "channel": [ "sec" ], - "description": "This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.\nThis will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.\nThis requires an Advanced 
Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.\n", + "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", "event_ids": [ - "4663" + "4781" ], - "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", - "level": "medium", + "id": "17662114-5bee-2566-359c-68d830193830", + "level": "high", "service": "security", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9235-69AE-11D9-BED3-505054503030" ], "tags": [ "TA0005", - "cve.2024-1709", + "TA0003", + "T1036", + "T1098", + "cve.2021-42287", "detection.emerging-threats" ], - "title": "ScreenConnect User Database Modification - Security" + "title": "Suspicious Computer Account Name Change CVE-2021-42287" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", + "event_ids": [ + "1033" + ], + "id": "8e38887f-8e20-477d-26c1-0862951ae91b", + "level": "high", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0001", + "T1190", + "detection.emerging-threats" + ], + "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", + "event_ids": [ + "4688" + ], + "id": "963ed93f-0486-5cc3-afc2-caa06ef8b627", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1068", + 
"cve.2021-41379", + "detection.emerging-threats" + ], + "title": "Potential CVE-2021-41379 Exploitation Attempt" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", + "event_ids": [ + "4688" + ], + "id": "4084760d-7ac7-aa67-d486-64383ae4b98e", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1068", + "detection.emerging-threats" + ], + "title": "Potential SystemNightmare Exploitation Attempt" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", + "event_ids": [ + "4688" + ], + "id": "ccdd2798-8320-c919-4e0d-210c344a3f2e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1203", + "TA0002", + "cve.2021-26857", + "detection.emerging-threats" + ], + "title": "Potential CVE-2021-26857 Exploitation Attempt" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "event_ids": [ + "35", + "36", + "37", + "38" + ], + "id": "8a194220-2afd-d5a9-0644-0a2d76019999", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1558.003", + "cve.2021-42278", + "detection.emerging-threats", + "T1558" + ], + "title": "Potential CVE-2021-42278 Exploitation Attempt" + }, + { + "category": "process_creation", + 
"channel": [ + "sec" + ], + "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", + "event_ids": [ + "4688" + ], + "id": "e40fd714-eaab-3ce4-3a3d-de697f78ed6a", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1136.001", + "cve.2021-35211", + "detection.emerging-threats", + "T1136" + ], + "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.\n", + "event_ids": [ + "4688" + ], + "id": "88ad8420-1fd5-6e62-470b-6eaad464d86d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1190", + "cve.2021-44228", + "detection.emerging-threats" + ], + "title": "Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-PrintService/Admin" + ], + "description": "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675", + "event_ids": [ + "808" + ], + "id": "5c10c39e-b9f6-d321-3598-62095b34b663", + "level": "high", + "service": "printservice-admin", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1569", + "cve.2021-1675", + "detection.emerging-threats" + ], + "title": "Possible CVE-2021-1675 Print Spooler Exploitation" + }, + { + "category": "antivirus", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .", + "event_ids": [ + "1006", + "1007", 
+ "1008", + "1009", + "1010", + "1011", + "1012", + "1017", + "1018", + "1019", + "1115", + "1116" + ], + "id": "aef0711e-c055-e870-92bc-ea130059eed1", + "level": "critical", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "TA0004", + "T1055", + "detection.emerging-threats" + ], + "title": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "event_ids": [ + "5145" + ], + "id": "52b5923e-1ef2-aaad-5513-3c830f3c5850", + "level": "critical", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1569", + "cve.2021-1675", + "cve.2021-34527", + "detection.emerging-threats" + ], + "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-PrintService/Operational" + ], + "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "event_ids": [ + "316" + ], + "id": "ae207e8e-3dfd-bd05-1161-e0472778f2be", + "level": "critical", + "service": "printservice-operational", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1569", + "cve.2021-1675", + "detection.emerging-threats" + ], + "title": "CVE-2021-1675 Print Spooler Exploitation" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "event_ids": [ + "4657" + ], + "id": "a4072638-9c3a-3307-e4f9-458edbb60efb", + "level": "critical", + "service": "", + "subcategory_guids": [ + 
"0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1566", + "T1203", + "cve.2021-33771", + "cve.2021-31979", + "detection.emerging-threats" + ], + "title": "CVE-2021-31979 CVE-2021-33771 Exploits" }, { "category": "process_creation", 
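Review bot: The new `tags` arrays mix two conventions — tactic and technique IDs are bare (`TA0002`, `T1059.001`) while group and software IDs keep the Sigma prefix (`attack.g0069` in MERCURY APT Activity, `attack.s0575` in Potential Conti Ransomware Activity, `attack.g0125` in HAFNIUM Exchange Exploitation Activity, `attack.g0115` in REvil Kaseya Incident Malware Patterns), so a consumer that resolves tags by bare ATT&CK ID will silently miss the group/software references; the converter should strip or keep the prefix uniformly. Two strings also carry what look like upstream conversion artefacts: the CVE-2021-26857 description contains a stray `|` (`... by looking for | abnormal subprocesses ...`, likely a YAML block indicator) and the Goofy Guineapig title reads `GoolgeUpdate`. The tag set on Conti Volume Shadow Listing (`TA0042`, `T1587.001`, i.e. Resource Development) looks mis-mapped for a shadow-copy enumeration command and is worth checking against the upstream rule. Several CVE-referencing rules omit the `cve.*` tag that sibling rules carry — the MSDT registry rule for CVE-2022-30190, the Office-application rule that also names CVE-2022-30190, and the Defender PrinterNightmare rule for CVE-2021-34527/CVE-2021-1675 — which makes CVE-based filtering of this file incomplete. The CVE-2024-37085 and CVE-2024-1709 entries removed in this hunk presumably reappear elsewhere as a reorder; if they do not, the commit drops coverage for two 2024 emerging threats without saying so.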
@@ -37199,51 +47673,29 @@ ], "title": "Lummac Stealer Activity - Execution Of More.com And Vbc.exe" }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of a \".CPL\" file located in the user temp directory via the Shell32 DLL \"Control_RunDLL\" export function.\nThis behavior was observed in multiple Raspberry-Robin variants.\n", - "event_ids": [ - "4688" - ], - "id": "4f3b55b9-3f7f-11c9-08ec-023ffed290a0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "T1218.011", - "detection.emerging-threats", - "T1218" - ], - "title": "Potential Raspberry Robin CPL Execution Activity" - }, { "category": "registry_set", "channel": [ "sec" ], - "description": "Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.\nRaspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.\n", + "description": "Detects registry set activity of a value called \"Seed\" stored in the \"\\Cryptography\\Providers\\\" registry key.\nThe Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.\n", "event_ids": [ "4657" ], - "id": "e46b4e96-6396-bb54-0d11-e1aada87c21e", - "level": "low", + "id": "48e70678-2188-d6d9-11d7-598823558254", + "level": "medium", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "T1112", + "TA0003", "TA0005", - "detection.emerging-threats" + "T1553.003", + "detection.emerging-threats", + "T1553" ], - "title": "Potential Raspberry Robin Registry Set Internet Settings ZoneMap" + "title": "Kapeka Backdoor Configuration 
Persistence" }, { "category": "registry_set", 
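Review bot: This hunk and the ones at @@ -37345, @@ -37390 and @@ -37476 are mostly the same rules changing position — the Raspberry Robin CPL and proxy rules, the Kapeka rule, both KamiKakaBot rules and the Forest Blizzard process-creation rule are each removed at one offset and re-added verbatim at another — which suggests the generator does not emit array entries in a deterministic order. Sorting the array by `id` (or by `title`) before serialising would turn these into no-op diffs and leave only the genuine additions and removals for review. If any consumer relies on array position (first-match evaluation, for example), the reorder is also a behavioural change that the commit description should call out; from the hunks alone I cannot tell whether one does.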
@@ -37345,24 +47797,91 @@ "channel": [ "sec" ], - "description": "Detects registry set activity of a value called \"Seed\" stored in the \"\\Cryptography\\Providers\\\" registry key.\nThe Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.\n", + "description": "Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.\nRaspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.\n", "event_ids": [ "4657" ], - "id": "48e70678-2188-d6d9-11d7-598823558254", - "level": "medium", + "id": "e46b4e96-6396-bb54-0d11-e1aada87c21e", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1112", + "TA0005", + "detection.emerging-threats" + ], + "title": "Potential Raspberry Robin Registry Set Internet Settings ZoneMap" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of a \".CPL\" file located in the user temp directory via the Shell32 DLL \"Control_RunDLL\" export function.\nThis behavior was observed in multiple Raspberry-Robin variants.\n", + "event_ids": [ + "4688" + ], + "id": "4f3b55b9-3f7f-11c9-08ec-023ffed290a0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "T1218.011", + "detection.emerging-threats", + "T1218" + ], + "title": "Potential Raspberry Robin CPL Execution Activity" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was 
observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "event_ids": [ + "4657" + ], + "id": "396c509f-60dd-659f-6cd4-7e6e45322d5e", + "level": "high", "service": "", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ "TA0003", - "TA0005", - "T1553.003", + "T1547.001", "detection.emerging-threats", - "T1553" + "T1547" ], - "title": "Kapeka Backdoor Configuration Persistence" + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "event_ids": [ + "4688" + ], + "id": "ee52db74-7cf0-30dd-3b79-d7de7002360a", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059", + "detection.emerging-threats" + ], + "title": "Potential KamiKakaBot Activity - Lure Document Execution" }, { "category": "process_creation", 
@@ -37390,45 +47909,22 @@ "channel": [ "sec" ], - "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "description": "Detects the execution of specific processes and command line combination.\nThese were seen being created by Forest Blizzard as described by MSFT.\n", "event_ids": [ "4688" ], - "id": "ee52db74-7cf0-30dd-3b79-d7de7002360a", - "level": "medium", + "id": "bdf164e3-a724-140c-60ba-88a87f1416e4", + "level": "high", "service": "", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0002", - "T1059", "detection.emerging-threats" ], - "title": "Potential KamiKakaBot Activity - Lure Document Execution" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", - "event_ids": [ - "4657" - ], - "id": "396c509f-60dd-659f-6cd4-7e6e45322d5e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "detection.emerging-threats", - "T1547" - ], - "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence" + "title": "Forest Blizzard APT - Process Creation Activity" }, { "category": "registry_set", 
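Review bot: The "Forest Blizzard APT - Process Creation Activity" entry that lands here carries only tactic tags (`TA0005`, `TA0002`) and a description that says "as described by MSFT" without naming the advisory, which makes it the only APT rule in this region with no technique or group tag to pivot on. Other group rules in this file use `attack.gXXXX` identifiers (e.g. `attack.g0128` for APT31), so if the Forest Blizzard → APT28 mapping is confirmed the matching group tag should be added, and the description should name the Microsoft report it is derived from, e.g. `These were seen being created by Forest Blizzard as described in Microsoft's public reporting on the group (add report title/date).` The hunk otherwise only moves existing entries; the surrounding array continues outside it.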
@@ -37476,28 +47972,6 @@ ], "title": "Forest Blizzard APT - Custom Protocol Handler DLL Registry Set" }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of specific processes and command line combination.\nThese were seen being created by Forest Blizzard as described by MSFT.\n", - "event_ids": [ - "4688" - ], - "id": "bdf164e3-a724-140c-60ba-88a87f1416e4", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "detection.emerging-threats" - ], - "title": "Forest Blizzard APT - Process Creation Activity" - }, { "category": "process_creation", "channel": [ 
@@ -37523,71 +47997,980 @@ "title": "Potential APT FIN7 Exploitation Activity" }, { - "category": "process_creation", + "category": "", + "channel": [ + "Application" + ], + "description": "Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on \"Application Error\" log where the faulting application is \"lsass.exe\" and the faulting module is \"WLDAP32.dll\".\n", + "event_ids": [ + "1000" + ], + "id": "1117f6c7-1c68-9c6e-c3e8-191e9d687387", + "level": "high", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0040", + "T1499", + "cve.2024-49113", + "detection.emerging-threats" + ], + "title": "CVE-2024-49113 Exploitation Attempt - LDAP Nightmare" + }, + { + "category": "", "channel": [ "sec" ], - "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", + "description": "This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.\nThis will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.\nThis requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.\n", "event_ids": [ - "4688" + "4663" ], - "id": "cfbcf9de-6e1d-7197-68f5-3fc5226b6373", - "level": "critical", - "service": "", + "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", + "level": "medium", + "service": "security", "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "cve.2024-1709", + "detection.emerging-threats" + ], + "title": "ScreenConnect User Database Modification - Security" + }, + { + "category": 
"", + "channel": [ + "sec" + ], + "description": "Detects any creation or modification to a windows domain group with the name \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n", + "event_ids": [ + "4727", + "4728", + "4731", + "4737", + "4754", + "4755", + "4756" + ], + "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9237-69AE-11D9-BED3-505054503030" ], "tags": [ "TA0002", - "T1203", - "T1204.002", - "TA0001", - "T1566.001", - "cve.2017-8759", - "detection.emerging-threats", - "T1566", - "T1204" + "cve.2024-37085", + "detection.emerging-threats" ], - "title": "Exploit for CVE-2017-8759" + "title": "Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity" }, { "category": "process_creation", "channel": [ "sec" ], - "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", + "description": "Detects execution of the \"net.exe\" command in order to add a group named \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n", "event_ids": [ "4688" ], - "id": "9e9587ab-f1e4-6415-6bc7-bd47066924ba", - "level": "critical", + "id": "15644804-cc2a-8565-e214-eefd44105fed", + "level": "high", "service": "", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": 
[ "TA0002", - "T1203", - "T1204.002", + "cve.2024-37085", + "detection.emerging-threats" + ], + "title": "Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.\nThis requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.\n", + "event_ids": [ + "4663" + ], + "id": "74d067bc-3f42-3855-c13d-771d589cf11c", + "level": "critical", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ "TA0001", - "T1566.001", - "cve.2017-11882", + "TA0003", + "cve.2024-1708", + "detection.emerging-threats" + ], + "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the \"curl.exe\" command, referencing \"SOCKS\" and \".onion\" domains, which could be indicative of Kalambur backdoor activity.", + "event_ids": [ + "4688" + ], + "id": "073e0fdf-35a4-362b-a1c6-2b1b41c71231", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1090", + "T1573", + "T1071.001", + "T1059.001", + "attack.s0183", "detection.emerging-threats", + "T1059", + "T1071" + ], + "title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ 
installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.\nThis allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer.\nThe vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.\n", + "event_ids": [ + "4688" + ], + "id": "1df6028e-e6fa-9d43-0ec9-a502e12d85dd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "TA0005", + "T1574.008", + "cve.2025-49144", + "detection.emerging-threats", + "T1574" + ], + "title": "Potential Notepad++ CVE-2025-49144 Exploitation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.\nCVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.\n", + "event_ids": [ + "4688" + ], + "id": "acecfe24-cf2a-2635-dded-a45c357eea3f", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "T1190", + "cve.2025-53770", + "detection.emerging-threats" + ], + "title": "Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as\nCVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.\nThe detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) 
that attackers typically use post-exploitation to execute malicious commands.\n", + "event_ids": [ + "4688" + ], + "id": "c8db6dc8-96e3-1974-3921-3a7fc78993d4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "TA0002", + "T1059.001", + "T1059.003", + "T1190", + "cve.2025-31161", + "detection.emerging-threats", + "T1059" + ], + "title": "Suspicious CrushFTP Child Process" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.", + "event_ids": [ + "4688" + ], + "id": "81ef2b50-ae07-2c4b-4242-6669c7176fec", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0001", + "TA0002", + "T1059.001", + "T1059.003", + "T1068", + "T1190", + "cve.2025-54309", + "detection.emerging-threats", + "T1059" + ], + "title": "Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential exploitation of remote code execution vulnerability CVE-2025-33053\nwhich involves unauthorized code execution via WebDAV through external control of file names or paths.\nThe exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating\ntheir working directories to point to attacker-controlled WebDAV servers, causing them to execute\nmalicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries\nthrough Process.Start() search order manipulation.\n", + "event_ids": [ + "4688" + ], + "id": "5cceaffb-6b96-605b-5c7e-58a2f125f151", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1218", + "TA0008", + 
"T1105", + "detection.emerging-threats", + "cve.2025-33053" + ], + "title": "Potential Exploitation of RCE Vulnerability CVE-2025-33053" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects activity that could be related to Baby Shark malware", + "event_ids": [ + "4688" + ], + "id": "c368d44f-914c-dda1-79ca-a54a155c8491", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "TA0007", + "T1012", + "T1059.003", + "T1059.001", + "T1218.005", + "detection.emerging-threats", + "T1059", + "T1218" + ], + "title": "Potential Baby Shark Malware Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.", + "event_ids": [ + "4688" + ], + "id": "588be409-8e98-409a-a4ef-4cccc7b7e865", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0042", + "T1587.001", + "detection.emerging-threats", + "T1587" + ], + "title": "Formbook Process Creation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential Dridex acitvity via specific process patterns", + "event_ids": [ + "4688" + ], + "id": "e23a9ec2-a8a3-badf-e230-fcbe8cf7f86e", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0004", + "T1055", + "TA0007", + "T1135", + "T1033", + "detection.emerging-threats" + ], + "title": "Potential Dridex Activity" + }, + { + "category": "registry_add", + "channel": [ + "sec" + ], + "description": "Detects registry keys related to 
Ursnif malware.", + "event_ids": [ + "4657" + ], + "id": "4adab006-3d6b-cf15-fdcc-f081f50e87f5", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1112", + "detection.emerging-threats" + ], + "title": "Potential Ursnif Malware Activity - Registry" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential Dtrack RAT activity via specific process patterns", + "event_ids": [ + "4688" + ], + "id": "39724b62-2e68-3ffc-c675-c018f6c9ce11", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1490", + "detection.emerging-threats" + ], + "title": "Potential Dtrack RAT Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "event_ids": [ + "4688" + ], + "id": "14cb4558-9252-130c-f8d4-6662b6f951ef", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", "T1204", - "T1566" + "detection.emerging-threats" ], - "title": "Droppers Exploiting CVE-2017-11882" + "title": "Potential Snatch Ransomware Activity" }, { "category": "process_creation", "channel": [ "sec" ], - "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", + "description": "Detects LockerGoga ransomware activity via specific command line.", "event_ids": [ "4688" ], - "id": "6beb9c36-3f8a-5de4-1979-7e2b1f7e6f27", + "id": "9dc3524d-8444-15f1-bde6-e060f0050e94", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0040", + "T1486", + "detection.emerging-threats" + ], + "title": "LockerGoga Ransomware Activity" + }, + { + "category": 
"process_creation", + "channel": [ + "sec" + ], + "description": "Detects all Emotet like process executions that are not covered by the more generic rules", + "event_ids": [ + "4688" + ], + "id": "399756bd-2003-82b3-c6c6-ab44d1516146", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "TA0005", + "T1027", + "detection.emerging-threats", + "T1059" + ], + "title": "Potential Emotet Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Ryuk ransomware activity", + "event_ids": [ + "4688" + ], + "id": "d7037073-136c-baf0-a9d7-cb2c03fcd245", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "detection.emerging-threats", + "T1547" + ], + "title": "Potential Ryuk Ransomware Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential QBot activity by looking for process executions used previously by QBot", + "event_ids": [ + "4688" + ], + "id": "178d305a-d6f0-baf2-b49b-89ffaddc2ca1", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.005", + "detection.emerging-threats", + "T1059" + ], + "title": "Potential QBot Activity" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects activity mentioned in Operation Wocao report", + "event_ids": [ + "4799" + ], + "id": "c9b5cb6f-906f-3a15-b77e-1b634b1d4e55", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9237-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1012", + "TA0005", + "T1036.004", + "T1027", + "TA0002", + "T1053.005", + "T1059.001", + "detection.emerging-threats", + "T1036", + "T1059", + "T1053" + ], + "title": "Operation Wocao Activity - Security" + }, + { + 
"category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects activity mentioned in Operation Wocao report", + "event_ids": [ + "4688" + ], + "id": "5a419751-992b-77c8-867f-49e5097ecddd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1012", + "TA0005", + "T1036.004", + "T1027", + "TA0002", + "T1053.005", + "T1059.001", + "detection.emerging-threats", + "T1036", + "T1053", + "T1059" + ], + "title": "Operation Wocao Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report", + "event_ids": [ + "4688" + ], + "id": "95e7263a-c0ff-b3c4-7947-3f452d58d181", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "TA0006", + "attack.g0128", + "T1003.001", + "T1560.001", + "detection.emerging-threats", + "T1003", + "T1560" + ], + "title": "APT31 Judgement Panda Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific process parameters as used by Mustang Panda droppers", + "event_ids": [ + "4688" + ], + "id": "5951b1c5-52a0-6011-73e8-d5feb1c407fb", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1587.001", + "TA0042", + "detection.emerging-threats", + "T1587" + ], + "title": "Mustang Panda Dropper" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local", + "event_ids": [ + "4688" + ], + "id": "c3a27568-59dc-1d9d-e90f-dd041655ebdf", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.010", + 
"detection.emerging-threats", + "T1218" + ], + "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "event_ids": [ + "4688" + ], + "id": "3743899d-8da9-a497-6649-9838de358f7e", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1552.001", + "T1003.003", + "detection.emerging-threats", + "T1003", + "T1552" + ], + "title": "Potential Russian APT Credential Theft Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential EmpireMonkey APT activity", + "event_ids": [ + "4688" + ], + "id": "88973540-d514-9331-f28d-73a9e8f21ac1", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.010", + "detection.emerging-threats", + "T1218" + ], + "title": "Potential EmpireMonkey Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a specific export function name used by one of EquationGroup tools", + "event_ids": [ + "4688" + ], + "id": "26d86e32-1dec-3706-ae72-6314e702cb7e", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "attack.g0020", + "TA0005", + "T1218.011", + "detection.emerging-threats", + "T1218" + ], + "title": "Equation Group DLL_U Export Function Load" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "event_ids": [ + "4688" + ], + "id": "7ff9b9f2-a79d-029b-9d23-1335adb7098c", + "level": "critical", + "service": "", + "subcategory_guids": 
[ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1068", + "cve.2019-1388", + "detection.emerging-threats" + ], + "title": "Exploiting CVE-2019-1388" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", + "event_ids": [ + "4688" + ], + "id": "def2ec32-0d35-d282-5265-940ec8847ce0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1053.005", + "car.2013-08-001", + "detection.emerging-threats", + "T1053" + ], + "title": "Potential BearLPE Exploitation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "event_ids": [ + "4688" + ], + "id": "a13f506e-fac9-0e14-f1b5-1cfbe9c57e46", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1036.005", + "cve.2015-1641", + "detection.emerging-threats", + "T1036" + ], + "title": "Exploit for CVE-2015-1641" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects the creation of a service named \"WerFaultSvc\" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report", + "event_ids": [ + "7045" + ], + "id": "abdb2e55-7d24-7f3d-6091-2b42abca2e67", + "level": "critical", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "detection.emerging-threats" + ], + "title": "SNAKE Malware Service Persistence" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report", + "event_ids": [ + 
"4688" + ], + "id": "4597ab1c-27ca-a1fa-2aec-793a9478be04", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "Potential SNAKE Malware Installation CLI Arguments Indicator" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a specific child/parent process relationship indicative of a \"WerFault\" process running from the \"WinSxS\" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.", + "event_ids": [ + "4688" + ], + "id": "d5f802ef-a213-5704-405c-10cefe798d45", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "Potential SNAKE Malware Persistence Service Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report", + "event_ids": [ + "4688" + ], + "id": "4b4e4330-74b5-c191-3016-18ec0b0e8c15", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "Potential SNAKE Malware Installation Binary Indicator" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects the creation of a registry value in the \".wav\\OpenWithProgIds\" key with an uncommon name. 
This could be related to SNAKE Malware as reported by CISA", + "event_ids": [ + "4657" + ], + "id": "2d1ec565-2a6e-eb8c-5e3e-454aa8a32614", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "detection.emerging-threats" + ], + "title": "Potential Encrypted Registry Blob Related To SNAKE Malware" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects any registry event that targets the key 'SECURITY\\Policy\\Secrets\\n' which is a key related to SNAKE malware as described by CISA", + "event_ids": [ + "4657" + ], + "id": "58f3d2fb-ee2d-19e8-3792-abdf0eca4067", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "detection.emerging-threats" + ], + "title": "SNAKE Malware Covert Store Registry Key" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.\nThe malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries\n", + "event_ids": [ + "4688" + ], + "id": "36b7b5cb-6442-2a32-49bd-894a5b3ece4e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1055.012", + "detection.emerging-threats", + "T1055" + ], + "title": "Potential Pikabot Hollowing Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects system discovery activity carried out by Pikabot, such as incl. 
network, user info and domain groups.\nThe malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).\n", + "event_ids": [ + "4688" + ], + "id": "4d7c1d43-5e75-8d5e-69ed-1a208dd23249", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1016", + "T1049", + "T1087", + "detection.emerging-threats" + ], + "title": "Potential Pikabot Discovery Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of concatenated commands via \"cmd.exe\". Pikabot often executes a combination of multiple commands via the command handler \"cmd /c\" in order to download and execute additional payloads.\nCommands such as \"curl\", \"wget\" in order to download extra payloads. \"ping\" and \"timeout\" are abused to introduce delays in the command execution and \"Rundll32\" is also used to execute malicious DLL files.\nIn the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.\n", + "event_ids": [ + "4688" + ], + "id": "2386a20f-b877-d41b-4f24-5561a8b788d2", "level": "medium", "service": "", "subcategory_guids": [ 
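Review bot: The "Suspicious ESX Admins Group Activity" rule (CVE-2024-37085) lists 4731 (local group created) but not 4732 (member added to local group) or 4735 (local group changed), so if domain-local groups are in scope a group populated after creation would only be seen at creation; either add 4732/4735 or drop 4731 so coverage is symmetric with the global (4727/4728/4737) and universal (4754/4755/4756) sets. The "Potential BearLPE Exploitation" description ends with a stray RTF artifact, `arbitrary DACL write\par`, which should be `arbitrary DACL write`. The Ursnif entry is `"category": "registry_add"` but maps to 4657, which the Security log only emits for value modifications; registry key creation under a SACL surfaces as 4663 (Create Sub Key), so either the event ID or the category looks wrong and should be confirmed against what the rule actually matches. The two CrushFTP rules (CVE-2025-31161 and CVE-2025-54309) both describe "suspicious child processes created by CrushFTP" and will double-fire on the same 4688 unless their process lists differ; the descriptions should state what distinguishes them. Minor wording in new descriptions: Formbook has "special command command line", Dridex has "acitvity", and several entries mix `"service": "security"` with `"service": ""` for the same `sec` channel.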
@@ -37595,16 +48978,1100 @@ ], "tags": [ "TA0002", - "T1203", - "T1204.002", - "TA0001", - "T1566.001", - "cve.2017-0261", + "T1059.003", + "T1105", + "T1218", "detection.emerging-threats", - "T1566", - "T1204" + "T1059" ], - "title": "Exploit for CVE-2017-0261" + "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific process tree behavior linked to \"rundll32\" executions, wherein the associated DLL lacks a common \".dll\" extension, often signaling potential Pikabot activity.\n", + "event_ids": [ + "4688" + ], + "id": "465c812b-bb1a-4652-0a2a-5e9216ae9b5b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "detection.emerging-threats" + ], + "title": "Pikabot Fake DLL Extension Execution Via Rundll32.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects creation of local users via the net.exe command with the name of \"DarkGate\"", + "event_ids": [ + "4688" + ], + "id": "2ea44b75-58f5-f91b-6aa1-6ff2c71bbb5a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1136.001", + "detection.emerging-threats", + "T1136" + ], + "title": "DarkGate - User Created Via Net.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of the legitimate Autoit3 utility from a suspicious parent process. 
AutoIt3.exe is used within\nthe DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate\ncommand-and-control server.\n", + "event_ids": [ + "4688" + ], + "id": "2d2fc033-17e9-53b1-ea07-7d2dde3b2a54", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059", + "detection.emerging-threats" + ], + "title": "DarkGate - Autoit3.EXE Execution Parameters" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", + "event_ids": [ + "4688" + ], + "id": "7d4d1b66-641e-c78a-a574-37e2658d3b05", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "Griffon Malware Attack Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", + "event_ids": [ + "4688" + ], + "id": "3a5c167a-3ba9-e261-65fb-e6f832c0b3f2", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "detection.emerging-threats", + "T1218" + ], + "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet", + "event_ids": [ + "4688" + ], + "id": "c5241d42-29a7-201c-7ad6-96648cc368c3", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + 
"TA0002", + "detection.emerging-threats" + ], + "title": "Qakbot Uninstaller Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific process tree behavior of a \"rundll32\" execution where the DLL doesn't have the \".dll\" extension. This is often linked with potential Qakbot activity.", + "event_ids": [ + "4688" + ], + "id": "28b6ad8c-6543-08dc-cc45-4088c5d03882", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "detection.emerging-threats" + ], + "title": "Qakbot Rundll32 Fake DLL Extension Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific process tree behavior of a \"rundll32\" execution with exports linked with Qakbot activity.", + "event_ids": [ + "4688" + ], + "id": "15f0b692-9547-f109-f9cc-ac165a71dfdb", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "detection.emerging-threats" + ], + "title": "Qakbot Rundll32 Exports Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific process tree behavior of a \"rundll32\" execution often linked with potential Qakbot activity.", + "event_ids": [ + "4688" + ], + "id": "4cbce5db-f238-eaa5-7272-ed7b8122ded6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "detection.emerging-threats" + ], + "title": "Potential Qakbot Rundll32 Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a specific command line of \"regsvr32\" where the \"calc\" keyword is used in conjunction with the \"/s\" flag. 
This behavior is often seen used by Qakbot", + "event_ids": [ + "4688" + ], + "id": "7a1d5134-71db-5e78-20af-387288b261fe", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "detection.emerging-threats" + ], + "title": "Qakbot Regsvr32 Calc Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of a process executing as user called \"ANONYMOUS\" seen used by the \"MileStone2016\" variant of COLDSTEEL", + "event_ids": [ + "4688" + ], + "id": "71791144-4c24-e133-0435-de80fac210a6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005", + "detection.emerging-threats" + ], + "title": "COLDSTEEL RAT Anonymous User Process Execution" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects the creation of new services potentially related to COLDSTEEL RAT", + "event_ids": [ + "7045" + ], + "id": "d8f1ace1-c01b-3f95-34ed-993d29f876f5", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0005", + "TA0003", + "detection.emerging-threats" + ], + "title": "COLDSTEEL Persistence Service Creation" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.", + "event_ids": [ + "4657" + ], + "id": "d1c9a56f-847c-149d-8e33-f2f0cc9d0780", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "detection.emerging-threats" + ], + "title": "Potential COLDSTEEL RAT Windows User Creation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the creation of an \"svchost\" process with specific command line flags, that were 
seen present and used by ColdSteel RAT", + "event_ids": [ + "4688" + ], + "id": "cbb04740-ed1c-9f93-63da-7f0564a3b403", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005", + "detection.emerging-threats" + ], + "title": "COLDSTEEL RAT Service Persistence Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.\n", + "event_ids": [ + "4688" + ], + "id": "e1154da5-5e71-c3d4-e8b6-f6a18c1eaf54", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059", + "detection.emerging-threats" + ], + "title": "Ursnif Redirection Of Discovery Commands" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of installed GuLoader malware on the host.\nGuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.\n", + "event_ids": [ + "4688" + ], + "id": "aaa26b8b-7089-ddc7-6b3d-b0786555177e", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1055", + "detection.emerging-threats" + ], + "title": "Injected Browser Process Spawning Rundll32 - GuLoader Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects RunDLL32.exe executing a single digit DLL named \"1.dll\" with the export function \"DllRegisterServer\". 
This behaviour was often seen used by malware and especially IcedID", + "event_ids": [ + "4688" + ], + "id": "28ffa72a-4fdf-40aa-4912-e53083a61f96", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "detection.emerging-threats", + "T1218" + ], + "title": "IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Rorschach ransomware execution activity", + "event_ids": [ + "4688" + ], + "id": "76838840-9141-18d6-5182-11d8297d9574", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.003", + "T1059.001", + "TA0005", + "detection.emerging-threats", + "T1059" + ], + "title": "Rorschach Ransomware Execution Activity" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-TaskScheduler/Operational" + ], + "description": "Hunts for known SVR-specific scheduled task names", + "event_ids": [ + "129", + "140", + "141" + ], + "id": "51850e92-9de2-230e-98f6-5775d63df091", + "level": "high", + "service": "taskscheduler", + "subcategory_guids": [], + "tags": [ + "TA0003", + "detection.emerging-threats" + ], + "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Hunts for known SVR-specific scheduled task names", + "event_ids": [ + "4698", + "4699", + "4702" + ], + "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "detection.emerging-threats" + ], + "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + 
"description": "Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team\n", + "event_ids": [ + "4104" + ], + "id": "017266c4-7b12-7c2b-d2b3-0b8ffe973af8", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "detection.emerging-threats", + "T1059" + ], + "title": "Lace Tempest PowerShell Evidence Eraser" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team\n", + "event_ids": [ + "4104" + ], + "id": "47fec53e-ab09-f2b7-fc9a-c7364aefc12f", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "detection.emerging-threats", + "T1059" + ], + "title": "Lace Tempest PowerShell Launcher" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team", + "event_ids": [ + "4688" + ], + "id": "d7cc678c-bf6e-c88c-9c51-68ac731baa8b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "Lace Tempest Malware Loader Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team", + "event_ids": [ + "4688" + ], + "id": "9cf64f9c-ca0e-07b8-3d01-106dac73ef8b", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "Lace Tempest Cobalt Strike Download" + }, + { + 
"category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs", + "event_ids": [ + "4104" + ], + "id": "384a6ce5-d681-2e87-6a43-6e1a0eb0f316", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "attack.g0046", + "detection.emerging-threats", + "T1059" + ], + "title": "Potential APT FIN7 POWERHOLD Execution" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects potential execution of the PowerShell script POWERTRASH", + "event_ids": [ + "4104" + ], + "id": "b8581aed-5481-addc-116b-c0b8384cecfc", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "T1059.001", + "attack.g0046", + "detection.emerging-threats", + "T1059" + ], + "title": "Potential POWERTRASH Script Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution", + "event_ids": [ + "4688" + ], + "id": "dc315390-7011-bb4e-751f-f08ecd3ca85d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "attack.g0046", + "detection.emerging-threats" + ], + "title": "Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects process creation activity related to Peach Sandstorm APT", + "event_ids": [ + "4688" + ], + "id": "ad6cf96f-fa18-2ab2-281f-bbffecb4ab3a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "Peach Sandstorm APT Process Activity Indicators" + }, + { + "category": "process_creation", + 
"channel": [ + "sec" + ], + "description": "Detects exploitation indicators related to PaperCut MF/NG Exploitation", + "event_ids": [ + "4688" + ], + "id": "ebb92368-23b5-851f-104d-95a89838d948", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "PaperCut MF/NG Exploitation Related Indicators" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious child processes of \"pc-app.exe\". Which could indicate potential exploitation of PaperCut", + "event_ids": [ + "4688" + ], + "id": "2a5d2c0f-578d-a591-f955-6a96069d7d9d", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "PaperCut MF/NG Potential Exploitation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52", + "event_ids": [ + "4688" + ], + "id": "d2624d20-f715-94ca-56f5-47923dc797a2", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "attack.g0129", + "detection.emerging-threats" + ], + "title": "Potential APT Mustang Panda Activity Against Australian Gov" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential suspicious child processes of \"3CXDesktopApp.exe\". 
Which could be related to the 3CXDesktopApp supply chain compromise", + "event_ids": [ + "4688" + ], + "id": "55dc8b32-c836-8c99-848d-630c50764aeb", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "TA0002", + "T1218", + "detection.emerging-threats" + ], + "title": "Potential Suspicious Child Process Of 3CXDesktopApp" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of known compromised version of 3CXDesktopApp", + "event_ids": [ + "4688" + ], + "id": "35f3ea40-3ec2-86b1-9633-0a8230a46fc6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "TA0002", + "detection.emerging-threats" + ], + "title": "Potential Compromised 3CXDesktopApp Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software", + "event_ids": [ + "4688" + ], + "id": "dfd05613-5afb-ff48-86b9-082194e9ae79", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "TA0002", + "detection.emerging-threats" + ], + "title": "Potential Compromised 3CXDesktopApp Update Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm", + "event_ids": [ + "4688" + ], + "id": "16662367-d8c5-c609-8ef7-131dda0a9ae9", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "Mint Sandstorm - ManageEngine Suspicious Process Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": 
"Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm", + "event_ids": [ + "4688" + ], + "id": "4e26299f-1fd3-fa5e-1aad-a0c22275e7ae", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "Mint Sandstorm - AsperaFaspex Suspicious Process Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity", + "event_ids": [ + "4688" + ], + "id": "bc808841-697e-7b11-dc93-e0c729b17e87", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "Mint Sandstorm - Log4J Wstomcat Process Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects process creation activity indicators related to Diamond Sleet APT", + "event_ids": [ + "4688" + ], + "id": "2e4649c0-d69b-e162-9c39-4d98600de98a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "Diamond Sleet APT Process Activity Indicators" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability\n", + "event_ids": [ + "4657" + ], + "id": "0a08328e-c93e-0397-cb8e-61d93af17c09", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1562", + "detection.emerging-threats" + ], + "title": "Diamond Sleet APT Scheduled Task Creation - Registry" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects 
registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability\n", + "event_ids": [ + "4698" + ], + "id": "05731ce3-cfda-dbba-3792-c17794a22cf7", + "level": "critical", + "service": "security", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0004", + "TA0003", + "T1053.005", + "detection.emerging-threats", + "T1053" + ], + "title": "Diamond Sleet APT Scheduled Task Creation" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation", + "event_ids": [ + "2027" + ], + "id": "0bcc2c11-231f-f491-7985-3571fee7f2c5", + "level": "high", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0002", + "detection.emerging-threats" + ], + "title": "MSMQ Corrupted Packet Encountered" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.\n", + "event_ids": [ + "4688" + ], + "id": "b7a9b3d7-4d7a-c3f3-3d76-9b3c30db223c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059", + "TA0001", + "T1190", + "cve.2023-22518", + "detection.emerging-threats" + ], + "title": "CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)" + }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "Detects a crash of \"WinRAR.exe\" where the version is lower than 6.23. 
This could indicate potential exploitation of CVE-2023-40477", + "event_ids": [ + "1000" + ], + "id": "f33feae7-db95-01a2-c35f-a6361e690ebb", + "level": "medium", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0002", + "cve.2023-40477", + "detection.emerging-threats" + ], + "title": "CVE-2023-40477 Potential Exploitation - WinRAR Application Crash" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884", + "event_ids": [ + "5140" + ], + "id": "5a3b13ed-8700-5d72-5592-4dbeacbeeb64", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9224-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "cve.2023-36884", + "detection.emerging-threats" + ], + "title": "Potential CVE-2023-36884 Exploitation - Share Access" + }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. 
Further investigation is required to determine the success of an exploitation.", + "event_ids": [ + "4657" + ], + "id": "d2c33d76-7b09-c3b4-a954-ffd2e0da3cc8", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1137", + "cve.2023-23397", + "detection.emerging-threats" + ], + "title": "Outlook Task/Note Reminder Received" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", + "event_ids": [ + "4656", + "4663" + ], + "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43", + "level": "critical", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "TA0001", + "cve.2023-23397", + "detection.emerging-threats" + ], + "title": "CVE-2023-23397 Exploitation Attempt" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-SmbClient/Connectivity" + ], + "description": "Detects (failed) outbound connection attempts to internet facing SMB servers. 
This could be a sign of potential exploitation attempts of CVE-2023-23397.",
+ "event_ids": [
+ "30803",
+ "30804",
+ "30806"
+ ],
+ "id": "de290ecb-3279-dd5b-2f6c-7d3f22a752d8",
+ "level": "medium",
+ "service": "smbclient-connectivity",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0010",
+ "cve.2023-23397",
+ "detection.emerging-threats"
+ ],
+ "title": "Potential CVE-2023-23397 Exploitation Attempt - SMB"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "1afd58da-cc18-91ca-c728-f9ead1f47317",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "detection.emerging-threats",
+ "TA0002",
+ "T1203",
+ "cve.2023-38331"
+ ],
+ "title": "CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects Archer malware invocation via rundll32",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "016f9629-14c0-6760-6a57-2964982c53c5",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "TA0005",
+ "T1218.011",
+ "detection.emerging-threats",
+ "T1218"
+ ],
+ "title": "Fireball Archer Install"
 },
 {
 "category": "process_creation",
@@ -37659,8 +50126,8 @@
 "T1003.001",
 "car.2016-04-002",
 "detection.emerging-threats",
- "T1070",
 "T1218",
+ "T1070",
 "T1003"
 ],
 "title": "NotPetya Ransomware Activity"
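Review bot: The four `ps_script` rules in this hunk (the two Lace Tempest PowerShell rules, POWERHOLD and POWERTRASH) carry `"channel": [ "pwsh", "pwsh" ]`, a duplicated element that no other rule's `channel` array has; the generator should dedupe this to `"channel": [ "pwsh" ]` so a consumer that maps channels to subscriptions does not register the same source twice. The hunk also removes "Exploit for CVE-2017-0261" and the same rule (id 6beb9c36-…) is re-added in the -37881 hunk, while "Fireball Archer Install" (id 016f9629-…) is added here and removed in the -37714 hunk, and the -37690/-37765 hunks move the PlugX and APT10 rules the same way, so the array order appears not to be stable between regenerations; emitting rules sorted by `id` would keep future diffs reviewable. Several new rules whose descriptions name a CVE (CVE-2023-47246 for the Lace Tempest rules, CVE-2023-42793 for Diamond Sleet, CVE-2023-21554 for the MSMQ rule) lack the `cve.<year>-<number>` tag that the Confluence, WinRAR, file-share and Outlook rules in the same hunk carry; if tags come verbatim from the upstream rule source this is a gap there, but it matters for anyone filtering this file by CVE tag.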
@@ -37690,6 +50157,30 @@
 ],
 "title": "CosmicDuke Service Installation"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "57e6d496-927a-453c-36cf-2fece4eb81ae",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "attack.s0013",
+ "TA0005",
+ "T1574.001",
+ "detection.emerging-threats",
+ "T1574"
+ ],
+ "title": "Potential PlugX Activity"
+ },
 {
 "category": "process_creation",
 "channel": [
@@ -37714,30 +50205,6 @@
 ],
 "title": "Adwind RAT / JRAT"
 },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Archer malware invocation via rundll32",
- "event_ids": [
- "4688"
- ],
- "id": "016f9629-14c0-6760-6a57-2964982c53c5",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0005",
- "T1218.011",
- "detection.emerging-threats",
- "T1218"
- ],
- "title": "Fireball Archer Install"
- },
 {
 "category": "",
 "channel": [
@@ -37765,24 +50232,24 @@
 "channel": [
 "sec"
 ],
- "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location",
+ "description": "Detects potential process and execution activity related to APT10 Cloud Hopper operation",
 "event_ids": [
 "4688"
 ],
- "id": "57e6d496-927a-453c-36cf-2fece4eb81ae",
+ "id": "b0e856a7-d88c-046d-8874-70a60f6bd627",
 "level": "high",
 "service": "",
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.s0013",
- "TA0005",
- "T1574.001",
+ "TA0002",
+ "attack.g0045",
+ "T1059.005",
 "detection.emerging-threats",
- "T1574"
+ "T1059"
 ],
- "title": "Potential PlugX Activity"
+ "title": "Potential APT10 Cloud Hopper Activity"
 },
 {
 "category": "process_creation",
@@ -37881,24 +50348,84 @@
 "channel": [
 "sec"
 ],
- "description": "Detects potential process and execution activity related to APT10 Cloud Hopper operation",
+ "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262",
 "event_ids": [
 "4688"
 ],
- "id": "b0e856a7-d88c-046d-8874-70a60f6bd627",
- "level": "high",
+ "id": "6beb9c36-3f8a-5de4-1979-7e2b1f7e6f27",
+ "level": "medium",
 "service": "",
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
 "TA0002",
- "attack.g0045",
- "T1059.005",
+ "T1203",
+ "T1204.002",
+ "TA0001",
+ "T1566.001",
+ "cve.2017-0261",
 "detection.emerging-threats",
- "T1059"
+ "T1566",
+ "T1204"
 ],
- "title": "Potential APT10 Cloud Hopper Activity"
+ "title": "Exploit for CVE-2017-0261"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "9e9587ab-f1e4-6415-6bc7-bd47066924ba",
+ "level": "critical",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1203",
+ "T1204.002",
+ "TA0001",
+ "T1566.001",
+ "cve.2017-11882",
+ "detection.emerging-threats",
+ "T1204",
+ "T1566"
+ ],
+ "title": "Droppers Exploiting CVE-2017-11882"
+ },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "cfbcf9de-6e1d-7197-68f5-3fc5226b6373",
+ "level": "critical",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1203",
+ "T1204.002",
+ "TA0001",
+ "T1566.001",
+ "cve.2017-8759",
+ "detection.emerging-threats",
+ "T1566",
+ "T1204"
+ ],
+ "title": "Exploit for CVE-2017-8759"
 },
 {
 "category": "process_creation",
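Review bot: The `tags` arrays in this hunk are emitted in an unstable order: "Droppers Exploiting CVE-2017-11882" ends with `"T1204", "T1566"` while the sibling CVE-2017-0261 and CVE-2017-8759 rules end with `"T1566", "T1204"`, and the -37659 hunk's only change is swapping the positions of "T1070" and "T1218" in the NotPetya rule. Emitting tags in sorted order (or preserving the upstream rule's order exactly) would remove these no-op diffs and make tag comparisons between rules meaningful. Separately, the CVE-2017-0261 rule's description names CVE-2017-0262 as well but the tags carry only `cve.2017-0261`; if the second CVE is intended to be covered, add `"cve.2017-0262"` alongside it, otherwise the description should name one CVE.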
@@ -37926,133 +50453,6 @@ ], "title": "Elise Backdoor Activity" }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "event_ids": [ - "4698" - ], - "id": "798c8f65-068a-0a31-009f-12739f547a2d", - "level": "critical", - "service": "security", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "attack.g0049", - "T1053.005", - "attack.s0111", - "T1543.003", - "TA0005", - "T1112", - "TA0011", - "T1071.004", - "detection.emerging-threats", - "T1071", - "T1053", - "T1543" - ], - "title": "OilRig APT Schedule Task Persistence - Security" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", - "event_ids": [ - "4657" - ], - "id": "e3b2e8dd-18aa-f9bc-9af7-bc31d7717574", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "attack.g0049", - "T1053.005", - "attack.s0111", - "T1543.003", - "TA0005", - "T1112", - "TA0011", - "T1071.004", - "detection.emerging-threats", - "T1543", - "T1053", - "T1071" - ], - "title": "OilRig APT Registry Persistence" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", - "event_ids": [ - "4688" - ], - "id": "18831824-9288-e5da-ec10-093f213d54b3", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "attack.g0049", - "T1053.005", - "attack.s0111", - "T1543.003", - "TA0005", - "T1112", - "TA0011", - "T1071.004", - "detection.emerging-threats", - "T1053", - "T1543", - "T1071" - ], - "title": "OilRig APT Activity" - }, - { - "category": "", - "channel": [ - 
"System" - ], - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "event_ids": [ - "7045" - ], - "id": "afa88090-3c0b-17fc-7061-2259abc82d2b", - "level": "critical", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003", - "attack.g0049", - "T1053.005", - "attack.s0111", - "T1543.003", - "TA0005", - "T1112", - "TA0011", - "T1071.004", - "detection.emerging-threats", - "T1543", - "T1071", - "T1053" - ], - "title": "OilRig APT Schedule Task Persistence - System" - }, { "category": "process_creation", "channel": [ @@ -38077,28 +50477,6 @@ ], "title": "APT29 2018 Phishing Campaign CommandLine Indicators" }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", - "event_ids": [ - "4657" - ], - "id": "91264309-c919-28fd-5fff-f994208d1f34", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112", - "detection.emerging-threats" - ], - "title": "OceanLotus Registry Activity" - }, { "category": "", "channel": [ @@ -38147,34 +50525,6 @@ ], "title": "Defrag Deactivation" }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Trojan loader activity as used by APT28", - "event_ids": [ - "4688" - ], - "id": "8b5c9860-1038-cd29-e1fe-e5ebcf52d6f0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "attack.g0007", - "T1059.003", - "T1218.011", - "car.2013-10-002", - "detection.emerging-threats", - "T1218", - "T1059" - ], - "title": "Sofacy Trojan Loader Activity" - }, { "category": "process_creation", "channel": [ 
@@ -38198,6 +50548,178 @@ ], "title": "Potential MuddyWater APT Activity" }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", + "event_ids": [ + "4657" + ], + "id": "91264309-c919-28fd-5fff-f994208d1f34", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1112", + "detection.emerging-threats" + ], + "title": "OceanLotus Registry Activity" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", + "event_ids": [ + "4657" + ], + "id": "e3b2e8dd-18aa-f9bc-9af7-bc31d7717574", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "attack.g0049", + "T1053.005", + "attack.s0111", + "T1543.003", + "TA0005", + "T1112", + "TA0011", + "T1071.004", + "detection.emerging-threats", + "T1053", + "T1071", + "T1543" + ], + "title": "OilRig APT Registry Persistence" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", + "event_ids": [ + "7045" + ], + "id": "afa88090-3c0b-17fc-7061-2259abc82d2b", + "level": "critical", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0003", + "attack.g0049", + "T1053.005", + "attack.s0111", + "T1543.003", + "TA0005", + "T1112", + "TA0011", + "T1071.004", + "detection.emerging-threats", + "T1053", + "T1071", + "T1543" + ], + "title": "OilRig APT Schedule Task Persistence - System" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", + "event_ids": [ + "4698" + ], + "id": "798c8f65-068a-0a31-009f-12739f547a2d", + 
"level": "critical", + "service": "security", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "attack.g0049", + "T1053.005", + "attack.s0111", + "T1543.003", + "TA0005", + "T1112", + "TA0011", + "T1071.004", + "detection.emerging-threats", + "T1053", + "T1071", + "T1543" + ], + "title": "OilRig APT Schedule Task Persistence - Security" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report", + "event_ids": [ + "4688" + ], + "id": "18831824-9288-e5da-ec10-093f213d54b3", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "attack.g0049", + "T1053.005", + "attack.s0111", + "T1543.003", + "TA0005", + "T1112", + "TA0011", + "T1071.004", + "detection.emerging-threats", + "T1543", + "T1071", + "T1053" + ], + "title": "OilRig APT Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", + "event_ids": [ + "4688" + ], + "id": "cf360c1a-7d6f-5e83-28e6-2a8388debb83", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.001", + "detection.emerging-threats", + "T1059" + ], + "title": "TropicTrooper Campaign November 2018" + }, { "category": "process_creation", "channel": [ 
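Review bot: The re-added "OilRig APT Schedule Task Persistence - Security" entry (id 798c8f65-…) sets `"service": "security"` while every other `"sec"`-channel entry in this hunk (the 4657 and 4688 rules) sets `"service": ""`, so a consumer that routes or groups by `service` treats the same event log two different ways; pick one value for the Security channel and apply it uniformly (the 7045 rule's `"service": "system"` suggests the non-empty form is the intended convention). That entry's `subcategory_guids` also pairs 0CCE9227 (Other Object Access, where 4698 is logged) with 0CCE9226, which I believe is the Filtering Platform Connection subcategory and does not emit 4698; worth confirming against the audit-policy mapping before this list is used to recommend which subcategories to enable.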
@@ -38227,11 +50749,379 @@ "channel": [ "sec" ], - "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", + "description": "Detects Trojan loader activity as used by APT28", "event_ids": [ "4688" ], - "id": "cf360c1a-7d6f-5e83-28e6-2a8388debb83", + "id": "8b5c9860-1038-cd29-e1fe-e5ebcf52d6f0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "attack.g0007", + "T1059.003", + "T1218.011", + "car.2013-10-002", + "detection.emerging-threats", + "T1218", + "T1059" + ], + "title": "Sofacy Trojan Loader Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a ZxShell start by the called and well-known function name", + "event_ids": [ + "4688" + ], + "id": "d0fd7844-3a95-dea8-af80-626b8fcf4e3f", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.003", + "TA0005", + "T1218.011", + "attack.s0412", + "attack.g0001", + "detection.emerging-threats", + "T1218", + "T1059" + ], + "title": "ZxShell Malware" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "event_ids": [ + "4688" + ], + "id": "01fbd572-ed21-128f-a6f8-33d5cd9c5dd4", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "attack.g0010", + "TA0002", + "T1059.001", + "T1053.005", + "T1027", + "detection.emerging-threats", + "T1059", + "T1053" + ], + "title": "Turla Group Commands May 2020" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects automated lateral movement by Turla group", + "event_ids": [ + "4688" + ], + "id": "43b8a8bc-fb6b-2385-d4a0-7efb8523c625", + 
"level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "attack.g0010", + "TA0002", + "T1059", + "TA0008", + "T1021.002", + "TA0007", + "T1083", + "T1135", + "detection.emerging-threats", + "T1021" + ], + "title": "Turla Group Lateral Movement" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Attempts to detect system changes made by Blue Mockingbird", + "event_ids": [ + "4688" + ], + "id": "f6378d07-9103-4e8d-742c-4c622112632a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1112", + "T1047", + "detection.emerging-threats" + ], + "title": "Blue Mockingbird" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "event_ids": [ + "4657" + ], + "id": "0b8e16f0-ba71-e4bd-3716-69afe0091614", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1112", + "detection.emerging-threats" + ], + "title": "FlowCloud Registry Markers" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific process characteristics of Maze ransomware word document droppers", + "event_ids": [ + "4688" + ], + "id": "e3ea1348-79be-c569-ad0a-4aadcc5cc216", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204.002", + "T1047", + "TA0040", + "T1490", + "detection.emerging-threats", + "T1204" + ], + "title": "Potential Maze Ransomware Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects registry modifications 
potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", + "event_ids": [ + "4688" + ], + "id": "761c2906-a130-f6d9-4b0f-4935ac76ab80", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "attack.g0004", + "TA0005", + "T1562.001", + "detection.emerging-threats", + "T1562" + ], + "title": "Potential Ke3chang/TidePool Malware Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", + "event_ids": [ + "4688" + ], + "id": "aeae16e2-a1e2-dc9e-0228-60755dd9c6b7", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "detection.emerging-threats", + "T1218" + ], + "title": "Potential Emotet Rundll32 Execution" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report", + "event_ids": [ + "4688" + ], + "id": "dbe85609-2e67-6297-cb1d-faed3bebc059", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.011", + "detection.emerging-threats", + "T1218" + ], + "title": "EvilNum APT Golden Chickens Deployment Via OCX Files" + }, + { + "category": "", + "channel": [ + "Microsoft-Windows-DNS-Server/Analytical" + ], + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "event_ids": [ + "257" + ], + "id": "c8e0edae-2335-591c-7057-1ac58f03e06c", + "level": "high", + "service": "dns-server-analytic", + "subcategory_guids": [], + "tags": [ + "TA0006", + "TA0011", + "T1071", + 
"detection.emerging-threats" + ], + "title": "GALLIUM Artefacts - Builtin" + }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", + "event_ids": [ + "4657" + ], + "id": "09b9f622-28c3-d403-0447-f3858c57995e", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "detection.emerging-threats", + "T1547" + ], + "title": "Leviathan Registry Key Activity" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", + "event_ids": [ + "4688" + ], + "id": "d560b276-ce03-f4a8-6672-12ce7b5c62b9", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1055.001", + "detection.emerging-threats", + "T1055" + ], + "title": "TAIDOOR RAT DLL Load" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", + "event_ids": [ + "4688" + ], + "id": "a972ef92-1911-1a94-01aa-d73223ffb539", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1574.001", + "attack.g0044", + "detection.emerging-threats", + "T1574" + ], + "title": "Winnti Pipemon Characteristics" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", + "event_ids": [ + "4688" + ], + "id": "3f469afc-3a19-1d2e-3bb7-e4d0e8354880", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1574.001", + 
"attack.g0044", + "detection.emerging-threats", + "T1574" + ], + "title": "Winnti Malware HK University Campaign" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", + "event_ids": [ + "4688" + ], + "id": "4a5b4327-68a3-c67b-3a03-2e238380c196", "level": "high", "service": "", "subcategory_guids": [ 
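Review bot: The tag vocabulary in the entries added here is inconsistent: ATT&CK technique and tactic IDs are bare (`"T1059.003"`, `"TA0005"`) while group and software IDs keep their namespace (`"attack.g0010"`, `"attack.s0412"`), next to `"car.2013-10-002"` and `"cve.…"`-style tags. Downstream code that classifies tags by prefix cannot tell a technique from a free-form label, and anything filtering on attack.* misses every technique and tactic. Either keep the upstream `attack.` prefix on all ATT&CK IDs or strip it from all of them, and document the chosen tag grammar alongside the file. The Ke3chang/TidePool entry's description speaks of registry modifications while the entry is a 4688 process-creation rule; the wording presumably refers to the command line it matches, but as written it misleads an analyst triaging a hit.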
@@ -38243,31 +51133,106 @@ "detection.emerging-threats", "T1059" ], - "title": "TropicTrooper Campaign November 2018" + "title": "UNC2452 Process Creation Patterns" }, { "category": "process_creation", "channel": [ "sec" ], - "description": "Detects the execution of the commonly used ZeroLogon PoC executable.", + "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", "event_ids": [ "4688" ], - "id": "2160db68-9836-29f5-6e25-0d0c4c7b2f55", - "level": "high", + "id": "bd234da4-9181-62b1-7db3-48a5f00642b0", + "level": "critical", "service": "", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ "TA0002", - "TA0008", - "T1210", - "cve.2020-1472", + "T1059.001", + "T1047", + "detection.emerging-threats", + "T1059" + ], + "title": "UNC2452 PowerShell Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects suspicious inline VBScript keywords as used by UNC2452", + "event_ids": [ + "4688" + ], + "id": "c95593ac-8717-262b-cedb-792a55e2bd26", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "T1547.001", + "detection.emerging-threats", + "T1547" + ], + "title": "Suspicious VBScript UN2452 Pattern" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec", + "event_ids": [ + "4688" + ], + "id": "66a8b7b5-8783-4815-24bb-0ad1640f23f3", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "attack.g0049", + "TA0002", + "T1059.001", + "TA0011", + "T1105", + "TA0005", + "T1036.005", + "detection.emerging-threats", + "T1036", + "T1059" + ], + "title": "Greenbug Espionage Group Indicators" + }, + { + "category": "process_creation", + 
"channel": [ + "sec" + ], + "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", + "event_ids": [ + "4688" + ], + "id": "2e608159-dacf-a4b9-091f-28534c9424d3", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "attack.g0032", + "TA0002", + "T1059", "detection.emerging-threats" ], - "title": "Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC" + "title": "Lazarus Group Activity" }, { "category": "", @@ -38295,12 +51260,12 @@ "channel": [ "sec" ], - "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", "event_ids": [ "4688" ], - "id": "6f871e64-9f5d-28c7-fbcd-63ebfc7df770", - "level": "critical", + "id": "f1b3071f-b77b-96a1-d05e-bd72395cb10c", + "level": "high", "service": "", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" @@ -38309,12 +51274,14 @@ "TA0001", "T1190", "TA0002", - "T1569.002", - "cve.2020-1350", + "T1059.001", + "T1059.003", + "attack.s0190", + "cve.2020-10189", "detection.emerging-threats", - "T1569" + "T1059" ], - "title": "DNS RCE CVE-2020-1350" + "title": "Exploited CVE-2020-10189 Zoho ManageEngine" }, { "category": "process_creation", 
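Review bot: The title added as `"Suspicious VBScript UN2452 Pattern"` (id c95593ac-…) misspells the actor name; the description in the same entry and the two neighbouring UNC2452 entries spell it UNC2452, so the title should read `"Suspicious VBScript UNC2452 Pattern"`. If titles are copied verbatim from the upstream rule set, the correction belongs there and the generator should pick it up on the next import rather than being hand-patched in this file. The two short hunks that follow, replacing the CVE-2020-1350 entry with the CVE-2020-10189 one, are undone by the next hunk pair that swaps them back, which is the same unstable-ordering problem rather than a content change.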
@@ -38371,12 +51338,12 @@ "channel": [ "sec" ], - "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", + "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", "event_ids": [ "4688" ], - "id": "f1b3071f-b77b-96a1-d05e-bd72395cb10c", - "level": "high", + "id": "6f871e64-9f5d-28c7-fbcd-63ebfc7df770", + "level": "critical", "service": "", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" @@ -38385,25 +51352,23 @@ "TA0001", "T1190", "TA0002", - "T1059.001", - "T1059.003", - "attack.s0190", - "cve.2020-10189", + "T1569.002", + "cve.2020-1350", "detection.emerging-threats", - "T1059" + "T1569" ], - "title": "Exploited CVE-2020-10189 Zoho ManageEngine" + "title": "DNS RCE CVE-2020-1350" }, { "category": "process_creation", "channel": [ "sec" ], - "description": "Attempts to detect system changes made by Blue Mockingbird", + "description": "Detects the execution of the commonly used ZeroLogon PoC executable.", "event_ids": [ "4688" ], - "id": "f6378d07-9103-4e8d-742c-4c622112632a", + "id": "2160db68-9836-29f5-6e25-0d0c4c7b2f55", "level": "high", "service": "", "subcategory_guids": [ 
@@ -38411,3673 +51376,12 @@ ], "tags": [ "TA0002", - "T1112", - "T1047", - "detection.emerging-threats" - ], - "title": "Blue Mockingbird" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020", - "event_ids": [ - "4688" - ], - "id": "761c2906-a130-f6d9-4b0f-4935ac76ab80", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "attack.g0004", - "TA0005", - "T1562.001", - "detection.emerging-threats", - "T1562" - ], - "title": "Potential Ke3chang/TidePool Malware Activity" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", - "event_ids": [ - "4657" - ], - "id": "0b8e16f0-ba71-e4bd-3716-69afe0091614", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1112", - "detection.emerging-threats" - ], - "title": "FlowCloud Registry Markers" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", - "event_ids": [ - "4688" - ], - "id": "aeae16e2-a1e2-dc9e-0228-60755dd9c6b7", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "detection.emerging-threats", - "T1218" - ], - "title": "Potential Emotet Rundll32 Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific process characteristics of Maze ransomware word document 
droppers", - "event_ids": [ - "4688" - ], - "id": "e3ea1348-79be-c569-ad0a-4aadcc5cc216", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1204.002", - "T1047", - "TA0040", - "T1490", - "detection.emerging-threats", - "T1204" - ], - "title": "Potential Maze Ransomware Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", - "event_ids": [ - "4688" - ], - "id": "bd234da4-9181-62b1-7db3-48a5f00642b0", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "T1047", - "detection.emerging-threats", - "T1059" - ], - "title": "UNC2452 PowerShell Pattern" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", - "event_ids": [ - "4688" - ], - "id": "4a5b4327-68a3-c67b-3a03-2e238380c196", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "detection.emerging-threats", - "T1059" - ], - "title": "UNC2452 Process Creation Patterns" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious inline VBScript keywords as used by UNC2452", - "event_ids": [ - "4688" - ], - "id": "c95593ac-8717-262b-cedb-792a55e2bd26", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "detection.emerging-threats", - "T1547" - ], - "title": "Suspicious VBScript UN2452 Pattern" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - 
"description": "Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report", - "event_ids": [ - "4688" - ], - "id": "dbe85609-2e67-6297-cb1d-faed3bebc059", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "detection.emerging-threats", - "T1218" - ], - "title": "EvilNum APT Golden Chickens Deployment Via OCX Files" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", - "event_ids": [ - "4657" - ], - "id": "09b9f622-28c3-d403-0447-f3858c57995e", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "detection.emerging-threats", - "T1547" - ], - "title": "Leviathan Registry Key Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec", - "event_ids": [ - "4688" - ], - "id": "66a8b7b5-8783-4815-24bb-0ad1640f23f3", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "attack.g0049", - "TA0002", - "T1059.001", - "TA0011", - "T1105", - "TA0005", - "T1036.005", - "detection.emerging-threats", - "T1059", - "T1036" - ], - "title": "Greenbug Espionage Group Indicators" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity", - "event_ids": [ - "4688" - ], - "id": "2e608159-dacf-a4b9-091f-28534c9424d3", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "attack.g0032", - "TA0002", - "T1059", - 
"detection.emerging-threats" - ], - "title": "Lazarus Group Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", - "event_ids": [ - "4688" - ], - "id": "3f469afc-3a19-1d2e-3bb7-e4d0e8354880", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1574.001", - "attack.g0044", - "detection.emerging-threats", - "T1574" - ], - "title": "Winnti Malware HK University Campaign" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", - "event_ids": [ - "4688" - ], - "id": "a972ef92-1911-1a94-01aa-d73223ffb539", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1574.001", - "attack.g0044", - "detection.emerging-threats", - "T1574" - ], - "title": "Winnti Pipemon Characteristics" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", - "event_ids": [ - "4688" - ], - "id": "d560b276-ce03-f4a8-6672-12ce7b5c62b9", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1055.001", - "detection.emerging-threats", - "T1055" - ], - "title": "TAIDOOR RAT DLL Load" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-DNS-Server/Analytical" - ], - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "event_ids": [ - "257" - ], - "id": "c8e0edae-2335-591c-7057-1ac58f03e06c", - "level": "high", - "service": "dns-server-analytic", 
- "subcategory_guids": [], - "tags": [ - "TA0006", - "TA0011", - "T1071", - "detection.emerging-threats" - ], - "title": "GALLIUM Artefacts - Builtin" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.\nAs reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat \"prunsrv.exe\" process application.\n", - "event_ids": [ - "4688" - ], - "id": "c673198f-36bd-eaf8-5986-f439d6b8c2a8", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0001", - "T1059.006", - "T1190", - "cve.2022-22954", - "detection.emerging-threats", - "T1059" - ], - "title": "Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "event_ids": [ - "4657" - ], - "id": "9754f622-65d5-8c9b-7762-f074e2d502ed", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1221", - "detection.emerging-threats" - ], - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. 
This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n", - "event_ids": [ - "4688" - ], - "id": "04ed5400-e750-0076-db95-3a48baa00f30", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "cve.2022-29072", - "detection.emerging-threats" - ], - "title": "Potential CVE-2022-29072 Exploitation Attempt" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)", - "event_ids": [ - "4688" - ], - "id": "a34c1c69-20be-c05f-9985-e8dfdd6387df", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0002", - "cve.2023-21554", - "detection.emerging-threats" - ], - "title": "Potential CVE-2023-21554 QueueJumper Exploitation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. 
CVE-2022-41120)", - "event_ids": [ - "4688" - ], - "id": "8093c636-02d2-54cd-0170-9c7037dadfda", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1068", - "cve.2022-41120", - "detection.emerging-threats" - ], - "title": "Suspicious Sysmon as Execution Parent" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects raspberry robin subsequent execution of commands.", - "event_ids": [ - "4688" - ], - "id": "d14ca8ab-730c-d8b6-195c-9cd426d66a34", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "detection.emerging-threats", - "T1059" - ], - "title": "Raspberry Robin Subsequent Execution of Commands" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the initial execution of the Raspberry Robin malware from an external drive using \"Cmd.EXE\".", - "event_ids": [ - "4688" - ], - "id": "f0eeba30-c955-c5ae-d78a-83e0f3a115ea", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "detection.emerging-threats", - "T1059" - ], - "title": "Raspberry Robin Initial Execution From External Drive" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", - "event_ids": [ - "4688" - ], - "id": "228eed07-6e91-fd77-f72d-32e28f0a3739", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Potential Raspberry Robin Dot Ending File" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detect access to files and shares with names and 
extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.", - "event_ids": [ - "4656", - "4663", - "5145" - ], - "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1486", - "detection.emerging-threats" - ], - "title": "BlueSky Ransomware Artefacts" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects post exploitation execution technique of the Serpent backdoor.\nAccording to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.\nIt creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.\n", - "event_ids": [ - "4688" - ], - "id": "aadf7b08-beb0-7b83-9155-bc9cf4ea77be", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0003", - "T1053.005", - "T1059.006", - "detection.emerging-threats", - "T1053", - "T1059" - ], - "title": "Serpent Backdoor Payload Execution Via Scheduled Task" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.\nThe \".lnk\" file was delivered via phishing campaign.\n", - "event_ids": [ - "4688" - ], - "id": "b5aa09e0-6b91-0111-57d5-0c7dd40b2208", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.006", - "detection.emerging-threats", - "T1059" - ], - "title": "Emotet Loader Execution Via .LNK File" - }, - { - "category": "process_creation", - "channel": [ 
- "sec" - ], - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", - "event_ids": [ - "4688" - ], - "id": "2a9fb7e5-5c2d-b57d-62d3-17245085abdc", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0008", - "T1021.001", - "detection.emerging-threats", - "T1021" - ], - "title": "Hermetic Wiper TG Process Patterns" - }, - { - "category": "", - "channel": [ - "Application" - ], - "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", - "event_ids": [ - "8128" - ], - "id": "e177969a-73cc-a32c-b948-cb580287057a", - "level": "high", - "service": "application", - "subcategory_guids": [], - "tags": [ - "TA0003", - "T1546", - "detection.emerging-threats" - ], - "title": "MSSQL Extended Stored Procedure Backdoor Maggie" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", - "event_ids": [ - "4688" - ], - "id": "08d5c383-090f-b317-6fdd-e815d17f2ab6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1053", - "T1053.005", - "detection.emerging-threats" - ], - "title": "Potential ACTINIUM Persistence Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious command line patterns seen being used by MERCURY APT", - "event_ids": [ - "4688" - ], - "id": "48adf0e2-62e3-9147-1be4-087852d3a4a5", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "attack.g0069", - "detection.emerging-threats", - "T1059" - ], - "title": "MERCURY APT Activity" - }, - { 
- "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects commands used by Turla group as reported by ESET in May 2020", - "event_ids": [ - "4688" - ], - "id": "01fbd572-ed21-128f-a6f8-33d5cd9c5dd4", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "attack.g0010", - "TA0002", - "T1059.001", - "T1053.005", - "T1027", - "detection.emerging-threats", - "T1053", - "T1059" - ], - "title": "Turla Group Commands May 2020" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects automated lateral movement by Turla group", - "event_ids": [ - "4688" - ], - "id": "43b8a8bc-fb6b-2385-d4a0-7efb8523c625", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "attack.g0010", - "TA0002", - "T1059", - "TA0008", - "T1021.002", - "TA0007", - "T1083", - "T1135", - "detection.emerging-threats", - "T1021" - ], - "title": "Turla Group Lateral Movement" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a ZxShell start by the called and well-known function name", - "event_ids": [ - "4688" - ], - "id": "d0fd7844-3a95-dea8-af80-626b8fcf4e3f", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.003", - "TA0005", - "T1218.011", - "attack.s0412", - "attack.g0001", - "detection.emerging-threats", - "T1059", - "T1218" - ], - "title": "ZxShell Malware" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Office applications executing a child process that includes directory traversal patterns. 
This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)", - "event_ids": [ - "4688" - ], - "id": "00676efc-2e92-d9a5-446a-9ba1c79c4e85", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "cve.2021-40444", - "detection.emerging-threats" - ], - "title": "Potential Exploitation Attempt From Office Application" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations", - "event_ids": [ - "4688" - ], - "id": "8e5b10ed-ce69-5075-d3d8-fbb3de65ff2f", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059", - "cve.2021-40444", - "detection.emerging-threats" - ], - "title": "Potential CVE-2021-40444 Exploitation Attempt" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", - "event_ids": [ - "4688" - ], - "id": "8c7a964a-71e9-b30a-6637-7a43c307510a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "TA0002", - "T1190", - "T1059", - "cve.2021-26084", - "detection.emerging-threats" - ], - "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "event_ids": [ - "4657" - ], - "id": "a4072638-9c3a-3307-e4f9-458edbb60efb", - "level": "critical", - "service": "", - "subcategory_guids": [ - 
"0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1566", - "T1203", - "cve.2021-33771", - "cve.2021-31979", - "detection.emerging-threats" - ], - "title": "CVE-2021-31979 CVE-2021-33771 Exploits" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", - "event_ids": [ - "4688" - ], - "id": "ccdd2798-8320-c919-4e0d-210c344a3f2e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1203", - "TA0002", - "cve.2021-26857", - "detection.emerging-threats" - ], - "title": "Potential CVE-2021-26857 Exploitation Attempt" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", - "event_ids": [ - "35", - "36", - "37", - "38" - ], - "id": "8a194220-2afd-d5a9-0644-0a2d76019999", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1558.003", - "cve.2021-42278", - "detection.emerging-threats", - "T1558" - ], - "title": "Potential CVE-2021-42278 Exploitation Attempt" - }, - { - "category": "", - "channel": [ - "MSExchange Management" - ], - "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", - "event_ids": [ - "6", - "8" - ], - "id": "429ee035-2f74-8a92-ad19-a448e450bb5e", - "level": "high", - "service": "msexchange-management", - "subcategory_guids": [], - "tags": [ "TA0008", "T1210", + "cve.2020-1472", "detection.emerging-threats" ], - "title": 
"Possible Exploitation of Exchange RCE CVE-2021-42321" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", - "event_ids": [ - "4688" - ], - "id": "4a49be77-9768-f48f-06ff-6670c49744f2", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1553", - "detection.emerging-threats" - ], - "title": "Suspicious RazerInstaller Explorer Subprocess" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM", - "event_ids": [ - "4688" - ], - "id": "4084760d-7ac7-aa67-d486-64383ae4b98e", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1068", - "detection.emerging-threats" - ], - "title": "Potential SystemNightmare Exploitation Attempt" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", - "event_ids": [ - "4688" - ], - "id": "e40fd714-eaab-3ce4-3a3d-de697f78ed6a", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1136.001", - "cve.2021-35211", - "detection.emerging-threats", - "T1136" - ], - "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322" - }, - { - "category": "antivirus", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 
(PrinterNightmare), CVE-2021-1675 .", - "event_ids": [ - "1006", - "1007", - "1008", - "1009", - "1010", - "1011", - "1012", - "1017", - "1018", - "1019", - "1115", - "1116" - ], - "id": "aef0711e-c055-e870-92bc-ea130059eed1", - "level": "critical", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "TA0004", - "T1055", - "detection.emerging-threats" - ], - "title": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", - "event_ids": [ - "5145" - ], - "id": "52b5923e-1ef2-aaad-5513-3c830f3c5850", - "level": "critical", - "service": "security", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1569", - "cve.2021-1675", - "cve.2021-34527", - "detection.emerging-threats" - ], - "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-PrintService/Admin" - ], - "description": "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675", - "event_ids": [ - "808" - ], - "id": "5c10c39e-b9f6-d321-3598-62095b34b663", - "level": "high", - "service": "printservice-admin", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1569", - "cve.2021-1675", - "detection.emerging-threats" - ], - "title": "Possible CVE-2021-1675 Print Spooler Exploitation" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-PrintService/Operational" - ], - "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", - "event_ids": [ - "316" - ], - "id": 
"ae207e8e-3dfd-bd05-1161-e0472778f2be", - "level": "critical", - "service": "printservice-operational", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1569", - "cve.2021-1675", - "detection.emerging-threats" - ], - "title": "CVE-2021-1675 Print Spooler Exploitation" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", - "event_ids": [ - "4781" - ], - "id": "17662114-5bee-2566-359c-68d830193830", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003", - "T1036", - "T1098", - "cve.2021-42287", - "detection.emerging-threats" - ], - "title": "Suspicious Computer Account Name Change CVE-2021-42287" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights", - "event_ids": [ - "4688" - ], - "id": "963ed93f-0486-5cc3-afc2-caa06ef8b627", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1068", - "cve.2021-41379", - "detection.emerging-threats" - ], - "title": "Potential CVE-2021-41379 Exploitation Attempt" - }, - { - "category": "", - "channel": [ - "Application" - ], - "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", - "event_ids": [ - "1033" - ], - "id": "8e38887f-8e20-477d-26c1-0862951ae91b", - "level": "high", - "service": "application", - "subcategory_guids": [], - "tags": [ - "TA0001", - "T1190", - "detection.emerging-threats" - ], - "title": "LPE InstallerFileTakeOver PoC 
CVE-2021-41379" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.\n", - "event_ids": [ - "4688" - ], - "id": "88ad8420-1fd5-6e62-470b-6eaad464d86d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "T1190", - "cve.2021-44228", - "detection.emerging-threats" - ], - "title": "Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a specific command used by the Conti ransomware group", - "event_ids": [ - "4688" - ], - "id": "0f5f5afd-9d5f-a6e0-5374-15a232233275", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "attack.s0575", - "T1486", - "detection.emerging-threats" - ], - "title": "Potential Conti Ransomware Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a command used by conti to exfiltrate NTDS", - "event_ids": [ - "4688" - ], - "id": "458bad33-8cea-bc4b-b0f7-24a975aae847", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1560", - "detection.emerging-threats" - ], - "title": "Conti NTDS Exfiltration Command" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a command used by conti to dump database", - "event_ids": [ - "4688" - ], - "id": "ba261ff0-33d7-32ab-4a68-618467284009", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0009", - "T1005", - "detection.emerging-threats" - ], - "title": "Potential Conti Ransomware Database Dumping Activity Via SQLCmd" - }, - { - 
"category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a command used by conti to find volume shadow backups", - "event_ids": [ - "4688" - ], - "id": "cff3f656-4a93-c909-b0a0-0cbc53341fe8", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1587.001", - "TA0042", - "detection.emerging-threats", - "T1587" - ], - "title": "Conti Volume Shadow Listing" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific process behavior observed with Devil Bait samples", - "event_ids": [ - "4688" - ], - "id": "35938479-283e-16c7-ff2a-78b5f267f8f6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "detection.emerging-threats" - ], - "title": "Potential Devil Bait Malware Reconnaissance" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects command line patterns used by BlackByte ransomware in different operations", - "event_ids": [ - "4688" - ], - "id": "de11bbb4-9429-4ee9-9039-d71a174c512e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "TA0040", - "T1485", - "T1498", - "T1059.001", - "T1140", - "detection.emerging-threats", - "T1059" - ], - "title": "Potential BlackByte Ransomware Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects DarkSide Ransomware and helpers", - "event_ids": [ - "4688" - ], - "id": "29b10082-a29d-5f77-a7da-8ef6d105ab32", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1204", - "detection.emerging-threats" - ], - "title": "DarkSide Ransomware Pattern" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - 
"description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "event_ids": [ - "4688" - ], - "id": "2efc692b-49f5-1d23-c6ca-3e4e63d3026c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1574.001", - "detection.emerging-threats", - "T1574" - ], - "title": "Pingback Backdoor Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.", - "event_ids": [ - "4688" - ], - "id": "0704ac61-5014-80cc-4899-419448a02edf", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Potential Goofy Guineapig Backdoor Activity" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects service creation persistence used by the Goofy Guineapig backdoor", - "event_ids": [ - "7045" - ], - "id": "0375abd6-f86e-a665-27a0-501b2a1621a8", - "level": "critical", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003", - "detection.emerging-threats" - ], - "title": "Goofy Guineapig Backdoor Service Creation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects \"GoogleUpdate.exe\" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor", - "event_ids": [ - "4688" - ], - "id": "f4ecb52a-58a8-1b58-2edc-0d083d0df505", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "detection.emerging-threats" - ], - "title": "Potential Goofy Guineapig GoolgeUpdate Process Anomaly" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects registry value with 
specific intentional typo and strings seen used by the Small Sieve malware", - "event_ids": [ - "4657" - ], - "id": "8376c984-b3da-370c-ff20-3c9c0dc9f18e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "detection.emerging-threats" - ], - "title": "Small Sieve Malware Registry Persistence" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.", - "event_ids": [ - "4688" - ], - "id": "d0813182-98c0-431d-4f35-12d9dc087b3b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1574.001", - "detection.emerging-threats", - "T1574" - ], - "title": "Small Sieve Malware CommandLine Indicator" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", - "event_ids": [ - "4688" - ], - "id": "be68dda9-dcd8-3f19-1263-fb0ec5c4f624", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546", - "T1053", - "attack.g0125", - "detection.emerging-threats" - ], - "title": "HAFNIUM Exchange Exploitation Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", - "event_ids": [ - "4688" - ], - "id": "a8018a36-765e-3a40-8a76-cc0bc318f8d6", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059", - "attack.g0115", - "detection.emerging-threats" - ], - "title": "REvil Kaseya Incident Malware Patterns" 
- }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", - "event_ids": [ - "4688" - ], - "id": "9c814658-2890-e222-15ec-41330fd1fad0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1546", - "T1546.015", - "TA0003", - "TA0004", - "detection.emerging-threats" - ], - "title": "SOURGUM Actor Behaviours" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", - "event_ids": [ - "4688" - ], - "id": "7ff9b9f2-a79d-029b-9d23-1335adb7098c", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1068", - "cve.2019-1388", - "detection.emerging-threats" - ], - "title": "Exploiting CVE-2019-1388" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par", - "event_ids": [ - "4688" - ], - "id": "def2ec32-0d35-d282-5265-940ec8847ce0", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1053.005", - "car.2013-08-001", - "detection.emerging-threats", - "T1053" - ], - "title": "Potential BearLPE Exploitation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects activity that could be related to Baby Shark malware", - "event_ids": [ - "4688" - ], - "id": "c368d44f-914c-dda1-79ca-a54a155c8491", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "TA0007", - "T1012", - "T1059.003", - 
"T1059.001", - "T1218.005", - "detection.emerging-threats", - "T1218", - "T1059" - ], - "title": "Potential Baby Shark Malware Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential QBot activity by looking for process executions used previously by QBot", - "event_ids": [ - "4688" - ], - "id": "178d305a-d6f0-baf2-b49b-89ffaddc2ca1", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.005", - "detection.emerging-threats", - "T1059" - ], - "title": "Potential QBot Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.", - "event_ids": [ - "4688" - ], - "id": "588be409-8e98-409a-a4ef-4cccc7b7e865", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0042", - "T1587.001", - "detection.emerging-threats", - "T1587" - ], - "title": "Formbook Process Creation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects LockerGoga ransomware activity via specific command line.", - "event_ids": [ - "4688" - ], - "id": "9dc3524d-8444-15f1-bde6-e060f0050e94", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1486", - "detection.emerging-threats" - ], - "title": "LockerGoga Ransomware Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific process characteristics of Snatch ransomware word document droppers", - "event_ids": [ - "4688" - ], - "id": 
"14cb4558-9252-130c-f8d4-6662b6f951ef", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1204", - "detection.emerging-threats" - ], - "title": "Potential Snatch Ransomware Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential Dridex acitvity via specific process patterns", - "event_ids": [ - "4688" - ], - "id": "e23a9ec2-a8a3-badf-e230-fcbe8cf7f86e", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0004", - "T1055", - "TA0007", - "T1135", - "T1033", - "detection.emerging-threats" - ], - "title": "Potential Dridex Activity" - }, - { - "category": "registry_add", - "channel": [ - "sec" - ], - "description": "Detects registry keys related to Ursnif malware.", - "event_ids": [ - "4657" - ], - "id": "4adab006-3d6b-cf15-fdcc-f081f50e87f5", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1112", - "detection.emerging-threats" - ], - "title": "Potential Ursnif Malware Activity - Registry" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects all Emotet like process executions that are not covered by the more generic rules", - "event_ids": [ - "4688" - ], - "id": "399756bd-2003-82b3-c6c6-ab44d1516146", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "TA0005", - "T1027", - "detection.emerging-threats", - "T1059" - ], - "title": "Potential Emotet Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential Dtrack RAT activity via specific process patterns", - "event_ids": [ - "4688" - ], - "id": "39724b62-2e68-3ffc-c675-c018f6c9ce11", - "level": "critical", - 
"service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1490", - "detection.emerging-threats" - ], - "title": "Potential Dtrack RAT Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Ryuk ransomware activity", - "event_ids": [ - "4688" - ], - "id": "d7037073-136c-baf0-a9d7-cb2c03fcd245", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.001", - "detection.emerging-threats", - "T1547" - ], - "title": "Potential Ryuk Ransomware Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential EmpireMonkey APT activity", - "event_ids": [ - "4688" - ], - "id": "88973540-d514-9331-f28d-73a9e8f21ac1", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.010", - "detection.emerging-threats", - "T1218" - ], - "title": "Potential EmpireMonkey Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a specific export function name used by one of EquationGroup tools", - "event_ids": [ - "4688" - ], - "id": "26d86e32-1dec-3706-ae72-6314e702cb7e", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "attack.g0020", - "TA0005", - "T1218.011", - "detection.emerging-threats", - "T1218" - ], - "title": "Equation Group DLL_U Export Function Load" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific process parameters as used by Mustang Panda droppers", - "event_ids": [ - "4688" - ], - "id": "5951b1c5-52a0-6011-73e8-d5feb1c407fb", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1587.001", - "TA0042", - 
"detection.emerging-threats", - "T1587" - ], - "title": "Mustang Panda Dropper" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", - "event_ids": [ - "4688" - ], - "id": "3743899d-8da9-a497-6649-9838de358f7e", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1552.001", - "T1003.003", - "detection.emerging-threats", - "T1003", - "T1552" - ], - "title": "Potential Russian APT Credential Theft Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report", - "event_ids": [ - "4688" - ], - "id": "95e7263a-c0ff-b3c4-7947-3f452d58d181", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "TA0006", - "attack.g0128", - "T1003.001", - "T1560.001", - "detection.emerging-threats", - "T1003", - "T1560" - ], - "title": "APT31 Judgement Panda Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects activity mentioned in Operation Wocao report", - "event_ids": [ - "4688" - ], - "id": "5a419751-992b-77c8-867f-49e5097ecddd", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1012", - "TA0005", - "T1036.004", - "T1027", - "TA0002", - "T1053.005", - "T1059.001", - "detection.emerging-threats", - "T1059", - "T1036", - "T1053" - ], - "title": "Operation Wocao Activity" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects activity mentioned in Operation Wocao report", - "event_ids": [ - "4799" - ], - "id": "c9b5cb6f-906f-3a15-b77e-1b634b1d4e55", - "level": "high", - "service": "security", - 
"subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1012", - "TA0005", - "T1036.004", - "T1027", - "TA0002", - "T1053.005", - "T1059.001", - "detection.emerging-threats", - "T1036", - "T1059", - "T1053" - ], - "title": "Operation Wocao Activity - Security" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local", - "event_ids": [ - "4688" - ], - "id": "c3a27568-59dc-1d9d-e90f-dd041655ebdf", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.010", - "detection.emerging-threats", - "T1218" - ], - "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.\nCVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.\n", - "event_ids": [ - "4688" - ], - "id": "acecfe24-cf2a-2635-dded-a45c357eea3f", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "T1190", - "cve.2025-53770", - "detection.emerging-threats" - ], - "title": "Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential exploitation of remote code execution vulnerability CVE-2025-33053\nwhich involves unauthorized code execution via WebDAV through external control of file names or paths.\nThe exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating\ntheir working directories to point to attacker-controlled WebDAV servers, causing them to 
execute\nmalicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries\nthrough Process.Start() search order manipulation.\n", - "event_ids": [ - "4688" - ], - "id": "5cceaffb-6b96-605b-5c7e-58a2f125f151", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1218", - "TA0008", - "T1105", - "detection.emerging-threats", - "cve.2025-33053" - ], - "title": "Potential Exploitation of RCE Vulnerability CVE-2025-33053" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as\nCVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.\nThe detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.\n", - "event_ids": [ - "4688" - ], - "id": "c8db6dc8-96e3-1974-3921-3a7fc78993d4", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "TA0002", - "T1059.001", - "T1059.003", - "T1190", - "cve.2025-31161", - "detection.emerging-threats", - "T1059" - ], - "title": "Suspicious CrushFTP Child Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious child processes created by CrushFTP. 
It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.", - "event_ids": [ - "4688" - ], - "id": "81ef2b50-ae07-2c4b-4242-6669c7176fec", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "TA0002", - "T1059.001", - "T1059.003", - "T1068", - "T1190", - "cve.2025-54309", - "detection.emerging-threats", - "T1059" - ], - "title": "Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.\nThis allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer.\nThe vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.\n", - "event_ids": [ - "4688" - ], - "id": "1df6028e-e6fa-9d43-0ec9-a502e12d85dd", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0005", - "T1574.008", - "cve.2025-49144", - "detection.emerging-threats", - "T1574" - ], - "title": "Potential Notepad++ CVE-2025-49144 Exploitation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the \"curl.exe\" command, referencing \"SOCKS\" and \".onion\" domains, which could be indicative of Kalambur backdoor activity.", - "event_ids": [ - "4688" - ], - "id": "073e0fdf-35a4-362b-a1c6-2b1b41c71231", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1090", - "T1573", - "T1071.001", - "T1059.001", - "attack.s0183", - 
"detection.emerging-threats", - "T1059", - "T1071" - ], - "title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", - "event_ids": [ - "4688" - ], - "id": "a13f506e-fac9-0e14-f1b5-1cfbe9c57e46", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036.005", - "cve.2015-1641", - "detection.emerging-threats", - "T1036" - ], - "title": "Exploit for CVE-2015-1641" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884", - "event_ids": [ - "5140" - ], - "id": "5a3b13ed-8700-5d72-5592-4dbeacbeeb64", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9224-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "cve.2023-36884", - "detection.emerging-threats" - ], - "title": "Potential CVE-2023-36884 Exploitation - Share Access" - }, - { - "category": "", - "channel": [ - "Application" - ], - "description": "Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation", - "event_ids": [ - "2027" - ], - "id": "0bcc2c11-231f-f491-7985-3571fee7f2c5", - "level": "high", - "service": "application", - "subcategory_guids": [], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "MSMQ Corrupted Packet Encountered" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. 
Further investigation is required to determine the success of an exploitation.", - "event_ids": [ - "4657" - ], - "id": "d2c33d76-7b09-c3b4-a954-ffd2e0da3cc8", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1137", - "cve.2023-23397", - "detection.emerging-threats" - ], - "title": "Outlook Task/Note Reminder Received" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-SmbClient/Connectivity" - ], - "description": "Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.", - "event_ids": [ - "30803", - "30804", - "30806" - ], - "id": "de290ecb-3279-dd5b-2f6c-7d3f22a752d8", - "level": "medium", - "service": "smbclient-connectivity", - "subcategory_guids": [], - "tags": [ - "TA0010", - "cve.2023-23397", - "detection.emerging-threats" - ], - "title": "Potential CVE-2023-23397 Exploitation Attempt - SMB" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", - "event_ids": [ - "4656", - "4663" - ], - "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43", - "level": "critical", - "service": "security", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "TA0001", - "cve.2023-23397", - "detection.emerging-threats" - ], - "title": "CVE-2023-23397 Exploitation Attempt" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. 
create admin accounts and execute arbitrary commands.\n", - "event_ids": [ - "4688" - ], - "id": "b7a9b3d7-4d7a-c3f3-3d76-9b3c30db223c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059", - "TA0001", - "T1190", - "cve.2023-22518", - "detection.emerging-threats" - ], - "title": "CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.", - "event_ids": [ - "4688" - ], - "id": "1afd58da-cc18-91ca-c728-f9ead1f47317", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "detection.emerging-threats", - "TA0002", - "T1203", - "cve.2023-38331" - ], - "title": "CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process" - }, - { - "category": "", - "channel": [ - "Application" - ], - "description": "Detects a crash of \"WinRAR.exe\" where the version is lower than 6.23. 
This could indicate potential exploitation of CVE-2023-40477", - "event_ids": [ - "1000" - ], - "id": "f33feae7-db95-01a2-c35f-a6361e690ebb", - "level": "medium", - "service": "application", - "subcategory_guids": [], - "tags": [ - "TA0002", - "cve.2023-40477", - "detection.emerging-threats" - ], - "title": "CVE-2023-40477 Potential Exploitation - WinRAR Application Crash" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Rorschach ransomware execution activity", - "event_ids": [ - "4688" - ], - "id": "76838840-9141-18d6-5182-11d8297d9574", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.003", - "T1059.001", - "TA0005", - "detection.emerging-threats", - "T1059" - ], - "title": "Rorschach Ransomware Execution Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.\nThe malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries\n", - "event_ids": [ - "4688" - ], - "id": "36b7b5cb-6442-2a32-49bd-894a5b3ece4e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1055.012", - "detection.emerging-threats", - "T1055" - ], - "title": "Potential Pikabot Hollowing Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific process tree behavior linked to \"rundll32\" executions, wherein the associated DLL lacks a common \".dll\" extension, often signaling potential Pikabot activity.\n", - "event_ids": [ - "4688" - ], - "id": "465c812b-bb1a-4652-0a2a-5e9216ae9b5b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - 
"detection.emerging-threats" - ], - "title": "Pikabot Fake DLL Extension Execution Via Rundll32.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.\nThe malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).\n", - "event_ids": [ - "4688" - ], - "id": "4d7c1d43-5e75-8d5e-69ed-1a208dd23249", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1016", - "T1049", - "T1087", - "detection.emerging-threats" - ], - "title": "Potential Pikabot Discovery Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of concatenated commands via \"cmd.exe\". Pikabot often executes a combination of multiple commands via the command handler \"cmd /c\" in order to download and execute additional payloads.\nCommands such as \"curl\", \"wget\" in order to download extra payloads. 
\"ping\" and \"timeout\" are abused to introduce delays in the command execution and \"Rundll32\" is also used to execute malicious DLL files.\nIn the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.\n", - "event_ids": [ - "4688" - ], - "id": "2386a20f-b877-d41b-4f24-5561a8b788d2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.003", - "T1105", - "T1218", - "detection.emerging-threats", - "T1059" - ], - "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of installed GuLoader malware on the host.\nGuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.\n", - "event_ids": [ - "4688" - ], - "id": "aaa26b8b-7089-ddc7-6b3d-b0786555177e", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1055", - "detection.emerging-threats" - ], - "title": "Injected Browser Process Spawning Rundll32 - GuLoader Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects RunDLL32.exe executing a single digit DLL named \"1.dll\" with the export function \"DllRegisterServer\". 
This behaviour was often seen used by malware and especially IcedID", - "event_ids": [ - "4688" - ], - "id": "28ffa72a-4fdf-40aa-4912-e53083a61f96", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "detection.emerging-threats", - "T1218" - ], - "title": "IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report", - "event_ids": [ - "4688" - ], - "id": "4b4e4330-74b5-c191-3016-18ec0b0e8c15", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Potential SNAKE Malware Installation Binary Indicator" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects any registry event that targets the key 'SECURITY\\Policy\\Secrets\\n' which is a key related to SNAKE malware as described by CISA", - "event_ids": [ - "4657" - ], - "id": "58f3d2fb-ee2d-19e8-3792-abdf0eca4067", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "detection.emerging-threats" - ], - "title": "SNAKE Malware Covert Store Registry Key" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects the creation of a service named \"WerFaultSvc\" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report", - "event_ids": [ - "7045" - ], - "id": "abdb2e55-7d24-7f3d-6091-2b42abca2e67", - "level": "critical", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003", - "detection.emerging-threats" - ], - "title": "SNAKE Malware Service Persistence" - }, - { - "category": 
"process_creation", - "channel": [ - "sec" - ], - "description": "Detects a specific child/parent process relationship indicative of a \"WerFault\" process running from the \"WinSxS\" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.", - "event_ids": [ - "4688" - ], - "id": "d5f802ef-a213-5704-405c-10cefe798d45", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Potential SNAKE Malware Persistence Service Execution" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects the creation of a registry value in the \".wav\\OpenWithProgIds\" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA", - "event_ids": [ - "4657" - ], - "id": "2d1ec565-2a6e-eb8c-5e3e-454aa8a32614", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "detection.emerging-threats" - ], - "title": "Potential Encrypted Registry Blob Related To SNAKE Malware" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report", - "event_ids": [ - "4688" - ], - "id": "4597ab1c-27ca-a1fa-2aec-793a9478be04", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Potential SNAKE Malware Installation CLI Arguments Indicator" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific process tree behavior of a \"rundll32\" execution with exports linked with Qakbot activity.", - "event_ids": [ - "4688" - ], - "id": "15f0b692-9547-f109-f9cc-ac165a71dfdb", - 
"level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "detection.emerging-threats" - ], - "title": "Qakbot Rundll32 Exports Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific process tree behavior of a \"rundll32\" execution often linked with potential Qakbot activity.", - "event_ids": [ - "4688" - ], - "id": "4cbce5db-f238-eaa5-7272-ed7b8122ded6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "detection.emerging-threats" - ], - "title": "Potential Qakbot Rundll32 Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a specific command line of \"regsvr32\" where the \"calc\" keyword is used in conjunction with the \"/s\" flag. This behavior is often seen used by Qakbot", - "event_ids": [ - "4688" - ], - "id": "7a1d5134-71db-5e78-20af-387288b261fe", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "detection.emerging-threats" - ], - "title": "Qakbot Regsvr32 Calc Pattern" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet", - "event_ids": [ - "4688" - ], - "id": "c5241d42-29a7-201c-7ad6-96648cc368c3", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Qakbot Uninstaller Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific process tree behavior of a \"rundll32\" execution where the DLL doesn't have the 
\".dll\" extension. This is often linked with potential Qakbot activity.", - "event_ids": [ - "4688" - ], - "id": "28b6ad8c-6543-08dc-cc45-4088c5d03882", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "detection.emerging-threats" - ], - "title": "Qakbot Rundll32 Fake DLL Extension Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.\n", - "event_ids": [ - "4688" - ], - "id": "e1154da5-5e71-c3d4-e8b6-f6a18c1eaf54", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059", - "detection.emerging-threats" - ], - "title": "Ursnif Redirection Of Discovery Commands" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky", - "event_ids": [ - "4688" - ], - "id": "7d4d1b66-641e-c78a-a574-37e2658d3b05", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Griffon Malware Attack Pattern" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects creation of local users via the net.exe command with the name of \"DarkGate\"", - "event_ids": [ - "4688" - ], - "id": "2ea44b75-58f5-f91b-6aa1-6ff2c71bbb5a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1136.001", - "detection.emerging-threats", - "T1136" - ], - "title": "DarkGate - User Created Via Net.EXE" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of the legitimate 
Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within\nthe DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate\ncommand-and-control server.\n", - "event_ids": [ - "4688" - ], - "id": "2d2fc033-17e9-53b1-ea07-7d2dde3b2a54", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059", - "detection.emerging-threats" - ], - "title": "DarkGate - Autoit3.EXE Execution Parameters" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects the creation of new services potentially related to COLDSTEEL RAT", - "event_ids": [ - "7045" - ], - "id": "d8f1ace1-c01b-3f95-34ed-993d29f876f5", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0003", - "detection.emerging-threats" - ], - "title": "COLDSTEEL Persistence Service Creation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the creation of a process executing as user called \"ANONYMOUS\" seen used by the \"MileStone2016\" variant of COLDSTEEL", - "event_ids": [ - "4688" - ], - "id": "71791144-4c24-e133-0435-de80fac210a6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0005", - "detection.emerging-threats" - ], - "title": "COLDSTEEL RAT Anonymous User Process Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the creation of an \"svchost\" process with specific command line flags, that were seen present and used by ColdSteel RAT", - "event_ids": [ - "4688" - ], - "id": "cbb04740-ed1c-9f93-63da-7f0564a3b403", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0005", - "detection.emerging-threats" - ], - "title": 
"COLDSTEEL RAT Service Persistence Execution" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.", - "event_ids": [ - "4657" - ], - "id": "d1c9a56f-847c-149d-8e33-f2f0cc9d0780", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "detection.emerging-threats" - ], - "title": "Potential COLDSTEEL RAT Windows User Creation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023", - "event_ids": [ - "4688" - ], - "id": "3a5c167a-3ba9-e261-65fb-e6f832c0b3f2", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "detection.emerging-threats", - "T1218" - ], - "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Hunts for known SVR-specific scheduled task names", - "event_ids": [ - "4698", - "4699", - "4702" - ], - "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "detection.emerging-threats" - ], - "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TaskScheduler/Operational" - ], - "description": "Hunts for known SVR-specific scheduled task names", - "event_ids": [ - "129", - "140", - "141" - ], - "id": "51850e92-9de2-230e-98f6-5775d63df091", - "level": "high", - "service": "taskscheduler", - 
"subcategory_guids": [], - "tags": [ - "TA0003", - "detection.emerging-threats" - ], - "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52", - "event_ids": [ - "4688" - ], - "id": "d2624d20-f715-94ca-56f5-47923dc797a2", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "attack.g0129", - "detection.emerging-threats" - ], - "title": "Potential APT Mustang Panda Activity Against Australian Gov" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects process creation activity related to Peach Sandstorm APT", - "event_ids": [ - "4688" - ], - "id": "ad6cf96f-fa18-2ab2-281f-bbffecb4ab3a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Peach Sandstorm APT Process Activity Indicators" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability\n", - "event_ids": [ - "4698" - ], - "id": "05731ce3-cfda-dbba-3792-c17794a22cf7", - "level": "critical", - "service": "security", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0004", - "TA0003", - "T1053.005", - "detection.emerging-threats", - "T1053" - ], - "title": "Diamond Sleet APT Scheduled Task Creation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects process creation activity indicators related to Diamond 
Sleet APT", - "event_ids": [ - "4688" - ], - "id": "2e4649c0-d69b-e162-9c39-4d98600de98a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Diamond Sleet APT Process Activity Indicators" - }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability\n", - "event_ids": [ - "4657" - ], - "id": "0a08328e-c93e-0397-cb8e-61d93af17c09", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562", - "detection.emerging-threats" - ], - "title": "Diamond Sleet APT Scheduled Task Creation - Registry" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious child processes of \"pc-app.exe\". 
Which could indicate potential exploitation of PaperCut", - "event_ids": [ - "4688" - ], - "id": "2a5d2c0f-578d-a591-f955-6a96069d7d9d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "PaperCut MF/NG Potential Exploitation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects exploitation indicators related to PaperCut MF/NG Exploitation", - "event_ids": [ - "4688" - ], - "id": "ebb92368-23b5-851f-104d-95a89838d948", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "PaperCut MF/NG Exploitation Related Indicators" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects potential execution of the PowerShell script POWERTRASH", - "event_ids": [ - "4104" - ], - "id": "b8581aed-5481-addc-116b-c0b8384cecfc", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "attack.g0046", - "detection.emerging-threats", - "T1059" - ], - "title": "Potential POWERTRASH Script Execution" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs", - "event_ids": [ - "4104" - ], - "id": "384a6ce5-d681-2e87-6a43-6e1a0eb0f316", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "attack.g0046", - "detection.emerging-threats", - "T1059" - ], - "title": "Potential APT FIN7 POWERHOLD Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution", - "event_ids": [ - 
"4688" - ], - "id": "dc315390-7011-bb4e-751f-f08ecd3ca85d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "attack.g0046", - "detection.emerging-threats" - ], - "title": "Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software", - "event_ids": [ - "4688" - ], - "id": "dfd05613-5afb-ff48-86b9-082194e9ae79", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "TA0002", - "detection.emerging-threats" - ], - "title": "Potential Compromised 3CXDesktopApp Update Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential suspicious child processes of \"3CXDesktopApp.exe\". 
Which could be related to the 3CXDesktopApp supply chain compromise", - "event_ids": [ - "4688" - ], - "id": "55dc8b32-c836-8c99-848d-630c50764aeb", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "TA0002", - "T1218", - "detection.emerging-threats" - ], - "title": "Potential Suspicious Child Process Of 3CXDesktopApp" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of known compromised version of 3CXDesktopApp", - "event_ids": [ - "4688" - ], - "id": "35f3ea40-3ec2-86b1-9633-0a8230a46fc6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "TA0002", - "detection.emerging-threats" - ], - "title": "Potential Compromised 3CXDesktopApp Execution" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team\n", - "event_ids": [ - "4104" - ], - "id": "47fec53e-ab09-f2b7-fc9a-c7364aefc12f", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "detection.emerging-threats", - "T1059" - ], - "title": "Lace Tempest PowerShell Launcher" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team\n", - "event_ids": [ - "4104" - ], - "id": "017266c4-7b12-7c2b-d2b3-0b8ffe973af8", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "detection.emerging-threats", - "T1059" - ], - "title": "Lace Tempest PowerShell Evidence Eraser" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - 
"description": "Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team", - "event_ids": [ - "4688" - ], - "id": "9cf64f9c-ca0e-07b8-3d01-106dac73ef8b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Lace Tempest Cobalt Strike Download" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team", - "event_ids": [ - "4688" - ], - "id": "d7cc678c-bf6e-c88c-9c51-68ac731baa8b", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Lace Tempest Malware Loader Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity", - "event_ids": [ - "4688" - ], - "id": "bc808841-697e-7b11-dc93-e0c729b17e87", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Mint Sandstorm - Log4J Wstomcat Process Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm", - "event_ids": [ - "4688" - ], - "id": "16662367-d8c5-c609-8ef7-131dda0a9ae9", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Mint Sandstorm - ManageEngine Suspicious Process Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - 
"description": "Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm", - "event_ids": [ - "4688" - ], - "id": "4e26299f-1fd3-fa5e-1aad-a0c22275e7ae", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "detection.emerging-threats" - ], - "title": "Mint Sandstorm - AsperaFaspex Suspicious Process Execution" - }, - { - "category": "", - "channel": [ - "Application" - ], - "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", - "event_ids": [ - "1001" - ], - "id": "ea429061-e3b4-fabd-8bd6-cb98772aeeba", - "level": "high", - "service": "application", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1211", - "T1562.001", - "T1562" - ], - "title": "Microsoft Malware Protection Engine Crash - WER" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Diagnosis-Scripted/Operational" - ], - "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", - "event_ids": [ - "101" - ], - "id": "b0e8486c-73f6-e1ba-9684-acba841c2719", - "level": "high", - "service": "diagnosis-scripted", - "subcategory_guids": [], - "tags": [ - "TA0002" - ], - "title": "Loading Diagcab Package From Remote Path" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Windows Defender logs when the history of detected infections is deleted.", - "event_ids": [ - "1013" - ], - "id": "e9310b5d-113f-86dc-a3e0-3ed5cefa6088", - "level": "informational", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - "title": "Windows Defender Malware Detection History Deletion" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Detects Access to LSASS Process", - "event_ids": [ - "1121" - ], - "id": "db45bac6-e4cf-df15-bb73-abdc2bb5b466", - "level": 
"high", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1003.001", - "T1003" - ], - "title": "LSASS Access Detected via Attack Surface Reduction" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n", - "event_ids": [ - "5001" - ], - "id": "e6c2628d-e4dc-0b32-e087-1c205385af72", - "level": "high", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Windows Defender Real-time Protection Disabled" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Detects actions taken by Windows Defender malware detection engines", - "event_ids": [ - "1006", - "1015", - "1116", - "1117" - ], - "id": "c70d7033-8146-fe73-8430-90b23c296f9d", - "level": "high", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Windows Defender Threat Detected" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Detects the expiration of the grace period of Windows Defender. 
This means protection against viruses, spyware, and other potentially unwanted software is disabled.\n", - "event_ids": [ - "5101" - ], - "id": "5a62f5a9-71eb-a0e2-496d-e062350225df", - "level": "high", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Windows Defender Grace Period Expired" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Detects the restoration of files from the defender quarantine", - "event_ids": [ - "1009" - ], - "id": "77f49adb-372a-8c7c-0bee-7e361b09b30e", - "level": "high", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Win Defender Restored Quarantine File" + "title": "Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC" }, { "category": "", 
@@ -42100,6 +51404,66 @@
 ],
 "title": "Windows Defender Real-Time Protection Failure/Restart"
 },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-Windows Defender/Operational"
+ ],
+ "description": "Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.\n",
+ "event_ids": [
+ "5101"
+ ],
+ "id": "5a62f5a9-71eb-a0e2-496d-e062350225df",
+ "level": "high",
+ "service": "windefend",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "Windows Defender Grace Period Expired"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-Windows Defender/Operational"
+ ],
+ "description": "Detects disabling of the \"Automatic Sample Submission\" feature of Windows Defender.",
+ "event_ids": [
+ "5007"
+ ],
+ "id": "f8be1673-da49-5b78-517b-16094864fab7",
+ "level": "low",
+ "service": "windefend",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "Windows Defender Submit Sample Feature Disabled"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-Windows Defender/Operational"
+ ],
+ "description": "Detects Access to LSASS Process",
+ "event_ids": [
+ "1121"
+ ],
+ "id": "db45bac6-e4cf-df15-bb73-abdc2bb5b466",
+ "level": "high",
+ "service": "windefend",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0006",
+ "T1003.001",
+ "T1003"
+ ],
+ "title": "LSASS Access Detected via Attack Surface Reduction"
+ },
 {
 "category": "",
 "channel": [
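Review bot: The three `description` values added in this hunk are not normalised the same way — the Grace Period entry ends in `\n` while the Sample Submission and LSASS entries do not, and the same mix recurs in the next two hunks (`@@ -42119` Exploit Guard Tamper, `@@ -42161` Real-time Protection Disabled). If this file is produced by a generator, stripping trailing whitespace from `description` before emitting would make the values consistent; if it is hand-maintained, drop the trailing `\n` from the first entry here. The re-added entries keep the ids of the ones removed earlier in the diff (`5a62f5a9-…`, `f8be1673-…`, `db45bac6-…`), so the churn here appears to be pure reordering; emitting the array in a stable order (for example sorted by `id`) would keep future diffs down to real additions and removals and make a dropped rule visible at a glance.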
@@ -42119,6 +51483,64 @@
 ],
 "title": "Windows Defender AMSI Trigger Detected"
 },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-Windows Defender/Operational"
+ ],
+ "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"",
+ "event_ids": [
+ "5013"
+ ],
+ "id": "f0a75367-1237-98a3-79c3-c4e7e4f5bacc",
+ "level": "high",
+ "service": "windefend",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "Microsoft Defender Tamper Protection Trigger"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-Windows Defender/Operational"
+ ],
+ "description": "Detects when someone is adding or removing applications or folders from exploit guard \"ProtectedFolders\" or \"AllowedApplications\"\n",
+ "event_ids": [
+ "5007"
+ ],
+ "id": "2b57cd91-079d-5f13-07f4-82d7435acd38",
+ "level": "high",
+ "service": "windefend",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "Windows Defender Exploit Guard Tamper"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-Windows Defender/Operational"
+ ],
+ "description": "Windows Defender logs when the history of detected infections is deleted.",
+ "event_ids": [
+ "1013"
+ ],
+ "id": "e9310b5d-113f-86dc-a3e0-3ed5cefa6088",
+ "level": "informational",
+ "service": "windefend",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005"
+ ],
+ "title": "Windows Defender Malware Detection History Deletion"
+ },
 {
 "category": "",
 "channel": [
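Review bot: The new `Windows Defender Exploit Guard Tamper` entry carries `"event_ids": ["5007"]`, the same single event id as the `Windows Defender Submit Sample Feature Disabled` entry added in the previous hunk, and nothing else in these records distinguishes the two. If a consumer of this file selects rules by `event_ids` alone, both will match the same Defender configuration-change events and one of them is pure noise; I am inferring the consumer's behaviour, so please confirm whether the discriminating logic lives elsewhere and is looked up by `id`. If it does not, the `description` of each should at least name the specific setting it is meant to cover so analysts can tell the two alerts apart.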
@@ -42161,6 +51583,68 @@
 ],
 "title": "Windows Defender Exclusions Added"
 },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-Windows Defender/Operational"
+ ],
+ "description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
+ "event_ids": [
+ "5001"
+ ],
+ "id": "e6c2628d-e4dc-0b32-e087-1c205385af72",
+ "level": "high",
+ "service": "windefend",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "Windows Defender Real-time Protection Disabled"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-Windows Defender/Operational"
+ ],
+ "description": "Detects actions taken by Windows Defender malware detection engines",
+ "event_ids": [
+ "1006",
+ "1015",
+ "1116",
+ "1117"
+ ],
+ "id": "c70d7033-8146-fe73-8430-90b23c296f9d",
+ "level": "high",
+ "service": "windefend",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0002",
+ "T1059"
+ ],
+ "title": "Windows Defender Threat Detected"
+ },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-Windows Defender/Operational"
+ ],
+ "description": "Detects the restoration of files from the defender quarantine",
+ "event_ids": [
+ "1009"
+ ],
+ "id": "77f49adb-372a-8c7c-0bee-7e361b09b30e",
+ "level": "high",
+ "service": "windefend",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0005",
+ "T1562.001",
+ "T1562"
+ ],
+ "title": "Win Defender Restored Quarantine File"
+ },
 {
 "category": "",
 "channel": [
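Review bot: Of the four Defender rules removed in the following hunk (`@@ -42181,86`), three reappear in this diff (`2b57cd91-…` and `f0a75367-…` in `@@ -42119`, `f8be1673-…` in `@@ -42100`), but `ac622fde-5d5a-e064-bfd2-55cbb5f1eacb` — `Windows Defender Malware And PUA Scanning Disabled`, event id `5010` — has no counterpart in any addition visible here. If it is not re-added elsewhere in the commit, the reorder silently drops the rule for Defender's scanning being switched off, a defence-evasion signal the neighbouring `T1562.001` entries in this hunk still cover. Please confirm it is present on the new side, or restore the entry next to `Windows Defender Real-time Protection Disabled` here.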
@@ -42181,86 +51665,6 @@
 ],
 "title": "Windows Defender Configuration Changes"
 },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-Windows Defender/Operational"
- ],
- "description": "Detects when someone is adding or removing applications or folders from exploit guard \"ProtectedFolders\" or \"AllowedApplications\"\n",
- "event_ids": [
- "5007"
- ],
- "id": "2b57cd91-079d-5f13-07f4-82d7435acd38",
- "level": "high",
- "service": "windefend",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Windows Defender Exploit Guard Tamper"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-Windows Defender/Operational"
- ],
- "description": "Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software",
- "event_ids": [
- "5010"
- ],
- "id": "ac622fde-5d5a-e064-bfd2-55cbb5f1eacb",
- "level": "high",
- "service": "windefend",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Windows Defender Malware And PUA Scanning Disabled"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-Windows Defender/Operational"
- ],
- "description": "Detects disabling of the \"Automatic Sample Submission\" feature of Windows Defender.",
- "event_ids": [
- "5007"
- ],
- "id": "f8be1673-da49-5b78-517b-16094864fab7",
- "level": "low",
- "service": "windefend",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Windows Defender Submit Sample Feature Disabled"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-Windows Defender/Operational"
- ],
- "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"",
- "event_ids": [
- "5013"
- ],
- "id": "f0a75367-1237-98a3-79c3-c4e7e4f5bacc",
- "level": "high",
- "service": "windefend",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Microsoft Defender Tamper Protection Trigger"
- },
 {
 "category": "",
 "channel": [
@@ -42281,5393 +51685,16 @@ ], "title": "Windows Defender Virus Scanning Feature Disabled" }, - { - "category": "", - "channel": [ - "Microsoft-Windows-AppXDeploymentServer/Operational" - ], - "description": "Detects an appx package deployment that was blocked by AppLocker policy", - "event_ids": [ - "412" - ], - "id": "a902397c-6118-0a8f-7fab-3f8142297d80", - "level": "medium", - "service": "appxdeployment-server", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - "title": "Deployment AppX Package Was Blocked By AppLocker" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-AppXDeploymentServer/Operational" - ], - "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", - "event_ids": [ - "401" - ], - "id": "5cfde458-a9e1-f4b7-92cd-959ead47bdd3", - "level": "medium", - "service": "appxdeployment-server", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - "title": "Suspicious AppX Package Installation Attempt" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-AppXDeploymentServer/Operational" - ], - "description": "Detects an appx package added to the pipeline of the \"to be processed\" packages which was downloaded from a suspicious domain.\n", - "event_ids": [ - "854" - ], - "id": "7de9c1d0-7b8e-8196-8137-8dcc13c6e960", - "level": "high", - "service": "appxdeployment-server", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - "title": "Suspicious Remote AppX Package Locations" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-AppXDeploymentServer/Operational" - ], - "description": "Detects an appx package deployment that was blocked by the local computer policy", - "event_ids": [ - "441", - "442", - "453", - "454" - ], - "id": "c01e61dd-7cb7-acd0-c6e5-bda4c93b330c", - "level": "medium", - "service": "appxdeployment-server", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - 
"title": "Deployment Of The AppX Package Was Blocked By The Policy" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-AppXDeploymentServer/Operational" - ], - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", - "event_ids": [ - "854" - ], - "id": "a3dbb89a-aebc-03c7-295b-ad18d5c7924b", - "level": "medium", - "service": "appxdeployment-server", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - "title": "Uncommon AppX Package Locations" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-AppXDeploymentServer/Operational" - ], - "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", - "event_ids": [ - "854" - ], - "id": "5bb0ef8b-3b9d-8a3c-30c2-0a787e54184a", - "level": "high", - "service": "appxdeployment-server", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - "title": "Suspicious AppX Package Locations" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-AppXDeploymentServer/Operational" - ], - "description": "Detects potential installation or installation attempts of known malicious appx packages", - "event_ids": [ - "400", - "401" - ], - "id": "8f46b318-b8a3-d268-911f-318d0b43c0f9", - "level": "medium", - "service": "appxdeployment-server", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - "title": "Potential Malicious AppX Package Installation Attempts" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.\n", - "event_ids": [ - "5136" - ], - "id": "6e3066ef-54e1-9d1b-5bc6-9ae6947ae271", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1484.001", - "T1484" - ], - "title": 
"Group Policy Abuse for Privilege Addition" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", - "event_ids": [ - "5145" - ], - "id": "426009da-814c-c1c0-cf41-6631c9ff6a8e", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1021.002", - "T1021" - ], - "title": "Suspicious PsExec Execution" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "This events that are generated when using the hacktool Ruler by Sensepost", - "event_ids": [ - "4624", - "4625", - "4776" - ], - "id": "8b40829b-4556-9bec-a8ad-905688497639", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "TA0002", - "TA0009", - "TA0008", - "T1087", - "T1114", - "T1059", - "T1550.002", - "T1550" - ], - "title": "Hacktool Ruler" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects write access requests to the Windows Defender exclusions registry keys. 
This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.\n", - "event_ids": [ - "4656", - "4663" - ], - "id": "777523b0-14f8-1ca2-12c9-d668153661ff", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Windows Defender Exclusion Registry Key - Write Access Requested" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects powershell script installed as a Service", - "event_ids": [ - "4697" - ], - "id": "8c3523c1-357b-5653-335a-9db3ecfcbc2a", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1569.002", - "T1569" - ], - "title": "PowerShell Scripts Installed as Services - Security" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", - "event_ids": [ - "4661" - ], - "id": "93c95eee-748a-e1db-18a5-f40035167086", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9220-69AE-11D9-BED3-505054503030", - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1087.002", - "T1087" - ], - "title": "AD Privileged Users or Groups Reconnaissance" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "event_ids": [ - "4697" - ], - "id": "e2755f38-e817-94c0-afef-acff29676b43", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1134.001", - 
"T1134.002", - "T1134" - ], - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", - "event_ids": [ - "5379" - ], - "id": "586bcb8e-f698-f372-54cf-ff08727352e7", - "level": "high", - "service": "security", - "subcategory_guids": [], - "tags": [ - "TA0011", - "TA0005", - "T1027", - "T1105", - "T1036" - ], - "title": "Password Protected ZIP File Opened (Suspicious Filenames)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", - "event_ids": [ - "4698" - ], - "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0004", - "TA0003", - "T1053.005", - "T1053" - ], - "title": "Suspicious Scheduled Task Creation" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", - "event_ids": [ - "5136" - ], - "id": "e92d7fea-4127-4b6c-a889-3f0b89f7b567", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1098" - ], - "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", - "event_ids": [ - "5379" - ], - "id": "77366099-d04a-214d-365c-c62c537df3ba", - "level": "high", - "service": "security", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0001", - "T1027", - "T1566.001", - "T1566" - ], - "title": "Password Protected ZIP File Opened (Email Attachment)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "event_ids": [ - "4697" - ], - "id": "660a0229-700e-8e43-40c7-fafe60c29491", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation CLIP+ Launcher - Security" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "event_ids": [ - "4663" - ], - "id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1528" - ], - "title": "Suspicious Teams Application Related ObjectAcess Event" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects modifications to the Windows Defender exclusion registry key. 
This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.\n", - "event_ids": [ - "4657" - ], - "id": "8948f034-2d45-47bc-c04b-14ab124247f3", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Windows Defender Exclusion List Modified" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects suspicious processes logging on with explicit credentials", - "event_ids": [ - "4648" - ], - "id": "250cf413-1d30-38fd-4b41-ae5a92452700", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1078", - "TA0008" - ], - "title": "Suspicious Remote Logon with Explicit Credentials" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", - "event_ids": [], - "id": "2875c85a-58eb-ca3b-80a3-4cdd8ffa41a8", - "level": "critical", - "service": "security", - "subcategory_guids": [], - "tags": [ - "cve.2021-42278", - "cve.2021-42287", - "TA0003", - "TA0004", - "T1078" - ], - "title": "Win Susp Computer Name Containing Samtheadmin" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects potential attempts made to set the Directory Services Restore Mode administrator password.\nThe Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.\nAttackers may change the password in order to obtain persistence.\n", - "event_ids": [ - "4794" - ], - "id": "4592ea29-1b0e-0cc3-7735-b7f264c0a5b8", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1098" - ], - "title": "Password Change on Directory Service Restore Mode (DSRM) Account" - 
}, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "event_ids": [ - "4697" - ], - "id": "3ae69c7e-e865-c0e2-05b7-553ab8979ac0", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation STDIN+ Launcher - Security" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "This rule will collect the data needed to start looking into possible kerberoasting activity.\nFurther analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.\nYou can then set a threshold for the number of requests and time between the requests to turn this into an alert.\n", - "event_ids": [ - "4769" - ], - "id": "4386b4e0-f268-42a6-b91d-e3bb768976d6", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1558.003", - "T1558" - ], - "title": "Kerberoasting Activity - Initial Query" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.\n", - "event_ids": [ - "5136", - "5145" - ], - "id": "bc613d09-5a80-cad3-6f65-c5020f960511", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1484.001", - "T1547", - "T1484" - ], - "title": "Startup/Logon Script Added to Group Policy Object" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob\nmatching the 
pattern \"1UWhRCAAAAA...BAAAA\". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,\ncommonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to\nattacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,.\nwhere adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.\nPlease investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.\n", - "event_ids": [ - "4662", - "5136", - "5137" - ], - "id": "19da3c91-0fcd-61d5-5b4f-bde550a79070", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030", - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1557.003", - "TA0003", - "TA0004", - "T1557" - ], - "title": "Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", - "event_ids": [ - "4656", - "4663" - ], - "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1012" - ], - "title": "SysKey Registry Keys Access" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the mount of an ISO image on an endpoint", - "event_ids": [ - "4663" - ], - "id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - 
"0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0001", - "T1566.001", - "T1566" - ], - "title": "ISO Image Mounted" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", - "event_ids": [ - "4768" - ], - "id": "cd01c787-aad1-bbed-5842-aa8e58410aad", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1187" - ], - "title": "PetitPotam Suspicious Kerberos TGT Request" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n",
- "event_ids": [
- "4656",
- "4663"
- ],
- "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE921D-69AE-11D9-BED3-505054503030",
- "0CCE921E-69AE-11D9-BED3-505054503030",
- "0CCE921F-69AE-11D9-BED3-505054503030",
- "0CCE9245-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1012"
- ],
- "title": "Azure AD Health Service Agents Registry Keys Access"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects Mimikatz DC sync security events",
- "event_ids": [
- "4662"
- ],
- "id": "daad2203-665f-294c-6d2f-f9272c3214f2",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE923B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "attack.s0002",
- "T1003.006",
- "T1003"
- ],
- "title": "Mimikatz DC Sync"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects access to ADMIN$ network share",
- "event_ids": [
- "5140"
- ],
- "id": "37b219bc-37bb-1261-f179-64307c1a1829",
- "level": "low",
- "service": "security",
- "subcategory_guids": [
- "0CCE9224-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1021.002",
- "T1021"
- ],
- "title": "Access To ADMIN$ Network Share"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects an installation of a device that is forbidden by the system policy",
- "event_ids": [
- "6423"
- ],
- "id": "53f7ff98-38dd-f02c-0658-1debbf8deddc",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9248-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0001",
- "T1200"
- ],
- "title": "Device Installation Blocked"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description":
"Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.\n", - "event_ids": [ - "4697" - ], - "id": "15284efb-90de-5675-59c5-433d34675e8e", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0010", - "T1048" - ], - "title": "Tap Driver Installation - Security" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", - "event_ids": [ - "4699", - "4701" - ], - "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0004", - "TA0003", - "T1053.005", - "T1053" - ], - "title": "Important Scheduled Task Deleted/Disabled" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detect PetitPotam coerced authentication activity.", - "event_ids": [ - "5145" - ], - "id": "bcc12e55-1578-5174-2a47-98a6211a1c6c", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1187" - ], - "title": "Possible PetitPotam Coerce Authentication Attempt" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the use of the spoolss named pipe over SMB. 
This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.",
- "event_ids": [
- "5145"
- ],
- "id": "d415c82b-814d-5cdc-c2f2-a138115b878e",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9244-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1021.002",
- "T1021"
- ],
- "title": "DCERPC SMB Spoolss Named Pipe"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes",
- "event_ids": [
- "5145"
- ],
- "id": "308a3356-4624-7c95-24df-cf5a02e5eb56",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9244-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1021.002",
- "T1021"
- ],
- "title": "First Time Seen Remote Named Pipe"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects non-system users performing privileged operation os the SCM database",
- "event_ids": [
- "4674"
- ],
- "id": "ec9c7ea2-54d7-3a55-caa8-4741f099505a",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9229-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "T1548"
- ],
- "title": "SCM Database Privileged Operation"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects Obfuscated Powershell via Stdin in Scripts",
- "event_ids": [
- "4697"
- ],
- "id": "b073cf4b-ed38-0a6f-38d3-50997892d7e7",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9211-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation Via Stdin - Security"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects DCShadow via create new SPN",
- "event_ids": [
- "4742",
- "5136"
- ],
- "id":
"c800ccd5-5818-b0f5-1a12-f9c8bc24a433", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030", - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "TA0005", - "T1207" - ], - "title": "Possible DC Shadow Attack" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", - "event_ids": [ - "4662" - ], - "id": "ec2275df-3a0a-933f-0573-490938cc47ef", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0004", - "T1546.003", - "T1546" - ], - "title": "WMI Persistence - Security" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.", - "event_ids": [ - "4768", - "4769", - "4771", - "675" - ], - "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030", - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1212" - ], - "title": "Kerberos Manipulation" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "event_ids": [ - "4697" - ], - "id": "826feb8b-536b-0302-0b4e-bd34cc5c4923", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Rule to detect the Hybrid Connection Manager service installation.", - "event_ids": [ - "4697" - ], - "id": "54f9b4d2-3f4a-675f-58d6-9995ae58f988", - "level": "high", - 
"service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1554" - ], - "title": "HybridConnectionManager Service Installation" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects scenarios where system auditing for important events such as \"Process Creation\" or \"Logon\" events is disabled.", - "event_ids": [ - "4719" - ], - "id": "5fa54162-0bc4-710e-5dec-7ccc99ee4d52", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE922F-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.002", - "T1562" - ], - "title": "Important Windows Event Auditing Disabled" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", - "event_ids": [ - "4662" - ], - "id": "c42c534d-16ae-877f-0722-6d6914090855", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.004", - "T1003" - ], - "title": "DPAPI Domain Backup Key Extraction" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "event_ids": [ - "4697" - ], - "id": "89d88072-7a24-8218-a044-0c071bf36bf6", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Via Use Rundll32 - Security" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects remote service activity via remote access to the svcctl named pipe", - "event_ids": [ - "5145" - ], - "id": "9a0e08fc-d50e-2539-9da0-f2b04439c414", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "TA0003", - 
"T1021.002", - "T1021" - ], - "title": "Remote Service Activity via SVCCTL Named Pipe" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity", - "event_ids": [ - "4732" - ], - "id": "6695d6a2-9365-ee87-ccdd-966b0e1cdbd4", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1078", - "TA0003", - "T1098" - ], - "title": "User Added to Local Administrator Group" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "event_ids": [ - "4697" - ], - "id": "fbc9679a-a1f8-33c7-5a85-c6e7a3c2363f", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation VAR+ Launcher - Security" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects external disk drives or plugged-in USB devices.", - "event_ids": [ - "6416" - ], - "id": "eab514f7-3f9b-a705-4d1d-8fee3d81c4b5", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE9248-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1091", - "T1200", - "TA0008", - "TA0001" - ], - "title": "External Disk Drive Or USB Storage Device Was Recognized By The System" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.\nAdversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.\n", - "event_ids": [ - "5157" - ], - "id": "764518e5-4160-b679-1946-cbd0e76705da", - "level": "high", - 
"service": "security", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562" - ], - "title": "Windows Filtering Platform Blocked Connection From EDR Agent Binary" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", - "event_ids": [ - "4898", - "4899" - ], - "id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9221-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0006" - ], - "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "event_ids": [ - "4697" - ], - "id": "df47c51b-2738-8866-a1d7-86b96fb5b5ca", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1543" - ], - "title": "Service Installed By Unusual Client - Security" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.", - "event_ids": [ - "4904", - "4905" - ], - "id": "00f253a0-1035-e450-7f6e-e2291dee27ec", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE922F-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.002", - "T1003" - ], - "title": "VSSAudit Security Event Source Registration" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. 
Apply this Sigma Use Case on your Windows server logs and not on your DC logs.\n",
- "event_ids": [
- "4720"
- ],
- "id": "5ecd226b-563f-4723-7a1e-d637d81f0a1f",
- "level": "low",
- "service": "security",
- "subcategory_guids": [
- "0CCE9235-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1136.001",
- "T1136"
- ],
- "title": "Local User Creation"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.\n",
- "event_ids": [
- "5156"
- ],
- "id": "1ee90f6c-2d09-5bcf-b8fd-06fe14f86746",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9226-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "TA0006",
- "T1558.003",
- "T1558"
- ],
- "title": "Uncommon Outbound Kerberos Connection - Security"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.",
- "event_ids": [
- "4662"
- ],
- "id": "5c8e2537-5c7f-56d8-de80-1f0746b61067",
- "level": "critical",
- "service": "security",
- "subcategory_guids": [
- "0CCE923B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003.006",
- "T1003"
- ],
- "title": "Active Directory Replication from Non Machine Account"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects service installation of different remote access tools software. 
These software are often abused by threat actors to perform",
- "event_ids": [
- "4697"
- ],
- "id": "85e291ec-b85b-2553-1aba-03c9ad116b61",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9211-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0002",
- "T1543.003",
- "T1569.002",
- "T1543",
- "T1569"
- ],
- "title": "Remote Access Tool Services Have Been Installed - Security"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.\n",
- "event_ids": [
- "4719"
- ],
- "id": "83d7b3c2-220e-60e8-4aad-98e206e841ba",
- "level": "low",
- "service": "security",
- "subcategory_guids": [
- "0CCE922F-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.002",
- "T1562"
- ],
- "title": "Windows Event Auditing Disabled"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Alerts on Metasploit host's authentications on the domain.",
- "event_ids": [
- "4624",
- "4625",
- "4776"
- ],
- "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030",
- "0CCE9217-69AE-11D9-BED3-505054503030",
- "0CCE923F-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1021.002",
- "T1021"
- ],
- "title": "Metasploit SMB 
Authentication" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Addition of domains is seldom and should be verified for legitimacy.", - "event_ids": [ - "4706" - ], - "id": "5a3e5a2f-bdf8-d6d0-f439-5543b54d5ba5", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9230-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1098" - ], - "title": "A New Trust Was Created To A Domain" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", - "event_ids": [ - "4697" - ], - "id": "566fa294-85f7-af27-80c7-753d9941729b", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "TA0006", - "T1040" - ], - "title": "Windows Pcap Drivers" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects \"read access\" requests on the services registry key.\nAdversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.\n", - "event_ids": [ - "4663" - ], - "id": "d1909400-93d7-de3c-ba13-153c64499c7c", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003", - "TA0004", - "T1574.011", - "T1574" - ], - "title": "Service Registry Key Read Access Request" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects service ticket requests using RC4 encryption type", - "event_ids": [ - "4769" - ], - "id": 
"2d20edf4-6141-35c5-e54f-3c578082d1d3", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1558.003", - "T1558" - ], - "title": "Suspicious Kerberos RC4 Ticket Encryption" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "event_ids": [ - "4697" - ], - "id": "3d2e9eef-8851-f3ed-49e1-53e350e277cb", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0004", - "TA0008", - "T1021.002", - "T1543.003", - "T1569.002", - "T1021", - "T1543", - "T1569" - ], - "title": "CobaltStrike Service Installations - Security" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.", - "event_ids": [ - "4741", - "4743" - ], - "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1207" - ], - "title": "Add or Remove Computer from DC" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC.\nThis may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.\n", - "event_ids": [ - "4768" - ], - "id": "15481d86-14a7-85e7-b1a2-ff2eab19060e", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": 
"Potential AS-REP Roasting via Kerberos TGT Requests" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", - "event_ids": [ - "4692" - ], - "id": "725b729a-b3ea-fb14-9cad-a4e944af8b5d", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE922D-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.004", - "T1003" - ], - "title": "DPAPI Domain Master Key Backup Attempt" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", - "event_ids": [ - "5145" - ], - "id": "192d9d70-11ad-70e5-9d6c-d32a1ec74857", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1547.009", - "T1547" - ], - "title": "Windows Network Access Suspicious desktop.ini Action" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", - "event_ids": [ - "5136", - "5145" - ], - "id": "01628b51-85e1-4088-9432-a11cba9f3ebd", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0008", - "T1053.005", - "T1053" - ], - "title": "Persistence and Execution at Scale via GPO Scheduled Task" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for 
available windows servers in the network.\n",
- "event_ids": [
- "4825"
- ],
- "id": "c0c9db9a-0a47-c9fd-13fd-965eadb10a6f",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [],
- "tags": [
- "TA0008",
- "T1021.001",
- "T1021"
- ],
- "title": "Denied Access To Remote Desktop"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.",
- "event_ids": [
- "4720"
- ],
- "id": "23013005-3d59-4dbe-dabd-d17a54e6c6cf",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9235-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1136.001",
- "T1136"
- ],
- "title": "Hidden Local User Creation"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts",
- "event_ids": [
- "4697"
- ],
- "id": "8ec23dfa-00a7-2b09-1756-678e941d69b2",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9211-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation Via Use Clip - Security"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.",
- "event_ids": [
- "5136"
- ],
- "id": "925d441a-37b4-0afa-1d98-809b5df5fd06",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE923C-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "T1001.003",
- "TA0011",
- "T1001"
- ],
- "title": "Suspicious LDAP-Attributes Used"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects process handle on LSASS process with certain access mask",
- "event_ids": [
- "4656",
- "4663"
- ],
- "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
-
"level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "car.2019-04-004", - "T1003.001", - "T1003" - ], - "title": "Potentially Suspicious AccessMask Requested From LSASS" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", - "event_ids": [ - "4649" - ], - "id": "167784ae-8d7f-ca00-e9d9-586a4c8469e8", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE921C-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1558" - ], - "title": "Replay Attack Detected" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations", - "event_ids": [ - "4634", - "4647" - ], - "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9216-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1531" - ], - "title": "User Logoff Event" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the creation of a user with the \"$\" character. 
This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.\n",
- "event_ids": [
- "4720",
- "4781"
- ],
- "id": "ec77919c-1169-6640-23e7-91c6f27ddc91",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9235-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1036"
- ],
- "title": "New or Renamed User Account with '$' Character"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of Impacket's psexec.py.",
- "event_ids": [
- "5145"
- ],
- "id": "24e370e0-b9f0-5851-0261-f984742ff2a1",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9244-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1021.002",
- "T1021"
- ],
- "title": "Impacket PsExec Execution"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects non-system users failing to get a handle of the SCM database.",
- "event_ids": [
- "4656"
- ],
- "id": "474caaa9-3115-c838-1509-59ffb6caecfc",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE921D-69AE-11D9-BED3-505054503030",
- "0CCE921E-69AE-11D9-BED3-505054503030",
- "0CCE921F-69AE-11D9-BED3-505054503030",
- "0CCE9245-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1010"
- ],
- "title": "SCM Database Handle Failure"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.",
- "event_ids": [
- "4673"
- ],
- "id": "cd93b6ed-961d-ed36-92db-bd44bccda695",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9228-69AE-11D9-BED3-505054503030",
- "0CCE9229-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "TA0004",
- "T1558.003",
- "T1558"
- ],
- "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.",
- "event_ids": [
- "4738"
- ],
- "id": "2ea71437-cb4d-5a41-2431-1773fce76de8",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9235-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Weak Encryption Enabled and Kerberoast"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution",
- "event_ids": [
- "1102",
- "517"
- ],
- "id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9",
- "level": "high",
- "service": "security",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1070.001",
- "car.2016-04-002",
- "T1070"
- ],
- "title": "Security Eventlog Cleared"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects update to a scheduled task event that contain suspicious keywords.",
- "event_ids": [
- "4702"
- ],
- "id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9226-69AE-11D9-BED3-505054503030",
- "0CCE9227-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0004",
- "TA0003",
- "T1053.005",
- "T1053"
- ],
- "title": "Suspicious Scheduled Task Update"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.",
- "event_ids": [
- "4657"
- ],
- "id": "107a403c-5a05-2568-95a7-a7329d714440",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE921E-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1112",
- "T1562"
- ],
- "title": "ETW Logging Disabled In .NET Processes - Registry"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects NetNTLM downgrade attack",
- "event_ids": [
- "4657"
- ],
- "id": "68f0908b-8434-9199-f0a3-350c27ac97c4",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE921E-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1112",
- "T1562"
- ],
- "title": "NetNTLM Downgrade Attack"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation",
- "event_ids": [
- "4697"
- ],
- "id": "1b037a84-214e-b58a-53ae-949542063f1f",
- "level":
"high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9211-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1021.002",
- "T1570",
- "TA0002",
- "T1569.002",
- "T1021",
- "T1569"
- ],
- "title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects Obfuscated Powershell via use MSHTA in Scripts",
- "event_ids": [
- "4697"
- ],
- "id": "3dc2d411-4f0e-6564-d243-8351afd3d375",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9211-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation Via Use MSHTA - Security"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address",
- "event_ids": [
- "5156"
- ],
- "id": "810804a5-98c3-7e56-e8ed-8a95d72ad829",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9226-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0011",
- "TA0008",
- "T1090.001",
- "T1090.002",
- "T1021.001",
- "car.2013-07-002",
- "T1021",
- "T1090"
- ],
- "title": "RDP over Reverse SSH Tunnel WFP"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.\n",
- "event_ids": [
- "5441",
- "5447"
- ],
- "id": "4d56e133-40b5-5b28-07b5-bab0913fc338",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9233-69AE-11D9-BED3-505054503030",
- "0CCE9234-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562"
- ],
- "title": "HackTool - EDRSilencer Execution - Filter Added"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects process handle on LSASS process with 
certain access mask and object type SAM_DOMAIN",
- "event_ids": [
- "4656"
- ],
- "id": "d81faa44-ff28-8f61-097b-92727b8af44b",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE921D-69AE-11D9-BED3-505054503030",
- "0CCE921E-69AE-11D9-BED3-505054503030",
- "0CCE921F-69AE-11D9-BED3-505054503030",
- "0CCE9245-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003.001",
- "T1003"
- ],
- "title": "Password Dumper Activity on LSASS"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects well-known credential dumping tools execution via service execution events",
- "event_ids": [
- "4697"
- ],
- "id": "633bd649-4b18-b5bd-d923-07caeccd1ee0",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9211-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "TA0002",
- "T1003.001",
- "T1003.002",
- "T1003.004",
- "T1003.005",
- "T1003.006",
- "T1569.002",
- "attack.s0005",
- "T1003",
- "T1569"
- ],
- "title": "Credential Dumping Tools Service Execution - Security"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Potential adversaries accessing the microphone and webcam in an endpoint.",
- "event_ids": [
- "4656",
- "4657",
- "4663"
- ],
- "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE921D-69AE-11D9-BED3-505054503030",
- "0CCE921E-69AE-11D9-BED3-505054503030",
- "0CCE921F-69AE-11D9-BED3-505054503030",
- "0CCE9245-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0009",
- "T1123"
- ],
- "title": "Processes Accessing the Microphone and Webcam"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers",
- "event_ids": [
- "5145"
- ],
- "id": "7695295d-281f-23ce-d52e-8336ebd47532",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9244-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1021.002",
- "T1021"
- ],
- "title": "Protected Storage Service Access"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detect AD credential dumping using impacket secretdump HKTL",
- "event_ids": [
- "5145"
- ],
- "id": "677980bc-7dcc-1f9a-e161-a7f310ec9652",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9244-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003.002",
- "T1003.004",
- "T1003.003",
- "T1003"
- ],
- "title": "Possible Impacket SecretDump Remote Activity"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects potential use of Rubeus via registered new trusted logon process",
- "event_ids": [
- "4611"
- ],
- "id": "a5498e1f-e40d-d8b1-bceb-5931f5169dbd",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9211-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "TA0004",
- "TA0006",
- "T1558.003",
- "T1558"
- ],
- "title": "Register new Logon Process by Rubeus"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects activity when a security-enabled global group is deleted",
- "event_ids": [
- "4730",
- "634"
- ],
- "id": "ae7d8d1c-f75b-d952-e84e-a7981b861590",
- "level": "low",
- "service": "security",
- "subcategory_guids": [
- "0CCE9237-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1098"
- ],
- "title": "A Security-Enabled Global Group Was Deleted"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC",
- "event_ids": [
- "4624"
- ],
- "id": "dd648614-9dd8-fab8-92d6-be7dfa1b393c",
- "level": "critical",
- 
"service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004"
- ],
- "title": "DiagTrackEoP Default Login Username"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.",
- "event_ids": [
- "4625"
- ],
- "id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030",
- "0CCE9217-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0001",
- "TA0003",
- "T1078",
- "T1190",
- "T1133"
- ],
- "title": "Failed Logon From Public IP"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects activity when a member is removed from a security-enabled global group",
- "event_ids": [
- "4729",
- "633"
- ],
- "id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c",
- "level": "low",
- "service": "security",
- "subcategory_guids": [
- "0CCE9237-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1098"
- ],
- "title": "A Member Was Removed From a Security-Enabled Global Group"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects successful logon attempts performed with WMI",
- "event_ids": [
- "4624"
- ],
- "id": "c310cab1-252e-1d98-6b6f-e6e60c88a374",
- "level": "low",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1047"
- ],
- "title": "Successful Account Login Via WMI"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "RDP login with localhost source address may be a tunnelled login",
- "event_ids": [
- "4624"
- ],
- "id": "b3f33f69-1331-d3d0-eb62-81f477abad86",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "car.2013-07-002",
- "T1021.001",
- 
"T1021"
- ],
- "title": "RDP Login from Localhost"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep",
- "event_ids": [
- "4625"
- ],
- "id": "232ecd79-c09d-1323-8e7e-14322b766855",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030",
- "0CCE9217-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1210",
- "car.2013-07-002"
- ],
- "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects potential token impersonation and theft. Example, when using \"DuplicateToken(Ex)\" and \"ImpersonateLoggedOnUser\" with the \"LOGON32_LOGON_NEW_CREDENTIALS flag\".",
- "event_ids": [
- "4624"
- ],
- "id": "e8c130a4-cf04-543d-919b-76947bde76b8",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0004",
- "T1134.001",
- "stp.4u",
- "T1134"
- ],
- "title": "Potential Access Token Abuse"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.",
- "event_ids": [
- "4624"
- ],
- "id": "20f4e87b-c272-42da-9a1f-ad54206e3622",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "attack.s0002",
- "T1550.002",
- "T1550"
- ],
- "title": "Successful Overpass the Hash Attempt"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects successful logon from public IP address via SMB. 
This can indicate a publicly-exposed SMB port.",
- "event_ids": [
- "4624"
- ],
- "id": "5c67a566-7829-eb05-4a1f-0eb292ef993f",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0001",
- "TA0006",
- "T1133",
- "T1078",
- "T1110"
- ],
- "title": "External Remote SMB Logon from Public IP"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects activity when a member is added to a security-enabled global group",
- "event_ids": [
- "4728",
- "632"
- ],
- "id": "26767093-828c-2f39-bdd8-d0439e87307c",
- "level": "low",
- "service": "security",
- "subcategory_guids": [
- "0CCE9237-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1098"
- ],
- "title": "A Member Was Added to a Security-Enabled Global Group"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects the attack technique pass the hash which is used to move laterally inside the network",
- "event_ids": [
- "4624"
- ],
- "id": "059e7255-411c-1666-a2e5-2e99e294e614",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1550.002",
- "T1550"
- ],
- "title": "Pass the Hash Activity 2"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.\nThis may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.\n",
- "event_ids": [
- "4624"
- ],
- "id": "96896e3a-28de-da11-c7fd-0040868e3a2f",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "TA0006",
- "T1548"
- ],
- "title": 
"Potential Privilege Escalation via Local Kerberos Relay over LDAP"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects logon events that specify new credentials",
- "event_ids": [
- "4624"
- ],
- "id": "897e25ba-f935-3fd3-c6d5-f9abf379e831",
- "level": "low",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0008",
- "T1550"
- ],
- "title": "Outgoing Logon with New Credentials"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.",
- "event_ids": [
- "4624"
- ],
- "id": "56a1bb6f-e039-3f65-3ea0-de425cefa8a7",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0001",
- "TA0006",
- "T1133",
- "T1078",
- "T1110"
- ],
- "title": "External Remote RDP Logon from Public IP"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detect remote login by Administrator user (depending on internal pattern).",
- "event_ids": [
- "4624"
- ],
- "id": "de5d0dd7-b73e-7f18-02b0-6b1acb7e9f52",
- "level": "low",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "TA0001",
- "T1078.001",
- "T1078.002",
- "T1078.003",
- "car.2016-04-005",
- "T1078"
- ],
- "title": "Admin User Remote Logon"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like",
- "event_ids": [
- "4624"
- ],
- "id": "a1f9fad3-d563-5f3f-de09-e4ca03b97522",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "TA0006",
- "T1557.001",
- "T1557"
- ],
- "title": "RottenPotato Like Attack Pattern"
- },
- {
- 
"category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.\n",
- "event_ids": [
- "5038",
- "6281"
- ],
- "id": "4f738466-2a14-5842-1eb3-481614770a49",
- "level": "informational",
- "service": "security",
- "subcategory_guids": [
- "0CCE9212-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027.001",
- "T1027"
- ],
- "title": "Failed Code Integrity Checks"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects WRITE_DAC access to a domain object",
- "event_ids": [
- "4662"
- ],
- "id": "09c08048-5eab-303f-dfe3-706a6052b6f9",
- "level": "critical",
- "service": "security",
- "subcategory_guids": [
- "0CCE923B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1222.001",
- "T1222"
- ],
- "title": "AD Object WriteDAC Access"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects known sensitive file extensions accessed on a network share",
- "event_ids": [
- "5145"
- ],
- "id": "4af39497-9655-9586-817d-94f0df38913f",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9244-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0009",
- "T1039"
- ],
- "title": "Suspicious Access to Sensitive File Extensions"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n",
- "event_ids": [
- "5447",
- "5449"
- ],
- "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9233-69AE-11D9-BED3-505054503030",
- "0CCE9234-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "T1134",
- "T1134.001"
- ],
- "title": "HackTool - NoFilter Execution"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- 
"description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).",
- "event_ids": [
- "5145"
- ],
- "id": "37f5d188-182d-7a53-dca7-4bebbb6ce43e",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9244-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "T1021.002",
- "T1021"
- ],
- "title": "SMB Create Remote File Admin Share"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references",
- "event_ids": [
- "4697"
- ],
- "id": "9ab29a5b-d66d-a41e-bdaf-8c718011875c",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9211-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027"
- ],
- "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects certificate creation with template allowing risk permission subject",
- "event_ids": [
- "4898",
- "4899"
- ],
- "id": "3a655a7c-a830-77ad-fc8b-f054fb713304",
- "level": "low",
- "service": "security",
- "subcategory_guids": [
- "0CCE9221-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "TA0006"
- ],
- "title": "ADCS Certificate Template Configuration Vulnerability"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.",
- "event_ids": [
- "4625",
- "4776"
- ],
- "id": "655eb351-553b-501f-186e-aa9af13ecf43",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9215-69AE-11D9-BED3-505054503030",
- "0CCE9217-69AE-11D9-BED3-505054503030",
- "0CCE923F-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0005",
- "TA0004",
- 
"TA0001",
- "T1078"
- ],
- "title": "Account Tampering - Suspicious Failed Logon Reasons"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects locked workstation session events that occur automatically after a standard period of inactivity.",
- "event_ids": [
- "4800"
- ],
- "id": "c4d03743-7286-15e4-d317-c86d1b5fdc09",
- "level": "informational",
- "service": "security",
- "subcategory_guids": [
- "0CCE921C-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0040"
- ],
- "title": "Locked Workstation"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION",
- "event_ids": [
- "4697"
- ],
- "id": "d0c8e98d-0746-a43c-9170-c04e7f7a3867",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9211-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.",
- "event_ids": [
- "4616"
- ],
- "id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0",
- "level": "low",
- "service": "security",
- "subcategory_guids": [
- "0CCE9210-69AE-11D9-BED3-505054503030",
- "69979849-797A-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1070.006",
- "T1070"
- ],
- "title": "Unauthorized System Time Modification"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.",
- "event_ids": [
- "5145"
- ],
- "id": "85e72fe3-83af-8ed9-39d3-2883e46059f1",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9244-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- 
"T1021.002",
- "T1021.003",
- "T1021"
- ],
- "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.",
- "event_ids": [
- "4704"
- ],
- "id": "eaafcd7e-3303-38d1-9cff-fcfbae177f4d",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9231-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1098"
- ],
- "title": "Enabled User Right in AD to Control User Objects"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.",
- "event_ids": [
- "4720"
- ],
- "id": "e5c627ea-fa27-df99-0573-e47092dc4a98",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9235-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1136.001",
- "T1136.002",
- "T1136"
- ],
- "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. 
So you have to work with a whitelist to find the bad stuff.\n",
- "event_ids": [
- "4673"
- ],
- "id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9228-69AE-11D9-BED3-505054503030",
- "0CCE9229-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it",
- "event_ids": [
- "4657",
- "4663"
- ],
- "id": "249d836c-8857-1b98-5d7b-050c2d34e275",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE921D-69AE-11D9-BED3-505054503030",
- "0CCE921E-69AE-11D9-BED3-505054503030",
- "0CCE921F-69AE-11D9-BED3-505054503030",
- "0CCE9245-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1112"
- ],
- "title": "Sysmon Channel Reference Deletion"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects read access to a domain user from a non-machine account",
- "event_ids": [
- "4662"
- ],
- "id": "fe814c5a-505f-a313-7d8c-030187c24e8e",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE923B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1087.002",
- "T1087"
- ],
- "title": "Potential AD User Enumeration From Non-Machine Account"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares",
- "event_ids": [
- "5145"
- ],
- "id": "73d3720b-e4f3-d7e1-2a3f-8ca0a5e1fc1b",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9244-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003.002",
- "T1003.001",
- "T1003.003",
- "T1003"
- ],
- "title": "Transferring Files with Credential Data via Network 
Shares"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects when the password policy is enumerated.",
- "event_ids": [
- "4661"
- ],
- "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9220-69AE-11D9-BED3-505054503030",
- "0CCE923B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1201"
- ],
- "title": "Password Policy Enumerated"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe",
- "event_ids": [
- "5145"
- ],
- "id": "93fd0f77-62da-26fb-3e96-71cde45a9680",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9244-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008",
- "TA0003",
- "car.2013-05-004",
- "car.2015-04-001",
- "T1053.002",
- "T1053"
- ],
- "title": "Remote Task Creation via ATSVC Named Pipe"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n",
- "event_ids": [
- "4656",
- "4663"
- ],
- "id": "321196fe-fb10-6b13-c611-3dfe40baa1af",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE921D-69AE-11D9-BED3-505054503030",
- "0CCE921E-69AE-11D9-BED3-505054503030",
- "0CCE921F-69AE-11D9-BED3-505054503030",
- "0CCE9245-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1012"
- ],
- "title": "Azure AD Health Monitoring Agent Registry Keys Access"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects potential mimikatz-like tools accessing LSASS from non system account",
- "event_ids": [
- "4656",
- 
"4663"
- ],
- "id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE921D-69AE-11D9-BED3-505054503030",
- "0CCE921E-69AE-11D9-BED3-505054503030",
- "0CCE921F-69AE-11D9-BED3-505054503030",
- "0CCE9245-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003.001",
- "T1003"
- ],
- "title": "LSASS Access From Non System Account"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.",
- "event_ids": [
- "4656",
- "4658",
- "4663"
- ],
- "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE921D-69AE-11D9-BED3-505054503030",
- "0CCE921E-69AE-11D9-BED3-505054503030",
- "0CCE921F-69AE-11D9-BED3-505054503030",
- "0CCE9223-69AE-11D9-BED3-505054503030",
- "0CCE9245-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0040",
- "TA0005",
- "T1070.004",
- "T1027.005",
- "T1485",
- "T1553.002",
- "attack.s0195",
- "T1070",
- "T1027",
- "T1553"
- ],
- "title": "Potential Secure Deletion with SDelete"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects possible addition of shadow credentials to an active directory object.",
- "event_ids": [
- "5136"
- ],
- "id": "8bcf1772-4335-28e1-e320-5ce48b15ae9f",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE923C-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1556"
- ],
- "title": "Possible Shadow Credentials Added"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"",
- "event_ids": [
- "4661"
- ],
- "id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9220-69AE-11D9-BED3-505054503030",
- "0CCE923B-69AE-11D9-BED3-505054503030"
- ],
- 
"tags": [
- "TA0007",
- "T1087.002",
- "T1069.002",
- "attack.s0039",
- "T1069",
- "T1087"
- ],
- "title": "Reconnaissance Activity"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986",
- "event_ids": [
- "5156"
- ],
- "id": "cc1d9970-7c17-d738-f5cb-8fb12f02d0fd",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9226-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Remote PowerShell Sessions Network Connections (WinRM)"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.",
- "event_ids": [
- "5145"
- ],
- "id": "f252afa3-fe83-562c-01c0-1334f55af84c",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9244-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1047",
- "TA0008",
- "T1021.002",
- "T1021"
- ],
- "title": "T1047 Wmiprvse Wbemcomn DLL Hijack"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host",
- "event_ids": [
- "4656",
- "4663"
- ],
- "id": "de10da38-ee60-f6a4-7d70-4d308558158b",
- "level": "critical",
- "service": "security",
- "subcategory_guids": [
- "0CCE921D-69AE-11D9-BED3-505054503030",
- "0CCE921E-69AE-11D9-BED3-505054503030",
- "0CCE921F-69AE-11D9-BED3-505054503030",
- "0CCE9245-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0006",
- "T1003",
- "attack.s0005"
- ],
- "title": "WCE wceaux.dll Access"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.",
- "event_ids": [
- "5379"
- ],
- "id": "7e1daab0-3263-403e-ec26-de48e3bf22c3",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027"
- ],
- "title": "Password Protected ZIP File Opened"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "An attacker can use the SID history attribute to gain additional privileges.",
- "event_ids": [
- "4738",
- "4765",
- "4766"
- ],
- "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad",
- "level": "medium",
- "service": "security",
- "subcategory_guids": [
- "0CCE9235-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0004",
- "T1134.005",
- "T1134"
- ],
- "title": "Addition of SID History to Active Directory Object"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER",
- "event_ids": [
- "4697"
- ],
- "id": "eb15263a-80e1-a789-18a9-ec45f9a6edfc",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9211-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.",
- "event_ids": [
- "4738",
- "5136"
- ],
- "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE9235-69AE-11D9-BED3-505054503030",
- "0CCE923C-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "T1098",
- "TA0003"
- ],
- "title": "Active Directory User Backdoors"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "Detects handles requested to SAM registry hive",
- "event_ids": [
- "4656"
- ],
- "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE921D-69AE-11D9-BED3-505054503030",
- "0CCE921E-69AE-11D9-BED3-505054503030",
- "0CCE921F-69AE-11D9-BED3-505054503030",
- "0CCE9245-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1012",
- "TA0006",
- "T1552.002",
- "T1552"
- ],
- "title": "SAM Registry Hive Handle Request"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-NTLM/Operational"
- ],
- "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.",
- "event_ids": [
- "8001"
- ],
- "id": "b416a5b9-a282-2826-bc58-8b8481d865f6",
- "level": "medium",
- "service": "ntlm",
- "subcategory_guids": [],
- "tags": [
- "TA0011",
- "T1219.002",
- "T1219"
- ],
- "title": "Potential Remote Desktop Connection to Non-Domain Host"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-NTLM/Operational"
- ],
- "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers",
- "event_ids": [
- "8002"
- ],
- "id": "c043d322-c767-faa8-92d4-381dcc35cab3",
- "level": "low",
- "service": "ntlm",
- "subcategory_guids": [],
- "tags": [
- "TA0008",
- "T1550.002",
- "T1550"
- ],
- "title": "NTLM Logon"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-NTLM/Operational"
- ],
- "description": "Detects common NTLM brute force device names",
- "event_ids": [
- "8004"
- ],
- "id": "b7a0fd59-bab8-fec2-28ad-548b2635d87f",
- "level": "medium",
- "service": "ntlm",
- "subcategory_guids": [],
- "tags": [
- "TA0006",
- "T1110"
- ],
- "title": "NTLM Brute Force"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
- ],
- "description": "Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.",
- "event_ids": [
- "1007"
- ],
- "id": "aec05047-d4cd-8eed-6c67-40b018f64c6e",
- "level": "medium",
- "service": 
"certificateservicesclient-lifecycle-system", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1649" - ], - "title": "Certificate Exported From Local Certificate Store" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-LSA/Operational" - ], - "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", - "event_ids": [ - "300" - ], - "id": "7536b3d3-6765-4433-9269-2d460cb10adf", - "level": "medium", - "service": "lsa-server", - "subcategory_guids": [], - "tags": [ - "TA0006", - "TA0004" - ], - "title": "Standard User In High Privileged Group" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Ryuk Ransomware command lines", - "event_ids": [ - "4688" - ], - "id": "7b159be0-8034-a6cb-dcb7-f6fbcf9b2680", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1204" - ], - "title": "Ryuk Ransomware Command Line Activity" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a whoami.exe executed by LOCAL SYSTEM. 
This may be a sign of a successful local privilege escalation.", - "event_ids": [ - "4688" - ], - "id": "9586750a-6351-1543-241d-6d76087e4b01", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0007", - "T1033" - ], - "title": "Run Whoami as SYSTEM" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process", - "event_ids": [ - "4657" - ], - "id": "9482abf0-5008-838f-0912-a85e0c7792a7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.012", - "T1546" - ], - "title": "SilentProcessExit Monitor Registration" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Credential Acquisition via Registry Hive Dumping", - "event_ids": [ - "4688" - ], - "id": "4973dea2-3985-affa-babc-f0c00821d2a1", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003" - ], - "title": "Credential Acquisition via Registry Hive Dumping" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. 
think tanks.", - "event_ids": [ - "4688" - ], - "id": "9f2a9424-8e85-d783-1735-f72375b3b6d8", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "attack.g0016", - "T1059.001", - "T1059" - ], - "title": "APT29" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely", - "event_ids": [ - "4688" - ], - "id": "b7e3098a-6c20-c6d3-df75-9b07536b3310", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003" - ], - "title": "Activity Related to NTDS.dit Domain Hash Retrieval" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", - "event_ids": [ - "4688" - ], - "id": "f7b13249-d828-2008-3a24-1364b5609ab5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "T1564.004", - "T1552.001", - "T1105", - "T1564", - "T1552" - ], - "title": "Abusing Findstr for Defense Evasion" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. 
This event should to be correlated with 4624 and 4688 for further intrusion context.", - "event_ids": [ - "4674" - ], - "id": "6683ccd7-da7a-b988-1683-7f7a1bf72bf6", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "TA0002", - "T1021", - "T1059" - ], - "title": "Lateral Movement Indicator ConDrv" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Excel called wmic to finally proxy execute regsvr32 with the payload.\nAn attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).\nBut we have command-line in the event which allow us to \"restore\" this suspicious parent-child chain and detect it.\nMonitor process creation with \"wmic process call create\" and LOLBins in command-line with parent Office application processes.\n", - "event_ids": [ - "4688" - ], - "id": "72d5e2d6-b55d-f6aa-2db3-4a5fd0d1dd98", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1204.002", - "T1047", - "T1218.010", - "TA0002", - "TA0005", - "T1218", - "T1204" - ], - "title": "Excel Proxy Executing Regsvr32 With Payload" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a PsExec service start", - "event_ids": [ - "4688" - ], - "id": "0dc4e02b-cd15-c6bf-f6ef-134ff49fa620", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "attack.s0029", - "T1569.002", - "T1569" - ], - "title": "PsExec Service Start" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects when attackers use \"sc.exe\" to delete AV services from the system in order to avoid detection", - "event_ids": [ - "4688" - ], - "id": "84bff3a1-2282-883e-eaff-6e74ffbf1e5f", - "level": "high", - "service": "", - "subcategory_guids": [ - 
"0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Suspicious Execution of Sc to Delete AV Services" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects potential powershell Base64 encoded Shellcode", - "event_ids": [ - "4688" - ], - "id": "2d9870fb-01d3-f66f-b058-9bd90d56418d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027" - ], - "title": "Potential PowerShell Base64 Encoded Shellcode" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects usage of \"xor\" or \"bxor\" in combination of a \"foreach\" loop. This pattern is often found in encoded powershell code and commands as a way to avoid detection", - "event_ids": [ - "4688" - ], - "id": "405d20b3-771f-a808-6794-c0aae7cf9cf6", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Potential Xor Encoded PowerShell Command" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a Windows service to be stopped", - "event_ids": [ - "4688" - ], - "id": "5e1aa8a2-0c7e-a580-4093-894302350358", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1489" - ], - "title": "Stop Windows Service" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects when a Windows Defender exclusion has been deleted. 
This could indicate an attacker trying to delete their tracks by removing the added exclusions\n", - "event_ids": [ - "4660" - ], - "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Windows Defender Exclusion Deleted" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Dnscat exfiltration tool execution", - "event_ids": [ - "4104" - ], - "id": "47d13687-edae-dafa-bdab-416474c95f53", - "level": "critical", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0010", - "T1048", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Dnscat Execution" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential COM object hijacking leveraging the COM Search Order", - "event_ids": [ - "4657" - ], - "id": "20f7b927-82bf-9d38-6573-0ed63831fdc5", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.015", - "T1546" - ], - "title": "Potential Persistence Via COM Search Order Hijacking" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "event_ids": [ - "4688" - ], - "id": "f378e980-dd67-4968-9df5-2ac09c718d4d", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1553.004", - "T1553" - ], - "title": "Root Certificate Installed" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "An adversary might use WMI to execute commands on a remote system", - 
"event_ids": [ - "4688" - ], - "id": "f58bcb01-a76b-cc94-f698-29be1afd376b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047" - ], - "title": "WMI Remote Command Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may abuse Visual Basic (VB) for execution", - "event_ids": [ - "4688" - ], - "id": "124493b3-4f31-c0bb-dbe9-97f0666635ba", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.005", - "T1059" - ], - "title": "Visual Basic Script Execution" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects CrackMapExecWin Activity as Described by NCSC", - "event_ids": [ - "4688" - ], - "id": "9fcbb5dc-f858-0445-bcf4-ade441a89dc3", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "attack.g0035", - "TA0006", - "TA0007", - "T1110", - "T1087" - ], - "title": "CrackMapExecWin" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Commandlet name for PrintNightmare exploitation.", - "event_ids": [ - "4104" - ], - "id": "5eb9df17-06bd-e2fe-8871-13bd6bd36406", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0004", - "T1548" - ], - "title": "PrintNightmare Powershell Exploitation" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code", - "event_ids": [ - "4688" - ], - "id": "540f0d7f-8d92-2c4b-ce07-2be23d582ede", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1140", - "TA0011", - 
"T1105", - "attack.s0160", - "attack.g0007", - "attack.g0010", - "attack.g0045", - "attack.g0049", - "attack.g0075", - "attack.g0096" - ], - "title": "Suspicious Certutil Command Usage" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", - "event_ids": [ - "4657" - ], - "id": "7c470022-ced9-05c4-b9fc-5aff8e5f4dce", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0003", - "T1112", - "T1053" - ], - "title": "Abusing Windows Telemetry For Persistence - Registry" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detect use of \"/R <\" to read and execute a file via cmd.exe", - "event_ids": [ - "4688" - ], - "id": "22061fc3-84a3-c190-7b04-d735915a8912", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.003", - "T1059" - ], - "title": "Read and Execute a File Via Cmd.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Excel called wmic to finally proxy execute regsvr32 with the payload.\nAn attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).\nBut we have command-line in the event which allow us to \"restore\" this suspicious parent-child chain and detect it.\nMonitor process creation with \"wmic process call create\" and LOLBins in command-line with parent Office application processes.\n", - "event_ids": [ - "4688" - ], - "id": "9b2384e8-4067-f192-274f-73d711fc193f", - "level": "high", - 
"service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1204.002", - "T1047", - "T1218.010", - "TA0002", - "TA0005", - "T1204", - "T1218" - ], - "title": "Excel Proxy Executing Regsvr32 With Payload Alternate" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "event_ids": [ - "4688" - ], - "id": "2b349adb-9984-0950-4917-0629c50ff73b", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation RUNDLL LAUNCHER" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", - "event_ids": [ - "4104" - ], - "id": "63c2d41b-b587-6c55-c256-9c0bb392f0a9", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1555.003", - "T1555" - ], - "title": "Accessing Encrypted Credentials from Google Chrome Login Database" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious ways to download files or content using PowerShell", - "event_ids": [ - "4688" - ], - "id": "0b1811c8-8c1e-c6bb-1af2-2fe3b42a6b56", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "TA0002", - "T1059.001", - "T1105", - "T1059" - ], - "title": "PowerShell Web Download" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious 
command line patterns used when rundll32 is used to run JavaScript code", - "event_ids": [ - "4688" - ], - "id": "8994ee03-9478-bde3-ab3d-3abafad0bfd1", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Rundll32 JS RunHTMLApplication Pattern" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects code execution via the Windows Update client (wuauclt)", - "event_ids": [ - "4688" - ], - "id": "a1901cc9-34ea-0ae3-68a7-07397e0d8338", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "TA0005", - "T1105", - "T1218" - ], - "title": "Windows Update Client LOLBIN" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "schtasks.exe create task from user AppData\\Local\\Temp", - "event_ids": [ - "4688" - ], - "id": "cb56735d-37c1-c9ff-010a-4f31ee20e531", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1053.005", - "T1053" - ], - "title": "Suspicious Add Scheduled Task From User AppData Temp" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", - "event_ids": [ - "4688" - ], - "id": "5ffab4e3-fa0b-4adc-c733-2754d5d2e20a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1204.002", - "T1047", - "T1218.010", - "TA0002", - "TA0005", - "T1204", - "T1218" - ], - "title": "Office Applications Spawning Wmi Cli Alternate" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a 
file system.\nAdversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n", - "event_ids": [ - "4104" - ], - "id": "113fcff8-c64d-8743-88b7-9ff2539cde7d", - "level": "low", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1083" - ], - "title": "Powershell File and Directory Discovery" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "event_ids": [ - "4688" - ], - "id": "62e3a364-8fcf-5d67-d080-27c37fade654", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "event_ids": [ - "4104" - ], - "id": "baee41a3-2063-6125-778e-0d9710474c06", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0040", - "T1490" - ], - "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets", - "event_ids": [ - "4688" - ], - "id": "a3b6ca34-23c2-eedd-8733-1294655ca76a", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.001", - "TA0005", - "T1027", - "T1059" - ], - "title": "Malicious Base64 Encoded Powershell Invoke Cmdlets" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound", - "event_ids": [ - "4104" - ], - "id": "74dda95a-b492-e2ee-4a33-b22a41a1cb57", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0007", - "T1482", - "T1087", - "T1087.001", - "T1087.002", - "T1069.001", - "T1069.002", - "T1069" - ], - "title": "AzureHound PowerShell Commands" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of executables that can be used to bypass Applocker whitelisting", - "event_ids": [ - "4688" - ], - "id": "6e17c2a5-a828-97d2-c2f4-223c82264f3c", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.004", - "T1218.009", - "T1127.001", - "T1218.005", - "T1218", - "T1127" - ], - "title": "Possible Applocker Bypass" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious command execution (cmd) via Windows 
Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", - "event_ids": [ - "4688" - ], - "id": "83f40f59-3ad9-6e41-f40d-b0c6cba08720", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047" - ], - "title": "Suspicious Cmd Execution via WMI" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.", - "event_ids": [ - "4688" - ], - "id": "0fce2028-5a0d-536d-eafa-a00a85f184be", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1204.002", - "T1047", - "T1218.010", - "TA0002", - "TA0005", - "T1204", - "T1218" - ], - "title": "New Lolbin Process by Office Applications" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution via MSSQL xp_cmdshell stored procedure. 
Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.", - "event_ids": [ - "4688" - ], - "id": "807db7b2-c1e5-520b-2e63-7b2c400be00d", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Execution via MSSQL Xp_cmdshell Stored Procedure" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects process start from rare or uncommon folders like temporary folder or folders that usually don't contain executable files", - "event_ids": [ - "4688" - ], - "id": "24e2ce91-6438-41b5-d23e-48e775ae72bd", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1204" - ], - "title": "Process Start From Suspicious Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Payloads may be compressed, archived, or encrypted in order to avoid detection", - "event_ids": [ - "4688" - ], - "id": "0557765a-6dad-b15a-5cf0-d92eef2b33ab", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0040", - "T1485" - ], - "title": "Run from a Zip File" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion", - "event_ids": [ - "4688" - ], - "id": "c4c78b6f-2ead-8d39-dc1b-9ab4e88fc5b6", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Suspicious Characters in CommandLine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects suspicious process related to rundll32 based on arguments", - "event_ids": [ - "4688" - ], - "id": 
"ae18b229-740e-17c7-63f2-b15422d6271e", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.011", - "T1218" - ], - "title": "Suspicious Rundll32 Script in CommandLine" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", - "event_ids": [ - "4688" - ], - "id": "f4ff3d8e-34aa-51f7-6a8e-5081ec934b65", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.002", - "T1003" - ], - "title": "Registry Dump of SAM Creds and Secrets" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", - "event_ids": [ - "4688" - ], - "id": "dc86094c-5f6f-895a-e92a-8b82229db6b7", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Suspicious File Download Using Office Application" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. 
(see references)", - "event_ids": [ - "4657" - ], - "id": "ea79a782-319f-b5bd-9293-cab2134f5c43", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Office Security Settings Changed" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", - "event_ids": [ - "4688" - ], - "id": "0bca1760-51b3-cdf0-9756-923f2be12c94", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1204.002", - "T1047", - "T1218.010", - "TA0002", - "TA0005", - "T1204", - "T1218" - ], - "title": "WMI Execution Via Office Process" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects a discovery of domain trusts.", - "event_ids": [ - "4688" - ], - "id": "d5dc5032-aa74-54e8-76e0-3d264adc2ea0", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0007", - "T1482" - ], - "title": "Domain Trust Discovery" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects various anomalies in relation to regsvr32.exe", - "event_ids": [ - "4688" - ], - "id": "1b8521f9-1e64-123d-b6f0-d133e0b6f34c", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.010", - "car.2019-04-002", - "car.2019-04-003", - "T1218" - ], - "title": "Regsvr32 Anomaly" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect modification for a specific user to prevent that user from being listed on the logon screen", - "event_ids": [ - "4657" - ], - "id": "1b78376c-c1d2-a830-93b1-5dee98965490", - "level": "high", - "service": "", - "subcategory_guids": [ - 
"0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.002", - "T1564" - ], - "title": "User Account Hidden By Registry" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a suspicious or unusual location.", - "event_ids": [ - "4657" - ], - "id": "79389718-9e14-e5e9-1cc7-2c027078bf22", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1546.015", - "T1546" - ], - "title": "Potential Persistence Via COM Hijacking From Suspicious Locations" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session", - "event_ids": [ - "4688" - ], - "id": "70824154-ca31-ca8f-0cc1-045e5d217a3a", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1564.004", - "T1564" - ], - "title": "Cmd Stream Redirection" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Checks for event id 1102 which indicates the security event log was cleared.", - "event_ids": [ - "1102" - ], - "id": "23f0b75b-66c0-4895-ae63-4243fa898109", - "level": "medium", - "service": "security", - "subcategory_guids": [], - "tags": [ - "T1070.001", - "T1070" - ], - "title": "Security Event Log Cleared" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", - "event_ids": [ - "16" - ], - "id": "f224a2b6-2db1-a1a2-42d4-25df0c460915", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1003.002", - "T1003" - ], - "title": "SAM Dump to AppData" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - 
"description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.", - "event_ids": [ - "4688" - ], - "id": "5f55c592-7555-3ca2-5d49-f1b7b74454ab", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059" - ], - "title": "Wscript Execution from Non C Drive" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "An adversary might use WMI to check if a certain Remote Service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", - "event_ids": [ - "4688" - ], - "id": "105c3740-9666-1fe5-4e4f-e9e8bdf29dc1", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1047" - ], - "title": "WMI Reconnaissance List Remote Services" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "event_ids": [ - "4688" - ], - "id": "300c09ba-ba6b-5fea-7022-567fa5593c41", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Via Use Rundll32" - }, - { - "category": "", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects suspicious PowerShell download command", - "event_ids": [], - "id": "12f93a4e-cd0e-18d7-6969-b345ecc8d40a", - "level": "medium", - "service": "powershell", - "subcategory_guids": [], - "tags": 
[ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Suspicious PowerShell Download" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", - "event_ids": [ - "4688" - ], - "id": "4d7489b1-282a-3c79-a3fe-e852cdea4515", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1036", - "T1003.001", - "T1003" - ], - "title": "Process Memory Dumped Via RdrLeakDiag.EXE" - }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "event_ids": [ - "4657" - ], - "id": "f9252ab9-0f85-c10d-fd51-576b83182926", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1112" - ], - "title": "Service Binary in Uncommon Folder" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", - "event_ids": [ - "4688" - ], - "id": "ec8ef858-1a44-a7b3-821d-a85f6cdaa1c9", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218.008", - "T1218" - ], - "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects different loaders as described in various threat reports on Lazarus group activity", - "event_ids": [ - "4688" - ], - "id": "c155c295-ca75-0671-80f9-2910740dabe7", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "attack.g0032", - "TA0002", - "T1059" - ], - "title": "Lazarus Loaders" - }, - { - "category": "registry_event", - "channel": 
[
- "sec"
- ],
- "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
- "event_ids": [
- "4657"
- ],
- "id": "b8939982-1774-1f45-f838-7bf9ac9be3c2",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE921E-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "T1547.001",
- "T1547"
- ],
- "title": "Autorun Keys Modification"
- },
- {
- "category": "",
- "channel": [
- "System"
- ],
- "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value",
- "event_ids": [
- "7045"
- ],
- "id": "22b90bac-a283-6153-761c-7b6059f8f250",
- "level": "high",
- "service": "system",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027"
- ],
- "title": "New Service Uses Double Ampersand in Path"
- },
- {
- "category": "network_connection",
- "channel": [
- "sec"
- ],
- "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)",
- "event_ids": [
- "5156"
- ],
- "id": "58a2d80c-c77b-324c-640d-c97cf5fcbefa",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE9226-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0008"
- ],
- "title": "Suspicious Epmap Connection"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Possible Squirrel Packages Manager as Lolbin",
- "event_ids": [
- "4688"
- ],
- "id": "6dd18e44-e4a2-1c08-3d0e-f4dc7e2fa9cc",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "TA0005",
- "T1218"
- ],
- "title": "Squirrel Lolbin"
- },
- {
- "category": "registry_set",
- "channel": [
- "sec"
- ],
- "description": "Disable Microsoft Office Security Features by registry",
- "event_ids": [
- "4657"
- ],
- "id": "d226853e-3dbf-ce71-60c1-5458858abbbc",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE921E-69AE-11D9-BED3-505054503030"
- ],
- 
"tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Disable Microsoft Office Security Features"
- },
- {
- "category": "registry_set",
- "channel": [
- "sec"
- ],
- "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",
- "event_ids": [
- "4657"
- ],
- "id": "6c44673b-8c80-9ce9-718d-46f34b17ffcc",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE921E-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.005",
- "T1059.007",
- "T1059"
- ],
- "title": "Adwind RAT / JRAT - Registry"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.",
- "event_ids": [
- "4688"
- ],
- "id": "c21b19ea-3369-9fab-3ca6-767d24c85595",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "attack.s0404",
- "T1218"
- ],
- "title": "Suspicious Esentutl Use"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module",
- "event_ids": [
- "4104"
- ],
- "id": "6587075c-6239-f6e1-4717-4b7972b1c086",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1216"
- ],
- "title": "Execution via CL_Invocation.ps1 - Powershell"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL.",
- "event_ids": [
- "4688"
- ],
- "id": "86c08df9-01b6-6556-09cc-9ac6feb774e8",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0002",
- "T1218"
- ],
- "title": "Monitoring Wuauclt.exe For Lolbas Execution 
Of DLL"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module",
- "event_ids": [
- "4104"
- ],
- "id": "f427b1c7-bbad-7bd6-bb0f-65b6170a3cb5",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1216"
- ],
- "title": "Execution via CL_Mutexverifiers.ps1"
- },
- {
- "category": "",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.",
- "event_ids": [],
- "id": "349e3bb4-b72b-193d-810e-7d9c145b863e",
- "level": "medium",
- "service": "powershell",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1218"
- ],
- "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execition of commands and binaries from the context of \"forfiles.exe\". 
This can be used as a LOLBIN in order to bypass application whitelisting.",
- "event_ids": [
- "4688"
- ],
- "id": "4bea8156-6003-3037-62a5-4be1429183b9",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1202"
- ],
- "title": "Indirect Command Exectuion via Forfiles"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects process injection using the signed Windows tool Mavinject32.exe",
- "event_ids": [
- "4688"
- ],
- "id": "1b8fce80-846c-a731-f21e-d6a2823fe38c",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "T1055.001",
- "T1218",
- "T1055"
- ],
- "title": "MavInject Process Injection"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.",
- "event_ids": [
- "4688"
- ],
- "id": "10aa2f9c-45d9-5c31-ffa2-06fc745b7e33",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1482"
- ],
- "title": "Trickbot Malware Reconnaissance Activity"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity",
- "event_ids": [
- "4688"
- ],
- "id": "528921e1-f356-7cca-49a4-c5e1402eb356",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "attack.g0032",
- "TA0002",
- "T1106"
- ],
- "title": "Lazarus Activity Apr21"
- },
- {
- "category": "",
- "channel": [
- "sec"
- ],
- "description": "The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent 
domain and the current user permissions.",
- "event_ids": [
- "4689"
- ],
- "id": "83c2f19e-f588-1826-fc7d-cf7f4db7031a",
- "level": "high",
- "service": "security",
- "subcategory_guids": [
- "0CCE922C-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0007",
- "T1482",
- "T1018",
- "T1016"
- ],
- "title": "Correct Execution of Nltest.exe"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects transferring files from system on a server bitstransfer Powershell cmdlets",
- "event_ids": [
- "4688"
- ],
- "id": "dc28bbe4-14ec-d765-8514-2ff2ff532e24",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0010",
- "TA0003",
- "T1197"
- ],
- "title": "Suspicious Bitstransfer via PowerShell"
- },
 {
 "category": "",
 "channel": [
 "Microsoft-Windows-Windows Defender/Operational"
 ],
- "description": "Detects disabling Windows Defender threat protection",
+ "description": "Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software",
 "event_ids": [
- "5001",
- "5010",
- "5012",
- "5101"
+ "5010"
 ],
- "id": "7424bd72-6b38-f5a1-7f25-4665452ec72b",
+ "id": "ac622fde-5d5a-e064-bfd2-55cbb5f1eacb",
 "level": "high",
 "service": "windefend",
 "subcategory_guids": [],
@@ -47676,2230 +51703,194 @@
 "T1562.001",
 "T1562"
 ],
- "title": "Windows Defender Threat Detection Disabled"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc",
- "event_ids": [
- "4688"
- ],
- "id": "13dc41d6-0489-5505-887a-c3bc11ddec90",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0010",
- "T1567.002",
- "T1567"
- ],
- "title": "RClone Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects creation of a new service.",
- "event_ids": [
- "4688"
- ],
- "id": "f3c0ce89-d7e4-b1be-b79d-265254701fe6",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0003",
- "TA0004",
- "T1543.003",
- "T1543"
- ],
- "title": "New Service Creation"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detecting DNS tunnel activity for Muddywater actor",
- "event_ids": [
- "4688"
- ],
- "id": "0f27e458-cb56-857e-1e9a-630975f5984a",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1071.004",
- "T1071"
- ],
- "title": "DNS Tunnel Technique from MuddyWater"
+ "title": "Windows Defender Malware And PUA Scanning Disabled"
 },
 {
 "category": "",
 "channel": [
- "sec"
+ "Microsoft-Windows-SmbClient/Security"
 ],
- "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \"Member is added to a Security Group\".\nEvent ID 4729 indicates a \"Member is removed from a Security enabled-group\".\nEvent ID 4730 indicates a \"Security Group is deleted\".\nThe case is not applicable 
for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n",
+ "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service",
 "event_ids": [
- "4728",
- "4729",
- "4730",
- "632",
- "633",
- "634"
+ "31017"
 ],
- "id": "506379d9-8545-c010-e9a3-693119ab9261",
- "level": "low",
- "service": "security",
- "subcategory_guids": [
- "0CCE9237-69AE-11D9-BED3-505054503030"
- ],
- "tags": [],
- "title": "Group Modification Logging"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect download by BITS jobs via PowerShell",
- "event_ids": [
- "4688"
- ],
- "id": "a6124306-bb3c-9e0e-a088-a4dee392c1ee",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "TA0003",
- "T1197"
- ],
- "title": "Suspicious Bitsadmin Job via PowerShell"
- },
- {
- "category": "",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects suspicious PowerShell invocation command parameters",
- "event_ids": [],
- "id": "3db961f4-6217-4957-b717-e5955c82d6e5",
- "level": "high",
- "service": "powershell",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Suspicious PowerShell Invocations - Specific"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "This rule tries to detect powershell download cradles, e.g. powershell . 
(nslookup -q=txt http://some.owned.domain.com)[-1]",
- "event_ids": [
- "4688"
- ],
- "id": "79c252ba-3759-a153-7242-9f3de6ec7ba4",
+ "id": "610c6a10-ca67-69c5-0f6d-761487fb3b37",
 "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0011",
- "T1105",
- "T1071.004",
- "T1071"
- ],
- "title": "Nslookup PwSh Download Cradle"
- },
- {
- "category": "registry_add",
- "channel": [
- "sec"
- ],
- "description": "A General detection to trigger for the creation or modification of .*\\Software\\Sysinternals\\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.",
- "event_ids": [
- "4657"
- ],
- "id": "a08aa16a-ae4f-9e1e-7a2d-3ad02f750ff0",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE921E-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1070.004",
- "T1070"
- ],
- "title": "Sysinternals SDelete Registry Keys"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects attempts to disable AMSI in the command line. 
It is possible to bypass AMSI by disabling it before loading the main payload.",
- "event_ids": [
- "4688"
- ],
- "id": "9ec2c364-89c8-b572-4a96-ddc786444ecf",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "TA0002",
- "T1562"
- ],
- "title": "PowerShell AMSI Bypass Pattern"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Hurricane Panda Activity",
- "event_ids": [
- "4688"
- ],
- "id": "6c99d057-c73c-6771-1c7f-a352debc5b84",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0004",
- "attack.g0009",
- "T1068"
- ],
- "title": "Hurricane Panda Activity"
- },
- {
- "category": "",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Detects suspicious PowerShell invocation command parameters",
- "event_ids": [],
- "id": "391b98f2-3f42-0d06-a295-18a2aa29d39a",
- "level": "high",
- "service": "powershell",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Suspicious PowerShell Invocations - Generic"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects diagcab leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in CVE-2022-30190",
- "event_ids": [
- "4688"
- ],
- "id": "5294a012-1f07-fe01-599b-94cf8adf630e",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1202"
- ],
- "title": "Execute MSDT.EXE Using Diagcab File"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services.\nAdversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service\n",
- 
"event_ids": [
- "4688"
- ],
- "id": "6ddd7376-3f18-f83d-1e75-58189e39abf1",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
- ],
- "title": "Stop Or Remove Antivirus Service"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects PsExec service execution via default service image name",
- "event_ids": [
- "4688"
- ],
- "id": "02e5fd82-2643-35a3-b104-51f4ef19c215",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1569.002",
- "attack.s0029",
- "T1569"
- ],
- "title": "PsExec Tool Execution"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects base64 encoded listing Win32_Shadowcopy",
- "event_ids": [
- "4688"
- ],
- "id": "13aab741-9ea4-27bf-57c1-aac004da4b9f",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059.001",
- "TA0005",
- "T1027",
- "T1059"
- ],
- "title": "Base64 Encoded Listing of Shadowcopy"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents",
- "event_ids": [
- "4688"
- ],
- "id": "0a67f769-527a-e79d-fa05-a4bbdcd6fcc4",
- "level": "critical",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "attack.g0092",
- "T1106"
- ],
- "title": "TA505 Dropper Load Pattern"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects Winword.exe loading a custom DLL using the /l flag",
- "event_ids": [
- "4688"
- ],
- "id": "af42e8c8-7702-f542-d278-68bf89a26251",
- "level": "medium",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- 
"TA0005",
- "T1202"
- ],
- "title": "Winword.exe Loads Suspicious DLL"
- },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).",
- "event_ids": [
- "4688"
- ],
- "id": "62997599-6864-08ee-302c-90c1649f5e1a",
- "level": "low",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1202"
- ],
- "title": "Indirect Command Execution"
- },
- {
- "category": "ps_module",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network",
- "event_ids": [
- "4103"
- ],
- "id": "65efb931-2d64-dea1-b559-544498a9b6f8",
- "level": "medium",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0011",
- "T1095"
- ],
- "title": "Netcat The Powershell Version - PowerShell Module"
- },
- {
- "category": "ps_script",
- "channel": [
- "pwsh",
- "pwsh"
- ],
- "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers",
- "event_ids": [
- "4104"
- ],
- "id": "830423bc-69e4-b19b-5474-414e4ab0c365",
- "level": "low",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "T1546"
- ],
- "title": "Suspicious Get-WmiObject"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-AppxPackaging/Operational"
- ],
- "description": "Detects execution of AppX packages with known suspicious or malicious signature",
- "event_ids": [
- "157"
- ],
- "id": "e6dd8206-87ca-b6e9-3c8f-9e097bfc4e31",
- "level": "medium",
- "service": "appxpackaging-om",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "TA0002"
- ],
- "title": "Suspicious Digital Signature Of AppX Package"
- },
- {
- "category": "",
- "channel": [
- "DNS Server"
- ],
- "description": "Detects 
when a DNS zone transfer failed.",
- "event_ids": [
- "6004"
- ],
- "id": "04768e11-3acf-895f-9193-daae77c4678f",
- "level": "medium",
- "service": "dns-server",
- "subcategory_guids": [],
- "tags": [
- "TA0043",
- "T1590.002",
- "T1590"
- ],
- "title": "Failed DNS Zone Transfer"
- },
- {
- "category": "",
- "channel": [
- "DNS Server"
- ],
- "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded",
- "event_ids": [
- "150",
- "770",
- "771"
- ],
- "id": "40077f9e-f597-1087-0c4f-8901d1a07af4",
- "level": "high",
- "service": "dns-server",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1574.001",
- "T1574"
- ],
- "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL"
- },
- {
- "category": "wmi_event",
- "channel": [
- "Microsoft-Windows-WMI-Activity/Operational"
- ],
- "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers",
- "event_ids": [
- "5861"
- ],
- "id": "93786e05-1808-f3b1-9841-7fee02fd7247",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1059.005",
- "T1059"
- ],
- "title": "Suspicious Scripting in a WMI Consumer"
- },
- {
- "category": "wmi_event",
- "channel": [
- "Microsoft-Windows-WMI-Activity/Operational"
- ],
- "description": "Detects suspicious encoded payloads in WMI Event Consumers",
- "event_ids": [
- "5861"
- ],
- "id": "f4e538d8-94a9-8ecc-779e-e03aa85aedb4",
- "level": "high",
- "service": "",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1047",
- "TA0003",
- "T1546.003",
- "T1546"
- ],
- "title": "Suspicious Encoded Scripts in a WMI Consumer"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-DNS Client Events/Operational"
- ],
- "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons",
- "event_ids": [
- "3008"
- ],
- "id": "f0b3a5e9-e4ee-ed23-3b27-4dd30c5974c8",
- "level": "critical",
- "service": 
"dns-client",
- "subcategory_guids": [],
- "tags": [
- "TA0011",
- "T1071.004",
- "T1071"
- ],
- "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-DNS Client Events/Operational"
- ],
- "description": "Detects DNS resolution of an .onion address related to Tor routing networks",
- "event_ids": [
- "3008"
- ],
- "id": "e1b0fd63-1017-1597-ec08-3f9e1021e564",
- "level": "high",
- "service": "dns-client",
- "subcategory_guids": [],
- "tags": [
- "TA0011",
- "T1090.003",
- "T1090"
- ],
- "title": "Query Tor Onion Address - DNS Client"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-DNS Client Events/Operational"
- ],
- "description": "Detects DNS queries to \"ufile.io\", which was seen abused by malware and threat actors as a method for data exfiltration",
- "event_ids": [
- "3008"
- ],
- "id": "ec3b018a-d4dd-2d51-4a63-50d078f737dd",
- "level": "low",
- "service": "dns-client",
- "subcategory_guids": [],
- "tags": [
- "TA0010",
- "T1567.002",
- "T1567"
- ],
- "title": "DNS Query To Ufile.io - DNS Client"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-DNS Client Events/Operational"
- ],
- "description": "Detects DNS queries for subdomains related to MEGA sharing website",
- "event_ids": [
- "3008"
- ],
- "id": "14b17417-8ae7-ff8e-fe36-28aaa337ccd5",
- "level": "medium",
- "service": "dns-client",
- "subcategory_guids": [],
- "tags": [
- "TA0010",
- "T1567.002",
- "T1567"
- ],
- "title": "DNS Query To MEGA Hosting Website - DNS Client"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-DNS Client Events/Operational"
- ],
- "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes",
- "event_ids": [
- "3008"
- ],
- "id": "2abf05fa-98f2-d00b-6a6a-12d07e55233e",
- "level": "high",
- "service": "dns-client",
- "subcategory_guids": [],
- "tags": [
- "TA0010",
- "T1567.002",
- "T1567"
- ],
- "title": "DNS Query for Anonfiles.com Domain - DNS Client"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-DNS Client Events/Operational"
- ],
- "description": "Detects DNS queries for subdomains related to \"Put.io\" sharing website.",
- "event_ids": [
- "3008"
- ],
- "id": "9b3ffe56-a479-9b35-d590-9b94c2f7fa35",
- "level": "medium",
- "service": "dns-client",
- "subcategory_guids": [],
- "tags": [
- "TA0011"
- ],
- "title": "DNS Query To Put.io - DNS Client"
- },
- {
- "category": "",
- "channel": [
- "MSExchange Management"
- ],
- "description": "Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory",
- "event_ids": [],
- "id": "469804e4-bb11-7cb1-96ce-f7687daa98a0",
- "level": "critical",
- "service": "msexchange-management",
- "subcategory_guids": [],
- "tags": [
- "T1587.001",
- "TA0042",
- "T1587"
- ],
- "title": "ProxyLogon MSExchange OabVirtualDirectory"
- },
- {
- "category": "",
- "channel": [
- "MSExchange Management"
- ],
- "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log",
- "event_ids": [],
- "id": "30eb1897-ab7e-5cc9-6f83-cd5abd8ee0dc",
- "level": "high",
- "service": "msexchange-management",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "T1505.003",
- "T1505"
- ],
- "title": "Exchange Set OabVirtualDirectory ExternalUrl Property"
- },
- {
- "category": "",
- "channel": [
- "MSExchange Management"
- ],
- "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit",
- "event_ids": [],
- "id": "47e67dfc-354a-0989-f6b1-f3f888a31278",
- "level": "high",
- "service": "msexchange-management",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1070"
- ],
- "title": "Remove Exported Mailbox from Exchange Webserver"
- },
- {
- "category": "",
- "channel": [
- "MSExchange Management"
- ],
- "description": 
"Detects the Installation of a Exchange Transport Agent",
- "event_ids": [],
- "id": "31aa27f1-7ac6-a316-2786-b13400c130f5",
- "level": "medium",
- "service": "msexchange-management",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "T1505.002",
- "T1505"
- ],
- "title": "MSExchange Transport Agent Installation - Builtin"
- },
- {
- "category": "",
- "channel": [
- "MSExchange Management"
- ],
- "description": "Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell",
- "event_ids": [],
- "id": "9c8f1614-f386-ea28-e870-75e3daf99adc",
- "level": "critical",
- "service": "msexchange-management",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "T1505.003",
- "T1505"
- ],
- "title": "Certificate Request Export to Exchange Webserver"
- },
- {
- "category": "",
- "channel": [
- "MSExchange Management"
- ],
- "description": "Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it",
- "event_ids": [],
- "id": "684f5f59-5de0-7d7a-e983-1e2758d383d6",
- "level": "critical",
- "service": "msexchange-management",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "T1505.003",
- "T1505"
- ],
- "title": "Mailbox Export to Exchange Webserver"
- },
- {
- "category": "",
- "channel": [
- "MSExchange Management"
- ],
- "description": "Detects a failed installation of a Exchange Transport Agent",
- "event_ids": [
- "6"
- ],
- "id": "29ec9279-2899-b0a0-0b41-6bf40cdda885",
- "level": "high",
- "service": "msexchange-management",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "T1505.002",
- "T1505"
- ],
- "title": "Failed MSExchange Transport Agent Installation"
- },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-CAPI2/Operational"
- ],
- "description": "Detects when an application acquires a certificate private key",
- "event_ids": [
- "70"
- ],
- "id": 
"dadaca47-d760-88a9-fd35-cbe8a6237499",
- "level": "medium",
- "service": "capi2",
+ "service": "smbclient-security",
 "subcategory_guids": [],
 "tags": [
 "TA0006",
- "T1649"
- ],
- "title": "Certificate Private Key Acquired"
- },
- {
- "category": "",
- "channel": [
- "System"
- ],
- "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n",
- "event_ids": [
- "16990",
- "16991"
- ],
- "id": "7ef3c84f-fc5f-e0e6-b94d-07dbb0c946eb",
- "level": "medium",
- "service": "system",
- "subcategory_guids": [],
- "tags": [
- "TA0006",
- "T1558.003",
- "T1558"
- ],
- "title": "Potential CVE-2021-42287 Exploitation Attempt"
- },
- {
- "category": "",
- "channel": [
- "System"
- ],
- "description": "Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.\nThis occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default).\nRegistry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.\n",
- "event_ids": [
- "16"
- ],
- "id": "625954f8-9cc1-bc90-d5bd-4d1d82849d37",
- "level": "high",
- "service": "system",
- "subcategory_guids": [],
- "tags": [
- "TA0006",
- "T1003.002",
- "T1003"
- ],
- "title": "Critical Hive In Suspicious Location Access Bits Cleared"
- },
- {
- "category": "",
- "channel": [
- "System"
- ],
- "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.",
- "event_ids": [
- "5723",
- "5805"
- ],
- "id": "4d943318-24e9-7318-6951-fdf8cb235652",
- "level": "critical",
- "service": "system",
- "subcategory_guids": [],
- "tags": [
- "T1210",
- "TA0008"
- ],
- "title": "Zerologon Exploitation Using Well-known Tools"
- },
- {
- "category": "",
- "channel": [
- "System"
- ],
- "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.",
- "event_ids": [
- "5829"
- ],
- "id": "a82f6b3b-324f-7234-9092-289117234d31",
- "level": "high",
- "service": "system",
- "subcategory_guids": [],
- "tags": [
- "TA0004",
- "T1548"
- ],
- "title": "Vulnerable Netlogon Secure Channel Connection Allowed"
- },
- {
- "category": "",
- "channel": [
- "System"
- ],
- "description": "Detects CSExec service installation and execution events",
- "event_ids": [
- "7045"
- ],
- "id": "efef064b-d350-a96b-fe1e-ef4cfe657066",
- "level": "medium",
- "service": "system",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1569.002",
- "T1569"
- ],
- "title": "CSExec Service Installation"
- },
- {
- "category": "",
- "channel": [
- "System"
- ],
- "description": "Detects Obfuscated Powershell via Stdin in Scripts",
- "event_ids": [
- "7045"
- ],
- "id": "8aef41c8-fc2b-f490-5a9b-a683fe107829",
- "level": "high",
- "service": "system",
- "subcategory_guids": [],
- "tags": [
- "TA0005",
- "T1027",
- "TA0002",
- "T1059.001",
- "T1059"
- ],
- "title": "Invoke-Obfuscation Via Stdin - System"
- },
- {
- "category": "",
- "channel": [
- "System"
- ],
- "description": "Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.\n",
- "event_ids": [
- "7045"
- ],
- "id": "4de4ea24-8c0c-75ed-78c3-bf620ec06fd5",
- "level": "medium",
- "service": "system",
- "subcategory_guids": [],
- "tags": [
- "TA0003",
- "TA0004",
- "car.2013-09-005",
- "T1543.003",
- "T1543"
- ],
- "title": "Uncommon Service Installation Image Path"
- },
- {
- "category": "",
- "channel": [
- "System"
- ],
- "description": "Detects a 
TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.",
- "event_ids": [
- "7045"
- ],
- "id": "a36af175-0d96-acc8-c2f7-f5bb57c974fe",
- "level": "medium",
- "service": "system",
- "subcategory_guids": [],
- "tags": [
- "TA0011",
- "T1219.002",
- "T1219"
- ],
- "title": "TacticalRMM Service Installation"
- },
- {
- "category": "",
- "channel": [
- "System"
- ],
- "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands",
- "event_ids": [
- "7045"
- ],
- "id": "e38955da-ce8e-7137-94e5-7890c0bab131",
- "level": "high",
- "service": "system",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "TA0004",
- "T1543.003",
- "T1569.002",
- "T1543",
- "T1569"
- ],
- "title": "Sliver C2 Default Service Installation"
- },
- {
- "category": "",
- "channel": [
- "System"
- ],
- "description": "Detects RemCom service installation and execution events",
- "event_ids": [
- "7045"
- ],
- "id": "1ae1cb63-2c82-d95d-a200-533f229715b2",
- "level": "medium",
- "service": "system",
- "subcategory_guids": [],
- "tags": [
- "TA0002",
- "T1569.002",
- "T1569"
- ],
- "title": "RemCom Service Installation"
- },
- {
- "category": "",
- "channel": [
- "System"
- ],
- "description": "Detects a Mesh Agent service installation. 
Mesh Agent is used to remotely manage computers", - "event_ids": [ - "7045" - ], - "id": "cd204548-409b-e025-4fde-4a8fb1fe5332", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0011", - "T1219.002", - "T1219" - ], - "title": "Mesh Agent Service Installation" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects important or interesting Windows services that got terminated unexpectedly.", - "event_ids": [ - "7034" - ], - "id": "d3c329c7-54bd-4896-cc7d-e04077eba081", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - "title": "Important Windows Service Terminated Unexpectedly" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "event_ids": [ - "7045" - ], - "id": "f1988b01-7f12-1851-58b5-8a4d63743183", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Via Use Rundll32 - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "event_ids": [ - "7045" - ], - "id": "7ca6e518-decb-de46-861e-5673c026b257", - "level": "critical", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003", - "TA0004", - "T1543.003", - "T1543" - ], - "title": "Moriya Rootkit - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "event_ids": [ - "7045" - ], - "id": "f5581097-47d5-fd2b-1a94-37dd36318706", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" - }, - { - "category": "", - 
"channel": [ - "System" - ], - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "event_ids": [ - "7045" - ], - "id": "af2b45c1-ed61-0866-791a-13ae39ff80c3", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027" - ], - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "event_ids": [ - "7045" - ], - "id": "686d9481-474f-2b85-7c51-e69967c1afcc", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects powershell script installed as a Service", - "event_ids": [ - "7045" - ], - "id": "be1b026a-db82-4f10-0739-68c60f1261c9", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1569.002", - "T1569" - ], - "title": "PowerShell Scripts Installed as Services" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "event_ids": [ - "7045" - ], - "id": "6623b0c3-f904-2d2e-9c24-4cbb81bf55aa", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)", - "event_ids": [ - "7045" - ], - "id": "8623dcbf-e828-afb3-eb29-42cade82b39a", - 
"level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0004", - "T1543" - ], - "title": "KrbRelayUp Service Installation" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects NetSupport Manager service installation on the target system.", - "event_ids": [ - "7045" - ], - "id": "ee415dc3-b7c0-9568-e6dd-878777ff237a", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003" - ], - "title": "NetSupport Manager Service Install" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects PAExec service installation", - "event_ids": [ - "7045" - ], - "id": "19b4e2a1-4499-8c65-e93a-5f675df202d8", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1569.002", - "T1569" - ], - "title": "PAExec Service Installation" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects service installation of different remote access tools software. 
These software are often abused by threat actors to perform", - "event_ids": [ - "7036", - "7045" - ], - "id": "cd1c0081-d0c8-369f-2ed1-dcc058b08b9c", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003", - "TA0002", - "T1543.003", - "T1569.002", - "T1543", - "T1569" - ], - "title": "Remote Access Tool Services Have Been Installed - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects Windows services that got terminated for whatever reason", - "event_ids": [ - "7023" - ], - "id": "c002ec31-f147-d591-b2f2-253774fd4248", - "level": "low", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - "title": "Windows Service Terminated With Error" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", - "event_ids": [ - "7045" - ], - "id": "8682ea60-89d6-e616-7cdd-410a05ed1611", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0004", - "T1543.003", - "T1543" - ], - "title": "New PDQDeploy Service - Server Side" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects service installation with suspicious folder patterns", - "event_ids": [ - "7045" - ], - "id": "1702910b-83b9-ce95-4ae8-2405c2e9faf7", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003", - "TA0004", - "car.2013-09-005", - "T1543.003", - "T1543" - ], - "title": "Service Installation with Suspicious Folder Pattern" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "event_ids": [ - "7045" - ], - "id": "e0aa759a-fa97-fb3b-1b02-82aa44f8c068", - "level": "high", - "service": "system", - 
"subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Via Use MSHTA - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "event_ids": [ - "7045" - ], - "id": "e92121bb-a1c1-5d5a-6abb-3a25fe37fb41", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation Via Use Clip - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects suspicious service installation commands", - "event_ids": [ - "7045" - ], - "id": "ebfad3e2-5025-b233-20ef-71fc2ada8fe7", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003", - "TA0004", - "car.2013-09-005", - "T1543.003", - "T1543" - ], - "title": "Suspicious Service Installation" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects when the \"Windows Defender Threat Protection\" service is disabled.", - "event_ids": [ - "7036" - ], - "id": "07c5c883-1da4-d066-f69b-6caadbd1d6f9", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.001", - "T1562" - ], - "title": "Windows Defender Threat Detection Service Disabled" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects service installation in suspicious folder appdata", - "event_ids": [ - "7045" - ], - "id": "60ddd708-71a3-e524-27b1-4cdeda02ce46", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003", - "TA0004", - "car.2013-09-005", - "T1543.003", - "T1543" - ], - "title": "Service Installation in Suspicious Folder" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", - "event_ids": [ - "7045" - ], - "id": "6cda0359-f921-911b-a724-cc2f00d661f8", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0010", - "T1048" - ], - "title": "Tap Driver Installation" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects well-known credential dumping tools execution via service execution events", - "event_ids": [ - "7045" - ], - "id": "81562732-3278-cd48-1db2-581bc7158b6e", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0006", - "TA0002", - "T1003.001", - "T1003.002", - "T1003.004", - "T1003.005", - "T1003.006", - "T1569.002", - "attack.s0005", - "T1003", - "T1569" - ], - "title": "Credential Dumping Tools Service Execution - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects PsExec service installation and execution events", - "event_ids": [ - "7045" - ], - "id": "cb7a40d5-f1de-9dd4-465d-eada7e316d8f", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1569.002", - "attack.s0029", - "T1569" - ], - "title": "PsExec Service Installation" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects Remote Utilities Host service installation on the target system.", - "event_ids": [ - "7045" - ], - "id": "97bd461f-b35e-a243-c697-06cc0539d7e3", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003" - ], - "title": "Remote Utilities Host Service Install" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "event_ids": [ - "7045" - ], - "id": "51ba8477-86a4-6ff0-35fa-7b7f1b1e3f83", - "level": "critical", - "service": "system", - "subcategory_guids": [], - "tags": [ - 
"TA0002", - "TA0004", - "TA0008", - "T1021.002", - "T1543.003", - "T1569.002", - "T1543", - "T1569", - "T1021" - ], - "title": "CobaltStrike Service Installations - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects installation or execution of services", - "event_ids": [ - "7036", - "7045" - ], - "id": "fde28f27-a4fa-d3a4-a714-0ef2dfacb36c", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1569.002", - "attack.s0029", - "T1569" - ], - "title": "HackTool Service Registration or Execution" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "event_ids": [ - "7045" - ], - "id": "19adbb05-25d8-44fe-3721-1590be735426", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation VAR+ Launcher - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects the installation of the anydesk software service. 
Which could be an indication of anydesk abuse if you the software isn't already used.", - "event_ids": [ - "7045" - ], - "id": "87d5cdc0-24c5-8411-1230-d717dd6a47e8", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003" - ], - "title": "Anydesk Remote Access Software Service Installation" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", - "event_ids": [ - "7045" - ], - "id": "9e870183-fbbc-e736-c380-d20bd74d7dbe", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0002", - "TA0004", - "T1543.003", - "T1569.002", - "T1543", - "T1569" - ], - "title": "ProcessHacker Privilege Elevation" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", - "event_ids": [ - "7045" - ], - "id": "c5b232f5-bd0a-c0ea-585f-c54fbe370580", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0004", - "T1543.003", - "T1543" - ], - "title": "New PDQDeploy Service - Client Side" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "event_ids": [ - "7045" - ], - "id": "9d5e9ea9-180b-0d92-6e5a-645275e94267", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation STDIN+ Launcher - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects the installation of RTCore service. 
Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", - "event_ids": [ - "7045" - ], - "id": "6218888e-3b1f-f6be-b9f8-9fd758caa380", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003" - ], - "title": "RTCore Suspicious Service Installation" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects the use of smbexec.py tool by detecting a specific service installation", - "event_ids": [ - "7045" - ], - "id": "384155f0-8906-ff64-5188-211c9a98274e", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0008", - "TA0002", - "T1021.002", - "T1569.002", - "T1569", - "T1021" - ], - "title": "smbexec.py Service Installation" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects important or interesting Windows services that got terminated for whatever reason", - "event_ids": [ - "7023" - ], - "id": "bf2272c8-bc92-d925-4fb6-aeb1fe9283aa", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005" - ], - "title": "Important Windows Service Terminated With Error" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "event_ids": [ - "7045" - ], - "id": "414e0fbd-67a8-17e4-371e-4f9f6a8799d0", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1027", - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Invoke-Obfuscation CLIP+ Launcher - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects suspicious service installation scripts", - "event_ids": [ - "7045" - ], - "id": "778c7f2b-32f5-e591-5c4a-01e47388475c", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003", - "TA0004", - "car.2013-09-005", - "T1543.003", - "T1543" - ], - "title": "Suspicious Service Installation Script" - }, - { 
- "category": "", - "channel": [ - "System" - ], - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "event_ids": [ - "7045" - ], - "id": "4639745f-a91a-d296-8935-4c694a97f938", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0004", - "T1134.001", - "T1134.002", - "T1134" - ], - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "event_ids": [ - "7045" - ], - "id": "97b97d4d-e03c-ace5-3215-fa2f51ec5fd5", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0004", - "T1543" - ], - "title": "Service Installed By Unusual Client - System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects the reporting of NTLMv1 being used between a client and server. 
NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.", - "event_ids": [ - "6038", - "6039" - ], - "id": "cb063566-b04b-c7e4-316b-c69075ed08f5", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0008", - "T1550.002", - "T1550" - ], - "title": "NTLMv1 Logon Between Client and Server" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", - "event_ids": [ - "50", - "56" - ], - "id": "19979e7a-7d1e-a8e3-2a9e-9b3ac0059fa7", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0008", - "T1210", - "car.2013-07-002" - ], - "title": "Potential RDP Exploit CVE-2019-0708" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", - "event_ids": [ - "55" - ], - "id": "73b6342c-c17a-d447-2fd3-119ed3cf61ca", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0040", - "T1499.001", - "T1499" - ], - "title": "NTFS Vulnerability Exploitation" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", - "event_ids": [ - "42" - ], - "id": "87515290-bf9f-09a4-af0e-bac22cb017f6", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0004" - ], - "title": "KDC RC4-HMAC Downgrade CVE-2022-37966" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)\nThis could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, 
CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.\nEvents where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.\n", - "event_ids": [ - "39", - "41" - ], - "id": "470e08fc-0b52-8769-10d3-5b5c1920327e", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0004" - ], - "title": "Certificate Use With No Strong Mapping" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.\nThis issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.\n", - "event_ids": [ - "16", - "27" - ], - "id": "e10c99fe-7559-5ae3-9c5c-9fd0a70bd4a6", - "level": "low", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1558.003", - "T1558" - ], - "title": "No Suitable Encryption Key Found For Generating Kerberos Ticket" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", - "event_ids": [ - "104" - ], - "id": "30966a3a-2224-0e1a-d28d-c0f7e84cfed3", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1070.001", - "car.2016-04-002", - "T1070" - ], - "title": "Important Windows Eventlog Cleared" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", - "event_ids": [ - "104" - ], - "id": "8617b59c-812e-c88e-0bd4-5267e0e825f0", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1070.001", - "car.2016-04-002", - "T1070" - ], - "title": "Eventlog Cleared" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects \"BugCheck\" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.", - "event_ids": [ - "1001" - ], - "id": "d4ccca35-9fd6-1ed8-f5d5-84f755404fdd", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0006", - "TA0009", - "T1003.002", - "T1005", - "T1003" - ], - "title": "Crash Dump Created By Operating System" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", - "event_ids": [ - "10001" - ], - "id": "cd12f5c0-9798-3928-58bf-34b2816ea898", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0002", - "TA0006", - "T1557.001", - "T1557" - ], - "title": "Local Privilege Escalation Indicator TabTip" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects denied requests by Active Directory Certificate Services.\nExample of these requests denial include issues with permissions on the certificate template or invalid signatures.\n", - "event_ids": [ - "53" - ], - "id": "817138f1-cfd3-c653-7392-a3c61051a8d3", - "level": "low", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0006", - "TA0005", - "T1553.004", - "T1553" - ], - "title": "Active Directory Certificate Services Denied Certificate Enrollment Request" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects Windows update errors including installation failures and connection issues. 
Defenders should observe this in case critical update KBs aren't installed.\n", - "event_ids": [ - "16", - "20", - "213", - "217", - "24" - ], - "id": "8f9f7490-f99e-ff64-4b60-ac3f06a2262b", - "level": "informational", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0040", - "TA0042", - "T1584" - ], - "title": "Windows Update Error" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects application popup reporting a failure of the Sysmon service", - "event_ids": [ - "26" - ], - "id": "e064a7a6-e709-1464-34e4-626106c91d98", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562" - ], - "title": "Sysmon Application Crashed" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects volume shadow copy mount via Windows event log", - "event_ids": [ - "98" - ], - "id": "15b42b84-becb-a48c-8971-28895065fbd3", - "level": "low", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1003.002", - "T1003" - ], - "title": "Volume Shadow Copy Mount" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", - "event_ids": [ - "1031", - "1032", - "1034" - ], - "id": "a6878a7f-9fcd-9b29-ba67-ca05b11dc4aa", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1574.001", - "T1574" - ], - "title": "DHCP Server Error Failed Loading the CallOut DLL" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", - "event_ids": [ - "1033" - ], - "id": "87ade82b-7e03-f378-c163-59adb06640ae", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1574.001", - "T1574" - ], - "title": "DHCP Server Loaded the CallOut DLL" - }, - { - 
"category": "", - "channel": [ - "Application" - ], - "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. Viewed on 2008 Server", - "event_ids": [ - "1511" - ], - "id": "17e91768-3a0f-6d5f-bc0d-7f2d22391909", - "level": "low", - "service": "application", - "subcategory_guids": [], - "tags": [ - "TA0002" - ], - "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.", - "event_ids": [ - "4771" - ], - "id": "32ce2d24-3d1c-2f81-cddb-d64b33fe9247", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1110.003", - "TA0001", - "TA0004", + "T1110.001", "T1110" ], - "title": "Valid Users Failing to Authenticate From Single Source Using Kerberos" + "title": "Suspicious Rejected SMB Guest Logon From IP" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", + "event_ids": [ + "4672", + "4964" + ], + "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1", + "level": "low", + "service": "security", + "subcategory_guids": [ + "0CCE921B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0008", + "TA0006", + "T1558", + "T1649", + "T1550" + ], + "title": "User with Privileges Logon" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Remote registry management using REG utility from non-admin workstation", + "event_ids": [ + "5145" + ], + "id": "e9f405d3-e7ea-9adf-2f31-9ab2a7a90f5a", + 
"level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "TA0005", + "TA0007", + "attack.s0075", + "T1012", + "T1112", + "T1552.002", + "T1552" + ], + "title": "Remote Registry Management Using Reg Utility" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects interactive console logons to Server Systems", + "event_ids": [ + "4624", + "4625", + "528", + "529" + ], + "id": "7298c707-7564-3229-7c76-ec514847d8c2", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1078" + ], + "title": "Interactive Logon to Server Systems" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", + "event_ids": [ + "4624", + "4625" + ], + "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1550.002", + "car.2016-04-004", + "T1550" + ], + "title": "Potential Pass the Hash Activity" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)", + "event_ids": [ + "4742" + ], + "id": "7d4b25c3-0cef-1638-1d47-bb18acda0e6c", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9236-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1068", + "cve.2020-1472" + ], + "title": "Potential Zerologon (CVE-2020-1472) Exploitation" }, { "category": "process_creation", "channel": [ "sec" ], - "description": "The PowerShell implementation of DNSCat2 calls nslookup to craft queries. 
Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.", + "description": "Detects suspicious enumeration of the domain the user is associated with.", "event_ids": [ "4688" ], - "id": "d5482c32-a04b-a0a2-4262-064908b098a3", - "level": "high", + "id": "a0611cee-4fe8-b36f-b9a7-8c31f5d9977b", + "level": "low", "service": "", "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0011", - "T1071", - "T1071.004", - "T1001.003", - "T1041", - "T1001" + "TA0007", + "T1016" ], - "title": "DNSCat2 Powershell Implementation Detection Via Process Creation" + "title": "Userdomain Variable Enumeration" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects an RDP connection originating from a domain controller.", + "event_ids": [ + "5156" + ], + "id": "8b0f1458-5a23-5950-ebc7-f8d7a562dc06", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1021" + ], + "title": "New RDP Connection Initiated From Domain Controller" }, { "category": "", 
@@ -49925,94 +51916,27 @@ ], "title": "Failed Logins with Different Accounts from Single Source System" }, - { - "category": "", - "channel": [ - "Microsoft-Windows-SmbClient/Security" - ], - "description": "Detects repeated failed (outgoing) attempts to mount a hidden share", - "event_ids": [ - "31010" - ], - "id": "624e39e1-5bc5-13fe-0b2d-5d988a416f24", - "level": "medium", - "service": "smbclient-security", - "subcategory_guids": [], - "tags": [ - "T1021.002", - "TA0008", - "T1021" - ], - "title": "Failed Mounting of Hidden Share" - }, { "category": "", "channel": [ "sec" ], - "description": "Detects a source system failing to authenticate against a remote host with multiple users.", + "description": "Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.", "event_ids": [ - "4625" + "5156" ], - "id": "30e70d43-6368-123c-a3c8-d23309a3ff97", + "id": "ffaf246b-f54a-05ba-d9b0-fba6626c7822", "level": "medium", "service": "security", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "T1110.003", - "TA0001", - "TA0004", - "T1110" + "TA0007", + "T1087.002", + "T1087" ], - "title": "Multiple Users Remotely Failing To Authenticate From Single Source" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.", - "event_ids": [ - "4776" - ], - "id": "bbd02091-a432-94b3-8041-9f776b681fc2", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1110.003", - "TA0001", - "TA0004", - "T1110" - ], - "title": "Invalid Users Failing To Authenticate From Single Source Using NTLM" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects 
suspicious failed logins with different user accounts from a single source system", - "event_ids": [ - "4776" - ], - "id": "203aaec0-5613-4fdc-42b3-a021d6f853dc", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0004", - "T1078" - ], - "title": "Failed NTLM Logins with Different Accounts from Single Source System" + "title": "Enumeration via the Global Catalog" }, { "category": "", @@ -50042,6 +51966,29 @@ ], "title": "Remote Schtasks Creation" }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects a single user failing to authenticate to multiple users using explicit credentials.", + "event_ids": [ + "4648" + ], + "id": "27124590-ab3f-79b8-7dfa-b82820dbb1cc", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1110.003", + "TA0001", + "TA0004", + "T1110" + ], + "title": "Password Spraying via Explicit Credentials" + }, { "category": "process_creation", "channel": [ 
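Review bot: The new `Enumeration via the Global Catalog` entry (id ffaf246b-…) ends its description with "Adjust Threshold according to domain width", but the entry carries no threshold or count field — the record shape here is only channel, event_ids, level, service, subcategory_guids and tags — so a reader of this config has nothing to adjust. Either the threshold belongs in the record as a field, or the description should say where it is configured; while there, `others AD reconnaissance tools` should read `other AD reconnaissance tools`. Separately, this hunk drops the 4625- and 4776-based spraying rules (`Multiple Users Remotely Failing To Authenticate From Single Source`, `Invalid Users Failing To Authenticate From Single Source Using NTLM`, `Failed NTLM Logins with Different Accounts from Single Source System`); unlike `Failed Mounting of Hidden Share`, which reappears in the later hunk, they are not re-added anywhere in this view, so confirm they come back elsewhere in the regenerated file or that losing NTLM password-spraying coverage is intended.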
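Review bot: `Password Spraying via Explicit Credentials` describes itself as detecting a user "failing to authenticate", but the entry lists only event 4648, which as far as I know records that a logon with explicit credentials was attempted and does not carry the outcome, so on its own it cannot separate failed attempts from successful ones. Either reword the description to `Detects a single user attempting to authenticate to multiple users using explicit credentials.` or extend `event_ids` to pair 4648 with the 4625 failure events, as the 4624/4625 entries in the earlier hunk already do under the same 0CCE9215 subcategory. The `medium` level and T1110.003 tagging match the sibling spraying rules and look consistent.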
@@ -50068,60 +52015,107 @@ { "category": "", "channel": [ - "sec" + "System" ], - "description": "Search for accessing of fake files with stored credentials", + "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", "event_ids": [ - "4663" - ], - "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "7045" ], + "id": "a5f841a8-5dcb-5ee4-73ea-5331859bf763", + "level": "critical", + "service": "system", + "subcategory_guids": [], "tags": [ - "TA0006", - "T1555" + "TA0003", + "TA0004", + "T1003", + "T1035", + "T1050", + "car.2013-09-005", + "T1543.003", + "T1569.002", + "T1543", + "T1569" ], - "title": "Stored Credentials in Fake Files" + "title": "Malicious Service Installations" }, { "category": "", "channel": [ - "sec" + "Microsoft-Windows-SmbClient/Security" ], - "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.", + "description": "Detects repeated failed (outgoing) attempts to mount a hidden share", "event_ids": [ - "4768" + "31010" ], - "id": "74eaa0ee-05a7-86a5-a7a8-076952aa764d", + "id": "624e39e1-5bc5-13fe-0b2d-5d988a416f24", "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], + "service": "smbclient-security", + "subcategory_guids": [], "tags": [ - "T1110.003", - "TA0001", - "TA0004", - "T1110" + "T1021.002", + "TA0008", + "T1021" ], - "title": "Invalid Users Failing To Authenticate From Source Using Kerberos" + "title": "Failed Mounting of Hidden Share" }, { "category": "process_creation", "channel": [ "sec" ], - "description": "Detection of child processes spawned with SYSTEM 
privileges by parents with non-SYSTEM privileges and Medium integrity level", + "description": "The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.", "event_ids": [ "4688" ], - "id": "d85240fc-d5ad-8061-a795-9eaea580fbf0", + "id": "d5482c32-a04b-a0a2-4262-064908b098a3", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1071", + "T1071.004", + "T1001.003", + "T1041", + "T1001" + ], + "title": "DNSCat2 Powershell Implementation Detection Via Process Creation" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects multiple suspicious process in a limited timeframe", + "event_ids": [ + "4688" + ], + "id": "53facd0f-d88d-bab7-469e-a36211463245", + "level": "low", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "car.2013-04-002", + "TA0002", + "T1059" + ], + "title": "Quick Execution of a Series of Suspicious Commands" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "This rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes", + "event_ids": [ + "4688" + ], + "id": "ca51d442-0a18-77d6-66b8-6f72ef1dc3bd", "level": "high", "service": "", "subcategory_guids": [ 
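Review bot: The Malicious Service Installations tag list carries the retired ATT&CK ids `"T1035"` and `"T1050"` alongside the techniques that replaced them, `"T1569.002"` and `"T1543.003"`, so a consumer that resolves tags against the current framework will either drop them silently or map them inconsistently with the rest of the file. Dropping the two retired ids from the list is the cleanest fix; if the generator copies tags verbatim from the upstream rule, a small retired-id map applied at generation time would keep this from recurring. The Metasploit/Impacket PsExec record added in the next hunk for the same 7045 event carries no retired ids, so as far as the visible hunks show the inconsistency is confined to this record.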
@@ -50129,9 +52123,34 @@ ], "tags": [ "TA0004", - "T1068" + "T1548.002", + "T1548" ], - "title": "Windows Kernel and 3rd-Party Drivers Exploits Token Stealing" + "title": "MSI Spawned Cmd and Powershell Spawned Processes" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "event_ids": [ + "7045" + ], + "id": "c953a767-8b94-df03-dd53-611baad380fd", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0008", + "T1021.002", + "T1570", + "TA0002", + "T1569.002", + "T1569", + "T1021" + ], + "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, { "category": "", @@ -50164,15 +52183,15 @@ "channel": [ "sec" ], - "description": "Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.", + "description": "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.", "event_ids": [ - "4776" + "4771" ], - "id": "ddbbe639-21f9-7b39-ae7d-821e490d6130", + "id": "32ce2d24-3d1c-2f81-cddb-d64b33fe9247", "level": "medium", "service": "security", "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030" + "0CCE9242-69AE-11D9-BED3-505054503030" ], "tags": [ "T1110.003", 
@@ -50180,56 +52199,75 @@ "TA0004", "T1110" ], - "title": "Valid Users Failing to Authenticate from Single Source Using NTLM" + "title": "Valid Users Failing to Authenticate From Single Source Using Kerberos" }, { "category": "", "channel": [ - "System" + "Microsoft-Windows-TaskScheduler/Operational" ], - "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services", + "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.", "event_ids": [ - "7045" + "106" ], - "id": "e9acc9e9-8b91-7859-2d0c-446a2c40b937", + "id": "696cf23d-d3f2-0a4d-6aff-b162d692a778", "level": "low", - "service": "system", + "service": "taskscheduler", "subcategory_guids": [], "tags": [ "TA0003", - "TA0004", - "car.2013-09-005", - "T1543.003", - "T1543" + "attack.s0111", + "T1053.005", + "T1053" ], - "title": "Rare Service Installations" + "title": "Rare Scheduled Task Creations" }, { "category": "", "channel": [ - "System" + "sec" ], - "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", + "description": "Detects failed logins with multiple accounts from a single process on the system.", "event_ids": [ - "7045" + "4625" + ], + "id": "84202b5b-54c1-473b-4568-e10da23b3eb8", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], - "id": "a5f841a8-5dcb-5ee4-73ea-5331859bf763", - "level": "critical", - "service": "system", - "subcategory_guids": [], "tags": [ - "TA0003", + "T1110.003", + "TA0001", "TA0004", - "T1003", - "T1035", - "T1050", - "car.2013-09-005", - "T1543.003", - "T1569.002", - "T1569", - "T1543" + "T1110" ], - 
"title": "Malicious Service Installations" + "title": "Multiple Users Failing to Authenticate from Single Process" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.", + "event_ids": [ + "4768" + ], + "id": "c6c2c3e3-44ee-516c-9e48-63b304511787", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9242-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1110.003", + "TA0001", + "TA0004", + "T1110" + ], + "title": "Disabled Users Failing To Authenticate From Source Using Kerberos" }, { "category": "", @@ -50255,26 +52293,6 @@ ], "title": "Suspicious Multiple File Rename Or Delete Occurred" }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "event_ids": [ - "4104" - ], - "id": "13cf4134-564b-abdb-c83e-dac3ba9bac3c", - "level": "high", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1216" - ], - "title": "Execution via CL_Invocation.ps1 (2 Lines)" - }, { "category": "ps_script", "channel": [ 
@@ -50300,11 +52318,100 @@ "channel": [ "sec" ], - "description": "Detects failed logins with multiple accounts from a single process on the system.", + "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.", + "event_ids": [ + "4768" + ], + "id": "74eaa0ee-05a7-86a5-a7a8-076952aa764d", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE9242-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1110.003", + "TA0001", + "TA0004", + "T1110" + ], + "title": "Invalid Users Failing To Authenticate From Source Using Kerberos" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects suspicious failed logins with different user accounts from a single source system", + "event_ids": [ + "4776" + ], + "id": "203aaec0-5613-4fdc-42b3-a021d6f853dc", + "level": "medium", + "service": "security", + "subcategory_guids": [ + "0CCE923F-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0004", + "T1078" + ], + "title": "Failed NTLM Logins with Different Accounts from Single Source System" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level", + "event_ids": [ + "4688" + ], + "id": "d85240fc-d5ad-8061-a795-9eaea580fbf0", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "T1068" + ], + "title": "Windows Kernel and 3rd-Party Drivers Exploits Token Stealing" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.", + "event_ids": [ + "4776" + ], + "id": "ddbbe639-21f9-7b39-ae7d-821e490d6130", + "level": "medium", + "service": "security", + "subcategory_guids": [ + 
"0CCE923F-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1110.003", + "TA0001", + "TA0004", + "T1110" + ], + "title": "Valid Users Failing to Authenticate from Single Source Using NTLM" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects a source system failing to authenticate against a remote host with multiple users.", "event_ids": [ "4625" ], - "id": "84202b5b-54c1-473b-4568-e10da23b3eb8", + "id": "30e70d43-6368-123c-a3c8-d23309a3ff97", "level": "medium", "service": "security", "subcategory_guids": [ 
@@ -50317,46 +52424,88 @@ "TA0004", "T1110" ], - "title": "Multiple Users Failing to Authenticate from Single Process" + "title": "Multiple Users Remotely Failing To Authenticate From Single Source" + }, + { + "category": "ps_script", + "channel": [ + "pwsh", + "pwsh" + ], + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "event_ids": [ + "4104" + ], + "id": "13cf4134-564b-abdb-c83e-dac3ba9bac3c", + "level": "high", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0005", + "T1216" + ], + "title": "Execution via CL_Invocation.ps1 (2 Lines)" }, { "category": "", "channel": [ "System" ], - "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services", "event_ids": [ "7045" ], - "id": "c953a767-8b94-df03-dd53-611baad380fd", - "level": "high", + "id": "e9acc9e9-8b91-7859-2d0c-446a2c40b937", + "level": "low", "service": "system", "subcategory_guids": [], "tags": [ - "TA0008", - "T1021.002", - "T1570", - "TA0002", - "T1569.002", - "T1569", - "T1021" + "TA0003", + "TA0004", + "car.2013-09-005", + "T1543.003", + "T1543" ], - "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" + "title": "Rare Service Installations" }, { "category": "", "channel": [ "sec" ], - "description": "Detects a single user failing to authenticate to multiple users using explicit credentials.", + "description": "Search for accessing of fake files with stored credentials", "event_ids": [ - "4648" + "4663" ], - "id": "27124590-ab3f-79b8-7dfa-b82820dbb1cc", + "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + 
"0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1555" + ], + "title": "Stored Credentials in Fake Files" + }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.", + "event_ids": [ + "4776" + ], + "id": "bbd02091-a432-94b3-8041-9f776b681fc2", "level": "medium", "service": "security", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE923F-69AE-11D9-BED3-505054503030" ], "tags": [ "T1110.003", 
@@ -50364,2822 +52513,673 @@ "TA0004", "T1110" ], - "title": "Password Spraying via Explicit Credentials" + "title": "Invalid Users Failing To Authenticate From Single Source Using NTLM" }, { - "category": "", - "channel": [ - "Microsoft-Windows-TaskScheduler/Operational" - ], - "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.", - "event_ids": [ - "106" - ], - "id": "696cf23d-d3f2-0a4d-6aff-b162d692a778", - "level": "low", - "service": "taskscheduler", - "subcategory_guids": [], - "tags": [ - "TA0003", - "attack.s0111", - "T1053.005", - "T1053" - ], - "title": "Rare Scheduled Task Creations" - }, - { - "category": "process_creation", + "category": "network_connection", "channel": [ "sec" ], - "description": "Detects multiple suspicious process in a limited timeframe", - "event_ids": [ - "4688" - ], - "id": "53facd0f-d88d-bab7-469e-a36211463245", - "level": "low", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "car.2013-04-002", - "TA0002", - "T1059" - ], - "title": "Quick Execution of a Series of Suspicious Commands" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). 
Adjust Threshold according to domain width.", + "description": "Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.\n", "event_ids": [ "5156" ], - "id": "ffaf246b-f54a-05ba-d9b0-fba6626c7822", + "id": "7e448677-939e-f6d0-e901-91843a3888d7", "level": "medium", - "service": "security", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Local Network Connection Initiated By Script Interpreter" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.\n", + "event_ids": [ + "5156" + ], + "id": "0f4d93f0-a1eb-e6cb-7d79-f38cc95a9a55", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Network Connection Initiated By IMEWDBLD.EXE" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects a possible remote connections to Silenttrinity c2", + "event_ids": [ + "5156" + ], + "id": "f96b2d35-57da-bef8-3624-73634617eac6", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "TA0005", + "T1127.001", + "T1127" + ], + "title": "Silenttrinity Stager Msbuild Activity" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects a Python process initiating a network connection. 
While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.", + "event_ids": [ + "5156" + ], + "id": "cb64ddfa-8325-dc30-db3f-e546a9b1eba5", + "level": "medium", + "service": "", "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ "TA0007", - "T1087.002", - "T1087" + "T1046" ], - "title": "Enumeration via the Global Catalog" + "title": "Python Initiated Connection" }, { - "category": "", + "category": "network_connection", "channel": [ "sec" ], - "description": "Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.", - "event_ids": [ - "4768" - ], - "id": "c6c2c3e3-44ee-516c-9e48-63b304511787", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1110.003", - "TA0001", - "TA0004", - "T1110" - ], - "title": "Disabled Users Failing To Authenticate From Source Using Kerberos" - }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "This rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes", - "event_ids": [ - "4688" - ], - "id": "ca51d442-0a18-77d6-66b8-6f72ef1dc3bd", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "T1548.002", - "T1548" - ], - "title": "MSI Spawned Cmd and Powershell Spawned Processes" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Bits-Client/Operational" - ], - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "event_ids": [ - "16403" - ], - "id": "8a389ad3-d0c7-ef8c-1fb3-5bb7e31bcf7f", - "level": "medium", - "service": "bits-client", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0003", - "T1197" - ], - "title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Bits-Client/Operational" - ], - "description": "Detects new BITS transfer job saving local files with potential suspicious extensions", - "event_ids": [ - "16403" - ], - "id": "b37c7d8f-22b8-a92d-1d1c-593de0fa759e", - "level": "medium", - "service": "bits-client", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0003", - "T1197" - ], - "title": "BITS Transfer Job Downloading File Potential Suspicious Extension" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Bits-Client/Operational" - ], - "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", - "event_ids": [ - "16403" - ], - "id": "5e8a986a-7579-0482-f86e-ad63f6341cd1", - "level": "high", - "service": "bits-client", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0003", - "T1197" - ], - "title": "BITS Transfer Job Download From Direct IP" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Bits-Client/Operational" - ], - "description": "Detects BITS transfer job downloading files from a file sharing domain.", - "event_ids": [ - "16403" - ], - "id": "4f9e9e60-c580-dd4e-4f06-42a016217d0e", - "level": "high", - "service": "bits-client", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0003", - "T1197" - ], - "title": "BITS Transfer Job Download From File Sharing Domains" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Bits-Client/Operational" - ], - "description": "Detects the creation of a new bits job by PowerShell", - "event_ids": [ - "3" - ], - "id": 
"23d76ee6-e5fc-fb90-961a-4b412b97cc94", - "level": "low", - "service": "bits-client", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0003", - "T1197" - ], - "title": "New BITS Job Created Via PowerShell" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Bits-Client/Operational" - ], - "description": "Detects the creation of a new bits job by Bitsadmin", - "event_ids": [ - "3" - ], - "id": "f72c1543-44f6-f836-c0da-9bab33600dac", - "level": "low", - "service": "bits-client", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0003", - "T1197" - ], - "title": "New BITS Job Created Via Bitsadmin" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Bits-Client/Operational" - ], - "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", - "event_ids": [ - "16403" - ], - "id": "26844668-ef48-7a97-5687-9533e59288b7", - "level": "high", - "service": "bits-client", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0003", - "T1197" - ], - "title": "BITS Transfer Job Download To Potential Suspicious Folder" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-WinRM/Operational" - ], - "description": "", - "event_ids": [ - "6" - ], - "id": "4f321a68-176a-4f1d-873a-8793bc49e3b0", - "level": "informational", - "service": "", - "subcategory_guids": [], - "tags": [ - "PwSh", - "WinRM" - ], - "title": "Win RM Session Created" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Bits-Client/Operational" - ], - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "event_ids": [ - "59" - ], - "id": "18e6fa4a-353d-42b6-975c-bb05dbf4a004", - "level": "informational", - "service": "bits-client", - "subcategory_guids": [], - "tags": [ - "TA0005", - "TA0003", - "T1197", - "lolbas" - ], - "title": "Bits Job Created" - }, - { - "category": "", - "channel": [ - 
"Microsoft-Windows-WMI-Activity/Operational" - ], - "description": "", - "event_ids": [ - "5860" - ], - "id": "d96164c4-9e15-4d48-964f-153ac0dab6e9", - "level": "informational", - "service": "wmi", - "subcategory_guids": [], - "tags": [ - "WMI" - ], - "title": "Temporary WMI Event Consumer" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-WMI-Activity/Operational" - ], - "description": "The time wmiprvse was executed and path to the provider DLL. Attackers may sometimes install malicious WMI provider DLLs.", - "event_ids": [ - "5857" - ], - "id": "547aec97-2635-474a-a36c-7a3a46b07fde", - "level": "informational", - "service": "wmi", - "subcategory_guids": [], - "tags": [ - "WMI" - ], - "title": "WMI Provider Started" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-WMI-Activity/Operational" - ], - "description": "Detects when powershell or cmd is used in WMI. (For persistence, lateral movement, etc...)", - "event_ids": [ - "5861" - ], - "id": "ab4852ca-3e27-4dbb-af6b-5f8458d5717a", - "level": "medium", - "service": "wmi", - "subcategory_guids": [], - "tags": [ - "WMI", - "TA0003", - "TA0008" - ], - "title": "WMI Filter To Consumer Binding_Command Execution" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-WMI-Activity/Operational" - ], - "description": "Created when a EventFilterToConsumerBinding event happens.", - "event_ids": [ - "5861" - ], - "id": "ac9f0a2a-e9c5-4d19-b69e-e3d518ca6797", - "level": "informational", - "service": "wmi", - "subcategory_guids": [], - "tags": [ - "WMI" - ], - "title": "Permanent WMI Event Consumer" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Partition/Diagnostic" - ], - "description": "Device is connected or disconnected", - "event_ids": [ - "1006" - ], - "id": "a6a0d64-75d1-433a-b415-4123bab080ec", - "level": "informational", - "service": "", - "subcategory_guids": [], - "tags": [], - "title": "Device Conn" - }, - { - "category": "", - "channel": [ - 
"Microsoft-Windows-VHDMP-Operational" - ], - "description": "An ISO disk image was mounted. The original event is for when the handle is created. \nThere is an event ID 1 for when it is mounted but this happens at the same time and this event contains more detailed information \nso I am using this instead of EID 1 for VHD mounting.\nAttackers have started to place malware instead .iso files now that office documents downloaded from the internet have their macros blocked by default since 2022.\n", - "event_ids": [ - "12" - ], - "id": "f9915ff9-17ce-4524-9851-cc4bdd9bb35e", - "level": "low", - "service": "vhdmp", - "subcategory_guids": [], - "tags": [], - "title": "ISO Mounted" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-VHDMP-Operational" - ], - "description": "A VHDX (Virtual Hard Disk version 2) image was mounted. They are often used with WSL disk partitions.", - "event_ids": [ - "12" - ], - "id": "2c544083-e209-4a8d-ad28-4f1427353d2e", - "level": "low", - "service": "vhdmp", - "subcategory_guids": [], - "tags": [], - "title": "VHDX Mounted" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-VHDMP-Operational" - ], - "description": "A VMGS or VHD (Virtual Hard Disk) image was mounted. 
They are often used with HyperV.", - "event_ids": [ - "12" - ], - "id": "d00c370c-c6c2-474f-9d41-a250644852b5", - "level": "low", - "service": "vhdmp", - "subcategory_guids": [], - "tags": [], - "title": "VHD Mounted" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Windows defender malware detection", - "event_ids": [ - "1116" - ], - "id": "1e11c0f0-aecd-45d8-9229-da679c0265ea", - "level": "high", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "malware" - ], - "title": "Defender Alert (High)" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Windows defender malware detection", - "event_ids": [ - "1116" - ], - "id": "3f5005fc-e354-4b0b-b1a1-3eec1d336023", - "level": "medium", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "malware" - ], - "title": "Defender Alert (Moderate)" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Windows defender malware detection", - "event_ids": [ - "1116" - ], - "id": "810bfd3a-9fb3-44e0-9016-8cdf785fddbf", - "level": "critical", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "malware" - ], - "title": "Defender Alert (Severe)" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Windows Defender/Operational" - ], - "description": "Windows defender malware detection", - "event_ids": [ - "1116" - ], - "id": "61056ed8-7be5-46e4-9015-c5f6bc8b93a1", - "level": "low", - "service": "windefend", - "subcategory_guids": [], - "tags": [ - "malware" - ], - "title": "Defender Alert (Low)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "The Windows Filtering Platform has allowed a connection.", + "description": "Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.\n", "event_ids": [ "5156" 
], - "id": "d0a61a11-57c9-4afc-b940-3f19b60db08e", - "level": "informational", - "service": "security", + "id": "1ba0b3d6-e0f7-98e9-4611-b307922a0766", + "level": "high", + "service": "", "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], - "tags": [], - "title": "Net Conn" + "tags": [ + "TA0011", + "T1105" + ], + "title": "Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location" }, { - "category": "", + "category": "network_connection", "channel": [ "sec" ], - "description": "The Windows Filtering Platform has blocked a connection.", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", "event_ids": [ - "5157" + "5156" ], - "id": "b793a8e6-28a4-4fb8-816e-17a99e4e7b40", - "level": "informational", - "service": "security", + "id": "94af51b6-e4c1-f780-3f48-90c3d7e35ea4", + "level": "medium", + "service": "", "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], - "tags": [], - "title": "Net Conn Blocked" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Scheduled task was deleted.", - "event_ids": [ - "4699" - ], - "id": "de5ed02e-e7b5-47a0-a35c-06a907c988e4", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Task Deleted" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Scheduled task created. 
Malware often persists with tasks but also used legitimately often as well.", - "event_ids": [ - "4698" - ], - "id": "60d768ca-33e8-4f34-b967-14fd7aa18a22", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Task Created" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "", - "event_ids": [ - "5145" - ], - "id": "8c6ec2b2-8dad-4996-9aba-d659afc1b919", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], "tags": [ - "T1039", - "TA0009" + "TA0010", + "T1048.003", + "T1048" ], - "title": "NetShare File Access" + "title": "Suspicious Outbound SMTP Connections" }, { - "category": "", + "category": "network_connection", "channel": [ "sec" ], - "description": "", + "description": "Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.\n", "event_ids": [ - "5140" + "5156" ], - "id": "15d042c1-07c6-4e16-ae7d-e0e556ccd9a8", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9224-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1039", - "TA0009" - ], - "title": "NetShare Access" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "", - "event_ids": [ - "4688" - ], - "id": "75744b7f-7e4a-47fe-afbe-1ee74ec2448e", + "id": "7c743e5c-7a9d-ba96-9ada-1d17687e2a6d", "level": "medium", - "service": "security", + "service": "", "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Susp CmdLine (Possible Meterpreter getsystem)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Process execution.", - "event_ids": [ - "4688" - ], - "id": "ac933178-c222-430d-8dcf-17b4f3a2fed8", - "level": "informational", - "service": "security", - "subcategory_guids": [ 
- "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Proc Exec" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "", - "event_ids": [ - "4688" - ], - "id": "6c34b782-a5b5-4298-80f3-1918caf1f558", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "lolbas" - ], - "title": "Possible LOLBIN" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects a suspicious RDP session redirect using tscon.exe", - "event_ids": [ - "4688" - ], - "id": "6be7f3fc-8917-11ec-a8a3-0242ac120002", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0006", + "T1558", + "TA0008", + "T1550.003", + "T1550" + ], + "title": "Uncommon Outbound Kerberos Connection" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "event_ids": [ + "5156" + ], + "id": "81ca22c3-fdfd-6c3a-051f-dc404488536c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1572", "TA0008", - "T1563.002", "T1021.001", - "T1563", + "car.2013-07-002", "T1021" ], - "title": "Possible RDP Hijacking" + "title": "RDP Over Reverse SSH Tunnel" }, { - "category": "", + "category": "network_connection", "channel": [ "sec" ], - "description": "Directory Service Object Modified. 
Log written only to domain controllers (2008+)", + "description": "Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.\nAn initial baseline is required before using this utility to exclude third party RDP tooling that you might use.\n", "event_ids": [ - "5136" + "5156" ], - "id": "22ee9fb7-64ca-4eed-92de-d1dbef1170b8", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Dir Svc Obj Modified" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Originally \"Special privileges assigned to new logon\". This will create a seperate LID that is used when special admin-level privileges are used.", - "event_ids": [ - "4672" - ], - "id": "fdd0b325-8b89-469c-8b0c-e5ddfe39b62e", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE921B-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Admin Logon" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Tries to detect token impersonation by tools like Cobalt Strike.", - "event_ids": [ - "4624" - ], - "id": "9e8b6cdb-9991-488b-a7b3-2eec7aa64679", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "NewInteractive Logon (Suspicious Process)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints logon information. Despite the naming NetworkCleartext, the password is not sent over the network in cleartext. 
It is usually for IIS Basic Authentication.", - "event_ids": [ - "4624" - ], - "id": "7ff51227-6a10-49e6-a58b-b9f4ac32b138", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (NetworkCleartext)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints logon information", - "event_ids": [ - "4624" - ], - "id": "8ad8b25f-6052-4cfd-9a50-717cb514af13", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (Batch)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints failed logons", - "event_ids": [ - "4625" - ], - "id": "8afa97ce-a217-4f7c-aced-3e320a57756d", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon Failure (User Does Not Exist)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "This is filtered by default as it is usually system noise.", - "event_ids": [ - "4624" - ], - "id": "b1782e40-d247-4de1-86d1-37392cb62e3b", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (Interactive) (Noisy)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Type 9 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.", - "event_ids": [ - "4624" - ], - "id": "d80facaa-ca97-47bb-aed2-66362416eb49", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (NewCredentials) *Creds in memory*" - }, - { - "category": "", - "channel": [ - "sec" - ], - 
"description": "Type 2 Interactive logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.", - "event_ids": [ - "4624" - ], - "id": "7beb4832-f357-47a4-afd8-803d69a5c85c", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (Interactive) *Creds in memory*" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects explicit credential logons with suspicous processes like powershell and wmic which are often abused by malware like Cobalt Strike or Mimikatz for user impersonation.", - "event_ids": [ - "4648" - ], - "id": "7616e857-8e41-4976-bc21-811d122b9fc9", + "id": "e02f9ef8-2edb-79a4-0626-b506436d7ebe", "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0008" - ], - "title": "Explicit Logon Attempt (Susp Proc) - Possible Mimikatz PrivEsc" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Search for many 4625 wrong password failed logon attempts in a short period of time.", - "event_ids": [ - "4625" - ], - "id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1110.003", - "TA0006", - "T1110" - ], - "title": "PW Guessing" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Type 13 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.", - "event_ids": [ - "4624" - ], - "id": "e50e3952-06d9-44a8-ab07-7a41c9801d78", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - 
"title": "Logon (CachedUnlock) *Creds in memory*" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Type 11 Interactive logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.", - "event_ids": [ - "4624" - ], - "id": "fbbe9d3f-ed1f-49a9-9446-726e349f5fba", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (CachedInteractive) *Creds in memory*" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Search for many 4648 explicit credential logon attempts in a short period of time.", - "event_ids": [ - "4648" - ], - "id": "ffd622af-d049-449f-af5a-0492fdcc3a58", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1110.003", - "TA0006", - "T1110" - ], - "title": "PW Spray" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints logon type 5 service logons.", - "event_ids": [ - "4624" - ], - "id": "408e1304-51d7-4d3e-ab31-afd07192400b", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (Service)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Type 12 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.", - "event_ids": [ - "4624" - ], - "id": "f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (CachedRemoteInteractive) *Creds in memory*" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Outputs system noise", - "event_ids": [ - "4624" 
- ], - "id": "0266af4f-8825-495e-959c-bff801094349", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (Network) (Noisy)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Type 10 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.", - "event_ids": [ - "4624" - ], - "id": "a4e05f05-ff88-48b9-8524-a88c1c32fe19", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (RemoteInteractive (RDP)) *Creds in memory*" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects a failed logon event due to a wrong password", - "event_ids": [ - "4625" - ], - "id": "5b0b75dc-9190-4047-b9a8-14164cee8a31", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Failed Logon - Incorrect Password" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "The logon event happens when the computer boots up.", - "event_ids": [ - "4624" - ], - "id": "9fa273cc-bcb2-4789-85e3-14ca253ac7f4", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (System) - Bootup" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints logon information", - "event_ids": [ - "4624" - ], - "id": "b61bfa39-48ec-4bdf-9d4e-e7205f49acd2", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (Unlock)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints logon information.", 
- "event_ids": [ - "4625" - ], - "id": "e87bd730-df45-4ae9-85de-6c75369c5d29", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon Failure (Wrong Password)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Tries to detect token impersonation by tools like Cobalt Strike.", - "event_ids": [ - "4624" - ], - "id": "46614e82-7926-41f9-85aa-006b98c5c2a3", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Possible Token Impersonation" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints logon information.", - "event_ids": [ - "4625" - ], - "id": "a85096da-be85-48d7-8ad5-2f957cd74daa", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon Failure (Unknown Reason)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects a failed logon event due to a wrong password", - "event_ids": [ - "4648" - ], - "id": "ab1accc0-b6e2-4841-8dfb-5902581392c3", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Failed Logon - Incorrect Password" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "(From ultimatewindowsecurity.com)\nThis log is generated when\n1. A user connects to a server or runs a program locally using alternate credentials.\n For instance a user maps a drive to a server but specifies a different user's credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut,\n selecting Run as..., and then filling in a different user's credentials in the dialog box that appears. 
Or a user logs on to a web site using new specific credentials.\n2. When a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.\n3. With User Account Control enabled, an end user runs a program requiring admin authority. You will get this event where the process information is consent.exe.\n Unfortunately the Subject does not identify the end user.\n4. Logging on interactively to a server with a domain account. (Two 4624 events will also be generated.)\nThis logon event is unique in that it is logged on the source computer and not the target computer like most other logon events.\nAlso, it will be logged regardless of the logon being successful or not so consider it an attempt and not necessarily an actual successful logon.\n", - "event_ids": [ - "4648" - ], - "id": "a5b3ebf0-141a-4264-b2ff-400c0d515fca", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0008" - ], - "title": "Explicit Logon Attempt (Noisy)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "System Noise", - "event_ids": [ - "4624" - ], - "id": "84e5ff02-5f8f-48c4-a7e9-88aa1fb888f7", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (Service) (Noisy)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Search for many 4625 failed logon attempts due to wrong usernames in a short period of time.", - "event_ids": [ - "4625" - ], - "id": "4574194d-e7ca-4356-a95c-21b753a1787e", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "T1110.003", - "TA0006", - "T1110" - ], - "title": "User Guessing" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects 
a failed logon event due to an incorrect username", - "event_ids": [ - "4625" - ], - "id": "b2c74582-0d44-49fe-8faa-014dcdafee62", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Failed Logon - Non-Existent User" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints logon information", - "event_ids": [ - "4624" - ], - "id": "c7b22878-e5d8-4c30-b245-e51fd354359e", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon (Network)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "(From ultimatewindowsecurity.com)\nThis log is generated when\n1. A user connects to a server or runs a program locally using alternate credentials.\n For instance a user maps a drive to a server but specifies a different user's credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut,\n selecting Run as..., and then filling in a different user's credentials in the dialog box that appears. Or a user logs on to a web site using new specific credentials.\n2. When a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.\n3. With User Account Control enabled, an end user runs a program requiring admin authority. You will get this event where the process information is consent.exe.\n Unfortunately the Subject does not identify the end user.\n4. Logging on interactively to a server with a domain account. 
(Two 4624 events will also be generated.)\nThis logon event is unique in that it is logged on the source computer and not the target computer like most other logon events.\nAlso, it will be logged regardless of the logon being successful or not so consider it an attempt and not necessarily an actual successful logon.\n", - "event_ids": [ - "4648" - ], - "id": "8c1899fe-493d-4faf-aae1-0853a33a3278", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004", - "TA0008" - ], - "title": "Explicit Logon Attempt" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects when there is a RDP session reconnect.", - "event_ids": [ - "4778" - ], - "id": "db23f704-61c8-4c95-a5b7-4db61c89f41d", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE921C-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "RDP", - "TA0008" - ], - "title": "RDP Session Reconnect" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects when there is a RDP session disconnect.", - "event_ids": [ - "4779" - ], - "id": "f3532729-5536-42b4-ad74-d061b61a3891", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE921C-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "RDP", - "TA0008" - ], - "title": "RDP Session Disconnect" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints logon information.", - "event_ids": [ - "4647" - ], - "id": "6bad16f1-02c4-4075-b414-3cd16944bc65", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9216-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logoff (User Initiated)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints logon information.", - "event_ids": [ - "4634" - ], - "id": "84288799-8b61-4d98-bad0-4043c40cf992", - "level": "informational", - "service": "security", - 
"subcategory_guids": [ - "0CCE9216-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logoff (Noisy)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints logon information.", - "event_ids": [ - "4634" - ], - "id": "7309e070-56b9-408b-a2f4-f1840f8f1ebf", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9216-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logoff" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A process has enumerated credential information in Credential Manager. There will be many false positives so check if the Process ID (PID) is that of known malware on the system.", - "event_ids": [ - "5379" - ], - "id": "d8e3afc5-fa0a-4063-a4af-55e014eb1936", - "level": "low", - "service": "security", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1555.004", - "T1555" - ], - "title": "Credential Manager Enumerated" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A user has cleared the Security event log.", - "event_ids": [ - "1102" - ], - "id": "c2f690ac-53f8-4745-8cfe-7127dda28c74", - "level": "high", - "service": "security", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1070.001", - "T1070" - ], - "title": "Log Cleared" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A process has read credentials in the Credential Manager. There will be many false positives so check if the Process ID (PID) is that of known malware on the system.", - "event_ids": [ - "5379" - ], - "id": "d478c070-8f84-4e65-9f45-cc432a000e93", - "level": "low", - "service": "security", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1555.004", - "T1555" - ], - "title": "Credential Manager Accessed" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A user was denied the access to Remote Desktop. 
By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.", - "event_ids": [ - "4825" - ], - "id": "f97a152e-753c-4975-9375-19087fb66f8c", - "level": "informational", - "service": "security", - "subcategory_guids": [], - "tags": [], - "title": "RDP Denied" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects when hashes are not correct or a file does not meet Windows' security requirements.", - "event_ids": [ - "6410" - ], - "id": "c2eb9d20-ef9d-4b2d-bffe-d0a5d9616f30", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE9212-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Code Integrity Proble (Possible Modification)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects when hashes are not correct or a file does not meet Windows' security requirements.", - "event_ids": [ - "6281" - ], - "id": "d4757f63-cc0e-448e-8b5b-6cb02aeb918a", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE9212-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Code Integrity Error (Invalid Image Page Hash)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects when hashes are not correct or a file does not meet Windows' security requirements.", - "event_ids": [ - "5038" - ], - "id": "0c871345-668e-4b71-bdad-61e42ecc31e3", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE9212-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005" - ], - "title": "Code Integrity Error (Invalid Image Hash)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A logon process has registered with the Local Security Authority (LSA). Logon requests will now be accepted from this source. 
Technically, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates. A logon process is a trusted part of the OS that handles logon methods (network, interactive, etc.)", - "event_ids": [ - "4611" - ], - "id": "41ca6049-dd12-462c-a772-7bba78d8e2f0", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Abnormal Logon Proc Registered With LSA" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A logon process has registered with the Local Security Authority (LSA). Logon requests will now be accepted from this source. Technically, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates. A logon process is a trusted part of the OS that handles logon methods (network, interactive, etc.)", - "event_ids": [ - "4611" - ], - "id": "614c150b-905d-4071-9b8e-0425e370c493", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Logon Proc Registered With LSA" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A new service was installed. (Possibly malware.)", - "event_ids": [ - "4697" - ], - "id": "95fe88c9-5b9d-4454-97b4-957918b84208", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003" - ], - "title": "Svc Installed" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A user account changed it's own password. 
Adversaries might change the password to lockout legitimate user or set the password to a known clear text passwort via Pass the Hash if only the password hash is known. This will allow an adversary to access services where Pass the Hash is not an option.", - "event_ids": [ - "4723" - ], - "id": "3b3046f3-a51c-4378-b059-c716aaa865b4", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004" - ], - "title": "User Password Changed" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A local user account was created.", - "event_ids": [ - "4720" - ], - "id": "13edce80-2b02-4469-8de4-a3e37271dcdb", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "attack.1136.001" - ], - "title": "Local User Account Created" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A user accounts password was changed by another account. The current password is not required to reset the password. An adversary might change the password of another account to lock out legitimate users or gain access to the account. This could be done if the account controlled by the attacker has permission to change the password, or as a step in attacks like Pass the Cert.", - "event_ids": [ - "4724" - ], - "id": "0b78aca4-35f0-4bec-acce-c5743ff26614", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0004" - ], - "title": "Password Reset By Admin" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A computer account (an account that ends with a $) was created. 
These accounts are not displayed by default so will be hidden.", - "event_ids": [ - "4720" - ], - "id": "70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "attack.11136.001" - ], - "title": "Hidden User Account Created" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A computer account was created.", - "event_ids": [ - "4741" - ], - "id": "42a0a842-2b82-4b2d-8e44-5580fb6c38db", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Computer Account Created" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A user was added to the local Domain Admins group.", - "event_ids": [ - "4732" - ], - "id": "bc58e432-959f-464d-812e-d60ce5d46fa1", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1098" - ], - "title": "User Added To Local Domain Admins Grp" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A user was added to the local Administrators group. Unfortunately the user name does not get recorded in the log, only the SID, so you need to look up the username via the SID.", - "event_ids": [ - "4732" - ], - "id": "611e2e76-a28f-4255-812c-eb8836b2f5bb", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1098" - ], - "title": "User Added To Local Admin Grp" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subject user is the user that performed the action. 
Only logged on DCs.", - "event_ids": [ - "4728" - ], - "id": "0db443ba-561c-4a04-b349-d74ce1c5fc8b", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1098" - ], - "title": "User Added To Global Security Grp" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "A user was added to the Domain Admins group. Only logged on DCs.", - "event_ids": [ - "4728" - ], - "id": "4bb89c86-a138-42a0-baaf-fc2f777a4506", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1098" - ], - "title": "User Added To Global Domain Admins Grp" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "User Added To Non-Admin Global Security Group. Only logged on DCs.", - "event_ids": [ - "4728" - ], - "id": "2f04e44e-1c79-4343-b4ab-ba670ee10aa0", - "level": "low", - "service": "security", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1098" - ], - "title": "User Added To Non-Admin Global Grp" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.", - "event_ids": [ - "4674" - ], - "id": "15db3cc7-30bd-47a0-bd75-66208ce8e3fe", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "T1543.003", - "T1543" - ], - "title": "Possible Hidden Service Created" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk. \nFor example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.) 
\nDisk wipers like bcwipe will also generate this.\nMore legitimate filepaths may have to be added to the filter.\nThis is marked as a medium alert as there is a high possibility for false positives.\n", - "event_ids": [ - "4673" - ], - "id": "5b6e58ee-c231-4a54-9eee-af2577802e08", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9228-69AE-11D9-BED3-505054503030", - "0CCE9229-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1003.001", - "T1561", - "TA0040", - "T1003" - ], - "title": "Process Ran With High Privilege" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.", - "event_ids": [ - "4768" - ], - "id": "dee2a01e-5d7c-45b4-aec3-ad9722f2165a", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0006", - "T1558.004", - "T1558" - ], - "title": "Possible AS-REP Roasting (RC4 Kerberos Ticket Req)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints logon information.", - "event_ids": [ - "4768" - ], - "id": "d9f336ea-bb16-4a35-8a9c-183216b8d59c", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Kerberos TGT Requested" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.", - "event_ids": [ - "4769" - ], - "id": "f19849e7-b5ba-404b-a731-9b624d7f6d19", - "level": "medium", - "service": "security", - "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030" - ], - "tags": [ 
- "TA0006", - "T1558.003", - "T1558" - ], - "title": "Possible Kerberoasting (RC4 Kerberos Ticket Req)" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Prints logon information.", - "event_ids": [ - "4769" - ], - "id": "da6257f3-cf49-464a-96fc-c84a7ce20636", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "Kerberos Service Ticket Requested" - }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Logged when NTLM authentication is used usually for local accounts but NTLM can also be used with domain accounts. The original event title says it is only generated on domain controllers but that is not true. This also gets logged on clients.", - "event_ids": [ - "4776" - ], - "id": "4fbe94b0-577a-4f77-9b13-250e27d440fa", - "level": "informational", - "service": "security", - "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "tags": [], - "title": "NTLM Auth" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" - ], - "description": "Logon for RDS (Remote Desktop Services). 
Formerly known as Terminal Services.\nUses RDP so I am refering to these as RDP Logons as that is what most people will expect.\nOn newer OSes (Win 7+, 2012+), this event is logged only when a user successfully logs on to a RDP session.\nOn older OSes (Vista, 2008), this event is logged when a user logs on to a RDP session, regardless of success.\nThis event might be be created when rdesktop is used as a client and NLA is disabled.\nUser and domain names are empty if the server is configured with Restricted Admin.\nInformation in this event is also found in the Security event log.\n", - "event_ids": [ - "1149" - ], - "id": "e91c514e-08c5-4c42-96d7-ab1f5668a2f7", - "level": "informational", "service": "", - "subcategory_guids": [], - "tags": [ - "RDP", - "TA0008", - "TA0001" + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" ], - "title": "RDP Logon" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" - ], - "description": "This event is generated when anyone connects to RDP and sends data. It does not need to be a legitimate RDP connection.\nUnfortunately, there are no details about the remote machine.\nThis event is noisy and will generate a lot of logs and is of limited investigative value.\nIf you see a large number of these events, but not successful logon events with EID 1149, etc... 
then it may indicate a brute force attack.\nThe Security event log will have more information so this event is only useful if the Security event logs are not available.\n", - "event_ids": [ - "261" - ], - "id": "6dbed1df-f08a-47ab-9a58-999c0787d034", - "level": "informational", - "service": "", - "subcategory_guids": [], - "tags": [ - "RDP", - "TA0008" - ], - "title": "RDP Conn (Noisy)" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Crypto-DPAPI/Debug" - ], - "description": "Detects whenever SPCryptUnprotect is called in the Microsoft-Windows-Crypto-DPAPI/Debug event log.", - "event_ids": [ - "16385" - ], - "id": "420d5d28-78ed-4e43-844a-94ce69db378c", - "level": "informational", - "service": "", - "subcategory_guids": [], - "tags": [], - "title": "CryptoDPAPI Decrypt" - }, - { - "category": "", - "channel": [ - "Application" - ], - "description": "Windows Installer installed software via an MSI file.\n%Data[1]%: Product Name\n%Data[2]%: Product Version\n%Data[3]%: Product Language in LCID format. (Ex: 1033 for English)\n%Data[4]%: Installation status code. 
0 means success.\n%Data[5]%: Vendor\n%Data[6]%: Not sure.\nBinary: Not sure how to decode.\n", - "event_ids": [ - "1022", - "1033" - ], - "id": "ef118d4d-ef83-40a7-bb27-2bb3945473ee", - "level": "informational", - "service": "application", - "subcategory_guids": [], - "tags": [], - "title": "MSI Install" - }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "Engine state is changed from None to Available.", - "event_ids": [ - "400" - ], - "id": "ac2ae63b-83e6-4d06-aeaf-07409bda92c9", - "level": "informational", - "service": "powershell-classic", - "subcategory_guids": [], - "tags": [ - "PwShClassic" - ], - "title": "PwSh Engine Started" - }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "An attacker may have started Powershell 2.0 to evade detection.", - "event_ids": [ - "400" - ], - "id": "bc082394-73e6-4d00-a9af-e7b524ef5085", - "level": "medium", - "service": "powershell-classic", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.010", - "lolbas", - "T1562" - ], - "title": "PwSh 2.0 Downgrade Attack" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TerminalServices-RDPClient/Operational" - ], - "description": "", - "event_ids": [ - "1024" - ], - "id": "512e70f5-bf70-4de1-9375-2174999a7f8d", - "level": "informational", - "service": "", - "subcategory_guids": [], - "tags": [ - "RDP", - "TA0008" - ], - "title": "RDP Conn Attempt" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TerminalServices-RDPClient/Operational" - ], - "description": "", - "event_ids": [ - "1102" - ], - "id": "1a850b71-6aef-4f31-a509-f31b2c778476", - "level": "informational", - "service": "", - "subcategory_guids": [], - "tags": [ - "RDP", - "TA0008" - ], - "title": "RDP Attempt" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "This is an event that shows the computer uptime.This event is important because it also contains the OS timezone information.\n", - 
"event_ids": [ - "6013" - ], - "id": "982fdd1f-38fe-4243-bea3-6032fc01b723", - "level": "informational", - "service": "system", - "subcategory_guids": [], - "tags": [], - "title": "Computer Uptime/Timezone" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "", - "event_ids": [ - "7040" - ], - "id": "ab3507cf-5231-4af6-ab1d-5d3b3ad467b5", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1562.002", - "T1562" - ], - "title": "Event Log Service Startup Type Changed To Disabled" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Tries to look for random-looking service names that are often used by malware for persistence.", - "event_ids": [ - "7045" - ], - "id": "cc429813-21db-4019-b520-2f19648e1ef1", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003", - "T1543.003", - "T1543" - ], - "title": "Suspicious Service Name" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Logs only the first time a device has been plugged in.", - "event_ids": [ - "20001" - ], - "id": "9eaea7e6-6567-4ad0-bcc9-fe568dd27909", - "level": "informational", - "service": "system", - "subcategory_guids": [], - "tags": [], - "title": "New Non-USB PnP Device" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Blue Screen Of Death. MS calls these Bug Check Errors.\nparam1 will contain various error codes for debugging:\nexample: 0x0000009f (0x0000000000000003, 0xffffe682fdfaf570, 0xfffff800666c4750, 0xffffe6831844f050)\n - 0x0000009f is the Bug Check Code (a.k.a. Stop Code) meaning DRIVER_POWER_STATE_FAILURE\n - 0x0000000000000003 indicates the type of inconsistency. 
In this case, 0x3 means the system is transitioning from a sleep state (S4 or S5) to an awake state (S0).\n - 0xffffe682fdfaf570 is a pointer to the DEVICE_OBJECT structure representing the device that is being enumerated.\n - 0xfffff800666c4750 is a pointer to the IRP (I/O Request Packet) that was pending for the device object.\n - 0xffffe6831844f050 is a pointer to the NTSTATUS code indicating the cause of the failure.\nparam2 is the path to a memory dump (ex: C:\\WINDOWS\\MEMORY.DMP)\nparam3 is the report ID (ex: cf65ecb3-8a81-4a04-89ae-8d1fff1aecf8)\n", - "event_ids": [ - "1001" - ], - "id": "082fbbf5-bb05-468c-ad9c-ef2a383bb293", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [], - "title": "BSOD" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Logs only the first time a device has been plugged in.", - "event_ids": [ - "20001" - ], - "id": "f5c0b936-bec8-418a-a79a-89833468fea2", - "level": "informational", - "service": "system", - "subcategory_guids": [], - "tags": [], - "title": "New USB PnP Device" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "The system has booted up. It also contains information about the OS version even though this information is not present in the event message. You can tell if the system was started up normally or in safe mode depending on the value of the BootMode. 0 for normal boot. 1 for Safe Mode. 
2 for Safe Mode with networking.", - "event_ids": [ - "12" - ], - "id": "a225cc36-bfdc-4e7a-ad01-f544b90e2d2a", - "level": "informational", - "service": "system", - "subcategory_guids": [], - "tags": [], - "title": "Computer Startup" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "", - "event_ids": [ - "7031" - ], - "id": "d869bf31-92b3-4e21-a447-708f10156e7c", - "level": "low", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0040", - "T1499" - ], - "title": "Service Crashed" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Malware will often create services for persistence and use BASE64 encoded strings to execute malicious code or abuse legitimate binaries like cmd.exe, powershell, etc... inside the path to execute. Normally, services will not run built-in binaries, run from user or temp folders or contain encoded data.", - "event_ids": [ - "7045" - ], - "id": "dbbfd9f3-9508-478b-887e-03ddb9236909", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003", - "T1543.003", - "T1543" - ], - "title": "Suspicious Service Path" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "PSExec is a MS SysInternals tool often abused for lateral movement.", - "event_ids": [ - "7045" - ], - "id": "0694c340-3a46-40ac-acfc-c3444ae6572c", - "level": "high", - "service": "system", - "subcategory_guids": [], "tags": [ "TA0008", - "attack.s0029", - "T1136.002", - "T1543.003", - "T1570", - "T1021.002", - "T1569.002", - "T1136", - "T1543", - "T1569", + "T1021.001", + "car.2013-07-002", "T1021" ], - "title": "PSExec Lateral Movement" + "title": "Outbound RDP Connections Over Non-Standard Tools" }, { - "category": "", + "category": "network_connection", "channel": [ - "System" + "sec" ], - "description": "The system has booted up. It also contains information about the OS version even though this information is not present in the event message. 
You can tell if the system was started up normally or in safe mode depending on the value of the BootMode. 0 for normal boot. 1 for Safe Mode. 2 for Safe Mode with networking.", + "description": "Detects outbound network connection initiated by Microsoft Dialer.\nThe Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.\nThis is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is \"Rhadamanthys\"\n", "event_ids": [ - "12" + "5156" ], - "id": "8da41a05-364b-4e3c-95d9-397abb82eac4", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [], - "title": "Computer Startup In Safe Mode" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "The computer started up. This event is important because it also contains the OS version information.\n%Data[3]% contains the Service Pack name (Ex: Service Pack 1) for Windows 7 systems but can be infered from the build number so is left out.\n%Data[4]% contains processor license information (Ex: Multiprocessor Free) but is not so useful so is left out.\n%Data[5]% contains the Revision (a.k.a. 
Update Version) Number in Windows 7 logs.\nWindows 10+ seems to always output 0 for this so it is not a reliable source for identifying the Revision Number.\n", - "event_ids": [ - "6009" - ], - "id": "b27292f1a-18b3-4433-b340-151874a7d4e8", - "level": "informational", - "service": "system", - "subcategory_guids": [], - "tags": [], - "title": "Computer Startup" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Somebody cleared an imporant event log.", - "event_ids": [ - "104" - ], - "id": "ed90ed4f-0d93-4f1a-99a2-4b9003b750a7", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0005", - "T1070.001", - "T1070" - ], - "title": "Log File Cleared" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "A new service was installed. (Possibly malware.)", - "event_ids": [ - "7045" - ], - "id": "64c5d39d-10a7-44f4-b5d6-fd0d93d0a69f", - "level": "informational", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0003" - ], - "title": "Svc Installed" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "", - "event_ids": [ - "7034" - ], - "id": "f5dc6a6d-fdf1-441a-a10c-aa10e2908aa4", - "level": "low", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0040", - "T1499" - ], - "title": "Service Crashed" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "The shutdown operation is initiated automatically by a program that uses the InitiateSystemShutdownEx function with the force flag.", - "event_ids": [ - "6008" - ], - "id": "517c0b15-d2bf-48a3-926c-f7b4a96dcec3", - "level": "low", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0040", - "T1499" - ], - "title": "Unexpected Shutdown" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Startup, restarting the event log service, etc...", - "event_ids": [ - "6005" - ], - "id": "11dc7d25-01c9-4b07-9d91-8e07b60d8fd3", - "level": 
"informational", - "service": "system", - "subcategory_guids": [], - "tags": [], - "title": "Event Log Svc Started" - }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Somebody cleared an imporant event log.", - "event_ids": [ - "104" - ], - "id": "f481a1f3-969e-4187-b3a5-b47c272bfebd", + "id": "fa5330d2-19f1-4167-52a0-fb622b6425f8", "level": "high", - "service": "system", - "subcategory_guids": [], + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], "tags": [ - "TA0005", - "T1070.001", - "T1070" + "TA0002", + "TA0011", + "T1071.001", + "T1071" ], - "title": "Important Log File Cleared" + "title": "Outbound Network Connection Initiated By Microsoft Dialer" }, { - "category": "", + "category": "network_connection", "channel": [ - "System" + "sec" ], - "description": "Shutdown, reboot, event log service stopped, etc...", + "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", "event_ids": [ - "6006" + "5156" ], - "id": "b6d53116-36b2-4413-a99b-e6708f9c3027", - "level": "informational", - "service": "system", - "subcategory_guids": [], - "tags": [], - "title": "Event Log Svc Stopped" + "id": "1487f05c-b749-4322-d657-d20a2eea7e47", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Outbound Network Connection Initiated By Script Interpreter" }, { - "category": "", + "category": "network_connection", "channel": [ - "System" + "sec" ], - "description": "", + "description": "Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.\n", "event_ids": [ - "7045" + "5156" ], - "id": "76355548-fa5a-4310-9610-0de4b11f4688", + "id": "b2c34a06-251e-87ee-2d3e-fae878185d34", "level": "medium", - "service": "system", - "subcategory_guids": [], + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0007", + "T1087" + ], + "title": "Uncommon Connection to Active Directory Web Services" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.", + "event_ids": [ + "5156" + ], + "id": "34ba9d0c-a415-a91a-013b-30158906f18c", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.\nThis rule aims 
to detect traffic similar to one seen exploited in CVE-2021-42292.\nThis rule will require an initial baseline and tuning that is specific to your organization.\n", + "event_ids": [ + "5156" + ], + "id": "7c154a7f-01a0-3b2e-927d-32c452139322", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1203" + ], + "title": "Office Application Initiated Network Connection To Non-Local IP" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", + "event_ids": [ + "5156" + ], + "id": "e2d0c6fb-f0de-9cce-076d-f755f6ae4956", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "T1055", + "T1218", + "TA0002", + "TA0005" + ], + "title": "Microsoft Sync Center Suspicious Network Connections" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects programs that connect to uncommon destination ports", + "event_ids": [ + "5156" + ], + "id": "7983db98-5767-b29d-2652-a01fd3e751ad", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], "tags": [ "TA0003", - "T1543.003", - "T1543" + "TA0011", + "T1571" ], - "title": "Possible Metasploit Svc Installed" + "title": "Communication To Uncommon Destination Ports" }, { - "category": "", + "category": "network_connection", "channel": [ - "Microsoft-Windows-WLAN-AutoConfig" + "sec" ], - "description": "Prints connection info to wireless access points.", + "description": "Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.\n", "event_ids": [ - "8001" + "5156" ], - "id": "90dd0797-f481-453d-a97e-dd78436893f9", - "level": "informational", - "service": "", 
- "subcategory_guids": [], - "tags": [], - "title": "Wifi AP Conn" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-Ntfs/Operational" - ], - "description": "A NTFS volume has been successfully mounted. Introduced in Windows 10 / Windows Server 2016 (Build 14393), with more fields logged (including information on the underlying device) starting with Windows 11 / Windows Server 2022 (Build 22000).", - "event_ids": [ - "4" - ], - "id": "af127790-5563-473e-8d3a-43b3509572b1", - "level": "informational", - "service": "ntfs", - "subcategory_guids": [], - "tags": [], - "title": "NTFS volume mounted" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-DriverFrameworks-UserMode/Operational" - ], - "description": "", - "event_ids": [ - "2003" - ], - "id": "b39b18a5-cece-4e7d-a438-827d0b0e8a82", - "level": "informational", - "service": "driver-framework", - "subcategory_guids": [], - "tags": [], - "title": "USB Plugged In" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Powershell Scriptblock Logging. Windows 10+ will flag suspicious PwSh as level 3 (warning) so \nI am filtering out these events as they are being created with the \"Potentially Malicious PwSh\" rule.\n", - "event_ids": [ - "4104" - ], - "id": "0f3b1343-65a5-4879-b512-9d61b0e4e3ba", - "level": "informational", - "service": "powershell", - "subcategory_guids": [], - "tags": [ - "PwSh" - ], - "title": "PwSh Scriptblock" - }, - { - "category": "ps_module", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "Powershell Module Loggong. 
Displays powershell execution", - "event_ids": [ - "4103" - ], - "id": "d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031", - "level": "informational", - "service": "powershell", - "subcategory_guids": [], - "tags": [ - "PwSh" - ], - "title": "PwSh Pipeline Exec" - }, - { - "category": "ps_script", - "channel": [ - "pwsh", - "pwsh" - ], - "description": "On Powershell v5+, Windows will automatically log suspicious powershell execution and mark the Level as Warning.", - "event_ids": [ - "4104" - ], - "id": "73be1519-4648-4ed7-b305-605504afc242", + "id": "510d0486-0545-9178-93cb-5f5a8c75930b", "level": "medium", - "service": "powershell", - "subcategory_guids": [], - "tags": [ - "PwSh" - ], - "title": "Potentially Malicious PwSh" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" - ], - "description": "This event is created when a new local session is created for either a local or remote interactive login when a user successfully authenticates and there is no existing local session.\nThis event will be created when a user logs on for the first time or after a logout but not after just a disconnect because the session will still exist.\nIn that case, a reconnect event will be created.\nThe Local Session Manager is responsible for creating or finding existing local sessions to support interactive logins.\nNote that local sessions are different from logon sessions.\nLocal sessions represent the logon sessions, desktop layout, processes, etc. associated with an interactive logon. 
\nSrcIP will be an IP address if it is a remote session and \"LOCAL\" if it is a local session.\nThis event gives the same information in Remote Connection Manager 1149, Local Session Manager 22 and Security 4648.\n", - "event_ids": [ - "21" - ], - "id": "b107551c-409d-44b8-bb0d-3b007c269881", - "level": "informational", - "service": "terminalservices-localsessionmanager", - "subcategory_guids": [], - "tags": [ - "RDP", - "TA0008" - ], - "title": "RDP Logon" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" - ], - "description": "Event 23 is created when a local session logs off. That happens after a user successfully logs off a local or remote interactive logon session. Not just a disconnect.", - "event_ids": [ - "23" - ], - "id": "e14a729f-f4f8-427b-a238-dfbde9c1614b", - "level": "informational", - "service": "terminalservices-localsessionmanager", - "subcategory_guids": [], - "tags": [ - "RDP", - "TA0008" - ], - "title": "RDP Logoff" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" - ], - "description": "Event 24 is created when a local session disconnects. 
That happens after a user successfully logs off or disconnects a local or remote interactive logon session.\nThis event immediately follows a EID 23 RDP Logoff event.\nThis event has the same information as EID 23 and Security EID 4634.\n", - "event_ids": [ - "24" - ], - "id": "3fc6234f-93a5-4d48-b618-30e2c69c0a86", - "level": "informational", - "service": "terminalservices-localsessionmanager", - "subcategory_guids": [], - "tags": [ - "RDP", - "TA0008" - ], - "title": "RDP Disconnect" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" - ], - "description": "", - "event_ids": [ - "25" - ], - "id": "8fe4a60b-2af3-43d6-95e2-8f13caccc179", - "level": "informational", - "service": "terminalservices-localsessionmanager", - "subcategory_guids": [], - "tags": [ - "RDP", - "TA0008" - ], - "title": "RDP Reconnect" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" - ], - "description": "This event is created when a new local session is created for either a local or remote interactive login.\nOriginal event message: “Shell start notification received”\nThe Local Session Manager is responsible for creating or finding existing local sessions to support interactive logins.\nNote that local sessions are different from logon sessions.\nLocal sessions represent the logon sessions, desktop layout, processes, etc. associated with an interactive logon. 
\nEvent 22 is created when a new local session needs to be created.\nThat happens after a user successfully authenticates for a local or remote interactive logon session and the user does not already have an existing local session.\nThis event follows a Local Session Manager 21 event.\nThis event gives the same information in Remote Connection Manager 1149, Local Session Manager 21 and Security 4648.\n", - "event_ids": [ - "22" - ], - "id": "320e2cb0-a56a-476f-a299-79dc45644fee", - "level": "informational", - "service": "terminalservices-localsessionmanager", - "subcategory_guids": [], - "tags": [ - "RDP", - "TA0008" - ], - "title": "RDP Sess Start (Noisy)" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TaskScheduler/Operational" - ], - "description": "", - "event_ids": [ - "141" - ], - "id": "ff6ada24-c7f0-4ae5-a7a6-f20ddb7b591f", - "level": "informational", - "service": "taskscheduler", - "subcategory_guids": [], - "tags": [ - "Task" - ], - "title": "Task Deleted" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TaskScheduler/Operational" - ], - "description": "", - "event_ids": [ - "106" - ], - "id": "33599dfb-f3e4-4298-8d3f-59407f65f4e7", - "level": "informational", - "service": "taskscheduler", - "subcategory_guids": [], - "tags": [ - "Task" - ], - "title": "Task Created" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TaskScheduler/Operational" - ], - "description": "", - "event_ids": [ - "140" - ], - "id": "aba04101-e439-4e2f-b051-4be561993c31", - "level": "informational", - "service": "taskscheduler", - "subcategory_guids": [], - "tags": [ - "Task" - ], - "title": "Task Updated" - }, - { - "category": "", - "channel": [ - "Microsoft-Windows-TaskScheduler/Operational" - ], - "description": "", - "event_ids": [ - "200" - ], - "id": "d1923809-955b-47c4-b3e5-37c0e461919c", - "level": "informational", - "service": "taskscheduler", - "subcategory_guids": [], - "tags": [ - "Task" - ], - "title": "Task Executed" - }, - { 
- "category": "", - "channel": [ - "Microsoft-Windows-TerminalServices-Gateway/Operational" - ], - "description": "", - "event_ids": [ - "303" - ], - "id": "e5f74909-58a9-45ec-b70d-21c654dca4f3", - "level": "informational", "service": "", - "subcategory_guids": [], - "tags": [ - "RDP", - "TA0008", - "TA0001" + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" ], - "title": "RDS GTW Logoff" + "tags": [ + "TA0005", + "TA0011" + ], + "title": "Suspicious Wordpad Outbound Connections" }, { - "category": "", + "category": "network_connection", "channel": [ - "Microsoft-Windows-TerminalServices-Gateway/Operational" + "sec" ], - "description": "", + "description": "Detects a rundll32 that communicates with public IP addresses", "event_ids": [ - "302" + "5156" ], - "id": "27648a93-cfc0-4903-beb2-9395e784a484", - "level": "informational", + "id": "4a7137e3-d863-49dd-6199-5ca7722de62e", + "level": "medium", "service": "", - "subcategory_guids": [], - "tags": [ - "RDP", - "TA0008", - "TA0001" + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" ], - "title": "RDS GTW Logon" + "tags": [ + "TA0005", + "T1218.011", + "TA0002", + "T1218" + ], + "title": "Rundll32 Internet Connection" }, { - "category": "", + "category": "network_connection", "channel": [ - "Microsoft-Windows-TerminalServices-Gateway/Operational" + "sec" ], - "description": "", + "description": "Detects \"RegAsm.exe\" initiating a network connection to public IP adresses", "event_ids": [ - "302" + "5156" ], - "id": "24a04758-729d-4c43-9bd5-cccd31db80d0", - "level": "low", + "id": "a0e133b9-f055-5011-01e6-75ed480ad2da", + "level": "medium", "service": "", - "subcategory_guids": [], + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], "tags": [ - "RDP", + "TA0005", + "T1218.009", + "T1218" + ], + "title": "RegAsm.EXE Initiating Network Connection To Public IP" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects a 
\"winlogon.exe\" process that initiate network communications with public IP addresses", + "event_ids": [ + "5156" + ], + "id": "3c6c2271-decf-a5c0-b983-edaa9cf7077d", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "TA0011", + "T1218.011", + "T1218" + ], + "title": "Outbound Network Connection To Public IP Via Winlogon" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects network connections from the Equation Editor process \"eqnedt32.exe\".", + "event_ids": [ + "5156" + ], + "id": "141fe5f1-4de3-21fd-1b09-8d53f1019340", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1203" + ], + "title": "Network Connection Initiated By Eqnedt32.EXE" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", + "event_ids": [ + "5156" + ], + "id": "5049ed9f-e700-a499-9498-5e648851d2ad", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1572", "TA0008", - "TA0001" + "T1021.001", + "car.2013-07-002", + "T1021" ], - "title": "RDS GTW Logon Error" + "title": "RDP to HTTP or HTTPS Target Ports" }, { - "category": "", + "category": "network_connection", "channel": [ - "Microsoft-Windows-DNS-Server/Analytical" + "sec" ], - "description": "", + "description": "Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases\n", "event_ids": [ - "260" + "5156" ], - "id": "cd6eb342-9dcd-450d-b448-bebd97cb6e89", - "level": "informational", - "service": "dns-server-analytic", - "subcategory_guids": [], - "tags": [], - "title": "Recursive DNS Request" + "id": 
"7ac85830-5907-5206-2d25-490b3ace5587", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0011", + "T1571" + ], + "title": "Potentially Suspicious Malware Callback Communication" }, { - "category": "", + "category": "network_connection", "channel": [ - "Microsoft-Windows-DNS-Server/Analytical" + "sec" ], - "description": "", + "description": "Detects a network connection initiated by the certutil.exe utility.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", "event_ids": [ - "261" + "5156" ], - "id": "6db38b96-3772-4cbf-a8ad-c65d8ac5134e", - "level": "informational", - "service": "dns-server-analytic", - "subcategory_guids": [], - "tags": [], - "title": "Recursive DNS Response" + "id": "bc5e54c2-1b8d-cb27-3079-f47318f4ccc7", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105" + ], + "title": "Uncommon Network Connection Initiated By Certutil.EXE" }, { - "category": "", + "category": "network_connection", "channel": [ - "OAlerts" + "sec" ], - "description": "Displays the dialog box message that popped up in Office Activated App for the user.", + "description": "Detects incoming connections to AnyDesk. 
This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.\n", "event_ids": [ - "300" + "5156" ], - "id": "8cab5688-ca77-483d-a295-56dd6c1db944", - "level": "informational", - "service": "security", - "subcategory_guids": [], - "tags": [], - "title": "Office App PopUp" + "id": "5a099129-36a4-b13b-5345-9f37b231fb5c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0011", + "T1219.002", + "T1219" + ], + "title": "Remote Access Tool - AnyDesk Incoming Connection" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.", + "event_ids": [ + "5156" + ], + "id": "8cf1b63a-f161-0e51-a9d2-cc697d06a5a4", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0011" + ], + "title": "Office Application Initiated Network Connection Over Uncommon Ports" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects a network connection initiated by the Add-In deployment cache updating utility \"AddInutil.exe\".\nThis could indicate a potential command and control communication as this tool doesn't usually initiate network activity.\n", + "event_ids": [ + "5156" + ], + "id": "8d993d6b-e44b-0df0-91c0-6093975b69f8", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "Network Connection Initiated By AddinUtil.EXE" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects a network connection initiated by \"Regsvr32.exe\"", + "event_ids": [ + "5156" + ], + "id": 
"6814d247-c70b-e49e-6553-149fc21c3a81", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1559.001", + "TA0005", + "T1218.010", + "T1218", + "T1559" + ], + "title": "Network Connection Initiated By Regsvr32.EXE" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects a network connection that is initiated by the \"notepad.exe\" process.\nThis might be a sign of process injection from a beacon process or something similar.\nNotepad rarely initiates a network communication except when printing documents for example.\n", + "event_ids": [ + "5156" + ], + "id": "e6f76f81-e758-4001-122c-58a3ceef02f9", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "TA0002", + "TA0005", + "T1055" + ], + "title": "Network Connection Initiated Via Notepad.EXE" + }, + { + "category": "network_connection", + "channel": [ + "sec" + ], + "description": "Detects a network connection initiated by Cmstp.EXE\nIts uncommon for \"cmstp.exe\" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.\n", + "event_ids": [ + "5156" + ], + "id": "41d54b25-deb6-4ea3-fbac-3f5b6e200939", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218.003", + "T1218" + ], + "title": "Outbound Network Connection Initiated By Cmstp.EXE" } ] \ No newline at end of file