Update v8.7.1

edit

This section lists all updates associated with version 8.7.1 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

My First Rule

This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat activity.

new

1

Suspicious Inter-Process Communication via Outlook

Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.

new

1

PowerShell Suspicious Script with Clipboard Retrieval Capabilities

Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.

new

1

PowerShell Mailbox Collection Script

Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.

new

1

Potential Exfiltration via Certreq

Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to exfiltrate data to a remote URL.

new

1

Ingress Transfer via Windows BITS

Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.

new

1

FirstTime Seen Account Performing DCSync

This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.

new

1

PowerShell Invoke-NinjaCopy script

Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.

new

1

Suspicious Lsass Process Access

Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.

new

1

Suspicious Antimalware Scan Interface DLL

Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.

new

1

Potential Antimalware Scan Interface Bypass via PowerShell

Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.

new

1

Code Signing Policy Modification Through Built-in tools

Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.

new

1

Code Signing Policy Modification Through Registry

Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.

new

1

PowerShell Script with Encryption/Decryption Capabilities

Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.

new

1

File Creation Time Changed

Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.

new

1

Unsigned DLL Side-Loading from a Suspicious Folder

Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.

new

1

Untrusted Driver Loaded

Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.

new

1

Suspicious Execution via Windows Subsystem for Linux

Detects Linux Bash commands from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.

new

1

Execution via Windows Subsystem for Linux

Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.

new

1

Windows Subsystem for Linux Enabled via Dism Utility

Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.

new

1

Host Files System Changes via Windows Subsystem for Linux

Detects files creation and modification on the host system from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.

new

1

Attempt to Install Kali Linux via WSL

Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.

new

1

Windows Subsystem for Linux Distribution Installed

Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.

new

1

Enumerating Domain Trusts via DSQUERY.EXE

Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.

new

1

Group Policy Discovery via Microsoft GPResult Utility

Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.

new

1

System Service Discovery through built-in Windows Utilities

Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.

new

1

Potential PowerShell HackTool Script by Function Names

Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.

new

1

First Time Seen Driver Loaded

Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.

new

1

Unsigned DLL Loaded by Svchost

Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.

new

1

SSH Authorized Keys File Modification

The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).

update

102

Possible Consent Grant Attack via Azure-Registered Application

Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.

update

105

Potential DNS Tunneling via Iodine

Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.

update

102

Potential Protocol Tunneling via EarthWorm

Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.

update

102

Potential SSH Password Guessing

Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.

update

3

Sensitive Files Compression

Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.

update

102

Potential Linux SSH Brute Force Detected

Identifies multiple consecutive login failures targeting an user account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.

update

3

Potential SSH Brute Force Detected on Privileged Account

Identifies multiple consecutive login failures targeting a root user account from the same source address and within a short time interval. Adversaries will often brute force login attempts on privileged accounts with a common or known password, in an attempt to gain privileged access to systems.

update

3

Potential OpenSSH Backdoor Logging Activity

Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.

update

102

Attempt to Disable Syslog Service

Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.

update

102

Base16 or Base32 Encoding/Decoding Activity

Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.

update

102

File made Immutable by Chattr

Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file’s metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).

update

102

Potential Disabling of SELinux

Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.

update

102

File Deletion via Shred

Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.

update

102

Creation of Hidden Shared Object File

Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.

update

102

Kernel Module Removal

Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.

update

102

System Log File Deletion

Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.

update

103

Enumeration of Kernel Modules

Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.

update

102

Hping Process Activity

Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.

update

102

Nping Process Activity

Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.

update

102

Virtual Machine Fingerprinting

An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.

update

102

Abnormal Process ID or Lock File Created

Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.

update

104

File Transfer or Listener Established via Netcat

A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.

update

104

Interactive Terminal Spawned via Perl

Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.

update

102

Process Started from Process ID (PID) File

Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.

update

103

Binary Executed from Shared Memory Directory

Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.

update

103

Interactive Terminal Spawned via Python

Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.

update

102

Reverse Shell Created via Named Pipe

Identifies a reverse shell via the abuse of named pipes on Linux with the help of OpenSSL or Netcat. First in, first out (FIFO) files are special files for reading and writing to by Linux processes. For this to work, a named pipe is created and passed to a Linux shell where the use of a network connection tool such as Netcat or OpenSSL has been established. The stdout and stderr are captured in the named pipe from the network connection and passed back to the shell for execution.

update

3

Linux Restricted Shell Breakout via Linux Binary(s)

Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.

update

102

BPF filter applied using TC

Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.

update

102

High Number of Process Terminations

This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.

update

104

Chkconfig Service Add

Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.

update

102

Modification of OpenSSH Binaries

Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.

update

102

Suspicious File Creation in /etc for Persistence

Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.

update

103

Kernel module load via insmod

Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.

update

102

Persistence via KDE AutoStart Script or Desktop File Modification

Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.

update

102

Potential Shell via Web Server

Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.

update

104

Modification of Dynamic Linker Preload Shared Object

Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.

update

102

Potential Privilege Escalation via PKEXEC

Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.

update

102

Namespace Manipulation Using Unshare

Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.

update

3

Spike in Failed Logon Events

A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.

update

101

Spike in Successful Logon Events from a Source IP

A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.

update

101

Unusual Hour for a User to Logon

A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.

update

101

Rare User Logon

A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.

update

101

Unusual Windows Username

A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.

update

101

Spike in Network Traffic To a Country

A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country that does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.

update

101

Anomalous Process For a Linux Population

Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.

update

101

Unusual Process For a Linux Host

Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.

update

101

Unusual Process For a Windows Host

Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.

update

103

Unusual Windows Path Activity

Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.

update

101

Anomalous Process For a Windows Population

Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.

update

101

Anomalous Windows Process Creation

Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.

update

101

Encrypting Files with WinRar or 7z

Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.

update

104

Privileged Account Brute Force

Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.

update

3

Multiple Logon Failure Followed by Logon Success

Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.

update

3

Multiple Logon Failure from the same Source Address

Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.

update

3

Potential Credential Access via Windows Utilities

Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.

update

104

Potential Credential Access via DCSync

This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.

update

104

Kerberos Pre-authentication Disabled for User

Identifies the modification of an account’s Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.

update

104

Access to a Sensitive LDAP Attribute

Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.

update

3

LSASS Memory Dump Handle Access

Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.

update

104

Potential Remote Credential Access via Registry

Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.

update

104

Multiple Vault Web Credentials Read

Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.

update

4

Sensitive Privilege SeEnableDelegationPrivilege assigned to a User

Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.

update

104

Potential Shadow Credentials added to AD Object

Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.

update

103

User account exposed to Kerberoasting

Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.

update

104

Suspicious Remote Registry Access via SeBackupPrivilege

Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.

update

104

Clearing Windows Event Logs

Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.

update

104

Windows Event Logs Cleared

Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.

update

104

Disable Windows Event and Security Logs Using Built-in Tools

Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.

update

104

Potential DLL Side-Loading via Microsoft Antimalware Service Executable

Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.

update

103

Unusual Network Activity from a Windows System Binary

Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.

update

103

Unusual File Creation - Alternate Data Stream

Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.

update

104

Unusual Network Connection via RunDLL32

Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.

update

104

Enumeration of Administrator Accounts

Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.

update

104

PowerShell Suspicious Discovery Related Windows API Functions

This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.

update

105

Enumeration of Privileged Local Groups Membership

Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.

update

104

Remote System Discovery Commands

Discovery of remote system information using built-in commands, which may be used to move laterally.

update

104

Whoami Process Activity

Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.

update

104

Command Shell Activity Started via RunDLL32

Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.

update

103

Execution from Unusual Directory - Command Line

Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.

update

104

Volume Shadow Copy Deleted or Resized via VssAdmin

Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.

update

104

Windows Script Interpreter Executing Process via WMI

Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.

update

103

Suspicious MS Office Child Process

Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.

update

104

Unusual File Modification by dns.exe

Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.

update

103

Potential Remote Desktop Shadowing Activity

Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.

update

102

Incoming Execution via WinRM Remote Shell

Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.

update

102

Incoming Execution via PowerShell Remoting

Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.

update

102

Remote Windows Service Installed

Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators."

update

3

Remote Logon followed by Scheduled Task Creation

Identifies a remote logon followed by a scheduled task creation on the target host. This could be indicative of adversary lateral movement.

update

3

Service Control Spawned via Script Interpreter

Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.

update

102

AdminSDHolder Backdoor

Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain’s AdminSDHolder object, regaining their Administrative Privileges.

update

102

Account Configured with Never-Expiring Password

Detects the creation and modification of an account with the "Don’t Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.

update

104

KRBTGT Delegation Backdoor

Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.

update

102

Account Password Reset Remotely

Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.

update

103

A scheduled task was created

Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.

update

4

A scheduled task was updated

Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.

update

4

AdminSDHolder SDProp Exclusion Added

Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain’s AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.

update

104

Suspicious service was installed in the system

Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.

update

3

Temporarily Scheduled Task Creation

Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.

update

3

User Added to Privileged Group

Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.

update

104

Process Creation via Secondary Logon

Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.

update

4

Modification of the msPKIAccountCredentials

Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.

update

3

Startup/Logon Script added to Group Policy Object

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

update

104

Group Policy Abuse for Privilege Addition

Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.

update

104

Scheduled Task Execution at Scale via GPO

Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.

update

104

Service Creation via Local Kerberos Authentication

Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.

update

102

Potential Privileged Escalation via SamAccountName Spoofing

Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.

update

102

Remote Computer Account DnsHostName Update

Identifies the remote update to a computer account’s DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it’s highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.

update

103

Windows Service Installed via an Unusual Client

Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.

update

102

Web Application Suspicious Activity: No User Agent

A request to a web application server contained no identifying user agent string.

deprecated

101