Uploaded by

Abdul Rahman ..

Alert Rules

Plugins V 5.4.3 (latest)

May 11, 2023


CONTENTS

1 Alert Rules 1
1.1 Required Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2 MITRE ATT&CK Analytics 3

2.1 LP_Suspicious Named Pipe Connection to Azure AD Connect Database . 3
2.2 LP_Suspicious Driver Loaded . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.3 LP_AADInternals PowerShell Cmdlet Execution . . . . . . . . . . . . . . . 4
2.4 LP_Suspicious Scheduled Task Creation via Masqueraded XML File . . . . 4
2.5 LP_Suspicious Microsoft Equation Editor Child Process . . . . . . . . . . 5
2.6 LP_Windows Error Process Masquerading . . . . . . . . . . . . . . . . . . 5
2.7 LP_Bypass UAC via CMSTP Detected . . . . . . . . . . . . . . . . . . . . . 6
2.8 LP_Application Whitelisting Bypass via Dxcap Detected . . . . . . . . . . 6
2.9 LP_Suspicious WMIC XSL Script Execution . . . . . . . . . . . . . . . . . . 7
2.10 LP_Suspicious File Execution via MSHTA . . . . . . . . . . . . . . . . . . . 7
2.11 LP_Regsvr32 Anomalous Activity Detected . . . . . . . . . . . . . . . . . 8
2.12 LP_Remote File Execution via MSIEXEC . . . . . . . . . . . . . . . . . . . 8
2.13 LP_Execution of Trojanized 3CX Application . . . . . . . . . . . . . . . . . 9
2.14 LP_Msbuild Spawned by Unusual Parent Process . . . . . . . . . . . . . . 9
2.15 LP_Suspicious Files Designated as System Files Detected . . . . . . . . . 9
2.16 LP_UAC Bypass Attempt via Windows Directory Masquerading . . . . . . 10
2.17 LP_Bypass User Account Control using Registry . . . . . . . . . . . . . . . 11
2.18 LP_LSASS Process Access by Mimikatz . . . . . . . . . . . . . . . . . . . . 11
2.19 LP_UAC Bypass via Sdclt Detected . . . . . . . . . . . . . . . . . . . . . . 12
2.20 LP_Unsigned Image Loaded Into LSASS Process . . . . . . . . . . . . . . 12
2.21 LP_Usage of Sysinternals Tools Detected . . . . . . . . . . . . . . . . . . . 12
2.22 LP_Microsoft SharePoint Remote Code Execution Detected . . . . . . . . 13
2.23 LP_DenyAllWAF SQL Injection Attack . . . . . . . . . . . . . . . . . . . . 13
2.24 LP_Mitre - Initial Access - Valid Account - Unauthorized IP Access . . . . . 14
2.25 LP_Windows CryptoAPI Spoofing Vulnerability Detected . . . . . . . . . 14
2.26 LP_Malicious use of Scriptrunner Detected . . . . . . . . . . . . . . . . . 15
2.27 LP_Suspicious process related to Rundll32 Detected . . . . . . . . . . . . 15
2.28 LP_Javascript conversion to executable Detected . . . . . . . . . . . . . . 16
2.29 LP_Suspicious Execution of Gpscript Detected . . . . . . . . . . . . . . . 16

2.30 LP_Proxy Execution via Desktop Setting Control Panel . . . . . . . . . . . 16
2.31 LP_ScreenSaver Registry Key Set Detected . . . . . . . . . . . . . . . . . 17
2.32 LP_Xwizard DLL Side Loading Detected . . . . . . . . . . . . . . . . . . . 17
2.33 LP_DLL Side Loading Via Microsoft Defender . . . . . . . . . . . . . . . . 18
2.34 LP_ZIP File Creation or Extraction via Printer Migration CLI Tool . . . . . 18
2.35 LP_Credentials Capture via Rpcping Detected . . . . . . . . . . . . . . . . 19
2.36 LP_Suspicious ConfigSecurityPolicy Execution Detected . . . . . . . . . . 19
2.37 LP_C-Sharp Code Compilation Using Ilasm Detected . . . . . . . . . . . . 19
2.38 LP_Process Dump via Resource Leak Diagnostic Tool . . . . . . . . . . . . 20
2.39 LP_Suspicious DLL execution via Register-Cimprovider . . . . . . . . . . . 20
2.40 Accessibility features - Process . . . . . . . . . . . . . . . . . . . . . . . . 21
2.41 LP_Accessibility Features-Registry . . . . . . . . . . . . . . . . . . . . . . 21
2.42 LP_Account Discovery Detected . . . . . . . . . . . . . . . . . . . . . . . 22
2.43 LP_Active Directory DLLs Loaded By Office Applications . . . . . . . . . . 22
2.44 LP_DCSync detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.45 LP_Active Directory Replication User Backdoor . . . . . . . . . . . . . . . 23
2.46 LP_Active Directory Schema Change Detected . . . . . . . . . . . . . . . 24
2.47 LP_Activity Related to NTDS Domain Hash Retrieval . . . . . . . . . . . . 24
2.48 LP_AD Object WriteDAC Access Detected . . . . . . . . . . . . . . . . . 25
2.49 LP_AD Privileged Users or Groups Reconnaissance Detected . . . . . . . 25
2.50 LP_Addition of SID History to Active Directory Object . . . . . . . . . . . 26
2.51 LP_Admin User Remote Logon Detected . . . . . . . . . . . . . . . . . . . 26
2.52 LP_Adobe Flash Use-After-Free Vulnerability Detected . . . . . . . . . . . 26
2.53 LP_Adwind RAT JRAT Detected . . . . . . . . . . . . . . . . . . . . . . . . 27
2.54 LP_Antivirus Exploitation Framework Detection . . . . . . . . . . . . . . . 27
2.55 LP_Antivirus Password Dumper Detected . . . . . . . . . . . . . . . . . . 28
2.56 LP_Antivirus Web Shell Detected . . . . . . . . . . . . . . . . . . . . . . . 28
2.57 LP_Apache Struts 2 Remote Code Execution Detected . . . . . . . . . . . 29
2.58 LP_AppCert DLLs Detected . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.59 LP_Application Shimming - File Access Detected . . . . . . . . . . . . . . 29
2.60 LP_Application Whitelisting Bypass via Bginfo Detected . . . . . . . . . . 30
2.61 LP_Application Whitelisting Bypass via DLL Loaded by odbcconf Detected 30
2.62 LP_Application Whitelisting Bypass via Dnx Detected . . . . . . . . . . . 31
2.63 LP_Audio Capture Detected . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.64 LP_Authentication Package Detected . . . . . . . . . . . . . . . . . . . . . 32
2.65 LP_Autorun Keys Modification Detected . . . . . . . . . . . . . . . . . . . 32
2.66 LP_Batch Scripting Detected . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.67 LP_BITS Jobs - Network Detected . . . . . . . . . . . . . . . . . . . . . . 33
2.68 LP_BITS Jobs - Process Detected . . . . . . . . . . . . . . . . . . . . . . . 34
2.69 LP_Bloodhound and Sharphound Hack Tool Detected . . . . . . . . . . . 34
2.70 LP_BlueMashroom DLL Load Detected . . . . . . . . . . . . . . . . . . . . 34
2.71 LP_Browser Bookmark Discovery . . . . . . . . . . . . . . . . . . . . . . . 35
2.72 LP_CACTUSTORCH Remote Thread Creation Detected . . . . . . . . . . 35
2.73 LP_Call to a Privileged Service Failed . . . . . . . . . . . . . . . . . . . . . 36
2.74 LP_Capture a Network Trace with netsh . . . . . . . . . . . . . . . . . . . 36
2.75 LP_CEO Fraud - Possible Fraudulent Email Behavior . . . . . . . . . . . . 37
2.76 LP_Certutil Encode Detected . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.77 LP_Chafer Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.78 LP_Change of Default File Association Detected . . . . . . . . . . . . . . 38
2.79 LP_Citrix ADC VPN Directory Traversal Detected . . . . . . . . . . . . . . 39
2.80 LP_Clear Command History . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.81 LP_Clearing of PowerShell Logs Detected . . . . . . . . . . . . . . . . . . 39
2.82 LP_Clipboard Data Access Detected . . . . . . . . . . . . . . . . . . . . . 40
2.83 LP_Clop Ransomware Emails Sent to Attacker . . . . . . . . . . . . . . . . 40
2.84 LP_Clop Ransomware Infected Host Detected . . . . . . . . . . . . . . . . 41
2.85 LP_Cmdkey Cached Credentials Recon Detected . . . . . . . . . . . . . . 41
2.86 LP_CMSTP Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.87 LP_CMSTP Execution Detected . . . . . . . . . . . . . . . . . . . . . . . . 42
2.88 LP_CMSTP UAC Bypass via COM Object Access . . . . . . . . . . . . . . 42
2.89 LP_CobaltStrike Process Injection Detected . . . . . . . . . . . . . . . . . 43
2.90 LP_Windows Command Line Execution with Suspicious URL and AppData Strings . . . 43
2.91 LP_Compiled HTML File Detected . . . . . . . . . . . . . . . . . . . . . . 44
2.92 LP_Component Object Model Hijacking Detected . . . . . . . . . . . . . 44
2.93 LP_Connection to Hidden Cobra Source . . . . . . . . . . . . . . . . . . . 45
2.94 LP_Console History Discovery Detected . . . . . . . . . . . . . . . . . . . 45
2.95 LP_Control Panel Items - Process Detected . . . . . . . . . . . . . . . . . 45
2.96 LP_Control Panel Items - Registry Detected . . . . . . . . . . . . . . . . . 46
2.97 LP_Control Panel Items Detected . . . . . . . . . . . . . . . . . . . . . . . 46
2.98 LP_Copy from Admin Share Detected . . . . . . . . . . . . . . . . . . . . 47
2.99 LP_Copying Sensitive Files with Credential Data . . . . . . . . . . . . . . 47
2.100LP_Copyright Violation Email . . . . . . . . . . . . . . . . . . . . . . . . . 48
2.101LP_CrackMapExecWin Detected . . . . . . . . . . . . . . . . . . . . . . . 48
2.102LP_CreateMiniDump Hacktool Detected . . . . . . . . . . . . . . . . . . . 48
2.103LP_CreateRemoteThread API and LoadLibrary . . . . . . . . . . . . . . . 49
2.104LP_Command Obfuscation in Command Prompt . . . . . . . . . . . . . . 49
2.105LP_Command Obfuscation via Character Insertion . . . . . . . . . . . . . 50
2.106LP_Command Obfuscation via Environment Variable Concatenation
Reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2.107LP_Credential Access via Input Prompt Detected . . . . . . . . . . . . . . 50
2.108LP_Credential Dump Tools Dropped Files Detected . . . . . . . . . . . . 51
2.109LP_Credential Dumping - Process Creation . . . . . . . . . . . . . . . . . 51
2.110LP_Credential Dumping - Process Access . . . . . . . . . . . . . . . . . . 52
2.111LP_Credential Dumping - Registry Save . . . . . . . . . . . . . . . . . . . 52
2.112LP_Credential Dumping with ImageLoad Detected . . . . . . . . . . . . . 53
2.113LP_Credentials Access in Files Detected . . . . . . . . . . . . . . . . . . . 53
2.114LP_Credentials in Registry Detected . . . . . . . . . . . . . . . . . . . . . 54
2.115LP_Curl Start Combination Detected . . . . . . . . . . . . . . . . . . . . . 54
2.116LP_CVE-2019-0708 RDP RCE Vulnerability Detected . . . . . . . . . . . . 55
2.117LP_Data Compression Detected in Windows . . . . . . . . . . . . . . . . 55

iii
2.118LP_Data Staging Process Detected in Windows . . . . . . . . . . . . . . . 55
2.119LP_Default Accepted Traffic From Bad IP . . . . . . . . . . . . . . . . . . . 56
2.120LP_Default Account Created but Password Not Changed . . . . . . . . . 56
2.121LP_Default Account privilege elevation followed by restoration of
previous account state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
2.122LP_Default Audit Policy Changed . . . . . . . . . . . . . . . . . . . . . . . 57
2.123LP_Default Blocked Inbound Traffic followed by Allowed Event . . . . . . 58
2.124LP_Default Blocked Outbound Traffic followed by Allowed Event . . . . . 58
2.125LP_Default Brute Force Attack Attempt - Multiple Unique Sources . . . . 59
2.126LP_Default Brute Force Attack Attempt - Multiple Unique Users . . . . . 59
2.127LP_Default Brute Force Attack Successful . . . . . . . . . . . . . . . . . . 60
2.128LP_Default Connection Attempts on Closed Port . . . . . . . . . . . . . . 60
2.129LP_Default CPU Usage Status . . . . . . . . . . . . . . . . . . . . . . . . . 61
2.130LP_Default Device Stopped Sending Logs for Half an Hour . . . . . . . . 61
2.131LP_Default DNS Tunneling Detection - Data Transfer Size . . . . . . . . . 61
2.132LP_Default DNS Tunneling Detection - Multiple domains . . . . . . . . . . 62
2.133LP_Default DNS Tunneling Detection - Multiple Subdomains . . . . . . . 62
2.134LP_Default DNS Tunneling Detection - Query Size . . . . . . . . . . . . . 63
2.135LP_Default Excessive Authentication Failures . . . . . . . . . . . . . . . . 63
2.136LP_Default Excessive Blocked Connections . . . . . . . . . . . . . . . . . 64
2.137LP_Default Excessive HTTP Errors . . . . . . . . . . . . . . . . . . . . . . . 64
2.138LP_Default File Association Changed . . . . . . . . . . . . . . . . . . . . . 64
2.139LP_Default Guest Account Added to Administrative Group . . . . . . . . 65
2.140LP_Default High Unique DNS Traffic . . . . . . . . . . . . . . . . . . . . . 65
2.141LP_Default High Unique SMTP Traffic . . . . . . . . . . . . . . . . . . . . . 66
2.142LP_Default High Unique Web-Server traffic . . . . . . . . . . . . . . . . . 66
2.143LP_Default Inbound Connection with Non-Whitelist Country . . . . . . . 67
2.144LP_Default Inbound Queries Denied by Firewalls . . . . . . . . . . . . . . 67
2.145LP_Default Inbound RDP Connection . . . . . . . . . . . . . . . . . . . . . 67
2.146LP_Default Inbound SMB Connection . . . . . . . . . . . . . . . . . . . . . 68
2.147LP_Default Inbound SMTP Connection . . . . . . . . . . . . . . . . . . . . 68
2.148LP_Default Inbound SSH Connection . . . . . . . . . . . . . . . . . . . . . 69
2.149LP_Default Internal Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
2.150LP_Default Internal Virus Worm Outburst . . . . . . . . . . . . . . . . . . 70
2.151LP_Default IRC connection . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
2.152LP_Default Malware Detected . . . . . . . . . . . . . . . . . . . . . . . . . 70
2.153LP_Default Malware Detected in Various Machines . . . . . . . . . . . . . 71
2.154LP_Default Malware not Cleaned . . . . . . . . . . . . . . . . . . . . . . . 71
2.155LP_Default Malware Removed . . . . . . . . . . . . . . . . . . . . . . . . . 72
2.156LP_Default Memory Usage Status . . . . . . . . . . . . . . . . . . . . . . . 72
2.157LP_Default Network Configuration Change on Network Device . . . . . . 72
2.158LP_Default Outbound Connection with Non-Whitelist Country . . . . . . 73
2.159LP_Default Outbound Traffic from Unusual Source . . . . . . . . . . . . . 73
2.160LP_Default Port Scan Detected . . . . . . . . . . . . . . . . . . . . . . . . 74
2.161LP_Default Possible Cross Site Scripting Attack Detected . . . . . . . . . 74

iv
2.162LP_Default Possible Network Performance Degradation Detected . . . . 75
2.163LP_Default Possible Non-PCI Compliant Inbound Network Traffic Detected 75
2.164LP_Default Possible Spamming Zombie . . . . . . . . . . . . . . . . . . . 76
2.165LP_Default Possible SQL Injection Attack . . . . . . . . . . . . . . . . . . 76
2.166LP_Default Possible System Instability State Detected . . . . . . . . . . . 76
2.167LP_Default PowerSploit and Empire Schtasks Persistence . . . . . . . . . 77
2.168LP_Default Successful Login outside Normal Hour . . . . . . . . . . . . . 77
2.169LP_Default Successful Login Using a Default Account . . . . . . . . . . . . 78
2.170LP_Default Suspicious DNS Queries with Higher Data Size . . . . . . . . . 78
2.171LP_Default System Time Change . . . . . . . . . . . . . . . . . . . . . . . 79
2.172LP_Default TCP Port Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
2.173LP_Default TCP Probable SynFlood Attack . . . . . . . . . . . . . . . . . . 80
2.174LP_Default UDP Port Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.175LP_Default Unapproved Port Activity Detected . . . . . . . . . . . . . . . 80
2.176LP_Default Unusual Number of Failed Vendor User Login . . . . . . . . . 81
2.177LP_Detection of PowerShell Execution via DLL . . . . . . . . . . . . . . . 81
2.178LP_Devtoolslauncher Executes Specified Binary . . . . . . . . . . . . . . . 82
2.179LP_DHCP Callout DLL Installation Detected . . . . . . . . . . . . . . . . . 82
2.180LP_DHCP Server Error Failed Loading the CallOut DLL . . . . . . . . . . . 83
2.181LP_DHCP Server Loaded the CallOut DLL . . . . . . . . . . . . . . . . . . 83
2.182LP_Direct Autorun Keys Modification Detected . . . . . . . . . . . . . . . 84
2.183LP_Disable of ETW Trace Detected . . . . . . . . . . . . . . . . . . . . . . 84
2.184LP_MiniNt Registry Key Addition . . . . . . . . . . . . . . . . . . . . . . . 85
2.185LP_Discovery of a System Time Detected . . . . . . . . . . . . . . . . . . 85
2.186LP_Discovery using Bloodhound Detected . . . . . . . . . . . . . . . . . . 86
2.187LP_Discovery via File and Directory Discovery Using Command Prompt . 86
2.188LP_Discovery via Discovery via PowerSploit Recon Module Detected . . 87
2.189LP_DLL Load via LSASS Detected . . . . . . . . . . . . . . . . . . . . . . . 87
2.190LP_DNS Exfiltration Tools Execution Detected . . . . . . . . . . . . . . . 88
2.191LP_DNS Server Error Failed Loading the ServerLevelPluginDLL . . . . . . 88
2.192LP_DNS ServerLevelPluginDll Install . . . . . . . . . . . . . . . . . . . . . 88
2.193LP_Domain Trust Discovery Detected . . . . . . . . . . . . . . . . . . . . . 89
2.194LP_DoppelPaymer Ransomware Connection to Malicious Domains . . . . 89
2.195LP_DoppelPaymer Ransomware Exploitable Vulnerabilities Detected . . 90
2.196LP_DoppelPaymer Ransomware Infected Host Detected . . . . . . . . . . 90
2.197LP_dotNET DLL Loaded Via Office Applications . . . . . . . . . . . . . . . 91
2.198LP_DPAPI Domain Backup Key Extraction Detected . . . . . . . . . . . . 91
2.199LP_DPAPI Domain Master Key Backup Attempt . . . . . . . . . . . . . . . 92
2.200LP_DragonFly - File Upload with Trojan Karagany . . . . . . . . . . . . . . 92
2.201LP_DragonFly - Malicious File Creation . . . . . . . . . . . . . . . . . . . . 92
2.202LP_DragonFly - Watering Hole Sources . . . . . . . . . . . . . . . . . . . . 93
2.203LP_Dridex Process Pattern Detected . . . . . . . . . . . . . . . . . . . . . 93
2.204LP_Droppers Exploiting CVE-2017-11882 Detected . . . . . . . . . . . . 94
2.205LP_Drupal Arbitrary Code Execution Detected . . . . . . . . . . . . . . . 94
2.206LP_DTRACK Process Creation Detected . . . . . . . . . . . . . . . . . . . 94

v
2.207LP_Elevated Command Prompt Activity by Non-Admin User Detected . . 95
2.208LP_Elise Backdoor Detected . . . . . . . . . . . . . . . . . . . . . . . . . . 95
2.209LP_EMC Possible Ransomware Detection . . . . . . . . . . . . . . . . . . 96
2.210LP_Emissary Panda Malware SLLauncher Detected . . . . . . . . . . . . . 96
2.211LP_Emotet Process Creation Detected . . . . . . . . . . . . . . . . . . . . 96
2.212LP_Empire PowerShell Launch Parameters . . . . . . . . . . . . . . . . . . 97
2.213LP_Empire PowerShell UAC Bypass Detected . . . . . . . . . . . . . . . . 97
2.214LP_Enabled User Right in AD to Control User Objects . . . . . . . . . . . 98
2.215LP_Encoded FromBase64String Detected . . . . . . . . . . . . . . . . . . 98
2.216LP_Encoded IEX Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
2.217LP_Encoded PowerShell Command Detected . . . . . . . . . . . . . . . . 99
2.218LP_Endpoint Protect Multiple Failed Login Attempt . . . . . . . . . . . . 100
2.219LP_Equation Group DLL_U Load Detected . . . . . . . . . . . . . . . . . . 100
2.220LP_Eventlog Cleared Detected . . . . . . . . . . . . . . . . . . . . . . . . 101
2.221LP_ExchangeMT Possible Data Theft - Email with Attachment Outside
Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
2.222LP_ExchangeMT Unusual Outbound Email . . . . . . . . . . . . . . . . . . 102
2.223LP_Executables Stored in OneDrive . . . . . . . . . . . . . . . . . . . . . . 102
2.224LP_Execution in Non-Executable Folder Detected . . . . . . . . . . . . . 102
2.225LP_Execution in Outlook Temp Folder Detected . . . . . . . . . . . . . . 103
2.226LP_Execution in Webserver Root Folder Detected . . . . . . . . . . . . . 103
2.227LP_Execution of Renamed PaExec Detected . . . . . . . . . . . . . . . . . 104
2.228LP_Execution via Control Panel Items . . . . . . . . . . . . . . . . . . . . . 104
2.229LP_Execution via HTA using IE JavaScript Engine Detected . . . . . . . . 105
2.230LP_Execution via Squiblydoo Technique Detected . . . . . . . . . . . . . 105
2.231LP_Execution via Windows Scripting Host Component Detected . . . . . 106
2.232LP_Exfiltration and Tunneling Tools Execution . . . . . . . . . . . . . . . . 106
2.233LP_Exim MTA Remote Code Execution Vulnerability Detected . . . . . . 107
2.234LP_Exim Remote Command Execution Detected . . . . . . . . . . . . . . 107
2.235LP_Existing Service Modification Detected . . . . . . . . . . . . . . . . . . 107
2.236LP_Exploit for CVE-2017-0261 Detected . . . . . . . . . . . . . . . . . . . 108
2.237LP_Exploit for CVE-2017-8759 Detected . . . . . . . . . . . . . . . . . . . 108
2.238LP_Exploiting SetupComplete CVE-2019-1378 Detected . . . . . . . . . . 109
2.239LP_External Disk Drive or USB Storage Device Detected . . . . . . . . . . 109
2.240LP_Fail2ban IP Banned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
2.241LP_File and Directory Discovery Using PowerShell Detected . . . . . . . 110
2.242LP_File Creation by PowerShell Detected . . . . . . . . . . . . . . . . . . 110
2.243LP_File Deletion Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
2.244LP_File or Folder Permissions Modifications . . . . . . . . . . . . . . . . . 111
2.245LP_File System Permissions Weakness . . . . . . . . . . . . . . . . . . . . 112
2.246LP_Fireball Archer Installation Detected . . . . . . . . . . . . . . . . . . . 112
2.247LP_Firewall Configuration Modification Detected . . . . . . . . . . . . . . 113
2.248LP_Firewall Disabled via Netsh Detected . . . . . . . . . . . . . . . . . . . 113
2.249LP_First Time Seen Remote Named Pipe . . . . . . . . . . . . . . . . . . . 114
2.250LP_FirstClass Failed Login Attempt . . . . . . . . . . . . . . . . . . . . . . 114

vi
2.251LP_FirstClass Failed Password Change Attempt . . . . . . . . . . . . . . . 115
2.252LP_Formbook Process Creation Detected . . . . . . . . . . . . . . . . . . 115
2.253LP_FortiGate Admin Login Disable . . . . . . . . . . . . . . . . . . . . . . 115
2.254LP_FortiGate Anomaly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
2.255LP_FortiGate Antivirus Botnet Warning . . . . . . . . . . . . . . . . . . . . 116
2.256LP_FortiGate Antivirus Scan Engine Load Failed . . . . . . . . . . . . . . 117
2.257LP_FortiGate Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
2.258LP_FortiGate Critical Events . . . . . . . . . . . . . . . . . . . . . . . . . . 117
2.259LP_FortiGate Data Leak Protection . . . . . . . . . . . . . . . . . . . . . . 118
2.260LP_FortiGate IPS Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
2.261LP_FortiGate Malicious URL Attack . . . . . . . . . . . . . . . . . . . . . . 119
2.262LP_FortiGate Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
2.263LP_FortiGate VPN SSL User Login Failed . . . . . . . . . . . . . . . . . . . 119
2.264LP_FromBase64String Command Line Detected . . . . . . . . . . . . . . 120
2.265LP_FSecure File Infection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
2.266LP_FSecure Virus Detection . . . . . . . . . . . . . . . . . . . . . . . . . . 121
2.267LP_Fsutil Suspicious Invocation Detected . . . . . . . . . . . . . . . . . . 121
2.268LP_GAC DLL Loaded Via Office Applications Detected . . . . . . . . . . . 122
2.269LP_Generic Password Dumper Activity on LSASS Detected . . . . . . . . 122
2.270LP_Grabbing Sensitive Hives via Reg Utility . . . . . . . . . . . . . . . . . 123
2.271LP_Hacktool Ruler Detected . . . . . . . . . . . . . . . . . . . . . . . . . . 123
2.272LP_HH Execution Detected . . . . . . . . . . . . . . . . . . . . . . . . . . 123
2.273LP_Hidden Cobra Affected Host . . . . . . . . . . . . . . . . . . . . . . . 124
2.274LP_Hidden Cobra Emails Sent to Attacker . . . . . . . . . . . . . . . . . . 124
2.275LP_Hidden Cobra Vulnerable Sources . . . . . . . . . . . . . . . . . . . . . 125
2.276LP_Hidden Files and Directories - VSS Detected . . . . . . . . . . . . . . 125
2.277LP_Hidden Files and Directories Detected . . . . . . . . . . . . . . . . . . 126
2.278LP_Hidden PowerShell Window Detected . . . . . . . . . . . . . . . . . . 126
2.279LP_Hiding Files with Attrib Detected . . . . . . . . . . . . . . . . . . . . . 127
2.280LP_Hurricane Panda Activity Detected . . . . . . . . . . . . . . . . . . . . 127
2.281LP_IIS Native-Code Module Command Line Installation . . . . . . . . . . 127
2.282LP_Image File Execution Options Injection . . . . . . . . . . . . . . . . . . 128
2.283LP_Service Stop Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
2.284LP_In-memory PowerShell Detected . . . . . . . . . . . . . . . . . . . . . 129
2.285LP_Indicator Blocking - Driver Unloaded . . . . . . . . . . . . . . . . . . . 129
2.286LP_Indicator Blocking - Sysmon Registry Edited . . . . . . . . . . . . . . . 130
2.287LP_Indirect Command Execution Detected . . . . . . . . . . . . . . . . . 130
2.288LP_Install Root Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
2.289LP_Suspicious InstallUtil Execution . . . . . . . . . . . . . . . . . . . . . . 131
2.290LP_InvisiMole Malware Connection to Malicious Domains . . . . . . . . . 132
2.291LP_InvisiMole Malware Connection to Malicious Sources . . . . . . . . . . 132
2.292LP_InvisiMole Malware Exploitable Vulnerabilities Detected . . . . . . . . 132
2.293LP_InvisiMole Malware Infected Host Detected . . . . . . . . . . . . . . . 133
2.294LP_Invocation of Active Directory Diagnostic Tool Detected . . . . . . . . 133
2.295LP_Java Running with Remote Debugging . . . . . . . . . . . . . . . . . . 134

vii
2.296LP_Judgement Panda Exfil Activity . . . . . . . . . . . . . . . . . . . . . . 134
2.297LP_JunOS Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
2.298LP_JunOS Authentication Failed . . . . . . . . . . . . . . . . . . . . . . . . 135
2.299LP_JunOS Policy Violation . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
2.300LP_JunOS Security Log Clear . . . . . . . . . . . . . . . . . . . . . . . . . 136
2.301LP_Kaspersky Antivirus - Outbreak Detection . . . . . . . . . . . . . . . . 136
2.302LP_Kaspersky Antivirus - Update Fail . . . . . . . . . . . . . . . . . . . . . 137
2.303LP_Kaspersky Antivirus Extremely Out of Date Event . . . . . . . . . . . . 137
2.304LP_Kaspersky Antivirus Outbreak Detection by Source . . . . . . . . . . . 137
2.305LP_Kaspersky Antivirus Outbreak Detection by Virus . . . . . . . . . . . . 138
2.306LP_Kaspersky Antivirus Threat Affecting Multiple Host . . . . . . . . . . . 138
2.307LP_Kerberoasting via PowerShell Detected . . . . . . . . . . . . . . . . . 139
2.308LP_Kernel Firewall Connection Denied . . . . . . . . . . . . . . . . . . . . 139
2.309LP_Koadic Execution Detected . . . . . . . . . . . . . . . . . . . . . . . . 140
2.310LP_KRACK Vulnerable Source Detected . . . . . . . . . . . . . . . . . . . 140
2.311LP_Large ICMP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
2.312LP_Local Account Creation on Workstation Detected . . . . . . . . . . . . 141
2.313LP_Local Accounts Discovery Detected . . . . . . . . . . . . . . . . . . . . 141
2.314LP_Local Port Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
2.315LP_LockCrypt Ransomware . . . . . . . . . . . . . . . . . . . . . . . . . . 142
2.316LP_LockerGoga Malware Affected Host . . . . . . . . . . . . . . . . . . . 143
2.317LP_LockerGoga Malware Emails Sent to Attacker . . . . . . . . . . . . . . 143
2.318LP_Log Files Creation of Dot-Net-to-JS Detected . . . . . . . . . . . . . . 144
2.319LP_Login with WMI Detected . . . . . . . . . . . . . . . . . . . . . . . . . 144
2.320LP_Logon Scripts Detected . . . . . . . . . . . . . . . . . . . . . . . . . . 144
2.321LP_LSASS Access from Non System Account Detected . . . . . . . . . . . 145
2.322LP_LSASS Memory Dump Detected . . . . . . . . . . . . . . . . . . . . . . 145
2.323LP_LSASS Memory Dump File Creation . . . . . . . . . . . . . . . . . . . . 146
2.324LP_LSSAS Memory Dump with MiniDumpWriteDump API Detected . . . 146
2.325LP_LSASS Memory Dumping Detected . . . . . . . . . . . . . . . . . . . . 147
2.326LP_Macro file Creation Detected . . . . . . . . . . . . . . . . . . . . . . . 147
2.327LP_Magecart Exploitable Vulnerabilities Detected . . . . . . . . . . . . . 148
2.328LP_Magecart Threat Connection to Malicious Domains . . . . . . . . . . . 148
2.329LP_Magecart Threat Connection to Malicious Sources . . . . . . . . . . . 148
2.330LP_Malicious Base64 Encoded PowerShell Keywords in Command Lines
Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
2.331LP_Malicious File Execution Detected . . . . . . . . . . . . . . . . . . . . 150
2.332LP_Malicious PowerShell Commandlet Names Detected . . . . . . . . . . 150
2.333LP_Malicious Service Installations Detected . . . . . . . . . . . . . . . . . 151
2.334LP_Malware Shellcode in Verclsid Target Process . . . . . . . . . . . . . . 151
2.335LP_Malware Threat Affected Host . . . . . . . . . . . . . . . . . . . . . . . 152
2.336LP_Malware Threat Connection from Malicious Source . . . . . . . . . . . 152
2.337LP_Malware Threat Connection to Malicious Destination . . . . . . . . . . 152
2.338LP_Malware Threat Connection to Malicious URLs . . . . . . . . . . . . . 153
2.339LP_Malware Threat Emails Sent to Attacker . . . . . . . . . . . . . . . . . 153

viii
2.340LP_Masquerading Extension Detected . . . . . . . . . . . . . . . . . . . . 154
2.341LP_Masquerading File Location Detected . . . . . . . . . . . . . . . . . . 154
2.342LP_Matrix Encrypted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
2.343LP_Matrix Vulnerable Sources . . . . . . . . . . . . . . . . . . . . . . . . . 155
2.344LP_Maze Ransomware Connection to Malicious Domains . . . . . . . . . 155
2.345LP_Maze Ransomware Connection to Malicious Sources . . . . . . . . . . 156
2.346LP_Maze Ransomware Exploitable Vulnerabilities Detected . . . . . . . . 156
2.347LP_Maze Ransomware Infected Host Detected . . . . . . . . . . . . . . . 157
2.348LP_Meltdown and Spectre Vulnerabilities . . . . . . . . . . . . . . . . . . 157
2.349 LP_Meterpreter or Cobalt Strike Getsystem Service Start Detected . . . 158
2.350 LP_Microsoft ActiveX Control Code Execution Vulnerability Detected . . 158
2.351 LP_Microsoft Binary Github Communication Detected . . . . . . . . . . . 159
2.352 LP_Microsoft DotNET Framework Remote Code Execution Detected . . 159
2.353 LP_Microsoft Office Memory Corruption Vulnerability CVE-2015-1641 Detected . . . 159
2.354 LP_Microsoft Office Memory Corruption Vulnerability CVE-2017-0199 Detected . . . 160
2.355 LP_Microsoft Office Memory Corruption Vulnerability CVE-2017-11882 Detected . . . 160
2.356 LP_Microsoft Office Product Spawning Windows Shell . . . . . . . . . . . 161
2.357 LP_Mimikatz Command Line Detected . . . . . . . . . . . . . . . . . . . . 161
2.358 LP_Mitre - Initial Access - Hardware Addition - Removable Storage Connected . . . 162
2.359 LP_Mitre - Initial Access - Valid Accounts - Impossible Travel . . . . . . . . 162
2.360 LP_Mitre - Initial Access - Valid Accounts - Inactive User Accounts . . . . 163
2.361 LP_Mitre Command and Control Using Uncommonly used Port Detected . . . 163
2.362 LP_Mitre Credential Access Using Credentials from Web Browsers Detected . . . 164
2.363 LP_Mitre Credential Access Using Credentials in File Detected . . . . . . 164
2.364 LP_Mitre Defense Evasion Using Decode Files or Information Detected . 165
2.365 LP_Mitre Defense Evasion Using File Deletion Detected . . . . . . . . . . 165
2.366 LP_Mitre Discovery Using Account Discovery Detected . . . . . . . . . . 166
2.367 LP_Mitre Discovery Using File and Directory Discovery Detected . . . . . 166
2.368 LP_Mitre Discovery Using Network Service Scanning Detected . . . . . . 167
2.369 LP_Mitre Discovery Using Network Sniffing Detected . . . . . . . . . . . 167
2.370 LP_Mitre Discovery Using Password Policy Discovery Detected . . . . . . 168
2.371 LP_Mitre Discovery Using Permission Groups Discovery Detected . . . . 168
2.372 LP_Mitre Discovery Using Query Registry Detected . . . . . . . . . . . . 169
2.373 LP_Mitre Discovery Using Security Software Discovery Detected . . . . . 169
2.374 LP_Mitre Discovery Using System Information Discovery Detected . . . . 170
2.375 LP_Mitre Discovery Using System Network Configuration Discovery Detected . . . 170
2.376 LP_Mitre Discovery Using System Owner or User Discovery Detected . . 171
2.377 LP_Mitre Discovery Using System Service Discovery Detected . . . . . . 171
2.378 LP_Mitre Exfiltration Over Alternative Protocol Detected . . . . . . . . . 172
2.379 LP_Mitre Lateral Movement Using Remote Services Detected . . . . . . . 172
2.380 LP_Mitre Persistence Attack through Accessibility Process Feature . . . . 173
2.381 LP_Mitre Persistence Attack through AppInit DLLs . . . . . . . . . . . . . 173
2.382 LP_Mitre Persistence Using Account Creation Detected . . . . . . . . . . 173
2.383 LP_Mitre Persistence Using Account Manipulation Detected . . . . . . . 174
2.384 LP_Mitre Persistence via Winlogon Helper DLL Detected . . . . . . . . . 174
2.385 LP_Mitre Possible Privilege Escalation using Application Shimming . . . . 175
2.386 LP_Mitre Privilege Escalation Using Bypass User Access Control Detected . . . 175
2.387 LP_MMC Spawning Windows Shell Detected . . . . . . . . . . . . . . . . 176
2.388 LP_Most Exploitable Vulnerabilities Detected . . . . . . . . . . . . . . . . 176
2.389 LP_MS Office Product Spawning Exe in User Dir . . . . . . . . . . . . . . 177
2.390 LP_MSHTA - File Access Detected . . . . . . . . . . . . . . . . . . . . . . 177
2.391 LP_MSHTA - Activity Detected . . . . . . . . . . . . . . . . . . . . . . . . 177
2.392 LP_Mshta JavaScript Execution Detected . . . . . . . . . . . . . . . . . . 178
2.393 LP_MSHTA Spawning Windows Shell Detected . . . . . . . . . . . . . . . 178
2.394 LP_MSHTA Spawned by SVCHOST Detected . . . . . . . . . . . . . . . . 179
2.395 LP_MSHTA Suspicious Execution Detected . . . . . . . . . . . . . . . . . 179
2.396 LP_MsiExec Web Install Detected . . . . . . . . . . . . . . . . . . . . . . . 180
2.397 LP_MSTSC Shadowing Detected . . . . . . . . . . . . . . . . . . . . . . . 180
2.398 LP_Multiple Failed Login Followed by Successful Login Followed by Logoff . . . 180
2.399 LP_Mustang Panda Dropper Detected . . . . . . . . . . . . . . . . . . . . 181
2.400 LP_Named Pipe added to Null Session Detected . . . . . . . . . . . . . . 181
2.401 LP_Narrators Feedback-Hub Persistence Detected . . . . . . . . . . . . . 182
2.402 LP_Nefilim Ransomware Infected Host Detected . . . . . . . . . . . . . . 182
2.403 LP_Net exe Execution Detected . . . . . . . . . . . . . . . . . . . . . . . . 183
2.404 LP_Net exe User Account Creation . . . . . . . . . . . . . . . . . . . . . . 183
2.405 LP_NetNTLM Downgrade Attack Detected . . . . . . . . . . . . . . . . . 183
2.406 LP_Firewall Addition via Netsh Detected . . . . . . . . . . . . . . . . . . . 184
2.407 LP_Netsh Helper DLL - Process Detected . . . . . . . . . . . . . . . . . . 184
2.408 LP_Netsh Helper DLL - Registry Detected . . . . . . . . . . . . . . . . . . 185
2.409 LP_Netsh Port Forwarding Detected . . . . . . . . . . . . . . . . . . . . . 185
2.410 LP_Netsh RDP Port Forwarding Detected . . . . . . . . . . . . . . . . . . 186
2.411 LP_Network Share Connection Removed . . . . . . . . . . . . . . . . . . . 186
2.412 LP_Network Share Discovery . . . . . . . . . . . . . . . . . . . . . . . . . 187
2.413 LP_Network Sniffing Detected . . . . . . . . . . . . . . . . . . . . . . . . . 187
2.414 LP_New Driver File Creation Detected . . . . . . . . . . . . . . . . . . . . 188
2.415 LP_New Firewall Port Opening Detected . . . . . . . . . . . . . . . . . . . 188
2.416 LP_New RUN Key Pointing to Suspicious Folder Detected . . . . . . . . . 188
2.417 LP_New Service Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
2.418 LP_Non Interactive PowerShell Execution . . . . . . . . . . . . . . . . . . 189
2.419 LP_NoPowerShell Tool Activity Detected . . . . . . . . . . . . . . . . . . . 190
2.420 LP_NotPetya Ransomware Activity Detected . . . . . . . . . . . . . . . . 190
2.421 LP_OceanLotus Registry Activity Detected . . . . . . . . . . . . . . . . . . 191
2.422 LP_Office365 Multiple Failed Login from Different Host by Single User . 191
2.423 LP_Office365 Multiple Failed Login from Same Host . . . . . . . . . . . . 192
2.424 LP_Office365 Multiple Successful Login from Different Country by Single User . . . 192
2.425 LP_Office365 Multiple Successful Login From Different Host by Single User . . . 193
2.426 LP_Office365 Password Resets . . . . . . . . . . . . . . . . . . . . . . . . 193
2.427 LP_OpenWith Execution of Specified Binary Detected . . . . . . . . . . . 194
2.428 LP_Possible Operation Wocao Activity Detected . . . . . . . . . . . . . . 194
2.429 LP_Pandemic Registry Key Detected . . . . . . . . . . . . . . . . . . . . . 195
2.430 LP_Password Change on DSRM Account Detected . . . . . . . . . . . . . 195
2.431 LP_Password Dumper Remote Thread in LSASS . . . . . . . . . . . . . . . 195
2.432 LP_Password Spraying Attack Detected . . . . . . . . . . . . . . . . . . . 196
2.433 LP_Persistence and Execution at Scale via GPO Scheduled Task . . . . . . 196
2.434 LP_Petya Affected Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
2.435 LP_Petya Compromised Files . . . . . . . . . . . . . . . . . . . . . . . . . 197
2.436 LP_Ping Hex IP Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
2.437 LP_Ping of Death Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
2.438 LP_Possible Access to ADMIN Share . . . . . . . . . . . . . . . . . . . . . 198
2.439 LP_Possible Account Misuse-Abnormal Login . . . . . . . . . . . . . . . . 199
2.440 LP_Possible Account Misuse-Privilege Escalation . . . . . . . . . . . . . . 200
2.441 LP_Possible Applocker Bypass Detected . . . . . . . . . . . . . . . . . . . 200
2.442 LP_Possible Bitsadmin Download Detected . . . . . . . . . . . . . . . . . 201
2.443 LP_Possible Botnet Connection-DNS Server Modified . . . . . . . . . . . 201
2.444 LP_Possible Botnet Connection-IRC Port . . . . . . . . . . . . . . . . . . . 202
2.445 LP_Possible Botnet Connection-Outbound DDOS . . . . . . . . . . . . . . 202
2.446 LP_Possible Botnet Connection-Outbound Spam . . . . . . . . . . . . . . 202
2.447 LP_Possible CLR DLL Loaded Via Office Applications . . . . . . . . . . . . 203
2.448 LP_Possible Credential Dump-Tools Named Pipes Detected . . . . . . . . 203
2.449 LP_Possible Data Breach . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
2.450 LP_Possible Data Breach-Off Hour Transfer . . . . . . . . . . . . . . . . . 204
2.451 LP_Possible DDOS Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
2.452 LP_Possible Detection of SafetyKatz . . . . . . . . . . . . . . . . . . . . . 205
2.453 LP_Possible DNS Rebinding Detected . . . . . . . . . . . . . . . . . . . . 205
2.454 LP_Possible DoS Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
2.455 LP_Possible Empire Monkey Detected . . . . . . . . . . . . . . . . . . . . 206
2.456 LP_Possible Executable Used by PlugX in Uncommon Location . . . . . . 207
2.457 LP_Possible Exploitation for CVE-2015-1641 Detected . . . . . . . . . . . 207
2.458 LP_Possible Hijack of Legit RDP Session to Move Laterally . . . . . . . . . 208
2.459 LP_Possible Impacket Lateralization Detected . . . . . . . . . . . . . . . . 208
2.460 LP_Possible Impacket SecretDump Remote Activity . . . . . . . . . . . . 209
2.461 LP_Possible Inbound Spamming Detected . . . . . . . . . . . . . . . . . . 209
2.462 LP_Possible Insider Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
2.463 LP_Possible Land Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
2.464 LP_Possible Malicious Payload Download via Office Binaries Detected . . 210
2.465 LP_Possible Malware Detected . . . . . . . . . . . . . . . . . . . . . . . . 211
2.466 LP_Possible Modification of Boot Configuration . . . . . . . . . . . . . . . 211
2.467 LP_Possible Outbound Spamming Detected . . . . . . . . . . . . . . . . . 212
2.468 LP_Possible Pass the Hash Activity Detected . . . . . . . . . . . . . . . . 212
2.469 LP_Possible Privilege Escalation via Weak Service Permissions . . . . . . 213
2.470 LP_Possible Process Hollowing Image Loading . . . . . . . . . . . . . . . 213
2.471 LP_Possible SPN Enumeration Detected . . . . . . . . . . . . . . . . . . . 213
2.472 LP_Possible SquiblyTwo Detected . . . . . . . . . . . . . . . . . . . . . . . 214
2.473 LP_Possible Taskmgr run as LOCAL_SYSTEM Detected . . . . . . . . . . 214
2.474 LP_Potential RDP Exploit CVE-2019-0708 Detected . . . . . . . . . . . . 215
2.475 LP_Powershell AMSI Bypass via dotNET Reflection . . . . . . . . . . . . . 215
2.476 LP_PowerShell Base64 Encoded Shellcode Detected . . . . . . . . . . . . 216
2.477 LP_PowerShell Network Connections Detected . . . . . . . . . . . . . . . 216
2.478 LP_PowerShell Profile Modification . . . . . . . . . . . . . . . . . . . . . . 216
2.479 LP_PowerShell Rundll32 Remote Thread Creation Detected . . . . . . . . 217
2.480 LP_PowerShell Script Run in AppData Detected . . . . . . . . . . . . . . . 217
2.481 LP_PowerShell Version Downgrade Detected . . . . . . . . . . . . . . . . 218
2.482 LP_Process Dump via Comsvcs DLL Detected . . . . . . . . . . . . . . . . 218
2.483 LP_Process Dump via Rundll32 and Comsvcs Detected . . . . . . . . . . . 219
2.484 LP_Process Hollowing Detected . . . . . . . . . . . . . . . . . . . . . . . . 219
2.485 LP_Process Injection Detected . . . . . . . . . . . . . . . . . . . . . . . . . 220
2.486 LP_Protected Storage Service Access Detected . . . . . . . . . . . . . . . 220
2.487 LP_Prowli Malware Affected Host . . . . . . . . . . . . . . . . . . . . . . . 220
2.488 LP_Prowli Malware Connection to Malicious Destination . . . . . . . . . . 221
2.489 LP_Prowli Malware Emails Sent to Attacker . . . . . . . . . . . . . . . . . 221
2.490 LP_PsExec Tool Execution Detected . . . . . . . . . . . . . . . . . . . . . 222
2.491 LP_Psr Capture Screenshots Detected . . . . . . . . . . . . . . . . . . . . 222
2.492 LP_Pulse Secure Arbitrary File Reading Detected . . . . . . . . . . . . . . 222
2.493 LP_QBot Process Creation Detected . . . . . . . . . . . . . . . . . . . . . 223
2.494 LP_QuarksPwDump Clearing Access History Detected . . . . . . . . . . . 223
2.495 LP_QuarksPwDump Dump File Detected . . . . . . . . . . . . . . . . . . . 224
2.496 LP_Query Registry Network . . . . . . . . . . . . . . . . . . . . . . . . . . 224
2.497 LP_Rare Scheduled Task Creations Detected . . . . . . . . . . . . . . . . . 225
2.498 LP_RDP Login from Localhost Detected . . . . . . . . . . . . . . . . . . . 225
2.499 LP_RDP Over Reverse SSH Tunnel Detected . . . . . . . . . . . . . . . . . 225
2.500 LP_RDP over Reverse SSH Tunnel WFP . . . . . . . . . . . . . . . . . . . . 226
2.501 LP_RDP Registry Modification . . . . . . . . . . . . . . . . . . . . . . . . . 226
2.502 LP_RDP Sensitive Settings Changed . . . . . . . . . . . . . . . . . . . . . 227
2.503 LP_Reconnaissance Activity with Net Command . . . . . . . . . . . . . . 227
2.504 LP_RedSocks Backdoor Connection . . . . . . . . . . . . . . . . . . . . . . 228
2.505 LP_RedSocks Bad Neighborhood Detection . . . . . . . . . . . . . . . . . 228
2.506 LP_RedSocks Blacklist URL Detection . . . . . . . . . . . . . . . . . . . . . 229
2.507 LP_RedSocks FileSharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
2.508 LP_RedSocks Ransomware Connection . . . . . . . . . . . . . . . . . . . . 229
2.509 LP_RedSocks Sinkhole Detection . . . . . . . . . . . . . . . . . . . . . . . 230
2.510 LP_RedSocks Tor Connection . . . . . . . . . . . . . . . . . . . . . . . . . 230
2.511 LP_RedSocks Trojan Connection . . . . . . . . . . . . . . . . . . . . . . . . 231
2.512 LP_Register new Logon Process by Rubeus . . . . . . . . . . . . . . . . . 231
2.513 LP_Registry Persistence Mechanisms Detected . . . . . . . . . . . . . . . 231
2.514 LP_Registry Persistence via Explorer Run Key Detected . . . . . . . . . . 232
2.515 LP_Regsvcs-Regasm Detected . . . . . . . . . . . . . . . . . . . . . . . . . 232
2.516 LP_Remote PowerShell Session . . . . . . . . . . . . . . . . . . . . . . . . 233
2.517 LP_Remote System Discovery . . . . . . . . . . . . . . . . . . . . . . . . . 233
2.518 LP_Renamed Binary Detected . . . . . . . . . . . . . . . . . . . . . . . . . 234
2.519 LP_Renamed ProcDump Detected . . . . . . . . . . . . . . . . . . . . . . 234
2.520 LP_Renamed PsExec Detected . . . . . . . . . . . . . . . . . . . . . . . . 235
2.521 LP_Renamed ZOHO Dctask64 Detected . . . . . . . . . . . . . . . . . . . 235
2.522 LP_REvil-Sodinokibi Ransomware Connection to Malicious Domains . . . 235
2.523 LP_REvil-Sodinokibi Ransomware Connection to Malicious Sources . . . . 236
2.524 LP_REvil-Sodinokibi Ransomware Exploitable Vulnerabilities Detected . . 236
2.525 LP_REvil-Sodinokibi Ransomware Infected Host Detected . . . . . . . . . 237
2.526 LP_RobbinHood Ransomware Exploitable Vulnerabilities Detected . . . . 237
2.527 LP_Robbinhood Ransomware Infected Host Detected . . . . . . . . . . . 238
2.528 LP_Rogue Access Point Detected . . . . . . . . . . . . . . . . . . . . . . . 238
2.529 LP_RSA SecurID Account Lockout . . . . . . . . . . . . . . . . . . . . . . . 239
2.530 LP_RSA SecurID Account Lockout . . . . . . . . . . . . . . . . . . . . . . . 239
2.531 LP_Rubeus Hack Tool Detected . . . . . . . . . . . . . . . . . . . . . . . . 239
2.532 LP_Run PowerShell Script from ADS Detected . . . . . . . . . . . . . . . . 240
2.533 LP_Rundll32 Internet Connection Detected . . . . . . . . . . . . . . . . . 240
2.534 LP_Ryuk Ransomware Affected Host . . . . . . . . . . . . . . . . . . . . . 241
2.535 LP_SAM Registry Hive Dump via Reg Utility . . . . . . . . . . . . . . . . . 241
2.536 LP_SAM Registry Hive Handle Request Detected . . . . . . . . . . . . . . 242
2.537 LP_Scheduled Task Creation Detected . . . . . . . . . . . . . . . . . . . . 242
2.538 LP_SCM Database Handle Failure Detected . . . . . . . . . . . . . . . . . 242
2.539 LP_SCM Database Privileged Operation Detected . . . . . . . . . . . . . 243
2.540 LP_Screensaver Activities Detected . . . . . . . . . . . . . . . . . . . . . . 243
2.541 LP_Secure Deletion with SDelete . . . . . . . . . . . . . . . . . . . . . . . 244
2.542 LP_SecurityXploded Tool Detected . . . . . . . . . . . . . . . . . . . . . . 244
2.543 LP_Shadow Copy Creation Using OS Utilities Detected . . . . . . . . . . 244
2.544 LP_Signed Binary Proxy Execution - Network Detected . . . . . . . . . . 245
2.545 LP_Signed Binary Proxy Execution - Process Detected . . . . . . . . . . . 245
2.546 LP_Signed Script Proxy Execution . . . . . . . . . . . . . . . . . . . . . . . 246
2.547 LP_SILENTTRINITY Stager Execution Detected . . . . . . . . . . . . . . . 246
2.548 LP_smbexec Service Installation Detected . . . . . . . . . . . . . . . . . . 247
2.549 LP_SolarisLDAP Group Remove from LDAP Detected . . . . . . . . . . . 247
2.550 LP_SolarisLDAP Possible Bruteforce Attack Detected . . . . . . . . . . . 248
2.551 LP_SolarisLDAP User Account Lockout Detected . . . . . . . . . . . . . . 248
2.552 LP_Sophos XG Firewall - Inbound Attack Detected by IDP . . . . . . . . . 248
2.553 LP_Sophos XG Firewall - Outbound Attack Detected by IDP . . . . . . . 249
2.554 LP_SophosUTM Policy Violation . . . . . . . . . . . . . . . . . . . . . . . . 249
2.555 LP_SourceFire DNS Tunneling Detection - Multiple domains . . . . . . . . 250
2.556 LP_SSHD Connection Denied . . . . . . . . . . . . . . . . . . . . . . . . . 250
2.557 LP_Stealthy Scheduled Task Creation via VBA Macro Detected . . . . . . 251
2.558 LP_Sticky Key Like Backdoor Usage Detected . . . . . . . . . . . . . . . . 251
2.559 LP_StoneDrill Service Install Detected . . . . . . . . . . . . . . . . . . . . 252
2.560 LP_Stop Windows Service Detected . . . . . . . . . . . . . . . . . . . . . 252
2.561 LP_Successful Lateral Movement to Administrator via Pass the Hash using Mimikatz Detected . . . 253
2.562 LP_Successful Overpass the Hash Attempt . . . . . . . . . . . . . . . . . . 253
2.563 LP_Suspect Svchost Activity Detected . . . . . . . . . . . . . . . . . . . . 254
2.564 LP_Suspect Svchost Memory Access . . . . . . . . . . . . . . . . . . . . . 254
2.565 LP_Suspicious Access to Sensitive File Extensions . . . . . . . . . . . . . . 255
2.566 LP_Suspicious Calculator Usage Detected . . . . . . . . . . . . . . . . . . 255
2.567 LP_Suspicious Call by Ordinal Detected . . . . . . . . . . . . . . . . . . . 255
2.568 LP_Suspicious Certutil Command Detected . . . . . . . . . . . . . . . . . 256
2.569 LP_Suspicious Code Page Switch Detected . . . . . . . . . . . . . . . . . 256
2.570 LP_Suspicious Commandline Escape Detected . . . . . . . . . . . . . . . 257
2.571 LP_Suspicious Compression Tool Parameters . . . . . . . . . . . . . . . . 257
2.572 LP_Suspicious Control Panel DLL Load Detected . . . . . . . . . . . . . . 258
2.573 LP_Suspicious Csc Source File Folder Detected . . . . . . . . . . . . . . . 258
2.574 LP_Suspicious Debugger Registration Detected . . . . . . . . . . . . . . . 258
2.575 LP_Suspicious Double Extension Detected . . . . . . . . . . . . . . . . . . 259
2.576 LP_Suspicious Driver Load from Temp . . . . . . . . . . . . . . . . . . . . 259
2.577 LP_Suspicious Eventlog Clear or Configuration Using Wevtutil Detected . 260
2.578 LP_Suspicious Execution from Outlook . . . . . . . . . . . . . . . . . . . . 260
2.579 LP_Suspicious GUP Usage Detected . . . . . . . . . . . . . . . . . . . . . 261
2.580 LP_Suspicious HWP Sub Processes Detected . . . . . . . . . . . . . . . . 261
2.581 LP_Suspicious In-Memory Module Execution Detected . . . . . . . . . . . 262
2.582 LP_Suspicious Kerberos RC4 Ticket Encryption . . . . . . . . . . . . . . . 262
2.583 LP_Suspicious Keyboard Layout Load Detected . . . . . . . . . . . . . . . 262
2.584 LP_Suspicious MsiExec Directory Detected . . . . . . . . . . . . . . . . . 263
2.585 LP_Suspicious Named Pipes Detected . . . . . . . . . . . . . . . . . . . . 263
2.586 LP_Suspicious Outbound Kerberos Connection . . . . . . . . . . . . . . . 264
2.587 LP_Suspicious Outbound RDP Connections Detected . . . . . . . . . . . 264
2.588 LP_Suspicious Parent of Csc Detected . . . . . . . . . . . . . . . . . . . . 265
2.589 LP_Suspicious PowerShell Invocation Based on Parent Process . . . . . . 265
2.590 LP_Suspicious PowerShell Parameter Substring Detected . . . . . . . . . 266
2.591 LP_Suspicious Process Start Locations Detected . . . . . . . . . . . . . . 266
2.592 LP_Suspicious Program Location with Network Connections . . . . . . . 267
2.593 LP_Suspicious PsExec Execution Detected . . . . . . . . . . . . . . . . . . 267
2.594 LP_Suspicious RDP Redirect Using TSCON Detected . . . . . . . . . . . . 268
2.595 LP_Suspicious Remote Thread Created . . . . . . . . . . . . . . . . . . . . 268
2.596 LP_Suspicious RUN Key from Download Detected . . . . . . . . . . . . . 269
2.597 LP_Suspicious Rundll32 Activity Detected . . . . . . . . . . . . . . . . . . 269
2.598 LP_Suspicious Scripting in a WMI Consumer . . . . . . . . . . . . . . . . . 270
2.599 LP_Suspicious Service Path Modification Detected . . . . . . . . . . . . . 270
2.600 LP_Suspicious Svchost Process Detected . . . . . . . . . . . . . . . . . . . 271
2.601 LP_Suspicious SYSVOL Domain Group Policy Access . . . . . . . . . . . . 271
2.602 LP_Suspicious TSCON Start . . . . . . . . . . . . . . . . . . . . . . . . . . 272
2.603 LP_Suspicious Typical Malware Back Connect Ports Detected . . . . . . . 272
2.604 LP_Suspicious CSharp or FSharp Interactive Console Execution . . . . . . 273
2.605 LP_Suspicious Userinit Child Process . . . . . . . . . . . . . . . . . . . . . 273
2.606 LP_Suspicious Windows ANONYMOUS LOGON Local Account Creation . . . 273
2.607 LP_Suspicious WMI Execution Detected . . . . . . . . . . . . . . . . . . . 274
2.608 LP_Svchost DLL Search Order Hijack Detected . . . . . . . . . . . . . . . 274
2.609 LP_SysKey Registry Keys Access . . . . . . . . . . . . . . . . . . . . . . . 275
2.610 LP_Sysmon Configuration Modification Detected . . . . . . . . . . . . . . 275
2.611 LP_Sysmon Driver Unload Detected . . . . . . . . . . . . . . . . . . . . . 276
2.612 LP_Sysmon Error Event Detected . . . . . . . . . . . . . . . . . . . . . . . 276
2.613 LP_System File Execution Location Anomaly Detected . . . . . . . . . . . 277
2.614 LP_System Information Discovery . . . . . . . . . . . . . . . . . . . . . . . 277
2.615 LP_System Owner or User Discovery . . . . . . . . . . . . . . . . . . . . . 278
2.616 LP_System Service Discovery . . . . . . . . . . . . . . . . . . . . . . . . . 278
2.617 LP_System Time Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
2.618 LP_Tap Driver Installation Detected . . . . . . . . . . . . . . . . . . . . . . 279
2.619 LP_Taskmgr as Parent Detected . . . . . . . . . . . . . . . . . . . . . . . . 279
2.620 LP_Tasks Folder Evasion Detected . . . . . . . . . . . . . . . . . . . . . . 280
2.621 LP_Terminal Service Process Spawn Detected . . . . . . . . . . . . . . . . 280
2.622 LP_Threat Intel Allowed Connections from Suspicious Sources . . . . . . 281
2.623 LP_Threat Intel Connections with Suspicious Domains . . . . . . . . . . . 281
2.624 LP_Threat Intel Excessive Denied Connections Attempt from IOC . . . . 282
2.625 LP_Threat Intel Internal Machine Connecting to Multiple IOCs . . . . . . 282
2.626 LP_Threat Intel IOC Connecting to Multiple Internal Machines . . . . . . 283
2.627 LP_Time-Stomping of Users Directory Files Detected . . . . . . . . . . . . 283
2.628 LP_Transferring Files with Credential Data via Network Shares . . . . . . 284
2.629 LP_TrendMicroDeepSecurity Virus Quarantined . . . . . . . . . . . . . . . 284
2.630 LP_UAC Bypass via Event Viewer Detected . . . . . . . . . . . . . . . . . 284
2.631 LP_Unix Possible Bruteforce Attack . . . . . . . . . . . . . . . . . . . . . . 285
2.632 LP_Unix User Deleted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
2.633 LP_Unsigned Driver Loading Detected . . . . . . . . . . . . . . . . . . . . 286
2.634 LP_Possible Ursnif Registry Activity . . . . . . . . . . . . . . . . . . . . . . 286
2.635 LP_Valak Malware Connection to Malicious Domains . . . . . . . . . . . . 286
2.636 LP_Valak Malware Infected Host Detected . . . . . . . . . . . . . . . . . . 287
2.637 LP_VBA DLL Loaded by Office . . . . . . . . . . . . . . . . . . . . . . . . . 287
2.638 LP_VM - High Risk Vulnerability on High Impact Assets . . . . . . . . . . . 288
2.639 LP_VM - High Risk Vulnerability on Low Impact Assets . . . . . . . . . . . 288
2.640 LP_VM - High Risk Vulnerability on Medium Impact Assets . . . . . . . . . 288
2.641 LP_VM - Medium Risk Vulnerability on High Impact Assets . . . . . . . . . 289
2.642 LP_VM - Medium Risk Vulnerability on Low Impact Assets . . . . . . . . . 289
2.643 LP_VM - Medium Risk Vulnerability on Medium Impact Assets . . . . . . . 290
2.644 LP_WannaCry File Encryption . . . . . . . . . . . . . . . . . . . . . . . . . 290
2.645 LP_WannaCry MS17-010 Vulnerable Sources . . . . . . . . . . . . . . . . . 291
2.646 LP_WannaCry Sources in Connections to Sinkhole Domain . . . . . . . . . 291
2.647 LP_WastedLocker Ransomware Connection to Malicious Domains . . . . 291
2.648 LP_WastedLocker Ransomware Connection to Malicious Sources . . . . . 292
2.649 LP_WastedLocker Ransomware Infected Host Detected . . . . . . . . . . 292
2.650 LP_WCE wceaux dll Access Detected . . . . . . . . . . . . . . . . . . . . . 293
2.651 LP_Wdigest Registry Modification . . . . . . . . . . . . . . . . . . . . . . . 293
2.652 LP_Weak Encryption Enabled for User . . . . . . . . . . . . . . . . . . . . 293
2.653 LP_Webshell Detection With Command Line Keywords . . . . . . . . . . 294
2.654 LP_Windows 10 Scheduled Task SandboxEscaper 0 day Detected . . . . 294
2.655 LP_Windows Admin Shares - Process . . . . . . . . . . . . . . . . . . . . . 295
2.656 LP_Windows Audit Logs Cleared . . . . . . . . . . . . . . . . . . . . . . . 295
2.657 LP_Windows Credential Editor Detected . . . . . . . . . . . . . . . . . . . 296
2.658 LP_Windows Data Copied to Removable Device . . . . . . . . . . . . . . 296
2.659 LP_Windows Defender Exclusion Set Detected . . . . . . . . . . . . . . . 296
2.660 LP_Windows Domain Policy Change . . . . . . . . . . . . . . . . . . . . . 297
2.661 LP_Windows Excessive Amount of Files Copied to Removable Device . . 297
2.662 LP_Windows Failed Login Attempt Using Service Account . . . . . . . . . 298
2.663 LP_Windows Failed Login Followed by Lockout Event . . . . . . . . . . . 298
2.664 LP_Windows Local User Management . . . . . . . . . . . . . . . . . . . . 299
2.665 LP_WMI DLL Loaded by Office . . . . . . . . . . . . . . . . . . . . . . . . 299
2.666 LP_Windows Multiple Password Changed by User . . . . . . . . . . . . . 300
2.667 LP_Windows Processes Suspicious Parent Directory Detected . . . . . . . 300
2.668 LP_Windows Registry Persistence COM Key Linking Detected . . . . . . 301
2.669 LP_Windows Shell Spawning Suspicious Program . . . . . . . . . . . . . . 301
2.670 LP_Windows SMB Remote Code Execution Vulnerability CVE-2017-0143 Detected . . . 302
2.671 LP_Windows Suspicious Creation of User Accounts . . . . . . . . . . . . . 302
2.672 LP_Windows User Account Created via Command Line . . . . . . . . . . 303
2.673 LP_Windows Unusual User Access to an Object . . . . . . . . . . . . . . . 303
2.674 LP_Windows User Account Change to End with Dollar Sign . . . . . . . . 304
2.675 LP_Windows Webshell Creation Detected . . . . . . . . . . . . . . . . . . 304
2.676 LP_Winlogon Helper DLL . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
2.677 LP_WMI - Network Connection . . . . . . . . . . . . . . . . . . . . . . . . 305
2.678 LP_WMI Backdoor Exchange Transport Agent . . . . . . . . . . . . . . . . 305
2.679 LP_WMI Modules Loaded by Suspicious Process . . . . . . . . . . . . . . 306
2.680 LP_WMI Persistence - Script Event Consumer Detected . . . . . . . . . . 306
2.681 LP_WMI Persistence - Script Event Consumer File Write . . . . . . . . . . 307
2.682 LP_WMI Process Execution . . . . . . . . . . . . . . . . . . . . . . . . . . 307
2.683 LP_WMI Spawning Windows Shell . . . . . . . . . . . . . . . . . . . . . . . 308
2.684 LP_WMIExec VBS Script Detected . . . . . . . . . . . . . . . . . . . . . . 308
2.685 LP_Wmiprvse Spawning Process . . . . . . . . . . . . . . . . . . . . . . . 309
2.686 LP_WScript or CScript Dropper Detected . . . . . . . . . . . . . . . . . . 309
2.687 LP_Wsreset UAC Bypass Detected . . . . . . . . . . . . . . . . . . . . . . 309
2.688 LP_XSL Script Processing Detected . . . . . . . . . . . . . . . . . . . . . . 310
2.689 LP_ZOHO Dctask64 Process Injection Detected . . . . . . . . . . . . . . . 310
2.690 LP_ZxShell Malware Detected . . . . . . . . . . . . . . . . . . . . . . . . . 311
2.691 LP_APT 34 Initial Access Using Spearphishing Link Detected . . . . . . . 311
2.692 LP_Automated Collection Detected . . . . . . . . . . . . . . . . . . . . . . 312
2.693 LP_Screenshot Capture Detected . . . . . . . . . . . . . . . . . . . . . . . 312
2.694 LP_APT 34 Command and Control Using Commonly used Ports Detected . . . 313
2.695 LP_APT 34 Command and Control Using Standard Application Layer Protocol Detected . . . 313
2.696 LP_APT 34 Command and Control Using Uncommonly used Port Detected . . . 314
2.697 LP_Credential Dumping using procdump Detected . . . . . . . . . . . . . 314
2.698 LP_Access Using Browser Stored Credential Detected . . . . . . . . . . . 315
2.699 LP_GUI Input Capture Detected . . . . . . . . . . . . . . . . . . . . . . . . 315
2.700 LP_Files and Directory Discovery Process Detected . . . . . . . . . . . . . 316
2.701 LP_Account Discovery Process Detected . . . . . . . . . . . . . . . . . . . 316
2.702 LP_Suspicious File Deletion Detected . . . . . . . . . . . . . . . . . . . . . 316
2.703 LP_File or Information Decode Process Detected . . . . . . . . . . . . . . 317
2.704 LP_Access of Password Policy Detected . . . . . . . . . . . . . . . . . . . 317
2.705 LP_Access of Permission Groups Detected . . . . . . . . . . . . . . . . . . 318
2.706 LP_Security Software Discovery Process Detected . . . . . . . . . . . . . 318
2.707 LP_System Network Configuration Discovery . . . . . . . . . . . . . . . . 319
2.708 LP_System Network Connections Discovery . . . . . . . . . . . . . . . . . 319
2.709 LP_Exfiltration over Cloud Application Detected . . . . . . . . . . . . . . 320
2.710 LP_Remote File Copy Detected . . . . . . . . . . . . . . . . . . . . . . . . 320
2.711 LP_Account Created for Persistence Detected . . . . . . . . . . . . . . . 320
2.712 LP_Account Manipulated for Persistence Detected . . . . . . . . . . . . . 321
2.713 LP_Privilege Escalation - Bypassing User Account Control Detected . . . 321
2.714 LP_Executable Dropped in Suspicious Location . . . . . . . . . . . . . . . 322
2.715 LP_Process Execution from Suspicious Location . . . . . . . . . . . . . . . 322
2.716 LP_Active Directory Enumeration via ADFind . . . . . . . . . . . . . . . . 323
2.717 LP_Antivirus Software Discovery via WMI . . . . . . . . . . . . . . . . . . 323
2.718 LP_Possible Command Prompt Process Hollowing . . . . . . . . . . . . . 324
2.719 LP_Suspicious Taskkill Activity . . . . . . . . . . . . . . . . . . . . . . . . . 324
2.720 LP_Suspicious File or Directory Permission Modification . . . . . . . . . . 325
2.721 LP_Ryuk Wake-On-LAN Activity . . . . . . . . . . . . . . . . . . . . . . . . 325
2.722 LP_EXE or DLL Dropped in Perflogs Folder . . . . . . . . . . . . . . . . . 325
2.723 LP_Credential Access via LaZagne . . . . . . . . . . . . . . . . . . . . . . 326
2.724 LP_RDP Connection Initiated from Domain Controller . . . . . . . . . . . 326
2.725 LP_Active Directory Module Load in PowerShell . . . . . . . . . . . . . . 327
2.726 LP_Possible Active Directory Enumeration via AD Module . . . . . . . . . 327
2.727 LP_Microsoft Defender Disabling Attempt via PowerShell . . . . . . . . . 327
2.728 LP_Possible Kerberoasting via Rubeus . . . . . . . . . . . . . . . . . . . . 328
2.729 LP_Suspicious Scheduled Task Creation . . . . . . . . . . . . . . . . . . . 328
2.730 LP_RDP Connection Initiated from Suspicious Country . . . . . . . . . . 329
2.731 LP_Scheduled Task Deletion . . . . . . . . . . . . . . . . . . . . . . . . . . 329
2.732 LP_Possible GootKit WScript Execution . . . . . . . . . . . . . . . . . . . 330
2.733 LP_Winnti IoC Domain Match . . . . . . . . . . . . . . . . . . . . . . . . . 330
2.734 LP_Winnti IoC Hash Match . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
2.735 LP_Zerologon CVE-2020-1472 Exploitation Detected . . . . . . . . . . . . 331
2.736 LP_Allowed NetLogon Connections - CVE-2020-1472 . . . . . . . . . . . 332
2.737 LP_Denied NetLogon Connections - CVE-2020-1472 . . . . . . . . . . . . 332
2.738 LP_Allowed NetLogon Connections via Group Policy - CVE-2020-1472 . . 332
2.739 LP_Exchange Remote Code Execution CVE-2020-0688 Attempt . . . . . 333
2.740 LP_BlueKeep Vulnerability CVE-2019-0708 Exploitation . . . . . . . . . . 333
2.741 LP_Confluence Remote Code Execution CVE-2019-3398 Attempt . . . . 334
2.742 LP_ZoHo ManageEngine Pre-Auth File Upload CVE-2019-8394 Exploitation Attempt . . . 334
2.743 LP_ZoHo ManageEngine Desktop Central CVE-2020-10189 Exploitation Attempt . . . 335
2.744 LP_Atlassian Crowd Remote Code Execution CVE-2019-11580 Exploitation Attempt . . . 335
2.745 LP_Fortinet Pre-Auth File Read CVE-2018-13379 Exploitation Attempt . 336
2.746 LP_Adobe ColdFusion Remote Code Execution CVE-2018-15961 Attempt . . . 336
2.747 LP_Creation of Encrypted Winrar archive via CLI . . . . . . . . . . . . . . 337
2.748 LP_Default Hard disk Usage Status . . . . . . . . . . . . . . . . . . . . . . 337
2.749 LP_Default License Grace State . . . . . . . . . . . . . . . . . . . . . . . . 337
2.750 LP_Default License Invalid . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
2.751 LP_Microsoft Build Engine Loading Credential Libraries . . . . . . . . . . 338
2.752 LP_Microsoft Build Engine started by Office . . . . . . . . . . . . . . . . . 339
2.753 LP_Potential Botnet Infected Host Detected . . . . . . . . . . . . . . . . . 339
2.754 LP_Potential Phishing Attack Detected . . . . . . . . . . . . . . . . . . . . 339
2.755 LP_Potential Malware Infected Host Detected . . . . . . . . . . . . . . . . 340
2.756 LP_PowerShell Module Logging Setting Discovery . . . . . . . . . . . . . 340
2.757 LP_PowerShell Module Logging Setting Discovery . . . . . . . . . . . . . 341
2.758 LP_Safe DLL Search Mode Disabled . . . . . . . . . . . . . . . . . . . . . . 341
2.759 LP_Potential Intrusion Detected . . . . . . . . . . . . . . . . . . . . . . . . 342
2.760 LP_Windows Crash Dump Disabled . . . . . . . . . . . . . . . . . . . . . . 342
2.761 LP_Suspicious Shells Spawn by SQL Server . . . . . . . . . . . . . . . . . 342
2.762 LP_HermeticWiper Driver Load . . . . . . . . . . . . . . . . . . . . . . . . 343
2.763 LP_UltraVNC Execution via Command Line . . . . . . . . . . . . . . . . . 343
2.764 LP_Office Security Settings Changed . . . . . . . . . . . . . . . . . . . . . 344
2.765 LP_HermeticWiper IoC Hashes Detected . . . . . . . . . . . . . . . . . . . 344
2.766 LP_IsaacWiper IoC Hashes Detected . . . . . . . . . . . . . . . . . . . . . 345
2.767 LP_Actinium IoC Hashes Detected . . . . . . . . . . . . . . . . . . . . . . 345
2.768 LP_WhisperGate IoC Hashes Detected . . . . . . . . . . . . . . . . . . . . 345
2.769LP_GhostWriter IoC Detected . . . . . . . . . . . . . . . . . . . . . . . . . 346
2.770LP_Actinium IoC Domains Detected . . . . . . . . . . . . . . . . . . . . . 346
2.771LP_Suspicious VMToolsd Child Process . . . . . . . . . . . . . . . . . . . . 347
2.772LP_Credential Access via Pypykatz . . . . . . . . . . . . . . . . . . . . . . 347
2.773LP_Atlassian Confluence CVE-2021-26084 Exploitation . . . . . . . . . . . 348
2.774LP_Impacket PsExec Execution . . . . . . . . . . . . . . . . . . . . . . . . 348
2.775LP_Oracle WebLogic CVE-2021-2109 Exploitation . . . . . . . . . . . . . 349
2.776LP_Possible JSP Webshell Detected . . . . . . . . . . . . . . . . . . . . . 349

2.777LP_PowerShell ADRecon Execution . . . . . . . . . . . . . . . . . . . . . . 349
2.778LP_PowerView PowerShell Commandlets . . . . . . . . . . . . . . . . . . 350
2.779LP_PowerView PowerShell Commandlets . . . . . . . . . . . . . . . . . . 351
2.780LP_SpringShell Indicators of Compromise Detected . . . . . . . . . . . . 352
2.781LP_SpringShell Indicators of Compromise Detected . . . . . . . . . . . . 352
2.782LP_SpringShell Webshell Detected in URL . . . . . . . . . . . . . . . . . . 353
2.783LP_Stealthy VSTO Persistence . . . . . . . . . . . . . . . . . . . . . . . . . 353
2.784LP_Suspicious DLL or VBS Files being created in ProgramData . . . . . . 353
2.785LP_Suspicious VMToolsd Child Process . . . . . . . . . . . . . . . . . . . . 354
2.786LP_Suspicious WMPRVSE Child Process . . . . . . . . . . . . . . . . . . . 354
2.787LP_TerraMaster TOS CVE-2020-28188 Exploitation . . . . . . . . . . . . . 355
2.788LP_VMware VSphere CVE-2021-21972 Exploitation . . . . . . . . . . . . . 355
2.789LP_VMware View Planner CVE-2021-21978 Exploitation . . . . . . . . . . 356
2.790LP_Zoho ManageEngine ADSelfService Plus CVE-2021-40539 Exploitation . . . 356
2.791LP_Possible Access to ADMIN Share . . . . . . . . . . . . . . . . . . . . . 356
2.792LP_PsExec Tool Execution Detected . . . . . . . . . . . . . . . . . . . . . 357
2.793LP_Screensaver Activities Detected . . . . . . . . . . . . . . . . . . . . . . 357
2.794LP_Suspect Svchost Activity Detected . . . . . . . . . . . . . . . . . . . . 358
2.795LP_Time-Stomping of Users Directory Files Detected . . . . . . . . . . . . 358
2.796LP_Windows Defender Exclusion Set Detected . . . . . . . . . . . . . . . 359
2.797LP_Suspicious Netsh DLL Persistence Detected . . . . . . . . . . . . . . . 359
2.798LP_Suspicious Use of Procdump Detected . . . . . . . . . . . . . . . . . . 360
2.799LP_Usage of Procdump Detected . . . . . . . . . . . . . . . . . . . . . . . 360
2.800LP_Conhost Spawning Suspicious Processes . . . . . . . . . . . . . . . . . 360
2.801LP_Proxy Execution via Explorer . . . . . . . . . . . . . . . . . . . . . . . 361
2.802LP_Wlrmdr Lolbin Use as Launcher . . . . . . . . . . . . . . . . . . . . . . 361
2.803LP_Suspicious Process Execution via Pester Detected . . . . . . . . . . . 361
2.804LP_Root Certificate Installation Detected . . . . . . . . . . . . . . . . . . 362
2.805LP_Suspicious process spawned by FTP . . . . . . . . . . . . . . . . . . . 362
2.806LP_ChromeLoader IoC Domains Detected . . . . . . . . . . . . . . . . . . 363
2.807LP_ChromeLoader IoC Hashes Detected . . . . . . . . . . . . . . . . . . . 363
2.808LP_Chromeloader Cross-Process Injection to Load Extention . . . . . . . 364
2.809LP_Proxy Execution via Explorer . . . . . . . . . . . . . . . . . . . . . . . 364
2.810LP_Suspicious Root Certificate installation Detected . . . . . . . . . . . . 364
2.811LP_Windows Logon Reminder Usage as Launcher . . . . . . . . . . . . . . 365
2.812LP_Suspicious File Transfer Using Replace . . . . . . . . . . . . . . . . . . 365
2.813LP_Proxy Execution via Program Compatibility Wizard . . . . . . . . . . . 366
2.814LP_Suspicious Driver Installation via PnPUtil . . . . . . . . . . . . . . . . . 366
2.815LP_Application Whitelisting Bypass via PresentationHost . . . . . . . . . 367
2.816LP_Suspicious File Extraction via Expand Detected . . . . . . . . . . . . . 367
2.817LP_Shell spawn via HTML Help Detected . . . . . . . . . . . . . . . . . . . 368
2.818LP_DLL Injection with Tracker Detected . . . . . . . . . . . . . . . . . . . 368
2.819LP_Powershell Code Execution via SyncAppvPublishingServer . . . . . . 369
2.820LP_Malicious PE Execution by Microsoft Visual Studio Debugger . . . . . 369
2.821LP_Suspicious Atbroker Registry Change Detected . . . . . . . . . . . . . 370

2.822LP_DLL loaded Via Certoc Binary Detected . . . . . . . . . . . . . . . . . 370
2.823LP_Suspicious Remote Binary Usage Detected . . . . . . . . . . . . . . . 371
2.824LP_Suspicious File Execution Using wscript or cscript . . . . . . . . . . . . 371
2.825LP_Suspicious ASP NET Compiler Execution Detected . . . . . . . . . . . 372
2.826LP_Suspicious LoadAssembly PowerShell Diagnostic Script Execution . . 372
2.827LP_Suspicious Invocation PowerShell Diagnostic Script Execution . . . . . 373
2.828LP_Registry Configured RunOnce Task Execution . . . . . . . . . . . . . . 373
2.829LP_RunOnce Registry Key Configuration Change . . . . . . . . . . . . . . 374
2.830LP_Suspicious WSL Bash Execution . . . . . . . . . . . . . . . . . . . . . . 374
2.831LP_WSL Execution Detected . . . . . . . . . . . . . . . . . . . . . . . . . . 374
2.832LP_Supsicious Usage of Csharp or Roslyn Csharp Interactive Console . . 375
2.833LP_Suspicious Use of CSharp Interactive Console Detected . . . . . . . . 375
2.834LP_Suspicious File Download via Certreq . . . . . . . . . . . . . . . . . . . 376
2.835LP_Process Dump via Rundll32 and Comsvcs . . . . . . . . . . . . . . . . 376
2.836LP_Registry Key Import Detected . . . . . . . . . . . . . . . . . . . . . . . 377
2.837LP_Suspicious MachineGUID Query Detected . . . . . . . . . . . . . . . . 377
2.838LP_Process Injection Via Mavinject Detected . . . . . . . . . . . . . . . . 378
2.839Possible File Transfer Using Finger Detected . . . . . . . . . . . . . . . . 378
2.840LP_Suspicious Use of Findstr Detected . . . . . . . . . . . . . . . . . . . . 379
2.841LP_Suspicious File Overwrite Using extrac32 Detected . . . . . . . . . . . 379
2.842LP_Suspicious Sysmon Driver Unload Detected . . . . . . . . . . . . . . . 380
2.843LP_Windows Packet Monitoring Tool Usage Detected . . . . . . . . . . . 380
2.844LP_Suspicious Execution via IE per User Utility . . . . . . . . . . . . . . . 381
2.845LP_Proxy Execution via xWizard . . . . . . . . . . . . . . . . . . . . . . . . 381
2.846LP_Suspicious MSHTA Process Pattern . . . . . . . . . . . . . . . . . . . . 382
2.847LP_COM Object Execution via Shell Extension CLSID Verification Host . 382
2.848LP_Suspicious Setup Information File Invoked via DefaultInstall . . . . . . 383
2.849LP_Creation of Alternate Data Stream . . . . . . . . . . . . . . . . . . . . 383
2.850LP_Alternate Data Stream Created using Findstr . . . . . . . . . . . . . . 384
2.851LP_Suspicious Download Using Diantz . . . . . . . . . . . . . . . . . . . . 384
2.852LP_Ngrok RDP Tunnel Detected . . . . . . . . . . . . . . . . . . . . . . . . 385
2.853LP_Ngrok Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
2.854LP_AD Privesc CVE-2022-26923 Exploitation . . . . . . . . . . . . . . . . 386
2.855LP_Possible Ransomware Deletion Volume Shadow Copies Detected . . 386
2.856LP_Windows Defender Uninstall via PowerShell . . . . . . . . . . . . . . . 387
2.857LP_Hijacked Binary Execution via Settings Synchronizer . . . . . . . . . . 387
2.858LP_Suspicious Execution of Dump64 . . . . . . . . . . . . . . . . . . . . . 388
2.859LP_Code Compilation via Visual Basic Command Line Compiler . . . . . . 388
2.860LP_File Downloaded from Suspicious URL Using GfxDownloadWrapper . 389
2.861LP_Suspicious CLR Logs File Creation . . . . . . . . . . . . . . . . . . . . 389
2.862LP_CLR DLL Loaded via Scripting Application . . . . . . . . . . . . . . . . 390
2.863LP_Obfuscation Script Usage via MSHTA to Execute Vbscript . . . . . . . 390
2.864LP_Microsoft Defender Logging Disabled . . . . . . . . . . . . . . . . . . 391
2.865LP_UAC Bypass via CMLUA or CMSTPLUA . . . . . . . . . . . . . . . . . 391
2.866LP_High Number of Service Stop or Task Kill in Short Span . . . . . . . . 391

2.867LP_LSA Protected Process Light Disabled . . . . . . . . . . . . . . . . . . 392
2.868LP_Suspicious Invocation of Microsoft Workflow Compiler . . . . . . . . . 393
2.869LP_Process Dump via Sqldumper Detected . . . . . . . . . . . . . . . . . 393
2.870LP_Suspicious Usage of SQLToolsPS Detected . . . . . . . . . . . . . . . . 394
2.871LP_Proxy Execution of Malicious Payload via Pubprn . . . . . . . . . . . . 394
2.872LP_File Download via IMEWDBLD . . . . . . . . . . . . . . . . . . . . . . . 395
2.873LP_Memory Dump via Adplus . . . . . . . . . . . . . . . . . . . . . . . . . 395
2.874LP_TTDInject Usage Detected . . . . . . . . . . . . . . . . . . . . . . . . . 396
2.875LP_Remote Thread Created via Ttdinject . . . . . . . . . . . . . . . . . . . 396
2.876LP_Proxy Download via OneDriveStandaloneUpdater . . . . . . . . . . . 396
2.877LP_Suspicious WMIC ActiveScriptEventConsumer Created . . . . . . . . 397
2.878LP_Remote Connection Established via Msbuild . . . . . . . . . . . . . . . 397
2.879LP_Executables Started in Suspicious Folder . . . . . . . . . . . . . . . . . 398
2.880LP_Windows RDP Port Modified . . . . . . . . . . . . . . . . . . . . . . . 398
2.881LP_Binary Creation in System Folder Detected . . . . . . . . . . . . . . . 399
2.882LP_Curl Silent Mode Execution Detected . . . . . . . . . . . . . . . . . . 399
2.883LP_High Volume of File Modification or Deletion in Short Span . . . . . . 400
2.884LP_Non-Existent User Login Attempt Detected . . . . . . . . . . . . . . . 400
2.885LP_Execution of Temporary Files Via Office Application . . . . . . . . . . 401
2.886LP_Execution of Temporary Files Via Office Application . . . . . . . . . . 401
2.887LP_Malicious Image Loaded Via Excel . . . . . . . . . . . . . . . . . . . . 402
2.888LP_Malicious Chrome Extension Detected . . . . . . . . . . . . . . . . . . 402
2.889LP_Chrome Extension Installed Outside of the Webstore . . . . . . . . . 402
2.890LP_Chrome Extension Installed with DevTools Permission . . . . . . . . . 403
2.891LP_Defender SpyNet Reporting Disabled . . . . . . . . . . . . . . . . . . 403
2.892LP_Suspicious WMIC Process Creation . . . . . . . . . . . . . . . . . . . . 404
2.893LP_Browser Credential Files Accessed . . . . . . . . . . . . . . . . . . . . 404
2.894LP_Windows Defender Antivirus Definitions Removal Detected . . . . . . 405
2.895LP_Exchange ProxyShell Pattern Detected . . . . . . . . . . . . . . . . . . 405
2.896LP_Successful Exchange ProxyShell Attack . . . . . . . . . . . . . . . . . . 406
2.897LP_Malicious Base64 Encoded PowerShell Keywords in Command Lines Detected . . . 406
2.898LP_DLL Loaded Via AllocConsole and RunDLL32 . . . . . . . . . . . . . . 407
2.899LP_Active Directory Database Dump Attempt . . . . . . . . . . . . . . . . 408
2.900LP_Suspicious Child Process Creation via OneNote . . . . . . . . . . . . . 408
2.901LP_Usage of Web Request Command . . . . . . . . . . . . . . . . . . . . 409
2.902LP_Reconnaissance Activity with Nltest . . . . . . . . . . . . . . . . . . . . 409
2.903LP_Regsvr32 Network Activity Detected . . . . . . . . . . . . . . . . . . . 410
2.904LP_Possible Reconnaissance Activity . . . . . . . . . . . . . . . . . . . . . 410
2.905LP_Privilege Escalation via Kerberos KrbRelayUp . . . . . . . . . . . . . . 411
2.906LP_Suspicious Execution of LNK File . . . . . . . . . . . . . . . . . . . . . 411
2.907LP_Insecure Policy Set via Set-ExecutionPolicy . . . . . . . . . . . . . . . 412
2.908LP_Network Connection to Suspicious Server . . . . . . . . . . . . . . . . 413

3 NON-MITRE ATT&CK Analytics 414

3.1 LP_Windows Login Attempt on Disabled Account . . . . . . . . . . . . . 414
3.2 LP_VMware Link Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
3.3 LP_VMware Link Down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
3.4 LP_LogPoint License Expiry Status . . . . . . . . . . . . . . . . . . . . . . 415
3.5 LP_Mitre Initial Access Using Spearphishing link Detected . . . . . . . . . 415
3.6 LP_Mitre Command and Control Using Standard Application Layer Protocol Detected . . . 416
3.7 LP_Endpoint Protect Threat Content Detected . . . . . . . . . . . . . . . 416
3.8 LP_Endpoint Protect Device Disconnect . . . . . . . . . . . . . . . . . . . 417
3.9 LP_Endpoint Protect File Delete . . . . . . . . . . . . . . . . . . . . . . . . 417
3.10 LP_Endpoint Protect File Copied To USB Device . . . . . . . . . . . . . . 417
3.11 LP_System Owner or User Discovery Process Detected . . . . . . . . . . 418
3.12 LP_System Services Discovery Detected . . . . . . . . . . . . . . . . . . . 418
3.13 LP_SolarisLDAP Password Spraying Attack Detected . . . . . . . . . . . . 419
3.14 LP_Bumblebee IoC Domains Detected . . . . . . . . . . . . . . . . . . . . 419
3.15 LP_Bumblebee IoC Hashes Detected . . . . . . . . . . . . . . . . . . . . . 420
3.16 LP_Bumblebee User Agent Detected . . . . . . . . . . . . . . . . . . . . . 420
3.17 LP_Microsoft Defender AMSI Trigger . . . . . . . . . . . . . . . . . . . . . 420
3.18 LP_Petitpotam - Anonymous RPC and File Share . . . . . . . . . . . . . . 421
3.19 LP_RDP Sensitive Settings Changed . . . . . . . . . . . . . . . . . . . . . 421
3.20 LP_Secure Deletion with SDelete . . . . . . . . . . . . . . . . . . . . . . . 422
3.21 LP_Suspicious Keyboard Layout Load Detected . . . . . . . . . . . . . . . 422
3.22 LP_Remote Code Execution using WMI Win32_Process Class over WinRM . . . 422
3.23 LP_Remote Code Execution using WMI Win32_Service Class over WinRM 423
3.24 LP_Suspicious Microsoft SQL Server PowerShell Module Use Detected . 423
3.25 LP_Shadow Copy Deletion Using OS Utilities Detected . . . . . . . . . . 424
3.26 LP_Child Process Spawned via Diskshadow Detected . . . . . . . . . . . 425
3.27 LP_Code Execution Via Diskshadow Detected . . . . . . . . . . . . . . . . 425
3.28 LP_Process Pattern Match For CVE-2021-40444 Exploitation . . . . . . . 426
3.29 LP_Suspicious Extexport Execution Detected . . . . . . . . . . . . . . . . 426
3.30 LP_Proxy Execution via Workfolders . . . . . . . . . . . . . . . . . . . . . 427
3.31 LP_Proxy Execution via Windows Update Client . . . . . . . . . . . . . . . 427
3.32 LP_Suspicious DLL Execution Using Windows Address Book . . . . . . . 428
3.33 LP_Suspicious Use of Dotnet Detected . . . . . . . . . . . . . . . . . . . . 428
3.34 LP_Execution of Arbitrary Executable Using Stordiag . . . . . . . . . . . . 429
3.35 LP_Process Creation via Time Travel Tracer . . . . . . . . . . . . . . . . . 429
3.36 LP_Time Travel Debugging Utility DLL Loaded . . . . . . . . . . . . . . . 430
3.37 LP_File Execution via Msdeploy . . . . . . . . . . . . . . . . . . . . . . . . 430
3.38 LP_CVE-2022-40684 Exploitation Detected . . . . . . . . . . . . . . . . . 430
3.39 LP_Possible Proxy Execution of Malicious Code . . . . . . . . . . . . . . . 431
3.40 LP_Suspicious Usage of BitLocker Management Script . . . . . . . . . . . 431
3.41 LP_Proxy Execution of Payloads via Microsoft Signed Script . . . . . . . . 432
3.42 LP_Execution of Windows Defender Offline Shell from Suspicious Folder 432
3.43 LP_DLL Loaded Via AccCheckConsole . . . . . . . . . . . . . . . . . . . . 433
3.44 LP_Proxy Execution via Appvlp . . . . . . . . . . . . . . . . . . . . . . . . 433

3.45 LP_Proxy DLL Execution via UtilityFunctions . . . . . . . . . . . . . . . . . 434
3.46 LP_Suspicious Usage of Squirrel Binary . . . . . . . . . . . . . . . . . . . . 434
3.47 LP_Suspicious File Share Permission . . . . . . . . . . . . . . . . . . . . . 435
3.48 LP_Legitimate Application Dropping Script File . . . . . . . . . . . . . . . 435

4 Alert Rules Dashboards 436


4.1 Adding the Alert Rules Dashboard . . . . . . . . . . . . . . . . . . . . . . 436

5 KB-Lists 440

6 Appendix 446

CHAPTER ONE

ALERT RULES

Alert Rules consists of alert packages, a dashboard package and Knowledge Base
(KB) lists for the analytics integrated into Logpoint. It provides a compliance and
triage dashboard for analyzing trends and behaviors of entities and users within the
organization and for performing a defensive gap assessment against MITRE ATT&CK.
The alerts triggered by Logpoint are categorized by the MITRE ATT&CK framework
and are the starting point for building further detection techniques. When Logpoint
identifies threats in your environment, it triggers security alerts based on predefined
rules, so that you can detect malicious activity, advanced malware and their Tactics,
Techniques and Procedures (TTPs) early and take corrective action. You can customize
the dashboards and alerts to suit your needs and perform in-depth analysis with
custom data and searches.
Logpoint's ATT&CK Navigator shows the coverage of the ATT&CK framework in Logpoint.
You can use the navigator to match Logpoint alerts with the relevant ATT&CK techniques
and tactics. Read more about MITRE ATT&CK techniques and tactics, and their
integration in Logpoint, on the Logpoint website.
Alert Rules consists of the following components:

1. Dashboard Package

LP_Mitre Attack Analytics Overview

2. Alert Packages

Details of the Alert Rules are discussed in the chapters MITRE ATT&CK
Analytics and NON-MITRE ATT&CK Analytics.

3. KB-Lists

Details of the KB-Lists are discussed in the chapter KB-Lists.

1.1 Required Log Source


MITRE ATT&CK Analytics

Alert Rules Documentation, Release latest

• Windows Security Audit

• Windows Sysmon

Default Alert Rules

• All applicable log sources

1.1. Required Log Source 2


CHAPTER TWO

MITRE ATT&CK ANALYTICS

The MITRE ATT&CK alerts available in Alert Rules are:

2.1 LP_Suspicious Named Pipe Connection to Azure AD Connect Database

• Trigger condition: A named pipe connection to the Azure AD Connect database
(the *\tsql\query pipe of its local SQL instance) from a process other than the
AD Sync service (miiserver.exe) or SqlCmd.exe is detected, for example from
PowerShell. This may indicate an attacker dumping the plaintext credentials of
the on-premises AD and Azure AD connector accounts with a tool such as
AADInternals.

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon label=Pipe label=Connect pipe="*\tsql\query" -image IN ["*\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe", "*\Tools\Binn\SqlCmd.exe"]

2.2 LP_Suspicious Driver Loaded


• Trigger condition: Loading of a known driver that adversaries abuse for
malicious purposes is detected. The drivers themselves are legitimate, but threat
actors misuse them. This alert requires the SUSPICIOUS_DRIVER list to be populated.

• ATT&CK Tag: -

• ATT&CK ID: -


• Minimum Log Source Requirement: Windows Sysmon

• Query:

label=Image label=Load image IN SUSPICIOUS_DRIVER

2.3 LP_AADInternals PowerShell Cmdlet Execution


• Trigger condition: Execution of AADInternals cmdlets is detected in PowerShell
script block logs. AADInternals (ATT&CK software ID S0677) is a PowerShell module
containing tools for administering and attacking Azure AD and Office 365.
Adversaries run it on the server where Azure AD Connect is installed to extract the
connector credentials and compromise the Azure AD environment. Script blocks are
matched against the AADINTERNALS_CMDLETS list.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows PowerShell with script block logging
(event ID 4104) enabled

• Query:

norm_id=WinServer event_source="Microsoft-Windows-PowerShell" event_id=4104 script_block IN AADINTERNALS_CMDLETS

2.4 LP_Suspicious Scheduled Task Creation via Masqueraded XML File

• Trigger condition: Creation of a scheduled task with schtasks.exe /create /xml
from a task definition whose file name does not end in .xml is detected, i.e. an
XML task definition with a masqueraded extension. Known installer parent
processes and the Windows Installer custom-action path are excluded.

• ATT&CK Category: Persistence, Defense Evasion

• ATT&CK Tag: Masquerading, Match Legitimate Name or Location, Scheduled


Task/Job and Scheduled Task

• ATT&CK ID: T1036, T1036.005, T1053 and T1053.005

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=create label="process" "process"="*\schtasks.exe" command IN ["*/create*", "*-create*"] command IN ["*/xml*","*-xml*"] (-integrity_level=system OR -integrity_label=*system*) -command = *.xml* ((-parent_process IN ["*:\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe", "*:\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe", "*:\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe", "*:\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe", "*:\Program Files\Dell\SupportAssist\pcdrcui.exe" ] ) OR (-parent_process = "*\rundll32.exe" command = "*:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc" ))

2.5 LP_Suspicious Microsoft Equation Editor Child Process


• Trigger condition: A suspicious child process of Microsoft's Equation Editor
(EQNEDT32.exe) is detected, a sign of possible exploitation of CVE-2017-11882, a
memory corruption vulnerability in the Equation Editor component of Microsoft
Office. WerFault.exe, which Windows spawns when the editor crashes, is excluded.
• ATT&CK Category: Execution
• ATT&CK Tag: Exploitation for Client Execution
• ATT&CK ID: T1203
• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create parent_process="*\EQNEDT32.exe" -"process" IN ["C:\Windows\System32\WerFault.exe", "C:\Windows\SysWOW64\WerFault.exe"]

2.6 LP_Windows Error Process Masquerading


• Trigger condition: A Windows Error Reporting process (WerMgr.exe or WerFault.exe)
that opens a network connection within one minute of starting is detected. Attackers
name their payloads after these binaries to blend in; tune on destination_address,
since genuine WER report uploads also connect out.
• ATT&CK Category: Defense Evasion
• ATT&CK Tag: Masquerading
• ATT&CK ID: T1036
• Minimum Log Source Requirement: Windows Sysmon

• Query:

[norm_id=WindowsSysmon event_id=1 "process" IN ["*\WerMgr.exe", "*\WerFault.exe"]] as s1 followed by [norm_id=WindowsSysmon event_id=3 "process" IN ["*\WerMgr.exe", "*\WerFault.exe"]] as s2 within 1 minute on s1.process_guid=s2.process_guid | rename s1.host as host, s1.user as user, s1.domain as domain, s1.image as image, s2.destination_address as destination_address, s2.destination_port as destination_port

2.7 LP_Bypass UAC via CMSTP Detected


• Trigger condition: Execution of the Microsoft Connection Manager Profile Installer
(cmstp.exe) with the /s, /au or /ni switches (or their dash forms) is detected.
cmstp.exe is auto-elevated, and an attacker-supplied INF file installed with these
switches can run arbitrary commands at high integrity, bypassing UAC.

• ATT&CK Category: Privilege Escalation, Defense Evasion

• ATT&CK Tag: CMSTP, Abuse Elevation Control Mechanism, Bypass User Account
Control

• ATT&CK ID: T1218.003, T1548, T1548.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process"="*\cmstp.exe" command IN ["*/s*", "*/au*", "*/ni*", "*-s*", "*-au*", "*-ni*"] -user IN EXCLUDED_USERS

2.8 LP_Application Whitelisting Bypass via Dxcap Detected

• Trigger condition: Execution of dxcap.exe, the DirectX capture tool shipped with
Visual Studio, with the -c switch and an executable as argument is detected.
Adversaries use it to launch their payload from a signed Microsoft binary and so
bypass process- or signature-based defenses.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Trusted Developer Utilities Proxy Execution

• ATT&CK ID: T1127

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process"="*\dxcap.exe" command="*-c*" command="*.exe*" -user IN EXCLUDED_USERS


2.9 LP_Suspicious WMIC XSL Script Execution


• Trigger condition: wmic.exe invoked with a /format: stylesheet that is not one of
the built-in output formats, followed within two minutes by the same process
loading a Windows Script engine (jscript.dll or vbscript.dll), is detected.
Adversaries abuse XSL script processing in this way to run script code and bypass
application whitelisting.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: XSL Script Processing

• ATT&CK ID: T1220

• Minimum Log Source Requirement: Windows Sysmon

• Query:

[norm_id=WindowsSysmon event_id=1 file="wmic.exe" command IN ["* format*:*", "*/format*:*", "*-format*:*"] -command IN ["*format:list*", "*format:table*", "*format:htable", "*format:texttablewsys*", "*format:texttable*", "*format:textvaluelist*", "*format:TEXTVALUELIST*", "*format:csv*", "*format:value*"]] as s1 followed by [norm_id=WindowsSysmon event_id=7 image IN ["*\jscript.dll", "*\vbscript.dll"]] as s2 within 2 minute on s1.process_guid=s2.process_guid | rename s1.image as image, s1.host as host, s1.domain as domain, s1.command as command, s2.image as loaded_image

2.10 LP_Suspicious File Execution via MSHTA


• Trigger condition: Execution of inline JavaScript or VBScript, or of a file with
an unexpected extension (.jpg, .png, .lnk, .xls, .doc or .zip), via mshta.exe is
detected. mshta.exe runs HTML Applications and executes script embedded in a
file regardless of its extension.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: JavaScript, Deobfuscate/Decode Files or Information, Mshta

• ATT&CK ID: T1059.007, T1140, T1218.005

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" "process"="*\mshta.exe" command IN ["*javascript*", "*vbscript*", "*.jpg*", "*.png*", "*.lnk*", "*.xls*", "*.doc*", "*.zip*"] -user IN EXCLUDED_USERS


2.11 LP_Regsvr32 Anomalous Activity Detected


• Trigger condition: Anomalous use of regsvr32.exe is detected: a DLL registered
from a Temp directory, regsvr32.exe spawned by PowerShell or cmd.exe, scrobj.dll
invoked with a remote http or ftp scriptlet, wscript.exe spawned by regsvr32.exe,
or Excel launching regsvr32.exe through a relative ..\..\..\Windows\System32 path.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Regsvr32

• ATT&CK ID: T1218, T1218.010

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((image="*\regsvr32.exe" command="*\Temp\*") OR (image="*\regsvr32.exe" parent_image="*\powershell.exe") OR (image="*\regsvr32.exe" parent_image="*\cmd.exe") OR (image="*\regsvr32.exe" command IN ["*/i:http* scrobj.dll", "*/i:ftp* scrobj.dll"]) OR (image="*\wscript.exe" parent_image="*\regsvr32.exe") OR (image="*\EXCEL.EXE" command="*..\..\..\Windows\System32\regsvr32.exe *")) -user IN EXCLUDED_USERS

2.12 LP_Remote File Execution via MSIEXEC


• Trigger condition: Suspicious use of msiexec.exe to quietly install a remote
Microsoft Software Installer (MSI) package over HTTP (/i together with /q, /qn or
/quiet) is detected, excluding runs spawned by setup processes or at SYSTEM
integrity.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Msiexec

• ATT&CK ID: T1218, T1218.007

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 file="msiexec.exe" command="*http://*" command IN ["*/i*", "*-i*"] command IN ["*/q*", "*/quiet*", "*/qn*", "*-q*", "*-quiet*", "*-qn*"] -(parent_image="*setup*") -integrity_level=SYSTEM


2.13 LP_Execution of Trojanized 3CX Application


• Trigger condition: Execution of a trojanized build of the 3CX Desktop App is
detected. Windows versions 18.12.407 and 18.12.416 are known to have been
trojanized by the Lazarus Group and carry a valid 3CX code-signing signature, so
signature checks alone do not catch them.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 file="3CXDesktopApp.exe" product IN ["*3CX Ltd*","*3CX Desktop App*"] file_version IN ["*18.12.407*","18.12.416*"]

2.14 LP_Msbuild Spawned by Unusual Parent Process


• Trigger condition: Suspicious use of msbuild.exe by an uncommon parent process
is detected. msbuild.exe is a legitimate Microsoft tool used for building and
deploying software applications.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Trusted Developer Utilities Proxy Execution, MSBuild

• ATT&CK ID: T1127, T1127.001

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label=Create label="Process" "process"="*\MSBuild.exe" -parent_process in ["*\devenv.exe", "*\cmd.exe", "*\msbuild.exe", "*\python.exe", "*\explorer.exe", "*\nuget.exe"]

2.15 LP_Suspicious Files Designated as System Files Detected

• Trigger condition: Use of attrib.exe with the +s option to mark scripts or
executables (.bat, .dll, .exe, .hta, .ps1, .vbe, .vbs) in suspicious locations (paths
built from environment variables, Users\Public, AppData\Local, ProgramData or
Windows\Temp) as system files is detected. Adversaries do this to hide payloads
from users and make them harder to find or remove. attrib.exe is a Windows
command-line utility for changing file or folder attributes such as read-only,
hidden and system.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hide Artifacts, Hidden Files and Directories

• ATT&CK ID: T1564, T1564.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Create label="Process" "process"="*\attrib.exe" command = "* +s *" command in ["* %*", "*\Users\Public\*", "*\AppData\Local\*", "*\ProgramData\*", "*\Windows\Temp\*"] command in ["*.bat*", "*.dll*", "*.exe*", "*.hta*", "*.ps1*", "*.vbe*", "*.vbs*"] -command="*\Windows\TEMP\*.exe*"

2.16 LP_UAC Bypass Attempt via Windows Directory Masquerading

• Trigger condition: A User Account Control (UAC) bypass attempt is detected when
a High-integrity process runs from a look-alike of a trusted Windows directory, such
as C:\Windows \System32 (note the space after Windows) or C:\ Windows\System32.
Masquerading is a technique in which adversaries manipulate features of their
artifacts so that they appear legitimate or benign to users and security tools.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control

• ATT&CK ID: T1548, T1548.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create integrity_level=High "process" IN ["C:\Windows \System32\*.exe", "C:\Windows \SysWOW64\*.exe", "C:\ Windows*\System32\*.exe", "C:\ Windows*\SysWOW64\*.exe"]


2.17 LP_Bypass User Account Control using Registry


• Trigger condition: A User Account Control (UAC) bypass via registry hijacking is
detected. Adversaries write a command to *\mscfile\shell\open\command\* or
*\ms-settings\shell\open\command\* so that an auto-elevated binary which consults
these keys (eventvwr.exe and fodhelper.exe, respectively) launches it with elevated
privileges. The alert matches registry key creation or deletion, value set and
rename events (Sysmon event IDs 12, 13 and 14) on those paths.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Bypass User Account Control

• ATT&CK ID: T1548

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\mscfile\shell\open\command\*" or target_object="*\ms-settings\shell\open\command\*") -user IN EXCLUDED_USERS

2.18 LP_LSASS Process Access by Mimikatz


• Trigger condition: Process access to LSASS with an access mask typical of
Mimikatz is detected (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400
PROCESS_QUERY_INFORMATION, used only by old versions, and 0x0010
PROCESS_VM_READ).

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=10 image="C:\windows\system32\lsass.exe" access IN ["0x1410", "0x1010"] -user IN EXCLUDED_USERS


2.19 LP_UAC Bypass via Sdclt Detected


• Trigger condition: A User Account Control (UAC) bypass via changes to
HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand or
HKCU:\Software\Classes\Folder\shell\open\command is detected.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Bypass User Account Control

• ATT&CK ID: T1548, T1548.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id="13" target_object IN ["HKU\*Classes\exefile\shell\runas\command\isolatedCommand", "HKU\*Classes\Folder\shell\open\command"]

2.20 LP_Unsigned Image Loaded Into LSASS Process


• Trigger condition: Loading of unsigned images like DLL or EXE into the LSASS
process is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, LSASS Memory

• ATT&CK ID: T1003, T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 image="*\lsass.exe" signed="false" -user IN EXCLUDED_USERS

2.21 LP_Usage of Sysinternals Tools Detected


• Trigger condition: The use of Sysinternals tools is detected through the addition of
the accepteula key to the registry.

• ATT&CK Category: Defense Evasion


• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(event_id="13" target_object="*\EulaAccepted") OR (event_id="1" command="* -accepteula*")

2.22 LP_Microsoft SharePoint Remote Code Execution Detected


• Trigger condition: Remote code execution in Microsoft SharePoint
(CVE-2019-19781) is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: Firewall, IDS/IPS, Web server

• Query:

request_method=POST (url='*_layouts/15/Picker.aspx*WebControls.ItemPickerDialog*' OR resource='*_layouts/15/Picker.aspx*WebControls.ItemPickerDialog*')

2.23 LP_DenyAllWAF SQL Injection Attack


• Trigger condition: DenyAll WAF detects an SQL injection attack.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: DenyAll WAF

• Query:

norm_id=DenyAllWAF label=SQL label=Injection

2.24 LP_Mitre - Initial Access - Valid Account - Unauthorized IP Access


• Trigger condition: A user login event from an unauthorized country is detected.
For this alert to work, you must update the KNOWN_COUNTRY list with countries
where login is denied.

• ATT&CK Category: Initial Access, Persistence, Privilege Escalation, Defense Evasion

• ATT&CK Tag: Valid Accounts

• ATT&CK ID: T1078

• Minimum Log Source Requirement: Windows

• Query:

label=User label=Login source_address=* | process geoip(source_address) as country | search -country IN KNOWN_COUNTRY

2.25 LP_Windows CryptoAPI Spoofing Vulnerability Detected


• Trigger condition: Exploitation of the vulnerability CVE-2020-0601 is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Subvert Trust Controls, Code Signing

• ATT&CK ID: T1553, T1553.002

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label=CVE label=Exploit label=Detect cve_id="CVE-2020-0601" -user IN EXCLUDED_USERS


2.26 LP_Malicious use of Scriptrunner Detected


• Trigger condition: The malicious use of Scriptrunner.exe is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="create" label="process" ("process"="*\ScriptRunner.exe" OR file="ScriptRunner.exe") command="* -appvscript *"

2.27 LP_Suspicious process related to Rundll32 Detected


• Trigger condition: A suspicious process related to RunDLL32.exe is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Rundll32

• ATT&CK ID: T1218.011

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="create" label="process" (command IN ["*javascript:*", "*.RegisterXLL*"] OR (command="*url.dll*" command="*OpenURL*") OR (command="*url.dll*" command="*OpenURLA*") OR (command="*url.dll*" command="*FileProtocolHandler*") OR (command="*zipfldr.dll*" command="*RouteTheCall*") OR (command="*shell32.dll*" command="*Control_RunDLL*") OR (command="*shell32.dll*" command="*ShellExec_RunDLL*") OR (command="*mshtml.dll*" command="*PrintHTML*") OR (command="*advpack.dll*" command="*LaunchINFSection*") OR (command="*advpack.dll*" command="*RegisterOCX*") OR (command="*ieadvpack.dll*" command="*LaunchINFSection*") OR (command="*ieadvpack.dll*" command="*RegisterOCX*") OR (command="*ieframe.dll*" command="*OpenURL*") OR (command="*shdocvw.dll*" command="*OpenURL*") OR (command="*syssetup.dll*" command="*SetupInfObjectInstallAction'*") OR (command="*setupapi.dll*" command="*InstallHinfSection*") OR (command="*pcwutl.dll*" command="*LaunchApplication*") OR (command="*dfshim.dll*" command="*ShOpenVerbApplication*"))


2.28 LP_Javascript conversion to executable Detected


• Trigger condition: The Windows executable jsc.exe is used to compile JavaScript
files into malicious executables.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Trusted Developer Utilities Proxy Execution

• ATT&CK ID: T1127

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="create" label="process" "process"="*\jsc.exe" command="*.js*"

2.29 LP_Suspicious Execution of Gpscript Detected


• Trigger condition: The Group Policy script host gpscript.exe is used to execute
logon or startup scripts configured in Group Policy.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="create" label="process" "process"="*\gpscript.exe" command IN ["* /logon*", "* /startup*"]

2.30 LP_Proxy Execution via Desktop Setting Control Panel


• Trigger condition: The Windows internal binary rundll32 with desk.cpl is used to
execute a spoofed binary with a “.cpl” extension.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Rundll32


• ATT&CK ID: T1218.011

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label="Create" "process"="*\rundll32.exe" command="*desk.cpl*InstallScreenSaver*.scr*"

2.31 LP_ScreenSaver Registry Key Set Detected


• Trigger condition: A file masquerading with a .scr extension and run via rundll32
with desk.cpl is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Rundll32

• ATT&CK ID: T1218.011

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Registry label=Value label=Set "process"="*\rundll32.exe" detail="*.scr" -detail in ["*C:\Windows\system32\*","*C:\Windows\SysWOW64\*" ] target_object="*\Control Panel\Desktop\SCRNSAVE.EXE"

2.32 LP_Xwizard DLL Side Loading Detected


• Trigger condition: The use of the xwizard binary from a non-default directory is
detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: DLL Side-Loading

• ATT&CK ID: T1574.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process"="*\xwizard.exe" -"process"="C:\Windows\System32\*"

2.33 LP_DLL Side Loading Via Microsoft Defender


• Trigger condition: Execution of the MpCmdRun binary from a non-default path is
detected.

• ATT&CK Category: Persistence, Defense Evasion

• ATT&CK Tag: DLL Side-Loading

• ATT&CK ID: T1574.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Image label=Load "process" IN ["*\MpCmdRun.exe","*\NisSrv.exe"] -"process" IN ["C:\Program Files\Windows Defender\*","C:\ProgramData\Microsoft\Windows Defender\Platform\*"] image="*\mpclient.dll"

2.34 LP_ZIP File Creation or Extraction via Printer Migration CLI Tool


• Trigger condition: The creation or extraction of a .zip file via the printbrm utility
is detected.

• ATT&CK Category: Defense Evasion, Command and Control

• ATT&CK Tag: Ingress Tool Transfer, NTFS File Attributes

• ATT&CK ID: T1105, T1564.004

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label="Create" "process"="*\printbrm.exe" command="*f *" command="*.zip*"


2.35 LP_Credentials Capture via Rpcping Detected


• Trigger condition: The creation of a Remote Procedure Call (RPC) via the Rpcping
binary is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label="Create" "process"="*\rpcping.exe" command="*s *" ((command="*u *" command="*NTLM*") OR ( command="*t *" command="*ncacn_np*"))

2.36 LP_Suspicious ConfigSecurityPolicy Execution Detected


• Trigger condition: A local file upload via the ConfigSecurityPolicy binary to an
attacker-controlled server is detected.

• ATT&CK Category: Exfiltration

• ATT&CK Tag: Exfiltration Over Web Service

• ATT&CK ID: T1567

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label="Create" "process"="*\ConfigSecurityPolicy.exe" command IN ["*https://*","*http://*","*ftp://*"]

2.37 LP_C-Sharp Code Compilation Using Ilasm Detected


• Trigger condition: C# code is compiled into an executable or a DLL using the
Ilasm utility.

• ATT&CK Category: Defense Evasion


• ATT&CK Tag: Trusted Developer Utilities Proxy Execution

• ATT&CK ID: T1127

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label="Process" label="Create" ("process"="*\ilasm.exe" OR file="ilasm.exe")

2.38 LP_Process Dump via Resource Leak Diagnostic Tool


• Trigger condition: A process dump using the Microsoft Windows native tool
rdrleakdiag.exe is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: LSASS Memory

• ATT&CK ID: T1003.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create ("process"="*\RdrLeakDiag.exe" or file="RdrLeakDiag.exe") command="*fullmemdmp*"

2.39 LP_Suspicious DLL execution via Register-Cimprovider


• Trigger condition: A DLL load or execution using the Microsoft Windows native
tool Register-Cimprovider.exe is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hijack Execution Flow

• ATT&CK ID: T1574

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" "process"="*\register-cimprovider.exe" command="*-path*" command="*dll*"


2.40 Accessibility features - Process


• Trigger condition: An adversary establishes persistence and/or elevates privileges
by executing malicious content through accessibility feature processes.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Event Triggered Execution, Accessibility Features

• ATT&CK ID: T1546,T1546.008

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*winlogon.exe" (image="*sethc.exe" or image="*utilman.exe" or image="*osk.exe" or image="*magnify.exe" or image="*displayswitch.exe" or image="*narrator.exe" or image="*atbroker.exe") -user IN EXCLUDED_USERS

2.41 LP_Accessibility Features-Registry


• Trigger condition: An adversary establishes persistence and/or elevates privileges
by executing malicious content, replacing accessibility feature binaries, pointers,
or references to these binaries in the registry.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Event Triggered Execution, Accessibility Features

• ATT&CK ID: T1546,T1546.008

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*" -user IN EXCLUDED_USERS


2.42 LP_Account Discovery Detected


• Trigger condition: Adversaries attempt to get a listing of accounts on a system or
within an environment that can help them determine which accounts exist to aid in
follow-on behavior.

• ATT&CK Category: -

• ATT&CK Tag: Account Discovery, Local Account, Domain Account

• ATT&CK ID: T1087,T1087.001,T1087.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*net.exe" or image="*powershell.exe") (command="*net* user*" or command="*net* group*" or command="*net* localgroup*" or command="*cmdkey*\/list*" or command="*get-localuser*" or command="*get-localgroupmembers*" or command="*get-aduser*" or command="*query*user*") -user IN EXCLUDED_USERS

2.43 LP_Active Directory DLLs Loaded By Office Applications


• Trigger condition: The Kerberos DLL or DSParse DLL is loaded by Office products
such as WinWord, Microsoft PowerPoint, Microsoft Excel, or Microsoft Outlook.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Phishing, Spearphishing Attachment

• ATT&CK ID: T1566,T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe*", "*\powerpnt.exe*", "*\excel.exe*", "*\outlook.exe*"] image IN ["*\kerberos.dll*","*\dsparse.dll*"] -user IN EXCLUDED_USERS


2.44 LP_DCSync detected


• Trigger condition: Abuse of the Active Directory Replication Service (ADRS) by a
non-machine account to request credentials (DCSync), or the creation of a new
SPN, is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, DCSync

• ATT&CK ID: T1003,T1003.006

• Minimum Log Source Requirement: Windows

• Query:

((norm_id=WinServer event_id=4662 access_mask="0x100" properties IN ["*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*", "*Replicating Directory Changes All*"] -user="*$" -user="MSOL_*") or (norm_id=WinServer event_id=4742 service="*GC/*")) -user IN EXCLUDED_USERS
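As an added example (not part of the LogPoint documentation), the following Python applies both branches of this query to constructed 4662 and 4742 events; the extended-right names given for the three GUIDs are the standard Active Directory values, while the contents of EXCLUDED_USERS, bare user names in the user field and case-insensitive wildcard matching are assumptions.

```python
# Added example, not from the LogPoint documentation: applies the LP_DCSync
# detected query to constructed Windows security events (4662 and 4742).
import fnmatch

# Control-access GUIDs listed in the query, with their AD extended-right names
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
PROPERTY_PATTERNS = ["*" + guid + "*" for guid in REPLICATION_RIGHTS] + [
    "*Replicating Directory Changes All*"]
# Assumed contents of the EXCLUDED_USERS list (the page does not define it)
EXCLUDED_USERS = set()


def _glob(value, pattern):
    """Wildcard match in the style of the query; assumed case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_replication_request(event):
    """First branch: 4662 with control access (0x100) on a replication right,
    requested by something other than a machine account (*$) or an Azure AD
    Connect sync account (MSOL_*), both of which replicate legitimately."""
    user = event.get("user", "")
    return (
        event.get("norm_id") == "WinServer"
        and event.get("event_id") == 4662
        and event.get("access_mask") == "0x100"
        and any(_glob(event.get("properties", ""), p) for p in PROPERTY_PATTERNS)
        and not _glob(user, "*$")
        and not _glob(user, "MSOL_*")
    )


def is_gc_spn_change(event):
    """Second branch: 4742 computer-account change carrying a GC/ service principal name."""
    return (
        event.get("norm_id") == "WinServer"
        and event.get("event_id") == 4742
        and _glob(event.get("service", ""), "*GC/*")
    )


def matches_rule(event):
    """The whole query: either branch, minus EXCLUDED_USERS."""
    return (is_replication_request(event) or is_gc_spn_change(event)) \
        and event.get("user") not in EXCLUDED_USERS


def replication_rights(properties):
    """Name the replication rights referenced in a 4662 Properties field."""
    lowered = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in lowered]


def alerting_users(events):
    """Return the user of every event the rule would alert on."""
    return [e["user"] for e in events if matches_rule(e)]


# Constructed sample events; field names follow the query
SAMPLE_EVENTS = [
    # user account requesting Get-Changes-All: alerts
    {"norm_id": "WinServer", "event_id": 4662, "access_mask": "0x100", "user": "alice",
     "properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # domain controller machine account doing the same: normal replication, excluded
    {"norm_id": "WinServer", "event_id": 4662, "access_mask": "0x100", "user": "DC02$",
     "properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Azure AD Connect sync account: excluded by the MSOL_* filter
    {"norm_id": "WinServer", "event_id": 4662, "access_mask": "0x100", "user": "MSOL_1a2b3c",
     "properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # control access on an unrelated property GUID (constructed placeholder): no match
    {"norm_id": "WinServer", "event_id": 4662, "access_mask": "0x100", "user": "bob",
     "properties": "Control Access {00000000-0000-0000-0000-000000000000}"},
    # computer account change adding a global catalog SPN: alerts via the second branch
    {"norm_id": "WinServer", "event_id": 4742, "user": "mallory",
     "service": "GC/dc03.corp.example/corp.example"},
]

if __name__ == "__main__":
    print(alerting_users(SAMPLE_EVENTS))
    print(replication_rights(SAMPLE_EVENTS[0]["properties"]))
```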

2.45 LP_Active Directory Replication User Backdoor


• Trigger condition: Modification of the security descriptor of a domain object for
granting Active Directory replication permissions to a user.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: File and Directory Permissions Modification, Windows File and
Directory Permissions Modification

• ATT&CK ID: T1222,T1222.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=5136 ldap_display="ntsecuritydescriptor" attribute_value IN ["*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*"] -user IN EXCLUDED_USERS


2.46 LP_Active Directory Schema Change Detected


• Trigger condition: The directory service object is changed, created, moved,
deleted, or restored.

• ATT&CK Category: Persistence, Privilege Escalation, Credential Access

• ATT&CK Tag: Create or Modify System Process, Windows Service, Exploitation for
Credential Access, Exploitation for Privilege Escalation

• ATT&CK ID: T1212, T1068, T1543, T1543.003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer* label=Directory label=Service label=Object (label=Change or label=Create or label=Move or label=Delete or label=Undelete) -user IN EXCLUDED_USERS

2.47 LP_Activity Related to NTDS Domain Hash Retrieval


• Trigger condition: Suspicious commands related to activity that uses volume
shadow copies to steal and retrieve hashes from the NTDS.dit file remotely are
detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, NTDS

• ATT&CK ID: T1003, T1003.003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create command IN [ "*vssadmin.exe Delete Shadows*", "*vssadmin create shadow /for=C:*", "*copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*", "*copy \\?\GLOBALROOT\Device\\*\config\SAM*", "*vssadmin delete shadows /for=C:*", "*reg SAVE HKLM\SYSTEM*", "*esentutl.exe /y /vss *\ntds.dit*", "*esentutl.exe /y /vss *\SAM*", "*esentutl.exe /y /vss *\SYSTEM*"]


2.48 LP_AD Object WriteDAC Access Detected


• Trigger condition: WRITE_DAC, which can modify the discretionary access-control
list (DACL) in the object security descriptor, is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: File and Directory Permissions Modification

• ATT&CK ID: T1222

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4662 object_server="DS" access_mask=0x40000 object_type IN ["19195a5b-6da0-11d0-afd3-00c04fd930c9", "domainDNS"] -user IN EXCLUDED_USERS

2.49 LP_AD Privileged Users or Groups Reconnaissance Detected


• Trigger condition: Privileged user or group reconnaissance is detected based on
event ID 4661 and the SIDs of privileged users or groups. The object name must be
one of: domain admin, KDC service account, admin account, enterprise admin,
group policy creators and owners, backup operator, or remote desktop users.

• ATT&CK Category: Discovery

• ATT&CK Tag: Account Discovery, Local Account, Domain Account

• ATT&CK ID: T1087,T1087.001,T1087.002

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4661 object_type IN ["SAM_USER", "SAM_GROUP"] object_name IN ["*-512", "*-502", "*-500", "*-505", "*-519", "*-520", "*-544", "*-551", "*-555", "*admin*"] -user IN EXCLUDED_USERS


2.50 LP_Addition of SID History to Active Directory Object


• Trigger condition: Addition of SID History to Active Directory Object is detected.
An attacker can use the SID history attribute to gain additional privileges.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Access Token Manipulation, SID-History Injection

• ATT&CK ID: T1134,T1134.005

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer (event_id IN ["4765", "4766"] OR (norm_id=WinServer event_id=4738 -SidHistory IN ["-", "%%1793"])) -user IN EXCLUDED_USERS

2.51 LP_Admin User Remote Logon Detected


• Trigger condition: Successful remote login by the administrator depending on the
internal pattern is detected.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Valid Accounts

• ATT&CK ID: T1078

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4624 logon_type="10" (authentication_package="Negotiate" OR package="Negotiate") user="Admin-*" -user IN EXCLUDED_USERS | rename package as authentication_package

2.52 LP_Adobe Flash Use-After-Free Vulnerability Detected


• Trigger condition: Exploitation of the use-after-free vulnerability (CVE-2018-4878)
in Adobe Flash is detected.


• ATT&CK Category: Execution

• ATT&CK Tag: User Execution

• ATT&CK ID: T1204

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon label=Image label=Load source_image IN ["*winword.exe", "*excel.exe"] image='*Flash32*.ocx' -user IN EXCLUDED_USERS

2.53 LP_Adwind RAT JRAT Detected


• Trigger condition: Applications such as javaw.exe or cscript running from the
AppData folder, or Windows Run* registry values set by Adwind or JRAT, are detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, Visual Basic, JavaScript/JScript,
Windows Command Shell, PowerShell

• ATT&CK ID: T1059, T1059.001, T1059.003, T1059.005, T1059.007

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(event_id=1 command IN ["*\AppData\Roaming\Oracle*\java*.exe *", "*cscript.exe *Retrive*.vbs *"]) OR (event_id=11 file IN ["*\AppData\Roaming\Oracle\bin\java*.exe", "*\Retrive*.vbs"]) OR (event_id=13 target_object="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*" detail="%AppData%\Roaming\Oracle\bin\*")

2.54 LP_Antivirus Exploitation Framework Detection


• Trigger condition: An antivirus alert reports an exploitation framework.

• ATT&CK Category: Execution, Command and Control

• ATT&CK Tag: Exploitation for Client Execution,Remote Access Tools

• ATT&CK ID: T1203,T1219

• Minimum Log Source Requirement: Antivirus


• Query:

signature IN ["*MeteTool*", "*MPreter*", "*Meterpreter*", "*Metasploit*", "*PowerSploit*", "*CobaltSrike*", "*Swrort*", "*Rozena*", "*Backdoor.Cobalt*", "*Msfvenom*", "*armor*", "*Empire*" ,"*SilentTrinity*", "*Ntlmrelayx"]

2.55 LP_Antivirus Password Dumper Detected


• Trigger condition: An antivirus alert reports a password dumper.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

status IN ["*DumpCreds*", "*Mimikatz*", "*PWCrack*", "HTool/WCE", "*PSWtool*", "*PWDump*", "*SecurityTool*", "*PShlSpy*","*laZagne*"]

2.56 LP_Antivirus Web Shell Detected


• Trigger condition: An antivirus alert reports a web shell.

• ATT&CK Category: Persistence

• ATT&CK Tag: Server Software Component, Web Shell

• ATT&CK ID: T1505, T1505.003

• Minimum Log Source Requirement: Antivirus

• Query:

signature IN ["PHP/Backdoor*", "JSP/Backdoor*", "ASP/Backdoor*", "Backdoor.PHP*", "Backdoor.JSP*", "Backdoor.ASP*", "*Webshell*"]


2.57 LP_Apache Struts 2 Remote Code Execution Detected


• Trigger condition: A remote code execution vulnerability (CVE-2017-5638) in
Apache Struts 2 is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: ApacheTomcat

• Query:

norm_id=ApacheTomcatServer label=Content label=Invalid label=Type | norm on content_type #cmd=<command:quoted>

2.58 LP_AppCert DLLs Detected


• Trigger condition: Adversaries establish persistence and/or elevate privileges by
executing malicious content triggered by AppCert DLLs loaded into processes.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Event Triggered Execution, AppCert DLLs

• ATT&CK ID: T1546, T1546.009

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*\System\CurrentControlSet\Control\Session Manager\AppCertDlls\*" -user IN EXCLUDED_USERS

2.59 LP_Application Shimming - File Access Detected


• Trigger condition: Adversaries establish persistence and/or elevate privileges by
executing malicious content initiated by application shims.

• ATT&CK Category: Persistence, Privilege Escalation


• ATT&CK Tag: Event Triggered Execution, Application Shimming

• ATT&CK ID: T1546,T1546.011

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon ((event_id=11 file="*C:\Windows\AppPatch\Custom\*") or (event_id=1 image="*sdbinst.exe") or ((event_id=12 or event_id=13 or event_id=14) target_object="*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*")) -user IN EXCLUDED_USERS

2.60 LP_Application Whitelisting Bypass via Bginfo Detected


• Trigger condition: Adversaries bypass process- and/or signature-based defenses
by executing VBScript code referenced within a .bgi file.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\bginfo.exe" command="*/popup*" command="*/nolicprompt*" -user IN EXCLUDED_USERS

2.61 LP_Application Whitelisting Bypass via DLL Loaded by odbcconf Detected


• Trigger condition: Adversaries bypass process- and/or signature-based defenses
by executing odbcconf.exe to load a DLL.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Odbcconf

• ATT&CK ID: T1218, T1218.008


• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((image="*\odbcconf.exe" command IN ["*-f*", "*regsvr*"]) OR (parent_image="*\odbcconf.exe" image="*\rundll32.exe")) -user IN EXCLUDED_USERS

2.62 LP_Application Whitelisting Bypass via Dnx Detected


• Trigger condition: Adversaries bypass process- and/or signature-based defenses
by executing C# code located in the consoleapp folder.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\dnx.exe" -user IN EXCLUDED_USERS

2.63 LP_Audio Capture Detected


• Trigger condition: The use of PowerShell, the Sound Recorder application, or a
command to enumerate the audio device is detected. Adversaries attempt to leverage
peripheral devices or applications to obtain audio recordings of sensitive conversations.

• ATT&CK Category: Collection

• ATT&CK Tag: Audio Capture

• ATT&CK ID: T1123

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((image="*SoundRecorder.exe" and command="*/FILE*") or command="*Get-AudioDevice*" or command="*WindowsAudioDevice-Powershell-Cmdlet*") -user IN EXCLUDED_USERS


2.64 LP_Authentication Package Detected


• Trigger Condition: The LSA process is loaded by services other than lsass, svchost,
msiexec, and services. Windows authentication package DLLs are loaded by the
Local Security Authority (LSA) process at system start. Adversaries may abuse
authentication packages to execute DLLs when the system boots.

• ATT&CK Category: Persistence

• ATT&CK Tag: Boot or Logon Autostart Execution, Authentication Package,
Security Support Provider

• ATT&CK ID: T1547, T1547.002, T1547.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\SYSTEM\CurrentControlSet\Control\Lsa\*") -image in ["*C:\WINDOWS\system32\lsass.exe","*C:\Windows\system32\svchost.exe", "*C:\Windows\system32\services.exe","C:\Windows\system32\msiexec.exe", "C:\Windows\system32\Msiexec.exe"] -user IN EXCLUDED_USERS

2.65 LP_Autorun Keys Modification Detected


• Trigger Condition: Modification of an autostart extensibility point (ASEP) in the
registry is detected. An ASEP allows a particular program to run automatically when
a user logs into the system. Adversaries may achieve persistence by adding a
program to a startup folder or referencing it with a Registry run key.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder

• ATT&CK ID: T1547, T1547.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=13 target_object IN ["*\software\Microsoft\Windows\CurrentVersion\Run*", "*\software\Microsoft\Windows\CurrentVersion\RunOnce*", "*\software\Microsoft\Windows\CurrentVersion\RunOnceEx*", "*\software\Microsoft\Windows\CurrentVersion\RunServices*", "*\software\Microsoft\Windows\CurrentVersion\RunServicesOnce*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell*", "*\software\Microsoft\Windows NT\CurrentVersion\Windows*", "*\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders*"] -user IN EXCLUDED_USERS

2.66 LP_Batch Scripting Detected


• Trigger Condition: Adversaries abuse command and script interpreters to execute
commands, scripts or binaries.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter

• ATT&CK ID: T1059

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 file in ["*.bat", "*.cmd"] -user IN EXCLUDED_USERS

2.67 LP_BITS Jobs - Network Detected


• Trigger Condition: The BITS job network connection is detected. An adversary
abuses BITS jobs to execute or clean up after executing malicious payload.

• ATT&CK Category: Defense Evasion, Persistence

• ATT&CK Tag: BITS Jobs

• ATT&CK ID: T1197

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=3 image="*bitsadmin.exe" -user IN EXCLUDED_USERS


2.68 LP_BITS Jobs - Process Detected


• Trigger Condition: Creation of a BITS job process is detected. An adversary abuses
BITS jobs to execute or clean up after executing a malicious payload.

• ATT&CK Category: Defense Evasion, Persistence

• ATT&CK Tag: BITS Jobs

• ATT&CK ID: T1197

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*bitsadmin.exe" or command="*Start-BitsTransfer*") -user IN EXCLUDED_USERS

2.69 LP_Bloodhound and Sharphound Hack Tool Detected


• Trigger Condition: Command-line parameters used by Bloodhound and
Sharphound hack tools are detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Account Discovery

• ATT&CK ID: T1087

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image IN ["*\Bloodhound.exe*", "*\SharpHound.exe*"] OR command IN ["* -CollectionMethod All *", "*.exe -c All -d *", "*Invoke-Bloodhound*", "*Get-BloodHoundData*"] OR (command="* -JsonFolder *" command="* -ZipFileName *") OR (command="* DCOnly *" command="* --NoSaveCache *")) -user IN EXCLUDED_USERS

2.70 LP_BlueMashroom DLL Load Detected


• Trigger Condition: DLL loading from an AppData\Local path, as described in the BlueMashroom report, is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Regsvr32

• ATT&CK ID: T1218, T1218.010

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*\regsvr32*\AppData\Local\*", "*\AppData\Local\*, DllEntry*"] -user IN EXCLUDED_USERS

2.71 LP_Browser Bookmark Discovery


• Trigger Condition: An enumeration attempt on browser bookmarks to learn more
about compromised hosts is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Browser Bookmark Discovery

• ATT&CK ID: T1217

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label="Process" label=Create "process"="*\where.exe" command in ["*places.sqlite*", "*cookies.sqlite*", "*formhistory.sqlite*", "*logins.json*", "*key4.db*", "*key3.db*", "*sessionstore.jsonlz4*", "*History*", "*Bookmarks*", "*Cookies*", "*Login Data*"]

2.72 LP_CACTUSTORCH Remote Thread Creation Detected

• Trigger Condition: Creation of a remote thread from CACTUSTORCH is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Process Injection, Command and Scripting Interpreter

• ATT&CK ID: T1055, T1059

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=8 source_image IN ["*\System32\cscript.exe", "*\System32\wscript.exe", "*\System32\mshta.exe", "*\winword.exe", "*\excel.exe"] image="*\SysWOW64\*" -start_module=* -user IN EXCLUDED_USERS

2.73 LP_Call to a Privileged Service Failed


• Trigger Condition: The privileged service call using LsaRegisterLogonProcess fails.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Valid Account

• ATT&CK ID: T1078

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4673 service="LsaRegisterLogonProcess()" event_type="*Failure*" -user IN EXCLUDED_USERS

2.74 LP_Capture a Network Trace with netsh


• Trigger Condition: Network trace capture via netsh.exe trace functionality is
detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Sniffing

• ATT&CK ID: T1040

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command="*netsh*" command="*trace*" command="*start*" -user IN EXCLUDED_USERS

2.75 LP_CEO Fraud - Possible Fraudulent Email Behavior


• Trigger Condition: An email received from a threat source in the internal network
exhibits fraudulent behavior. For this alert to work, you must update the following:
– HOME_DOMAIN, which is the list of selected domain names. For example,
logpoint.com
– MANAGERS, which is the list of selected managers and executives. For
example, Alice
– SERVER_ADDRESS, which is the list of trusted clients or servers from where
the emails are received.
• ATT&CK Category: Initial Access
• ATT&CK Tag: Phishing
• ATT&CK ID: T1566, T1566.001
• Minimum Log Source Requirement: Exchange MT
• Query:

norm_id=ExchangeMT event_id=receive sender=* receiver IN HOME_DOMAIN original_client_address=* -original_client_address IN SERVER_ADDRESS | norm on sender <target_manager:all>@<domain:string> | norm on message_id @<original_domain:'.*'><:'\>'> | search target_manager IN MANAGERS

2.76 LP_Certutil Encode Detected


• Trigger Condition: The certutil command, sometimes used for data exfiltration, is
used to encode files.
• ATT&CK Category: Defense Evasion
• ATT&CK Tag: Obfuscated Files or Information
• ATT&CK ID: T1027
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=1 command IN ["certutil -f -encode *", "certutil.exe -f -encode *", "certutil -encode -f *", "certutil.exe -encode -f *"] -user IN EXCLUDED_USERS

2.77 LP_Chafer Activity Detected


• Trigger Condition: Chafer activity attributed to OilRig, as described in the Nyotron report of March 2018, is detected.

• ATT&CK Category: Execution, Persistence, Privilege Escalation

• ATT&CK Tag: Scheduled Task/Job, Scheduled Task

• ATT&CK ID: T1053, T1053.005

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WindowsSysmon event_id=1 (command="*Get-History*" or command="*AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt*" or command="*(Get-PSReadlineOption).HistorySavePath*") -user IN EXCLUDED_USERS

2.78 LP_Change of Default File Association Detected


• Trigger Condition: A registry value is set to change the file association.
Adversaries establish persistence by executing malicious content triggered by a
file type association.

• ATT&CK Category: Persistence

• ATT&CK Tag: Event Triggered Execution, Change Default File Association

• ATT&CK ID: T1546, T1546.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon label=Registry label=Set label=Value target_object="*HKEY_CLASSES_ROOT\mscfile*" detail in ["*powershell*", "*.exe*", "*.dat*"] -user IN EXCLUDED_USERS

2.79 LP_Citrix ADC VPN Directory Traversal Detected


• Trigger Condition: The exploitation of directory traversal vulnerability
(CVE-2019-19781) in Citrix ADC is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: External Remote Services

• ATT&CK ID: T1133

• Minimum Log Source Requirement: Webserver, Firewall

• Query:

norm_id=* (url="*/../vpns/*" OR resource="*/../vpns/*")

2.80 LP_Clear Command History


• Trigger Condition: Deletion of command history is detected. Adversaries delete
or alter generated artifacts on a host system, including logs or captured files such
as quarantined malware.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Indicator Removal on Host, Clear Command History

• ATT&CK ID: T1070, T1070.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (command="*rm (Get-PSReadlineOption).HistorySavePath*" or command="*del (Get-PSReadlineOption).HistorySavePath*" or command="*Set-PSReadlineOption -HistorySaveStyle SaveNothing*" or command="*Remove-Item (Get-PSReadlineOption).HistorySavePath*") -user IN EXCLUDED_USERS

2.81 LP_Clearing of PowerShell Logs Detected


• Trigger Condition: Clearance of console history logs is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Indicator Removal on Host

• ATT&CK ID: T1070

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4103 (command_name="Remove-Item" OR command="Remove-Item") payload="*consolehost*history*" -user IN EXCLUDED_USERS | rename command_name as command

2.82 LP_Clipboard Data Access Detected


• Trigger Condition: Adversaries collect data stored in a clipboard from users
copying information within or between applications.

• ATT&CK Category: Collection

• ATT&CK Tag: Clipboard Data

• ATT&CK ID: T1115

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*clip.exe" or command="*Get-Clipboard*") -user IN EXCLUDED_USERS

2.83 LP_Clop Ransomware Emails Sent to Attacker


• Trigger Condition: Email communication to or from an address in the CLOP_RANSOMWARE_EMAILS list is detected.

• ATT&CK Category: Exfiltration, Collection

• ATT&CK Tag: Exfiltration Over C2 Channel, Email Collection

• ATT&CK ID: T1041, T1114

• Minimum Log Source Requirement: Exchange MT

• Query:

(receiver in CLOP_RANSOMWARE_EMAILS OR sender in CLOP_RANSOMWARE_EMAILS) sender=* receiver=* (host=* OR source_host=*) | rename source_host as host

2.84 LP_Clop Ransomware Infected Host Detected


• Trigger Condition: A host infected with Clop ransomware is detected by matching file hashes against the CLOP_RANSOMWARE_HASHES list.

• ATT&CK Category: Impact

• ATT&CK Tag: Data Encrypted for Impact

• ATT&CK ID: T1486

• Minimum Log Source Requirement: Windows Sysmon

• Query:

host=* hash=* hash IN CLOP_RANSOMWARE_HASHES

2.85 LP_Cmdkey Cached Credentials Recon Detected


• Trigger Condition: Use of cmdkey to list cached credentials is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\cmdkey.exe" command="* /list *" -user IN EXCLUDED_USERS

2.86 LP_CMSTP Detected


• Trigger Condition: Adversary abuses CMSTP for proxy execution of malicious
code. CMSTP.exe accepts an installation information file (INF) as a parameter
and installs a service profile leveraged for remote access connections. Also, the
adversary supplies CMSTP.exe with INF files infected with malicious commands.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, CMSTP

• ATT&CK ID: T1218, T1218.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*CMSTP.exe" -user IN EXCLUDED_USERS

2.87 LP_CMSTP Execution Detected


• Trigger Condition: Loading and execution of local or remote payloads using
CMSTP. Adversaries abuse CMSTP.exe to load and execute DLLs and/or COM
scriptlets (SCT) from remote servers. The execution bypasses AppLocker, and
other whitelisting defenses since CMSTP.exe is a legitimate and signed Microsoft
application.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, CMSTP

• ATT&CK ID: T1218, T1218.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(event_id=12 target_object="*\cmmgr32.exe*") OR (event_id=13 target_object="*\cmmgr32.exe*") OR (event_id=10 call_trace="*cmlua.dll*") OR (event_id=1 parent_image="*\cmstp.exe")

2.88 LP_CMSTP UAC Bypass via COM Object Access


• Trigger Condition: Loading and execution of local or remote payloads using
CMSTP. Adversaries abuse CMSTP.exe to bypass User Account Control and
execute arbitrary commands from a malicious INF through an auto-elevated COM
interface.

• ATT&CK Category: Defense Evasion, Privilege Escalation, Execution

• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control,
Signed Binary Proxy Execution, CMSTP

• ATT&CK ID: T1548, T1218, T1218.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_command="*\DllHost.exe" parent_command IN ["*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "*{3E000D72-A845-4CD9-BD83-80C07C3B881F}"] -user IN EXCLUDED_USERS

2.89 LP_CobaltStrike Process Injection Detected


• Trigger Condition: Creation of a remote thread with characteristics typical of Cobalt Strike beacons is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=8 start_address IN ["*0B80", "*0C7C", "*0C88"] -user IN EXCLUDED_USERS

2.90 LP_Windows Command Line Execution with Suspicious URL and AppData Strings

• Trigger Condition: Execution of the Windows command line with URL and AppData strings in its parameters, as used by droppers, is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=8 start_address IN ["*0B80", "*0C7C", "*0C88"] -user IN EXCLUDED_USERS

2.91 LP_Compiled HTML File Detected


• Trigger Condition: Adversary abuses Compiled HTML files (.chm) to conceal
malicious code.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Compiled HTML File

• ATT&CK ID: T1218, T1218.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*hh.exe" -user IN EXCLUDED_USERS

2.92 LP_Component Object Model Hijacking Detected


• Trigger Condition: Adversaries establish persistence by executing malicious
content triggered by hijacked references to Component Object Model (COM)
objects.

• ATT&CK Category: Defense Evasion, Persistence

• ATT&CK Tag: Inter-Process Communication, Event Triggered Execution, Component Object Model Hijacking

• ATT&CK ID: T1546, T1546.015

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*\Software\Classes\CLSID*" -user IN EXCLUDED_USERS

2.93 LP_Connection to Hidden Cobra Source


• Trigger Condition: Hosts establish an outbound connection to Hidden Cobra
sources.

• ATT&CK Category: Command and Control, Defense Evasion

• ATT&CK Tag: Command and Control, Defense Evasion

• ATT&CK ID: T1090, T1211

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

(source_address=* OR destination_address=*) destination_address in HIDDEN_COBRA_IPS | process dns(source_address) as host | process geoip(destination_address) as country

2.94 LP_Console History Discovery Detected


• Trigger Condition: Adversaries attempt to obtain detailed information from the PowerShell console history.

• ATT&CK Category: Discovery

• ATT&CK Tag: System Information Discovery

• ATT&CK ID: T1082

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (command="*Get-History*" or command="*AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt*" or command="*(Get-PSReadlineOption).HistorySavePath*") -user IN EXCLUDED_USERS

2.95 LP_Control Panel Items - Process Detected


• Trigger Condition: Adversary abuses control.exe for proxy execution of malicious
payloads.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Control Panel Items

• ATT&CK ID: T1218, T1218.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (command="*control \/name*" or command="*rundll32 shell32.dll, Control_RunDLL*") -user IN EXCLUDED_USERS

2.96 LP_Control Panel Items - Registry Detected


• Trigger Condition: Adversary abuses control.exe for proxy execution of malicious
payloads.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Control Panel Items

• ATT&CK ID: T1218, T1218.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace*" or target_object="*\Software\Microsoft\Windows\CurrentVersion\Controls Folder\*\Shellex\PropertySheetHandlers\*" or target_object="*\Software\Microsoft\Windows\CurrentVersion\Control Panel\*") -user IN EXCLUDED_USERS

2.97 LP_Control Panel Items Detected


• Trigger Condition: Adversary attempts to use a control panel item (.cpl) outside
the System32 folder.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Control Panel Items

• ATT&CK ID: T1218, T1218.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command="*.cpl" -command IN ["*\System32\*", "*%System%*"] -user IN EXCLUDED_USERS

2.98 LP_Copy from Admin Share Detected


• Trigger Condition: A copy command from a remote C$ or ADMIN$ share is detected.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Services, Remote File Copy

• ATT&CK ID: T1021, T1105

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*copy *\c$*", "*copy *\ADMIN$*"] -user IN EXCLUDED_USERS

2.99 LP_Copying Sensitive Files with Credential Data


• Trigger Condition: Copying of sensitive files with credential data is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((image="*\esentutl.exe" command IN ["*vss*", "* /m *", "* /y *"]) OR command IN ["*\windows\ntds\ntds.dit*", "*\config\sam*", "*\config\security*", "*\config\system *", "*\repair\sam*", "*\repair\system*", "*\repair\security*", "*\config\RegBack\sam*", "*\config\RegBack\system*", "*\config\RegBack\security*"]) -user IN EXCLUDED_USERS

2.100 LP_Copyright Violation Email


• Trigger Condition: An email whose subject contains copyright or infringement content is received. For this alert to work, the KNOWN_SERVER_HOST list must be updated with the known mail servers.

• ATT&CK Category: Collection

• ATT&CK Tag: Email Collection

• ATT&CK ID: T1114

• Minimum Log Source Requirement: ExchangeMT

• Query:

device_category=Email* sender=* receiver=* -source_host IN KNOWN_SERVER_HOST subject IN ["*copyright*", "*infringement*"] | norm on receiver <user:all>@<domain:string>

2.101 LP_CrackMapExecWin Detected


• Trigger Condition: CrackMapExecWin activity as described by NCSC is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image IN ["*\crackmapexec.exe"] -user IN EXCLUDED_USERS

2.102 LP_CreateMiniDump Hacktool Detected


• Trigger Condition: The use of the CreateMiniDump hack tool to dump the LSASS
process memory for credential extraction on the attacker’s machine is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping, LSASS Memory

• ATT&CK ID: T1003, T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(event_id=1 (image="*\CreateMiniDump.exe*" OR hash="4a07f944a83e8a7c2525efa35dd30e2f")) OR (event_id=11 file="*\lsass.dmp*")

2.103 LP_CreateRemoteThread API and LoadLibrary


• Trigger Condition: The use of CreateRemoteThread API and LoadLibrary function
to inject DLL into a process is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=8 start_module="*\kernel32.dll" start_function="LoadLibraryA" -user IN EXCLUDED_USERS

2.104 LP_Command Obfuscation in Command Prompt


• Trigger Condition: Adversaries abuse the Windows command shell for the
execution of commands, scripts, or binaries.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Command and Scripting Interpreter, Windows Command Shell

• ATT&CK ID: T1059, T1059.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image='*cmd.exe' parent_command IN ['*^*^*^*^*', '*set*=*call*%*%*', '*s^*e^*t*']

2.105 LP_Command Obfuscation via Character Insertion


• Trigger Condition: Command obfuscation of command prompt by character
insertion is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Command and Scripting Interpreter, Windows Command Shell

• ATT&CK ID: T1059, T1059.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image='*cmd.exe' parent_command='cmd*/c*' | norm on parent_command <command_match:'[^\w](s\^+e\^*t|s\^*e\^+t)[^\w]'> | search command_match=*

2.106 LP_Command Obfuscation via Environment Variable Concatenation Reassembly

• Trigger Condition: Command obfuscation in the command prompt by environment
variable concatenation reassembly is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Command and Scripting Interpreter, Windows Command Shell

• ATT&CK ID: T1059, T1059.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image='*cmd.exe' parent_command='cmd*/c*' | norm on parent_command <command_match:'%[^%]+%{4}'> | search command_match=*
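The three command-prompt obfuscation rules above (2.104, 2.105 and 2.106) can be replayed outside the SIEM to check what a given parent command line would trigger. The following is an added example, not LogPoint's own code: it re-implements the three rules in Python over constructed Sysmon process-creation events with the fields `parent_image` and `parent_command`. Assumptions are labelled in the code: the LogPoint wildcard `*` is treated as `.*`, matching is case-insensitive, and for rule 2.106 the grouped form `(%[^%]+%){4}` (four consecutive `%VAR%` references) is used as the intended reading of the page's pattern.

```python
import re
from typing import Dict, List

# Rule 2.104: the rule's LogPoint wildcard patterns rewritten as regular
# expressions (assumption: '*' is evaluated as '.*', case-insensitively).
RULE_2_104 = [
    re.compile(r"\^.*\^.*\^.*\^", re.IGNORECASE),       # '*^*^*^*^*': four or more carets
    re.compile(r"set.*=.*call.*%.*%", re.IGNORECASE),   # '*set*=*call*%*%*'
    re.compile(r"s\^.*e\^.*t", re.IGNORECASE),          # '*s^*e^*t*'
]
# Rule 2.105: the keyword 'set' split by inserted carets (pattern taken from the rule).
RULE_2_105 = re.compile(r"[^\w](s\^+e\^*t|s\^*e\^+t)[^\w]", re.IGNORECASE)
# Rule 2.106: four consecutive %VAR% references. The grouped form is an assumption
# about the rule's intent; the page's literal pattern is '%[^%]+%{4}'.
RULE_2_106 = re.compile(r"(%[^%]+%){4}")


def matching_rules(event: Dict[str, str]) -> List[str]:
    """Return the section numbers of the rules that would fire on one
    process-creation event with the fields parent_image and parent_command."""
    parent_image = event.get("parent_image", "")
    parent_command = event.get("parent_command", "")
    # All three rules require cmd.exe as the parent process (parent_image='*cmd.exe').
    if not parent_image.lower().endswith("cmd.exe"):
        return []
    hits: List[str] = []
    if any(p.search(parent_command) for p in RULE_2_104):
        hits.append("2.104")
    # 2.105 and 2.106 additionally require a 'cmd ... /c ...' parent command line.
    if re.match(r"cmd.*/c", parent_command, re.IGNORECASE):
        if RULE_2_105.search(parent_command):
            hits.append("2.105")
        if RULE_2_106.search(parent_command):
            hits.append("2.106")
    return hits


# Constructed sample events (not taken from the page or from real telemetry).
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"parent_image": CMD, "parent_command": "cmd /c s^e^t x=whoami&call %x%"},
    {"parent_image": CMD, "parent_command": "cmd /c set a=w&set b=h&set c=o&set d=ami&call %a%%b%%c%%d%"},
    {"parent_image": CMD, "parent_command": "cmd /c echo build ok"},
    {"parent_image": r"C:\Windows\explorer.exe", "parent_command": "cmd /c s^e^t x=1"},
    {"parent_image": CMD, "parent_command": "cmd /c p^o^w^e^r^shell -nop"},
]


def scan(events: List[Dict[str, str]]) -> List[List[str]]:
    """Rule hits per event, in input order."""
    return [matching_rules(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{hits or 'no match':<20} {event['parent_command']}")
```

The fourth sample shows the parent-image precondition at work: the same caret-split command launched from a non-cmd.exe parent produces no hit, so a rule that depends on `parent_image` will miss the pattern when it arrives through another interpreter.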

2.107 LP_Credential Access via Input Prompt Detected


• Trigger Condition: Adversary captures user input to obtain credentials or collect
information via Input Prompt.

• ATT&CK Category: Credential Access, Collection

• ATT&CK Tag: Input Capture, GUI Input Capture

• ATT&CK ID: T1056, T1056.002

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4104 (scriptblocktext="*UI.prompt*credential*" OR script_block="*UI.prompt*credential*") -user IN EXCLUDED_USERS | rename scriptblocktext as script_block

2.108 LP_Credential Dump Tools Dropped Files Detected


• Trigger Condition: Creation of files with a well-known filename (i.e., parts of
credential dump software or files produced by them) is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 file IN ["*\pwdump*", "*\kirbi*", "*\pwhashes*", "*\wce_ccache*", "*\wce_krbtkts*", "*\fgdump-log*", "*\test.pwd", "*\lsremora64.dll", "*\lsremora.dll", "*\fgexec.exe", "*\wceaux.dll", "*\SAM.out", "*\SECURITY.out", "*\SYSTEM.out", "*\NTDS.out", "*\DumpExt.dll", "*\DumpSvc.exe", "*\cachedump64.exe", "*\cachedump.exe", "*\pstgdump.exe", "*\servpw.exe", "*\servpw64.exe", "*\pwdump.exe", "*\procdump64.exe"] -user IN EXCLUDED_USERS

2.109 LP_Credential Dumping - Process Creation


• Trigger Condition: An adversary attempts to dump credentials for obtaining
account login and credential material using different commands like ntdsutil,
procdump, wce, or gsecdump, in the form of a hash or a clear text password from
operating systems and software.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (command="*Invoke-Mimikatz -DumpCreds*" or command="*gsecdump -a*" or command="*wce -o*" or command="*procdump -ma lsass.exe" or command="*ntdsutil*ac i ntds*ifm*create full*") -user IN EXCLUDED_USERS

2.110 LP_Credential Dumping - Process Access


• Trigger Condition: An adversary attempts to dump credentials for obtaining
account login and credential material using different commands like ntdsutil,
procdump, wce, or gsecdump, in the form of a hash or a clear text password from
operating systems and software.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=10 target_image="*C:\Windows\system32\lsass.exe" (access="*0x1010*" or access="*0x1410*" or access="*0x147a*" or access="*0x143a*") (call_trace="*C:\Windows\SYSTEM32\ntdll.dll" or call_trace="*C:\Windows\system32\KERNELBASE.dll" or call_trace="*|UNKNOWN(*)") -user IN EXCLUDED_USERS

2.111 LP_Credential Dumping - Registry Save


• Trigger Condition: Credential dumping activity is detected. Adversaries attempt to
dump credentials for obtaining account login and credential material from the
registry, generally in the form of a hash or a clear text password from operating
systems and software, using different commands like ntdsutil, procdump, wce or
gsecdump.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" "process"="*\reg.exe" command IN ["*save*HKLM\sam*", "*save*HKLM\system*"] -user IN EXCLUDED_USERS

2.112 LP_Credential Dumping with ImageLoad Detected


• Trigger Condition: Adversaries dump credentials to obtain account login and credential material, detected through the DLL images they load.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003, T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 (image="*C:\Windows\System32\samlib.dll*" or image="*C:\Windows\System32\WinSCard.dll*" or image="*C:\Windows\System32\cryptdll.dll*" or image="*C:\Windows\System32\hid.dll*" or image="*C:\Windows\System32\vaultcli.dll*") -image IN ["*\Sysmon.exe", "*\svchost.exe", "*\logonui.exe"] -user IN EXCLUDED_USERS

2.113 LP_Credentials Access in Files Detected


• Trigger Condition: Adversaries searching for files containing insecurely stored
credentials in local file systems and remote file shares are detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Unsecured Credentials, Credentials in Files

• ATT&CK ID: T1552, T1552.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (command="*findstr* /si pass*" or command="*select-string -Pattern pass*" or command="*list vdir*/text:password*") -user IN EXCLUDED_USERS

2.114 LP_Credentials in Registry Detected


• Trigger Condition: Adversaries search registry of compromised systems to obtain
insecurely stored credentials.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Unsecured Credentials, Credentials in Registry

• ATT&CK ID: T1552, T1552.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (command="*reg query HKLM \/f password \/t REG_SZ \/s*" or command="*reg query HKCU \/f password \/t REG_SZ \/s*" or command="*Get-UnattendedInstallFile*" or command="*Get-Webconfig*" or command="*Get-ApplicationHost*" or command="*Get-SiteListPassword*" or command="*Get-CachedGPPPassword*" or command="*Get-RegistryAutoLogon*") -user IN EXCLUDED_USERS

2.115 LP_Curl Start Combination Detected


• Trigger Condition: Adversaries attempt to use curl to download payloads remotely
and execute them. Windows 10 build 17063 and later includes Curl by default.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command="*curl* start *" -user IN EXCLUDED_USERS

2.116 LP_CVE-2019-0708 RDP RCE Vulnerability Detected


• Trigger Condition: Use of the zerosum0x0 scanner to discover targets vulnerable to the CVE-2019-0708 RDP RCE, known as BlueKeep, is detected.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Exploitation of Remote Services

• ATT&CK ID: T1210

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4625 user="AAAAAAA" -user IN EXCLUDED_USERS

2.117 LP_Data Compression Detected in Windows


• Trigger Condition: Compression or encryption of collected data before exfiltration, using PowerShell or RAR, is detected.

• ATT&CK Category: Collection

• ATT&CK Tag: Archive Collected Data

• ATT&CK ID: T1560

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Create label="Process" (("process"="*\powershell.exe" command="*-Recurse Compress-Archive*") or ("process"="*\rar.exe" command="*rar*a*")) -user IN EXCLUDED_USERS

2.118 LP_Data Staging Process Detected in Windows


• Trigger Condition: Adversaries attempting to stage collected data in a central location or directory before exfiltration are detected.

• ATT&CK Category: Collection

• ATT&CK Tag: Data Staged

• ATT&CK ID: T1074

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((command="*DownloadString" command="*Net.WebClient*") or (command="*New-Object" command="*IEX*")) -user IN EXCLUDED_USERS

2.119 LP_Default Accepted Traffic From Bad IP


• Trigger Condition: A connection is allowed from known bad IP. For this alert to
work, you must update the list ALERT_BAD_IP.

• ATT&CK Category: Command and Control, Initial Access

• ATT&CK Tag: Proxy, External Remote Services

• ATT&CK ID: T1090, T1133

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Connection label=Allow source_address IN ALERT_BAD_IP

2.120 LP_Default Account Created but Password Not Changed

• Trigger Condition: Creation of a new account with a default password whose password is not changed within 24 hours is detected.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Valid Accounts, Account Manipulation, Create Account

• ATT&CK ID: T1078, T1098, T1136

• Minimum Log Source Requirement: Windows

• Query:

[label=User label=Create label=Account] as s1 left join [label=User label=Password (label=Change OR label=Reset)] as s2 on s1.target_user=s2.user | search -s2.user=* | rename s1.target_user as User, s1.log_ts as UserCreated_ts | process current_time(a) as time_ts | chart max((time_ts - UserCreated_ts)/60/60) as Duration by User, UserCreated_ts | search Duration>24
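The query above is a correlation rather than a single-event match: account creations (s1) are left-joined to password change or reset events (s2) on the user name, rows that found a match are dropped (`-s2.user=*`), and the surviving accounts are reported once the time since creation exceeds 24 hours. The following added example (not LogPoint's own code) replays that logic in Python over a constructed set of events so the join and threshold steps can be checked in isolation. The event shape is an assumption: each event carries a set of LogPoint-style labels, an ISO timestamp in `log_ts`, and either `target_user` (creation) or `user` (password event); `now` is passed in explicitly in place of `current_time()` so the run is reproducible offline.

```python
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample events (not from the page). Label sets follow the rule's
# filters; account creations expose target_user, password events expose user.
SAMPLE_EVENTS: List[dict] = [
    {"labels": {"User", "Create", "Account"}, "log_ts": "2023-05-01T08:00:00", "target_user": "svc_backup"},
    {"labels": {"User", "Create", "Account"}, "log_ts": "2023-05-01T20:00:00", "target_user": "contractor1"},
    {"labels": {"User", "Create", "Account"}, "log_ts": "2023-05-02T09:30:00", "target_user": "jdoe"},
    {"labels": {"User", "Password", "Change"}, "log_ts": "2023-05-02T10:00:00", "user": "jdoe"},
    {"labels": {"User", "Password", "Reset"}, "log_ts": "2023-05-01T08:05:00", "user": "svc_backup"},
    {"labels": {"User", "Create", "Account"}, "log_ts": "2023-05-03T07:00:00", "target_user": "tmp_admin"},
]

CREATE_LABELS: Set[str] = {"User", "Create", "Account"}       # s1 filter
PASSWORD_LABELS: Set[str] = {"User", "Password"}              # s2 filter ...
PASSWORD_ACTIONS: Set[str] = {"Change", "Reset"}              # ... with (Change OR Reset)


def accounts_with_unchanged_password(events: List[dict], now: datetime,
                                     threshold_hours: float = 24.0) -> Dict[str, float]:
    """Return {user: hours since creation} for accounts created more than
    threshold_hours ago that have no password change or reset on record.

    Mirrors the rule step by step: s1 = creations, s2 = password events,
    left join on s1.target_user = s2.user, keep rows where s2.user is absent,
    Duration = hours from creation to now, max per user, Duration > threshold."""
    # s2 side of the join: every user that has changed or reset a password.
    changed_users = {
        e["user"] for e in events
        if PASSWORD_LABELS <= e["labels"] and e["labels"] & PASSWORD_ACTIONS
    }
    durations: Dict[str, float] = {}
    for e in events:
        if not CREATE_LABELS <= e["labels"]:
            continue                      # not an s1 row
        user = e["target_user"]
        if user in changed_users:
            continue                      # s2 matched: '-s2.user=*' drops the row
        created = datetime.fromisoformat(e["log_ts"])
        hours = (now - created).total_seconds() / 3600
        # chart max(...) by User: keep the largest duration per account
        durations[user] = max(hours, durations.get(user, 0.0))
    return {u: h for u, h in durations.items() if h > threshold_hours}


def run_sample() -> Dict[str, float]:
    """Evaluate the sample at a fixed 'current time' (assumed, for reproducibility)."""
    return accounts_with_unchanged_password(SAMPLE_EVENTS, datetime(2023, 5, 3, 12, 0, 0))


if __name__ == "__main__":
    for user, hours in run_sample().items():
        print(f"{user}: password unchanged for {hours:.1f} h since creation")
```

Note that, like the rule, this does not order the password event after the creation: any change or reset for the user name suppresses the alert, which is what the `-s2.user=*` filter expresses.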

2.121 LP_Default Account privilege elevation followed by restoration of previous account state

• Trigger Condition: A user is added to a group or assigned privilege followed by
restoration or removal from those rights.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Account Manipulation, Exploitation for Privilege Escalation

• ATT&CK ID: T1098, T1068

• Minimum Log Source Requirement: Windows

• Query:

[label=User label=Group label=Management label=Add | rename target_user as account] as s1 followed by [label=User label=Group (label=Remove or label=Delete) -target_user=*$ | rename target_user as account] as s2 on s1.account=s2.account | rename s1.log_ts as ElevationTime_ts, s2.log_ts as RestorationTime_ts, s1.user as UserElevation, s2.user as UserRestoration, s1.account as Account, s1.message as PrivilegeElevation, s2.message as PrivilegeRestoration

2.122 LP_Default Audit Policy Changed


• Trigger Condition: An audit policy is changed in the system.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Domain Policy Modification, Group Policy Modification

• ATT&CK ID: T1484, T1484.001

• Minimum Log Source Requirement: Windows

• Query:

label=Audit label=Policy label=Change

2.123 LP_Default Blocked Inbound Traffic followed by Allowed Event

• Trigger Condition: Blocked inbound traffic followed by allowed traffic is detected.
• ATT&CK Category: Command and Control
• ATT&CK Tag: Proxy
• ATT&CK ID: T1090
• Minimum Log Source Requirement: Firewall, IDS/IPS
• Query:

[norm_id=*firewall or norm_id=*IDS label=Block or label=Deny label=Connection -source_address IN HOMENET destination_address IN HOMENET] as s1 followed by [norm_id=*firewall label=Allow label=Connection -source_address IN HOMENET destination_address IN HOMENET] as s2 on s1.source_address=s2.source_address | rename s1.source_address as source

2.124 LP_Default Blocked Outbound Traffic followed by Allowed Event

• Trigger Condition: Blocked outbound traffic followed by allowed traffic is detected.
• ATT&CK Category: Command and Control
• ATT&CK Tag: Proxy
• ATT&CK ID: T1090
• Minimum Log Source Requirement: Firewall, IDS/IPS
• Query:

[norm_id=*firewall or norm_id=*IDS label=Block or label=Deny label=Connection source_address IN HOMENET -destination_address IN HOMENET] as s1 followed by [norm_id=*firewall label=Allow label=Connection source_address IN HOMENET -destination_address IN HOMENET] as s2 on s1.source_address=s2.source_address | rename s1.source_address as source


2.125 LP_Default Brute Force Attack Attempt - Multiple Unique Sources

• Trigger Condition: Failed login attempts for the same user from multiple sources. The default value for multiple unique sources is five.

• ATT&CK Category: Credential Access, Privilege Escalation, Defense Evasion

• ATT&CK Tag: Brute Force, Forced Authentication, Valid Accounts

• ATT&CK ID: T1110, T1187, T1078

• Minimum Log Source Requirement: Windows

• Query:

label=User label=Login label=Fail | rename target_user as user | chart distinct_count(source_address) as DC by user | search DC>5

2.126 LP_Default Brute Force Attack Attempt - Multiple Unique Users

• Trigger Condition: Multiple user authentication failures from the same source within ten minutes. The default value for multiple unique users is five.

• ATT&CK Category: Credential Access, Initial Access, Persistence, Privilege Escalation, Defense Evasion

• ATT&CK Tag: Brute Force, Forced Authentication, Valid Accounts

• ATT&CK ID: T1110, T1187, T1078

• Minimum Log Source Requirement: Windows

• Query:

label=User label=Login label=Fail source_address=* -target_user=*$ | rename target_user as user | chart distinct_count(user) as DC by source_address | search DC>5


2.127 LP_Default Brute Force Attack Successful


• Trigger Condition: Five failed login attempts for a user followed by a successful login by the same user within five minutes are detected.

• ATT&CK Category: Credential Access, Initial Access, Persistence, Privilege Escalation, Defense Evasion

• ATT&CK Tag: Brute Force, Forced Authentication, Valid Accounts

• ATT&CK ID: T1110, T1187, T1078

• Minimum Log Source Requirement: Windows

• Query:

[label=User label=Login label=Fail -target_user=*$ | rename target_user as user | chart count() as cnt by user | search cnt > 5] as s1 followed by [label=User label=Login label=Successful | rename target_user as user] as s2 on s1.user = s2.user | rename s2.user as User
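The "s1 followed by s2" correlation that rules 2.121 (privilege elevation then restoration), 2.123 (blocked then allowed inbound traffic) and 2.127 (failed logins then success) rely on, as an added Python example that is not LogPoint's code. HOMENET, the field names and all events are constructed, and the `norm_id=*IDS` alternative of the 2.123 query is omitted.

```python
"""'s1 followed by s2' sequence correlation over constructed Windows and firewall events.
Added example, not LogPoint code; HOMENET, field names and the events are constructed."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOMENET = [ipaddress.ip_network("10.0.0.0/8")]   # constructed HOMENET list
T0 = datetime(2023, 5, 11, 9, 0, 0)              # constructed base timestamp

def ev(offset_s, labels, **fields):
    """One constructed event `offset_s` seconds after T0, with LogPoint-style fields."""
    return {"log_ts": T0 + timedelta(seconds=offset_s), "labels": set(labels), **fields}

def login(user, t, src, ok=False):
    return ev(t, ["User", "Login", "Successful" if ok else "Fail"], target_user=user, source_address=src)

def has_labels(e, *labels):
    return set(labels) <= e["labels"]

def in_homenet(addr):
    return any(ipaddress.ip_address(addr) in net for net in HOMENET)

# Constructed sample events (not real logs).
EVENTS = [
    # alice: six failures, then a success 90 s later -> cnt > 5 inside five minutes
    *[login("alice", 10 * i, "10.0.0.5") for i in range(6)], login("alice", 90, "10.0.0.5", ok=True),
    # bob: three failures then a success -> below the cnt > 5 threshold
    *[login("bob", 100 + 10 * i, "10.0.0.6") for i in range(3)], login("bob", 140, "10.0.0.6", ok=True),
    # carol: seven failures, but the success comes 20 minutes later -> outside the window
    *[login("carol", 200 + 10 * i, "10.0.0.7") for i in range(7)], login("carol", 1400, "10.0.0.7", ok=True),
    # WS01$: machine account, excluded by -target_user=*$ in the rules
    *[login("WS01$", 300 + 10 * i, "10.0.0.8") for i in range(6)], login("WS01$", 400, "10.0.0.8", ok=True),
    # dave is added to a group and removed from it a minute later
    ev(500, ["User", "Group", "Management", "Add"], user="admin1", target_user="dave",
       message="dave added to Domain Admins"),
    ev(560, ["User", "Group", "Management", "Remove"], user="admin1", target_user="dave",
       message="dave removed from Domain Admins"),
    # external 203.0.113.9 is denied, then allowed, inbound to HOMENET
    ev(600, ["Connection", "Deny"], norm_id="ExampleFirewall",
       source_address="203.0.113.9", destination_address="10.0.0.20"),
    ev(650, ["Connection", "Allow"], norm_id="ExampleFirewall",
       source_address="203.0.113.9", destination_address="10.0.0.21"),
]

def followed_by(events, first, second, key, window=None):
    """'[...] as s1 followed by [...] as s2 on s1.key=s2.key': pair each s2 event with the
    most recent earlier s1 event sharing `key`, optionally only within `window`."""
    pending, pairs = {}, []
    for e in sorted(events, key=lambda x: x["log_ts"]):
        k = e.get(key)
        if k is None:
            continue
        if second(e) and k in pending:
            s1 = pending.pop(k)
            if window is None or e["log_ts"] - s1["log_ts"] <= window:
                pairs.append((s1, e))
        if first(e):
            pending[k] = e
    return pairs

def elevation_then_restoration(events):
    """LP_Default Account privilege elevation followed by restoration of previous account state."""
    first = lambda e: has_labels(e, "User", "Group", "Management", "Add")
    second = lambda e: (has_labels(e, "User", "Group") and not e["target_user"].endswith("$")
                        and (has_labels(e, "Remove") or has_labels(e, "Delete")))
    return [{"Account": s1["target_user"], "UserElevation": s1["user"], "UserRestoration": s2["user"],
             "ElevationTime_ts": s1["log_ts"], "RestorationTime_ts": s2["log_ts"],
             "PrivilegeElevation": s1["message"], "PrivilegeRestoration": s2["message"]}
            for s1, s2 in followed_by(events, first, second, key="target_user")]

def blocked_then_allowed_inbound(events):
    """LP_Default Blocked Inbound Traffic followed by Allowed Event (firewall branch only;
    the rule's norm_id=*IDS alternative for s1 is omitted here)."""
    inbound = lambda e: (e.get("norm_id", "").lower().endswith("firewall")
                         and not in_homenet(e["source_address"]) and in_homenet(e["destination_address"]))
    first = lambda e: inbound(e) and has_labels(e, "Connection") and (has_labels(e, "Block") or has_labels(e, "Deny"))
    second = lambda e: inbound(e) and has_labels(e, "Connection", "Allow")
    return [s1["source_address"] for s1, _ in followed_by(events, first, second, key="source_address")]

def brute_force_success(events, threshold=5, window=timedelta(minutes=5)):
    """LP_Default Brute Force Attack Successful: more than `threshold` failures for a user
    followed by a success for the same user, counting only failures inside `window`."""
    fails, alerts = defaultdict(deque), []
    for e in sorted(events, key=lambda x: x["log_ts"]):
        user = e.get("target_user")
        if user is None or user.endswith("$"):           # -target_user=*$ drops machine accounts
            continue
        if has_labels(e, "User", "Login", "Fail"):
            fails[user].append(e["log_ts"])
        elif has_labels(e, "User", "Login", "Successful"):
            recent = fails[user]
            while recent and e["log_ts"] - recent[0] > window:   # slide the window
                recent.popleft()
            if len(recent) > threshold:
                alerts.append({"User": user, "FailedAttempts": len(recent), "SuccessTime_ts": e["log_ts"]})
            recent.clear()
    return alerts
```

Only alice triggers the brute-force rule: bob is under the threshold, carol's success is outside the window, and WS01$ is a machine account.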

2.128 LP_Default Connection Attempts on Closed Port


• Trigger Condition: A connection is established on a closed port. For the alert to work, you must update the list ALERT_OPEN_PORTS with the ports that are open.

• ATT&CK Category: Command And Control, Persistence, Privilege Escalation

• ATT&CK Tag: Traffic Signaling, Port Knocking

• ATT&CK ID: T1205, T1205.001

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Connection -destination_port IN ALERT_OPEN_PORTS source_address=* destination_port=*


2.129 LP_Default CPU Usage Status


• Trigger Condition: The use of CPU exceeds 90%.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: LogPoint

• Query:

label=Metrics label=CPU label=Usage use>90

2.130 LP_Default Device Stopped Sending Logs for Half an Hour

• Trigger Condition: A device has not sent logs for more than half an hour. You can customize the time according to your need.

• ATT&CK Category: Impact, Defense Evasion

• ATT&CK Tag: Service Stop, Data Destruction, Indicator Removal on Host

• ATT&CK ID: T1489, T1485, T1070

• Minimum Log Source Requirement: All the log sources

• Query:

| chart max(col_ts) as max_time_ts by device_ip | process current_time(a) as time | chart max(time-max_time_ts) as elapsed_time by max_time_ts, device_ip | search elapsed_time>1800

2.131 LP_Default DNS Tunneling Detection - Data Transfer Size

• Trigger Condition: The size of data transmitted using the Application Layer Protocol and DNS port is greater than 10MB in five minutes.

• ATT&CK Category: Command and Control, Exfiltration


• ATT&CK Tag: Application Layer Protocol, DNS, Data Transfer Size Limits

• ATT&CK ID: T1071, T1071.004, T1030

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

destination_port=53 source_address IN HOMENET -destination_address IN HOMENET | chart sum(datasize) as DNSBYTES by source_address | search DNSBYTES > 10000000

2.132 LP_Default DNS Tunneling Detection - Multiple domains

• Trigger Condition: A source address with queries for more than 50 domains is detected.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Application Layer Protocol, DNS, Dynamic Resolution, Domain Generation Algorithms, Proxy, Domain Fronting

• ATT&CK ID: T1071, T1071.004, T1568, T1568.002, T1090, T1090.004

• Minimum Log Source Requirement: Webserver, Firewall

• Query:

norm_id=* (url=* OR domain=*) | process domain(url) as domain | chart distinct_count(domain) as DomainCount by source_address | search DomainCount > 50

2.133 LP_Default DNS Tunneling Detection - Multiple Subdomains

• Trigger Condition: Domains with more than ten subdomains from a single source address are detected.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Application Layer Protocol, DNS, Dynamic Resolution, Domain Generation Algorithms, Proxy, Domain Fronting

• ATT&CK ID: T1071, T1071.004, T1568, T1568.002, T1090, T1090.004


• Minimum Log Source Requirement: Webserver, Firewall

• Query:

norm_id=* (url=* OR domain=*) | process domain(url) as domain | norm on domain <subdomain:.*><:'\.'><main_domain:'[a-z0-9]+.\w{3}'> | search subdomain=* | chart distinct_count(subdomain) as uniqueSubdomain by main_domain, source_address | search uniqueSubdomain>10

2.134 LP_Default DNS Tunneling Detection - Query Size


• Trigger Condition: Application Layer Protocol and DNS traffic whose query name is longer than 64 characters is detected.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Application Layer Protocol, DNS, Dynamic Resolution, Domain Generation Algorithms

• ATT&CK ID: T1071,T1071.004,T1568,T1568.002

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver, DNS Server

• Query:

norm_id=* "DNS" qname=* | process count_char(qname) as charCount | search charCount>64
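The four DNS tunneling heuristics of rules 2.131 to 2.134 (bytes per source, distinct domains per source, distinct subdomains per registrable domain and source, query-name length) run over constructed DNS records, as an added Python example that is not LogPoint's code. HOMENET, the record fields and the records are constructed; the subdomain split reuses the pattern from the `norm on domain` expression of rule 2.133, and the thresholds are the ones stated in the rules.

```python
"""DNS tunneling heuristics from the four LP_Default DNS Tunneling Detection rules,
run over constructed DNS log records. Added example, not LogPoint code."""
import ipaddress
import re
from collections import defaultdict

HOMENET = [ipaddress.ip_network("10.0.0.0/8")]   # constructed HOMENET list

# Mirrors the rule's `norm on domain <subdomain:.*><:'\.'><main_domain:'[a-z0-9]+.\w{3}'>`:
# a greedy subdomain, a literal dot, then one label, any single character and three word
# characters. The pattern therefore assumes a three-character TLD: "example.com" (no
# subdomain) and "example.co.uk" do not match and are dropped by `search subdomain=*`.
DOMAIN_RE = re.compile(r"(?P<subdomain>.*)\.(?P<main_domain>[a-z0-9]+.\w{3})")

def parse_domain(name):
    """Return (subdomain, main_domain) as the rule's norm would, or None when it does not match."""
    m = DOMAIN_RE.search(name)
    return (m.group("subdomain"), m.group("main_domain")) if m else None

def in_homenet(addr):
    return any(ipaddress.ip_address(addr) in net for net in HOMENET)

def rec(src, qname, datasize, dst="198.51.100.53"):
    """One constructed DNS record: port 53 from an internal host to an external resolver."""
    return {"source_address": src, "destination_address": dst, "destination_port": 53,
            "qname": qname, "domain": qname, "datasize": datasize}

# Constructed sample traffic (not real logs).
RECORDS = (
    # benign workstation: a few short names, small payloads
    [rec("10.0.0.7", "www.example.com", 80), rec("10.0.0.7", "mail.example.com", 90),
     rec("10.0.0.7", "example.com", 70), rec("10.0.0.7", "example.co.uk", 75)]
    # 10.0.0.42: twelve distinct 64-hex-character labels under example.net, 1 MB each
    + [rec("10.0.0.42", f"{i:064x}.example.net", 1_000_000) for i in range(12)]
    # 10.0.0.99: 60 distinct registrable domains, one query each
    + [rec("10.0.0.99", f"host{i}.site{i}.org", 60) for i in range(60)]
)

def dns_bytes_by_source(records, threshold=10_000_000):
    """Data Transfer Size: outbound port-53 bytes per internal source above `threshold`."""
    total = defaultdict(int)
    for r in records:
        if (r["destination_port"] == 53 and in_homenet(r["source_address"])
                and not in_homenet(r["destination_address"])):
            total[r["source_address"]] += r["datasize"]
    return {src: n for src, n in total.items() if n > threshold}

def sources_with_many_domains(records, threshold=50):
    """Multiple domains: distinct queried domains per source above `threshold`."""
    seen = defaultdict(set)
    for r in records:
        seen[r["source_address"]].add(r["domain"])
    return {src: len(d) for src, d in seen.items() if len(d) > threshold}

def suspicious_subdomain_counts(records, threshold=10):
    """Multiple Subdomains: distinct subdomains per (main_domain, source) above `threshold`."""
    subs = defaultdict(set)
    for r in records:
        parsed = parse_domain(r["domain"])
        if parsed:                                   # `search subdomain=*`
            subdomain, main_domain = parsed
            subs[(main_domain, r["source_address"])].add(subdomain)
    return {key: len(s) for key, s in subs.items() if len(s) > threshold}

def oversized_queries(records, max_chars=64):
    """Query Size: query names longer than `max_chars` (count_char(qname) > 64)."""
    return [r["qname"] for r in records if len(r["qname"]) > max_chars]
```

Each heuristic fires on a different constructed source: the byte-volume, subdomain and length checks all single out 10.0.0.42, while only the distinct-domain check flags 10.0.0.99.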

2.135 LP_Default Excessive Authentication Failures


• Trigger Condition: More than 100 authentication failures for a user within ten minutes are detected.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access

• ATT&CK Tag: Valid Accounts, Brute Force

• ATT&CK ID: T1078, T1110

• Minimum Log Source Requirement: Windows

• Query:


label=Fail label=Authentication -user=*$ | chart count() as cnt by user | search cnt>100

2.136 LP_Default Excessive Blocked Connections


• Trigger Condition: 50 blocked or denied connections are observed from the same
source within a minute.

• ATT&CK Category: Impact, Command and Control

• ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service, Proxy

• ATT&CK ID: T1498, T1499, T1090

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

[50 label=Connection (label=Deny OR label=Block) source_address=* having same source_address within 1 minute]

2.137 LP_Default Excessive HTTP Errors


• Trigger Condition: 20 or more unique HTTP errors are detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Network Denial of Service

• ATT&CK ID: T1498

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

norm_id=* status_code IN HTTP_ERROR | chart distinct_count(status_code) as cnt by host, source_address, norm_id | search cnt>20

2.138 LP_Default File Association Changed


• Trigger Condition: Adversaries establish persistence and/or elevate privileges by
executing malicious content triggered by a file type association.

• ATT&CK Category: Persistence


• ATT&CK Tag: Event Triggered Execution, Change Default File Association

• ATT&CK ID: T1546, T1546.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\SOFTWARE\Classes\*" or target_object="*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\GlobalAssocChangedCounter*") -user IN EXCLUDED_USERS

2.139 LP_Default Guest Account Added to Administrative Group

• Trigger Condition: A guest account is added to a security group.

• ATT&CK Category: Credential Access, Persistence, Privilege Escalation, Defense Evasion, Initial Access

• ATT&CK Tag: Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Access Control, Valid Accounts

• ATT&CK ID: T1098, T1548, T1548.002, T1078

• Minimum Log Source Requirement: Windows

• Query:

label=Security label=Group label=Management label=Add (member_sid="S-1-5-21-*-501" OR target_id="S-1-5-21-*-501") | rename target_user as member, group as group_name

2.140 LP_Default High Unique DNS Traffic


• Trigger Condition: More than 50 Application Layer Protocol and DNS traffic events from the same source are detected.

• ATT&CK Category: Command And Control

• ATT&CK Tag: Application Layer Protocol, DNS

• ATT&CK ID: T1071, T1071.004


• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

destination_port=53 source_address=* | chart count() as Event by source_address | search Event>50

2.141 LP_Default High Unique SMTP Traffic


• Trigger Condition: More than 50 SMTP traffic events from the same source within a minute are detected.

• ATT&CK Category: Command And Control

• ATT&CK Tag: Application Layer Protocol, Mail Protocols

• ATT&CK ID: T1071, T1071.003

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

source_address=* destination_port=25 | chart count() as Event by source_address | search Event>50

2.142 LP_Default High Unique Web-Server traffic


• Trigger Condition: More than 50 web server traffic events from the same source within a minute are detected.

• ATT&CK Category: Command And Control

• ATT&CK Tag: Application Layer Protocol, Web Protocols

• ATT&CK ID: T1071, T1071.001

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

source_address=* destination_port=80 | chart count() as Event by source_address | search Event>50


2.143 LP_Default Inbound Connection with Non-Whitelist Country

• Trigger Condition: An inbound connection established from a non-whitelisted country is detected. For this alert to work, you must update the list WHITELIST_COUNTRY.

• ATT&CK Category: Command And Control

• ATT&CK Tag: Proxy

• ATT&CK ID: T1090

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

-source_address IN HOMENET destination_address IN HOMENET | process geoip(source_address) as country | search -country IN WHITELIST_COUNTRY

2.144 LP_Default Inbound Queries Denied by Firewalls


• Trigger Condition: A firewall denies more than 100 inbound connections within
five minutes.

• ATT&CK Category: Impact

• ATT&CK Tag: Network Denial of Service

• ATT&CK ID: T1498

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Connection label=Deny -source_address IN HOMENET destination_address in HOMENET | chart count() as Event by source_address, destination_address | search Event>100

2.145 LP_Default Inbound RDP Connection


• Trigger Condition: Inbound RDP traffic events on destination port 3389 are detected.


• ATT&CK Category: Lateral Movement, Command And Control

• ATT&CK Tag: Remote Services, Application Layer Protocol

• ATT&CK ID: T1021, T1071

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Connection -source_address IN HOMENET destination_address in HOMENET destination_port=3389

2.146 LP_Default Inbound SMB Connection


• Trigger Condition: Inbound SMB traffic events on destination port 445 are detected.

• ATT&CK Category: Lateral Movement, Command And Control

• ATT&CK Tag: Application Layer Protocol

• ATT&CK ID: T1071

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Connection -source_address IN HOMENET destination_address in HOMENET destination_port=445

2.147 LP_Default Inbound SMTP Connection


• Trigger Condition: Inbound SMTP traffic event on destination ports 25, 456, 587,
2525, and 2526 is detected.

• ATT&CK Category: Command And Control

• ATT&CK Tag: Application Layer Protocol

• ATT&CK ID: T1071

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:


label=Connection -source_address IN HOMENET destination_address in HOMENET destination_port in [25,465,587,2525,2526]

2.148 LP_Default Inbound SSH Connection


• Trigger Condition: Inbound Remote Services SSH traffic event on destination port
22 is detected.

• ATT&CK Category: Lateral Movement, Command and Control

• ATT&CK Tag: Remote Services, Application Layer Protocol

• ATT&CK ID: T1021, T1071

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Connection -source_address IN HOMENET destination_address in HOMENET destination_port=22

2.149 LP_Default Internal Attack


• Trigger Condition: More than ten attack patterns from a home network are
detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service

• ATT&CK ID: T1498, T1499

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Attack -label=Deny source_address IN HOMENET | chart count() as Event by source_address, destination_address | search Event>10


2.150 LP_Default Internal Virus Worm Outburst


• Trigger Condition: Ten or more viruses on a host are detected within an hour.

• ATT&CK Category: Impact, Defense Evasion

• ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service

• ATT&CK ID: T1021, T1071

• Minimum Log Source Requirement: Antivirus

• Query:

(label=Worm OR label=Virus OR label=Malware) source_address IN HOMENET malware=* | chart distinct_count(malware) as Virus by source_address | search Virus>10

2.151 LP_Default IRC connection


• Trigger Condition: The IRC connection is detected. For this alert to work, you
must update ALERT_IRC_PORT list with possible IRC ports.

• ATT&CK Category: Command and Control, Discovery

• ATT&CK Tag: Proxy, Network Service Scanning

• ATT&CK ID: T1090, T1046

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

(destination_port IN ALERT_IRC_PORT OR destination_port=6667)

2.152 LP_Default Malware Detected


• Trigger Condition: A malware or a virus is detected in the system.

• ATT&CK Category: Resource Development

• ATT&CK Tag: Develop Capabilities, Malware

• ATT&CK ID: T1587, T1587.001

• Minimum Log Source Requirement: Antivirus


• Query:

(label=Virus OR label=Malware) (label=Detect OR label=Find) (virus=* OR malware=* OR file=* OR path=*) | rename malware as virus

2.153 LP_Default Malware Detected in Various Machines


• Trigger Condition: The same malware or virus is detected on multiple hosts.

• ATT&CK Category: Discovery, Defense Evasion

• ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery, Impair Defenses, Disable or Modify Tools

• ATT&CK ID: T1046, T1211, T1518, T1518.001, T1562, T1562.001

• Minimum Log Source Requirement: Antivirus

• Query:

(label=Virus OR label=Malware) (label=Detect OR label=Find) source_address=* malware=* | chart distinct_count(source_address) as Event by malware | search Event>1

2.154 LP_Default Malware not Cleaned


• Trigger Condition: A malware clean event (deletion, removal, or quarantine) is followed by detection of the same malware on the same host.

• ATT&CK Category: Discovery, Defense Evasion

• ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

• ATT&CK ID: T1046, T1211, T1518, T1518.001

• Minimum Log Source Requirement: Antivirus

• Query:

[norm_id=* malware=* action IN ["*delete*", "*remove*", "*quarantine*"]] as s1 followed by [norm_id=* malware=* source_address=*] as s2 on s1.malware=s2.malware | process compare(s1.source_address, s2.source_address) as match | search match=true | rename s1.source_address as source_address, s1.malware as malware


2.155 LP_Default Malware Removed


• Trigger Condition: Removal of malware or a virus from the system is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Indicator Removal on Host, Obfuscated Files or Information, Indicator Removal from Tools

• ATT&CK ID: T1070, T1027, T1027.005

• Minimum Log Source Requirement: Antivirus

• Query:

(label=Virus OR label=Malware) (label=Remove OR label=Clean OR label=Delete) -label="Not" -label=Error | rename malware as virus | search virus=*

2.156 LP_Default Memory Usage Status


• Trigger Condition: The memory usage exceeds 90% of the total memory available.

• ATT&CK Category: Collection

• ATT&CK Tag: Automated Collection

• ATT&CK ID: T1119

• Minimum Log Source Requirement: LogPoint

• Query:

label=Metrics label=Memory label=Usage use>90

2.157 LP_Default Network Configuration Change on Network Device

• Trigger Condition: A configuration change on a core network event source, such as a router or switch, is detected.

• ATT&CK Category: Persistence, Credential Access, Defense Evasion, Privilege Escalation


• ATT&CK Tag: Modify Existing Service, Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Access Control, Impair Defenses, Indicator Blocking, Modify Registry, Exploitation for Privilege Escalation

• ATT&CK ID: T1098, T1548, T1562, T1562.006, T1112, T1068

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Network label=Configuration (label=Change OR label=Modify OR label=Reset OR label=Enable OR label=Disable OR label=Add or label=Delete or label=Undelete)

2.158 LP_Default Outbound Connection with Non-Whitelist Country

• Trigger Condition: Outbound connections to non-whitelisted countries are detected. For this alert to work, you must update the list WHITELIST_COUNTRY.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Proxy

• ATT&CK ID: T1090

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

source_address IN HOMENET -destination_address IN HOMENET | process geoip(destination_address) as country | search -country IN WHITELIST_COUNTRY

2.159 LP_Default Outbound Traffic from Unusual Source


• Trigger Condition: Outbound traffic is detected from an unusual source. For this
alert to work, you must update the list ALERT_UNUSUAL_SOURCE with source
addresses from which outbound connections are not established.

• ATT&CK Category: Command and Control, Exfiltration

• ATT&CK Tag: Proxy, Automated Exfiltration, Exfiltration Over C2 Channel

• ATT&CK ID: T1090, T1020, T1041

• Minimum Log Source Requirement: Firewall, IDS/IPS


• Query:

source_address IN ALERT_UNUSUAL_SOURCE source_address IN HOMENET (label=Traffic OR label=Connection) -destination_address IN HOMENET

2.160 LP_Default Port Scan Detected


• Trigger Condition: A source hits a destination on 50 different ports in five minutes.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning

• ATT&CK ID: T1046

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

destination_port=* | chart distinct_count(destination_port) as CNT by source_address, destination_address | search CNT>50

2.161 LP_Default Possible Cross Site Scripting Attack Detected

• Trigger Condition: A script tag indicating an XSS attack is detected in the URL.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploiting Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

norm_id=* url IN ["*<script>*", "*%3c%73%63%72%69%70%74%3e*", "*%3cscript%3e*"] or resource IN ["*<script>*", "*%3c%73%63%72%69%70%74%3e*", "*%3cscript%3e*"] | rename resource as url


2.162 LP_Default Possible Network Performance Degradation Detected

• Trigger Condition: 100 or more network-related errors are detected on security devices within five minutes.

• ATT&CK Category: Impact

• ATT&CK Tag: Network Denial of Service

• ATT&CK ID: T1498

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

norm_id=* ((label=Connection (label=Error or label=Fail or label=Deny or label=Drop)) or (label="Limit" label=Exceed) or (label=Packet label=Drop) or (label=Protocol label=Deny)) | chart count() as Event by device_ip, norm_id | search Event>1000

2.163 LP_Default Possible Non-PCI Compliant Inbound Network Traffic Detected

• Trigger Condition: An inbound connection is detected on security devices over ports that are non-compliant according to PCI compliance practices. For this alert to work, you must update the list NON_PCI_COMPLIANT_PORT.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Proxy

• ATT&CK ID: T1090

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Inbound label=Connection destination_port IN NON_PCI_COMPLIANT_PORT -source_address IN HOMENET


2.164 LP_Default Possible Spamming Zombie


• Trigger Condition: A system other than a mail server attempting to establish an outbound SMTP connection is detected. For this alert to work, you must update the list MAIL_SERVERS with your mail servers (for example, Exchange or Postfix) to remove false positives.

• ATT&CK Category: Command and Control, Impact

• ATT&CK Tag: Proxy, Application Layer Protocol, Network Denial of Service

• ATT&CK ID: T1090, T1071, T1498

• Minimum Log Source Requirement: All except Mail Server

• Query:

-norm_id IN MAIL_SERVERS destination_port IN ["25", "587"]

2.165 LP_Default Possible SQL Injection Attack


• Trigger Condition: SQL character injection in the input field of a web application
is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

norm_id=* url IN SQL_INJECTION_CHARACTER or resource IN SQL_INJECTION_CHARACTER | rename resource as url

2.166 LP_Default Possible System Instability State Detected

• Trigger Condition: Instability of a system is detected, for example a system that shuts down or restarts more than five times within ten minutes. A correlation rule is designed to detect whether a system has become unstable.


• ATT&CK Category: Impact

• ATT&CK Tag: System Shutdown/Reboot

• ATT&CK ID: T1529

• Minimum Log Source Requirement: OS

• Query:

[5 (-label=Require -label=Request -label=Reply) (label=Restart OR label=Shutdown OR label=Boot) having same device_ip within 10 minutes]

2.167 LP_Default PowerSploit and Empire Schtasks Persistence

• Trigger Condition: Creation of a scheduled task via the PowerSploit or Empire default configuration is detected.

• ATT&CK Category: Execution, Persistence, Privilege Escalation

• ATT&CK Tag: Scheduled Task/Job, Scheduled Task, Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1053, T1053.005, T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create parent_process="*\powershell.exe" "process"="*\schtasks.exe" command = "*/Create*" command = "*/SC*" (command in ["*ONLOGON*", "*DAILY*", "*ONIDLE*", "*Updater*"] command = "*/TN*" command = "*Updater*" command = "*/TR*" command = "*powershell*")

2.168 LP_Default Successful Login outside Normal Hour


• Trigger Condition: Successful user login beyond regular office hour is detected.
You can adjust the regular work hour according to your company.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Valid Accounts

• ATT&CK ID: T1078


• Minimum Log Source Requirement: Windows

• Query:

label=Login label=Successful target_user=* ((day_of_week(log_ts)=2 OR day_of_week(log_ts)=3 OR day_of_week(log_ts)=4 OR day_of_week(log_ts)=5 OR day_of_week(log_ts)=6) (hour(log_ts)>0 hour(log_ts)<9) OR hour(log_ts)>17) OR (day_of_week(log_ts) IN [1, 7]) | rename target_user as user

2.169 LP_Default Successful Login Using a Default Account

• Trigger Condition: Successful login attempts using a vendor default account are detected. The alert is essential for organizations subject to Payment Card Industry (PCI) compliance.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Valid Accounts, Default Accounts

• ATT&CK ID: T1078, T1078.001

• Minimum Log Source Requirement: Windows

• Query:

label=User label=Login label=Successful (target_user=* OR user=*) (target_user IN DEFAULT_USERS OR user IN DEFAULT_USERS) | rename target_user as user

2.170 LP_Default Suspicious DNS Queries with Higher Data Size

• Trigger Condition: DNS queries with a data size greater than 2K, signaling exfiltration of data via DNS, are detected.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Exfiltration Over Alternative Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

• ATT&CK ID: T1048, T1048.003

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver


• Query:

datasize=* destination_port=53 datasize>2000

2.171 LP_Default System Time Change


• Trigger Condition: The system time is changed, or the LogPoint command /opt/immune/installed/system/root_actions/*_ntp.sh is executed.

• ATT&CK Category: Persistence, Impact

• ATT&CK Tag: Modify Existing Service, Data Destruction

• ATT&CK ID: T1485

• Minimum Log Source Requirement: Windows

• Query:

(label=System label=Time label=Change) OR (label=Execute label=Command command="/opt/immune/installed/system/root_actions/*_ntp.sh")

2.172 LP_Default TCP Port Scan


• Trigger Condition: 100 or more different TCP port sweep events are detected
within five minutes from external sources.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning

• ATT&CK ID: T1046

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Connection label=Traffic -source_address IN HOMENET destination_address IN HOMENET protocol=TCP | chart distinct_count(destination_port) as DistinctPort by source_address, destination_address order by DistinctPort desc | search DistinctPort>100


2.173 LP_Default TCP Probable SynFlood Attack


• Trigger Condition: Security devices detect ten TCP Syn flood events within a
minute.

• ATT&CK Category: Impact

• ATT&CK Tag: Endpoint Denial of Service

• ATT&CK ID: T1499

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

[10 TCP SYN having same source_address within 1 minute]

2.174 LP_Default UDP Port Scan


• Trigger Condition: 100 or more different UDP port sweep events are detected
within five minutes from an external source.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning

• ATT&CK ID: T1046

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Connection label=Traffic -source_address IN HOMENET destination_address IN HOMENET protocol=UDP | chart distinct_count(destination_port) as DistinctPort by source_address, destination_address order by DistinctPort desc | search DistinctPort>100

2.175 LP_Default Unapproved Port Activity Detected


• Trigger Condition: A user uses unapproved ports.

• ATT&CK Category: Defense Evasion, Persistence, Command And Control


• ATT&CK Tag: Boot or Logon Autostart Execution, Port Monitors, Traffic Signaling,
Port Knocking

• ATT&CK ID: T1547, T1547.01, T1205, T1205.001

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

norm_id=* source_port IN UNAPPROVED_PORT or destination_port IN UNAPPROVED_PORT or port IN UNAPPROVED_PORT | rename source_port as port, destination_port as port

2.176 LP_Default Unusual Number of Failed Vendor User Login

• Trigger Condition: More than 10 failed logins using default vendor accounts are detected. For this alert to work, you must update the list DEFAULT_USERS with default vendor user names.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Valid Accounts, Default Accounts

• ATT&CK ID: T1078, T1078.001

• Minimum Log Source Requirement: Windows

• Query:

label=User label=Login label=Fail (target_user=* OR user=*) (target_user IN DEFAULT_USERS OR user IN DEFAULT_USERS) | rename target_user as user | chart count() as Event by user, source_address | search Event>10

2.177 LP_Detection of PowerShell Execution via DLL


• Trigger Condition: Command and Scripting Interpreter (PowerShell) strings passed to rundll32, as observed with PowerShdll.dll, are detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001


• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*\rundll32.exe" OR message="*Windows-Hostprozess (Rundll32)*") command IN ["*Default.GetString*", "*FromBase64String*"] -user IN EXCLUDED_USERS

2.178 LP_Devtoolslauncher Executes Specified Binary


• Trigger Condition: Adversaries attempt to bypass process and/or signature-based
defenses by proxying execution of malicious content through the signed binary
devtoolslauncher (part of the VS/VSCode installation) with the LaunchForDeploy
command.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\devtoolslauncher.exe" command="*LaunchForDeploy*" -user IN EXCLUDED_USERS

2.179 LP_DHCP Callout DLL Installation Detected


• Trigger Condition: Installation of a Callout DLL via CalloutDlls and CalloutEnabled
parameters in the registry, used to execute code in the context of the DHCP server
is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading, Modify Registry

• ATT&CK ID: T1574, T1574.002, T1112

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=13 target_object IN ["*\Services\DHCPServer\Parameters\CalloutDlls", "*\Services\DHCPServer\Parameters\CalloutEnabled"] -user IN EXCLUDED_USERS

2.180 LP_DHCP Server Error Failed Loading the CallOut DLL

• Trigger Condition: DHCP server error in which a specified Callout DLL in registry
cannot be loaded.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

• ATT&CK ID: T1574, T1574.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WinServer event_id IN ["1031", "1032", "1034"] event_source="Microsoft-Windows-DHCP-Server" -user IN EXCLUDED_USERS

2.181 LP_DHCP Server Loaded the CallOut DLL


• Trigger Condition: A DHCP server loads the Callout DLL configured in the registry.
The alert is translated from its corresponding Sigma rule; see that rule for more
information.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

• ATT&CK ID: T1574, T1574.002

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=1033 -user IN EXCLUDED_USERS


2.182 LP_Direct Autorun Keys Modification Detected


• Trigger Condition: A modification to the direct autorun keys on a system (ASEP)
in the registry using reg.exe. These keys are used to run programs or scripts
automatically when a specific event occurs, such as when the system starts up or
when a user logs in. Adversaries may use this technique to establish persistence
on a system and ensure that their malware or other malicious programs are
launched automatically whenever the system is restarted. They may also use it to
evade detection by disguising their malware as a legitimate program automatically
launched by the system. This alert requires registry auditing to be enabled. When
an admin user modifies the keys, false positive alerts may be triggered.

• ATT&CK Category: Persistence

• ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder

• ATT&CK ID: T1547, T1547.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\reg.exe" command="*add*" command IN ["*\software\Microsoft\Windows\CurrentVersion\Run*", "*\software\Microsoft\Windows\CurrentVersion\RunOnce*", "*\software\Microsoft\Windows\CurrentVersion\RunOnceEx*", "*\software\Microsoft\Windows\CurrentVersion\RunServices*", "*\software\Microsoft\Windows\CurrentVersion\RunServicesOnce*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit*", "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell*", "*\software\Microsoft\Windows NT\CurrentVersion\Windows*", "*\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders*", "*\system\CurrentControlSet\Control\SafeBoot\AlternateShell*"] -user IN EXCLUDED_USERS

2.183 LP_Disable of ETW Trace Detected


• Trigger Condition: A command that clears or disables the ETW trace log, indicating
a logging evasion attempt by adversaries. Adversaries can cease the flow of
logging temporarily or permanently without generating any additional event clear
log entries from this method.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Indicator Blocking


• ATT&CK ID: T1562, T1562.006

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Create label="process" ((command="* cl */Trace*") OR (command="* clear-log */Trace*") OR (command="* sl* /e:false*") OR (command="* set-log* /e:false*") OR (command="*Remove-EtwTraceProvider*" command="*EventLog-Microsoft-Windows-WMI-Activity-Trace*" command="*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*") OR (command="*Set-EtwTraceProvider*" command="*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*" command="*EventLog-Microsoft-Windows-WMI-Activity-Trace*" command="*0x11*") OR (command="*logman update trace*" command="* --p *" command="* -ets *")) -user IN EXCLUDED_USERS

2.184 LP_MiniNt Registry Key Addition


• Trigger Condition: The addition of a MiniNt key to the registry is detected. After
a reboot, the Windows Event Log service stops writing events.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Disable or Modify Tools

• ATT&CK ID: T1562, T1562.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon label=Registry label=Set label=Value target_object="HKLM\SYSTEM\CurrentControlSet\Control\MiniNt" -user IN EXCLUDED_USERS

2.185 LP_Discovery of a System Time Detected


• Trigger Condition: The use of various commands to query a system’s time is
identified. Adversaries may attempt to manipulate the system time to throw off
logs’ accuracy or hide their activities. They may also use the system time to trigger
the execution of malicious payloads or scripts at specific times.

• ATT&CK Category: Discovery

• ATT&CK Tag: System Time Discovery

• ATT&CK ID: T1124


• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((image IN ["*\net.exe", "*\net1.exe"] command="*time*") OR (image="*\w32tm.exe" command="*tz*") OR (image="*\powershell.exe" command="*Get-Date*")) -user IN EXCLUDED_USERS

2.186 LP_Discovery using Bloodhound Detected


• Trigger Condition: Enumeration attempt by a user using the IPC$ share.

• ATT&CK Category: Discovery

• ATT&CK Tag: System Owner/User Discovery

• ATT&CK ID: T1033

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=3 service=ldap image IN ['*cmd.exe', '*powershell.exe', '*sharphound.exe'] -user IN EXCLUDED_USERS | chart count() as eventCount by host, service, image | search eventCount > 10

2.187 LP_Discovery via File and Directory Discovery Using Command Prompt

• Trigger Condition: Enumeration of files and directories, or a search of a specific
location on a host or network share within a file system, using the command prompt
is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: File and Directory Discovery

• ATT&CK ID: T1083

• Minimum Log Source Requirement: Windows

• Query:


norm_id=WinServer event_id=4688 (commandline = "tree*" OR command = "tree*") -user IN EXCLUDED_USERS | rename commandline as command

2.188 LP_Discovery via Discovery via PowerSploit Recon Module Detected

• Trigger Condition: Adversaries abuse Command and Scripting Interpreters to
execute scripts via the PowerSploit Reconnaissance module. For this alert to work,
you must update the list POWERSPLOIT_RECON_MODULES.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4104 (scriptblocktext in POWERSPLOIT_RECON_MODULES OR script_block in POWERSPLOIT_RECON_MODULES) -user IN EXCLUDED_USERS | rename scriptblocktext as script_block

2.189 LP_DLL Load via LSASS Detected


• Trigger Condition: A method to load DLL via the LSASS process using an
undocumented registry key is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Boot or Logon Autostart Execution, LSASS Driver

• ATT&CK ID: T1547, T1547.008

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id IN ["12", "13"] target_object IN ["*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*", "*\CurrentControlSet\Services\NTDS\LsaDbExtPt*"]


2.190 LP_DNS Exfiltration Tools Execution Detected


• Trigger Condition: Execution of tools for Application Layer Protocol and DNS
Exfiltration.

• ATT&CK Category: Exfiltration

• ATT&CK Tag: Exfiltration Over Alternative Protocol

• ATT&CK ID: T1048

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*\iodine.exe" OR image="*\dnscat2*") -user IN EXCLUDED_USERS

2.191 LP_DNS Server Error Failed Loading the ServerLevelPluginDLL

• Trigger Condition: Application Layer Protocol and DNS server error where a
specified plugin DLL in the registry cannot be loaded.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

• ATT&CK ID: T1574, T1574.002

• Minimum Log Source Requirement: DNS Server

• Query:

event_source="DNS Server" event_id IN ["150", "770"]

2.192 LP_DNS ServerLevelPluginDll Install


• Trigger Condition: Installation of a plugin DLL via the ServerLevelPluginDll
parameter in the registry used to execute code in Application Layer Protocol and
DNS server.

• ATT&CK Category: Defense Evasion


• ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

• ATT&CK ID: T1574, T1574.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=13 target_object="*\services\DNS\Parameters\ServerLevelPluginDll") OR (event_id=1 command="dnscmd.exe /config /serverlevelplugindll *") -user IN EXCLUDED_USERS

2.193 LP_Domain Trust Discovery Detected


• Trigger Condition: Adversaries attempt to gather information on domain trust
relationships. Domain trust is a relationship between two domains that allows users
in one domain to be authenticated in the other domain. It enables users to access
resources in a trusted domain as if they were local. Adversaries may attempt to
establish domain trusts to gain access to additional resources or to move laterally
within an organization’s network. They may also use domain trusts to hide their
activities or to evade detection.

• ATT&CK Category: Discovery

• ATT&CK Tag: Domain Trust Discovery

• ATT&CK ID: T1482

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((image="*\dsquery.exe" command="*-filter*" command="*trustedDomain*") OR (image="*\nltest.exe" command="*domain_trusts*")) -user IN EXCLUDED_USERS

2.194 LP_DoppelPaymer Ransomware Connection to Malicious Domains

• Trigger Condition: Any connection to DoppelPaymer Double Extortion
ransomware related domains is detected.

• ATT&CK Category: Command and Control


• ATT&CK Tag: Proxy

• ATT&CK ID: T1090

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

norm_id=* (url IN DOPPELPAYMENR_RANSOMWARE_DOMAINS OR domain IN DOPPELPAYMENR_RANSOMWARE_DOMAINS)

2.195 LP_DoppelPaymer Ransomware Exploitable Vulnerabilities Detected

• Trigger Condition: Vulnerability management detects the presence of a vulnerability
linked to DoppelPaymer ransomware.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

• ATT&CK ID: T1046, T1518, T1518.001

• Minimum Log Source Requirement: Vulnerability Management

• Query:

norm_id=VulnerabilityManagement cve_id="*CVE-2019-19781*"

2.196 LP_DoppelPaymer Ransomware Infected Host Detected

• Trigger Condition: DoppelPaymer Double Extortion ransomware-infected host is
detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Data Encrypted for Impact

• ATT&CK ID: T1486

• Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

• Query:


host=* hash=* hash IN DOPPELPAYMER_RANSOMWARE_HASHES

2.197 LP_dotNET DLL Loaded Via Office Applications


• Trigger Condition: An assembly DLL loaded by an Office product is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Phishing, Spearphishing Attachment

• ATT&CK ID: T1566, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe*", "*\powerpnt.exe*", "*\excel.exe*", "*\outlook.exe*"] image="*C:\Windows\assembly\\*" -user IN EXCLUDED_USERS

2.198 LP_DPAPI Domain Backup Key Extraction Detected


• Trigger Condition: Tools extracting the LSA secret DPAPI domain backup key from
Domain Controllers are detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows

• Query:

(norm_id=WinServer event_id=4662 object_type="SecretObject" access_mask="0x2" object_name="*BCKUPKEY") -user IN EXCLUDED_USERS


2.199 LP_DPAPI Domain Master Key Backup Attempt


• Trigger Condition: An attempt to backup DPAPI master key is detected. The event
is generated on the source and not on the Domain Controller.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4692 -user IN EXCLUDED_USERS

2.200 LP_DragonFly - File Upload with Trojan Karagany


• Trigger Condition: Upload of a file using the Trojan Karagany is detected.

• ATT&CK Category: Defense Evasion, Credential Access, Privilege Escalation

• ATT&CK Tag: Exploitation for Defense Evasion, Exploitation for Credential Access,
Exploitation for Privilege Escalation, Exploitation for Defense Evasion

• ATT&CK ID: T1211, T1212, T1068, T1211

• Minimum Log Source Requirement: -

• Query:

filename "identifiant"| norm on filename=<file:all>&identifiant | search file=*

2.201 LP_DragonFly - Malicious File Creation


• Trigger Condition: Creation of a malicious file.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter

• ATT&CK ID: T1059

• Minimum Log Source Requirement: Integrity Scanner


• Query:

("*TMPprovider*" OR "*sysmain*" OR "*sydmain*") OR (norm_id=IntegrityScanner file_path IN DRAGONFLY_MALICIOUS_FILES OR file_path IN DRAGONFLY_MALICIOUS_FOLDER OR registry IN DRAGONFLY_MALICIOUS_FILES) | rename registry as file_path | norm on file_path <path:.*>\<file:string> | process regex("(?P<file>(TMPprovider[0-9]{3}\.dll|sy[ds]main\.dll))", msg) | search file=*

2.202 LP_DragonFly - Watering Hole Sources


• Trigger Condition: Dragonfly watering hole sources are detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Drive by Compromise

• ATT&CK ID: T1189

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

norm_id=* url IN ["*script*iframe*", "*dwd", "*dwe", "*fnd", "*fne"] source_address=*

2.203 LP_Dridex Process Pattern Detected


• Trigger Condition: Typical Dridex process patterns are detected.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (command="*\svchost.exe C:\Users\*\Desktop\*" OR (parent_image="*\svchost.exe*" command IN ["*whoami.exe /all", "*net.exe view"])) -user IN EXCLUDED_USERS


2.204 LP_Droppers Exploiting CVE-2017-11882 Detected


• Trigger Condition: Exploitation of CVE-2017-11882 that starts EQNEDT32.EXE and
child processes such as mshta.exe is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Exploitation for Defense Evasion

• ATT&CK ID: T1211

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\EQNEDT32.EXE" -user IN EXCLUDED_USERS

2.205 LP_Drupal Arbitrary Code Execution Detected


• Trigger Condition: The exploitation of the arbitrary code execution vulnerability
(CVE-2018-7600) in Drupal is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

norm_id=* label=Access request_method=POST resource='*ajax_form*drupal*ajax*'

2.206 LP_DTRACK Process Creation Detected


• Trigger Condition: Specific process parameters, as seen in DTRACK infections, are
detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055


• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=1 command="* echo EEEE > *" -user IN EXCLUDED_USERS

2.207 LP_Elevated Command Prompt Activity by Non-Admin User Detected

• Trigger Condition: The execution of an elevated command prompt by a non-admin
user.
• ATT&CK Category: Execution
• ATT&CK Tag: Command-Line Interface
• ATT&CK ID: T1059
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer event_id=4688 -user IN ADMINS "process"="*cmd.exe" token_elevation_type="*(2)*" -user IN EXCLUDED_USERS

2.208 LP_Elise Backdoor Detected


• Trigger Condition: Elise backdoor activity used by APT32 is detected.
• ATT&CK Category: Execution, Privilege Escalation, Defense Evasion
• ATT&CK Tag: Windows Command Shell, Abuse Elevation Control Mechanism
• ATT&CK ID: T1059.003, T1548
• Minimum Log Source Requirement: Windows Sysmon, Windows
• Query:

label="Process" label="Create" (("process"="*\Microsoft\Network\svchost.exe") OR (command = "*\Windows\Caches\NavShExt.dll*" command = "*/c del*" )) OR (command in ["*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll", "*\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll"] command="*,Setting*")


2.209 LP_EMC Possible Ransomware Detection


• Trigger Condition: Suspicious data activity affecting more than 200 files, or
exceeding the in-house baseline, is detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Data Encrypted for Impact, Data Destruction, Proxy

• ATT&CK ID: T1486, T1485, T1090

• Minimum Log Source Requirement: EMC

• Query:

label=EMC -"bytesWritten"="0" -"bytesWritten"="0x0" event="0x80" flag=0x2 userSid=*| chart count() as handle by userSid, clientIP | search handle>200

2.210 LP_Emissary Panda Malware SLLauncher Detected


• Trigger Condition: The execution of DLL side-loading malware used by the threat
group Emissary Panda, also known as APT27, is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Exploitation for Defense Evasion

• ATT&CK ID: T1211

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\sllauncher.exe" image="*\svchost.exe" -user IN EXCLUDED_USERS

2.211 LP_Emotet Process Creation Detected


• Trigger Condition: Emotet-like process executions that are not covered by the
more generic rules are detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Process Injection


• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["* -e* PAA*", "*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*", "*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*", "*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*", "*IgAoACcAKgAnACkAOwAkA*", "*IAKAAnACoAJwApADsAJA*", "*iACgAJwAqACcAKQA7ACQA*", "*JABGAGwAeAByAGgAYwBmAGQ*"] -user IN EXCLUDED_USERS

2.212 LP_Empire PowerShell Launch Parameters


• Trigger Condition: Suspicious PowerShell command line parameters used in
Empire are detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["* -NoP -sta -NonI -W Hidden -Enc *", "* -noP -sta -w 1 -enc *", "* -NoP -NonI -W Hidden -enc *"] -user IN EXCLUDED_USERS

2.213 LP_Empire PowerShell UAC Bypass Detected


• Trigger Condition: Empire Command and Scripting Interpreter and PowerShell
UAC bypass methods are detected.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control

• ATT&CK ID: T1548

• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=1 command IN ["* -NoP -NonI -w Hidden -c x =((gp HKCU:Software\Microsoft\Windows Update).Update)*", "* -NoP -NonI -c x =((gp HKCU:Software\Microsoft\Windows Update).Update)*"] -user IN EXCLUDED_USERS

2.214 LP_Enabled User Right in AD to Control User Objects

• Trigger Condition: LogPoint detects a scenario where a user is assigned the
SeEnableDelegationPrivilege right in Active Directory, which allows them to
control other Active Directory users' objects.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Valid Accounts

• ATT&CK ID: T1078

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4704 message="*SeEnableDelegationPrivilege*" -user IN EXCLUDED_USERS

2.215 LP_Encoded FromBase64String Detected


• Trigger Condition: The .NET method “FromBase64String” decodes a
Base64-encoded string. Base64 is a widely used encoding scheme representing
binary data in an ASCII string format. It is often used to encode data for transfer
over networks or store data in databases or files. Adversaries may use Base64
encoding to conceal the contents of their payloads or communications, making it
more difficult for defenders to detect and analyze their activities. They may also
use the “FromBase64String” method to decode Base64-encoded data as part
of their attack. False Positive: Some legitimate processes might use encoded
commands.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Deobfuscate/Decode Files or Information

• ATT&CK ID: T1059, T1059.001, T1140


• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*OjpGcm9tQmFzZTY0U3RyaW5n*", "*o6RnJvbUJhc2U2NFN0cmluZ*", "*6OkZyb21CYXNlNjRTdHJpbm*"] -user IN EXCLUDED_USERS

2.216 LP_Encoded IEX Detected


• Trigger Condition: When the use of the “IEX” (Invoke-Expression) cmdlet is
detected to execute encoded PowerShell commands. “IEX” is a built-in cmdlet
in PowerShell that allows users to run scripts or commands that are stored in a
string. Adversaries may use encoding to conceal the contents of their scripts
or commands, making it more difficult for defenders to detect and analyze their
activities. Adversaries may use the “IEX” cmdlet to execute encoded PowerShell
commands as part of their attack. They may also use encoding to hide their
activities’ true nature or evade detection. False Positive: Some legitimate
processes might use encoded commands.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Deobfuscate/Decode Files or Information

• ATT&CK ID: T1059, T1059.001, T1140

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*SUVYIChb*", "*lFWCAoW*", "*JRVggKF*", "*aWV4IChb*", "*lleCAoW*", "*pZXggKF*", "*aWV4IChOZX*", "*lleCAoTmV3*", "*pZXggKE5ld*", "*SUVYIChOZX*", "*lFWCAoTmV3*", "*JRVggKE5ld*"] -user IN EXCLUDED_USERS
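The fragments quoted in rules 2.211, 2.215 and 2.216 come in groups of three because Base64 maps every 3 bytes to 4 characters, so one plaintext has exactly three encoded forms depending on its byte offset modulo 3. The following Python example is added here and is not part of the LogPoint documentation: it regenerates those fragments for ASCII script text (2.215, 2.216) and for the UTF-16LE form PowerShell uses with -EncodedCommand (2.211), then runs the resulting matcher over constructed command lines; the needle strings, helper names and sample commands are assumptions made for illustration.

```python
import base64


def base64_offsets(plaintext: str, encoding: str = "ascii") -> list[str]:
    """Return the three Base64 fragments under which `plaintext` (in `encoding`)
    shows up when embedded in a Base64 string at byte offset 0, 1 or 2 mod 3.

    Characters whose 6 bits straddle a neighbouring, unknown byte are dropped;
    that is why the rules' fragments for offsets 1 and 2 are shorter and start
    mid-group (e.g. "o6RnJv..." instead of "OjpGcm9t...").
    """
    raw = plaintext.encode(encoding)
    fragments = []
    for k in range(3):
        # k placeholder bytes move the plaintext to byte offset k (mod 3).
        encoded = base64.b64encode(b"\x00" * k + raw).decode("ascii").rstrip("=")
        lead = -(-8 * k // 6)                # ceil(8k/6): chars tainted by the prefix
        stable = (8 * (k + len(raw))) // 6   # chars determined only by known bytes
        fragments.append(encoded[lead:stable])
    return fragments


# Plaintexts behind the rules' fragments and the encoding each rule targets
# (assumption for illustration, recovered by regenerating the quoted fragments):
# "ascii" for Base64 embedded in script text (2.215, 2.216), "utf-16-le" for
# the -EncodedCommand payload format PowerShell uses (2.211).
NEEDLES = {
    "::FromBase64String": "ascii",    # rule 2.215
    "IEX ([": "ascii",                # rule 2.216
    "iex (New": "ascii",              # rule 2.216
    "$env:userprofile": "utf-16-le",  # rule 2.211
}


def matching_needles(command: str, needles: dict[str, str] = NEEDLES) -> list[str]:
    """Return the plaintext needles whose Base64 form occurs in a command line."""
    return [
        needle
        for needle, encoding in needles.items()
        if any(frag in command for frag in base64_offsets(needle, encoding))
    ]


def check_constructed_samples() -> dict[str, list[str]]:
    """Run the matcher over constructed (not captured) command lines."""
    # Inner script carried as ASCII Base64; the leading "x" shifts the needles
    # off offset 0 to show that all three alignments are covered.
    inner = b"xIEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('QQ==')))"
    ascii_cmd = "powershell.exe -c " + base64.b64encode(inner).decode()
    # -EncodedCommand payloads are UTF-16LE, so the ASCII needles stay silent
    # and only the UTF-16LE needle from rule 2.211 fires.
    payload = "Write-Output $env:userprofile".encode("utf-16-le")
    enc_cmd = "powershell.exe -enc " + base64.b64encode(payload).decode()
    return {
        "ascii_script": matching_needles(ascii_cmd),
        "encoded_command": matching_needles(enc_cmd),
        "benign": matching_needles("powershell.exe Get-Date"),
    }
```

Because -EncodedCommand payloads are UTF-16LE, the ASCII fragments of rules 2.215 and 2.216 do not fire on them; a rule aimed at that format needs UTF-16LE fragments, as rule 2.211 uses.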

2.217 LP_Encoded PowerShell Command Detected


• Trigger Condition: Execution of encoded Command and Scripting Interpreter and
PowerShell commands is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell


• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*powershell.exe" command IN ["*-enc*", "*-ec*"] -user IN EXCLUDED_USERS

2.218 LP_Endpoint Protect Multiple Failed Login Attempt


• Trigger Condition: A user fails to log in even after multiple attempts.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Exploitation for Credential Access, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Brute Force

• ATT&CK ID: T1212, T1068, T1211, T1110

• Minimum Log Source Requirement: EndPoint Protector

• Query:

norm_id=EndPointProtector label=User (label=Login OR label=Authentication) label=Fail user=* caller_user=* | chart count() as CNT by user, caller_user order by CNT desc | search "CNT">5

2.219 LP_Equation Group DLL_U Load Detected


• Trigger Condition: A specific tool and export used by the EquationGroup is
detected.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Command-Line Interface, Signed Binary Proxy Execution, Rundll32

• ATT&CK ID: T1059, T1218, T1218.011

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 ((image="*\rundll32.exe" command="*, dll_u") OR command="* -export dll_u *") -user IN EXCLUDED_USERS

2.220 LP_Eventlog Cleared Detected


• Trigger Condition: One of the Windows Event logs has been cleared.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Indicator Removal on Host

• ATT&CK ID: T1070

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=104 event_source="Microsoft-Windows-Eventlog" -user IN EXCLUDED_USERS

2.221 LP_ExchangeMT Possible Data Theft - Email with Attachment Outside Organization

• Trigger Condition: An email with an attachment is sent to a receiver outside the
organization domain.

• ATT&CK Category: Exfiltration, Collection

• ATT&CK Tag: Exfiltration Over C2 Channel, Email Collection

• ATT&CK ID: T1041, T1114

• Minimum Log Source Requirement: ExchangeMT

• Query:

norm_id=ExchangeMT -receiver IN HOME_DOMAIN datasize=* |chart sum(datasize/1000000) as "Emailsize(MB)" by sender |search "Emailsize(MB)">50


2.222 LP_ExchangeMT Unusual Outbound Email


• Trigger Condition: 60 or more emails are sent from the same sender within an
hour.

• ATT&CK Category: Command and Control, Exfiltration, Collection

• ATT&CK Tag: Proxy, Exfiltration Over C2 Channel, Automated Exfiltration, Email Collection

• ATT&CK ID: T1090, T1041, T1020, T1114

• Minimum Log Source Requirement: ExchangeMT

• Query:

norm_id=ExchangeMT sender=* receiver=* -receiver in HOME_DOMAIN| chart count(receiver=*) as MailSent by sender | search MailSent>60

2.223 LP_Executables Stored in OneDrive


• Trigger Condition: A user stores files that are executable in OneDrive.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Office365

• Query:

event_source=OneDrive source_file_extension IN EXECUTABLES | chart count() by user_id, source_address, source_file, source_file_extension, source_relative_url

2.224 LP_Execution in Non-Executable Folder Detected


• Trigger Condition: Execution of a suspicious program from a different folder is
detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading


• ATT&CK ID: T1036

• Minimum Log Source Requirement: Office365

• Query:

norm_id=WindowsSysmon event_id=1 image IN ["*\$Recycle.bin", "*\Users\All Users\*", "*\Users\Default\*", "*\Users\Public\*", "C:\Perflogs\*", "*\config\systemprofile\*", "*\Windows\Fonts\*", "*\Windows\IME\*", "*\Windows\addins\*"] -user IN EXCLUDED_USERS

2.225 LP_Execution in Outlook Temp Folder Detected


• Trigger Condition: Execution of a suspicious program in Outlook's temp folder is
detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Phishing, Spearphishing Attachment

• ATT&CK ID: T1566, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\Temporary Internet Files\Content.Outlook\*" -user IN EXCLUDED_USERS

2.226 LP_Execution in Webserver Root Folder Detected


• Trigger Condition: Execution of a suspicious program in Outlook's temp folder is
detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Phishing, Spearphishing Attachment

• ATT&CK ID: T1566, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 image="*\Temporary Internet Files\Content.Outlook\*" -user IN EXCLUDED_USERS

2.227 LP_Execution of Renamed PaExec Detected


• Trigger Condition: Execution of a renamed PAExec, identified via its imphash and
the executable's product string, is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 product IN ["*PAExec*"] hash_imphash IN ["11D40A7B7876288F919AB819CC2D9802", "6444f8a34e99b8f7d9647de66aabe516", "dfd6aa3f7b2b1035b76b718f1ddc689f", "1a6cca4d5460b1710a12dea39e4a592c"] -image="*paexec*" -user IN EXCLUDED_USERS

2.228 LP_Execution via Control Panel Items


• Trigger Condition: Execution of a binary via Signed Binary Proxy Execution
through Control Panel items is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Control Panel Items

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*control.exe" command="*control*cpl*" -user IN EXCLUDED_USERS


2.229 LP_Execution via HTA using IE JavaScript Engine Detected

• Trigger Condition: The execution of an HTA (HTML Application) file using the
Internet Explorer JavaScript engine. HTAs are standalone applications written
in HTML and can execute scripts, such as JavaScript or VBScript, on a system.
Adversaries may use HTAs as a delivery mechanism for their payloads or execute
arbitrary code on a system. Adversaries may use HTAs as a way to bypass security
controls or to evade detection. They may also use them to execute arbitrary
code on a system, potentially allowing them to access sensitive information or
compromise the system.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Mshta

• ATT&CK ID: T1218, T1218.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 source_image="*mshta.exe" image="*jscript9.dll" -user IN EXCLUDED_USERS

2.230 LP_Execution via Squiblydoo Technique Detected


• Trigger Condition: Execution of the Squiblydoo technique is detected. Squiblydoo
runs payloads or scripts by leveraging the Windows Script Host (WSH) and its
default file associations. Adversaries may use Squiblydoo to bypass security
controls or evade detection, to execute arbitrary code on a system, potentially
allowing them to access sensitive information or compromise the system, and to
hide the true nature of their activities.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Regsvr32

• ATT&CK ID: T1218, T1218.010

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=7 image="*scrobj.dll" -user IN EXCLUDED_USERS

2.231 LP_Execution via Windows Scripting Host Component Detected


• Trigger Condition: The execution of a script using the Windows Scripting Host
(WSH) component on a system is detected. WSH is a Microsoft technology that
allows users to run scripts and automate tasks on Windows systems. Adversaries
may use WSH to execute their payloads, automate their activities, or execute
arbitrary code on a system, potentially allowing them to access sensitive
information or compromise the system, and to hide the true nature of their
activities or evade detection.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter

• ATT&CK ID: T1059

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 image in ["*wshom.ocx", "*scrrun.dll", "*vbscript.dll"] -user IN EXCLUDED_USERS

2.232 LP_Exfiltration and Tunneling Tools Execution


• Trigger Condition: Execution of tools for data exfiltration and tunneling is
detected.

• ATT&CK Category: Exfiltration

• ATT&CK Tag: Automated Exfiltration

• ATT&CK ID: T1020

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 new_process IN ["*\plink.exe", "*\socat.exe", "*\stunnel.exe", "*\httptunnel.exe"] -user IN EXCLUDED_USERS


2.233 LP_Exim MTA Remote Code Execution Vulnerability Detected


• Trigger Condition: A remote code execution vulnerability in Exim MTA is detected.
The U.S. National Security Agency (NSA) reported that Russian military cyber
actors, also known as Sandworm Team, have been actively exploiting a critical
vulnerability in Exim MTA since August 2019.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software
Discovery

• ATT&CK ID: T1046, T1518, T1518.001

• Minimum Log Source Requirement: Vulnerability Management

• Query:

norm_id=VulnerabilityManagement cve_id="*CVE-2019-10149*"

2.234 LP_Exim Remote Command Execution Detected


• Trigger Condition: Remote command execution in Exim (CVE-2019-10149) is
detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Exploitation for Client Execution

• ATT&CK ID: T1203

• Minimum Log Source Requirement: Mail Server

• Query:

norm_id=* receiver="*${run*"

2.235 LP_Existing Service Modification Detected


• Trigger Condition: A modification of an existing service via the sc.exe system utility
is detected. Adversaries abuse the Windows Service Control Manager to execute
malicious commands or payloads without creating new services.


• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Create or Modify System Process, Windows Service

• ATT&CK ID: T1543, T1543.003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Create" label="Process" "process" IN ["*sc.exe", "*powershell.exe", "*cmd.exe"] command="*sc*" command="*config*" command="*binpath*" -user IN EXCLUDED_USERS

2.236 LP_Exploit for CVE-2017-0261 Detected


• Trigger Condition: WINWORD.EXE starting the uncommon child process FLTLDR.exe,
used in exploits for CVE-2017-0261 and CVE-2017-0262, is detected.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\WINWORD.EXE" image="*\FLTLDR.exe*" -user IN EXCLUDED_USERS

2.237 LP_Exploit for CVE-2017-8759 Detected


• Trigger Condition: WINWORD.EXE starting the unusual child process csc.exe, used
in exploits for CVE-2017-8759, is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Exploitation for Client Execution

• ATT&CK ID: T1203

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 parent_image="*\WINWORD.EXE" image="*\csc.exe" -user IN EXCLUDED_USERS

2.238 LP_Exploiting SetupComplete CVE-2019-1378 Detected


• Trigger Condition: An exploitation attempt of the privilege escalation
vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in
CVE-2019-1378 is detected.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_command IN ["*\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd", "*\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd"] -image IN ["C:\Windows\System32\*", "C:\Windows\SysWOW64\*", "C:\Windows\WinSxS\*", "C:\Windows\Setup\*"] -user IN EXCLUDED_USERS

2.239 LP_External Disk Drive or USB Storage Device Detected


• Trigger Condition: External disk drives or plugged-in USB storage devices are
detected.

• ATT&CK Category: Lateral Movement, Initial Access

• ATT&CK Tag: Replication Through Removable Media, Hardware Additions

• ATT&CK ID: T1091, T1200

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer ((event_id IN ["6416"] class="DiskDrive") OR message="USB Mass Storage Device") -user IN EXCLUDED_USERS


2.240 LP_Fail2ban IP Banned


• Trigger Condition: A client’s IP address is banned after exceeding the limit for
failed authentications.

• ATT&CK Category: Credential Access, Persistence

• ATT&CK Tag: Brute Force, Valid Accounts, Account Manipulation

• ATT&CK ID: T1110, T1078, T1098

• Minimum Log Source Requirement: Fail2ban

• Query:

norm_id=Fail2ban label=IP label=Block | process geoip(source_address) as country

2.241 LP_File and Directory Discovery Using PowerShell Detected


• Trigger Condition: Enumeration of files and directories via Command and Scripting
Interpreter and PowerShell is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: File and Directory Discovery

• ATT&CK ID: T1083

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4103 (command_name="get-childitem*" OR command="get-childitem*") -user IN EXCLUDED_USERS | rename command_name as command

2.242 LP_File Creation by PowerShell Detected


• Trigger Condition: The creation of a new file using PowerShell on a system is
detected. PowerShell is a powerful scripting language that is built into Windows
and can be used to automate a wide variety of tasks. Adversaries may use
PowerShell to create new files, potentially to drop and execute malicious payloads
or to store data for later retrieval. False Positive Notice: Administrative tasks and
genuine processes might cause the alert to trigger as well. Proper analysis and
whitelisting are recommended.


• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 file=* source_image="*powershell.exe" -file IN ["__PSScriptPolicyTest_*", "PowerShell_transcript.*", "powershell.exe.log", "StartupProfileData*", "ModuleAnalysisCache"] -user IN EXCLUDED_USERS -file IN ["*.mui"]

2.243 LP_File Deletion Detected


• Trigger Condition: File deletion, which adversaries use to erase the traces of an
intrusion, is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Indicator Removal on Host, File Deletion

• ATT&CK ID: T1070, T1070.004

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (command="*remove-item*" or command="*vssadmin*Delete Shadows /All /Q*" or command="*wmic*shadowcopy delete*" or command="*wbadmin* delete catalog -q*" or command="*bcdedit*bootstatuspolicy ignoreallfailures*" or command="*bcdedit*recoveryenabled no*") -user IN EXCLUDED_USERS

2.244 LP_File or Folder Permissions Modifications


• Trigger Condition: Modifications to the permissions of files or folders on a system
are detected. File and folder permissions control access to files and directories
and determine which users and processes are allowed to read, write, or execute
them. Adversaries may attempt to modify these permissions to gain unauthorized
access to sensitive files or to execute arbitrary code on a system. They may also
use these modifications to escalate their privileges on the system or move laterally
within an organization’s network.


• ATT&CK Category: Defense Evasion

• ATT&CK Tag: File and Directory Permissions Modification

• ATT&CK ID: T1222

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((image IN ["*\takeown.exe", "*\cacls.exe", "*\icacls.exe"] command="*/grant*") OR (image="*\attrib.exe" command="*-r*")) -user IN EXCLUDED_USERS

2.245 LP_File System Permissions Weakness


• Trigger Condition: A weakness in the file system permissions on a system is
detected. File system permissions control access to files and directories and
determine which users and processes can read, write, or execute them. Adversaries
may exploit weaknesses in file system permissions to gain unauthorized access to
sensitive files or execute arbitrary code on a system.

• ATT&CK Category: Persistence, Privilege Escalation, Defense Evasion

• ATT&CK Tag: Hijack Execution Flow, Services File Permissions Weakness

• ATT&CK ID: T1574, T1574.010

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 (image="*\Temp\*" or image="*C:\Users\*" or status!="*Valid*") -user IN EXCLUDED_USERS

2.246 LP_Fireball Archer Installation Detected


• Trigger Condition: Invocation of the Archer malware via rundll32 is detected.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Command-Line Interface, Signed Binary Proxy Execution, Rundll32

• ATT&CK ID: T1059, T1218, T1218.011

• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=1 command="*\rundll32.exe *, InstallArcherSvc" -user IN EXCLUDED_USERS

2.247 LP_Firewall Configuration Modification Detected


• Trigger Condition: A change or modification to the Windows firewall configuration
on a system is detected. This could indicate malicious activity, as an adversary
may be attempting to disable or bypass the firewall to gain unauthorized access to
the system or network. False Positive Notice: Legitimate system maintenance or
system administration tasks may involve the modification of firewall configurations,
and these could potentially trigger the alert. It is essential to carefully review and
investigate any instances of this alert before taking action to ensure that the activity
detected is genuinely malicious.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Non-Standard Port

• ATT&CK ID: T1571

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4946 rule=* -user IN EXCLUDED_USERS

2.248 LP_Firewall Disabled via Netsh Detected


• Trigger Condition: A netsh command that turns off the Windows firewall is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["netsh firewall set opmode mode=disable", "netsh advfirewall set * state off"] -user IN EXCLUDED_USERS


2.249 LP_First Time Seen Remote Named Pipe


• Trigger Condition: The alert rule excludes the named pipes that are commonly
accessed remotely and notifies on new ones, which helps to detect lateral movement
and remote execution over named pipes.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Services

• ATT&CK ID: T1021

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=5145 share_name="IPC$" -relative_target IN ["atsvc", "samr", "lsarpc", "winreg", "netlogon", "srvsvc", "protected_storage", "wkssvc", "browser", "netdfs", "svcctl", "spoolss", "ntsvcs", "LSM_API_service", "HydraLsPipe", "TermSrv_API_service", "MsFteWds"] -user IN EXCLUDED_USERS

2.250 LP_FirstClass Failed Login Attempt


• Trigger Condition: A user or a gateway attempts to log in with an incorrect
password.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial
Access

• ATT&CK Tag: Exploitation for Credential Access, Exploitation for Privilege
Escalation, Brute Force

• ATT&CK ID: T1212, T1068, T1110

• Minimum Log Source Requirement: Firstclass

• Query:

norm_id=FirstClass label=Login label=Fail


2.251 LP_FirstClass Failed Password Change Attempt


• Trigger Condition: A user fails to change their password.

• ATT&CK Category: Credential Access, Persistence

• ATT&CK Tag: Account Manipulation, Exploitation for Credential Access,
Exploitation for Privilege Escalation

• ATT&CK ID: T1098, T1212, T1068

• Minimum Log Source Requirement: Firstclass

• Query:

norm_id=FirstClass label=Password label=Change label=Fail

2.252 LP_Formbook Process Creation Detected


• Trigger Condition: Formbook-like process execution is detected: code is injected
into a set of executables in the System32 folder, which then run a distinctive
command line to delete the dropper from the AppData Temp folder.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_command IN ["C:\Windows\System32\*.exe", "C:\Windows\SysWOW64\*.exe"] command IN ["* /c del *C:\Users\*\AppData\Local\Temp\*.exe", "* /c del *C:\Users\*\Desktop\*.exe", "* /C type nul > *C:\Users\*\Desktop\*.exe"] -user IN EXCLUDED_USERS

2.253 LP_FortiGate Admin Login Disable


• Trigger Condition: The administrator login is disabled in the system.

• ATT&CK Category: Impact, Credential Access, Persistence

• ATT&CK Tag: Account Access Removal, Account Manipulation


• ATT&CK ID: T1531, T1098

• Minimum Log Source Requirement: Fortigate

• Query:

norm_id=Forti* event_category=event sub_category=system message_id=32021 user=*

2.254 LP_FortiGate Anomaly


• Trigger Condition: An anomaly in the system is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning

• ATT&CK ID: T1046

• Minimum Log Source Requirement: Fortigate

• Query:

norm_id=Forti* event_category=anomaly sub_category=anomaly log_level=alert attack=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country

2.255 LP_FortiGate Antivirus Botnet Warning


• Trigger Condition: A botnet warning from antivirus is detected.

• ATT&CK Category: Command and Control, Impact

• ATT&CK Tag: Proxy, Network Denial of Service

• ATT&CK ID: T1090, T1498

• Minimum Log Source Requirement: Fortigate

• Query:

norm_id=Forti* (event_category=av OR event_category=antivirus) sub_category=botnet message_id=9248 | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country


2.256 LP_FortiGate Antivirus Scan Engine Load Failed


• Trigger Condition: Antivirus Scan Engine Load Failure is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Disable or Modify Tools

• ATT&CK ID: T1562, T1562.001

• Minimum Log Source Requirement: Fortigate

• Query:

norm_id=Forti* event_category=av sub_category=scanerror message_id=8974 | process geoip(source_address) as source_location | process geoip(destination_address) as destination_location

2.257 LP_FortiGate Attack


• Trigger Condition: An attack in the system is detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Network Denial of Service

• ATT&CK ID: T1498

• Minimum Log Source Requirement: Fortigate

• Query:

norm_id=Forti* attack=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country

2.258 LP_FortiGate Critical Events


• Trigger Condition: Critical events in the system are detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning

• ATT&CK ID: T1046


• Minimum Log Source Requirement: Fortigate

• Query:

norm_id=Forti* event_category=event sub_category=system log_level=critical

2.259 LP_FortiGate Data Leak Protection


• Trigger Condition: A data leak attempt is detected.

• ATT&CK Category: Exfiltration

• ATT&CK Tag: Automated Exfiltration

• ATT&CK ID: T1020

• Minimum Log Source Requirement: Fortigate

• Query:

norm_id=Forti* event_category=utm sub_category=dlp file=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country

2.260 LP_FortiGate IPS Events


• Trigger Condition: An intrusion attempt is detected in the system.

• ATT&CK Category: Discovery, Defense Evasion

• ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion

• ATT&CK ID: T1046, T1211

• Minimum Log Source Requirement: Fortigate

• Query:

norm_id=Forti* event_category=utm sub_category=ips user=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country


2.261 LP_FortiGate Malicious URL Attack


• Trigger Condition: A malicious URL attack in the system is detected. This alert
rule is valid only for FortiOS V6.0.4.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Phishing, Spearphishing Link

• ATT&CK ID: T1566, T1566.002

• Minimum Log Source Requirement: Fortigate

• Query:

norm_id=Forti* event_category=ips sub_category="malicious-url" message_id=16399 | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country

2.262 LP_FortiGate Virus


• Trigger Condition: A virus attack is detected.

• ATT&CK Category: Discovery, Defense Evasion

• ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion

• ATT&CK ID: T1046, T1211

• Minimum Log Source Requirement: Fortigate

• Query:

norm_id=Forti* event_category=utm sub_category=virus | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country

2.263 LP_FortiGate VPN SSL User Login Failed


• Trigger Condition: A VPN SSL login failure is detected.

• ATT&CK Category: Initial Access, Credential Access

• ATT&CK Tag: Valid Accounts, Brute Force

• ATT&CK ID: T1078, T1110


• Minimum Log Source Requirement: Fortigate

• Query:

norm_id=Forti* event_category=event sub_category=vpn message_id=39426 user=*

2.264 LP_FromBase64String Command Line Detected


• Trigger Condition: Use of the “FromBase64String” command in a command line
interface on a system is detected. This command decodes a string that has been
encoded using base64 encoding. The FromBase64String command is not necessarily
malicious, as it can be used for legitimate purposes such as decoding
base64-encoded data. However, an adversary may use this command as part of a
malicious attack, for example to decode a base64-encoded payload injected into the
system in order to execute arbitrary code. False Positive Notice: Legitimate system
maintenance or system administration tasks may involve the use of the
FromBase64String command, and these could potentially trigger the alert. It is
essential to carefully review and investigate any instances of this alert before
taking any action to ensure that the activity being detected is truly malicious.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: T1059.001 - PowerShell, T1059.003 - Windows Command Shell,
T1140 - Deobfuscate/Decode Files or Information

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command="*::FromBase64String(*" -user IN EXCLUDED_USERS
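As an added example that is not part of the LogPoint rule set, the following Python mirrors the query's wildcard test on a Sysmon command line and then decodes the base64 literals it carries so an analyst can triage what the alert fired on. The regex, the UTF-16LE heuristic and the sample command line are assumptions constructed for this example.

```python
import base64
import re

# Finds the literal argument of [Convert]::FromBase64String("...") in a command
# line. The regex is an assumption of this example, not part of the rule; it
# only handles string literals, not variables passed into the call.
_B64_CALL = re.compile(
    r"::FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)


def matches_rule(command: str) -> bool:
    """Mirror the rule's command="*::FromBase64String(*" wildcard test."""
    return "::frombase64string(" in command.lower()


def extract_base64_literals(command: str) -> list[str]:
    """Return every base64 literal passed directly to FromBase64String."""
    return _B64_CALL.findall(command)


def decode_payload(b64: str) -> str:
    """Decode a payload, choosing UTF-16LE when the bytes look like it.

    PowerShell usually pairs FromBase64String with
    [Text.Encoding]::Unicode.GetString, so many payloads are UTF-16LE; plain
    ASCII/UTF-8 is the other common case. The heuristic (most odd-index bytes
    are NUL) is an assumption of this example.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) >= 2 and len(raw) % 2 == 0:
        nul_high_bytes = raw[1::2].count(0)
        if nul_high_bytes > len(raw) // 4:
            return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def triage_command(command: str) -> list[str]:
    """Decoded payloads for every FromBase64String literal in the command line."""
    return [decode_payload(b) for b in extract_base64_literals(command)]


# Constructed sample: a benign UTF-16LE script and a short ASCII string, each
# wrapped the way the rule's trigger condition describes.
_UTF16_PAYLOAD = base64.b64encode("Write-Host 'hello'".encode("utf-16-le")).decode()
_ASCII_PAYLOAD = base64.b64encode(b"whoami").decode()
SAMPLE_COMMAND = (
    "powershell.exe -NoP -Command \"IEX([Text.Encoding]::Unicode.GetString("
    f"[Convert]::FromBase64String('{_UTF16_PAYLOAD}')));"
    f"[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('{_ASCII_PAYLOAD}'))\""
)

if __name__ == "__main__":
    if matches_rule(SAMPLE_COMMAND):
        for payload in triage_command(SAMPLE_COMMAND):
            print(repr(payload))
```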

2.265 LP_FSecure File Infection


• Trigger Condition: An infected file is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning, File and Directory Discovery

• ATT&CK ID: T1046, T1083

• Minimum Log Source Requirement: Fsecure Gatekeeper

• Query:


norm_id=FSecureGatekeeper label=Infection label=File label=Attack

2.266 LP_FSecure Virus Detection


• Trigger Condition: Virus alert is detected while scanning.

• ATT&CK Category: Discovery, Defense Evasion

• ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion

• ATT&CK ID: T1046, T1211

• Minimum Log Source Requirement: Fsecure

• Query:

norm_id=FSecure* label=Detect label=Malware malware=*

2.267 LP_Fsutil Suspicious Invocation Detected


• Trigger Condition: Use of the “fsutil” command in a suspicious or potentially
malicious way on a system is detected. The fsutil command is a utility that allows
users to perform various file system tasks, such as creating hard links, managing
reparse points and dismounting volumes. Its suspicious use might indicate that a
ransomware attack (as seen with NotPetya and others) has occurred.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Indicator Removal on Host

• ATT&CK ID: T1070

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*\fsutil.exe" OR file="fsutil.exe") command IN ["*deletejournal*", "*createjournal*"] -user IN EXCLUDED_USERS


2.268 LP_GAC DLL Loaded Via Office Applications Detected


• Trigger Condition: GAC DLL loaded by an Office Product is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Phishing, Spearphishing Attachment

• ATT&CK ID: T1566, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe*", "*\powerpnt.exe*", "*\excel.exe*", "*\outlook.exe*"] image IN ["*C:\Windows\Microsoft.NET\assembly\GAC_MSIL*"] -user IN EXCLUDED_USERS

2.269 LP_Generic Password Dumper Activity on LSASS Detected


• Trigger Condition: A process handle opened on the LSASS process with one of the
listed access masks is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer (event_id=4656 OR event_id="4663") object_name="*\lsass.exe" access_mask IN ["*0x40*", "*0x1400*", "*0x1000*", "*0x100000*", "*0x1410*", "*0x1010*", "*0x1438*", "*0x143a*", "*0x1418*", "*0x1f0fff*", "*0x1f1fff*", "*0x1f2fff*", "*0x1f3fff*"] -user IN EXCLUDED_USERS
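As an added example (not LogPoint's code), the rule's LSASS handle check re-implemented in Python over constructed 4656/4663-style events: it reproduces the query's event_id, object_name, access-mask list and EXCLUDED_USERS conditions, and adds a bit-level reading of the mask so the analyst can see which process rights were requested and tier hits by whether they grant memory reads. The event field names, the EXCLUDED_USERS stand-in and the high/low tiering are assumptions of this example; the access-right constants are the documented Windows values.

```python
import re
from typing import Optional

# Process access rights as defined in the Windows SDK (winnt.h).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
FULL_ACCESS_BITS = 0x1F0FFF  # low bits shared by every PROCESS_ALL_ACCESS variant

# Exact masks the rule lists (copied from its access_mask IN [...] clause).
RULE_MASKS = {0x40, 0x1400, 0x1000, 0x100000, 0x1410, 0x1010, 0x1438,
              0x143A, 0x1418, 0x1F0FFF, 0x1F1FFF, 0x1F2FFF, 0x1F3FFF}

# Rights that let a caller read credential material out of LSASS memory, or
# duplicate a handle that can. Used for the severity tier (example assumption).
MEMORY_READ_RIGHTS = PROCESS_VM_READ | PROCESS_DUP_HANDLE

# Constructed stand-in for the rule's EXCLUDED_USERS list.
EXCLUDED_USERS = {"NT AUTHORITY\\SYSTEM"}

_RIGHT_NAMES = [
    (PROCESS_VM_OPERATION, "VM_OPERATION"),
    (PROCESS_VM_READ, "VM_READ"),
    (PROCESS_VM_WRITE, "VM_WRITE"),
    (PROCESS_DUP_HANDLE, "DUP_HANDLE"),
    (PROCESS_QUERY_INFORMATION, "QUERY_INFORMATION"),
    (PROCESS_QUERY_LIMITED_INFORMATION, "QUERY_LIMITED_INFORMATION"),
]


def parse_access_mask(text: str) -> int:
    """Accept '0x1410', '0X1410' or '1410', as different log formats write it."""
    match = re.fullmatch(r"\s*(?:0[xX])?([0-9a-fA-F]+)\s*", text)
    if not match:
        raise ValueError(f"unparseable access mask: {text!r}")
    return int(match.group(1), 16)


def describe_mask(mask: int) -> list[str]:
    """Names of the interesting rights set in mask, for the analyst's triage."""
    return [name for bit, name in _RIGHT_NAMES if mask & bit]


def is_lsass_handle_event(event: dict) -> bool:
    """The rule's event_id and object_name conditions."""
    return (str(event.get("event_id")) in {"4656", "4663"}
            and event.get("object_name", "").lower().endswith("\\lsass.exe"))


def classify(event: dict) -> Optional[str]:
    """Return 'high'/'low' for a matching LSASS handle event, else None.

    'high' means the mask grants memory reads or full access (what a credential
    dumper actually needs); 'low' means the mask is on the rule's list but only
    queries process information, which benign tools such as Task Manager also do.
    """
    if not is_lsass_handle_event(event) or event.get("user") in EXCLUDED_USERS:
        return None
    mask = parse_access_mask(event["access_mask"])
    if mask & FULL_ACCESS_BITS == FULL_ACCESS_BITS or mask & MEMORY_READ_RIGHTS:
        return "high"
    if mask in RULE_MASKS:
        return "low"
    return None


def run_detection(events: list) -> list:
    """(process, severity, rights) for every event the logic flags."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            rights = "+".join(describe_mask(parse_access_mask(event["access_mask"])))
            hits.append((event["process_name"], severity, rights))
    return hits


LSASS = "C:\\Windows\\System32\\lsass.exe"
# Constructed 4656/4663-style events; field names follow the rule's query.
SAMPLE_EVENTS = [
    {"event_id": "4656", "object_name": LSASS, "access_mask": "0x1410",
     "process_name": "C:\\Users\\alice\\Downloads\\updater.exe", "user": "CORP\\alice"},
    {"event_id": "4663", "object_name": LSASS, "access_mask": "0x1000",
     "process_name": "C:\\Windows\\System32\\Taskmgr.exe", "user": "CORP\\bob"},
    {"event_id": "4656", "object_name": LSASS, "access_mask": "0x1fffff",
     "process_name": "C:\\Program Files\\AV\\scanner.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"event_id": "4656", "object_name": "C:\\Windows\\System32\\svchost.exe",
     "access_mask": "0x1410", "process_name": "C:\\tools\\other.exe", "user": "CORP\\alice"},
    {"event_id": "4656", "object_name": LSASS, "access_mask": "0x1f0fff",
     "process_name": "C:\\tools\\debugger.exe", "user": "CORP\\carol"},
    {"event_id": "4656", "object_name": LSASS, "access_mask": "0x1fffff",
     "process_name": "C:\\tools\\unknown.exe", "user": "CORP\\dave"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

The last sample event (0x1fffff) is caught by the bit-level check although the rule's substring list would not match it, which is the kind of gap a bitmask reading of the field closes.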


2.270 LP_Grabbing Sensitive Hives via Reg Utility


• Trigger Condition: Grabbing of sensitive registry hives (SAM, SECURITY, SYSTEM)
via the reg utility is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\reg.exe" command IN ["*save*", "*export*"] command IN ["*hklm*", "*hkey_local_machine*"] command IN ["*\system", "*\sam", "*\security"] -user IN EXCLUDED_USERS

2.271 LP_Hacktool Ruler Detected


• Trigger Condition: Use of the Ruler hacktool from SensePost is detected.

• ATT&CK Category: Discovery, Execution

• ATT&CK Tag: Account Discovery, Use Alternate Authentication Material, Pass the
Hash, Email Collection, Command-Line Interface

• ATT&CK ID: T1087, T1550, T1550.002, T1114, T1059

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id IN ["4776", "4624", "4625"] workstation="RULER" -user IN EXCLUDED_USERS

2.272 LP_HH Execution Detected


• Trigger Condition: The “hh.exe” process is detected running on a system. HH.exe
is a legitimate process associated with the Windows HTML Help feature and is used
to display compiled help files (.chm) on a system. While the execution of hh.exe
in itself is not necessarily malicious, an adversary may use this process as part
of a larger attack. For example, they may embed malicious code in a compiled help
file and use hh.exe to execute it on a target system. False Positive Note: Legitimate
applications or system processes may use hh.exe to display help files, which could
potentially trigger the alert. It is essential to carefully review and investigate any
instances of this alert before taking any action to ensure that the activity being
detected is truly malicious.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Compiled HTML File

• ATT&CK ID: T1218, T1218.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\hh.exe" command="*.chm*" -user IN EXCLUDED_USERS

2.273 LP_Hidden Cobra Affected Host


• Trigger Condition: A Windows server affected by Hidden Cobra is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion,
Software Discovery, Security Software Discovery

• ATT&CK ID: T1046, T1211, T1518, T1518.001

• Minimum Log Source Requirement: Windows

• Query:

(object IN HIDDEN_COBRA_FILES OR file in HIDDEN_COBRA_FILES OR hash in HIDDEN_COBRA_FILES) host=* | rename object as file

2.274 LP_Hidden Cobra Emails Sent to Attacker


• Trigger Condition: LogPoint detects an email sent to Hidden Cobra listed emails.

• ATT&CK Category: Exfiltration, Collection

• ATT&CK Tag: Exfiltration Over C2 Channel, Email Collection

• ATT&CK ID: T1041, T1114

• Minimum Log Source Requirement: Mail Server


• Query:

sender=* receiver=* receiver in HIDDEN_COBRA_EMAIL (host=* OR source_host=*) | rename source_host as host

2.275 LP_Hidden Cobra Vulnerable Sources


• Trigger Condition: Vulnerability Scanning Tools detect Hidden Cobra’s vulnerable
hosts.

• ATT&CK Category: Discovery, Defense Evasion

• ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion,
Software Discovery, Security Software Discovery

• ATT&CK ID: T1046, T1211, T1518, T1518.001

• Minimum Log Source Requirement: Vulnerability Management

• Query:

cve_id in HIDDEN_COBRA_CVE source_address=* | rename title as vulnerability, domain as host

2.276 LP_Hidden Files and Directories - VSS Detected


• Trigger Condition: Use of files or directories hidden under Volume Shadow Copy
paths, which adversaries use to evade detection, is detected.

• ATT&CK Category: Defense Evasion, Persistence

• ATT&CK Tag: Hide Artifacts, Hidden Files and Directories

• ATT&CK ID: T1564, T1564.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*\VolumeShadowCopy*\*" or command="*\VolumeShadowCopy*\*") -user IN EXCLUDED_USERS


2.277 LP_Hidden Files and Directories Detected


• Trigger Condition: The presence of hidden files and directories on a system is
detected. Adversaries may use hidden files and directories to conceal malicious
files or activities from the victim. They may also use these files to store command
and control information or to persist on a system after an initial compromise.
By hiding their files and directories, adversaries can make it more difficult for
defenders to detect and respond to their activities.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hide Artifacts, Hidden Files and Directories

• ATT&CK ID: T1564, T1564.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*attrib.exe" (command="*+h*" or command="*+s*") -user IN EXCLUDED_USERS

2.278 LP_Hidden PowerShell Window Detected


• Trigger Condition: A hidden PowerShell window is detected on the system.
Adversaries can use hidden PowerShell windows to conceal their actions and
execute malicious code without the victim’s knowledge. These windows can be
challenging to detect and can be used to persist on a system after an initial
compromise. It is important to identify and address hidden PowerShell windows,
as they may indicate an active adversary on the system. Log source requirement:
This alert requires the log source to be a system event log with Event ID 1074.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hide Artifacts, Hidden Window

• ATT&CK ID: T1564, T1564.003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4688 "process"="*powershell.exe" (commandline="*-w*hid*" OR command="*-w*hid*") -user IN EXCLUDED_USERS


2.279 LP_Hiding Files with Attrib Detected


• Trigger Condition: The use of attrib.exe to hide files from users is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hide Artifacts, Hidden Files and Directories

• ATT&CK ID: T1564, T1564.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Create label="Process" "process"="*\attrib.exe" command = "* +h *" -(command = "*\desktop.ini*" OR (parent_process = "*\cmd.exe" command = "*+R +H +S +A \*.cui*" parent_command = "*C:\WINDOWS\system32\*.bat*"))

2.280 LP_Hurricane Panda Activity Detected


• Trigger Condition: LogPoint detects Hurricane Panda activity.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Exploitation for Privilege Escalation

• ATT&CK ID: T1068

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["* localgroup administrators admin /add", "*\Win64.exe*"] -user IN EXCLUDED_USERS

2.281 LP_IIS Native-Code Module Command Line Installation


• Trigger Condition: LogPoint detects suspicious IIS native-code module
installations via the command line.

• ATT&CK Category: Persistence

• ATT&CK Tag: Server Software Component, Web Shell


• ATT&CK ID: T1505, T1505.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*\APPCMD.EXE install module /name:*"] -user IN EXCLUDED_USERS

2.282 LP_Image File Execution Options Injection


• Trigger Condition: Adversaries establish persistence and/or elevate privileges by
executing malicious content triggered by Image File Execution Options (IFEO)
debuggers.

• ATT&CK Category: Privilege Escalation, Persistence, Defense Evasion

• ATT&CK Tag: Event Triggered Execution, Image File Execution Options Injection

• ATT&CK ID: T1546, T1546.012

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*" or target_object="*\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*") -user IN EXCLUDED_USERS

2.283 LP_Service Stop Detected


• Trigger Condition: Adversaries maliciously modify components of a victim
environment to hinder or disable defensive mechanisms.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Impair Defenses, Disable or Modify Tools

• ATT&CK ID: T1562, T1562.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 (image="*net.exe" or image="*sc.exe") command="*stop*" -user IN EXCLUDED_USERS

2.284 LP_In-memory PowerShell Detected


• Trigger Condition: Loading of an essential DLL used by PowerShell by a process
other than powershell.exe is detected. It also detects Meterpreter's Load PowerShell
extension.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 image IN ["*\System.Management.Automation.Dll", "*\System.Management.Automation.ni.Dll"] -source_image IN ["*\powershell.exe", "*\powershell_ise.exe", "*\WINDOWS\System32\sdiagnhost.exe", "*\mscorsvw.exe", "*\WINDOWS\System32\RemoteFXvGPUDisablement.exe"] -user="NT AUTHORITY\SYSTEM" -user IN EXCLUDED_USERS

2.285 LP_Indicator Blocking - Driver Unloaded


• Trigger Condition: An adversary blocks indicators or events captured by sensors
from being gathered and analyzed.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Indicator Blocking

• ATT&CK ID: T1562, T1562.006

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*fltmc.exe" or command="*fltmc*unload*") -user IN EXCLUDED_USERS


2.286 LP_Indicator Blocking - Sysmon Registry Edited


• Trigger Condition: An indicator blocking via registry editing is detected.
Adversaries might block indicators or events typically captured by sensors from
being gathered and analyzed to evade detection.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Indicator Blocking

• ATT&CK ID: T1562, T1562.006

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id IN [12,13,14] target_object in ["*HKLM\System\CurrentControlSet\Services\SysmonDrv\*", "*HKLM\System\CurrentControlSet\Services\Sysmon\*", "*HKLM\System\CurrentControlSet\Services\Sysmon64\*"] -"process" IN ["*\Sysmon64.exe","*\Sysmon.exe"] -event_type=INFO -user IN EXCLUDED_USERS

2.287 LP_Indirect Command Execution Detected


• Trigger Condition: When indirect command execution via the Program Compatibility
Assistant (pcalua.exe) or forfiles.exe is detected. pcalua.exe is a command-line tool
that allows users to run programs with administrator access rights on Windows
operating systems. It is useful for running programs that require elevated
permissions, such as installing or modifying system-level software. forfiles.exe is
a command-line tool that enables a user to run a command on multiple files in
a specified directory. It helps batch process multiple files, such as deleting or
renaming them. Adversaries can use either tool to achieve indirect command execution.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Indirect Command Execution

• ATT&CK ID: T1202

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image IN ["*\pcalua.exe", "*\forfiles.exe"] -user IN EXCLUDED_USERS


2.288 LP_Install Root Certificate


• Trigger Condition: Adversaries undermine security controls that will either warn
users of the untrusted activity or prevent the execution of untrusted programs.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Subvert Trust Controls, Install Root Certificate

• ATT&CK ID: T1553, T1553.004

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) image!="*svchost.exe" (target_object="*\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*" or target_object="*\Microsoft\SystemCertificates\Root\Certificates\*") -user IN EXCLUDED_USERS

2.289 LP_Suspicious InstallUtil Execution


• Trigger Condition: Adversaries use InstallUtil for proxy execution of code through
a trusted Windows utility. InstallUtil is a command-line utility that installs and
uninstalls resources by executing specific installer components in .NET binaries.
Adversaries most commonly invoke it through the InstallUtil Uninstall method.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, InstallUtil

• ATT&CK ID: T1218, T1218.004

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=3 (image="*InstallUtil.exe" or command="*\/logfile= \/LogToConsole=false \/U*") -user IN EXCLUDED_USERS


2.290 LP_InvisiMole Malware Connection to Malicious Domains


• Trigger Condition: A connection with domain related to the InvisiMole Malware is
detected.
• ATT&CK Category: Command and Control
• ATT&CK Tag: Proxy
• ATT&CK ID: T1090
• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
• Query:

norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in INVISIMOLE_MALWARE_DOMAINS

2.291 LP_InvisiMole Malware Connection to Malicious Sources


• Trigger Condition: A host makes an outbound connection to InvisiMole malware
sources.
• ATT&CK Category: Command and Control
• ATT&CK Tag: Proxy
• ATT&CK ID: T1090
• Minimum Log Source Requirement: Firewall, IDS/IPS
• Query:

(destination_address IN INVISIMOLE_MALWARE_IPS OR source_address IN INVISIMOLE_MALWARE_IPS) | process geoip(destination_address) as country

2.292 LP_InvisiMole Malware Exploitable Vulnerabilities Detected


• Trigger Condition: Vulnerability Management detects the presence of
vulnerabilities linked to InvisiMole malware that targets high-profile military
and diplomatic entities.


• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

• ATT&CK ID: T1046, T1518, T1518.001

• Minimum Log Source Requirement: Vulnerability Management

• Query:

norm_id=VulnerabilityManagement (cve_id="*CVE-2017-0144*" OR cve_id="*CVE-2019-0708*")

2.293 LP_InvisiMole Malware Infected Host Detected


• Trigger Condition: InvisiMole malware-infected host is detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Data Destruction, Proxy

• ATT&CK ID: T1485, T1090

• Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

• Query:

host=* hash=* hash IN INVISIMOLE_MALWARE_HASHES

2.294 LP_Invocation of Active Directory Diagnostic Tool Detected


• Trigger Condition: Execution of ntdsutil.exe, which is used for various attacks
against the NTDS database (OS Credential Dumping: NTDS), is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=1 command="*\ntdsutil*" -user IN EXCLUDED_USERS

2.295 LP_Java Running with Remote Debugging


• Trigger Condition: LogPoint detects a Java process running with remote debugging
enabled, allowing the local host to connect.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning

• ATT&CK ID: T1046

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command="*transport=dt_socket, address=*" -command="*address=127.0.0.1*" -command="*address=localhost*" -user IN EXCLUDED_USERS

2.296 LP_Judgement Panda Exfil Activity


• Trigger Condition: Judgement Panda activity described in Global Threat Report
2019 by Crowdstrike is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credentials in Files, Credential Dumping

• ATT&CK ID: T1552, T1552.001, T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((image="*\xcopy.exe" command="* /S /E /C /Q /H *") OR (image="*\adexplorer.exe" command="* -snapshot * c:\users\*")) -user IN EXCLUDED_USERS


2.297 LP_JunOS Attack


• Trigger Condition: LogPoint detects an attack pattern.

• ATT&CK Category: Impact

• ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service

• ATT&CK ID: T1498, T1499

• Minimum Log Source Requirement: JunOS

• Query:

norm_id=JunOS (label=Application OR label=appddos OR threat=*dos*) label=Attack (label=Warning OR label=Successful)

2.298 LP_JunOS Authentication Failed


• Trigger Condition: Failure of an authentication.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Valid Accounts, Brute Force

• ATT&CK ID: T1078, T1110

• Minimum Log Source Requirement: JunOS

• Query:

norm_id=JunOS label=User (label=Authentication OR Login) label=Fail

2.299 LP_JunOS Policy Violation


• Trigger Condition: A policy violation is detected.

• ATT&CK Category: Defense Evasion, Privilege Escalation, Credential Access

• ATT&CK Tag: Bypass User Access Control, Exploitation for Credential Access,
Exploitation for Privilege Escalation

• ATT&CK ID: T1548, T1212, T1068


• Minimum Log Source Requirement: JunOS

• Query:

norm_id=JunOS label=Policy (label=Violation OR label=Error)

2.300 LP_JunOS Security Log Clear


• Trigger Condition: An administrator has cleared one or more audit logs.

• ATT&CK Category: Defense Evasion, Impact

• ATT&CK Tag: Indicator Removal on Host, Data Destruction, Indicator Removal on Host, File Deletion

• ATT&CK ID: T1070, T1485, T1070, T1070.004

• Minimum Log Source Requirement: JunOS

• Query:

norm_id=JunOS label=Log label=Clear

2.301 LP_Kaspersky Antivirus - Outbreak Detection


• Trigger Condition: This alert rule is triggered whenever a threat is detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Software Discovery, Security Software Discovery

• ATT&CK ID: T1518, T1518.001

• Minimum Log Source Requirement: Kaspersky

• Query:

norm_id=KasperskyAntivirus event_type="*threat*detected" | rename wstrPar5 as virus | chart distinct_count(win_name) as CNT by virus, event_type


2.302 LP_Kaspersky Antivirus - Update Fail


• Trigger Condition: Automatic updates are disabled, not all the components are
updated, or there is a network error.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Impair Defenses, Disable or Modify Tools

• ATT&CK ID: T1562, T1562.001

• Minimum Log Source Requirement: Kaspersky

• Query:

norm_id=KasperskyAntivirus (event_type="Automatic updates are disabled" OR event_type="Not all components were updated" OR event_type="Network update error" OR event_type="Error updating component" OR description="Error downloading update files" OR description="Update files are corrupted") | rename event_type as reason, description as reason

2.303 LP_Kaspersky Antivirus Extremely Out of Date Event


• Trigger Condition: Outdated events are detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Indicator Blocking

• ATT&CK ID: T1562, T1562.006

• Minimum Log Source Requirement: Kaspersky

• Query:

norm_id=KasperskyAntivirus event_type="*extremely out of date*"

2.304 LP_Kaspersky Antivirus Outbreak Detection by Source


• Trigger Condition: More than one source is affected by the same virus.


• ATT&CK Category: Impact

• ATT&CK Tag: Software Discovery, Security Software Discovery

• ATT&CK ID: T1518, T1518.001

• Minimum Log Source Requirement: Kaspersky

• Query:

norm_id=KasperskyAntivirus "event_type"="Threats have been detected" | chart distinct_count(win_name) as DC | search DC>1

2.305 LP_Kaspersky Antivirus Outbreak Detection by Virus


• Trigger Condition: More than ten viruses are detected in the system.

• ATT&CK Category: Impact

• ATT&CK Tag: Software Discovery, Security Software Discovery

• ATT&CK ID: T1518, T1518.001

• Minimum Log Source Requirement: Kaspersky

• Query:

norm_id=KasperskyAntivirus "event_type"="Threats have been detected" | chart distinct_count(wstrPar5) as DC | search DC>10

2.306 LP_Kaspersky Antivirus Threat Affecting Multiple Host


• Trigger Condition: The same threat is detected in multiple hosts.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Indicator Blocking

• ATT&CK ID: T1562, T1562.006

• Minimum Log Source Requirement: Kaspersky

• Query:


norm_id=KasperskyAntivirus event_type="*threat*detected" | chart distinct_count(win_name) as HostCount by event_type | process quantile(HostCount) | chart count() by event_type, quantile, HostCount

2.307 LP_Kerberoasting via PowerShell Detected


• Trigger Condition: Kerberoasting (Steal or Forge Kerberos Tickets) via PowerShell
(Command and Scripting Interpreter) is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting

• ATT&CK ID: T1558, T1558.003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4103 (command_name="Invoke-Kerberoast" OR command="Invoke-Kerberoast") -user IN EXCLUDED_USERS | rename command_name as command

2.308 LP_Kernel Firewall Connection Denied


• Trigger Condition: Ten firewall connections are denied from the same source to
the same destination in a minute.

• ATT&CK Category: Impact, Command and Control

• ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service, Proxy

• ATT&CK ID: T1498, T1499, T1090

• Minimum Log Source Requirement: Kernel

• Query:

[10 norm_id=Kernel label=Firewall label=Connection label=Deny having same source_address, destination_address within 1 minute]


2.309 LP_Koadic Execution Detected


• Trigger Condition: Command line parameters used by the Koadic hack tool are
detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Mshta

• ATT&CK ID: T1218, T1218.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*cmd.exe* /q /c chcp *"] -user IN EXCLUDED_USERS

2.310 LP_KRACK Vulnerable Source Detected


• Trigger Condition: Sources vulnerable to KRACK are detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

• ATT&CK ID: T1046, T1211, T1518, T1518.001

• Minimum Log Source Requirement: Qualys, Vulnerability Management

• Query:

qualys_id=* qualys_id IN [176179, 91411, 196947, 170424, 170428, 196947] source_address=*

2.311 LP_Large ICMP Traffic


• Trigger Condition: ICMP datagrams with a size greater than 1024 bytes are
received.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning


• ATT&CK ID: T1046

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

((label=Receive label=Packet) or label=Illegal label=Receive label=Packet) (packet_length>1024 or fragment_length>1024)

2.312 LP_Local Account Creation on Workstation Detected


• Trigger Condition: Creation of a local account on a domain workstation that is not
Windows Domain Controller (DC).

• ATT&CK Category: Persistence

• ATT&CK Tag: Create Account

• ATT&CK ID: T1136

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label=User label=Account label=Create -target_user="*$" target_user=* -host in WINDOWS_DC -user IN EXCLUDED_USERS

2.313 LP_Local Accounts Discovery Detected


• Trigger Condition: Valid Accounts, Account Discovery, or Local Accounts
Discovery is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: System Owner/User Discovery, Account Discovery

• ATT&CK ID: T1033, T1087

• Minimum Log Source Requirement: Windows Sysmon

• Query:


(norm_id=WindowsSysmon event_id=1 (((image="*\whoami.exe" OR (image="*\wmic.exe" command="*useraccount*" command="*get*") OR image IN ["*\quser.exe", "*\qwinsta.exe"] OR (image="*\cmdkey.exe" command="*/list*") OR (image="*\cmd.exe" command="*/c*" command="*dir *" command="*\Users\\*")) -(command IN ["* rmdir *"])) OR ((image IN ["*\net.exe", "*\net1.exe"] command="*user*") -(command IN ["*/domain*", "*/add*", "*/delete*", "*/active*", "*/expires*", "*/passwordreq*", "*/scriptpath*", "*/times*", "*/workstations*"])))) -user IN EXCLUDED_USERS

2.314 LP_Local Port Monitor


• Trigger Condition: Adversaries configure system settings to automatically execute
a program during system boot or logon to maintain persistence or gain higher-level
privileges on compromised systems.
• ATT&CK Category: Persistence, Privilege Escalation
• ATT&CK Tag: Boot or Logon Autostart Execution, Port Monitors
• ATT&CK ID: T1547, T1547.01
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*\SYSTEM\CurrentControlSet\Control\Print\Monitors\*" -user IN EXCLUDED_USERS

2.315 LP_LockCrypt Ransomware


• Trigger Condition: LockCrypt ransomware encrypts a file.
• ATT&CK Category: Impact
• ATT&CK Tag: Disk Wipe, Disk Content Wipe, Data Encrypted for Impact, Data
Destruction
• ATT&CK ID: T1561, T1561.001, T1486, T1485
• Minimum Log Source Requirement: Integrity Scanner
• Query:

norm_id=IntegrityScanner label = File label="Rename" new_file=*.lock | norm on new_file <path:.*><:'\\'><EncryptedFileName:.*> | norm on file_path <:.*><:'\\'><OriginalFileName:.*> | rename hostname as host | chart count() by log_ts, host, path, OriginalFileName, EncryptedFileName order by count() desc limit 10


2.316 LP_LockerGoga Malware Affected Host


• Trigger Condition: LockerGoga malware infects a host.

• ATT&CK Category: Discovery, Defense Evasion

• ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

• ATT&CK ID: T1046, T1211, T1518, T1518.001

• Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

• Query:

host=* (hash IN LOCKERGOGA_HASHES OR hash_sha1 IN LOCKERGOGA_HASHES OR hash_sha256 IN LOCKERGOGA_HASHES OR file IN LOCKERGOGA_FILES OR object IN LOCKERGOGA_FILES) | rename hash_sha1 as hash, hash_sha256 as hash, object as file

2.317 LP_LockerGoga Malware Emails Sent to Attacker


• Trigger Condition: An email is sent to or from LockerGoga malware listed emails.

• ATT&CK Category: Command and Control, Exfiltration

• ATT&CK Tag: Proxy, Exfiltration Over C2 Channel, Automated Exfiltration, Email Collection

• ATT&CK ID: T1090, T1041, T1020, T1114

• Minimum Log Source Requirement: Mail Server

• Query:

(receiver in LOCKERGOGA_EMAILS OR sender in LOCKERGOGA_EMAILS) sender=* receiver=* (host=* OR source_host=*) | rename source_host as host


2.318 LP_Log Files Creation of Dot-Net-to-JS Detected


• Trigger Condition: Creation of log files of Dot-Net-to-JavaScript.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter

• ATT&CK ID: T1059

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 path="*UsageLogs*" file in ["*cscript.exe.log", "*wscript.exe.log", "*wmic.exe.log", "*mshta.exe.log", "*svchost.exe.log", "*regsvr32.exe.log", "*rundll32.exe.log"] -user IN EXCLUDED_USERS

2.319 LP_Login with WMI Detected


• Trigger Condition: Logins performed with WMI are detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Windows Management Instrumentation

• ATT&CK ID: T1047

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4624 "process"="*\WmiPrvSE.exe" -user IN EXCLUDED_USERS

2.320 LP_Logon Scripts Detected


• Trigger Condition: Creation or execution of the UserInitMprLogonScript persistence
method is detected.

• ATT&CK Category: Persistence, Lateral Movement

• ATT&CK Tag: Logon Scripts

• ATT&CK ID: T1037


• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=1 ((parent_image="*\userinit.exe" -image="*\explorer.exe" -command IN ["*\netlogon.bat", "*\UsrLogon.cmd"]) OR (command="*UserInitMprLogonScript*"))) OR (event_id IN ["11", "12", "13", "14"] target_object="*UserInitMprLogonScript*") -user IN EXCLUDED_USERS

2.321 LP_LSASS Access from Non System Account Detected


• Trigger Condition: Potential mimikatz-like tools accessing LSASS from a non-system
account are detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id IN ["4663", "4656"] object_type="Process" object_name="*\lsass.exe" -user="*$" -user IN EXCLUDED_USERS

2.322 LP_LSASS Memory Dump Detected


• Trigger Condition: An LSASS process memory dump using procdump or taskmgr,
identified by a CallTrace pointing to dbghelp.dll or dbgcore.dll on Windows 10, is
detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=10 image="C:\windows\system32\lsass.exe" access="0x1fffff" call_trace IN ["*dbghelp.dll*", "*dbgcore.dll*"] -user IN EXCLUDED_USERS

2.323 LP_LSASS Memory Dump File Creation


• Trigger Condition: LSASS memory dump creation using operating system utilities
is detected. Procdump uses the process name in the output file name if no name is specified.
• ATT&CK Category: Credential Access
• ATT&CK Tag: Credential Dumping
• ATT&CK ID: T1003
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=11 file="*lsass*dmp" -user IN EXCLUDED_USERS

2.324 LP_LSSAS Memory Dump with MiniDumpWriteDump API Detected


• Trigger Condition: The use of the MiniDumpWriteDump API to dump lsass.exe
memory in a stealthy way is detected. Tools like Process Hacker and some attacker
tradecraft use this API, found in dbghelp.dll or dbgcore.dll. For example, the
SILENTTRINITY C2 framework has a module that leverages this API to dump the
contents of lsass.exe and transfer it over the network back to the attacker's
machine.
• ATT&CK Category: Credential Access
• ATT&CK Tag: Credential Dumping
• ATT&CK ID: T1003
• Minimum Log Source Requirement: Windows Sysmon
• Query:

(norm_id=WindowsSysmon event_id=7 source_image IN ["*\dbghelp.dll", "*\dbgcore.dll"] image IN ["*\msbuild.exe", "*\cmd.exe", "*\svchost.exe", "*\rundll32.exe", "*\powershell.exe", "*\word.exe", "*\excel.exe", "*\powerpnt.exe", "*\outlook.exe", "*\monitoringhost.exe", "*\wmic.exe", "*\msiexec.exe", "*\bash.exe", "*\wscript.exe", "*\cscript.exe", "*\mshta.exe", "*\regsvr32.exe", "*\schtasks.exe", "*\dnx.exe", "*\regsvcs.exe", "*\sc.exe", "*\scriptrunner.exe"] -image="*Visual Studio*") OR (event_id=7 source_image IN ["*\dbghelp.dll", "*\dbgcore.dll"] Signed="FALSE" -image="*Visual Studio*") -user IN EXCLUDED_USERS

2.325 LP_LSASS Memory Dumping Detected


• Trigger Condition: Creation of dump files containing the memory space of
lsass.exe, containing sensitive credentials is detected. It identifies the use of
Sysinternals procdump.exe to export the memory space of lsass.exe containing
sensitive credentials.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((command="*lsass*" command="*.dmp*" -image="*\werfault.exe") OR (image="*\procdump*" image="*.exe" command="*lsass*")) -user IN EXCLUDED_USERS

2.326 LP_Macro file Creation Detected


• Trigger Condition: Creation of a macro file is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Command and Scripting Interpreter

• ATT&CK ID: T1059

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 file in ["*.docm", "*.pptm", "*.xlsm", "*.xlm", "*.dotm", "*.xltm", "*.potm", "*.ppsm", "*.sldm", "*.xlam", "*.xla"] -user IN EXCLUDED_USERS


2.327 LP_Magecart Exploitable Vulnerabilities Detected


• Trigger Condition: Vulnerability Management detects the presence of Magento
vulnerability linked to Magecart Card Skimming attack on E-Commerce Business.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

• ATT&CK ID: T1046, T1518, T1518.001

• Minimum Log Source Requirement: Vulnerability Management

• Query:

norm_id=VulnerabilityManagement cve_id="*CVE-2016-4010*"

2.328 LP_Magecart Threat Connection to Malicious Domains


• Trigger Condition: Any connection to Magecart related domains is detected.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Proxy

• ATT&CK ID: T1090

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in MAGECART_DOMAINS

2.329 LP_Magecart Threat Connection to Malicious Sources


• Trigger Condition: Hosts make an outbound connection to Magecart sources.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Proxy


• ATT&CK ID: T1090


• Minimum Log Source Requirement: Firewall, IDS/IPS
• Query:

(destination_address IN MAGECART_IPS OR source_address IN MAGECART_IPS) | process geoip(destination_address) as country

2.330 LP_Malicious Base64 Encoded PowerShell Keywords in Command Lines Detected


• Trigger Condition: When base64-encoded keywords are found in hidden malicious
PowerShell (Command and Scripting Interpreter) command lines. Adversaries hide
their activities by encoding commands to bypass detection with this technique.
• ATT&CK Category: Execution
• ATT&CK Tag: Command and Scripting Interpreter, PowerShell
• ATT&CK ID: T1059, T1059.001
• Minimum Log Source Requirement: Windows Sysmon, Windows
• Query:

norm_id=WindowsSysmon event_id=1 image="*\powershell.exe" command IN ["* hidden *",
"*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*", "*aXRzYWRtaW4gL3RyYW5zZmVy*",
"*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*", "*JpdHNhZG1pbiAvdHJhbnNmZX*",
"*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*", "*Yml0c2FkbWluIC90cmFuc2Zlc*",
"*AGMAaAB1AG4AawBfAHMAaQB6AGUA*", "*JABjAGgAdQBuAGsAXwBzAGkAegBlA*", "*JGNodW5rX3Npem*",
"*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*", "*RjaHVua19zaXpl*", "*Y2h1bmtfc2l6Z*",
"*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*", "*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*",
"*lPLkNvbXByZXNzaW9u*", "*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*", "*SU8uQ29tcHJlc3Npb2*",
"*Ty5Db21wcmVzc2lvb*", "*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*",
"*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*", "*lPLk1lbW9yeVN0cmVhb*",
"*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*", "*SU8uTWVtb3J5U3RyZWFt*", "*Ty5NZW1vcnlTdHJlYW*",
"*4ARwBlAHQAQwBoAHUAbgBrA*", "*5HZXRDaHVua*", "*AEcAZQB0AEMAaAB1AG4Aaw*",
"*LgBHAGUAdABDAGgAdQBuAGsA*", "*LkdldENodW5r*", "*R2V0Q2h1bm*",
"*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*", "*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*",
"*RIUkVBRF9JTkZPNj*", "*SFJFQURfSU5GTzY0*", "*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*",
"*VEhSRUFEX0lORk82N*", "*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*",
"*cmVhdGVSZW1vdGVUaHJlYW*", "*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*",
"*NyZWF0ZVJlbW90ZVRocmVhZ*", "*Q3JlYXRlUmVtb3RlVGhyZWFk*",
"*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*",
"*0AZQBtAG0AbwB2AGUA*", "*1lbW1vdm*", "*AGUAbQBtAG8AdgBlA*",
"*bQBlAG0AbQBvAHYAZQ*", "*bWVtbW92Z*", "*ZW1tb3Zl*"] -user IN EXCLUDED_USERS
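The rule above carries three base64 fragments per keyword for each of two text encodings (UTF-16LE, which PowerShell's -EncodedCommand expects, and ASCII) because base64 output depends on where the keyword falls relative to a 3-byte boundary. The following Python is an added example, not part of the LogPoint documentation: it derives those alignment-independent fragments for a keyword and applies them to a constructed command line the way the rule's wildcard list does; the keyword subset and sample scripts are assumptions.

```python
"""Derive the alignment-invariant base64 fragments a keyword rule needs.

Base64 turns every 3 input bytes into 4 output characters, so the encoding
of a keyword depends on where it starts relative to a 3-byte boundary in the
script. Covering all three alignments, for both UTF-16LE and ASCII text, is
why a single keyword such as "memmove" needs six fragments.
"""
import base64

# Assumption: a small subset of the keywords the rule encodes.
KEYWORDS = ["memmove", "CreateRemoteThread", "chunk_size"]

# Leading base64 characters whose bits overlap the `pad` unknown prefix bytes.
_HEAD_CHARS = {0: 0, 1: 2, 2: 3}


def base64_fragments(keyword: str) -> set:
    """Return every base64 substring a keyword produces regardless of its
    byte alignment, for UTF-16LE and ASCII text."""
    fragments = set()
    for raw in (keyword.encode("utf-16le"), keyword.encode("ascii")):
        for pad in range(3):
            # Shift the keyword to this alignment with placeholder bytes.
            encoded = base64.b64encode(b"\x00" * pad + raw).decode().rstrip("=")
            # A trailing partial group (1 or 2 bytes) yields one character that
            # also depends on whatever follows the keyword: drop it.
            tail = 1 if (pad + len(raw)) % 3 else 0
            fragments.add(encoded[_HEAD_CHARS[pad]:len(encoded) - tail])
    return fragments


def find_encoded_keyword(command_line: str, keywords=KEYWORDS):
    """Mirror the rule's `command IN ["*fragment*", ...]` wildcard list:
    return (keyword, fragment) for the first fragment found, else None."""
    for keyword in keywords:
        for fragment in sorted(base64_fragments(keyword)):
            if fragment in command_line:
                return keyword, fragment
    return None


def encoded_powershell_command(script: str) -> str:
    """Constructed sample of the `command` field of a Sysmon event 1 for an
    encoded PowerShell invocation (UTF-16LE script, then base64)."""
    blob = base64.b64encode(script.encode("utf-16le")).decode()
    return f"powershell.exe -EncodedCommand {blob}"


if __name__ == "__main__":
    for fragment in sorted(base64_fragments("memmove")):
        print("memmove fragment:", fragment)
    # Constructed samples: one carries an encoded keyword, one is benign.
    for script in ("Write-Host memmove", "Get-Date"):
        print(script, "->", find_encoded_keyword(encoded_powershell_command(script)))
```

The fragments this derives for "memmove" are the six the rule lists (two of them one character shorter in the rule), which is also a quick way to audit a keyword list for a missing alignment.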

2.331 LP_Malicious File Execution Detected


• Trigger Condition: Execution of a suspicious file by wscript and cscript.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter

• ATT&CK ID: T1059

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image IN ["*\wscript.exe", "*\cscript.exe"] command IN ["*.jse", "*.vbe", "*.js", "*.vba"] -user IN EXCLUDED_USERS

2.332 LP_Malicious PowerShell Commandlet Names Detected


• Trigger Condition: LogPoint detects cmdlet names from well-known PowerShell
(Command and Scripting Interpreter) exploitation frameworks.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

2.331. LP_Malicious File Execution Detected 150


Alert Rules Documentation, Release latest

(norm_id=WindowsSysmon event_id=11 file IN MALICIOUS_POWERSHELL_


,→COMMANDLET_NAMES) or (norm_id=WinServer command IN MALICIOUS_

,→POWERSHELL_COMMANDS) -user IN EXCLUDED_USERS

2.333 LP_Malicious Service Installations Detected

• Trigger Condition: A service is installed (event ID 7045) whose name or binary matches tooling seen in lateral movement and credential dumping: PAExec, winexesvc, WCE, pwdump, gsecdump, cachedump, a net user command registered as a service, or the mssecsvc2.0 service created by WannaCry.
• ATT&CK Category: Persistence, Privilege Escalation
• ATT&CK Tag: Credential Dumping, System Services, Service Execution, New Service
• ATT&CK ID: T1003, T1569, T1569.002, T1543
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer event_id=7045 service in ["*\PAExec*", "mssecsvc2.0", "*net user*", "WCESERVICE", "WCE SERVICE", "winexesvc.exe*", "*\DumpSvc.exe", "pwdump*", "gsecdump*", "cachedump*"] -user IN EXCLUDED_USERS

2.334 LP_Malware Shellcode in Verclsid Target Process

• Trigger Condition: A process opens verclsid.exe with full access (0x1FFFFF) from an address that Sysmon cannot attribute to a loaded module (UNKNOWN in the call trace), either from the VBA runtime (VBE7.DLL) or from a Microsoft Office process. This is the pattern of shellcode injected from an Office document or VBA macro.
• ATT&CK Category: Defense Evasion, Privilege Escalation
• ATT&CK Tag: Process Injection, Signed Binary Proxy Execution, Verclsid
• ATT&CK ID: T1055, T1218, T1218.012
• Minimum Log Source Requirement: Windows Sysmon
• Query:

event_id=10 image="*\verclsid.exe" access="0x1FFFFF" (call_trace="*|UNKNOWN(*VBE7.DLL*" OR (source_image="*\Microsoft Office\*" call_trace="*|UNKNOWN*")) -user IN EXCLUDED_USERS

2.335 LP_Malware Threat Affected Host

• Trigger Condition: A host is observed with a file name or hash that is on the malware watchlists (MALWARE_FILES, MALWARE_HASHES).
• ATT&CK Category: Discovery, Defense Evasion
• ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery
• ATT&CK ID: T1046, T1211, T1518, T1518.001
• Minimum Log Source Requirement: Windows
• Query:

(object IN MALWARE_FILES OR file in MALWARE_FILES OR hash in MALWARE_HASHES) host=* | rename object as file

2.336 LP_Malware Threat Connection from Malicious Source

• Trigger Condition: An inbound connection to an address in HOMENET from a source address on the MALWARE_IP list is detected.
• ATT&CK Category: Command and Control
• ATT&CK Tag: Proxy
• ATT&CK ID: T1090
• Minimum Log Source Requirement: Firewall, IDS/IPS
• Query:

(source_address=* OR destination_address=*) source_address in MALWARE_IP destination_address IN HOMENET | process geoip(source_address) as country

2.337 LP_Malware Threat Connection to Malicious Destination

• Trigger Condition: A host in HOMENET makes an outbound connection to an address on the MALWARE_IP list.
• ATT&CK Category: Command and Control
• ATT&CK Tag: Proxy
• ATT&CK ID: T1090
• Minimum Log Source Requirement: Firewall, IDS/IPS
• Query:

(source_address=* OR destination_address=*) destination_address in MALWARE_IP source_address IN HOMENET | process geoip(destination_address) as country

2.338 LP_Malware Threat Connection to Malicious URLs

• Trigger Condition: A request to a URL whose domain is on the MALWARE_URL list is detected.
• ATT&CK Category: Command and Control
• ATT&CK Tag: Proxy
• ATT&CK ID: T1090
• Minimum Log Source Requirement: Firewall, IDS/IPS
• Query:

url=* source_address=* | process domain(url) as domain | search domain in MALWARE_URL

2.339 LP_Malware Threat Emails Sent to Attacker

• Trigger Condition: Mail is sent to, or received from, an address on the MALWARE_EMAILS list.
• ATT&CK Category: Command and Control
• ATT&CK Tag: Proxy, Exfiltration Over C2 Channel, Automated Exfiltration, Email Collection
• ATT&CK ID: T1090, T1041, T1020, T1114
• Minimum Log Source Requirement: Mail Server
• Query:

(receiver in MALWARE_EMAILS OR sender in MALWARE_EMAILS) sender=* receiver=* (host=* OR source_host=*) | rename source_host as host

2.340 LP_Masquerading Extension Detected

• Trigger Condition: A process image with a double extension that imitates a document, image or archive (for example invoice.pdf.exe) is started. Adversaries manipulate features of their artifacts to evade defenses and observation.
• ATT&CK Category: Defense Evasion
• ATT&CK Tag: Masquerading
• ATT&CK ID: T1036
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=1 (image="*.doc.*" or image="*.docx.*" or image="*.xls.*" or image="*.xlsx.*" or image="*.pdf.*" or image="*.rtf.*" or image="*.jpg.*" or image="*.png.*" or image="*.jpeg.*" or image="*.zip.*" or image="*.rar.*" or image="*.ppt.*" or image="*.pptx.*") -user IN EXCLUDED_USERS
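
The globs in this query are evaluated against the whole image path, so a directory name containing ".doc." or ".zip." anywhere in the path matches just as well as a lure file name. The script below is an added example, not part of the LogPoint rule: it replays the query's wildcard match over constructed Sysmon event-1 records and, next to it, a tighter check that only looks at the file name. The record layout, user names and paths are assumptions made for the demonstration.

```python
import re
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Extensions a double-extension lure imitates; the same set the rule's globs cover.
LURE_EXTENSIONS = ("doc", "docx", "xls", "xlsx", "pdf", "rtf", "jpg",
                   "png", "jpeg", "zip", "rar", "ppt", "pptx")

# Literal form of the documented query: image="*.doc.*" OR image="*.docx.*" ...
# evaluated against the whole path.
RULE_GLOBS = tuple("*.%s.*" % ext for ext in LURE_EXTENSIONS)

# Tighter form: the lure extension must be part of the file name and be followed
# by one final extension, so a directory such as C:\Users\j.doc.smith\ is ignored.
DOUBLE_EXT_RE = re.compile(r"\.(%s)\.[a-z0-9]{1,5}$" % "|".join(LURE_EXTENSIONS),
                           re.IGNORECASE)


def rule_matches(image):
    """Case-insensitive replay of the query's path-wide wildcard match."""
    path = image.lower()
    return any(fnmatchcase(path, glob) for glob in RULE_GLOBS)


def basename_matches(image):
    """Flag only when the double extension sits in the file name itself."""
    return DOUBLE_EXT_RE.search(PureWindowsPath(image).name) is not None


def triage(events, excluded_users=()):
    """Run both checks over Sysmon event-1 records; return (rule_hits, basename_hits)."""
    rule_hits, basename_hits = [], []
    for ev in events:
        if ev["event_id"] != 1 or ev["user"] in excluded_users:
            continue
        if rule_matches(ev["image"]):
            rule_hits.append(ev["image"])
        if basename_matches(ev["image"]):
            basename_hits.append(ev["image"])
    return rule_hits, basename_hits


# Constructed Sysmon event-1 records (assumption; field names follow the query).
EVENTS = [
    {"event_id": 1, "user": r"CORP\alice", "image": r"C:\Users\alice\Downloads\Invoice_2023.pdf.exe"},
    {"event_id": 1, "user": r"CORP\bob", "image": r"C:\Users\bob\AppData\Local\Temp\photo.JPG.scr"},
    {"event_id": 1, "user": r"CORP\carol", "image": r"C:\Users\carol.doc.smith\Tools\7z.exe"},
    {"event_id": 1, "user": r"CORP\dave", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"event_id": 1, "user": r"CORP\svc_build", "image": r"D:\build\report.docx.exe"},
]

if __name__ == "__main__":
    hits, tight = triage(EVENTS, excluded_users=(r"CORP\svc_build",))
    print("query globs  :", hits)
    print("basename only:", tight)
```

The third record shows the difference: the query's globs fire on the user profile directory carol.doc.smith, while the file-name check does not. The last record shows the effect of the -user IN EXCLUDED_USERS clause, which removes the build account's report.docx.exe from both result sets even though it is a textbook lure name; exclusions should be kept to accounts whose activity is understood.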

2.341 LP_Masquerading File Location Detected

• Trigger Condition: A process located under SysWOW64, System32, AppData or a Temp directory creates an executable or script file (.exe, .dll, .bat, .com, .ps1, .py, .js, .vbs or .hta). Adversaries manipulate features of their artifacts to evade defenses and observation.
• ATT&CK Category: Defense Evasion
• ATT&CK Tag: Masquerading
• ATT&CK ID: T1036
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=11 (source_image="*SysWOW64*" or source_image="*System32*" or source_image="*AppData*" or image="*Temp*") (file="*.exe" or file="*.dll*" or file="*.bat*" or file="*.com*" or file="*.ps1*" or file="*.py*" or file="*.js*" or file="*.vbs*" or file="*.hta*") -user IN EXCLUDED_USERS

2.342 LP_Matrix Encrypted Files

• Trigger Condition: The integrity scanner reports a file renamed to a name or extension used by the Matrix ransomware; the original and encrypted file names are extracted from the paths.
• ATT&CK Category: Impact
• ATT&CK Tag: Data Encrypted for Impact, Data Encrypted, Data Destruction
• ATT&CK ID: T1486, T1022, T1485
• Minimum Log Source Requirement: Integrity Scanner
• Query:

norm_id=IntegrityScanner label="Rename" label=File new_file IN MATRIX_FILE | norm on new_file <path:.*><:'\\'><EncryptedFileName:string> | norm on file_path <:.*><:'\\'><OriginalFileName:string>

2.343 LP_Matrix Vulnerable Sources

• Trigger Condition: The vulnerability scanner reports CVE-2016-0189 (Internet Explorer) or CVE-2015-8651 (Flash Player) on a host; both vulnerabilities are associated with the Matrix ransomware.
• ATT&CK Category: Discovery, Defense Evasion
• ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery
• ATT&CK ID: T1046, T1211, T1518, T1518.001
• Minimum Log Source Requirement: Vulnerability Management
• Query:

cve_id="*CVE-2016-0189*" or cve_id="*CVE-2015-8651*" source_address=*

2.344 LP_Maze Ransomware Connection to Malicious Domains

• Trigger Condition: A request to a domain on the Maze double-extortion ransomware domain list is detected.
• ATT&CK Category: Command and Control
• ATT&CK Tag: Proxy
• ATT&CK ID: T1090
• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver
• Query:

norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in MAZE_RANSOMWARE_DOMAINS

2.345 LP_Maze Ransomware Connection to Malicious Sources

• Trigger Condition: A connection to or from an address on the Maze double-extortion ransomware IP list is detected.
• ATT&CK Category: Command and Control
• ATT&CK Tag: Proxy
• ATT&CK ID: T1090
• Minimum Log Source Requirement: Firewall, IDS/IPS
• Query:

(destination_address IN MAZE_RANSOMWARE_IPS OR source_address IN MAZE_RANSOMWARE_IPS) | process geoip(destination_address) as country

2.346 LP_Maze Ransomware Exploitable Vulnerabilities Detected

• Trigger Condition: The vulnerability scanner reports a CVE on the list linked to the Maze double-extortion ransomware.
• ATT&CK Category: Discovery
• ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery
• ATT&CK ID: T1046, T1518, T1518.001
• Minimum Log Source Requirement: Vulnerability Management
• Query:

norm_id=VulnerabilityManagement cve_id IN MAZE_RANSOMWARE_CVE

2.347 LP_Maze Ransomware Infected Host Detected

• Trigger Condition: A file hash on the Maze double-extortion ransomware hash list is observed on a host.
• ATT&CK Category: Impact
• ATT&CK Tag: Data Encrypted for Impact
• ATT&CK ID: T1486
• Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon
• Query:

host=* hash=* hash IN MAZE_RANSOMWARE_HASHES

2.348 LP_Meltdown and Spectre Vulnerabilities

• Trigger Condition: A vulnerability scan finding whose title mentions Spectre or Meltdown is reported; findings are counted per host, severity, CVE and recommended solution.
• ATT&CK Category: Discovery
• ATT&CK Tag: Software Discovery, Security Software Discovery
• ATT&CK ID: T1518, T1518.001
• Minimum Log Source Requirement: Vulnerability Management
• Query:

title=*spectre* or title=*meltdown* source_address=* | rename host as source_address | chart count() by source_address, severity, cve_id, solution order by count() desc

2.349 LP_Meterpreter or Cobalt Strike Getsystem Service Start Detected

• Trigger Condition: services.exe starts a command of the form used by the Meterpreter and Cobalt Strike getsystem command to obtain SYSTEM privileges: a cmd /c echo ... > \\.\pipe\... named-pipe impersonation service, or rundll32 loading a DLL with the /p: argument. Windows Defender's MpCmdRun is excluded. The environment variable is %COMSPEC%; the original pattern spelled it %COMPSEC%, which matches nothing.
• ATT&CK Category: Privilege Escalation
• ATT&CK Tag: Access Token Manipulation
• ATT&CK ID: T1134
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\services.exe" command IN ['*cmd* /c * echo *\pipe\*', '*%COMSPEC%* /c * echo *\pipe\*', '*rundll32*.dll,a*/p:*'] -command="*MpCmdRun*" -user IN EXCLUDED_USERS

2.350 LP_Microsoft ActiveX Control Code Execution Vulnerability Detected

• Trigger Condition: An Office application writes its Resiliency registry key, which Office creates after an application crash; this is the symptom left by exploitation attempts against the MSCOMCTL ActiveX control (CVE-2012-0158).
• ATT&CK Category: Execution
• ATT&CK Tag: Exploitation for Client Execution
• ATT&CK ID: T1203
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon label=Key label="Map" label=Registry target_object='*Software\Microsoft\Office*Resiliency' -user IN EXCLUDED_USERS

2.351 LP_Microsoft Binary Github Communication Detected

• Trigger Condition: An executable located under C:\Windows initiates a network connection to github.com or githubusercontent.com.
• ATT&CK Category: Command and Control
• ATT&CK Tag: Ingress Tool Transfer
• ATT&CK ID: T1105
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=3 initiated="true" destination_host IN ["*.github.com", "*.githubusercontent.com"] image="C:\Windows\*" -user IN EXCLUDED_USERS

2.352 LP_Microsoft DotNET Framework Remote Code Execution Detected

• Trigger Condition: WINWORD.EXE opened with an .rtf document spawns the C# compiler csc.exe, the behaviour of exploits for the Microsoft .NET Framework remote code execution vulnerability CVE-2017-8759.
• ATT&CK Category: Execution
• ATT&CK Tag: User Execution, Malicious File
• ATT&CK ID: T1204, T1204.002
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon label="Process" label=Create parent_image='*WINWORD.exe' parent_command='*.rtf*' image='*csc.exe' -user IN EXCLUDED_USERS

2.353 LP_Microsoft Office Memory Corruption Vulnerability CVE-2015-1641 Detected

• Trigger Condition: WINWORD.EXE or EXCEL.EXE loads MSVCR71.DLL, the non-ASLR module that exploits for the Microsoft Office memory corruption vulnerability CVE-2015-1641 load to bypass ASLR.
• ATT&CK Category: Execution
• ATT&CK Tag: User Execution
• ATT&CK ID: T1204
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon label=Image label=Load source_image IN ['*WINWORD.exe', '*EXCEL.exe'] image='*MSVCR71.DLL' -user IN EXCLUDED_USERS

2.354 LP_Microsoft Office Memory Corruption Vulnerability CVE-2017-0199 Detected

• Trigger Condition: WINWORD.EXE opens a network connection to an address on the MOST_EXPLOITABLE_IPS list, as seen when a document exploiting CVE-2017-0199 fetches its remote payload.
• ATT&CK Category: Execution
• ATT&CK Tag: User Execution
• ATT&CK ID: T1204
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon label=Network label=Connection image='*WINWORD.exe' destination_address IN MOST_EXPLOITABLE_IPS -user IN EXCLUDED_USERS

2.355 LP_Microsoft Office Memory Corruption Vulnerability CVE-2017-11882 Detected

• Trigger Condition: The Equation Editor (EQNEDT32.EXE), started out of process by Office with the -Embedding switch, spawns an executable: the behaviour of exploits for CVE-2017-11882.
• ATT&CK Category: Execution
• ATT&CK Tag: User Execution
• ATT&CK ID: T1204
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon label="Process" label=Create parent_image='*EQNEDT32.EXE' parent_command='*EQNEDT32.EXE*-Embedding' image='*.exe' -user IN EXCLUDED_USERS

2.356 LP_Microsoft Office Product Spawning Windows Shell

• Trigger Condition: A Windows command-line interpreter or other living-off-the-land binary is started by Microsoft Word, Excel, PowerPoint, Publisher, Visio, Outlook, Access, OneNote or the Equation Editor. Adversaries deliver malicious Office documents by phishing and lure victims into executing them to gain initial access to the system.
• ATT&CK Category: Execution
• ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Windows Command Shell, Malicious File
• ATT&CK ID: T1059, T1059.001, T1059.003, T1204.002
• Minimum Log Source Requirement: Windows Sysmon, Windows
• Query:

label="Process" label=Create parent_process IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.exe", "*\MSPUB.exe", "*\VISIO.exe", "*\OUTLOOK.EXE", "*\MSACCESS.EXE", "*EQNEDT32.EXE", "*\Onenote.exe"] "process" IN ["*\cmd.exe", "*\powershell.exe", "*\pwsh.exe", "*\wscript.exe", "*\cscript.exe", "*\sh.exe", "*\bash.exe", "*\scrcons.exe", "*\schtasks.exe", "*\regsvr32.exe", "*\hh.exe", "*\wmic.exe", "*\mshta.exe", "*\rundll32.exe", "*\msiexec.exe", "*\forfiles.exe", "*\scriptrunner.exe", "*\mftrace.exe", "*\AppVLP.exe", "*\svchost.exe", "*\msbuild.exe"]

2.357 LP_Mimikatz Command Line Detected

• Trigger Condition: A process command line contains a Mimikatz module or function name (for example sekurlsa::, lsadump:: or Invoke-Mimikatz).
• ATT&CK Category: Credential Access
• ATT&CK Tag: Credential Dumping
• ATT&CK ID: T1003
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*DumpCreds*", "*Invoke-Mimikatz*", "*rpc::*", "*token::*", "*crypto::*", "*dpapi::*", "*sekurlsa::*", "*kerberos::*", "*lsadump::*", "*privilege::*", "*process::*", "*misc::aadcookie*", "*misc::detours*", "*misc::memssp*", "*misc::mflt*", "*misc::ncroutemon*", "*misc::ngcsign*", "*misc::printnightmare*", "*misc::skeleton*", "*service::preshutdown*", "*ts::mstsc*", "*ts::multirdp*"] -user IN EXCLUDED_USERS

2.358 LP_Mitre - Initial Access - Hardware Addition - Removable Storage Connected

• Trigger Condition: A removable storage device is connected (event ID 2003 from the Microsoft-Windows-DriverFrameworks-UserMode/Operational log).
• ATT&CK Category: Initial Access
• ATT&CK Tag: Hardware Additions
• ATT&CK ID: T1200
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer* event_id=2003 event_source="Microsoft-Windows-DriverFrameworks-UserMode/Operational" -user IN EXCLUDED_USERS

2.359 LP_Mitre - Initial Access - Valid Accounts - Impossible Travel

• Trigger Condition: A user account logs in from source addresses that GeoIP resolves to more than one country.
• ATT&CK Category: Initial Access, Persistence, Privilege Escalation and Defense Evasion
• ATT&CK Tag: Valid Accounts
• ATT&CK ID: T1078
• Minimum Log Source Requirement: Windows
• Query:

label=User label=Login source_address=* | process geoip(source_address) as country | chart distinct_count(country) as DC, distinct_list(country) as countries by user | search DC>1
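
The query counts distinct countries per user without looking at time, so a user who logs in from Oslo in the morning and Stockholm in the afternoon is reported alongside one who logs in from Oslo and New York an hour apart. The script below is an added example, not part of the LogPoint rule, and goes beyond it: it reproduces the distinct-country check and adds a stricter test on the speed implied by consecutive logins, which is what the rule's name suggests. The GeoIP table (with private addresses so nothing resolves to a real network), the coordinates and the login events are assumptions made for the demonstration.

```python
import math
from collections import defaultdict

# Constructed GeoIP table standing in for process geoip(source_address) (assumption);
# private addresses are used so nothing here resolves to a real network.
GEOIP = {
    "10.1.1.10": ("NO", 59.91, 10.75),   # Oslo
    "10.2.2.20": ("SE", 59.33, 18.07),   # Stockholm
    "10.3.3.30": ("US", 40.71, -74.01),  # New York
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def multi_country_users(logins):
    """The documented query: users whose logins resolve to more than one country."""
    countries = defaultdict(set)
    for user, _ts, ip in logins:
        countries[user].add(GEOIP[ip][0])
    return {user: sorted(cs) for user, cs in countries.items() if len(cs) > 1}


def impossible_travel(logins, max_speed_kmh=900.0):
    """Stricter check: consecutive logins whose implied speed exceeds an airliner's."""
    by_user = defaultdict(list)
    for user, ts, ip in logins:
        by_user[user].append((ts, ip))
    flagged = []
    for user, events in by_user.items():
        events.sort()
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            _, lat1, lon1 = GEOIP[ip1]
            _, lat2, lon2 = GEOIP[ip2]
            dist = haversine_km(lat1, lon1, lat2, lon2)
            hours = (t2 - t1) / 3600
            if hours > 0:
                speed = dist / hours
            else:
                speed = math.inf if dist > 0 else 0.0   # two places at the same instant
            if speed > max_speed_kmh:
                flagged.append((user, ip1, ip2, round(dist), round(speed)))
    return flagged


# Constructed login events (assumption): (user, unix timestamp, source_address).
T0 = 1_683_800_000
LOGINS = [
    ("alice", T0,            "10.1.1.10"),   # Oslo
    ("alice", T0 + 3600,     "10.3.3.30"),   # New York one hour later
    ("bob",   T0,            "10.1.1.10"),   # Oslo
    ("bob",   T0 + 5 * 3600, "10.2.2.20"),   # Stockholm five hours later
    ("carol", T0,            "10.1.1.10"),
    ("carol", T0 + 7200,     "10.1.1.10"),
]

if __name__ == "__main__":
    print("more than one country:", multi_country_users(LOGINS))
    print("impossible travel    :", impossible_travel(LOGINS))
```

The distinct-country check flags both alice and bob; the speed check keeps only alice, whose two logins would require about 5,900 km of travel in an hour. VPN egress points and mobile carriers that route traffic through another country are the usual benign cause of multi-country hits, so the speed threshold is a useful first filter before a human looks at the account.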

2.360 LP_Mitre - Initial Access - Valid Accounts - Inactive User Accounts

• Trigger Condition: An account's last logon is roughly 30 days or more in the past. The query converts the Active Directory lastLogon FILETIME value (100-nanosecond intervals since 1601-01-01) to Unix seconds and flags number_of_days>29; accounts that have never logged on (lastLogon=0) are excluded.
• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
• ATT&CK Tag: Valid Accounts
• ATT&CK ID: T1078
• Minimum Log Source Requirement: Windows
• Query:

table AD_Users -lastLogon=0 lastLogon=* | process current_time(a) as time| chart max((time- (lastLogon/10000000 - 11644473600))/60/60/24) as number_of_days by sAMAccountName | search number_of_days>29
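
The arithmetic in the query (divide by 10000000, subtract 11644473600, then divide by 86400) is the conversion from a Windows FILETIME to Unix time and then to days. The script below is an added example, not part of the LogPoint rule: it performs the same conversion over constructed AD_Users rows, skips never-logged-on accounts the way -lastLogon=0 does, and keeps the query's >29 threshold. The account names, the fixed "now" and the lastLogon values are assumptions made for the demonstration.

```python
from datetime import datetime, timezone

FILETIME_TICKS_PER_SECOND = 10_000_000   # FILETIME counts 100-nanosecond intervals
EPOCH_OFFSET_SECONDS = 11_644_473_600    # seconds from 1601-01-01 to 1970-01-01


def filetime_to_unix(filetime):
    """Convert an AD lastLogon-style FILETIME to Unix time (whole seconds)."""
    return filetime // FILETIME_TICKS_PER_SECOND - EPOCH_OFFSET_SECONDS


def unix_to_filetime(unix_seconds):
    """Inverse of filetime_to_unix; used here only to build the sample rows."""
    return (unix_seconds + EPOCH_OFFSET_SECONDS) * FILETIME_TICKS_PER_SECOND


def days_since_logon(filetime, now_unix):
    return (now_unix - filetime_to_unix(filetime)) / 86400


def stale_accounts(rows, now_unix, min_days=29):
    """Mirror the query: drop never-logged-on accounts (lastLogon=0), keep the
    rest whose last logon is more than min_days days old."""
    stale = {}
    for row in rows:
        if row["lastLogon"] == 0:
            continue
        days = days_since_logon(row["lastLogon"], now_unix)
        if days > min_days:
            stale[row["sAMAccountName"]] = days
    return stale


# Constructed AD_Users rows (assumption). A fixed "now" keeps the result reproducible.
NOW = int(datetime(2023, 5, 11, 12, 0, tzinfo=timezone.utc).timestamp())
AD_USERS = [
    {"sAMAccountName": "alice",      "lastLogon": unix_to_filetime(NOW - 2 * 86400)},
    {"sAMAccountName": "svc_backup", "lastLogon": unix_to_filetime(NOW - 45 * 86400)},
    {"sAMAccountName": "contractor", "lastLogon": unix_to_filetime(NOW - 120 * 86400)},
    {"sAMAccountName": "new_hire",   "lastLogon": 0},  # never logged on; excluded like -lastLogon=0
]

if __name__ == "__main__":
    for name, days in stale_accounts(AD_USERS, NOW).items():
        print("%-12s inactive for %.0f days" % (name, days))
```

Two caveats when using this against a real directory: lastLogon is updated only on the domain controller that processed the logon and is not replicated, so the table must be collected from every DC (or the query switched to the replicated lastLogonTimestamp, which can lag the true value by up to 14 days), and an account that has never logged on is a separate finding from a stale one, which is why the query and the example set it aside rather than reporting it as inactive since 1601.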

2.361 LP_Mitre Command and Control Using Uncommonly used Port Detected

• Trigger Condition: A proxy-logged connection to a port in the COMMON_PORTS list whose destination address the threat-intelligence lookup classifies as Command and Control is detected.
• ATT&CK Category: Command and Control
• ATT&CK Tag: Non-Standard Port
• ATT&CK ID: T1571
• Minimum Log Source Requirement: Proxy Server
• Query:

norm_id=*Proxy* source_address=* destination_address=* destination_port IN COMMON_PORTS | process ti(destination_address)| rename et_category as ti_category | process eval("attack_class='Command and Control'")| process eval("technique='Commonly Used Port'") | search ti_category="*Command and Control*"

2.362 LP_Mitre Credential Access Using Credentials from Web Browsers Detected

• Trigger Condition: A process named *wsus.exe accesses a file under a Firefox or Chrome path, where the browsers keep their stored credentials.
• ATT&CK Category: Credential Access
• ATT&CK Tag: Credentials from Password Stores, Credentials from Web Browsers
• ATT&CK ID: T1555, T1555.003
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label=Object label=Access label=File "process"="*wsus.exe" (path="*firefox*" OR path="*chrome*") -user IN EXCLUDED_USERS | process eval("attack_class='Credential Access'")| process eval("technique='Credentials from Web Browsers'") | chart count() by user, domain, host, log_ts, path, file, attack_class, technique order by count() desc limit 10

2.363 LP_Mitre Credential Access Using Credentials in File Detected

• Trigger Condition: A process is created with the credential-harvesting tool LaZagne on its command line.
• ATT&CK Category: Credential Access
• ATT&CK Tag: Credentials in Files
• ATT&CK ID: T1552, T1552.001
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create (commandline="*laZagne*.exe*" OR command="*laZagne*.exe*") -user IN EXCLUDED_USERS | process eval("attack_class='Credential Access'")| process eval("technique='Credentials in File'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.364 LP_Mitre Defense Evasion Using Decode Files or Information Detected

• Trigger Condition: certutil.exe appears on a process command line; its -decode and -urlcache switches are commonly abused to decode or download payloads.
• ATT&CK Category: Defense Evasion
• ATT&CK Tag: Deobfuscate/Decode Files or Information
• ATT&CK ID: T1140
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create (command="*certutil.exe*" OR commandline="*certutil.exe*") -user IN EXCLUDED_USERS| process eval("attack_class='Defense Evasion'")| process eval("technique='Deobfuscate/Decode Files or Information'")| rename commandline as command

2.365 LP_Mitre Defense Evasion Using File Deletion Detected

• Trigger Condition: An .exe or .bat file is deleted (an object-access event with delete access on the file).
• ATT&CK Category: Defense Evasion
• ATT&CK Tag: Data Destruction, Indicator Removal on Host, File Deletion
• ATT&CK ID: T1485, T1070, T1070.004
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label=Object label=Access access="*delete*" (relative_target="*.exe" OR relative_target="*.bat") -user IN EXCLUDED_USERS | process eval("attack_class='Defense Evasion'")| process eval("technique='File Deletion'") | rename relative_target as file

2.366 LP_Mitre Discovery Using Account Discovery Detected

• Trigger Condition: dsquery is executed, an Account Discovery technique.
• ATT&CK Category: Discovery
• ATT&CK Tag: Account Discovery
• ATT&CK ID: T1087
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create (commandline="*dsquery*" OR command="*dsquery*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Account Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.367 LP_Mitre Discovery Using File and Directory Discovery Detected

• Trigger Condition: A cmd.exe dir command or tree.com is executed (command lines that include findstr are excluded), a File and Directory Discovery technique.
• ATT&CK Category: Discovery
• ATT&CK Tag: File and Directory Discovery
• ATT&CK ID: T1083
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create -commandline="*findstr*" (commandline="*cmd.exe*dir *" OR commandline="*tree.com*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='File and Directory Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.368 LP_Mitre Discovery Using Network Service Scanning Detected

• Trigger Condition: nmap, RpcPing.exe or telnet.exe is executed, a Network Service Scanning technique.
• ATT&CK Category: Discovery
• ATT&CK Tag: Network Service Scanning
• ATT&CK ID: T1046
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create (commandline="*nmap*" OR commandline="*RpcPing.exe*" OR commandline="*telnet.exe*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Network Service Scanning'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.369 LP_Mitre Discovery Using Network Sniffing Detected

• Trigger Condition: tshark.exe is executed, a Network Sniffing technique.
• ATT&CK Category: Credential Access
• ATT&CK Tag: Network Sniffing
• ATT&CK ID: T1040
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create commandline="*tshark.exe*" -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Network Sniffing'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.370 LP_Mitre Discovery Using Password Policy Discovery Detected

• Trigger Condition: net accounts is executed, a Password Policy Discovery technique.
• ATT&CK Category: Discovery
• ATT&CK Tag: Password Policy Discovery
• ATT&CK ID: T1201
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create commandline="*net.exe* accounts*" -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Password Policy Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.371 LP_Mitre Discovery Using Permission Groups Discovery Detected

• Trigger Condition: net group, net localgroup or a Get-*LocalGroup* PowerShell cmdlet is executed, a Permission Groups Discovery technique.
• ATT&CK Category: Discovery
• ATT&CK Tag: Permission Groups Discovery
• ATT&CK ID: T1069
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create (command="*net*localgroup*" OR command="*net*group*" OR command="*get*localgroup*" OR commandline="*net*localgroup*" OR commandline="*net*group*" OR commandline="*get*localgroup*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Permission Groups Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.372 LP_Mitre Discovery Using Query Registry Detected

• Trigger Condition: reg query is executed, a Query Registry technique.
• ATT&CK Category: Discovery
• ATT&CK Tag: Query Registry
• ATT&CK ID: T1012
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create commandline="*reg query*" -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Query Registry'")| rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.373 LP_Mitre Discovery Using Security Software Discovery Detected

• Trigger Condition: findstr.exe is used to search for the names of security products (virus, cylance, defender, cb), a Software Discovery and Security Software Discovery technique.
• ATT&CK Category: Discovery
• ATT&CK Tag: Software Discovery, Security Software Discovery
• ATT&CK ID: T1518, T1518.001
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create (commandline="*findstr.exe*virus" OR commandline="*findstr.exe*cylance" OR commandline="*findstr.exe*defender" OR commandline="*findstr.exe*cb") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='Security Software Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.374 LP_Mitre Discovery Using System Information Discovery Detected

• Trigger Condition: net config is executed, a System Information Discovery technique.
• ATT&CK Category: Discovery
• ATT&CK Tag: System Information Discovery
• ATT&CK ID: T1082
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create commandline="*net.exe*config*" -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Information Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.375 LP_Mitre Discovery Using System Network Configuration Discovery Detected

• Trigger Condition: ipconfig, route, arp, nbtstat, netsh advfirewall, netsh interface show or net config is executed, a System Network Configuration Discovery technique.
• ATT&CK Category: Discovery
• ATT&CK Tag: System Network Configuration Discovery
• ATT&CK ID: T1016
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create (commandline="*ipconfig.exe*" OR commandline="*route.exe*" OR commandline="*netsh advfirewall*" OR commandline="*arp.exe*" OR commandline="*nbtstat.exe*" OR commandline="*netsh.exe*interface show" OR commandline="*net*config") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Network Configuration Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.376 LP_Mitre Discovery Using System Owner or User Discovery Detected

• Trigger Condition: whoami, quser or wmic useraccount get is executed, a System Owner/User Discovery technique.
• ATT&CK Category: Discovery
• ATT&CK Tag: System Owner/User Discovery
• ATT&CK ID: T1033
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create (commandline="*whoami*" OR commandline="*quser*" OR commandline="*wmic.exe*useraccount get*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Owner/User Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.377 LP_Mitre Discovery Using System Service Discovery Detected

• Trigger Condition: net start or tasklist is executed, a System Service Discovery technique.
• ATT&CK Category: Discovery
• ATT&CK Tag: System Service Discovery
• ATT&CK ID: T1007
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer label="Process" label=Create (commandline="*net.exe*start*" OR commandline="*tasklist.exe*") -user IN EXCLUDED_USERS | process eval("attack_class='Discovery'")| process eval("technique='System Service Discovery'") | rename commandline as command | chart count() by user, host, domain, log_ts, command, attack_class, technique order by count() desc limit 10

2.378 LP_Mitre Exfiltration Over Alternative Protocol Detected

• Trigger Condition: A proxy-logged connection to an address on the CLOUD_APPLICATION_IP list is detected, a possible exfiltration channel separate from the command-and-control protocol.
• ATT&CK Category: Exfiltration
• ATT&CK Tag: Exfiltration Over Alternative Protocol
• ATT&CK ID: T1048
• Minimum Log Source Requirement: Proxy Server
• Query:

norm_id=*Proxy* source_address=* destination_address=* destination_address IN CLOUD_APPLICATION_IP | process eval("attack_class='Exfiltration'")| process eval("technique='Exfiltration Over Alternative Protocol'")

2.379 LP_Mitre Lateral Movement Using Remote Services Detected

• Trigger Condition: A service named remotesvc with start type auto start is installed (event ID 7045), a Remote Services lateral-movement technique.
• ATT&CK Category: Lateral Movement
• ATT&CK Tag: Exploitation of Remote Services
• ATT&CK ID: T1210
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer event_id=7045 start_type="auto start" service="remotesvc" -user IN EXCLUDED_USERS | process eval("attack_class='Lateral Movement'")| process eval("technique='Remote Services'") | chart count() by user, image, log_ts, service, service_type, attack_class, technique order by count() desc limit 10

2.380 LP_Mitre Persistence Attack through Accessibility Process Feature

• Trigger Condition: A process in PERSISTENCE_ACCESSIBILITY_PROCESS is created or appears as a parent, or a registry object in PERSISTENCE_ACCESSIBILITY_OBJECT is touched. These are the operating system's accessibility features, which adversaries abuse to obtain a command prompt or backdoor without logging in.
• ATT&CK Category: Persistence
• ATT&CK Tag: Event Triggered Execution, Accessibility Features
• ATT&CK ID: T1546, T1546.008
• Minimum Log Source Requirement: Windows
• Query:

(label="Process" label=Create "process" IN PERSISTENCE_ACCESSIBILITY_PROCESS) OR (parent_image IN PERSISTENCE_ACCESSIBILITY_PROCESS) OR (target_object IN PERSISTENCE_ACCESSIBILITY_OBJECT) -user IN EXCLUDED_USERS

2.381 LP_Mitre Persistence Attack through AppInit DLLs

• Trigger Condition: The AppInit_DLLs or LoadAppInit_DLLs registry value is modified. DLLs listed there are loaded into every process that loads user32.dll, which makes the value a persistence mechanism.
• ATT&CK Category: Persistence
• ATT&CK Tag: Event Triggered Execution, AppInit DLLs
• ATT&CK ID: T1546, T1546.010
• Minimum Log Source Requirement: Windows Sysmon
• Query:

(target_object="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" OR target_object="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs")

2.382 LP_Mitre Persistence Using Account Creation Detected

• Trigger Condition: Creation of an account via net user /add (a process creation whose command line matches net ... /add /y) is detected.


• ATT&CK Category: Persistence

• ATT&CK Tag: Create Account

• ATT&CK ID: T1136

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label="Process" label=Create commandline="*net*/add /y" -user IN EXCLUDED_USERS | process eval("attack_class='Persistence'")| process eval("technique='Create Account'") | rename commandline as command

2.383 LP_Mitre Persistence Using Account Manipulation Detected

• Trigger Condition: Addition of an account to a local group via net.exe localgroup ... /add is detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: Account Manipulation

• ATT&CK ID: T1098

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label="Process" label=Create commandline="*net.exe*localgroup*/add" -user IN EXCLUDED_USERS | process eval("attack_class='Persistence'")| process eval("technique='Account Manipulation'") | rename commandline as command

2.384 LP_Mitre Persistence via Winlogon Helper DLL Detected

• Trigger Condition: Modification of a Winlogon registry value under Windows NT\CurrentVersion (Windows event 4657) is detected.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Boot or Logon Autostart Execution, Winlogon Helper DLL

• ATT&CK ID: T1547, T1547.004

• Minimum Log Source Requirement: Windows


• Query:

norm_id=WinServer event_id=4657 object=Winlogon event_category=Registry path="*Windows NT\CurrentVersion*" new_value=* -user IN EXCLUDED_USERS

2.385 LP_Mitre Possible Privilege Escalation using Application Shimming
• Trigger Condition: Installation or registration of shim databases to escalate
privilege in an environment is detected.
• ATT&CK Category: Privilege Escalation
• ATT&CK Tag: Event Triggered Execution, Application Shimming
• ATT&CK ID: T1546, T1546.011
• Minimum Log Source Requirement: Windows
• Query:

('process'=*sdbinst.exe OR image=*sdbinst.exe OR target_object IN APPLICATION_SHIM_OBJECTS) | rename 'process' as image

2.386 LP_Mitre Privilege Escalation Using Bypass User Access Control Detected
• Trigger Condition: Privilege escalation by abusing an elevation control mechanism to bypass User Account Control is detected: execution of eventvwr.exe or wscript.exe, or a process created with a TokenElevationTypeLimited token.
• ATT&CK Category: Privilege Escalation
• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control
• ATT&CK ID: T1548, T1548.002
• Minimum Log Source Requirement: Windows Sysmon
• Query:

(norm_id=WindowsSysmon OR (commandline=* norm_id=WinServer)) label="Process" label=Create (command="*eventvwr.exe*" OR commandline="*eventvwr.exe*" OR command="*wscript.exe*" OR commandline="*wscript.exe*" OR token_elevation_type="TokenElevationTypeLimited*") -user IN EXCLUDED_USERS | process eval("attack_class='Privilege Escalation'")| process eval("technique='Bypass User Access Control'") | rename commandline as command



2.387 LP_MMC Spawning Windows Shell Detected


• Trigger Condition: A Windows command-line executable or script interpreter spawned by mmc.exe is detected.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Command and Scripting Interpreter, Indirect Command Execution

• ATT&CK ID: T1059, T1202

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\mmc.exe" image IN ["*\cmd.exe


,→", "*\powershell.exe", "*\wscript.exe", "*\cscript.exe", "*\sh.exe", "*\bash.exe", "*\reg.

,→exe", "*\regsvr32.exe", "*\BITSADMIN*"] -user IN EXCLUDED_USERS

2.388 LP_Most Exploitable Vulnerabilities Detected


• Trigger Condition: Vulnerability-scanner findings whose CVE ID is in the list MOST_EXPLOITABLE_CVE are detected (the list originally covered the most exploited vulnerabilities of 2015). For this alert to work, MOST_EXPLOITABLE_CVE must be populated with the CVE IDs to watch for.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning, Software Discovery, Security Software Discovery

• ATT&CK ID: T1046, T1518, T1518.001

• Minimum Log Source Requirement: Vulnerability Management

• Query:

norm_id=VulnerabilityManagement cve_id IN MOST_EXPLOITABLE_CVE


2.389 LP_MS Office Product Spawning Exe in User Dir


• Trigger Condition: Microsoft Word, Excel, PowerPoint, Publisher, Visio or Outlook spawns an executable located under C:\Users.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Command and Scripting Interpreter, Indirect Command Execution

• ATT&CK ID: T1059, T1202

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.exe", "*\MSPUB.exe", "*\VISIO.exe", "*\OUTLOOK.EXE"] image IN ["C:\users\*.exe"] -user IN EXCLUDED_USERS

2.390 LP_MSHTA - File Access Detected


• Trigger Condition: Creation of a file with the .hta extension is detected (Sysmon event 11 or 15). Adversaries abuse mshta.exe to proxy execution of malicious .hta files, and of JavaScript or VBScript, through a trusted Windows utility.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Mshta

• ATT&CK ID: T1218, T1218.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=11 or event_id=15) file="*.hta*" -user IN EXCLUDED_USERS

2.391 LP_MSHTA - Activity Detected


• Trigger Condition: A network connection (Sysmon event 3) initiated by mshta.exe, or by a process whose parent is mshta.exe, is detected. Adversaries abuse mshta.exe to proxy execution of malicious .hta files, and of JavaScript or VBScript, through a trusted Windows utility.


• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Mshta

• ATT&CK ID: T1218, T1218.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=3 (command="*mshta.exe" or parent_command="*mshta.exe") -user IN EXCLUDED_USERS

2.392 LP_Mshta JavaScript Execution Detected


• Trigger Condition: mshta.exe executed with a javascript: argument on its command line is detected.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Mshta

• ATT&CK ID: T1218, T1218.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\mshta.exe" command="*javascript*" -user IN EXCLUDED_USERS

2.393 LP_MSHTA Spawning Windows Shell Detected


• Trigger Condition: A Windows command-line executable or script interpreter spawned by mshta.exe is detected.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Mshta

• ATT&CK ID: T1218, T1218.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 parent_image="*\mshta.exe" image IN ["*\cmd.exe", "*\powershell.exe", "*\wscript.exe", "*\cscript.exe", "*\sh.exe", "*\bash.exe", "*\reg.exe", "*\regsvr32.exe", "*\BITSADMIN*"] -user IN EXCLUDED_USERS

2.394 LP_MSHTA Spawned by SVCHOST Detected


• Trigger Condition: mshta.exe spawned by svchost.exe, the parent-child relationship produced by the LethalHTA technique, is detected.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Mshta

• ATT&CK ID: T1218, T1218.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\svchost.exe" image="*\mshta.exe" -user IN EXCLUDED_USERS

2.395 LP_MSHTA Suspicious Execution Detected


• Trigger Condition: Suspicious mshta.exe execution patterns are detected, such as running VBScript, or an HTA payload hidden in a file with an image, shortcut, document or archive extension (file polyglotism).

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Deobfuscate/Decode Files or Information

• ATT&CK ID: T1140

• Minimum Log Source Requirement: Windows Sysmon

• Query:

event_id=1 image="*\mshta.exe" command IN ["*vbscript*", "*.jpg*", "*.png*", "*.lnk*", "*.xls*", "*.doc*", "*.zip*"] -user IN EXCLUDED_USERS


2.396 LP_MsiExec Web Install Detected


• Trigger Condition: msiexec is started with a URL as a parameter, installing a package fetched from the web.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Msiexec

• ATT&CK ID: T1218, T1218.007

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command="* msiexec*://*" -user IN EXCLUDED_USERS

2.397 LP_MSTSC Shadowing Detected


• Trigger Condition: Hijacking of a Remote Desktop Protocol (RDP) session through Microsoft Terminal Services Client (mstsc.exe) shadowing with the noConsentPrompt switch is detected.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Service Session Hijacking, RDP Hijacking

• ATT&CK ID: T1563, T1563.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Create label="Process" command="*noconsentprompt*" command="*shadow:*" -user IN EXCLUDED_USERS

2.398 LP_Multiple Failed Login Followed by Successful Login Followed by Logoff
• Trigger Condition: Multiple failed login attempts by a user, followed by a successful login and then a logoff by the same user, are detected.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access


• ATT&CK Tag: Valid Accounts, Brute Force

• ATT&CK ID: T1078, T1110

• Minimum Log Source Requirement: Windows

• Query:

[incident_name="Multiple Failed User Login Followed by Successful Login" incident_user=*] as FirstAlert followed by [norm_id=WinServer* label=User label=Logoff user=* -user IN EXCLUDED_USERS] as Logoff on FirstAlert.incident_user=Logoff.user | rename Logoff.user as User, FirstAlert.incident_address as SourceAddress
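The rule above chains an earlier incident (the failure burst followed by a success) to a later logoff by the same user. The Python below is an added illustration of that three-stage sequence and is not part of the LogPoint rule set: it replays constructed 4625 (failure), 4624 (success) and 4634 (logoff) records in time order and emits one incident per user when the stages line up. The failure threshold of three, the ten-minute window, and the join on the user field alone are assumptions of this example; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalized Windows Security events: 4625 failure, 4624 success, 4634 logoff.
# mallory: four failures, a success, a logoff   -> the full sequence
# bob:     one failure, a success, a logoff     -> below the failure threshold
# carol:   three failures, a success, no logoff -> sequence not complete yet
SAMPLE_LOGONS = [
    {"ts": "2023-05-11T09:00:00", "event_id": 4625, "user": "mallory", "source_address": "203.0.113.5"},
    {"ts": "2023-05-11T09:00:20", "event_id": 4625, "user": "mallory", "source_address": "203.0.113.5"},
    {"ts": "2023-05-11T09:00:40", "event_id": 4625, "user": "mallory", "source_address": "203.0.113.5"},
    {"ts": "2023-05-11T09:01:00", "event_id": 4625, "user": "mallory", "source_address": "203.0.113.5"},
    {"ts": "2023-05-11T09:01:30", "event_id": 4624, "user": "mallory", "source_address": "203.0.113.5"},
    {"ts": "2023-05-11T09:02:10", "event_id": 4634, "user": "mallory", "source_address": "203.0.113.5"},
    {"ts": "2023-05-11T09:05:00", "event_id": 4625, "user": "bob", "source_address": "10.0.0.4"},
    {"ts": "2023-05-11T09:05:10", "event_id": 4624, "user": "bob", "source_address": "10.0.0.4"},
    {"ts": "2023-05-11T09:20:00", "event_id": 4634, "user": "bob", "source_address": "10.0.0.4"},
    {"ts": "2023-05-11T09:30:00", "event_id": 4625, "user": "carol", "source_address": "10.0.0.8"},
    {"ts": "2023-05-11T09:30:05", "event_id": 4625, "user": "carol", "source_address": "10.0.0.8"},
    {"ts": "2023-05-11T09:30:10", "event_id": 4625, "user": "carol", "source_address": "10.0.0.8"},
    {"ts": "2023-05-11T09:30:30", "event_id": 4624, "user": "carol", "source_address": "10.0.0.8"},
]

FAIL_THRESHOLD = 3            # assumed: failures that make the following success suspicious
WINDOW = timedelta(minutes=10)  # assumed: failures older than this no longer count


def correlate(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Replay events in time order and pair failure burst -> success -> logoff per user.

    Returns the completed incidents and the users whose success is still waiting for a logoff.
    """
    failures = defaultdict(list)  # user -> timestamps of recent 4625s
    pending = {}                  # user -> incident that has a success but no logoff yet
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user, t = e["user"], datetime.fromisoformat(e["ts"])
        if e["event_id"] == 4625:
            failures[user] = [f for f in failures[user] if t - f <= window] + [t]
        elif e["event_id"] == 4624:
            recent = [f for f in failures[user] if t - f <= window]
            if len(recent) >= threshold:
                pending[user] = {
                    "user": user,
                    "source_address": e.get("source_address"),
                    "failures": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success_ts": e["ts"],
                }
            failures[user] = []   # a success ends the failure burst either way
        elif e["event_id"] == 4634:
            incident = pending.pop(user, None)
            if incident is not None:
                incident["logoff_ts"] = e["ts"]
                alerts.append(incident)
    return {"alerts": alerts, "awaiting_logoff": sorted(pending)}


if __name__ == "__main__":
    result = correlate(SAMPLE_LOGONS)
    for a in result["alerts"]:
        print(f"{a['user']} from {a['source_address']}: {a['failures']} failures, "
              f"success {a['success_ts']}, logoff {a['logoff_ts']}")
    print("awaiting logoff:", result["awaiting_logoff"])
```

Joining on the user field only, as the page's rule does, means a logoff from a different session of the same account completes the sequence; adding the logon ID (the 4624/4634 TargetLogonId) to the join tightens it when that field is available.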

2.399 LP_Mustang Panda Dropper Detected


• Trigger Condition: Specific process parameters used by Mustang Panda droppers
are detected.

• ATT&CK Category: Resource Development, Defense Evasion

• ATT&CK Tag: Exploitation for Defense Evasion, Malware

• ATT&CK ID: T1211, T1587.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Create label="Process" ((command in ["*Temp\wtask.exe /create*", "*%windir:~-3,1%%PUBLIC:~-9,1%*", "*/tn *Security Script*", "*%windir:~-1,1%*"] command ="*/E:vbscript*:\Users*.txt*/F*") OR ("process"="*\Temp\winwsh.exe"))

2.400 LP_Named Pipe added to Null Session Detected


• Trigger Condition: An attempt to enable null-session access to a named pipe, by writing the lanmanserver NullSessionPipes registry value with reg.exe, is detected. This is a lateral movement enabler.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Services

• ATT&CK ID: T1021

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=13 image="*reg.exe" target_object="*lanmanserver*NullSessionPipes" detail="Binary Data" -user IN EXCLUDED_USERS

2.401 LP_Narrators Feedback-Hub Persistence Detected


• Trigger Condition: Abusing Windows 10 Narrator’s Feedback-Hub is detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder

• ATT&CK ID: T1547, T1547.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(event_id=12 event_type="DeleteValue" target_object="*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute") OR (event_id=13 target_object="*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)")

2.402 LP_Nefilim Ransomware Infected Host Detected


• Trigger Condition: Nefilim double extortion ransomware-infected host is
detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Data Encrypted for Impact

• ATT&CK ID: T1486

• Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

• Query:

host=* hash=* hash IN NEFILIM_RANSOMWARE_HASHES


2.403 LP_Net exe Execution Detected


• Trigger Condition: The execution of Net.exe, which can be suspicious or benign,
is detected.

• ATT&CK Category: Lateral Movement, Discovery, Defense Evasion

• ATT&CK Tag: Obfuscated Files or Information, System Network Connections Discovery, Remote Services, Network Share Discovery

• ATT&CK ID: T1027, T1049, T1021, T1135

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image IN ["*\net.exe", "*\net1.exe"] command IN ["* group*", "* localgroup*", "* user*", "* view*", "* share", "* accounts*", "* use*", "* stop *"] -user IN EXCLUDED_USERS

2.404 LP_Net exe User Account Creation


• Trigger Condition: The creation of local users via the net.exe command is
detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: Create Account

• ATT&CK ID: T1136

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image IN ["*\net.exe", "*\net1.exe"] command="*user*" command="*add*" -user IN EXCLUDED_USERS

2.405 LP_NetNTLM Downgrade Attack Detected


• Trigger Condition: Post-exploitation NetNTLM downgrade activity is detected: a write to the LmCompatibilityLevel, NtlmMinClientSec or RestrictSendingNTLMTraffic value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. NetNTLM is a proprietary challenge-response authentication protocol used by Microsoft Windows. Adversaries may use a downgrade attack to force the use of a weaker version of the protocol, allowing them to intercept and crack the password hashes used for authentication and so gain unauthorized access to the system.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Disable or Modify Tools, Modify Registry

• ATT&CK ID: T1562, T1562.001, T1112

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

(event_id=13 target_object IN ["*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel", "*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec", "*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic"]) OR (norm_id=WinServer event_id=4657 object_name="\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa" object_value IN ["LmCompatibilityLevel", "NtlmMinClientSec", "RestrictSendingNTLMTraffic"]) -user IN EXCLUDED_USERS
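The rule above fires on every write to these three values, including the hardening writes Group Policy makes. The Python below is an added illustration, not part of the LogPoint rule set: it decodes the Sysmon event 13 Details field (rendered as DWORD (0x........) for DWORD values), interprets the value with the documented meanings of LmCompatibilityLevel, the NtlmMinClientSec flag bits and RestrictSendingNTLMTraffic, and reports only writes that weaken the setting. The baseline it compares against (LmCompatibilityLevel at least 3, NTLMv2 session security required, outgoing NTLM not fully allowed) is an assumption of this example, and the sample events are constructed.

```python
import re

# Constructed Sysmon event 13 (registry value set) records, shaped like the
# normalized fields the rule matches on. Not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel",
     "detail": "DWORD (0x00000002)"},
    {"event_id": 13, "image": r"C:\Users\Public\tool.exe",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NtlmMinClientSec",
     "detail": "DWORD (0x00000000)"},
    {"event_id": 13, "image": r"C:\Windows\System32\gpupdate.exe",
     "target_object": r"HKLM\SYSTEM\ControlSet001\Control\Lsa\LmCompatibilityLevel",
     "detail": "DWORD (0x00000005)"},
    {"event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictSendingNTLMTraffic",
     "detail": "DWORD (0x00000000)"},
]

# Matches the value name under ...\SYSTEM\<CurrentControlSet|ControlSetNNN>\Control\Lsa\
LSA_VALUE = re.compile(r"\\SYSTEM\\(?:Current)?ControlSet\d*\\Control\\Lsa\\([^\\]+)$", re.IGNORECASE)
DWORD = re.compile(r"DWORD \((0x[0-9A-Fa-f]{8})\)")

# Documented flag bits of NtlmMinClientSec / NtlmMinServerSec.
NTLMSSP_NEGOTIATE_NTLM2 = 0x20000000  # require NTLMv2 session security
NTLMSSP_NEGOTIATE_128 = 0x80000000    # require 128-bit encryption

# Documented client-side meaning of each LmCompatibilityLevel.
LMCOMPAT = {
    0: "send LM & NTLM responses",
    1: "send LM & NTLM, use NTLMv2 session security if negotiated",
    2: "send NTLM response only",
    3: "send NTLMv2 response only",
    4: "send NTLMv2 only, refuse LM",
    5: "send NTLMv2 only, refuse LM & NTLM",
}
RESTRICT = {0: "allow all", 1: "audit all", 2: "deny all"}


def parse_dword(detail):
    """Return the integer from a Sysmon 'DWORD (0x%08x)' Details string, or None."""
    m = DWORD.search(detail)
    return int(m.group(1), 16) if m else None


def classify(event):
    """None if the event is not a write to one of the three NTLM values, else a verdict dict."""
    if event.get("event_id") != 13:
        return None
    m = LSA_VALUE.search(event.get("target_object", ""))
    value = parse_dword(event.get("detail", ""))
    if not m or value is None:
        return None
    name = m.group(1)
    key = name.lower()
    if key == "lmcompatibilitylevel":
        # Assumed baseline: level 3 or higher. Below it, LM/NTLMv1 responses go on the wire.
        weak = value < 3
        reason = f"LmCompatibilityLevel={value}: {LMCOMPAT.get(value, 'unknown level')}"
    elif key == "ntlmminclientsec":
        weak = not (value & NTLMSSP_NEGOTIATE_NTLM2)
        state = "no longer" if weak else "still"
        reason = f"NtlmMinClientSec=0x{value:08x}: NTLMv2 session security {state} required"
    elif key == "restrictsendingntlmtraffic":
        weak = value == 0
        reason = f"RestrictSendingNTLMTraffic={value}: {RESTRICT.get(value, 'unknown')}"
    else:
        return None
    return {"value_name": name, "value": value, "image": event.get("image"),
            "verdict": "downgrade" if weak else "hardening", "reason": reason}


def downgrades(events):
    """The subset of events that weaken an NTLM setting, i.e. the ones worth paging on."""
    return [v for v in map(classify, events) if v and v["verdict"] == "downgrade"]


if __name__ == "__main__":
    for v in downgrades(SAMPLE_EVENTS):
        print(f"{v['verdict']:<10} {v['image']:<40} {v['reason']}")
```

The third sample, a gpupdate.exe write setting the level to 5, is classified as hardening and dropped; the rule on the page would raise it with the same priority as the reg.exe write that lowers the level to 2.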

2.406 LP_Firewall Addition via Netsh Detected


• Trigger Condition: A rule allowing a connection by port or program is added to the Windows firewall with the legacy netsh firewall add command. The pattern matches only that legacy context; rules added with netsh advfirewall firewall add rule are not matched by this rule.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Disable or Modify System Firewall

• ATT&CK ID: T1562, T1562.004

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*netsh firewall add*"] -user IN EXCLUDED_USERS

2.407 LP_Netsh Helper DLL - Process Detected


• Trigger Condition: netsh.exe executed with a helper argument, which registers a helper DLL, is detected. Adversaries use netsh helper DLLs to execute arbitrary code persistently. Netsh.exe is a command-line scripting utility for interacting with the network configuration of a system.


• ATT&CK Category: Persistence

• ATT&CK Tag: Event Triggered Execution, Netsh Helper DLL

• ATT&CK ID: T1546, T1546.007

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*netsh.exe" command="*helper*") -user IN EXCLUDED_USERS

2.408 LP_Netsh Helper DLL - Registry Detected


• Trigger Condition: A registry key or value event under HKLM\SOFTWARE\Microsoft\Netsh is detected. HKLM\SOFTWARE\Microsoft\Netsh is the path where netsh.exe helper DLLs are registered.

• ATT&CK Category: Persistence

• ATT&CK Tag: Event Triggered Execution, Netsh Helper DLL

• ATT&CK ID: T1546, T1546.007

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) target_object="*\SOFTWARE\Microsoft\Netsh\*" -user IN EXCLUDED_USERS

2.409 LP_Netsh Port Forwarding Detected


• Trigger Condition: The netsh command used in the configuration of port
forwarding is detected. Port forwarding is a pivoting technique that redirects traffic
from one port to another.

• ATT&CK Category: Lateral Movement, Command and Control

• ATT&CK Tag: Proxy, Exploitation of Remote Services

• ATT&CK ID: T1090, T1210

• Minimum Log Source Requirement: Windows Sysmon, Windows


• Query:

label="create" label="process" "process"="*\netsh.exe" command in ["*interface portproxy add v4tov4 *", "*i p a v*"] -user IN EXCLUDED_USERS

2.410 LP_Netsh RDP Port Forwarding Detected


• Trigger Condition: The netsh command used in the configuration of port
forwarding of port 3389 for RDP is detected.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Services

• ATT&CK ID: T1021

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["netsh i* p*=3389 c*"] -user IN EXCLUDED_USERS

2.411 LP_Network Share Connection Removed


• Trigger Condition: The removal of a share connection is detected. Adversaries
remove share connections that are no longer useful to clean traces of their
operation.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Indicator Removal on Host, Network Share Connection Removal

• ATT&CK ID: T1070, T1070.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*net.exe" command="*net*" command="*delete*") or command="*Remove-SmbShare*" or command="*Remove-FileShare*" -user IN EXCLUDED_USERS


2.412 LP_Network Share Discovery


• Trigger Condition: The net utility is used to query a system for available shares with the net view or net share command (or Get-SmbShare in PowerShell). Adversaries look for folders and drives shared on remote systems to identify sources of information to collect and potential systems of interest for lateral movement.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Share Discovery

• ATT&CK ID: T1135

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*net.exe" (command="*net view*" or command="*net share*")) or command="*get-smbshare -Name*" -user IN EXCLUDED_USERS

2.413 LP_Network Sniffing Detected


• Trigger Condition: When the execution of network sniffing tools is detected.
Adversaries may use network sniffing to intercept sensitive information, such as
passwords or confidential data, as it is transmitted over the network. They may
also use sniffing to gain visibility into network traffic and identify vulnerabilities or
weaknesses.

• ATT&CK Category: Credential Access, Discovery

• ATT&CK Tag: Network Sniffing

• ATT&CK ID: T1040

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*tshark.exe" or image="*windump.exe" or image="*logman.exe" or image="*tcpdump.exe" or image="*wprui.exe" or image="*wpr.exe") -user IN EXCLUDED_USERS


2.414 LP_New Driver File Creation Detected


• Trigger Condition: Creation of a new file under a Drivers directory below C:\Windows (Sysmon event 11) is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Shared Modules

• ATT&CK ID: T1129

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 path="C:\Windows*Drivers*" -user IN EXCLUDED_USERS

2.415 LP_New Firewall Port Opening Detected


• Trigger Condition: A new Windows firewall rule is written to the FirewallRules registry key (Windows event 4657). The rule's action, state, direction, protocol, port and name are parsed from the value, and the protocol number is mapped to TCP or UDP.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Non-Standard Port

• ATT&CK ID: T1571

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4657 object=FirewallRules event_category=Registry object_name="*ControlSet*FirewallPolicy\FirewallRules" new_value=* -user IN EXCLUDED_USERS | norm on new_value <:all>Action=<action:word><:all>Active=<active:word><:all>Dir=<direction:word><:all>Protocol=<proto:int><:all>Port=<port:int><:all>Name=<rule:string><:'\|'> | process eval("protocol = if(proto == 6) {return 'TCP'} else {return 'UDP'}")
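The norm on pattern above pulls the rule fields out of the pipe-delimited FirewallRules value, and its else branch labels every protocol other than 6 as UDP, so an ICMP allow rule would be reported as UDP. The Python below is an added illustration and not part of the LogPoint rule set: it parses the same value format (vN.N|Action=...|Active=...|Dir=...|Protocol=...|LPort=...|Name=...|), keeps keys that repeat such as Profile, maps the IP protocol number to a name or leaves it as a number, and reports only enabled inbound allow rules. The rule names and value strings are constructed for this example.

```python
# Protocol numbers commonly seen in Windows firewall rules; anything else is kept as a
# number rather than being collapsed into "UDP".
PROTOCOL_NAMES = {1: "ICMPv4", 6: "TCP", 17: "UDP", 58: "ICMPv6"}

# Constructed FirewallRules values (value name -> data), in the pipe-delimited format
# Windows uses under ...\FirewallPolicy\FirewallRules.
SAMPLE_RULES = {
    "{3f0e1d2a-0001}": (
        "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private"
        "|LPort=4444|App=C:\\Users\\Public\\svc.exe|Name=Updater|Desc=Updater inbound|"
    ),
    "{3f0e1d2a-0002}": "v2.31|Action=Block|Active=TRUE|Dir=Out|Protocol=17|RPort=53|Name=Block DNS|",
    "{3f0e1d2a-0003}": "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=1|Name=ICMP echo|",
    "{3f0e1d2a-0004}": "v2.31|Action=Allow|Active=FALSE|Dir=In|Protocol=6|LPort=3389|Name=RDP (disabled)|",
}


def parse_firewall_rule(value):
    """Parse one FirewallRules value into a dict; keys that repeat become lists."""
    fields = [f for f in value.split("|") if f]
    if not fields or not fields[0].startswith("v"):
        raise ValueError("not a FirewallRules value: %r" % value[:40])
    rule = {"version": fields[0]}
    for field in fields[1:]:
        key, _, val = field.partition("=")
        if key in rule:
            rule[key] = rule[key] + [val] if isinstance(rule[key], list) else [rule[key], val]
        else:
            rule[key] = val
    proto = rule.get("Protocol")
    if proto is not None and proto.isdigit():
        rule["protocol_name"] = PROTOCOL_NAMES.get(int(proto), "IP proto %s" % proto)
    return rule


def is_inbound_allow(rule):
    """The case worth alerting on: an enabled rule that permits inbound traffic."""
    return rule.get("Action") == "Allow" and rule.get("Active") == "TRUE" and rule.get("Dir") == "In"


def summarize(rule):
    """One-line description, distinguishing local (LPort) from remote (RPort) ports."""
    port = rule.get("LPort") or rule.get("RPort") or "any"
    return "%s %s %s/%s name=%s" % (rule.get("Action"), rule.get("Dir"),
                                    rule.get("protocol_name", "any"), port, rule.get("Name"))


def inbound_allow_rules(values):
    """Value name -> summary for every enabled inbound allow rule among `values`."""
    out = {}
    for name, value in values.items():
        rule = parse_firewall_rule(value)
        if is_inbound_allow(rule):
            out[name] = summarize(rule)
    return out


if __name__ == "__main__":
    for name, line in inbound_allow_rules(SAMPLE_RULES).items():
        print(name, line)
```

The page's pattern Port=<port:int> also matches the first of LPort= or RPort=, so for an outbound rule the extracted port may be the remote port; the parser above keeps the two apart.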

2.416 LP_New RUN Key Pointing to Suspicious Folder Detected
• Trigger Condition: A new suspicious RUN key element pointing to an executable
in a folder is detected.


• ATT&CK Category: Persistence

• ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder

• ATT&CK ID: T1547, T1547.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

event_id=13 target_object IN ["*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*", "*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*"] detail IN ["*C:\Windows\Temp\*", "*\AppData\*", "%AppData%\*", "*C:\$Recycle.bin\*", "*C:\Temp\*", "*C:\Users\Public\*", "%Public%\*", "*C:\Users\Default\*", "*C:\Users\Desktop\*", "wscript*", "cscript*"] -detail IN ["*\AppData\Local\Microsoft\OneDrive\\*"] -user IN EXCLUDED_USERS

2.417 LP_New Service Creation


• Trigger Condition: When the creation of a new service is detected. Windows
Services can allow the creation and management of long-running processes. It
can start automatically and keep running for a long time after the user logs off.
Adversaries might leverage this functionality to maintain persistence and escalate
their privilege.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Create or Modify System Process, Windows Service

• ATT&CK ID: T1543, T1543.003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Create" label="Process" "process" IN ["*sc.exe", "*powershell.exe", "*cmd.exe"] command IN ["*New-Service*BinaryPathName*", "*sc*create*binpath*", "*Get-WmiObject*Win32_Service*create*"] -user IN EXCLUDED_USERS

2.418 LP_Non Interactive PowerShell Execution


• Trigger Condition: Non-interactive PowerShell activity is detected: powershell.exe started by a parent process other than explorer.exe.

• ATT&CK Category: Execution


• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\powershell.exe" -parent_image="*\explorer.exe" -user IN EXCLUDED_USERS

2.419 LP_NoPowerShell Tool Activity Detected


• Trigger Condition: Execution of the NoPowerShell tool is detected, via creation of a .exe.log file by a binary other than the common Windows utilities excluded in the query.

• ATT&CK Category: Execution

• ATT&CK Tag: Shared Modules

• ATT&CK ID: T1129

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 -file in ["*cscript.exe.log", "*wscript.exe.log", "*wmic.exe.log", "*mshta.exe.log", "*svchost.exe.log", "*regsvr32.exe.log", "*rundll32.exe.log"] file="*.exe.log" -user IN EXCLUDED_USERS

2.420 LP_NotPetya Ransomware Activity Detected


• Trigger Condition: NotPetya ransomware activity is detected: the credential-stealing module passes extracted passwords back to the main module through a named pipe (a process started from AppData\Local\Temp with a \.\pipe\ argument), or the main DLL is loaded with rundll32 ... .dat, #1. NotPetya also deletes the file system journal of drive C and clears Windows event logs with wevtutil.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Rundll32, Indicator Removal on Host

• ATT&CK ID: T1218, T1218.011, T1070

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 (command="*\AppData\Local\Temp\* \.\pipe\*" OR (image="*\rundll32.exe" command="*.dat, #1")) -user IN EXCLUDED_USERS

2.421 LP_OceanLotus Registry Activity Detected


• Trigger Condition: Creation of registry keys used by OceanLotus (also known as APT32) is detected.

• ATT&CK Category: Persistence, Defense Evasion

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon

• Query:

event_id=13 target_object IN ["HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model", "HKU\*_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model", "*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application", "*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon", "*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application", "*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon", "*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application", "*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon", "HKU\*_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\*", "HKU\*_Classes\AppX3bbba44c6cae4d9695755183472171e2\*", "HKU\*_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\*"] -user IN EXCLUDED_USERS

2.422 LP_Office365 Multiple Failed Login from Different Host by Single User
• Trigger Condition: Failed logins for a single user from more than one distinct source address are detected.

• ATT&CK Category: Credential Access, Persistence, Defense Evasion, Privilege Escalation, Initial Access

• ATT&CK Tag: Brute Force, Valid Accounts

• ATT&CK ID: T1110, T1078


• Minimum Log Source Requirement: Office365

• Query:

norm_id="Office365" source_address=* label=User label=Login label=Fail | chart distinct_count(source_address) as DC by user | search DC>1

2.423 LP_Office365 Multiple Failed Login from Same Host


• Trigger Condition: More than five failed logins for the same user from the same source address are detected.

• ATT&CK Category: Credential Access, Persistence, Defense Evasion, Privilege Escalation, Initial Access

• ATT&CK Tag: Brute Force, Valid Accounts

• ATT&CK ID: T1110, T1078

• Minimum Log Source Requirement: Office365

• Query:

norm_id="Office365" source_address=* label=User label=Login label=Fail | chart count() as "Cnt" by user, source_address | search Cnt > 5

2.424 LP_Office365 Multiple Successful Login from Different Country by Single User
• Trigger Condition: Successful logins for a single user whose source addresses geolocate to more than one country are detected.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Valid Accounts

• ATT&CK ID: T1078

• Minimum Log Source Requirement: Office365

• Query:


norm_id="Office365" label=User label=login label=Successful source_address=* | process geoip(source_address) as country | chart distinct_count(country) as DC by user | search DC > 1

2.425 LP_Office365 Multiple Successful Login From Different Host by Single User
• Trigger Condition: Successful logins for a single user from more than one distinct source address are detected.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Valid Accounts

• ATT&CK ID: T1078

• Minimum Log Source Requirement: Office365

• Query:

norm_id="Office365" label=User label=login label=Successful source_address=* | chart distinct_count(source_address) as DC by user | search DC > 1

2.426 LP_Office365 Password Resets


• Trigger Condition: A user’s password is reset.

• ATT&CK Category: Persistence

• ATT&CK Tag: Account Manipulation

• ATT&CK ID: T1098

• Minimum Log Source Requirement: Office365

• Query:

norm_id="Office365" label=Password label=Reset user=*


2.427 LP_OpenWith Execution of Specified Binary Detected
• Trigger Condition: OpenWith.exe executed with a /c argument, which makes it launch a specified binary, is detected. The activity is characterized as malicious when OpenWith.exe runs from a location other than C:\Windows\System32\.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\OpenWith.exe" command="*/c*" -user IN EXCLUDED_USERS

2.428 LP_Possible Operation Wocao Activity Detected


• Trigger Condition: Activity mentioned in Operation Wocao report is detected.

• ATT&CK Category: Defense Evasion, Execution, Persistence, Privilege Escalation

• ATT&CK Tag: Exploitation for Defense Evasion, Obfuscated Files or Information, Masquerade Task or Service, Masquerading, Scheduled Task/Job, Scheduled Task

• ATT&CK ID: T1211, T1012, T1036, T1036.004, T1053, T1053.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

((norm_id=WinServer event_id=4799 group="Administrators" "process"="*\checkadmin.exe") OR (norm_id=WindowsSysmon event_id=1 command IN ["*checkadmin.exe 127.0.0.1 -all*", "*netsh advfirewall firewall add rule name=powershell dir=in*", "*cmd /c powershell.exe -ep bypass -file c:\s.ps1*", "*/tn win32times /f*", "*create win32times binPath=*", "*\c$\windows\system32\devmgr.dll*", "* -exec bypass -enc JgAg*", "*type *keepass\KeePass.config.xml*", "*iie.exe iie.txt*", "*reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\\*"])) -user IN EXCLUDED_USERS


2.429 LP_Pandemic Registry Key Detected


• Trigger Condition: The Pandemic Windows implant is detected, by its registry key under services\null\Instance or by its loaddll -a command. Pandemic turns a file server into patient zero on a local network by serving trojanized replacements to machines that request files from it.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote File Copy

• ATT&CK ID: T1105

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(event_id=13 target_object IN ["HKLM\SYSTEM\CurrentControlSet\services\null\Instance*"]) OR (event_id=1 command="loaddll -a *")

2.430 LP_Password Change on DSRM Account Detected


• Trigger Condition: Password change in Directory Service Restore Mode (DSRM)
account is detected.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Account Manipulation

• ATT&CK ID: T1098

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4794 -user IN EXCLUDED_USERS

2.431 LP_Password Dumper Remote Thread in LSASS


• Trigger Condition: Password dumper activity is detected by monitoring remote thread creation (Sysmon event 8) into lsass.exe where no start module is recorded. The process shown in the Process field is the suspected malicious program; a single execution can produce hundreds of events.

• ATT&CK Category: Credential Access


• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=8 image="C:\Windows\System32\lsass.exe" -start_module=* -user IN EXCLUDED_USERS

2.432 LP_Password Spraying Attack Detected


• Trigger Condition: A password spraying attack is detected: a single source address produces failed logins (Windows event 4625) against more than five distinct user accounts.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Brute Force

• ATT&CK ID: T1110

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4625 -user IN EXCLUDED_USERS | chart distinct_count(user) as UserCount, distinct_list(user) as Users by source_address | search UserCount > 5
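The rule above groups failures by source address and counts distinct accounts, which is what makes a spray visible: each account sees only one or two failures, so a per-account threshold never trips. The Python below is an added illustration and not part of the LogPoint rule set. It runs both views over constructed event 4625 records: the per-source distinct-user count the page's rule uses, and the per-account failure count of a classic brute-force rule, with the same threshold of five. The EXCLUDED_USERS set stands in for the page's list.

```python
from collections import defaultdict

# Stand-in for the page's EXCLUDED_USERS list.
EXCLUDED_USERS = {"SYSTEM", "ANONYMOUS LOGON"}

# Constructed normalized Windows Security event 4625 (logon failure) records.
# 10.0.0.7 tries one password against seven accounts (a spray); 10.0.0.9 and
# 10.0.0.12 hammer a single account each (classic brute force).
SAMPLE_4625 = (
    [{"event_id": 4625, "source_address": "10.0.0.7", "user": u, "status": "0xC000006D"}
     for u in ("alice", "bob", "carol", "dave", "erin", "frank", "grace")]
    + [{"event_id": 4625, "source_address": "10.0.0.9", "user": "alice", "status": "0xC000006D"}
       for _ in range(3)]
    + [{"event_id": 4625, "source_address": "10.0.0.12", "user": "bob", "status": "0xC000006D"}
       for _ in range(6)]
    + [{"event_id": 4625, "source_address": "10.0.0.7", "user": "SYSTEM", "status": "0xC000006D"}]
)


def _failures(events):
    """Yield logon failures, dropping the excluded accounts as the rule's -user IN clause does."""
    for e in events:
        if e.get("event_id") == 4625 and e.get("user") not in EXCLUDED_USERS:
            yield e


def spray_sources(events, threshold=5):
    """source_address -> sorted distinct users, for sources that failed against more than
    `threshold` accounts (the page's distinct_count(user) by source_address)."""
    users_by_src = defaultdict(set)
    for e in _failures(events):
        users_by_src[e["source_address"]].add(e["user"])
    return {src: sorted(users) for src, users in users_by_src.items() if len(users) > threshold}


def brute_force_users(events, threshold=5):
    """user -> failure count, for accounts with more than `threshold` failures
    (the per-account rule a spray is designed to stay under)."""
    counts = defaultdict(int)
    for e in _failures(events):
        counts[e["user"]] += 1
    return {u: c for u, c in counts.items() if c > threshold}


if __name__ == "__main__":
    print("spray sources:", spray_sources(SAMPLE_4625))
    print("brute-forced accounts:", brute_force_users(SAMPLE_4625))
```

On the sample, 10.0.0.7 is reported only by the per-source view; bob appears in the per-account view because of 10.0.0.12, not because of the spray. Sprays that pace themselves across many source addresses need the same grouping keyed on a subnet or on the failure status code instead.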

2.433 LP_Persistence and Execution at Scale via GPO Scheduled Task
• Trigger Condition: A write to a ScheduledTasks.xml file in the SYSVOL share (Windows event 5145 with WriteData access) is detected. A scheduled task pushed through Group Policy is the mechanism used to deploy ransomware at scale across a domain.

• ATT&CK Category: Persistence, Lateral Movement, Execution, Privilege Escalation

• ATT&CK Tag: Scheduled Task/Job, Scheduled Task

• ATT&CK ID: T1053, T1053.005

• Minimum Log Source Requirement: Windows

• Query:


norm_id=WinServer event_id=5145 share_name="\*\SYSVOL" relative_target="*ScheduledTasks.xml" access="*WriteData*" -user IN EXCLUDED_USERS

2.434 LP_Petya Affected Hosts


• Trigger Condition: Applications and commands like wevtutil, wmic, rundll, or
schtasks are executed for defense evasion. For this alert to work, you must update
the list PETYA_COMMAND.

• ATT&CK Category: Discovery, Defense Evasion

• ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion, Software Discovery, Security Software Discovery

• ATT&CK ID: T1046, T1211, T1518, T1518.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer* event_id=106 event_source="Microsoft-Windows-TaskScheduler" task IN PETYA_COMMAND -user IN EXCLUDED_USERS

2.435 LP_Petya Compromised Files


• Trigger Condition: A file whose digest matches a known Petya IOC digest value is detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Data Encrypted for Impact, Data Destruction, Proxy

• ATT&CK ID: T1486, T1485, T1090

• Minimum Log Source Requirement: Integrity Scanner

• Query:

norm_id=IntegrityScanner digest IN PETYA_DIGEST OR prev_digest IN PETYA_DIGEST path=*


2.436 LP_Ping Hex IP Detected


• Trigger Condition: Ping command using a hex-encoded IP address is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Deobfuscate/Decode Files or Information, Obfuscated Files or Information

• ATT&CK ID: T1140, T1027

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*\ping.exe 0x*", "*\ping 0x*"] -user IN EXCLUDED_USERS

2.437 LP_Ping of Death Attack


• Trigger Condition: Datagrams with a size greater than 65536 are received.

• ATT&CK Category: Impact

• ATT&CK Tag: Network Denial of Service, Direct Network Flood

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label=Receive label=Packet (packet_length>65536 or fragment_length>65536)

2.438 LP_Possible Access to ADMIN Share


• Trigger Condition: Access to the ADMIN$ share is detected, which may help to
detect lateral movement attempts. Since Windows Admin Share activity is so
common, it provides adversaries with a powerful, discreet way to move laterally
within an environment. Self-propagating ransomware and cryptocurrency miners,
both rapidly emerging threats, rely on Windows Admin Shares. If an adversary can
obtain legitimate Windows credentials, the hidden shares (C$, ADMIN$, and IPC$)
can be accessed remotely via Server Message Block (SMB) or the Net utility to
transfer files and execute code. Windows Admin Shares are often used in
conjunction with behaviors relating to Remote File Copy (T1105), because
adversaries commonly use the technique to copy files remotely, and Network Share
Discovery (T1135). It can also occur with New Service (T1050) and Service
Execution (T1035), because tools like PsExec deploy their receiver executable to
admin shares and schedule a service to execute it. Legitimate administrative
activities may generate false positives and will require whitelisting.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Services

• ATT&CK ID: T1021

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=5140 share_name="Admin$" -user="*$" -user IN EXCLUDED_USERS

2.439 LP_Possible Account Misuse-Abnormal Login


• Trigger Condition: An admin logging in or running an application outside
regular office hours is detected.

• ATT&CK Category: Initial Access, Privilege Escalation, Defense Evasion, Persistence

• ATT&CK Tag: Valid Accounts

• ATT&CK ID: T1078

• Minimum Log Source Requirement: Windows

• Query:

(label=User label=Login label=Successful user in ADMINS ((day_of_week(log_ts) IN ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]) and (hour(log_ts)<9 or hour(log_ts)>17)) or (day_of_week(log_ts) IN ["Saturday", "Sunday"])) or (label=User label=Login label=Successful sub_status_code="0xC000006F") user=* (workstation=* or source_address=*)


2.440 LP_Possible Account Misuse-Privilege Escalation


• Trigger Condition: Non-admin users being assigned privileged access is detected.
The event maps to Windows event IDs 4648 and 4672.

• ATT&CK Category: Privilege Escalation, Persistence, Defense Evasion

• ATT&CK Tag: Account Manipulation, Abuse Elevation Control Mechanism, Bypass User Account Control

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows

• Query:

((label=Privilege label=Assign) or (label=Login label=Explicit label=Credential) user=* -user in ADMINS) OR (label=User label=Add label=Group user=* group=*admin*)

2.441 LP_Possible Applocker Bypass Detected


• Trigger Condition: The execution of executables like msdt, installutil, regsvcs,
regasm, msbuild or ieexec, which can be used to bypass AppLocker whitelisting, is
detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution, Mshta, InstallUtil, Regsvcs/Regasm, Trusted Developer Utilities, MSBuild

• ATT&CK ID: T1218, T1218.004, T1218.009, T1127, T1218.005, T1127.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Create" label="Process" command IN ["*\msdt.exe*", "*\installutil.exe*", "*\regsvcs.exe*", "*\regasm.exe*", "*\msbuild.exe*", "*\ieexec.exe*"] -user IN EXCLUDED_USERS


2.442 LP_Possible Bitsadmin Download Detected


• Trigger Condition: The use of bitsadmin downloading a file is detected.

• ATT&CK Category: Defense Evasion, Persistence

• ATT&CK Tag: BITS Jobs

• ATT&CK ID: T1197

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create ("process"="*\bitsadmin.exe" (command IN ["* /create *", "* /addfile *"] command="*http*") OR (command="* /transfer *")) OR (command="*copy bitsadmin.exe*") -user IN EXCLUDED_USERS

2.443 LP_Possible Botnet Connection-DNS Server Modified


• Trigger Condition: An unauthorized modification of the default DNS server
configuration is detected on a Unix or Windows Server host.

• ATT&CK Category: Impact, Command and Control, Defense Evasion

• ATT&CK Tag: Network Denial of Service, Proxy, Exploitation for Defense Evasion

• ATT&CK ID: T1498, T1090, T1211

• Minimum Log Source Requirement: Windows

• Query:

((norm_id=Unix action="RUN" (file="etc/resolv.conf" or file="*\etc\host")) or (norm_id=WinServer* (label=File (label=Write or label=Modify) path="C:\Windows\System32\Drivers\etc" object="hosts") or (label=DNS label=Update (label=Successful or label=Request OR label=Fail)) (host=* or source_address=*))) -user IN EXCLUDED_USERS


2.444 LP_Possible Botnet Connection-IRC Port


• Trigger Condition: The connection through the IRC port is detected. For this alert
to work, you must update the list IRC_PORTS, including commonly used ports 6660
to 6669 and 6700.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

source_address=* destination_address=* destination_port in IRC_PORTS

2.445 LP_Possible Botnet Connection-Outbound DDOS


• Trigger Condition: Multiple hosts connecting to the same destination address is
detected.

• ATT&CK Category: Impact, Command and Control, Defense Evasion

• ATT&CK Tag: Network Denial of Service, Proxy, Exploitation for Defense Evasion

• ATT&CK ID: T1498, T1090, T1211

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Connection source_address in HOMENET destination_address=* | chart distinct_count(source_address) as source by destination_address | search source>100

2.446 LP_Possible Botnet Connection-Outbound Spam


• Trigger Condition: An unauthorized email sent through an open relay is detected.

• ATT&CK Category: Command and Control, Defense Evasion, Impact

• ATT&CK Tag: Proxy, Exploitation for Defense Evasion, Network Denial of Service

• ATT&CK ID: T1090, T1211, T1498


• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

(source_address=* or host=* method="HELO" or method="EHLO") or (label=Connection destination_port="25" source_address=* or host=*) | search -source_address IN MAIL_SERVER_IP

2.447 LP_Possible CLR DLL Loaded Via Office Applications


• Trigger Condition: A CLR DLL loaded by an Office product like WinWord,
PowerPoint, Excel, or Outlook is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Phishing, Spearphishing Attachment

• ATT&CK ID: T1566, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe", "*\powerpnt.exe", "*\excel.exe", "*\outlook.exe"] image IN ["*\clr.dll*"] -user IN EXCLUDED_USERS

2.448 LP_Possible Credential Dump-Tools Named Pipes Detected


• Trigger Condition: A well-known credential dumping tool execution via specifically
named pipes like lsadump, cachedump, or wceservicepipe is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=17 pipe IN ["*\lsadump*", "*\cachedump*", "*\wceservicepipe*"] -user IN EXCLUDED_USERS


2.449 LP_Possible Data Breach


• Trigger Condition: Unauthorized transfer of sensitive data is detected using
mail applications, cloud applications, or other sources. For the alert to work,
you must update the lists RESIGNED_EMPLOYEES, KNOWN_DOMAINS, and
CLOUD_APPLICATIONS.

• ATT&CK Category: Exfiltration

• ATT&CK Tag: Exfiltration Over Web Service, Exfiltration to Cloud Storage

• ATT&CK ID: T1567, T1567.002

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

(label=Mail object="*attachment*" sender in RESIGNED_EMPLOYEES -receiver in KNOWN_DOMAINS) or (label=Object label=Access (label=Write or label=Modify) event_category="*Removable*" user in RESIGNED_EMPLOYEES) or (label=Access label=Object (label=Write or label=Modify) path IN CLOUD_APPLICATIONS user in RESIGNED_EMPLOYEES) or (label=Data label=Transfer label=Sensitive source_address=* destination_address=*)

2.450 LP_Possible Data Breach-Off Hour Transfer


• Trigger Condition: Unauthorized transfer of sensitive data during off-hours is
detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

(norm_id=*Firewall or norm_id=*IDS*) label=Connection source_address=* destination_address=* destination_port=* sent_datasize=* ((day_of_week(log_ts) IN ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]) and (hour(log_ts)<9 or hour(log_ts)>17)) or (day_of_week(log_ts) IN ["Saturday", "Sunday"]) | chart sum((sent_datasize)/1024/1024) as TotalSentMB by user | search TotalSentMB>20


2.451 LP_Possible DDOS Attack


• Trigger Condition: A large volume of inbound traffic within a short period is
detected.

• ATT&CK Category: Initial Access, Impact

• ATT&CK Tag: Exploit Public-Facing Application, Network Denial of Service

• ATT&CK ID: T1190, T1498

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Deny ((protocol=icmp or application="icmp" or service=icmp) or (protocol=http or protocol=https) or (protocol=udp) or 'dns reply' or 'SYN') source_address=* destination_address=* | chart count(source_address) as ddos_source by destination_address | search ddos_source>2000

2.452 LP_Possible Detection of SafetyKatz


• Trigger Condition: SafetyKatz behavior, where a temporary file debug.bin is
created in the Temp folder to dump credentials from LSASS, is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, LSASS Memory

• ATT&CK ID: T1003, T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 path="*\Temp" file="debug.bin" -user IN EXCLUDED_USERS

2.453 LP_Possible DNS Rebinding Detected


• Trigger Condition: Different DNS answers for one domain, with IPs from both
internal and external networks, are detected. Typically, a DNS answer carries a
TTL greater than 100, and the DNS record stays in the host cache for the duration
of that TTL.


• ATT&CK Category: Command and Control

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

event_id=22 query="*" status_code="0" query_result IN ["(::ffff:)?10.*", "(::ffff:)?192.168.*", "(::ffff:)?172.16.*", "(::ffff:)?172.17.*", "(::ffff:)?172.18.*", "(::ffff:)?172.19.*", "(::ffff:)?172.20.*", "(::ffff:)?172.21.*", "(::ffff:)?172.22.*", "(::ffff:)?172.23.*", "(::ffff:)?172.24.*", "(::ffff:)?172.25.*", "(::ffff:)?172.26.*", "(::ffff:)?172.27.*", "(::ffff:)?172.28.*", "(::ffff:)?172.29.*", "(::ffff:)?172.30.*", "(::ffff:)?172.31.*", "(::ffff:)?127.*"] -user IN EXCLUDED_USERS | chart count(QueryName) as val by host | search val > 3
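The rule above as runnable detection logic over constructed Sysmon event ID 22 records (an added example, not LogPoint's code). The rule's wildcard list is the three RFC 1918 ranges plus loopback, optionally in the IPv4-mapped IPv6 form Sysmon uses in QueryResults; this version tests each ';'-separated answer entry, which is slightly broader than the rule's whole-string match, and the field names and sample events are assumptions for the example.

```python
"""Added example (not LogPoint's code): the LP_Possible DNS Rebinding Detected
logic over constructed Sysmon event ID 22 (DNS query) records."""
import ipaddress
from collections import Counter

# The address ranges the rule's wildcard list covers: 10/8, 172.16/12,
# 192.168/16 and loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal_answer(answer: str) -> bool:
    """True if one QueryResults entry is an internal/loopback IPv4 address,
    written plainly or as ::ffff:a.b.c.d. Non-address entries (for example
    'type: 5 cname.example') and native IPv6 addresses are not in the rule's list."""
    try:
        ip = ipaddress.ip_address(answer.strip())
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is None:
            return False
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)


def rebinding_candidates(events, excluded_users=frozenset(), threshold=3):
    """Mirror 'event_id=22 status_code=0 query_result IN [...] | chart count()
    by host | search val > 3': count, per host, successful queries whose answer
    contains an internal address and return the hosts above the threshold."""
    per_host = Counter()
    for ev in events:
        if ev.get("event_id") != 22 or ev.get("status_code") != "0":
            continue
        if ev.get("user") in excluded_users:
            continue
        # Sysmon QueryResults is ';'-separated; test each entry on its own.
        answers = [a for a in ev.get("query_result", "").split(";") if a.strip()]
        if any(is_internal_answer(a) for a in answers):
            per_host[ev["host"]] += 1
    return {host: n for host, n in per_host.items() if n > threshold}


# Constructed sample: ws01 keeps resolving one external name, first to a public
# address and then to internal ones (the rebinding pattern); ws02 has a single
# internal lookup and stays below the threshold; the last record is a failed query.
SAMPLE_EVENTS = [
    {"event_id": 22, "host": "ws01", "user": "CORP\\alice", "status_code": "0",
     "query": "app.external.example", "query_result": "::ffff:203.0.113.10;"},
    {"event_id": 22, "host": "ws01", "user": "CORP\\alice", "status_code": "0",
     "query": "app.external.example", "query_result": "::ffff:10.0.0.5;"},
    {"event_id": 22, "host": "ws01", "user": "CORP\\alice", "status_code": "0",
     "query": "app.external.example",
     "query_result": "type: 5 cdn.example;::ffff:127.0.0.1;"},
    {"event_id": 22, "host": "ws01", "user": "CORP\\alice", "status_code": "0",
     "query": "app.external.example", "query_result": "::ffff:192.168.1.20;"},
    {"event_id": 22, "host": "ws01", "user": "CORP\\alice", "status_code": "0",
     "query": "app.external.example", "query_result": "::ffff:172.31.4.9;"},
    {"event_id": 22, "host": "ws02", "user": "CORP\\bob", "status_code": "0",
     "query": "intranet.corp.example", "query_result": "::ffff:10.1.1.1;"},
    {"event_id": 22, "host": "ws01", "user": "CORP\\alice", "status_code": "9003",
     "query": "missing.example", "query_result": ""},
]

if __name__ == "__main__":
    print(rebinding_candidates(SAMPLE_EVENTS))  # {'ws01': 4}
```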

2.454 LP_Possible DoS Attack


• Trigger Condition: LogPoint detects a DoS attack.

• ATT&CK Category: Initial Access, Impact

• ATT&CK Tag: Exploit Public-Facing Application, Network Denial of Service, Endpoint Denial of Service

• ATT&CK ID: T1190, T1498, T1499

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Dos label=Attack source_address=* destination_address=*

2.455 LP_Possible Empire Monkey Detected


• Trigger Condition: LogPoint detects reported EmpireMonkey APT activity
involving use of the scrobj.dll file via cutil or regsvr32.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=1 command="*/i:%APPDATA%\logs.txt scrobj.dll" (image IN ["*\cutil.exe"] OR message IN ["Microsoft(C) Registerserver"]) -user IN EXCLUDED_USERS

2.456 LP_Possible Executable Used by PlugX in Uncommon Location


• Trigger Condition: The execution of an executable used by PlugX for DLL
side-loading, initiated from an unusual location, is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

• ATT&CK ID: T1574, T1574.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((image="*\CamMute.exe" -image="*\Lenovo\Communication Utility\*") OR (image="*\chrome_frame_helper.exe" -image="*\Google\Chrome\application\*") OR (image="*\dvcemumanager.exe" -image="*\Microsoft Device Emulator\*") OR (image="*\Gadget.exe" -image="*\Windows Media Player\*") OR (image="*\hcc.exe" -image="*\HTML Help Workshop\*") OR (image="*\hkcmd.exe" -image IN ["*\System32\*", "*\SysNative\*", "*\SysWOW64\*"]) OR (image="*\Mc.exe" -image IN ["*\Microsoft Visual Studio*", "*\Microsoft SDK*", "*\Windows Kit*"]) OR (image="*\MsMpEng.exe" -image IN ["*\Microsoft Security Client\*", "*\Windows Defender\*", "*\AntiMalware\*"]) OR (image="*\msseces.exe" -image IN ["*\Microsoft Security Center\*", "*\Microsoft Security Client\*", "*\Microsoft Security Essentials\*"]) OR (image="*\OInfoP11.exe" -image="*\Common Files\Microsoft Shared\*") OR (image="*\OleView.exe" -image IN ["*\Microsoft Visual Studio*", "*\Microsoft SDK*", "*\Windows Kit*", "*\Windows Resource Kit\*"]) OR (image="*\rc.exe" -image IN ["*\Microsoft Visual Studio*", "*\Microsoft SDK*", "*\Windows Kit*", "*\Windows Resource Kit\*", "*\Microsoft.NET\*"])) -user IN EXCLUDED_USERS

2.457 LP_Possible Exploitation for CVE-2015-1641 Detected


• Trigger Condition: Winword starting uncommon subprocess MicroScMgmt.exe
used in exploits for CVE-2015-1641 is detected.


• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\WINWORD.EXE" image="*\MicroScMgmt.exe" -user IN EXCLUDED_USERS

2.458 LP_Possible Hijack of Legit RDP Session to Move Laterally


• Trigger Condition: The use of tsclient share to place a backdoor on the RDP source
machine’s startup folder is detected.

• ATT&CK Category: Persistence, Lateral Movement, Privilege Escalation

• ATT&CK Tag: Remote Service Session Hijacking, RDP Hijacking, Boot or Logon
Autostart Execution, Registry Run Keys/Startup Folder

• ATT&CK ID: T1563, T1563.002, T1547, T1547.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 image="*\mstsc.exe" file="*\Microsoft\Windows\Start Menu\Programs\Startup\*" -user IN EXCLUDED_USERS

2.459 LP_Possible Impacket Lateralization Detected


• Trigger Condition: wmiexec/dcomexec/atexec/smbexec from the Impacket
framework is detected.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Windows Management Instrumentation, Inter-Process Communication,
Component Object Model and Distributed COM

• ATT&CK ID: T1047, T1021, T1021.003, T1559, T1559.001


• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((parent_image IN ["*\wmiprvse.exe", "*\mmc.exe", "*\explorer.exe", "*\services.exe"] command IN ["*cmd.exe* /Q /c * \\127.0.0.1\*&1*"]) OR (parent_command IN ["*svchost.exe -k netsvcs", "taskeng.exe*"] command IN ["cmd.exe /C *Windows\Temp\*&1"])) -user IN EXCLUDED_USERS

2.460 LP_Possible Impacket SecretDump Remote Activity


• Trigger Condition: LogPoint detects remote AD credential dumping using the
Impacket secretdump HKTL.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=5145 share_name="\*\ADMIN$" relative_target="SYSTEM32\*.tmp" -user IN EXCLUDED_USERS

2.461 LP_Possible Inbound Spamming Detected


• Trigger Condition: LogPoint detects possible inbound spam.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Mail Server

• Query:

(sender=* receiver=* -sender in KNOWN_DOMAINS) | chart distinct_count(receiver) as spam_receiver by sender | search spam_receiver>100


2.462 LP_Possible Insider Threat


• Trigger Condition: LogPoint detects alerts like privilege escalation, unauthorized
access, and data breach for the same user.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Logpoint

• Query:

event_type="Possible Insider Threat" incident_user=* -incident_user in EXCLUDED_USERS | rename incident_user as user | chart distinct_count(incident_name) as AlertCount by user | search AlertCount>2

2.463 LP_Possible Land Attack


• Trigger Condition: LogPoint detects a Cisco land-attack with event ID 106017.

• ATT&CK Category: Impact

• ATT&CK Tag: Network Denial of Service

• ATT&CK ID: T1498

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

event_id=106017 label=Connection label=Attack label=Deny

2.464 LP_Possible Malicious Payload Download via Office Binaries Detected


• Trigger Condition: A payload downloaded from a remote server over HTTP by a
Microsoft Office application such as PowerPoint, Word, or Excel on a
compromised system is detected.

• ATT&CK Category: Command and Control


• ATT&CK Tag: Ingress Tool Transfer

• ATT&CK ID: T1105

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process" IN ["*\powerpnt.exe", "*\winword.exe", "*\excel.exe"] command="*http*" -user IN EXCLUDED_USERS

2.465 LP_Possible Malware Detected


• Trigger Condition: A file or software is detected as worm, virus, trojan, or malware.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Antivirus

• Query:

(label=Malware or label=Threat or label=Virus or label=Quarantine or label=Risk) (malware=* OR risk=* OR virus=*) (file=* or application=* or url=*)

2.466 LP_Possible Modification of Boot Configuration


• Trigger Condition: The use of the bcdedit command to delete or modify Boot
Configuration Data is detected. Boot Configuration Data (BCD) files provide a
store that describes boot applications and application settings. Boot
configuration data edit (bcdedit) allows manipulating BCD. Malware and attackers
use this as a destructive technique to prevent system recovery. Legitimate usage
can trigger this alert; we recommend including the legitimate user in the
EXCLUDED_USERS list.

• ATT&CK Category: Impact, Defense Evasion, Persistence

• ATT&CK Tag: Inhibit System Recovery, Pre-OS Boot, Bootkit

• ATT&CK ID: T1490, T1542, T1542.003

• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=1 ((image="*\bcdedit.exe" command IN ["*delete*", "*import*", "set"]) OR ((command="*bootstatuspolicy*" command="*ignoreallfailures*") OR (command="*recoveryenabled*" command="*no*"))) -user IN EXCLUDED_USERS

2.467 LP_Possible Outbound Spamming Detected


• Trigger Condition: Outbound spamming is detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Mail Server

• Query:

(sender=* receiver=* -receiver in KNOWN_DOMAINS sender in KNOWN_DOMAINS) | chart distinct_count(receiver) as spam_receiver by sender | search spam_receiver>100

2.468 LP_Possible Pass the Hash Activity Detected


• Trigger Condition: Use of the pass-the-hash technique, which is used to move
laterally inside the network, is detected. Pass the hash is a method of
authenticating to a system using a password hash rather than the actual password.
Adversaries may use this technique to gain unauthorized access to a system,
bypassing normal authentication controls. Pass the hash attacks can be
challenging to detect and prevent, as they do not involve using a clear-text
password.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Use Alternate Authentication Material, Pass the Hash

• ATT&CK ID: T1550, T1550.002

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4624 ((caller_id="S-1-0-0" logon_type="3" logon_process="NtLmSsp" key_length="0") OR (logon_type="9" logon_process="seclogo")) -user="ANONYMOUS LOGON" -user IN EXCLUDED_USERS
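The two branches of the query above, applied to the message body of Windows Security event 4624 (an added example, not LogPoint's or Microsoft's code). It parses the sectioned 4624 text into the normalized names the rule uses (caller_id, user, logon_type, logon_process, key_length); the event bodies and the host names are constructed for this example.

```python
"""Added example (not LogPoint's or Microsoft's code): parse the body of Windows
Security event 4624 into the fields the LP_Possible Pass the Hash Activity
Detected rule uses and apply its two branches."""
import re


def parse_4624(message: str) -> dict:
    """Flatten the sectioned 4624 body into {"Section/Field": value}; fields
    outside a section (e.g. 'Logon Type') are stored without a prefix."""
    fields, section = {}, None
    for raw in message.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        indented = line.startswith(("\t", " "))
        if not indented and line.endswith(":"):
            section = line[:-1]            # "Subject", "New Logon", ...
            continue
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue                       # e.g. the descriptive first line
        key, value = m.group(1).strip(), m.group(2).strip()
        fields[f"{section}/{key}" if indented and section else key] = value
    return fields


def normalize(fields: dict) -> dict:
    """Map parsed fields to the query's names. Subject/Security ID is the caller
    SID (S-1-0-0 for network logons); the account name sits under New Logon."""
    auth = "Detailed Authentication Information/"
    return {
        "event_id": 4624,
        "caller_id": fields.get("Subject/Security ID"),
        "user": fields.get("New Logon/Account Name"),
        "logon_type": fields.get("Logon Type"),
        "logon_process": fields.get(auth + "Logon Process"),
        "key_length": fields.get(auth + "Key Length"),
    }


def is_pass_the_hash(ev: dict, excluded_users=frozenset()) -> bool:
    """Branch 1: NTLM network logon (type 3) with a null caller SID and key
    length 0. Branch 2: NewCredentials logon (type 9) through the 'seclogo'
    logon process. ANONYMOUS LOGON and allow-listed users are excluded."""
    if ev.get("event_id") != 4624:
        return False
    if ev["user"] == "ANONYMOUS LOGON" or ev["user"] in excluded_users:
        return False
    ntlm_null_caller = (ev["caller_id"] == "S-1-0-0" and ev["logon_type"] == "3"
                        and ev["logon_process"] == "NtLmSsp" and ev["key_length"] == "0")
    seclogo = ev["logon_type"] == "9" and ev["logon_process"] == "seclogo"
    return ntlm_null_caller or seclogo


def find_pass_the_hash(events, excluded_users=frozenset()):
    """events: iterable of (host, 4624 message body). Returns matching (host, user)."""
    hits = []
    for host, message in events:
        ev = normalize(parse_4624(message))
        if is_pass_the_hash(ev, excluded_users):
            hits.append((host, ev["user"]))
    return hits


def _body(caller_sid, account, logon_type, process, package, key_length):
    """Build a constructed 4624 body in the tab-indented layout Windows uses."""
    return "\n".join([
        "An account was successfully logged on.", "", "Subject:",
        f"\tSecurity ID:\t\t{caller_sid}", "\tAccount Name:\t\t-",
        "\tAccount Domain:\t\t-", "\tLogon ID:\t\t0x0", "",
        f"Logon Type:\t\t\t{logon_type}", "", "New Logon:",
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105",
        f"\tAccount Name:\t\t{account}", "\tAccount Domain:\t\tCORP",
        "\tLogon ID:\t\t0x3E7A1", "", "Detailed Authentication Information:",
        f"\tLogon Process:\t\t{process}", f"\tAuthentication Package:\t{package}",
        "\tTransited Services:\t-", "\tPackage Name (NTLM only):\tNTLM V2",
        f"\tKey Length:\t\t{key_length}",
    ])


# Constructed sample: an NTLM null-caller logon (note the trailing space Windows
# writes after 'NtLmSsp'), a Kerberos network logon with the same null caller
# and key length (not matched), a seclogo logon, and an ANONYMOUS LOGON.
SAMPLE_EVENTS = [
    ("wks01", _body("S-1-0-0", "jdoe", "3", "NtLmSsp ", "NTLM", "0")),
    ("wks02", _body("S-1-0-0", "jdoe", "3", "Kerberos", "Kerberos", "0")),
    ("wks03", _body("S-1-5-21-1111-2222-3333-1105", "jdoe", "9", "seclogo", "Negotiate", "0")),
    ("wks01", _body("S-1-0-0", "ANONYMOUS LOGON", "3", "NtLmSsp ", "NTLM", "0")),
]

if __name__ == "__main__":
    print(find_pass_the_hash(SAMPLE_EVENTS))  # [('wks01', 'jdoe'), ('wks03', 'jdoe')]
```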


2.469 LP_Possible Privilege Escalation via Weak Service Permissions


• Trigger Condition: The sc.exe utility being spawned by a user with medium
integrity level to change a service's ImagePath or FailureCommand is detected.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Access Token Manipulation

• ATT&CK ID: T1134

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\sc.exe" integrity_level="Medium" command IN ["*config*", "*binPath*", "*failure*", "*command*"] -user IN EXCLUDED_USERS

2.470 LP_Possible Process Hollowing Image Loading


• Trigger Condition: Loading of samlib.dll or WinSCard.dll by an atypical process,
for example through process hollowing by Mimikatz, is detected.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading, Process Injection, Process
Hollowing

• ATT&CK ID: T1574, T1574.002, T1055, T1055.012

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 source_image IN ["*\notepad.exe"] image IN ["*\samlib.dll", "*\WinSCard.dll"] -user IN EXCLUDED_USERS

2.471 LP_Possible SPN Enumeration Detected


• Trigger Condition: Service Principal Name Enumeration used for Steal or Forge
Kerberos Tickets and Kerberoasting is detected.


• ATT&CK Category: Credential Access

• ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting

• ATT&CK ID: T1558, T1558.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command="*-q*" (image="*\setspn.exe" OR message="*Query or reset the computer* SPN attribute*") -user IN EXCLUDED_USERS

2.472 LP_Possible SquiblyTwo Detected


• Trigger Condition: A WMI SquiblyTwo attack, including a possibly renamed
wmic.exe identified by its imphash, is detected.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Windows Management Instrumentation, Visual Basic, JavaScript, XSL Script Processing

• ATT&CK ID: T1047, T1059.005, T1059.007, T1220

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 file="wmic.exe" hash_imphash IN ["1B1A3F43BF37B5BFE60751F2EE2F326E", "37777A96245A3C74EB217308F3546F4C", "9D87C9D67CE724033C0B40CC4CA1B206"] command="*format:*" command="*http*"

2.473 LP_Possible Taskmgr run as LOCAL_SYSTEM Detected


• Trigger Condition: Creation of a taskmgr.exe process in the context of
LOCAL_SYSTEM is detected. Taskmgr.exe is the executable file for Windows Task
Manager.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036


• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process"="*\taskmgr.exe" user in ["*AUTHORI*", "*AUTORI*"]

2.474 LP_Potential RDP Exploit CVE-2019-0708 Detected


• Trigger Condition: An RDP protocol error potentially indicating CVE-2019-0708 exploitation is detected.

• ATT&CK Category: Initial Access, Lateral Movement

• ATT&CK Tag: Exploitation of Remote Services, Exploit Public-Facing Application

• ATT&CK ID: T1210, T1190

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id IN ["56", "50"] event_source="TermDD" -user IN EXCLUDED_USERS

2.475 LP_Powershell AMSI Bypass via dotNET Reflection


• Trigger Condition: A reference to amsiInitFailed, used to disable AMSI
scanning, is detected.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*System.Management.Automation.AmsiUtils*"] command IN ["*amsiInitFailed*"] -user IN EXCLUDED_USERS


2.476 LP_PowerShell Base64 Encoded Shellcode Detected


• Trigger Condition: Base64 encoded shellcode is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command="*AAAAYInlM*" command IN ["*OiCAAAAYInlM*", "*OiJAAAAYInlM*"] -user IN EXCLUDED_USERS

2.477 LP_PowerShell Network Connections Detected


• Trigger Condition: LogPoint detects a PowerShell process that opens network
connections. We recommend you check suspicious target ports and systems, and
adjust them according to your environment, for example by extending the filters
with the company's IP range.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=3 image="*\powershell.exe" initiated="true" -destination_address IN HOMENET -user="NT AUTHORITY\SYSTEM" -user IN EXCLUDED_USERS

2.478 LP_PowerShell Profile Modification


• Trigger Condition: Modification of a PowerShell profile is detected.


• ATT&CK Category: Persistence, Privilege Escalation, Execution

• ATT&CK Tag: Command and Scripting Interpreter, Event Triggered Execution, PowerShell Profile, PowerShell

• ATT&CK ID: T1546, T1546.013, T1059, T1059.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4103 command in ["Write-Output", "Add-Content"] payload="*powershell_profile*" -user IN EXCLUDED_USERS

2.479 LP_PowerShell Rundll32 Remote Thread Creation Detected


• Trigger Condition: Remote thread creation by PowerShell in the Rundll32.exe
process (Signed Binary Proxy Execution) is detected.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Rundll32, Command and Scripting
Interpreter, PowerShell

• ATT&CK ID: T1218, T1218.011, T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=8 source_image="*\powershell.exe" image="*\rundll32.exe" -user IN EXCLUDED_USERS

2.480 LP_PowerShell Script Run in AppData Detected


• Trigger Condition: A suspicious command line execution that invokes PowerShell
on a script located in an AppData folder is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001


• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["* /c powershell*\AppData\Local\*", "* /c powershell*\AppData\Roaming\*"] -user IN EXCLUDED_USERS

2.481 LP_PowerShell Version Downgrade Detected


• Trigger Condition: The execution of PowerShell v2 is detected. We recommend
you avoid PowerShell v2 as it offers zero logging; PowerShell v5.x or higher
offers better logging.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=400 host_version="2.0" -user IN EXCLUDED_USERS

2.482 LP_Process Dump via Comsvcs DLL Detected


• Trigger Condition: Process memory dump via comsvcs.dll and rundll32 is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*\rundll32.exe" OR file="RUNDLL32.EXE") command IN ["*comsvcs*MiniDump*full*", "*comsvcs*MiniDumpW*full*"] -user IN EXCLUDED_USERS


2.483 LP_Process Dump via Rundll32 and Comsvcs Detected


• Trigger Condition: Process memory dump performed via ordinal function 24 in
comsvcs.dll is detected.

• ATT&CK Category: Defense Evasion, Credential Access

• ATT&CK Tag: Masquerading, OS Credential Dumping, LSASS Memory

• ATT&CK ID: T1036, T1003, T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*comsvcs.dll, #24*", "*comsvcs.dll, MiniDump*"] -user IN EXCLUDED_USERS

2.484 LP_Process Hollowing Detected


• Trigger Condition: Adversaries inject malicious code into suspended, hollowed
processes to evade process-based defenses; a core Windows process started by a
parent other than its expected parent is detected.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Process Injection, Process Hollowing

• ATT&CK ID: T1055, T1055.012

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*smss.exe" parent_command!="*smss.exe") or (image="*csrss.exe" (parent_command!="*smss.exe" and parent_command!="*svchost.exe")) or (image="*wininit.exe" parent_command!="*smss.exe") or (image="*winlogon.exe" parent_command!="*smss.exe") or (image="*lsass.exe" parent_command!="*wininit.exe") or (image="*LogonUI.exe" (parent_command!="*winlogon.exe" and parent_command!="*wininit.exe")) or (image="*services.exe" parent_command!="*wininit.exe") or (image="*spoolsv.exe" parent_command!="*services.exe") or (image="*taskhost.exe" (parent_command!="*services.exe" and parent_command!="*svchost.exe")) or (image="*taskhostw.exe" (parent_command!="*services.exe" and parent_command!="*svchost.exe")) or (image="*userinit.exe" (parent_command!="*dwm.exe" and parent_command!="*winlogon.exe")) -user IN EXCLUDED_USERS
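The expected-parent check behind the query above, as an added example (not LogPoint's code) that evaluates constructed Sysmon event_id=1 records. Field names follow the query (image, parent_command, user); the excluded-user set is an assumed stand-in for the EXCLUDED_USERS list.

```python
"""Added example, not LogPoint's code: the expected-parent check behind the
LP_Process Hollowing Detected query, applied to constructed Sysmon records."""
from fnmatch import fnmatch

# Expected parent command-line patterns per child image, copied from the query.
# A child is flagged when its parent_command matches NONE of its patterns.
EXPECTED_PARENTS = {
    "smss.exe": ["*smss.exe"],
    "csrss.exe": ["*smss.exe", "*svchost.exe"],
    "wininit.exe": ["*smss.exe"],
    "winlogon.exe": ["*smss.exe"],
    "lsass.exe": ["*wininit.exe"],
    "logonui.exe": ["*winlogon.exe", "*wininit.exe"],
    "services.exe": ["*wininit.exe"],
    "spoolsv.exe": ["*services.exe"],
    "taskhost.exe": ["*services.exe", "*svchost.exe"],
    "taskhostw.exe": ["*services.exe", "*svchost.exe"],
    "userinit.exe": ["*dwm.exe", "*winlogon.exe"],
}


def is_anomalous_parent(image, parent_command):
    """True when image is a monitored system binary and parent_command matches
    none of its expected parents. Matching is case-insensitive wildcard
    matching as in the query: "*smss.exe" only matches a parent command line
    that ENDS with smss.exe, so trailing arguments defeat the match and the
    record alerts (a false-positive mode worth knowing about when tuning)."""
    image_l, parent_l = image.lower(), parent_command.lower()
    for child, parents in EXPECTED_PARENTS.items():
        if fnmatch(image_l, "*" + child):
            return not any(fnmatch(parent_l, p) for p in parents)
    return False  # not one of the monitored processes


def evaluate(events, excluded_users=frozenset()):
    """Apply the rule to a list of event dicts; return the events that alert."""
    alerts = []
    for ev in events:
        if ev.get("norm_id") != "WindowsSysmon" or ev.get("event_id") != 1:
            continue
        if ev.get("user") in excluded_users:  # -user IN EXCLUDED_USERS
            continue
        if is_anomalous_parent(ev.get("image", ""), ev.get("parent_command", "")):
            alerts.append(ev)
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"norm_id": "WindowsSysmon", "event_id": 1, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\lsass.exe",
     "parent_command": r"C:\Windows\System32\wininit.exe"},          # expected parent
    {"norm_id": "WindowsSysmon", "event_id": 1, "user": "CORP\\bob",
     "image": r"C:\Windows\System32\lsass.exe",
     "parent_command": r"C:\Users\bob\AppData\Local\Temp\loader.exe"},  # alerts
    {"norm_id": "WindowsSysmon", "event_id": 1, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_command": r"C:\Windows\System32\services.exe"},         # not monitored
    {"norm_id": "WindowsSysmon", "event_id": 1, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\csrss.exe",
     "parent_command": r"\SystemRoot\System32\smss.exe 000000e0 00000080"},  # alerts: args
    {"norm_id": "WindowsSysmon", "event_id": 1, "user": "CORP\\svc_deploy",
     "image": r"C:\Windows\System32\userinit.exe",
     "parent_command": r"C:\Windows\System32\cmd.exe"},              # excluded user
    {"norm_id": "WindowsSysmon", "event_id": 3, "user": "CORP\\bob",
     "image": r"C:\Windows\System32\lsass.exe",
     "parent_command": r"C:\loader.exe"},                            # not event_id=1
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS, excluded_users={"CORP\\svc_deploy"}):
        print("ALERT:", ev["image"], "<-", ev["parent_command"])
```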


2.485 LP_Process Injection Detected


• Trigger Condition: Adversaries inject code into processes to evade process-based
defenses and possibly elevate privileges using commands like Invoke-DllInjection.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (command="*Invoke-DllInjection*" or command="*C:\windows\sysnative\*") -user IN EXCLUDED_USERS

2.486 LP_Protected Storage Service Access Detected


• Trigger Condition: Access to the protected_storage service over the network
is detected, which may indicate abuse of DPAPI to extract domain backup keys
from Domain Controllers.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Services

• ATT&CK ID: T1021

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=5145 share_name="*IPC*" relative_target="protected_storage" -user IN EXCLUDED_USERS

2.487 LP_Prowli Malware Affected Host


• Trigger Condition: A Windows Server host affected by Prowli malware is detected.

• ATT&CK Category: -

• ATT&CK Tag: -


• ATT&CK ID: -

• Minimum Log Source Requirement: Windows

• Query:

norm_id=Winserver* hash in PROWLI_FILE host=*

2.488 LP_Prowli Malware Connection to Malicious Destination

• Trigger Condition: A host establishes an outbound connection to a Prowli
malware source.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Proxy

• ATT&CK ID: T1090

• Minimum Log Source Requirement: Windows

• Query:

(source_address=* OR destination_address=*) destination_address in PROWLI_IP | process dns(source_address) as host | process geoip(destination_address) as country

2.489 LP_Prowli Malware Emails Sent to Attacker


• Trigger Condition: An email is sent to an address on the Prowli malware email list.

• ATT&CK Category: Exfiltration, Collection

• ATT&CK Tag: Exfiltration Over C2 Channel, Email Collection

• ATT&CK ID: T1041, T1114

• Minimum Log Source Requirement: Mail Server

• Query:

sender=* receiver=* receiver in PROWLI_EMAIL (host=* OR source_host=*) | rename source_host as host


2.490 LP_PsExec Tool Execution Detected


• Trigger Condition: PsExec service installation and execution event (Service and
Sysmon) is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: System Services, Service Execution

• ATT&CK ID: T1569, T1569.002

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

((norm_id=WinServer service="PSEXESVC" event_id IN [7045, 7036]) OR (norm_id=WindowsSysmon event_id=1 "process"="*\PSEXESVC.exe" user="*SYSTEM*")) -user IN EXCLUDED_USERS

2.491 LP_Psr Capture Screenshots Detected


• Trigger Condition: psr.exe capturing desktop screenshots and saving them on
the local machine is detected.

• ATT&CK Category: Collection

• ATT&CK Tag: Screen Capture

• ATT&CK ID: T1113

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\Psr.exe" command="*/start*" -user IN EXCLUDED_USERS

2.492 LP_Pulse Secure Arbitrary File Reading Detected


• Trigger Condition: Exploitation of the arbitrary file reading vulnerability
(CVE-2019-11510) in Pulse Secure is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: External Remote Services


• ATT&CK ID: T1113

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

norm_id=* url IN ['*dana*guacamole*', '*lmdb*data.mdb*', '*data*mtmp/system*']

2.493 LP_QBot Process Creation Detected


• Trigger Condition: LogPoint detects QBot-like process execution of wscript, or
the use of commands to manipulate program data or ping the local host.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, Visual Basic

• ATT&CK ID: T1059, T1059.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ((parent_image="*\WinRAR.exe" image="*\wscript.exe") OR command="* /c ping.exe -n 6 127.0.0.1 & type *" OR (command="*regsvr32.exe*" command="*C:\ProgramData*" command="*.tmp*")) -user IN EXCLUDED_USERS

2.494 LP_QuarksPwDump Clearing Access History Detected

• Trigger Condition: QuarksPwDump clearing access history in hive is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, NTDS, Valid Accounts, Local Accounts

• ATT&CK ID: T1003, T1003.003, T1078, T1078.003

• Minimum Log Source Requirement: Windows

• Query:


norm_id=WinServer event_id=16 hive="*\AppData\Local\Temp\SAM*" hive="*.dmp" -user IN EXCLUDED_USERS

2.495 LP_QuarksPwDump Dump File Detected


• Trigger Condition: A dump file written by QuarksPwDump password dumper is
detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, Security Account Manager

• ATT&CK ID: T1003, T1003.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

event_id=11 file="*\AppData\Local\Temp\SAM-*.dmp*" -user IN EXCLUDED_USERS

2.496 LP_Query Registry Network


• Trigger Condition: Adversaries use the reg.exe component over a network
connection to interact with the Windows Registry and gather information about
the system, its configuration, and installed software.

• ATT&CK Category: Discovery

• ATT&CK Tag: Query Registry

• ATT&CK ID: T1012

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=3 image="*reg.exe" command="*reg query*" -user IN EXCLUDED_USERS


2.497 LP_Rare Scheduled Task Creations Detected


• Trigger Condition: Rare scheduled task creations are detected. Software that
gets installed on multiple systems creates the same task names everywhere, so
the aggregation and count function selects tasks with rare names.

• ATT&CK Category: Persistence

• ATT&CK Tag: Scheduled Task/Job, Scheduled Task

• ATT&CK ID: T1053, T1053.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id="106" | chart count() as val by task | search val < 5

2.498 LP_RDP Login from Localhost Detected


• Trigger Condition: RDP login with a localhost source address that may be a
tunneled login is detected.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Services, Remote Desktop Protocol

• ATT&CK ID: T1021, T1021.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4624 logon_type="10" source_address IN ["::1", "127.0.0.1"] -user IN EXCLUDED_USERS

2.499 LP_RDP Over Reverse SSH Tunnel Detected


• Trigger Condition: svchost hosting RDP termsvcs communicating with the
loopback address and on TCP port 3389 is detected.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Services, Remote Desktop Protocol


• ATT&CK ID: T1021, T1021.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=3 image="*\svchost.exe" initiated="true" source_port="3389" destination_address IN ["127.*", "::1"] -user IN EXCLUDED_USERS

2.500 LP_RDP over Reverse SSH Tunnel WFP


• Trigger Condition: svchost hosting RDP termsvcs communicating with the
loopback address is detected.

• ATT&CK Category: Command and Control, Lateral Movement

• ATT&CK Tag: Remote Services, Remote Desktop Protocol, Proxy

• ATT&CK ID: T1021, T1021.001, T1090

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=5156 ((source_port="3389" destination_address IN ["127.*", "::1"]) OR (destination_port="3389" source_address IN ["127.*", "::1"])) -user IN EXCLUDED_USERS

2.501 LP_RDP Registry Modification


• Trigger Condition: Potentially malicious modification of the fDenyTSConnections
and UserAuthentication property values to enable remote desktop connections is
detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=13 target_object IN ["*\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication", "*\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"] details="DWORD (0x00000000)" -user IN EXCLUDED_USERS

2.502 LP_RDP Sensitive Settings Changed


• Trigger Condition: Changes to RDP terminal service sensitive settings are
detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

event_id=13 target_object IN ["*\services\TermService\Parameters\ServiceDll*", "*\Control\Terminal Server\fSingleSessionPerUser*", "*\Control\Terminal Server\fDenyTSConnections*"] -user IN EXCLUDED_USERS

2.503 LP_Reconnaissance Activity with Net Command


• Trigger Condition: A set of commands often used in the recon stage by different
attack groups to discover the victim's information, systems, or network is
detected.

• ATT&CK Category: Discovery, Reconnaissance

• ATT&CK Tag: Account Discovery, System Information Discovery, Gather Victim
Host Information, Gather Victim Identity Information

• ATT&CK ID: T1087, T1082, T1589, T1592

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 command IN ["tasklist", "net time", "systeminfo", "whoami", "nbtstat", "net start", "*\net1 start", "qprocess", "nslookup", "hostname.exe", "*\net1 user /domain", "*\net1 group /domain", "*\net1 group *domain admins* /domain", "*\net1 group *Exchange Trusted Subsystem* /domain", "*\net1 accounts /domain", "*\net1 user net localgroup administrators", "netstat -an"] -user IN EXCLUDED_USERS | chart count() as val by command | search val > 4
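The match-then-aggregate shape of the query above ("... | chart count() as val by command | search val > 4"), as an added example that is not LogPoint's code; the same aggregate-and-threshold shape, with val < 5, is what LP_Rare Scheduled Task Creations Detected uses to find rare task names. Events are constructed dicts with the query's field names, and the excluded-user set stands in for the EXCLUDED_USERS list.

```python
"""Added example, not LogPoint's code: wildcard matching of the recon command
list followed by 'chart count() as val by command | search val > 4'."""
from collections import Counter
from fnmatch import fnmatch

# Patterns copied from the query. A pattern without a leading "*" must match
# the whole command line, so "tasklist" matches only that exact command and
# "whoami /all" does not match "whoami".
RECON_COMMANDS = [
    "tasklist", "net time", "systeminfo", "whoami", "nbtstat", "net start",
    "*\\net1 start", "qprocess", "nslookup", "hostname.exe",
    "*\\net1 user /domain", "*\\net1 group /domain",
    "*\\net1 group *domain admins* /domain",
    "*\\net1 group *Exchange Trusted Subsystem* /domain",
    "*\\net1 accounts /domain", "*\\net1 user net localgroup administrators",
    "netstat -an",
]


def matches_recon(command):
    """Case-insensitive wildcard match of one command line against the list."""
    c = command.lower()
    return any(fnmatch(c, p.lower()) for p in RECON_COMMANDS)


def evaluate(events, threshold=4, excluded_users=frozenset()):
    """Return {command: count} for the recon commands seen more than
    `threshold` times, i.e. the rows that survive 'search val > 4'.
    Counting is by the exact command string, as 'chart ... by command' does,
    so case or argument variants of one command are counted separately."""
    kept = (ev["command"] for ev in events
            if ev.get("norm_id") == "WindowsSysmon" and ev.get("event_id") == 1
            and ev.get("user") not in excluded_users       # -user IN EXCLUDED_USERS
            and matches_recon(ev.get("command", "")))
    val = Counter(kept)                                     # chart count() as val by command
    return {cmd: n for cmd, n in val.items() if n > threshold}


def _ev(command, user="CORP\\alice"):
    """Build one constructed Sysmon process-creation record."""
    return {"norm_id": "WindowsSysmon", "event_id": 1, "user": user, "command": command}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = (
    [_ev("whoami")] * 5                                          # 5 > 4: alerts
    + [_ev("systeminfo")] * 2                                    # below threshold
    + [_ev(r'C:\Windows\system32\net1 group "domain admins" /domain')] * 6  # alerts
    + [_ev("whoami /all")] * 9                                   # no match (exact pattern)
    + [_ev("notepad.exe")] * 10                                  # not a recon command
    + [_ev("tasklist", user="CORP\\svc_scan")] * 7               # excluded below
)

if __name__ == "__main__":
    for cmd, n in evaluate(SAMPLE_EVENTS, excluded_users={"CORP\\svc_scan"}).items():
        print(f"ALERT: {n} x {cmd}")
```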

2.504 LP_RedSocks Backdoor Connection


• Trigger Condition: A backdoor event is detected. Adversaries develop malware
and malware components as backdoors, which are used during targeting.

• ATT&CK Category: Resource Development

• ATT&CK Tag: Develop Capabilities, Malware

• ATT&CK ID: T1587, T1587.001

• Minimum Log Source Requirement: Redsocks

• Query:

norm_id=RedSocks description="*backdoor*" | process geoip(destination_address) as country

2.505 LP_RedSocks Bad Neighborhood Detection


• Trigger Condition: A bad neighborhood is detected where adversaries use
a connection proxy to direct network traffic between systems or act as an
intermediary for network communications to a Command and Control server to
avoid direct connections to their infrastructure.

• ATT&CK Category: Impact

• ATT&CK Tag: Proxy

• ATT&CK ID: T1090

• Minimum Log Source Requirement: Redsocks

• Query:

norm_id=RedSocks category="bad hood" | process geoip(destination_address) as country


2.506 LP_RedSocks Blacklist URL Detection


• Trigger Condition: Blacklist URLs are detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Redsocks

• Query:

norm_id=RedSocks category="URL blacklist" | process geoip(destination_address) as country

2.507 LP_RedSocks FileSharing


• Trigger Condition: Filesharing using an alternate platform like 4Shared, FileHippo,
Torrent, Picofile, or WeTransfer is detected.

• ATT&CK Category: Exfiltration

• ATT&CK Tag: Exfiltration over Alternative Protocol

• ATT&CK ID: T1048

• Minimum Log Source Requirement: Redsocks

• Query:

norm_id=RedSocks category="Filesharing" description in ["*4share*", "*torrent*", "*FileHippo*", "*picofile*", "*wetransfer*"] | process geoip(destination_address) as country

2.508 LP_RedSocks Ransomware Connection


• Trigger Condition: A ransomware event is detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Disk Wipe, Disk Content Wipe, Data Encrypted for Impact, Data
Destruction, Proxy


• ATT&CK ID: T1561, T1561.001, T1486, T1485, T1090

• Minimum Log Source Requirement: Redsocks

• Query:

norm_id=RedSocks description="*ransomware*" | process geoip(destination_address) as country

2.509 LP_RedSocks Sinkhole Detection


• Trigger Condition: A sinkhole connection is detected.

• ATT&CK Category: Impact

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Redsocks

• Query:

norm_id=RedSocks category="Sinkhole" | process geoip(destination_address) as country

2.510 LP_RedSocks Tor Connection


• Trigger Condition: A Tor connection is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Proxy

• ATT&CK ID: T1090

• Minimum Log Source Requirement: Redsocks

• Query:

norm_id=RedSocks category="tor" | process geoip(destination_address) as country


2.511 LP_RedSocks Trojan Connection


• Trigger Condition: A trojan event is detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Redsocks

• Query:

norm_id=RedSocks description="*trojan*" | process geoip(destination_address) as country

2.512 LP_Register new Logon Process by Rubeus


• Trigger Condition: Potential use of Rubeus via registered new trusted logon
process is detected. Adversaries abuse a valid Kerberos ticket-granting ticket (TGT)
or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be
vulnerable to Brute Force.

• ATT&CK Category: Lateral Movement, Privilege Escalation

• ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting

• ATT&CK ID: T1558, T1558.003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4611 logon_process="User32LogonProcesss" -user IN EXCLUDED_USERS

2.513 LP_Registry Persistence Mechanisms Detected


• Trigger Condition: Persistence registry keys under the CurrentVersion registry
path are detected. Adversaries establish persistence and/or elevate privileges
by executing malicious content triggered by Image File Execution Options (IFEO)
debuggers.

• ATT&CK Category: Privilege Escalation, Persistence


• ATT&CK Tag: Event Triggered Execution, Image File Execution Options Injection

• ATT&CK ID: T1546, T1546.012

• Minimum Log Source Requirement: Windows Sysmon

• Query:

event_id=13 target_object IN ["*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\GlobalFlag", "*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\ReportingMode", "*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess"] event_type="SetValue" -user IN EXCLUDED_USERS

2.514 LP_Registry Persistence via Explorer Run Key Detected

• Trigger Condition: Persistence mechanism using a RUN key for Windows Explorer
and pointing to a suspicious folder is detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup
Folder

• ATT&CK ID: T1547, T1547.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

event_id=13 target_object="*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" detail IN ["C:\Windows\Temp\*", "C:\ProgramData\*", "*\AppData\*", "C:\$Recycle.bin\*", "C:\Temp\*", "C:\Users\Public\*", "C:\Users\Default\*"] -user IN EXCLUDED_USERS

2.515 LP_Regsvcs-Regasm Detected


• Trigger Condition: An adversary abuses the trusted Windows command line
utilities regsvcs and regasm for proxy execution of code.

• ATT&CK Category: Defense Evasion


• ATT&CK Tag: Signed Binary Proxy Execution, Regsvcs/Regasm

• ATT&CK ID: T1218, T1218.009

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=3 (image="*regsvcs.exe" or image="*regasm.exe")

2.516 LP_Remote PowerShell Session


• Trigger Condition: Remote Command and Scripting Interpreter and PowerShell
sessions are detected by monitoring outbound network connections to ports 5985
or 5986 from network service accounts.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(norm_id=WinServer event_id IN ["4103", "400"] host="ServerRemoteHost" application="*wsmprovhost.exe*") OR (norm_id=WindowsSysmon event_id=1 (image="*\wsmprovhost.exe" OR parent_image="*\wsmprovhost.exe")) -user IN EXCLUDED_USERS | rename application as service

2.517 LP_Remote System Discovery


• Trigger Condition: Components like net.exe and ping.exe are used to list other
systems on a network by IP address, hostname, or other logical identifiers, in
preparation for Lateral Movement from the current system.

• ATT&CK Category: Discovery

• ATT&CK Tag: Remote System Discovery

• ATT&CK ID: T1018

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon (image="*net.exe" or image="*ping.exe") (command="*view*" or command="*ping*") -user IN EXCLUDED_USERS

2.518 LP_Renamed Binary Detected


• Trigger Condition: The execution of a renamed binary used by attackers or
malware is detected, leveraging the Sysmon OriginalFileName data point.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label="Process" label=Create file IN ["cmd.exe", "powershell.exe", "powershell_ise.exe", "psexec.exe", "psexec.c", "cscript.exe", "wscript.exe", "mshta.exe", "regsvr32.exe", "wmic.exe", "certutil.exe", "rundll32.exe", "cmstp.exe", "msiexec.exe", "7z.exe", "winrar.exe", "wevtutil.exe", "net.exe", "net1.exe"] -"process" IN ["*\cmd.exe", "*\powershell.exe", "*\powershell_ise.exe", "*\psexec.exe", "*\psexec64.exe", "*\cscript.exe", "*\wscript.exe", "*\mshta.exe", "*\regsvr32.exe", "*\wmic.exe", "*\certutil.exe", "*\rundll32.exe", "*\cmstp.exe", "*\msiexec.exe", "*\7z.exe", "*\winrar.exe", "*\wevtutil.exe", "*\net.exe", "*\net1.exe"]

2.519 LP_Renamed ProcDump Detected


• Trigger Condition: Execution of a renamed ProcDump executable used by
attackers or malware is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon file="procdump" -image IN ["*\procdump.exe", "*\procdump64.exe"]


2.520 LP_Renamed PsExec Detected


• Trigger Condition: Execution of a renamed PsExec used by attackers or malware is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon message="Execute processes remotely" product="Sysinternals PsExec" -image IN ["*\PsExec.exe", "*\PsExec64.exe"]
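The OriginalFileName-versus-image comparison shared by LP_Renamed Binary Detected, LP_Renamed ProcDump Detected and LP_Renamed PsExec Detected, as one added example that is not LogPoint's code. Records are constructed dicts using the queries' field names (file = OriginalFileName, image = full path, message and product as in the PsExec rule), and the event_id=1 check stands in for label="Process" label=Create.

```python
"""Added example, not LogPoint's code: evaluate the three renamed-tool rules
over constructed Sysmon process-creation records."""
from fnmatch import fnmatch

# OriginalFileName values and permitted on-disk names, copied from the
# LP_Renamed Binary Detected query. Sysmon reports PsExec's OriginalFileName as
# "psexec.c", which is why that entry appears next to "psexec.exe".
WATCHED_ORIGINAL_NAMES = {
    "cmd.exe", "powershell.exe", "powershell_ise.exe", "psexec.exe", "psexec.c",
    "cscript.exe", "wscript.exe", "mshta.exe", "regsvr32.exe", "wmic.exe",
    "certutil.exe", "rundll32.exe", "cmstp.exe", "msiexec.exe", "7z.exe",
    "winrar.exe", "wevtutil.exe", "net.exe", "net1.exe",
}
ALLOWED_IMAGE_PATTERNS = [
    "*\\cmd.exe", "*\\powershell.exe", "*\\powershell_ise.exe", "*\\psexec.exe",
    "*\\psexec64.exe", "*\\cscript.exe", "*\\wscript.exe", "*\\mshta.exe",
    "*\\regsvr32.exe", "*\\wmic.exe", "*\\certutil.exe", "*\\rundll32.exe",
    "*\\cmstp.exe", "*\\msiexec.exe", "*\\7z.exe", "*\\winrar.exe",
    "*\\wevtutil.exe", "*\\net.exe", "*\\net1.exe",
]


def _image_matches(ev, patterns):
    """Case-insensitive wildcard match of the image path against patterns."""
    image = ev.get("image", "").lower()
    return any(fnmatch(image, p) for p in patterns)


def renamed_binary(ev):
    """LP_Renamed Binary Detected: OriginalFileName is a watched tool but the
    image path is not one of that tool's known file names."""
    if ev.get("file", "").lower() not in WATCHED_ORIGINAL_NAMES:
        return False
    return not _image_matches(ev, ALLOWED_IMAGE_PATTERNS)


def renamed_procdump(ev):
    """LP_Renamed ProcDump Detected: file="procdump" but not procdump(64).exe."""
    return (ev.get("file", "").lower() == "procdump"
            and not _image_matches(ev, ["*\\procdump.exe", "*\\procdump64.exe"]))


def renamed_psexec(ev):
    """LP_Renamed PsExec Detected: the PE description and product identify
    PsExec but the image is neither PsExec.exe nor PsExec64.exe."""
    return (ev.get("message") == "Execute processes remotely"
            and ev.get("product") == "Sysinternals PsExec"
            and not _image_matches(ev, ["*\\psexec.exe", "*\\psexec64.exe"]))


RULES = [
    ("LP_Renamed Binary Detected", renamed_binary),
    ("LP_Renamed ProcDump Detected", renamed_procdump),
    ("LP_Renamed PsExec Detected", renamed_psexec),
]


def evaluate(events):
    """Return (rule name, image) for every rule each process-creation record
    trips; one record can trip more than one rule."""
    hits = []
    for ev in events:
        if ev.get("norm_id") != "WindowsSysmon" or ev.get("event_id") != 1:
            continue
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["image"]))
    return hits


def _ev(orig_name, image, **extra):
    """Build one constructed Sysmon process-creation record."""
    rec = {"norm_id": "WindowsSysmon", "event_id": 1, "file": orig_name, "image": image}
    rec.update(extra)
    return rec


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    _ev("cmd.exe", r"C:\Windows\System32\cmd.exe"),        # normal
    _ev("cmd.exe", r"C:\Users\Public\svchost.exe"),        # cmd.exe renamed
    _ev("psexec.c", r"C:\Tools\PsExec64.exe"),             # permitted 64-bit name
    _ev("procdump", r"C:\Temp\pd.exe"),                    # ProcDump renamed
    _ev("psexec.c", r"C:\Temp\ps.exe",                     # PsExec renamed
        message="Execute processes remotely", product="Sysinternals PsExec"),
    _ev("notepad.exe", r"C:\Users\bob\cmd.exe"),           # not a watched tool
]

if __name__ == "__main__":
    for name, image in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {image}")
```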

2.521 LP_Renamed ZOHO Dctask64 Detected


• Trigger Condition: Renamed dctask64.exe used for process injection, command
execution, and process creation with a signed binary by ZOHO Corporation is
detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 hash="6834B1B94E49701D77CCB3C0895E1AFD" -image="*\dctask64.exe" -user IN EXCLUDED_USERS

2.522 LP_REvil-Sodinokibi Ransomware Connection to Malicious Domains

• Trigger Condition: The connection to REvil-Sodinokibi Double Extortion
ransomware-related domains is detected. For the alert to work, you must use the
list REVIL_RANSOMWARE_DOMAINS, which includes IOC domains for Sodinokibi
ransomware.


• ATT&CK Category: Command and Control

• ATT&CK Tag: Proxy

• ATT&CK ID: T1090

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in REVIL_RANSOMWARE_DOMAINS

2.523 LP_REvil-Sodinokibi Ransomware Connection to Malicious Sources

• Trigger Condition: Hosts establishing an outbound connection to REvil-Sodinokibi
Double Extortion ransomware sources are detected. For the alert to work, you
must use the list REVIL_RANSOMWARE_IPS, which includes IOC IPs for Sodinokibi
ransomware.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Proxy

• ATT&CK ID: T1090

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

(destination_address IN REVIL_RANSOMWARE_IPS OR source_address IN REVIL_RANSOMWARE_IPS) | process geoip(destination_address) as country

2.524 LP_REvil-Sodinokibi Ransomware Exploitable Vulnerabilities Detected

• Trigger Condition: Vulnerability management detects the presence of
vulnerabilities linked to REvil-Sodinokibi ransomware. For the alert to work,
you must use the list REVIL_RANSOMWARE_CVE, which includes IOC CVE IDs for
Sodinokibi ransomware.

• ATT&CK Category: -


• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Vulnerability Management

• Query:

norm_id=VulnerabilityManagement cve_id IN REVIL_RANSOMWARE_CVE

2.525 LP_REvil-Sodinokibi Ransomware Infected Host Detected

• Trigger Condition: A REvil-Sodinokibi Double Extortion ransomware-infected host
is detected. For the alert to work, you must use the list REVIL_RANSOMWARE_CVE,
which includes IOC for Sodinokibi ransomware.

• ATT&CK Category: Impact

• ATT&CK Tag: Data Encrypted for Impact

• ATT&CK ID: T1486

• Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

• Query:

host=* hash=* hash IN REVIL_RANSOMWARE_HASHES

2.526 LP_RobbinHood Ransomware Exploitable Vulnerabilities Detected

• Trigger Condition: Vulnerability management detects GIGABYTE Drivers Elevation
of Privilege Vulnerabilities linked to RobbinHood ransomware.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Vulnerability Management

• Query:


norm_id=VulnerabilityManagement cve_id="*CVE-2018-19320*"

2.527 LP_Robbinhood Ransomware Infected Host Detected

• Trigger Condition: A RobbinHood ransomware-infected host is detected. For the
alert to work, you must use the list REVIL_RANSOMWARE_HASHES, which includes
IOC CVE IDs for Sodinokibi ransomware.

• ATT&CK Category: Impact

• ATT&CK Tag: Data Encrypted for Impact

• ATT&CK ID: T1486

• Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

• Query:

host=* hash=* hash IN ROBBINHOOD_RANSOMWARE_HASHES

2.528 LP_Rogue Access Point Detected


• Trigger Condition: A rogue access point is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Exploitation for Defense Evasion, Exploitation for Defense Evasion,
Software Discovery, Security Software Discovery

• ATT&CK ID: T1211, T1211, T1518, T1518.001

• Minimum Log Source Requirement: Firewall, IDS/IPS (ArubaOS, Cisco Controller)

• Query:

label=Accesspoint label=Rogue -label=Clear access_point=*


2.529 LP_RSA SecurID Account Lockout


• Trigger Condition: User’s account is locked after entering the wrong passcode
multiple times in a row.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Brute Force

• ATT&CK ID: T1110

• Minimum Log Source Requirement: RSA Secure ID

• Query:

norm_id=RSA_SecurID type=Runtime action=AUTHN_LOCKOUT_EVENT

2.530 LP_RSA SecurID Account Lockout


• Trigger Condition: User’s account is locked after entering the wrong passcode
multiple times in a row.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Brute Force

• ATT&CK ID: T1110

• Minimum Log Source Requirement: RSA Secure ID

• Query:

norm_id=RSA_SecurID type=Runtime action=AUTHN_LOCKOUT_EVENT

2.531 LP_Rubeus Hack Tool Detected


• Trigger Condition: Command line parameters like asreproast, dump,
impersonateuser, harvest, and other commands used by the Rubeus hack tool
are detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003


• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["* asreproast *", "* dump /service:krbtgt *", "* kerberoast *", "* createnetonly /program:*", "* ptt /ticket:*", "* /impersonateuser:*", "* renew /ticket:*", "* asktgt /user:*", "* harvest /interval:*"] -user IN EXCLUDED_USERS

2.532 LP_Run PowerShell Script from ADS Detected


• Trigger Condition: PowerShell script execution from Alternate Data Stream (ADS)
is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hide Artifacts, NTFS File Attributes

• ATT&CK ID: T1564, T1564.004

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\powershell.exe" image="*\powershell.exe" command="*Get-Content*" command="*-Stream*" -user IN EXCLUDED_USERS

2.533 LP_Rundll32 Internet Connection Detected


• Trigger Condition: A rundll32 process that communicates with public IP
addresses is detected.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Rundll32

• ATT&CK ID: T1218, T1218.011

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=3 image="*\rundll32.exe" initiated="true" -destination_address IN HOMENET -user IN EXCLUDED_USERS

2.534 LP_Ryuk Ransomware Affected Host


• Trigger Condition: Ryuk Ransomware infects a host. The alert uses the
RYUK_RANSOMWARE_HASH list to compare hash, pre-digest value, or digest in
the logs.

• ATT&CK Category: Impact

• ATT&CK Tag: Data Encrypted for Impact

• ATT&CK ID: T1486

• Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

• Query:

hash IN RYUK_RANSOMWARE_HASH OR pre_digest IN RYUK_RANSOMWARE_HASH OR digest IN RYUK_RANSOMWARE_HASH host=* | rename object as file

2.535 LP_SAM Registry Hive Dump via Reg Utility


• Trigger Condition: A handle to the SAM registry hive opened via the reg utility is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Query Registry

• ATT&CK ID: T1012

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4656 object_type="Key" object_name="*\SAM" "process"="*\reg.exe" -user IN EXCLUDED_USERS


2.536 LP_SAM Registry Hive Handle Request Detected


• Trigger Condition: A handle request to the SAM registry hive is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Query Registry

• ATT&CK ID: T1012

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4656 object_type="Key" object_name="*\SAM" -user IN EXCLUDED_USERS

2.537 LP_Scheduled Task Creation Detected


• Trigger Condition: The use of schtasks for the creation of scheduled tasks in a user
session is detected.

• ATT&CK Category: Execution, Persistence, Privilege Escalation

• ATT&CK Tag: Scheduled Task/Job, Scheduled Task

• ATT&CK ID: T1053, T1053.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\schtasks.exe" command="* /create *" -user="NT AUTHORITY\SYSTEM" -user IN EXCLUDED_USERS

2.538 LP_SCM Database Handle Failure Detected


• Trigger Condition: A non-system user fails to get a handle to the SCM database.

• ATT&CK Category: Impact

• ATT&CK Tag: Endpoint Denial of Service

• ATT&CK ID: T1499


• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4656 object_type="SC_MANAGER OBJECT" object_name="servicesactive" event_type="Audit Failure" logon_id="0x3e4" -user IN EXCLUDED_USERS

2.539 LP_SCM Database Privileged Operation Detected


• Trigger Condition: A non-system user performs a privileged operation on the
SCM database.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Account Control

• ATT&CK ID: T1548, T1548.002

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4674 object_type="SC_MANAGER OBJECT" object_name="servicesactive" privilege="SeTakeOwnershipPrivilege" logon_id="0x3e4" -user IN EXCLUDED_USERS

2.540 LP_Screensaver Activities Detected


• Trigger Condition: Adversaries use the screensaver executable to establish
persistence by executing malicious content triggered by user inactivity.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Event Triggered Execution, Screensaver

• ATT&CK ID: T1546, T1546.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\Control Panel\Desktop\SCRNSAVE.exe") (parent_command!="*explorer.exe" or image!="*rundll32.exe" or command!="*shell32.dll, Control_RunDLL desk.cpl, ScreenSaver, *") -user IN EXCLUDED_USERS


2.541 LP_Secure Deletion with SDelete


• Trigger Condition: LogPoint detects the renaming of a file during deletion
with the SDelete tool.

• ATT&CK Category: Defense Evasion, Impact

• ATT&CK Tag: Indicator Removal on Host, File Deletion, Obfuscated Files or
Information, Indicator Removal from Tools, Data Destruction, Subvert Trust
Controls, Code Signing

• ATT&CK ID: T1070, T1070.004, T1027, T1027.005, T1485, T1553, T1553.002

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id IN ["4656", "4663", "4658"] object_name IN ["*.AAA", "*.ZZZ"] -user IN EXCLUDED_USERS

2.542 LP_SecurityXploded Tool Detected


• Trigger Condition: Execution of the SecurityXploded tools.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (company="SecurityXploded" OR image="*PasswordDump.exe" OR file="*PasswordDump.exe") -user IN EXCLUDED_USERS

2.543 LP_Shadow Copy Creation Using OS Utilities Detected

• Trigger Condition: Creation of shadow copies using operating system utilities like PowerShell, wmic, and vssadmin is detected.

• ATT&CK Category: Credential Access


• ATT&CK Tag: OS Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 "process" IN ["*\powershell.exe", "*\wmic.exe", "*\vssadmin.exe"] command="*shadow*" command="*create*" -user IN EXCLUDED_USERS

2.544 LP_Signed Binary Proxy Execution - Network Detected

• Trigger Condition: Adversaries bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries using Windows components and commands like certutil and replace. Signed binary proxy execution is a technique that involves the use of a trusted, signed binary to execute malicious code. Adversaries may use this technique to bypass security controls and execute malicious code on a system without being detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Binary Proxy Execution

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=3 (image="*certutil.exe" or command="*certutil*script:http*://*" or image="*\replace.exe") -user IN EXCLUDED_USERS

2.545 LP_Signed Binary Proxy Execution - Process Detected

• Trigger Condition: Adversaries bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries using Windows components and commands like certutil or replace.

• ATT&CK Category: Defense Evasion


• ATT&CK Tag: Signed Binary Proxy Execution

• ATT&CK ID: T1218

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label="process" label=create ("process"="*mavinject.exe" or command="*\/injectrunning*" or command="*mavinject32*\/injectrunning*" or command="*certutil*script:http*://*" or command="*msiexec*http*://*") -user IN EXCLUDED_USERS

2.546 LP_Signed Script Proxy Execution


• Trigger Condition: Adversaries use scripts signed with trusted certificates for
proxy execution of malicious files using cscript, wscript, certutil, and jjs.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Signed Script Proxy Execution

• ATT&CK ID: T1216

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon image IN ["*cscript*", "*wscript*", "*certutil*", "*jjs"] command!="* /nologo *MonitorKnowledgeDiscovery.vbs*" -user IN EXCLUDED_USERS

2.547 LP_SILENTTRINITY Stager Execution Detected


• Trigger Condition: The use of SILENTTRINITY stager is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: System Services, Service Execution

• ATT&CK ID: T1569, T1569.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:


(event_id=7 OR event_id="1") message="*st2stager*"

2.548 LP_smbexec Service Installation Detected


• Trigger Condition: smbexec.py tool is detected by identifying a specific service
installation.

• ATT&CK Category: Lateral Movement, Execution

• ATT&CK Tag: Remote Services, System Services, Service Execution

• ATT&CK ID: T1021, T1569, T1569.002

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=7045 service="BTOBTO" service="*\execute.bat" -user IN EXCLUDED_USERS

2.549 LP_SolarisLDAP Group Remove from LDAP Detected

• Trigger Condition: The removal of a group from LDAP is detected.

• ATT&CK Category: Credential Access, Persistence, Impact, Defense Evasion

• ATT&CK Tag: Account Manipulation, Account Access Removal

• ATT&CK ID: T1098, T1531

• Minimum Log Source Requirement: Solaris LDAP

• Query:

norm_id=SolarisLDAP label=Remove label=Member label=Management label=Group


2.550 LP_SolarisLDAP Possible Bruteforce Attack Detected

• Trigger Condition: Bruteforcing of a user’s LDAP credentials is detected.

• ATT&CK Category: Credential Access, Persistence

• ATT&CK Tag: Brute Force, Forced Authentication, Valid Accounts, Account Manipulation

• ATT&CK ID: T1110, T1110.001, T1110.002, T1110.004, T1187, T1078, T1098

• Minimum Log Source Requirement: Solaris LDAP

• Query:

norm_id=SolarisLDAP label=User (label=Login OR label=Authentication) label=Fail | chart count() as cnt by user | search cnt > 5

2.551 LP_SolarisLDAP User Account Lockout Detected


• Trigger Condition: A locked user account is detected.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Valid Accounts, Abuse Elevation Control Mechanism, Bypass User
Access Control

• ATT&CK ID: T1078, T1548

• Minimum Log Source Requirement: Solaris LDAP

• Query:

norm_id=SolarisLDAP label=User label=Account label=Lock

2.552 LP_Sophos XG Firewall - Inbound Attack Detected by IDP

• Trigger Condition: An inbound attack defined in IDP policy is detected.

• ATT&CK Category: Impact


• ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service

• ATT&CK ID: T1498, T1499

• Minimum Log Source Requirement: Sophos XG Firewall

• Query:

norm_id=SophosXGFirewall label=Attack label=Detect label=IDP destination_address=* -source_address in HOMENET | process geoip(source_address) as country

2.553 LP_Sophos XG Firewall - Outbound Attack Detected by IDP

• Trigger Condition: An outbound attack defined in IDP policy is detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Network Denial of Service, Endpoint Denial of Service

• ATT&CK ID: T1498, T1499

• Minimum Log Source Requirement: Sophos XG Firewall

• Query:

norm_id=SophosXGFirewall label=Attack label=Detect label=IDP destination_address=* -destination_address in HOMENET | process geoip(destination_address) as country

2.554 LP_SophosUTM Policy Violation


• Trigger Condition: Different policy violations from a source are detected. For this alert to work, the following lists must be updated:

– EXTREMIST_CONTENT, for example, weapons.
– CONCERNED_CONTENT, for example, alcohol, tobacco, gambling, and so on.
– CRIMINAL_CONTENT, for example, hacking, drugs, and so on.
– VULNERABLE_CONTENT, for example, abuse, and so on.

• ATT&CK Category: Defense Evasion, Privilege Escalation, Credential Access


• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control,
Group Policy Modification, Exploitation for Credential Access, Exploitation for
Privilege Escalation

• ATT&CK ID: T1548, T1484, T1212, T1068

• Minimum Log Source Requirement: Sophos UTM

• Query:

norm_id=SophosUTM category_name=* source_address=* | chart count(category_name IN EXTREMIST_CONTENT) as Extremist, count(category_name IN CONCERNED_CONTENT) as Concerning, count(category_name IN CRIMINAL_CONTENT) as Criminal, count(category_name IN VULNERABLE_CONTENT) as Vulnerable by source_address, user | chart sum(Extremist+Concerning+Criminal+Vulnerable) as Violation by Extremist, Concerning, Criminal, Vulnerable, source_address, user order by Violation | search Violation>1

2.555 LP_SourceFire DNS Tunneling Detection - Multiple domains

• Trigger Condition: A source address querying more than 50 distinct domains is detected.

• ATT&CK Category: Impact, Command and Control

• ATT&CK Tag: Network Denial of Service, Proxy, Domain Fronting

• ATT&CK ID: T1498, T1090, T1090.004, T1568, T1568.002

• Minimum Log Source Requirement: Sourcefire

• Query:

norm_id=SourceFire domain=* -domain in HOME_DOMAIN | norm on message <:all><:'(?i)dns request'><:all><:'domain'><domain:string> | chart distinct_count(domain) as DomainCount by source_address | search DomainCount > 50

2.556 LP_SSHD Connection Denied


• Trigger Condition: Ten denied connections are detected from the same source.

• ATT&CK Category: Lateral Movement, Command and Control, Impact


• ATT&CK Tag: Remote Services, Commonly Used Port, Network Denial of Service,
Endpoint Denial of Service

• ATT&CK ID: T1021, T1498, T1499

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

[10 norm_id=Unix label=Connection label=Deny having same source_address within 10 seconds]

2.557 LP_Stealthy Scheduled Task Creation via VBA Macro Detected

• Trigger Condition: Creation of stealthy scheduled tasks via VBA macro is detected.

• ATT&CK Category: Execution, Persistence, Privilege Escalation

• ATT&CK Tag: Scheduled Task/Job, Scheduled Task

• ATT&CK ID: T1053, T1053.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 image="*taskschd.dll" source_image in ["*winword.exe", "*excel.exe", "*powerpnt.exe", "*outlook.exe"] -user IN EXCLUDED_USERS

2.558 LP_Sticky Key Like Backdoor Usage Detected


• Trigger Condition: The use and installation of a backdoor that registers a malicious debugger for built-in tools accessible on the login screen is detected. Sticky Keys is a Windows accessibility feature that allows a user to press a modifier key (for example, Shift, Ctrl, or Alt) and have it remain active until another key is pressed. Adversaries may use a sticky-key-like backdoor to gain unauthorized access to a system by pressing a specific combination of keys. This can allow them to execute malicious code or bypass security controls.

• ATT&CK Category: Privilege Escalation, Persistence

• ATT&CK Tag: Event Triggered Execution, Accessibility Features


• ATT&CK ID: T1546, T1546.008

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(norm_id=WindowsSysmon event_id=13 target_object IN ["*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\Debugger"] event_type="SetValue") OR (event_id=1 parent_image="*\winlogon.exe" command IN ["*cmd.exe sethc.exe *", "*cmd.exe utilman.exe *", "*cmd.exe osk.exe *", "*cmd.exe Magnify.exe *", "*cmd.exe Narrator.exe *", "*cmd.exe DisplaySwitch.exe *"])

2.559 LP_StoneDrill Service Install Detected


• Trigger Condition: Service installation of the malicious Microsoft Network Realtime Inspection Service described in the StoneDrill report by Kaspersky is detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: New Service

• ATT&CK ID: T1543

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=7045 service_type="NtsSrv" service="* LocalService" -user IN EXCLUDED_USERS

2.560 LP_Stop Windows Service Detected


• Trigger Condition: Windows Service stops.

• ATT&CK Category: Impact

• ATT&CK Tag: Service Stop

• ATT&CK ID: T1489

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 image IN ["*\sc.exe", "*\net.exe", "*\net1.exe"] command="*stop*" -user IN EXCLUDED_USERS

2.561 LP_Successful Lateral Movement to Administrator via Pass the Hash using Mimikatz Detected

• Trigger Condition: Lateral movement successfully compromises the admin account via the Pass the Hash method.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Use Alternate Authentication Material, Pass the Hash

• ATT&CK ID: T1550, T1550.002

• Minimum Log Source Requirement: Windows

• Query:

[norm_id=WinServer event_id=4624 logon_type=9 logon_process=seclogo package=Negotiate label=User label=Login label=Successful -user IN EXCLUDED_USERS] as s1 followed by [norm_id=WinServer event_id=4672 label=Privilege label=Assign] as s2 on s1.user=s2.user | rename s1.log_ts as log_ts, s1.user as user, s1.domain as domain, s1.user_id as user_id, s1.host as host

2.562 LP_Successful Overpass the Hash Attempt


• Trigger Condition: Successful logon with logon type 9 (NewCredentials), which
matches the Overpass the Hash behavior of Mimikatz’s sekurlsa::pth module is
detected.

• ATT&CK Category: Lateral Movement, Defense Evasion

• ATT&CK Tag: Use Alternate Authentication Material, Pass the Hash

• ATT&CK ID: T1550, T1550.002

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4624 logon_type="9" logon_process="seclogo" package="Negotiate" -user IN EXCLUDED_USERS


2.563 LP_Suspect Svchost Activity Detected


• Trigger Condition: Suspect svchost activity is detected. It is abnormal for svchost.exe to spawn without any CLI arguments; this is observed when a malicious process spawns svchost.exe and injects code into its memory space.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 -command=* image="*\svchost.exe" -parent_image IN ["*\rpcnet.exe", "*\rpcnetp.exe"] -user IN EXCLUDED_USERS

2.564 LP_Suspect Svchost Memory Access


• Trigger Condition: Access to svchost process memory, such as that used by Invoke-Phantom to kill the WinRM Windows event logging service, is detected. The “svchost.exe” process is a legitimate system process that hosts multiple Windows services. However, adversaries may use this process to execute malicious code or gain unauthorized system access.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Disable or Modify Tools

• ATT&CK ID: T1562, T1562.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=10 image="*\windows\system32\svchost.exe" access="0x1f3fff" call_trace="*unknown*" -user IN EXCLUDED_USERS


2.565 LP_Suspicious Access to Sensitive File Extensions


• Trigger Condition: Sensitive file extensions are detected.
• ATT&CK Category: Collection
• ATT&CK Tag: Data Staged
• ATT&CK ID: T1074
• Minimum Log Source Requirement: Windows
• Query:

norm_id=WinServer event_id=5145 relative_target IN ["*.pst", "*.ost", "*.msg", "*.nst", "*.oab", "*.edb", "*.nsf", "*.bak", "*.dmp", "*.kirbi", "*\groups.xml", "*.rdp"] -user IN EXCLUDED_USERS

2.566 LP_Suspicious Calculator Usage Detected


• Trigger Condition: The use of calc.exe with command line parameters or in a
suspicious directory, which is likely caused by some PoC or detection evasion, is
detected.
• ATT&CK Category: Defense Evasion
• ATT&CK Tag: Masquerading
• ATT&CK ID: T1036
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=1 (command="*\calc.exe *" OR (event_id=1 image="*\calc.exe" -image="*\Windows\Sys*")) -user IN EXCLUDED_USERS

2.567 LP_Suspicious Call by Ordinal Detected


• Trigger Condition: Suspicious calls of DLL exports through rundll32 by ordinal are detected. This search looks for execution via rundll32. Adversaries may abuse rundll32.exe to proxy the execution of malicious code. Using rundll32.exe, instead of executing directly, may avoid triggering security tools that do not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations.


• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Rundll32

• ATT&CK ID: T1218, T1218.011

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WinServer event_id=4688 "process"="*\rundll32.exe" command IN ["*,#*", "*, #*", "*.dll #*", "*.ocx #*"] -command IN ["*EDGEHTML.DLL*", "*#141*"] -user IN EXCLUDED_USERS

2.568 LP_Suspicious Certutil Command Detected


• Trigger Condition: Execution of Microsoft certutil with subcommands like decode, which can be used to decode malicious code with the built-in certutil utility, is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Deobfuscate/Decode Files or Information, Remote File Copy

• ATT&CK ID: T1140, T1105

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label="process" label=create command IN ["* -decode *", "* /decode *", "* -decodehex *", "* /decodehex *", "* -urlcache *", "* /urlcache *", "* -verifyctl *", "* /verifyctl *", "* -encode *", "* /encode *", "*certutil* -URL*", "*certutil* /URL*", "*certutil* -ping*", "*certutil* /ping*"] -user IN EXCLUDED_USERS

2.569 LP_Suspicious Code Page Switch Detected


• Trigger Condition: A code page switch to a rare language in a command line or batch script is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Deobfuscate/Decode Files or Information

• ATT&CK ID: T1140

• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=1 command IN ["chcp* 936", "chcp* 1258"] -user IN EXCLUDED_USERS

2.570 LP_Suspicious Commandline Escape Detected


• Trigger Condition: Suspicious processes that use escape characters in the command line are detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Deobfuscate/Decode Files or Information

• ATT&CK ID: T1140

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*h^t^t^p*", "*h\t\t\p*"] -user IN EXCLUDED_USERS

2.571 LP_Suspicious Compression Tool Parameters


• Trigger Condition: Suspicious command line arguments of data compression tools
are detected.

• ATT&CK Category: Collection

• ATT&CK Tag: Automated Exfiltration, Data Compressed, Archive Collected Data

• ATT&CK ID: T1020, T1560

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 file IN ["7z*.exe", "*rar.exe", "*Command*Line*RAR*"] command IN ["* -p*", "* -ta*", "* -tb*", "* -sdel*", "* -dw*", "* -hp*"] -parent_image="C:\Program*" -user IN EXCLUDED_USERS


2.572 LP_Suspicious Control Panel DLL Load Detected


• Trigger Condition: Suspicious Signed Binary Proxy Execution via rundll32 launched from control.exe, as used by Equation Group and exploit kits, is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading, Signed Binary Proxy Execution, Rundll32

• ATT&CK ID: T1574, T1574.002, T1218, T1218.011

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\System32\control.exe" command="*\rundll32.exe *" -command="*Shell32.dll*" -user IN EXCLUDED_USERS

2.573 LP_Suspicious Csc Source File Folder Detected


• Trigger Condition: Execution of csc.exe that uses a source in a suspicious folder, for example AppData, is detected.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Obfuscated Files or Information, Compile After Delivery, User Execution

• ATT&CK ID: T1027, T1027.004, T1204

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create "process"="*\csc.exe" command IN ["*\AppData\*", "*\Windows\Temp\*"] -(parent_process="*:\Program Files*" parent_process in ["*\sdiagnhost.exe", "*\w3wp.exe", "*\choco.exe"]) -user IN EXCLUDED_USERS

2.574 LP_Suspicious Debugger Registration Detected


• Trigger Condition: Registration of a debugger for a program available on the logon screen (sticky key backdoor) is detected.


• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Obfuscated Files or Information, Compile After Delivery

• ATT&CK ID: T1027, T1027.004

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label="process" label=create command IN ["*\CurrentVersion\Image File Execution Options\sethc.exe*", "*\CurrentVersion\Image File Execution Options\utilman.exe*", "*\CurrentVersion\Image File Execution Options\osk.exe*", "*\CurrentVersion\Image File Execution Options\magnify.exe*", "*\CurrentVersion\Image File Execution Options\narrator.exe*", "*\CurrentVersion\Image File Execution Options\displayswitch.exe*", "*\CurrentVersion\Image File Execution Options\atbroker.exe*"]

2.575 LP_Suspicious Double Extension Detected


• Trigger Condition: The use of a double file extension ending in .exe is detected. The query searches for double extensions in the process name and in the command line.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Double File Extension

• ATT&CK ID: T1036.007

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create ("process" IN ["*.doc.exe", "*.docx.exe", "*.tmp.bat", "*.xls.exe", "*.bat.exe", "*.xlsx.exe", "*.ppt.exe", "*.pptx.exe", "*.rtf.exe", "*.pdf.exe", "*.bat.exe", "*.txt.exe", "* .exe", "*______.exe"] OR command IN ["*.doc.exe", "*.docx.exe", "*.tmp.bat", "*.xls.exe", "*.bat.exe", "*.xlsx.exe", "*.ppt.exe", "*.pptx.exe", "*.rtf.exe", "*.pdf.exe", "*.bat.exe", "*.txt.exe", "* .exe", "*______.exe"])

2.576 LP_Suspicious Driver Load from Temp


• Trigger Condition: Driver load from a temporary directory is detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: New Service


• ATT&CK ID: T1543

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=6 image="*\Temp\*" -user IN EXCLUDED_USERS

2.577 LP_Suspicious Eventlog Clear or Configuration Using Wevtutil Detected

• Trigger Condition: Clearing or configuration of event logs using wevtutil, PowerShell, or wmic is detected. It is used by ransomware during attacks, as seen with NotPetya and others.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Indicator Removal on Host

• ATT&CK ID: T1070

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label="Process" label=Create ((("process" IN ["*\powershell.exe", "*\pwsh.exe*"] command IN ["*Clear-EventLog*", "*Remove-EventLog*", "*Limit-EventLog*", "*Clear-WinEvent*"]) OR ("process"="*\wmic.exe" command="* ClearEventLog *")) OR ("process"="*\wevtutil.exe" command IN ["*clear-log*", "* cl *", "*set-log*", "* sl *"])) -user IN EXCLUDED_USERS

2.578 LP_Suspicious Execution from Outlook


• Trigger Condition: Use of EnableUnsafeClientMailRules for script execution from Outlook is detected.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Command and Scripting Interpreter, Indirect Command Execution

• ATT&CK ID: T1059, T1202

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:


label="Process" label=Create (command="*EnableUnsafeClientMailRules*" OR (parent_process="*\outlook.exe" command="\\*\*.exe")) -user IN EXCLUDED_USERS

2.579 LP_Suspicious GUP Usage Detected


• Trigger Condition: Execution of the Notepad++ updater from a suspicious directory, as used in DLL side-loading attacks, is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

• ATT&CK ID: T1574, T1574.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\GUP.exe" -image IN ["C:\Users\*\AppData\Local\Notepad++\updater\gup.exe", "C:\Users\*\AppData\Roaming\Notepad++\updater\gup.exe", "C:\Program Files\Notepad++\updater\gup.exe", "C:\Program Files (x86)\Notepad++\updater\gup.exe"] -user IN EXCLUDED_USERS

2.580 LP_Suspicious HWP Sub Processes Detected


• Trigger Condition: Hangul Word Processor (Hanword) sub-processes that could
indicate exploitation are detected.

• ATT&CK Category: Execution, Defense Evasion, Initial Access

• ATT&CK Tag: Command-Line Interface, Indirect Command Execution, Phishing, Spearphishing Attachment

• ATT&CK ID: T1059, T1202, T1566, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\Hwp.exe" image="*\gbb.exe" -user IN EXCLUDED_USERS


2.581 LP_Suspicious In-Memory Module Execution Detected

• Trigger Condition: Access to processes by other suspicious processes that have reflectively loaded libraries in their memory space is detected.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=10 (call_trace IN ["C:\Windows\SYSTEM32\ntdll.dll+*", "C:\Windows\System32\KERNELBASE.dll+*", "*UNKNOWN(*)"] OR (call_trace="*UNKNOWN*" access IN ["0x1F0FFF", "0x1F1FFF", "0x143A", "0x1410", "0x1010", "0x1F2FFF", "0x1F3FFF", "0x1FFFFF"])) -user IN EXCLUDED_USERS

2.582 LP_Suspicious Kerberos RC4 Ticket Encryption


• Trigger Condition: Service ticket requests using the RC4 encryption type are
detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting

• ATT&CK ID: T1558, T1558.003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4769 ticket_option="0x40810000" Encryption_type="0x17" -service="$*" -user IN EXCLUDED_USERS

2.583 LP_Suspicious Keyboard Layout Load Detected


• Trigger Condition: Keyboard preload installation with a suspicious keyboard layout
is detected. For example, Chinese, Iranian, or Vietnamese layout load in user
sessions on systems maintained by US staff only.


• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

event_id=13 target_object IN ["*\Keyboard Layout\Preload\\*", "*\Keyboard Layout\Substitutes\\*"] detail IN ["*00000429*", "*00050429*", "*0000042a*"] -user IN EXCLUDED_USERS

2.584 LP_Suspicious MsiExec Directory Detected


• Trigger Condition: Suspicious msiexec process starting in a different directory is
detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\msiexec.exe" -image IN ["C:\Windows\System32\*", "C:\Windows\SysWOW64\*", "C:\Windows\WinSxS\*"] -user IN EXCLUDED_USERS

2.585 LP_Suspicious Named Pipes Detected


• Trigger Condition: Suspicious named pipes are detected.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon

• Query:


event_id IN ["17", "18"] pipe IN ["\isapi_http", "\isapi_dg", "\isapi_dg2", "\sdlrpc", "\ahexec", "\winsession", "\lsassw", "\46a676ab7f179e511e30dd2dc41bd388", "\9f81f59bc58452127884ce513865ed20", "\e710f28d59aa529d6792ca6ff0ca1b34", "\rpchlp_3", "\NamePipe_MoreWindows", "\pcheap_reuse", "\msagent_*", "\gruntsvc", "*\PSEXESVC*", "*\PowerShellISEPipeName_*", "*\csexec*", "*\paexec*", "*\remcom*"] -user IN EXCLUDED_USERS

2.586 LP_Suspicious Outbound Kerberos Connection


• Trigger Condition: Outbound network activity via the Kerberos default port, indicating possible lateral movement or first-stage privilege escalation via delegation, is detected.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting

• ATT&CK ID: T1558, T1558.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=Windows* (event_id=3 OR event_id=5156) destination_port="88" -image IN ["*\lsass.exe", "*\opera.exe", "*\chrome.exe", "*\firefox.exe"] -user IN EXCLUDED_USERS

2.587 LP_Suspicious Outbound RDP Connections Detected

• Trigger Condition: Non-standard tools connecting to TCP port 3389, indicating possible lateral movement, are detected.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Exploitation of Remote Services

• ATT&CK ID: T1210

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=3 destination_port="3389" initiated="true" -image IN ["*\mstsc.exe", "*\RTSApp.exe", "*\RTS2App.exe", "*\RDCMan.exe", "*\ws_TunnelService.exe", "*\RSSensor.exe", "*\RemoteDesktopManagerFree.exe", "*\RemoteDesktopManager.exe", "*\RemoteDesktopManager64.exe", "*\mRemoteNG.exe", "*\mRemote.exe", "*\Terminals.exe", "*\spiceworks-finder.exe", "*\FSDiscovery.exe", "*\FSAssessment.exe", "*\MobaRTE.exe", "*\chrome.exe", "*\thor.exe", "*\thor64.exe"] -user IN EXCLUDED_USERS

2.588 LP_Suspicious Parent of Csc Detected


• Trigger Condition: A suspicious parent of csc.exe, which is a sign of payload delivery, is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\csc.exe*" parent_image IN ["*\wscript.exe", "*\cscript.exe", "*\mshta.exe"] -user IN EXCLUDED_USERS

2.589 LP_Suspicious PowerShell Invocation Based on Parent Process

• Trigger Condition: PowerShell invocations from interpreters or unusual programs like wscript or the IIS worker process (w3wp.exe) are detected. Admins can add other suspicious parent processes to increase visibility.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:


label="process" label=create parent_process IN ["*\mshta.exe", "*\wscript.exe", "*\cscript.exe", "*\rundll32.exe", "*\regsvr32.exe", "*\services.exe", "*\winword.exe", "*\wmiprvse.exe", "*\powerpnt.exe", "*\excel.exe", "*\msaccess.exe", "*\mspub.exe", "*\visio.exe", "*\outlook.exe", "*\amigo.exe", "*\chrome.exe", "*\firefox.exe", "*\iexplore.exe", "*\microsoftedgecp.exe", "*\microsoftedge.exe", "*\browser.exe", "*\vivaldi.exe", "*\safari.exe", "*\sqlagent.exe", "*\sqlserver.exe", "*\sqlservr.exe", "*\w3wp.exe", "*\httpd.exe", "*\nginx.exe", "*\php-cgi.exe", "*\jbosssvc.exe", "*MicrosoftEdgeSH.exe", "*tomcat*"] "process"="*\powershell.exe" -path="*\Health Service State\*" (command IN ["*powershell*", "*pwsh*"]) -user IN EXCLUDED_USERS

2.590 LP_Suspicious PowerShell Parameter Substring Detected

• Trigger Condition: Suspicious Command and Scripting Interpreter and PowerShell invocation with a parameter substring is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label=create label="process" "process"="*\powershell.exe" command IN ["* -en*", "* -ec *", "* -noni*", "* -nop*", "* -exe* bypass*", "* -ep bypass*", "* -win* hid*", "* -w hid*", "* -sta *"]

2.591 LP_Suspicious Process Start Locations Detected


• Trigger Condition: Execution of processes from unusual locations like the Recycle Bin or the Fonts folder is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 image IN ["*:\RECYCLER\*", "*:\SystemVolumeInformation\*", "C:\Windows\Tasks\*", "C:\Windows\debug\*", "C:\Windows\fonts\*", "C:\Windows\help\*", "C:\Windows\drivers\*", "C:\Windows\addins\*", "C:\Windows\cursors\*", "C:\Windows\system32\tasks\*", "*\Windows\IME\*", "C:\Perflogs\*", "*\Windows\IME\*"] -user IN EXCLUDED_USERS

2.592 LP_Suspicious Program Location with Network Connections

• Trigger Condition: Network connections from programs running in suspicious file system locations are detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=3 image IN ["*\$Recycle.bin", "*\Users\All Users\*", "*\Users\Default\*", "*\Users\Public\*", "*\Users\Contacts\*", "*\Users\Searches\*", "C:\Perflogs\*", "*\config\systemprofile\*", "*\Windows\Fonts\*", "*\Windows\IME\*", "*\Windows\addins\*"] -user IN EXCLUDED_USERS

2.593 LP_Suspicious PsExec Execution Detected


• Trigger Condition: Execution of psexec or paexec with a renamed service name is detected. This rule helps filter out the noise if psexec is used for legitimate purposes, or if an attacker uses a psexec client other than the Sysinternals one.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Services

• ATT&CK ID: T1021

• Minimum Log Source Requirement: Windows

• Query:


norm_id=WinServer event_id=5145 share_name="IPC$" relative_target IN ["*-stdin", "*-stdout", "*-stderr"] -relative_target="PSEXESVC*" -user IN EXCLUDED_USERS

2.594 LP_Suspicious RDP Redirect Using TSCON Detected


• Trigger Condition: A suspicious RDP session redirect using tscon.exe is detected.
• ATT&CK Category: Lateral Movement, Privilege Escalation
• ATT&CK Tag: Remote Services, Remote Desktop Protocol
• ATT&CK ID: T1021, T1021.001
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=1 command="* /dest:rdp-tcp:*" -user IN EXCLUDED_USERS

2.595 LP_Suspicious Remote Thread Created


• Trigger Condition: Suspicious processes (like word.exe or outlook.exe) creating remote threads in other processes are detected. This technique is used by malware to inject code and hide in other processes. The event indicates the source and target process and gives information on the code that will run in the new thread: StartAddress, StartModule and StartFunction.
• ATT&CK Category: Privilege Escalation
• ATT&CK Tag: Process Injection
• ATT&CK ID: T1055
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=8 source_image IN ["*\bash.exe", "*\cvtres.exe", "*\defrag.exe", "*\dnx.exe", "*\esentutl.exe", "*\excel.exe", "*\expand.exe", "*\explorer.exe", "*\find.exe", "*\findstr.exe", "*\forfiles.exe", "*\git.exe", "*\gpupdate.exe", "*\hh.exe", "*\iexplore.exe", "*\installutil.exe", "*\lync.exe", "*\makecab.exe", "*\mDNSResponder.exe", "*\monitoringhost.exe", "*\msbuild.exe", "*\mshta.exe", "*\msiexec.exe", "*\mspaint.exe", "*\outlook.exe", "*\ping.exe", "*\powerpnt.exe", "*\powershell.exe", "*\provtool.exe", "*\python.exe", "*\regsvr32.exe", "*\robocopy.exe", "*\runonce.exe", "*\sapcimc.exe", "*\schtasks.exe", "*\smartscreen.exe", "*\spoolsv.exe", "*\tstheme.exe", "*\userinit.exe", "*\vssadmin.exe", "*\vssvc.exe", "*\w3wp.exe*", "*\winlogon.exe", "*\winscp.exe", "*\wmic.exe", "*\word.exe", "*\wscript.exe"] -source_image="*Visual Studio*" -user IN EXCLUDED_USERS

2.596 LP_Suspicious RUN Key from Download Detected


• Trigger Condition: Suspicious RUN keys created by software located in the Downloads directory or the temporary Outlook/Internet Explorer directories are detected.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: Boot or Logon Autostart Execution, Registry Run Keys/Startup Folder

• ATT&CK ID: T1547, T1547.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=13 image IN ["*\Downloads\*", "*\Temporary Internet Files\Content.Outlook\*", "*\Local Settings\Temporary Internet Files\*"] target_object="*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*" -user IN EXCLUDED_USERS

2.597 LP_Suspicious Rundll32 Activity Detected


• Trigger Condition: Processes related to the RunDLL32 system binary are detected based on their command-line arguments. Adversaries may abuse RunDLL32 to proxy code execution and avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Whitelisting is required due to the inherent system noise of RunDLL32.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Signed Binary Proxy Execution, Rundll32

• ATT&CK ID: T1218, T1218.011

• Minimum Log Source Requirement: Windows Sysmon


• Query:

label="process" label=create ((command IN ["*\rundll32.exe* url.dll, *OpenURL *", "*\rundll32.exe* url.dll, *OpenURLA *", "*\rundll32.exe* url.dll, *FileProtocolHandler *", "*\rundll32.exe* zipfldr.dll, *RouteTheCall *", "*\rundll32.exe* Shell32.dll, *Control_RunDLL *", "*\rundll32.exe javascript:*", "* url.dll, *OpenURL *", "* url.dll, *OpenURLA *", "* url.dll, *FileProtocolHandler *", "* zipfldr.dll, *RouteTheCall *", "* Shell32.dll, *Control_RunDLL *", "* javascript:*", "*.RegisterXLL*", "*\rundll32*C:\PerfLogs\*", "*\rundll32*C:\ProgramData\*", "*\rundll32*\AppData\Local\Temp\*"]) OR ("process"="*\rundll32.exe" parent_process IN ["*\cmd.exe", "*\powershell.exe"] parent_command="*.lnk*" parent_command IN ["* /c *", "* /k *"] parent_command IN ["C:\ProgramData\", "*\AppData\Local\Temp\*", "*\AppData\Roaming\Temp\*", "C:\Users\Public\", "C:\Windows\tracing\"])) -user IN EXCLUDED_USERS

2.598 LP_Suspicious Scripting in a WMI Consumer


• Trigger Condition: Suspicious scripting in WMI Event Consumers is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=20 destination IN ["*new-object .webclient).downloadstring(*", "*new-object .webclient).downloadfile(*", "*new-object net.webclient).downloadstring(*", "*new-object net.webclient).downloadfile(*", "* iex(*", "*WScript.shell*", "* -nop *", "* -noprofile *", "* -decode *", "* -enc *"] -user IN EXCLUDED_USERS

2.599 LP_Suspicious Service Path Modification Detected


• Trigger Condition: Modification of a service path to PowerShell or cmd is detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: Modify Existing Service

• ATT&CK ID: T1569, T1569.002

• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=1 image="*\sc.exe" command IN ["*powershell*", "*cmd*"] command IN ["*binpath*", "*config*"] -user IN EXCLUDED_USERS

2.600 LP_Suspicious Svchost Process Detected


• Trigger Condition: Suspicious svchost process starts are detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading, Match Legitimate Name or Location

• ATT&CK ID: T1036, T1036.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\svchost.exe" -parent_image IN ["*\services.exe", "*\MsMpEng.exe", "*\Mrt.exe", "*\rpcnet.exe", "*\svchost.exe"] parent_image=* -user IN EXCLUDED_USERS

2.601 LP_Suspicious SYSVOL Domain Group Policy Access


• Trigger Condition: Access to Domain Group Policies stored in SYSVOL detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Unsecured Credentials, Group Policy Preferences

• ATT&CK ID: T1552, T1552.006

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command="*\SYSVOL\*\policies\*" -user IN EXCLUDED_USERS


2.602 LP_Suspicious TSCON Start


• Trigger Condition: tscon.exe process execution as LOCAL SYSTEM is detected. If tscon.exe runs as SYSTEM, users can gain access to the currently logged-in session without credentials.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Remote Access Software

• ATT&CK ID: T1219

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 user="SYSTEM" image="*\tscon.exe" -user IN EXCLUDED_USERS

2.603 LP_Suspicious Typical Malware Back Connect Ports Detected

• Trigger Condition: Programs connecting to typical malware back-connect ports, based on statistical analysis from two different sandbox system databases, are detected.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Non-Standard Port

• ATT&CK ID: T1571

• Minimum Log Source Requirement: Windows Sysmon

• Query:

destination_port IN ["4443", "2448", "8143", "1777", "1443", "243", "65535", "13506", "3360", "200", "198", "49180", "13507", "6625", "4444", "4438", "1904", "13505", "13504", "12102", "9631", "5445", "2443", "777", "13394", "13145", "12103", "5552", "3939", "3675", "666", "473", "5649", "4455", "4433", "1817", "100", "65520", "1960", "1515", "743", "700", "14154", "14103", "14102", "12322", "10101", "7210", "4040", "9943"] -image="*\Program Files*" -destination_address IN HOMENET -user IN EXCLUDED_USERS


2.604 LP_Suspicious CSharp or FSharp Interactive Console Execution

• Trigger Condition: Execution of the CSharp or FSharp interactive console by scripting utilities like WScript or PowerShell is detected. The alert warns of attackers using the .NET Framework for offensive purposes.
• ATT&CK Category: Defense Evasion
• ATT&CK Tag: Trusted Developer Utilities
• ATT&CK ID: T1127
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=1 image IN ["*\csi.exe", "*\fsi.exe"] parent_image IN ["*\cmd.exe", "*\powershell.exe", "*\wscript.exe", "*\cscript.exe"] -user IN EXCLUDED_USERS

2.605 LP_Suspicious Userinit Child Process


• Trigger Condition: Suspicious child process of userinit is detected.
• ATT&CK Category: Defense Evasion
• ATT&CK Tag: Masquerading
• ATT&CK ID: T1036
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\userinit.exe" -command="*\netlogon\*" -image="*\explorer.exe" -user IN EXCLUDED_USERS

2.606 LP_Suspicious Windows ANONYMOUS LOGON Local Account Creation

• Trigger Condition: Creation of suspicious accounts resembling ANONYMOUS LOGON, for example by using additional spaces, is detected. The rule is created to catch accounts abusing the exclusion of Logon Type 3 for ANONYMOUS LOGON accounts.


• ATT&CK Category: Persistence

• ATT&CK Tag: Create Account

• ATT&CK ID: T1136

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4720 user="*ANONYMOUS*LOGON*" -user IN EXCLUDED_USERS

2.607 LP_Suspicious WMI Execution Detected


• Trigger Condition: WMI executing suspicious commands, including but not limited to AV product enumeration and remote process creation, is detected. WMIC.exe is a built-in Microsoft program that allows command-line access to Windows Management Instrumentation. Adversaries can use this technique to create remote or local processes, get details about antivirus and firewalls, delete shadow copies and modify Defender configurations.

• ATT&CK Category: Execution

• ATT&CK Tag: Windows Management Instrumentation

• ATT&CK ID: T1047

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label="Process" label=Create ("process"="*\wmic.exe" or file=wmic.exe) command IN ["*/node:*process call create *", "* path AntiVirusProduct get *", "* path FirewallProduct get *", "* shadowcopy delete *", "*csproduct get*UUID*", "*NAMESPACE:\\root\Microsoft\Windows\Defender*"]

2.608 LP_Svchost DLL Search Order Hijack Detected


• Trigger Condition: Svchost DLL Search Order Hijack is detected. By default, the IKEEXT and SessionEnv services call LoadLibrary on files that do not exist within C:\Windows\System32\. An attacker can place malicious logic within the PROCESS_ATTACH block of their library and restart the services mentioned above (svchost.exe -k netsvcs) to gain code execution on a remote machine.


• ATT&CK Category: Persistence, Privilege Escalation, Defense Evasion

• ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading, DLL Search Order Hijacking

• ATT&CK ID: T1574, T1574.002, T1574.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 source_image IN ["*\svchost.exe"] image IN ["*\tsmsisrv.dll", "*\tsvipsrv.dll", "*\wlbsctrl.dll"] -image IN ["C:\Windows\WinSxS\*"] -user IN EXCLUDED_USERS

2.609 LP_SysKey Registry Keys Access


• Trigger Condition: Requests and access operations to the specific registry keys used to calculate the SysKey are detected. Adversaries use a tool (like Mimikatz) or a script (like Invoke-PowerDump) to get the SysKey, decrypt Security Account Manager (SAM) database entries from the registry or hive, and obtain the NTLM and LM hashes of local account passwords.

• ATT&CK Category: Discovery

• ATT&CK Tag: Query Registry

• ATT&CK ID: T1012

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id IN [4656, 4663] object_type="key" object_name IN ["*lsa\JD", "*lsa\GBG", "*lsa\Skew1", "*lsa\Data"] -user IN EXCLUDED_USERS

2.610 LP_Sysmon Configuration Modification Detected


• Trigger Condition: Modification of the Sysmon configuration is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Indicator Blocking


• ATT&CK ID: T1562, T1562.006

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon label=Sysmon label=Config label=Change -user IN EXCLUDED_USERS

2.611 LP_Sysmon Driver Unload Detected


• Trigger Condition: Unloading of Sysmon driver is detected. After error events are
logged, logs will not be collected and parsed by Sysmon.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Disable or Modify Tools

• ATT&CK ID: T1562, T1562.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=255 id="DriverCommunication" -user IN EXCLUDED_USERS

2.612 LP_Sysmon Error Event Detected


• Trigger Condition: Sysmon error event is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Disable or Modify Tools

• ATT&CK ID: T1562, T1562.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=255 -user IN EXCLUDED_USERS


2.613 LP_System File Execution Location Anomaly Detected

• Trigger Condition: Starting a Windows program executable in a suspicious folder
is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process" IN ["*\svchost.exe", "*\rundll32.exe", "*\services.exe", "*\powershell.exe", "*\regsvr32.exe", "*\spoolsv.exe", "*\lsass.exe", "*\smss.exe", "*\csrss.exe", "*\conhost.exe", "*\wininit.exe", "*\lsm.exe", "*\winlogon.exe", "*\explorer.exe", "*\taskhost.exe"] -"process" IN ["C:\Windows\System32\*", "C:\Windows\SysWow64\*", "C:\Windows\explorer.exe", "C:\Windows\winsxs\*", "\SystemRoot\System32\*"] -user IN EXCLUDED_USERS

2.614 LP_System Information Discovery


• Trigger Condition: Discovery of system information via sysinfo or net command is
detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: System Information Discovery

• ATT&CK ID: T1082

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Create label="Process" ("process"="*\sysinfo.exe" OR command="*net* config*") -user IN EXCLUDED_USERS


2.615 LP_System Owner or User Discovery


• Trigger Condition: System owner or user discovery (MITRE ATT&CK T1033) is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: System Owner/User Discovery

• ATT&CK ID: T1033

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image IN ["*\whoami.exe", "*\qwinsta.exe", "*\quser.exe"] OR command="*wmic* useraccount get*")

2.616 LP_System Service Discovery


• Trigger Condition: System service discovery (MITRE ATT&CK T1007) is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: System Service Discovery

• ATT&CK ID: T1007

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*net.exe" or image="*tasklist.exe" or image="*sc.exe" or image="*wmic.exe") (command="*net.exe* start*" or command="*tasklist.exe* /SVC" or command="*sc.exe* query*" or command="*wmic.exe* service where*") -user IN EXCLUDED_USERS

2.617 LP_System Time Discovery


• Trigger Condition: LogPoint detects an attempt to discover system time. The
information is useful to perform other techniques, like executing a file with a
scheduled task or discovering locality information based on time zone to assist
in victim targeting.

• ATT&CK Category: Discovery


• ATT&CK Tag: System Time Discovery

• ATT&CK ID: T1124

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 ( image IN ["*\net.exe", "*\net1.exe"] command="*net* time*") or image="*w32tm.exe" or command="*Get-Date*" -user IN EXCLUDED_USERS

2.618 LP_Tap Driver Installation Detected


• Trigger Condition: Installation of TAP software is detected. It indicates possible preparation for data exfiltration using tunneling techniques.

• ATT&CK Category: Exfiltration

• ATT&CK Tag: Exfiltration Over Alternative Protocol

• ATT&CK ID: T1048

• Minimum Log Source Requirement: Windows

• Query:

((norm_id=WindowsSysmon event_id=6) OR (norm_id=WinServer (event_id=7045 OR event_id=4697))) (path="*tap0901*" OR file="*tap0901*") -user IN EXCLUDED_USERS

2.619 LP_Taskmgr as Parent Detected


• Trigger Condition: Creation of a process from the Windows Task Manager is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 parent_image="*\taskmgr.exe" -image IN ["*\resmon.exe", "*\mmc.exe", "*\taskmgr.exe"] -user IN EXCLUDED_USERS

2.620 LP_Tasks Folder Evasion Detected


• Trigger Condition: Tasks folder evasion is detected. The Tasks folders in System32 and SysWOW64 are globally writable paths. Adversaries can take advantage of this to load or influence script hosts, or any .NET application in Tasks, to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, and eventvwr.

• ATT&CK Category: Persistence, Privilege Escalation, Defense Evasion

• ATT&CK Tag: Hijack Execution Flow, DLL Side-Loading

• ATT&CK ID: T1574, T1574.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WinServer event_id=4688 command IN ["*echo *", "*copy *", "*type *", "*file createnew*"] command IN ["* C:\Windows\System32\Tasks\*", "* C:\Windows\SysWow64\Tasks\*"]

2.621 LP_Terminal Service Process Spawn Detected


• Trigger Condition: Process spawned by the terminal service server process is
detected. It can be used as an indicator for the exploitation of CVE-2019-0708.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Exploitation of Remote Services

• ATT&CK ID: T1210

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_command="*\svchost.exe*termsvcs" -image="*\rdpclip.exe" -user IN EXCLUDED_USERS


2.622 LP_Threat Intel Allowed Connections from Suspicious Sources

• Trigger Condition: An allowed connection from a suspicious source is detected.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Proxy

• ATT&CK ID: T1090

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

norm_id=* label=Allow label=Connection -source_address in HOMENET destination_address in HOMENET | process ti(source_address) | rename et_ip_address as SourceAddress, cs_ip_address as SourceAddress, et_category as Category, cs_category as Category, rf_ip_address as SourceAddress, rf_category as Category, et_score as Score, cs_score as Score, rf_score as Score, destination_port as Port | fields Category, SourceAddress, Score, Port

2.623 LP_Threat Intel Connections with Suspicious Domains

• Trigger Condition: A connection is established with a suspicious domain.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

label=Connection (url=* OR domain=*) | process domain(url) as domain | process ti(domain) | rename et_category as Category, cs_category as Category, rf_category as Category, et_score as Score, cs_score as Score, rf_score as Score, rf_domain as Domain, et_domain as Domain, cs_domain as Domain


2.624 LP_Threat Intel Excessive Denied Connections Attempt from IOC

• Trigger Condition: Multiple denied connections are received from suspicious
sources.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

norm_id=* label=Connection label=Deny -source_address in HOMENET destination_address in HOMENET | process ti(source_address) | rename rf_ti_category as Category, rf_ip_address as SourceAddress, rf_score as Score, destination_port as Port | chart count() as cnt by SourceAddress | search cnt>5

2.625 LP_Threat Intel Internal Machine Connecting to Multiple IOCs

• Trigger Condition: An internal source address establishes connections to multiple unique suspicious destinations.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

norm_id=* label=Connection source_address IN HOMENET -destination_address IN HOMENET | process ti(destination_address) | rename rf_ti_category as Category, rf_ip_address as DestinationAddress, rf_score as Score, destination_port as Port | chart distinct_count(DestinationAddress) as DC by source_address | search DC>5


2.626 LP_Threat Intel IOC Connecting to Multiple Internal Machines

• Trigger Condition: An inbound connection from suspicious sources to multiple
destinations is detected.

• ATT&CK Category: Command and Control, Defense Evasion

• ATT&CK Tag: Proxy, Exploitation for Defense Evasion

• ATT&CK ID: T1090, T1211

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

norm_id=* label=Connection -source_address in HOMENET destination_address in HOMENET | process ti(source_address) | rename rf_ti_category as Category, rf_ip_address as SourceAddress, rf_score as Score, destination_port as Port | chart distinct_count(destination_address) as DC by source_address | search DC>5

2.627 LP_Time-Stomping of Users Directory Files Detected

• Trigger Condition: Time-stomping of a file in a user directory is detected. Sysmon can only detect a change of CreationTime, not of LastWriteTime or LastAccessTime. Therefore, we recommend whitelisting legitimate noisy processes like browsers, Slack, or Teams to reduce false positives.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Indicator Removal on Host, Timestomp

• ATT&CK ID: T1070, T1070.006

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=2 path="C:\Users*" -source_image IN ["*iexplore.exe", "*cortana*", "*\StartMenuExperienceHost.exe", "C:\Windows\system32\cleanmgr.exe", "C:\Windows\Explorer.EXE", "*\LocalBridge.exe", "*\svchost.exe", "*\RuntimeBroker.exe", "*\msedge.exe"] -path="*\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" -user IN EXCLUDED_USERS


2.628 LP_Transfering Files with Credential Data via Network Shares

• Trigger Condition: Transfer of sensitive files containing credential data over a network share is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=5145 relative_target IN ["*\mimidrv*", "*\lsass*", "*\windows\minidump\*", "*\hiberfil*", "*\sqldmpr*", "*\sam*", "*\ntds.dit*", "*\security*"] -user IN EXCLUDED_USERS

2.629 LP_TrendMicroDeepSecurity Virus Quarantined


• Trigger Condition: A virus-infected file is quarantined.

• ATT&CK Category: Defense Evasion, Discovery

• ATT&CK Tag: Obfuscated Files or Information, Indicator Removal from Tools, Network Service Scanning

• ATT&CK ID: T1027, T1027.005, T1046

• Minimum Log Source Requirement: Trend Micro Deep Security

• Query:

norm_id=TrendMicroDeepSecurity label=Virus OR label=Malware label=File label=Quarantine

2.630 LP_UAC Bypass via Event Viewer Detected


• Trigger Condition: UAC bypass method using the Windows Event Viewer is
detected.

• ATT&CK Category: Defense Evasion, Privilege Escalation


• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control

• ATT&CK ID: T1548, T1548.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(event_id=13 target_object="HKU\*\mscfile\shell\open\command") OR ((event_id=1 parent_image="*\eventvwr.exe") -(image="*\mmc.exe"))

2.631 LP_Unix Possible Bruteforce Attack


• Trigger Condition: An account is not present but is used repeatedly to login. This
may be a brute force attack by a bot, malware, or threat agent.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Brute Force

• ATT&CK ID: T1110

• Minimum Log Source Requirement: Unix

• Query:

norm_id=Unix ((label=Account label=Absent) OR (label=User label=Authentication label=Fail)) user=* | chart count() as cnt by user | search cnt>10

2.632 LP_Unix User Deleted


• Trigger Condition: Deletion of a user account is detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Account Access Removal

• ATT&CK ID: T1531

• Minimum Log Source Requirement: Unix

• Query:

norm_id=Unix label=User label=Account label=Management label=Delete label=Remove user=*


2.633 LP_Unsigned Driver Loading Detected


• Trigger Condition: Loading of an unsigned driver is detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=6 is_sign=False image=* -user IN EXCLUDED_USERS

2.634 LP_Possible Ursnif Registry Activity


• Trigger Condition: A new registry key under AppDataLow\Software\Microsoft, as used by the Ursnif malware, is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=13 target_object="*\Software\AppDataLow\Software\Microsoft\*" -user IN EXCLUDED_USERS

2.635 LP_Valak Malware Connection to Malicious Domains


• Trigger Condition: Connections to Valak malware-related domains are detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver


• Query:

norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in VALAK_DOMAINS

2.636 LP_Valak Malware Infected Host Detected


• Trigger Condition: A host infected with Valak malware is detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

• Query:

host=* hash=* hash IN VALAK_HASHES

2.637 LP_VBA DLL Loaded by Office


• Trigger Condition: Loading of DLLs related to VBA macros by Office products is detected. To reduce false positives, we recommend filtering out legitimate macro use.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Phishing, Spearphishing Attachment

• ATT&CK ID: T1566, T1566.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe*", "*\powerpnt.exe*", "*\excel.exe*", "*\outlook.exe*"] image IN ["*\VBE7.DLL*", "*\VBEUI.DLL*", "*\VBE7INTL.DLL*"] -user IN EXCLUDED_USERS


2.638 LP_VM - High Risk Vulnerability on High Impact Assets

• Trigger Condition: High-risk vulnerability is detected in high impact assets.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning

• ATT&CK ID: T1046

• Minimum Log Source Requirement: Qualys, Vulnerability Management

• Query:

(col_type=qualys* or col_type=Nessus or norm_id=VulnerabilityManagement) (severity=4 or severity=5) source_address IN HIGH_IMPACT_ASSETS

2.639 LP_VM - High Risk Vulnerability on Low Impact Assets

• Trigger Condition: High-risk vulnerability is detected in low impact assets.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning

• ATT&CK ID: T1046

• Minimum Log Source Requirement: Qualys, Vulnerability Management

• Query:

(col_type=qualys* or col_type=Nessus or norm_id=VulnerabilityManagement) (severity=4 OR severity=5) source_address IN LOW_IMPACT_ASSETS

2.640 LP_VM - High Risk Vulnerability on Medium Impact Assets

• Trigger Condition: High-risk vulnerability is detected in medium impact assets.

• ATT&CK Category: Discovery


• ATT&CK Tag: Network Service Scanning

• ATT&CK ID: T1046

• Minimum Log Source Requirement: Qualys, Vulnerability Management

• Query:

(col_type=qualys* or col_type=Nessus or norm_id=VulnerabilityManagement) (severity=4 or severity=5) source_address IN MEDIUM_IMPACT_ASSETS

2.641 LP_VM - Medium Risk Vulnerability on High Impact Assets

• Trigger Condition: Medium-risk vulnerability is detected in high impact assets.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning

• ATT&CK ID: T1046

• Minimum Log Source Requirement: Qualys, Vulnerability Management

• Query:

(col_type=qualys* or col_type=Nessus or norm_id=VulnerabilityManagement) (severity=2 or severity=3) source_address IN HIGH_IMPACT_ASSETS

2.642 LP_VM - Medium Risk Vulnerability on Low Impact Assets

• Trigger Condition: Medium-risk vulnerability is detected in low impact assets.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning

• ATT&CK ID: T1046

• Minimum Log Source Requirement: Qualys, Vulnerability Management

• Query:


(col_type=qualys* or col_type=Nessus or norm_id=VulnerabilityManagement) (severity=2 OR severity=3) source_address IN LOW_IMPACT_ASSETS

2.643 LP_VM - Medium Risk Vulnerability on Medium Impact Assets

• Trigger Condition: Medium-risk vulnerability is detected in medium impact assets.

• ATT&CK Category: Discovery

• ATT&CK Tag: Network Service Scanning

• ATT&CK ID: T1046

• Minimum Log Source Requirement: Qualys, Vulnerability Management

• Query:

(col_type=qualys* or col_type=Nessus or norm_id=VulnerabilityManagement) (severity=2 or severity=3) source_address IN MEDIUM_IMPACT_ASSETS

2.644 LP_WannaCry File Encryption


• Trigger Condition: File encryption due to WannaCry ransomware.

• ATT&CK Category: Impact

• ATT&CK Tag: Data Encrypted for Impact

• ATT&CK ID: T1486

• Minimum Log Source Requirement: Windows

• Query:

col_type=lpagent new_file IN WANNACRY_EXTENSION


2.645 LP_WannaCry MS17-010 Vulnerable Sources


• Trigger Condition: MS17-010 vulnerability is detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Qualys, Vulnerability Management

• Query:

col_type=qualys* qualys_id IN [91345, 91357, 91359, 91360, 70077, 91360, 91345]

2.646 LP_WannaCry Sources in Connections to Sinkhole Domain

• Trigger Condition: A source tries to connect to the WannaCry sinkhole domain.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Proxy

• ATT&CK ID: T1090

• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

norm_id=* url IN WANNACRY_DOMAIN or domain IN WANNACRY_DOMAIN

2.647 LP_WastedLocker Ransomware Connection to Malicious Domains

• Trigger Condition: A connection to WastedLocker ransomware related domains is
detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -


• Minimum Log Source Requirement: Firewall, IDS/IPS, Webserver

• Query:

norm_id=* (url=* OR domain=*) | process domain(url) as domain | search domain in WASTEDLOCKER_DOMAINS

2.648 LP_WastedLocker Ransomware Connection to Malicious Sources

• Trigger Condition: A host establishes an outbound connection to WastedLocker
ransomware sources.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Firewall, IDS/IPS

• Query:

(destination_address IN WASTEDLOCKER_IPS OR source_address IN WASTEDLOCKER_IPS) | process geoip(destination_address) as country

2.649 LP_WastedLocker Ransomware Infected Host Detected

• Trigger Condition: WastedLocker ransomware-infected host is detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Data Encrypted for Impact

• ATT&CK ID: T1486

• Minimum Log Source Requirement: Firewall, IDS/IPS, Windows Sysmon

• Query:

host=* hash=* hash IN WASTEDLOCKER_HASHES


2.650 LP_WCE wceaux dll Access Detected


• Trigger Condition: wceaux.dll access during Windows Credential Editor (WCE)
pass-the-hash remote command execution on the source host is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id IN ["4656", "4658", "4660", "4663"] object_name="*\wceaux.dll" -user IN EXCLUDED_USERS

2.651 LP_Wdigest Registry Modification


• Trigger Condition: Modification of the UseLogonCredential value under
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable
clear-text credentials is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=13 target_object="*WDigest\UseLogonCredential" -user IN EXCLUDED_USERS

2.652 LP_Weak Encryption Enabled for User


• Trigger Condition: Weak encryption is enabled for a user profile, which is later
used for hash or password cracking.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Modify Registry


• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WinServer event_id=4738 user_account_control IN ["*DES*", "*Preauth*", "*Encrypted*"] user_account_control="*Enabled*" -user IN EXCLUDED_USERS

2.653 LP_Webshell Detection With Command Line Keywords

• Trigger Condition: Command line parameters used during reconnaissance activity
via WebShell are detected.

• ATT&CK Category: Privilege Escalation, Persistence

• ATT&CK Tag: Server Software Component, Web Shell

• ATT&CK ID: T1505, T1505.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image IN ["*\apache*", "*\tomcat*", "*\w3wp.exe", "*\php-cgi.exe", "*\nginx.exe", "*\httpd.exe"] command IN ["*whoami*", "*net user *", "*ping -n *", "*systeminfo", "*&cd&echo*", "*cd /d*"] -user IN EXCLUDED_USERS

2.654 LP_Windows 10 Scheduled Task SandboxEscaper 0 day Detected

• Trigger Condition: Modification of a potentially malicious property value of
UseLogonCredential from `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`
to enable storing of clear-text credentials in memory.

• ATT&CK Category: Privilege Escalation, Execution

• ATT&CK Tag: Scheduled Task/Job, Scheduled Task

• ATT&CK ID: T1053, T1053.005

• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=1 image="schtasks.exe" command="*/change*/TN*/RU*/RP*" -user IN EXCLUDED_USERS

2.655 LP_Windows Admin Shares - Process


• Trigger Condition: The use of hidden network shares (like C$ and IPC$), which are
accessible only to administrators, is detected. Adversaries use this technique in
conjunction with administrator-level accounts to remotely access a networked system
over SMB, interact with systems using RPC calls, or transfer files.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Services, SMB/Windows Admin Share

• ATT&CK ID: T1021, T1021.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 (image="*net.exe" or image="*powershell.exe") ((command="*net* use*$*" or command="*net * session*" or command="*net* file*$*") or command="*New-PSDrive*root*") -user IN EXCLUDED_USERS

2.656 LP_Windows Audit Logs Cleared


• Trigger Condition: Security events cleared.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Indicator Removal on Host

• ATT&CK ID: T1070

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer* label=Audit label=Log label=Clear -user IN EXCLUDED_USERS


2.657 LP_Windows Credential Editor Detected


• Trigger Condition: The use of Windows Credential Editor (WCE) is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(norm_id=WindowsSysmon event_id=1 (hash IN ["a53a02b997935fd8eedcb5f7abab9b9f", "e96a73c7bf33a464c510ede582318bf2"] OR command="*.exe -S" parent_image="*\services.exe")) OR (norm_id=WindowsSysmon event_id=13 target_object="*Services\WCESERVICE\Start*") -user IN EXCLUDED_USERS

2.658 LP_Windows Data Copied to Removable Device


• Trigger Condition: A file is copied to removable storage. For this alert to work, you
must update the list CRITICAL_HOSTS, which includes hosts where admin monitors
file copy across removable storage.

• ATT&CK Category: Exfiltration

• ATT&CK Tag: Exfiltration Over Physical Medium, Exfiltration over USB

• ATT&CK ID: T1052, T1052.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer* event_id=4663 event_category="Removable Storage" access="WriteData*" or access="*AppendData*" host IN CRITICAL_HOSTS -user IN EXCLUDED_USERS

2.659 LP_Windows Defender Exclusion Set Detected


• Trigger Condition: A Windows Defender Antivirus exclusion is added.
Windows Defender Antivirus is the built-in antivirus program for Windows 10.
It provides real-time protection against malware, viruses, spyware and other
malicious software. Windows Defender allows users to exclude specific files,
folders or processes from scanning to improve performance and reduce false
positives. Adversaries can abuse the exclusion feature in Windows Defender
to evade detection of their malicious binaries by excluding the file type or file from
being scanned.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Disable or Modify Tools

• ATT&CK ID: T1562, T1562.001

• Minimum Log Source Requirement: Windows

• Query:

(norm_id=WinServer event_source="Microsoft-Windows-Windows Defender" event_id=5007 new_value="HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\*") OR (norm_id=WindowsSysmon event_id=13 target_object="*\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\*" event_type=setvalue)

2.660 LP_Windows Domain Policy Change


• Trigger Condition: The domain policy is changed on a Domain Controller.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Domain Policy Modification, Group Policy Modification

• ATT&CK ID: T1484, T1484.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer* label=Domain label=Policy label=Change user=*$ -user IN EXCLUDED_USERS | rename target_domain as domain

2.661 LP_Windows Excessive Amount of Files Copied to Removable Device

• Trigger Condition: A user copies more than 100 files in the removable storage.

• ATT&CK Category: Exfiltration


• ATT&CK Tag: Exfiltration Over Physical Medium, Exfiltration over USB

• ATT&CK ID: T1052, T1052.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer* event_id=4663 event_category="Removable Storage" access="WriteData*" or access="*AppendData*" -user IN EXCLUDED_USERS | chart distinct_count(object) as DataCopied by user | search DataCopied>100

2.662 LP_Windows Failed Login Attempt Using Service Account

• Trigger Condition: A user fails to log in using a service account. Generally, failed
logon events with logon type 5 indicate that a password was changed without updating
the service; however, the possibility of a malicious user at work exists. That said,
a malicious user is less likely here, because creating a new service or editing an
existing service by default requires membership in Administrators or Server
Operators, so such a user would already have the authority to achieve their goal.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Valid Accounts

• ATT&CK ID: T1078

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer* label=User label=Login label=Fail target_user=*$ OR user=*$ logon_type=5 -user IN EXCLUDED_USERS | rename target_user as user, target_domain as domain

2.663 LP_Windows Failed Login Followed by Lockout Event

• Trigger Condition: A failed login attempt followed by account lockout is detected.


• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Valid Accounts, Exploitation for Credential Access, Exploitation for
Privilege Escalation, Exploitation for Defense Evasion, Brute Force

• ATT&CK ID: T1078, T1212, T1068, T1211, T1110

• Minimum Log Source Requirement: Windows

• Query:

[norm_id=WinServer label=User label=Login label=Fail -user IN EXCLUDED_USERS] as s1 followed by [norm_id=WinServer label=User label=Account label=Lock user=*] as s2 on s1.user=s2.user | rename s1.user as User, s1.source_address as SourceAddress, s2.workstation as ComputerName, s2.caller_domain as Domain, s1.log_ts as LastFailedLogin_ts, s2.log_ts as LockedOut_ts

2.664 LP_Windows Local User Management


• Trigger Condition: A user is created on a non-domain controller. For the alert to
work, you must update the list DOMAIN with domain controllers.

• ATT&CK Category: Persistence

• ATT&CK Tag: Create Account, Local Account

• ATT&CK ID: T1136, T1136.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer* label=User label=Create -target_user=*$ -user=*$ -target_domain IN DOMAIN -domain IN DOMAIN -user IN EXCLUDED_USERS

2.665 LP_WMI DLL Loaded by Office


• Trigger Condition: Loading of DLLs related to WMI by Office products signaling
VBA macros executing WMI Commands.

• ATT&CK Category: Execution

• ATT&CK Tag: User Execution, Malicious File

• ATT&CK ID: T1204, T1204.002


• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 source_image IN ["*\winword.exe", "*\powerpnt.exe", "*\excel.exe", "*\outlook.exe"] image IN ["*\wmiutils.dll", "*\wbemcomn.dll", "*\wbemprox.dll", "*\wbemdisp.dll", "*\wbemsvc.dll"] -user IN EXCLUDED_USERS

2.666 LP_Windows Multiple Password Changed by User


• Trigger Condition: A user changes its own password more than once in a given
period of time.

• ATT&CK Category: Persistence, Credential Access, Privilege Escalation, Defense Evasion

• ATT&CK Tag: Account Manipulation, Abuse Elevation Control Mechanism, Bypass
User Access Control, Exploitation for Credential Access, Exploitation for Privilege
Escalation

• ATT&CK ID: T1098, T1548, T1212, T1068

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer* label=User label=Password label=Change -target_user=*$ -caller_user=*$ -user IN EXCLUDED_USERS | rename caller_user as user | process compare(target_user, user) as match | search match=True | chart count() as Event by target_user | search Event>1

2.667 LP_Windows Processes Suspicious Parent Directory Detected

• Trigger Condition: Suspicious parent processes of Windows processes are
detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Masquerading

• ATT&CK ID: T1036


• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image IN ["*\svchost.exe", "*\taskhost.exe", "*\lsm.exe", "*\lsass.exe", "*\services.exe", "*\lsaiso.exe", "*\csrss.exe", "*\wininit.exe", "*\winlogon.exe"] -parent_image IN ["*\System32\*", "*\SysWOW64\*", "*\SavService.exe", "*\Windows Defender\*\MsMpEng.exe"] parent_image=* -user IN EXCLUDED_USERS

2.668 LP_Windows Registry Persistence COM Key Linking Detected

• Trigger Condition: COM object hijacking via TreatAs subkey is detected. It is
rare, but there are some cases where system utilities use linking keys for backward
compatibility.

• ATT&CK Category: Privilege Escalation, Persistence

• ATT&CK Tag: Event Triggered Execution, Component Object Model Hijacking

• ATT&CK ID: T1546, T1546.015

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=12 target_object="HKU\*_Classes\CLSID\*\TreatAs" -user IN EXCLUDED_USERS

2.669 LP_Windows Shell Spawning Suspicious Program


• Trigger Condition: A suspicious child process of Windows Shell is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter

• ATT&CK ID: T1059

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 parent_image IN ["*\mshta.exe", "*\powershell.exe", "*\rundll32.exe", "*\cscript.exe", "*\wscript.exe", "*\wmiprvse.exe"] image IN ["*\schtasks.exe", "*\nslookup.exe", "*\certutil.exe", "*\bitsadmin.exe", "*\mshta.exe"] -path="*\ccmcache\*" -user IN EXCLUDED_USERS

2.670 LP_Windows SMB Remote Code Execution Vulnerability CVE-2017-0143 Detected

• Trigger Condition: Remote code execution in Windows SMB (CVE-2017-0143) is
detected.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Services

• ATT&CK ID: T1021

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon label=Detect label=Network label=Connection destination_port=445 rule=SMB source_address IN MOST_EXPLOITABLE_IPS -user IN EXCLUDED_USERS

2.671 LP_Windows Suspicious Creation of User Accounts


• Trigger Condition: Creation of an account, followed by its deletion in a day is
detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: Account Create

• ATT&CK ID: T1136

• Minimum Log Source Requirement: Windows

• Query:


[norm_id=WinServer* label=User label=Create -target_user=*$ -caller_user=*$ -user=*$ -user IN EXCLUDED_USERS | rename target_user as Account, caller_user as user] as s1 followed by [norm_id=WinServer* label=User (label=Delete or label=Remove) | rename target_user as Account, caller_user as user] as s2 on s1.Account=s2.Account | rename s1.col_ts as CreatedTime_ts, s2.col_ts as DeletedTime_ts, s1.user as CreatedUser, s2.user as DeletedUser, s1.Account as Account
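Two rules in this section, LP_Windows Failed Login Followed by Lockout Event and LP_Windows Suspicious Creation of User Accounts, rely on the `[...] as s1 followed by [...] as s2 on s1.x=s2.x` join. The Python below is an added example, not LogPoint's code and not part of the original documentation: it re-implements that join over constructed sample events so the pairing rules (earliest matching s2, one s2 per s1, machine-account exclusion, and the one-day window the second rule's trigger condition states) can be checked offline. It assumes the normalized fields the queries name (labels, user, target_user, caller_user, source_address, workstation, caller_domain, log_ts) are present as plain dictionary keys, with log_ts as an ISO-8601 string.

```python
"""Sequence ("followed by") correlation over normalized Windows Security events.

Added example, not LogPoint's own code: mirrors the join semantics of
LP_Windows Failed Login Followed by Lockout Event and LP_Windows Suspicious
Creation of User Accounts. Field names follow the queries; the events at the
bottom are constructed for illustration and are not real logs.
"""
from datetime import datetime, timedelta


def _ts(event):
    # log_ts is assumed to be an ISO-8601 string (constructed sample format).
    return datetime.fromisoformat(event["log_ts"])


def followed_by(first, second, key_first, key_second, window=None):
    """Pair every s1 in `first` with the earliest s2 in `second` that shares
    the join key and occurs at or after s1 (and no later than s1 + window,
    if a window is given). Each s2 is consumed once, so a burst of s1 events
    does not fan out into duplicate pairs for a single s2."""
    pending = sorted(second, key=_ts)
    used = set()
    pairs = []
    for s1 in sorted(first, key=_ts):
        for idx, s2 in enumerate(pending):
            if idx in used or _ts(s2) < _ts(s1):
                continue
            if window is not None and _ts(s2) - _ts(s1) > window:
                break  # pending is time-ordered: nothing later fits either
            if s2.get(key_second) == s1.get(key_first):
                used.add(idx)
                pairs.append((s1, s2))
                break
    return pairs


def failed_login_then_lockout(events, excluded_users=frozenset()):
    """[User Login Fail -user IN EXCLUDED_USERS] as s1 followed by
    [User Account Lock] as s2 on s1.user=s2.user, with the rule's renames."""
    fails = [e for e in events
             if {"User", "Login", "Fail"} <= e["labels"]
             and e["user"] not in excluded_users]
    locks = [e for e in events if {"User", "Account", "Lock"} <= e["labels"]]
    return [{"User": s1["user"], "SourceAddress": s1["source_address"],
             "ComputerName": s2["workstation"], "Domain": s2["caller_domain"],
             "LastFailedLogin_ts": s1["log_ts"], "LockedOut_ts": s2["log_ts"]}
            for s1, s2 in followed_by(fails, locks, "user", "user")]


def created_then_deleted(events, excluded_users=frozenset(), window_days=1.0):
    """Account created (s1) then deleted or removed (s2) within window_days,
    joined on the account name. Names ending in $ (machine accounts) are
    dropped on the create side, as -target_user=*$ / -caller_user=*$ do."""
    def is_machine(name):
        return name.endswith("$")
    creates = [e for e in events
               if {"User", "Create"} <= e["labels"]
               and not is_machine(e["target_user"])
               and not is_machine(e["caller_user"])
               and e["caller_user"] not in excluded_users]
    deletes = [e for e in events
               if "User" in e["labels"] and e["labels"] & {"Delete", "Remove"}]
    window = timedelta(days=window_days)
    return [{"Account": s1["target_user"], "CreatedUser": s1["caller_user"],
             "DeletedUser": s2["caller_user"], "CreatedTime_ts": s1["log_ts"],
             "DeletedTime_ts": s2["log_ts"]}
            for s1, s2 in followed_by(creates, deletes,
                                      "target_user", "target_user", window)]


# Constructed sample events (not real logs), already normalized.
SAMPLE_EVENTS = [
    {"labels": {"User", "Login", "Fail"}, "user": "alice", "source_address": "10.0.0.5", "log_ts": "2023-05-11T10:00:00"},
    {"labels": {"User", "Login", "Fail"}, "user": "bob", "source_address": "10.0.0.6", "log_ts": "2023-05-11T10:00:30"},
    {"labels": {"User", "Account", "Lock"}, "user": "alice", "workstation": "WS01", "caller_domain": "CORP", "log_ts": "2023-05-11T10:01:00"},
    {"labels": {"User", "Account", "Lock"}, "user": "carol", "workstation": "WS02", "caller_domain": "CORP", "log_ts": "2023-05-11T10:02:00"},
    {"labels": {"User", "Create"}, "target_user": "tmpadm", "caller_user": "jdoe", "log_ts": "2023-05-11T09:00:00"},
    {"labels": {"User", "Create"}, "target_user": "SRV01$", "caller_user": "jdoe", "log_ts": "2023-05-11T09:05:00"},
    {"labels": {"User", "Create"}, "target_user": "tmp2", "caller_user": "jdoe", "log_ts": "2023-05-09T08:00:00"},
    {"labels": {"User", "Delete"}, "target_user": "tmp2", "caller_user": "jdoe", "log_ts": "2023-05-11T09:30:00"},
    {"labels": {"User", "Delete"}, "target_user": "tmpadm", "caller_user": "jdoe", "log_ts": "2023-05-11T15:00:00"},
    {"labels": {"User", "Remove"}, "target_user": "olduser", "caller_user": "jdoe", "log_ts": "2023-05-11T16:00:00"},
]

if __name__ == "__main__":
    print(failed_login_then_lockout(SAMPLE_EVENTS))  # alice only; carol had no failure
    print(created_then_deleted(SAMPLE_EVENTS))       # tmpadm only; tmp2 is outside one day
```

In the sample, bob's failure has no lockout, carol's lockout has no preceding failure, SRV01$ is dropped as a machine account, and tmp2 was created two days before its deletion, so only the alice and tmpadm sequences surface. Widening window_days to 3 pulls tmp2 in as well, which is the knob to tune when the stated one-day window produces too few or too many hits.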

2.672 LP_Windows User Account Created via Command Line

• Trigger Condition: Creation of a user account via CLI like PowerShell or net utility
is detected.

• ATT&CK Category: Execution, Persistence

• ATT&CK Tag: Create Account, PowerShell, Local Account

• ATT&CK ID: T1136, T1059.001, T1136.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" (command="*New-LocalUser*" or command="*net user*add*")

2.673 LP_Windows Unusual User Access to an Object


• Trigger Condition: A file or object is accessed by a user more than ten times in a
given time.

• ATT&CK Category: Discovery

• ATT&CK Tag: File and Directory Discovery, Data from Network Shared Drive,
Network Share Discovery

• ATT&CK ID: T1083, T1039, T1135

• Minimum Log Source Requirement: Windows

• Query:


norm_id=WinServer* label=Access label=Object access="*Read*Control*" path=* -user=*$ -user IN EXCLUDED_USERS | chart distinct_count(object) as FileAccessed by user, path order by FileAccessed desc | search FileAccessed>10
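Both LP_Windows Excessive Amount of Files Copied to Removable Device and LP_Windows Unusual User Access to an Object end in a `chart distinct_count(object) as N by ... | search N > threshold` stage. The Python below is an added example, not LogPoint's code and not part of the original documentation: it applies the two rules' filters and that distinct-count threshold to constructed sample events, showing why a distinct count (rather than a raw event count) is what keeps one file appended 150 times from firing. It assumes the normalized fields the queries name (event_id, event_category, access, user, host, labels, path, object) are present as dictionary keys; the critical_hosts argument is taken from the related LP_Windows Data Copied to Removable Device rule's host IN CRITICAL_HOSTS clause.

```python
"""Threshold aggregation over normalized Windows Security events.

Added example, not LogPoint's own code: mirrors the
`chart distinct_count(object) as N by ... | search N > threshold` stage of
LP_Windows Excessive Amount of Files Copied to Removable Device and
LP_Windows Unusual User Access to an Object. The sample events are
constructed and are not real logs.
"""
import re
from collections import defaultdict


def distinct_count_by(events, group_fields, value_field):
    """`chart distinct_count(value_field) as N by group_fields`: number of
    distinct values of value_field seen per group key."""
    seen = defaultdict(set)
    for e in events:
        seen[tuple(e.get(f) for f in group_fields)].add(e[value_field])
    return {key: len(vals) for key, vals in seen.items()}


def removable_storage_writes(events, threshold=100, critical_hosts=None,
                             excluded_users=frozenset()):
    """Event 4663, category Removable Storage, access WriteData* or
    *AppendData*; users who wrote more than `threshold` distinct objects.
    critical_hosts mirrors host IN CRITICAL_HOSTS from the LP_Windows Data
    Copied to Removable Device rule; None applies no host filter, as in the
    excessive-copy rule itself."""
    def write_access(access):
        return access.startswith("WriteData") or "AppendData" in access
    matched = [e for e in events
               if e.get("event_id") == 4663
               and e.get("event_category") == "Removable Storage"
               and write_access(e.get("access", ""))
               and e["user"] not in excluded_users
               and (critical_hosts is None or e["host"] in critical_hosts)]
    counts = distinct_count_by(matched, ("user",), "object")
    return {user: n for (user,), n in counts.items() if n > threshold}


READ_CONTROL = re.compile(r".*Read.*Control.*", re.IGNORECASE)  # access="*Read*Control*"


def unusual_object_access(events, threshold=10, excluded_users=frozenset()):
    """Object-access events with a Read*Control access mask by non-machine
    accounts (-user=*$); (user, path) pairs that touched more than `threshold`
    distinct objects, most active first (order by FileAccessed desc)."""
    matched = [e for e in events
               if {"Access", "Object"} <= e.get("labels", set())
               and READ_CONTROL.match(e.get("access", ""))
               and e.get("path")
               and not e["user"].endswith("$")
               and e["user"] not in excluded_users]
    counts = distinct_count_by(matched, ("user", "path"), "object")
    rows = [{"user": u, "path": p, "FileAccessed": n}
            for (u, p), n in counts.items() if n > threshold]
    return sorted(rows, key=lambda r: r["FileAccessed"], reverse=True)


def build_sample_events():
    """Constructed sample events (not real logs) in normalized field names."""
    ev = []
    # mallory writes 120 distinct files to a USB drive: over the 100 threshold
    for i in range(120):
        ev.append({"event_id": 4663, "event_category": "Removable Storage",
                   "access": "WriteData (or AddFile)", "user": "mallory",
                   "host": "WS07", "object": f"E:\\dump\\file{i:03d}.docx"})
    # alice appends to one file 150 times: a single distinct object, no alert
    for _ in range(150):
        ev.append({"event_id": 4663, "event_category": "Removable Storage",
                   "access": "AppendData (or AddSubdirectory or CreatePipeInstance)",
                   "user": "alice", "host": "WS03", "object": "E:\\notes.txt"})
    # mallory touches 12 distinct objects under one share path: over 10
    for i in range(12):
        ev.append({"labels": {"Access", "Object"}, "access": "READ_CONTROL",
                   "user": "mallory", "path": "\\\\fs01\\finance",
                   "object": f"\\\\fs01\\finance\\q{i}.xlsx"})
    # a machine account touching 20 objects is filtered out by -user=*$
    for i in range(20):
        ev.append({"labels": {"Access", "Object"}, "access": "READ_CONTROL",
                   "user": "WS07$", "path": "\\\\fs01\\finance",
                   "object": f"\\\\fs01\\finance\\m{i}.xlsx"})
    return ev


if __name__ == "__main__":
    sample = build_sample_events()
    print(removable_storage_writes(sample))  # {'mallory': 120}
    print(unusual_object_access(sample))     # one row: mallory, \\fs01\finance, 12
```

The `access="WriteData*" or access="*AppendData*"` clause is read here as a single alternative condition; if the platform's operator precedence binds the `or` differently, the second branch would drop the removable-storage constraint, so this is worth confirming against a known-good event when the rule is deployed.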

2.674 LP_Windows User Account Change to End with Dollar Sign

• Trigger Condition: A user account is changed to end with the dollar sign ($).

• ATT&CK Category: Persistence

• ATT&CK Tag: Account Manipulation

• ATT&CK ID: T1098

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer* label=User label=Account label=Change label=Name new_user=*$ -user IN EXCLUDED_USERS | rename caller_user as user, caller_domain as domain

2.675 LP_Windows Webshell Creation Detected


• Trigger Condition: Creation of WebShell file on a static web site. The alert has
been directly translated from sigma rule.

• ATT&CK Category: Persistence

• ATT&CK Tag: Server Software Component, Web Shell

• ATT&CK ID: T1505, T1505.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 ((path="*\inetpub\wwwroot*" file IN ["*.asp", "*.ashx", "*.ph"]) OR (path IN ["*\www\*", "*\htdocs\*", "*\html\*"] file="*.ph") OR (file="*.jsp" path="*\cgi-bin\*" path="*.pl*")) -path IN ["*\AppData\Local\Temp*", "*\Windows\Temp*"]


2.676 LP_Winlogon Helper DLL


• Trigger Condition: Modification of registry entries related to winlogon.exe to load
and execute possible malicious DLLs and/or executables is detected.

• ATT&CK Category: Persistence

• ATT&CK Tag: Boot or Logon Autostart Execution, Winlogon Helper DLL

• ATT&CK ID: T1547, T1547.004

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\*" or target_object="*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell\*" or target_object="*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*") -user IN EXCLUDED_USERS

2.677 LP_WMI - Network Connection


• Trigger Condition: A network connection from wmic.exe is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Windows Management Instrumentation

• ATT&CK ID: T1047

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=3 image="*wmic.exe" -user IN EXCLUDED_USERS

2.678 LP_WMI Backdoor Exchange Transport Agent


• Trigger Condition: WMI backdoor in Exchange Server Software Component and
Transport Agents via WMI event filters is detected.

• ATT&CK Category: Privilege Escalation, Persistence


• ATT&CK Tag: Event Triggered Execution, Windows Management Instrumentation
Event Subscription

• ATT&CK ID: T1546, T1546.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\EdgeTransport.exe" -user IN EXCLUDED_USERS

2.679 LP_WMI Modules Loaded by Suspicious Process


• Trigger Condition: Loading of WMI modules by suspicious processes, such as a binary
run from ProgramData, is detected. Legitimate system processes and third-party
utilities use WMI extensively, so we recommend whitelisting to reduce false-positive
flooding. Also, do not monitor C:\Windows\*, as the extensive whitelisting required
may hamper the query's performance.

• ATT&CK Category: Execution

• ATT&CK Tag: Windows Management Instrumentation

• ATT&CK ID: T1047

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 image IN ["*wmiclnt.dll", "*WmiApRpl.dll", "*wmiprov.dll", "*wmiutils.dll", "*wbemcomn.dll", "*wbemprox.dll", "*WMINet_Utils.dll", "*wbemsvc.dll", "*fastprox.dll"] source_image IN ["C:\Users\*", "C:\ProgramData*", "C:\Windows\Temp*"] -source_image IN ["*\Microsoft\Teams\Update.exe", "*\MsMpEng.exe"]

2.680 LP_WMI Persistence - Script Event Consumer Detected

• Trigger Condition: Windows Management Instrumentation (WMI) script event
consumers are detected. Attackers leverage WMI ActiveScriptEventConsumers
remotely to move laterally in the network.

• ATT&CK Category: Privilege Escalation, Persistence


• ATT&CK Tag: Event Triggered Execution, Windows Management Instrumentation
Event Subscription

• ATT&CK ID: T1546, T1546.003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process"="*:\WINDOWS\system32\wbem\scrcons.exe" parent_process="*:\Windows\System32\svchost.exe" -user IN EXCLUDED_USERS

2.681 LP_WMI Persistence - Script Event Consumer File Write

• Trigger Condition: File writes of WMI script event consumer are detected.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Event Triggered Execution, Windows Management Instrumentation
Event Subscription

• ATT&CK ID: T1546, T1546.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 source_image="C:\WINDOWS\system32\wbem\scrcons.exe" -user IN EXCLUDED_USERS

2.682 LP_WMI Process Execution


• Trigger Condition: Execution of processes related to WMI is detected. You must
whitelist installed security tools or software that uses WMI to reduce false positives.

• ATT&CK Category: Execution

• ATT&CK Tag: Windows Management Instrumentation

• ATT&CK ID: T1047

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 (parent_command="*wmiprvse.exe" or image="*wmic.exe" or command="*wmic*") -user IN EXCLUDED_USERS

2.683 LP_WMI Spawning Windows Shell


• Trigger Condition: WMI spawning Command and Scripting Interpreter and
PowerShell are detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell, Windows
Management Instrumentation

• ATT&CK ID: T1059, T1059.001, T1047

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\wmiprvse.exe" image="*\powershell.exe" -user IN EXCLUDED_USERS

2.684 LP_WMIExec VBS Script Detected


• Trigger Condition: Execution of a VBS script by wscript and cscript.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, Visual Basic

• ATT&CK ID: T1059, T1059.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image IN ["*\cscript.exe", "*\wscript.exe"] command="*.vbs /shell *" -user IN EXCLUDED_USERS


2.685 LP_Wmiprvse Spawning Process


• Trigger Condition: wmiprvse spawning unusual processes are detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Windows Management Instrumentation

• ATT&CK ID: T1047

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4688 parent_process="*WmiPrvSe.exe" -target_logon_id="0x3e7" -logon_id="0x3e7" -"process" IN ["*\WmiPrvse.exe", "*\Werfault.exe"] -user IN EXCLUDED_USERS

2.686 LP_WScript or CScript Dropper Detected


• Trigger Condition: Execution of wscript or cscript scripts in user directories is
detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, Visual Basic, JavaScript

• ATT&CK ID: T1059.007, T1059.005, T1059

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process" IN ["*\wscript.exe", "*\cscript.exe"] command IN ["*:\Users\*", "*:\ProgramData\*"] command IN ["*.jse", "*.vbe", "*.js", "*.vba", "*.vbs"] -parent_process="*\winzip*"

2.687 LP_Wsreset UAC Bypass Detected


• Trigger Condition: A method that uses the Wsreset.exe tool used to reset the
Windows Store bypassing UAC is detected.

• ATT&CK Category: Privilege Escalation, Defense Evasion

• ATT&CK Tag: Abuse Elevation Control Mechanism, Bypass User Access Control


• ATT&CK ID: T1548, T1548.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\WSreset.exe" -image="*\conhost.exe" -user IN EXCLUDED_USERS

2.688 LP_XSL Script Processing Detected


• Trigger Condition: Application control bypass attempt via execution of embedded
scripts inside Extensible Stylesheet Language (XSL) files is detected. The alert
also detects another variation of this technique, dubbed Squiblytwo, that utilizes
WMI to invoke JScript or VBScript within an XSL file. Legitimate invocations of
msxsl, which employ the -o command-line argument, should be whitelisted to reduce
false positives.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: XSL Script Processing

• ATT&CK ID: T1220

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create ((("process"="*\wmic.exe" command IN ["* format*:*", "*/format*:*", "*-format*:*"]) -command in ["*Format:List", "*Format:htable", "*Format:hform", "*Format:table", "*Format:mof", "*Format:value", "*Format:rawxml", "*Format:xml", "*Format:csv"]) OR ("process"="*\msxsl.exe" -command="* -o *")) -user IN EXCLUDED_USERS

2.689 LP_ZOHO Dctask64 Process Injection Detected


• Trigger Condition: Process injection using ZOHO’s dctask64.exe is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Process Injection

• ATT&CK ID: T1055

• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=1 image="*\dctask64.exe" -command="*DesktopCentral_Agent\agent*" -user IN EXCLUDED_USERS

2.690 LP_ZxShell Malware Detected


• Trigger Condition: Proxy execution of ZxShell via Rundll32 is detected.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: Command-Line Interface, Signed Binary Proxy Execution, Rundll32

• ATT&CK ID: T1059, T1218, T1218.011

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\rundll32.exe" command IN ["*zxFunction*", "*RemoteDiskXXXXX*"] -user IN EXCLUDED_USERS

2.691 LP_APT 34 Initial Access Using Spearphishing Link Detected

• Trigger Condition: An attempt to gain an initial foothold within the network
through a spearphishing link matching IOCs related to APT34 is detected. For
the alert to work, it uses the lists IRANIAN_SPEARPHISHING_DOMAINS and
IRANIAN_SPEARPHISHING_IP.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Spearphishing Link

• ATT&CK ID: T1566

• Minimum Log Source Requirement: EmailServer

• Query:

norm_id=* label=Detect label=Malicious label=URL (source_address in IRANIAN_SPEARPHISHING_IP OR domain in IRANIAN_SPEARPHISHING_DOMAINS) -user IN EXCLUDED_USERS


2.692 LP_Automated Collection Detected


• Trigger Condition: An adversary uses automated techniques like scripting for
collecting internal data.

• ATT&CK Category: Collection

• ATT&CK Tag: Automated Collection

• ATT&CK ID: T1119

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer (event_id=4104 (scriptblocktext="*Get-ChildItem -Recurse*Copy-Item*" OR scriptblocktext="*Get-ChildItem*" OR scriptblocktext="*Get-Process*" OR scriptblocktext="*Get-Service*" OR scriptblocktext="*cmd.exe dir*findstr /e*" OR scriptblocktext="*wmic process list*" OR script_block="*Get-ChildItem -Recurse*Copy-Item*" OR script_block="*Get-ChildItem*" OR script_block="*Get-Process*" OR script_block="*Get-Service*" OR script_block="*cmd.exe dir*findstr /e*" OR script_block="*wmic process list*")) -user IN EXCLUDED_USERS | rename scriptblocktext as command | rename script_block as command

2.693 LP_Screenshot Capture Detected

• Trigger Condition: An adversary captures the screen of the desktop to gather information throughout an operation.

• ATT&CK Category: Collection

• ATT&CK Tag: Automated Collection

• ATT&CK ID: T1113

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer (event_id=4104 (scriptblocktext="*Get-ScreenShot.ps1*" OR script_block="*Get-ScreenShot.ps1*")) -user IN EXCLUDED_USERS | rename scriptblocktext as command | rename script_block as command

2.694 LP_APT 34 Command and Control Using Commonly used Ports Detected

• Trigger Condition: An adversary communicates over a commonly used port to bypass firewalls or network detection systems and blend in with regular network activity to avoid detailed inspection. The alert uses the lists IRANIAN_CNC_IP, IRANIAN_CNC_DOMAIN, and COMMON_PORTS.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: ProxyServer

• Query:

norm_id=*Proxy* source_address=* destination_address=* destination_port IN COMMON_PORTS destination_address in IRANIAN_CNC_IP destination_host in IRANIAN_CNC_DOMAIN -user IN EXCLUDED_USERS

2.695 LP_APT 34 Command and Control Using Standard Application Layer Protocol Detected

• Trigger Condition: An adversary communicates using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. The alert uses the lists STANDARD_APPLICATION_PORTS, IRANIAN_CNC_DOMAIN, and IRANIAN_CNC_IP.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Application Layer Protocol

• ATT&CK ID: T1071

• Minimum Log Source Requirement: ProxyServer

• Query:

norm_id=*proxy source_address=* destination_address=* destination_port IN STANDARD_APPLICATION_PORTS destination_address in IRANIAN_CNC_IP destination_host in IRANIAN_CNC_DOMAIN -user IN EXCLUDED_USERS

2.696 LP_APT 34 Command and Control Using Uncommonly used Port Detected

• Trigger Condition: An adversary conducts Command and Control communications over a non-standard port to bypass misconfigured proxies and firewalls. The alert uses the lists IRANIAN_CNC_IP, IRANIAN_CNC_DOMAIN, and UNCOMMON_PORTS.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Non-Standard Port

• ATT&CK ID: T1571

• Minimum Log Source Requirement: ProxyServer

• Query:

norm_id=*Proxy* source_address=* destination_address=* destination_port IN UNCOMMON_PORTS destination_address in IRANIAN_CNC_IP destination_host in IRANIAN_CNC_DOMAIN -user IN EXCLUDED_USERS

2.697 LP_Credential Dumping using procdump Detected

• Trigger Condition: An adversary obtains account login and password information using procdump, generally in the form of a hash or a clear text password, from the operating system and software.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credential Dumping

• ATT&CK ID: T1003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon label=File label=Create file=*.dmp source_image="*procdump.exe" -user IN EXCLUDED_USERS | rename source_image as image

2.698 LP_Access Using Browser Stored Credential Detected

• Trigger Condition: An adversary acquires credentials from web browsers by reading files specific to the target browser (credentials from password stores and from web browsers). The alert triggers when the process wsus.exe accesses files in a web browser's path.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Credentials from Password Stores, Credentials from Web Browsers

• ATT&CK ID: T1555, T1555.003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label=Object label=Access label=File "process"="*wsus.exe" (path="*firefox*" OR path="*chrome*") -user IN EXCLUDED_USERS

2.699 LP_GUI Input Capture Detected

• Trigger Condition: Credential access using the input capture technique is detected. Adversaries use this technique to obtain valid account credentials on the target system and other sensitive user information that may assist in the attack campaign.

• ATT&CK Category: Credential Access

• ATT&CK Tag: GUI Input Capture

• ATT&CK ID: T1056.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon label=Set label=Registry "process"="*keylogger_directx.exe" -user IN EXCLUDED_USERS

2.700 LP_Files and Directory Discovery Process Detected

• Trigger Condition: An adversary enumerates files and directories, or searches specific host or network share locations for particular information within a file system.

• ATT&CK Category: Discovery

• ATT&CK Tag: File and Directory Discovery

• ATT&CK ID: T1083

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label="Process" label=Create -command="*findstr*" (command="*cmd.exe*dir *" OR command="*tree.com*") -user IN EXCLUDED_USERS | rename commandline as command

2.701 LP_Account Discovery Process Detected

• Trigger Condition: Adversaries attempt to get a listing of accounts on a system or within an environment, which helps them determine which accounts exist to aid in follow-on behavior.

• ATT&CK Category: Discovery

• ATT&CK Tag: Account Discovery, Domain Account

• ATT&CK ID: T1087, T1087.002

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label="Process" label=Create command="*dsquery user*" -user IN EXCLUDED_USERS

2.702 LP_Suspicious File Deletion Detected

• Trigger Condition: Adversaries remove the files that trail an intrusion to keep their footprint low, or remove them at the end as part of the post-intrusion cleanup process. For the alert to work, you must configure ACLs on the paths and extensions you want to monitor for deletion operations.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Indicator Removal on Host, File Deletion

• ATT&CK ID: T1070, T1070.004

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label=Object label=Access access="*delete*" (relative_target="*.exe" OR relative_target="*.bat" OR relative_target="*.ps1" OR relative_target="*.cmd") -user IN EXCLUDED_USERS | rename relative_target as file

2.703 LP_File or Information Decode Process Detected

• Trigger Condition: An adversary uses obfuscated files or information to hide the artifacts of an intrusion from analysis and employs specific decoding to use them.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Decode Files or Information

• ATT&CK ID: T1140

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label="Process" label=Create (commandline="*certutil.exe*-encode*calc.exe*T1140_calc.txt" OR commandline="*certutil.exe*-decode*T1140_calc.txt*T1140_calc_decoded.exe" OR command="*certutil.exe*-encode*calc.exe*T1140_calc.txt" OR command="*certutil.exe*-decode*T1140_calc.txt*T1140_calc_decoded.exe") -user IN EXCLUDED_USERS | rename commandline as command

2.704 LP_Access of Password Policy Detected

• Trigger Condition: The use of the command net*accounts is detected. An adversary accesses detailed information about the password policy used within an enterprise network.

• ATT&CK Category: Discovery

• ATT&CK Tag: Password Policy Discovery

• ATT&CK ID: T1021

• Minimum Log Source Requirement: Windows

• Query:

((norm_id=WinServer label="Process" label=Create) OR (norm_id=WindowsSysmon event_id=11) command="*net*accounts*") -user IN EXCLUDED_USERS

2.705 LP_Access of Permission Groups Detected

• Trigger Condition: The use of the commands net and get is detected. An adversary finds local system or domain-level groups and permission settings using these commands.

• ATT&CK Category: Discovery

• ATT&CK Tag: Permission Group Discovery, Local Groups, Domain Groups

• ATT&CK ID: T1069, T1069.001, T1069.002

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

((norm_id=WinServer label="Process" label=Create) OR (norm_id=WindowsSysmon event_id=1 image="*net.exe")) (command="*net*user*" OR command="*net*group*" OR command="*get*group*" OR command="*get*ADPrincipalGroupMembership*") -user IN EXCLUDED_USERS

2.706 LP_Security Software Discovery Process Detected

• Trigger Condition: An adversary attempts to get a listing of the security software, configurations, defensive tools, and sensors that are installed on the system.

• ATT&CK Category: Discovery

• ATT&CK Tag: Security Software Discovery

• ATT&CK ID: T1518

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label="Process" label=Create (command="*findstr.exe*virus" OR command="*findstr.exe*cylance" OR command="*findstr.exe*defender" OR command="*findstr.exe*cb") -user IN EXCLUDED_USERS

2.707 LP_System Network Configuration Discovery

• Trigger Condition: Discovery of network configuration via system utilities like ipconfig, route, or netsh is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: System Network Configuration Discovery

• ATT&CK ID: T1016

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label="Process" label=Create (command="*ipconfig.exe*" OR command="*route.exe*" OR command="*netsh advfirewall*" OR command="*arp.exe*" OR command="*nbtstat.exe*" OR command="*netsh.exe*interface show" OR command="*net*config") -user IN EXCLUDED_USERS | rename commandline as command

2.708 LP_System Network Connections Discovery

• Trigger Condition: Discovery of network connections via system utilities like netstat or net is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: System Network Connections Discovery

• ATT&CK ID: T1049

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create ("process" IN ["*net.exe","*netstat.exe"] command IN ["*net* use*","*net* sessions*","*net* file*","*netstat*"]) OR command="*Get-NetTCPConnection*" -user IN EXCLUDED_USERS

2.709 LP_Exfiltration over Cloud Application Detected

• Trigger Condition: An adversary performs data exfiltration with a protocol different from the main Command and Control protocol or channel.

• ATT&CK Category: Exfiltration

• ATT&CK Tag: Exfiltration Over Alternative Protocol

• ATT&CK ID: T1048

• Minimum Log Source Requirement: ProxyServer

• Query:

norm_id=*Proxy* source_address=* destination_address=* destination_address IN CLOUD_APPLICATION_IP -user IN EXCLUDED_USERS

2.710 LP_Remote File Copy Detected

• Trigger Condition: Files are copied from one system to another to stage adversary tools or other files throughout an operation.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote File Copy

• ATT&CK ID: T1105

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label=Object label=Access access=* (relative_target="*.exe" OR relative_target="*.bat") -user IN EXCLUDED_USERS | rename relative_target as file

2.711 LP_Account Created for Persistence Detected

• Trigger Condition: The use of net commands is detected. An adversary with a sufficient level of access may create a local system, domain, or cloud tenant account with this command and use it for persistence.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Create Account

• ATT&CK ID: T1136

• Minimum Log Source Requirement: Windows

• Query:

((norm_id=WinServer label="Process" label=Create) OR (norm_id=WindowsSysmon image="*net.exe*")) command="*net*/add*" -user IN EXCLUDED_USERS

2.712 LP_Account Manipulated for Persistence Detected

• Trigger Condition: The use of net commands is detected. An adversary uses this command to modify permissions or credentials, add or change permission groups, or modify account or authentication settings.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Account Manipulation

• ATT&CK ID: T1098

• Minimum Log Source Requirement: Windows

• Query:

((norm_id=WinServer label="Process" label=Create) OR (norm_id=WindowsSysmon image="*net.exe*")) command="*net*localgroup*/add" -user IN EXCLUDED_USERS

2.713 LP_Privilege Escalation - Bypassing User Account Control Detected

• Trigger Condition: An adversary uses techniques that manipulate UAC to elevate a user's privileges to administrator when the target process is unprotected.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Bypass User Account Control

• ATT&CK ID: T1548

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(norm_id=WindowsSysmon OR ((command=* OR commandline=*) norm_id=WinServer)) label="Process" label=Create (command="*eventvwr.exe*" OR commandline="*eventvwr.exe*" OR command="*wscript.exe*" OR commandline="*wscript.exe*" OR token_elevation_type="TokenElevationTypeLimited*") -user IN EXCLUDED_USERS | rename commandline as command

2.714 LP_Executable Dropped in Suspicious Location

• Trigger Condition: An executable file is dropped in a suspicious location on a system. Suspicious locations may include directories not commonly used to store executables, such as temporary folders or user profiles, or locations that users do not typically access. Adversaries may use this technique to drop and execute malicious payloads or scripts on a system. They may attempt to place these files in locations that are not easily visible or accessible to users to evade detection. False Positive notice: It is essential to whitelist noisy system processes like Microsoft Defender, Visual Studio, etc., to reduce false positives.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 file="*.exe" path IN ["C:\ProgramData*", "*\AppData\Local\*", "*\AppData\Roaming\*", "C:\Users\Public\*"] -source_image IN ["*\Microsoft Visual Studio\Installer\*\BackgroundDownload.exe", "C:\Windows\system32\cleanmgr.exe", "*\Microsoft\Windows Defender\*\MsMpEng.exe", "C:\Windows\SysWOW64\OneDriveSetup.exe", "*\AppData\Local\Microsoft\OneDrive\*", "*\Microsoft\Windows Defender\platform\*\MpCmdRun.exe", "*\AppData\Local\Temp\mpam-*.exe"] -file IN ["vs_setup_bootstrapper.exe", "DismHost.exe"]

2.715 LP_Process Execution from Suspicious Location

• Trigger Condition: Execution of a process from a suspicious location is detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4688 "process" IN ["C:\ProgramData\*.exe", "*\AppData\Local\*.exe", "*\AppData\Roaming\*.exe", "C:\Users\Public\*"] -"process" IN ["*\Teams.exe", "*\Teams\Update.exe", "*\Temp\*\dismhost.exe", "*Microsoft\OneDrive\*\FileCoAuth.exe", "C:\ProgramData\Microsoft\*\MpCmdRun.exe", "*\Local\Temp\*\BackgroundDownload.exe", "*Microsoft\Windows Defender\*\NisSrv.exe", "C:\ProgramData\Microsoft\*\MsMpEng.exe"]
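The two rules above (LP_Executable Dropped in Suspicious Location and LP_Process Execution from Suspicious Location) share one shape: a wildcard match on a path list, then two negated IN lists that allow-list noisy system writers and installer files. The following Python is an added example, not part of the LogPoint rule pack, that evaluates the Sysmon event 11 variant over constructed records; the field names file, path and source_image and the case-insensitive wildcard semantics are assumptions about the normalised events.

```python
import re

# Pattern lists copied from the LP_Executable Dropped in Suspicious Location query.
SUSPICIOUS_PATHS = [
    r"C:\ProgramData*", r"*\AppData\Local\*", r"*\AppData\Roaming\*", r"C:\Users\Public\*",
]
EXCLUDED_SOURCE_IMAGES = [
    r"*\Microsoft Visual Studio\Installer\*\BackgroundDownload.exe",
    r"C:\Windows\system32\cleanmgr.exe",
    r"*\Microsoft\Windows Defender\*\MsMpEng.exe",
    r"C:\Windows\SysWOW64\OneDriveSetup.exe",
    r"*\AppData\Local\Microsoft\OneDrive\*",
    r"*\Microsoft\Windows Defender\platform\*\MpCmdRun.exe",
    r"*\AppData\Local\Temp\mpam-*.exe",
]
EXCLUDED_FILES = ["vs_setup_bootstrapper.exe", "DismHost.exe"]


def wild(pattern: str, value: str) -> bool:
    """Wildcard match: '*' matches any run of characters. Case-insensitive, since
    NTFS paths are (assumed to mirror the query language's behaviour)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches_any(patterns, value: str) -> bool:
    return any(wild(p, value) for p in patterns)


def is_suspicious_drop(event: dict) -> bool:
    """Evaluate one normalised Sysmon event 11 (FileCreate) record against the rule.
    Assumed fields: file (file name), path (directory), source_image (writing process)."""
    if event.get("norm_id") != "WindowsSysmon" or event.get("event_id") != 11:
        return False
    file_name = event.get("file", "")
    if not wild("*.exe", file_name):
        return False
    if not matches_any(SUSPICIOUS_PATHS, event.get("path", "")):
        return False
    # The two '-... IN [...]' clauses are allow-lists: drop known-noisy writers and
    # installer files before alerting, as the False Positive notice recommends.
    if matches_any(EXCLUDED_SOURCE_IMAGES, event.get("source_image", "")):
        return False
    if matches_any(EXCLUDED_FILES, file_name):
        return False
    return True


def scan(events) -> list:
    """Return the records that would raise the alert."""
    return [e for e in events if is_suspicious_drop(e)]


# Constructed sample records (not real telemetry).
CONSTRUCTED_EVENTS = [
    # Unknown downloader writing an .exe into the roaming profile: should alert.
    {"norm_id": "WindowsSysmon", "event_id": 11, "file": "update.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Sync",
     "source_image": r"C:\Users\alice\Downloads\invoice.exe"},
    # Visual Studio installer download: suspicious path, but allow-listed writer.
    {"norm_id": "WindowsSysmon", "event_id": 11, "file": "vs_setup.exe",
     "path": r"C:\ProgramData\Microsoft\VisualStudio\Packages",
     "source_image": r"C:\Program Files\Microsoft Visual Studio\Installer\resources\app\BackgroundDownload.exe"},
    # Allow-listed file name in a public folder.
    {"norm_id": "WindowsSysmon", "event_id": 11, "file": "vs_setup_bootstrapper.exe",
     "path": r"C:\Users\Public\Downloads",
     "source_image": r"C:\Windows\System32\svchost.exe"},
    # Program Files is not in the suspicious path list.
    {"norm_id": "WindowsSysmon", "event_id": 11, "file": "tool.exe",
     "path": r"C:\Program Files\Tool", "source_image": r"C:\Windows\explorer.exe"},
    # Not an executable.
    {"norm_id": "WindowsSysmon", "event_id": 11, "file": "notes.txt",
     "path": r"C:\Users\Public\Libraries", "source_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_EVENTS):
        print("ALERT:", hit["source_image"], "wrote", hit["file"], "under", hit["path"])
```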

2.716 LP_Active Directory Enumeration via ADFind

• Trigger Condition: Enumeration of Active Directory using the AdFind tool is detected. AdFind is a CLI-based utility that can be used for gathering information from Active Directory like organizational units, users, computers, and groups. Adversaries can use this utility to gather information related to the Active Directory.

• ATT&CK Category: Execution

• ATT&CK Tag: T1059 - Command and Scripting Interpreter, T1059.001 - PowerShell

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="Process" label=Create "process"="*.exe" command IN ["* -f *objectcategory=*", "* -sc trustdmp*", "*lockoutduration*", "*lockoutthreshold", "*lockoutobservationwindow*", "*maxpwdage*", "*minpwdage*", "*minpwdlength*", "*pwdhistorylength*", "*pwdproperties*", "*-sc admincountdmp*", "*-sc exchaddresses*"]

2.717 LP_Antivirus Software Discovery via WMI

• Trigger Condition: Antivirus software discovery activity via WMI is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Software Discovery, Security Software Discovery

• ATT&CK ID: T1518, T1518.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4688 "process"="*\wmic.exe" command="*SecurityCenter2*AntiVirusProduct*"

2.718 LP_Possible Command Prompt Process Hollowing

• Trigger Condition: Possible process hollowing of the command prompt is detected using applications like net.exe, nltest.exe or ipconfig.exe. Adversaries inject malicious code into suspended and hollowed processes to evade process-based defenses.

• ATT&CK Category: Defense Evasion, Privilege Escalation

• ATT&CK Tag: Process Injection, Process Hollowing

• ATT&CK ID: T1055, T1055.012

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\cmd.exe" image IN ["*\net.exe", "*\net1.exe", "*\nltest.exe", "*\ipconfig.exe"] -parent_command IN ["* /c *", "* /k *"]

2.719 LP_Suspicious Taskkill Activity

• Trigger Condition: More than two processes are terminated in quick succession via the taskkill command, which may signal malicious activity such as ransomware.

• ATT&CK Category: Impact

• ATT&CK Tag: Service Stop

• ATT&CK ID: T1489

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4688 "process"="*\taskkill.exe" | chart count() as cnt by host, "process" | search cnt > 2

2.720 LP_Suspicious File or Directory Permission Modification

• Trigger Condition: Permission modification of a suspicious file or directory is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: File and Directory Permissions Modification, Windows File and Directory Permissions Modification

• ATT&CK ID: T1222.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4688 "process"="*\icacls.exe" command="icacls*:*/grant everyone*"

2.721 LP_Ryuk Wake-On-LAN Activity

• Trigger Condition: Ryuk's Wake-On-LAN activity is detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4688 "process"="*.exe" command="* 8 LAN *"

2.722 LP_EXE or DLL Dropped in Perflogs Folder

• Trigger Condition: An EXE or DLL file is dropped in the Windows Perflogs directory.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 file IN ["*.dll", "*.exe"] path="C:\Perflogs*"

2.723 LP_Credential Access via LaZagne

• Trigger Condition: Credential access via the popular open-source LaZagne tool is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, LSASS Memory

• ATT&CK ID: T1003, T1003.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=10 call_trace="*C:\Windows\SYSTEM32\ntdll.dll+*|C:\Windows\System32\KERNELBASE.dll+*_ctypes.pyd+*python27.dll+*"

2.724 LP_RDP Connection Initiated from Domain Controller

• Trigger Condition: Initiation of an RDP connection from a domain controller is detected.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Remote Services, Remote Desktop Protocol

• ATT&CK ID: T1021, T1021.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_source="Microsoft-Windows-TerminalServices-RemoteConnectionManager" event_id=1149 | rename eventxml.param3 as source_address | search source_address IN WINDOWS_DC

2.725 LP_Active Directory Module Load in PowerShell

• Trigger Condition: Loading of the Active Directory module in PowerShell is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1059, T1059.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4103 command="Import-Module" payload="*ActiveDirectory*"

2.726 LP_Possible Active Directory Enumeration via AD Module

• Trigger Condition: Enumeration of Active Directory via PowerShell's AD module is detected.

• ATT&CK Category: Execution, Discovery

• ATT&CK Tag: Remote System Discovery, Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1018, T1059, T1059.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4103 command="Get-ADComputer" payload="*DNSHostName*LastLogonDate*"

2.727 LP_Microsoft Defender Disabling Attempt via PowerShell

• Trigger Condition: An attempt to disable Microsoft Defender via PowerShell is detected.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Impair Defenses, Disable or Modify Tools, Command and Scripting Interpreter, PowerShell

• ATT&CK ID: T1562, T1562.001, T1059, T1059.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4104 script_block="Set-MpPreference -DisableRealtimeMonitoring $true"

2.728 LP_Possible Kerberoasting via Rubeus

• Trigger Condition: A Kerberoasting attack via the popular open-source tool Rubeus is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: Steal or Forge Kerberos Tickets, Kerberoasting

• ATT&CK ID: T1558, T1558.003

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 -source_image="C:\Windows\System32\*" image IN ["*\clr.dll", "*\kerberos.dll", "*\cryptdll.dll", "*\dsparse.dll"] | chart distinct_count(image) as dc, distinct_list(image) as images | search dc=4
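The rule above is a correlation rather than a single-event match: it only fires when all four DLLs are seen loading, and it excludes loaders under System32 so that lsass.exe and similar OS binaries do not trigger it. The following Python is an added example, not part of the rule pack, that applies the same logic to constructed Sysmon event 7 records; it groups per (host, source_image), which is an assumption, since the query as written carries no by clause and counts distinct images over the whole search window.

```python
import re
from collections import defaultdict

# DLL set and exclusion copied from the LP_Possible Kerberoasting via Rubeus query.
RUBEUS_DLLS = [r"*\clr.dll", r"*\kerberos.dll", r"*\cryptdll.dll", r"*\dsparse.dll"]
SYSTEM32_EXCLUSION = r"C:\Windows\System32\*"


def wild(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; case-insensitive, as NTFS paths are."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def rubeus_candidates(events) -> dict:
    """Correlate Sysmon event 7 (ImageLoad) records. Returns {(host, source_image): [dll names]}
    for every loading process that pulled in all four DLLs (the query's 'dc=4')."""
    loaded = defaultdict(set)
    for ev in events:
        if ev.get("norm_id") != "WindowsSysmon" or ev.get("event_id") != 7:
            continue
        source = ev.get("source_image", "")
        # -source_image="C:\Windows\System32\*": OS binaries load these DLLs routinely.
        if wild(SYSTEM32_EXCLUSION, source):
            continue
        image = ev.get("image", "")
        for pattern in RUBEUS_DLLS:
            if wild(pattern, image):
                # Count distinct DLL names rather than distinct paths so two copies of
                # clr.dll cannot count twice (a slight tightening of distinct_count(image)).
                loaded[(ev.get("host", ""), source)].add(pattern.lstrip("*\\"))
    return {key: sorted(names) for key, names in loaded.items() if len(names) == 4}


# Constructed sample records (not real telemetry).
def _load(host: str, source_image: str, image: str) -> dict:
    return {"norm_id": "WindowsSysmon", "event_id": 7, "host": host,
            "source_image": source_image, "image": image}


SUSPECT = r"C:\Users\bob\AppData\Local\Temp\r.exe"
CONSTRUCTED_EVENTS = [
    # A .NET binary from a temp folder loading the CLR plus all three Kerberos DLLs.
    _load("WS01", SUSPECT, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
    _load("WS01", SUSPECT, r"C:\Windows\System32\kerberos.dll"),
    _load("WS01", SUSPECT, r"C:\Windows\System32\cryptdll.dll"),
    _load("WS01", SUSPECT, r"C:\Windows\System32\dsparse.dll"),
    _load("WS01", SUSPECT, r"C:\Windows\System32\kernel32.dll"),  # not in the list
    # lsass.exe legitimately loads the Kerberos DLLs; the System32 filter drops it.
    _load("DC01", r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\kerberos.dll"),
    _load("DC01", r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\cryptdll.dll"),
    # A managed application loading only clr.dll never reaches the threshold.
    _load("WS02", r"C:\Program Files\dotnet\dotnet.exe",
          r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
]

if __name__ == "__main__":
    for (host, proc), dlls in rubeus_candidates(CONSTRUCTED_EVENTS).items():
        print(f"ALERT on {host}: {proc} loaded {', '.join(dlls)}")
```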

2.729 LP_Suspicious Scheduled Task Creation

• Trigger Condition: A suspicious scheduled task creation is detected on a Windows endpoint. A suspicious task here refers to a task running scripts or programs from temp directories or insecure locations (writable by any user). Adversaries may abuse the Windows Task Scheduler to perform task scheduling for the initial or recurring execution of malicious code to achieve persistence, lateral movement, execution, detection evasion, and privilege escalation. Ransomware also commonly uses public directories for scheduled task creation.

• ATT&CK Category: Execution, Persistence, Privilege Escalation

• ATT&CK Tag: Scheduled Task/Job, Scheduled Task

• ATT&CK ID: T1053, T1053.005

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label=Schedule label=Task label=Create command IN ["*C:\Users\*", "*C:\Windows\Temp\*", "*C:\ProgramData\*"] -command="C:\ProgramData\Microsoft\Windows Defender\Platform\*"

2.730 LP_RDP Connection Initiated from Suspicious Country

• Trigger Condition: Initiation of an RDP connection from a domain controller is detected.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access

• ATT&CK Tag: Valid Accounts, Domain Accounts

• ATT&CK ID: T1078, T1078.002

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_source="Microsoft-Windows-TerminalServices-RemoteConnectionManager" event_id=1149 -eventxml.param3 IN HOMENET | rename eventxml.param3 as source_address | process geoip(source_address) as country | search country IN SUSPICIOUS_COUNTRY

2.731 LP_Scheduled Task Deletion

• Trigger Condition: Deletion of a scheduled task using the schtasks utility with the delete command is detected.

• ATT&CK Category: Execution, Persistence, Privilege Escalation

• ATT&CK Tag: Scheduled Task/Job, Scheduled Task

• ATT&CK ID: T1053, T1053.005

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image='*\schtasks.exe' command='*delete*'

2.732 LP_Possible GootKit WScript Execution

• Trigger Condition: The GootKit banking trojan's WScript execution activity is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: Command and Scripting Interpreter, Visual Basic

• ATT&CK ID: T1059, T1059.003

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4688 "process"="*\wscript.exe" command="*\APPDATA\*.js*"

2.733 LP_Winnti IoC Domain Match

• Trigger Condition: A match for a Winnti (APT41) group IoC domain is found. The IoC reference is PT ESC Threat Intelligence, January 14, 2021.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

(domain IN WINNTI_DOMAINS OR query IN WINNTI_DOMAINS) | rename query as ioc, domain as ioc

2.734 LP_Winnti IoC Hash Match

• Trigger Condition: A match for a Winnti (APT41) group IoC hash is found. The IoC reference is PT ESC Threat Intelligence, January 14, 2021.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: Antivirus, EDR, Sysmon

• Query:

(hash IN WINNTI_HASHES OR hash_sha1 IN WINNTI_HASHES OR hash_sha256 IN WINNTI_HASHES) | rename hash as ioc, hash_sha1 as ioc, hash_sha256 as ioc

2.735 LP_Zerologon CVE-2020-1472 Exploitation Detected

• Trigger Condition: Exploitation of Zerologon (CVE-2020-1472) on domain controllers is detected. For this alert to work, you must update the list WINDOWS_DC with the computer names of the domain controllers in Active Directory, ending with $. By default, domain computers in Active Directory submit a request to change their password every 30 days, hence you can expect some false positives.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Exploitation for Privilege Escalation

• ATT&CK ID: T1068

• Minimum Log Source Requirement: Windows

• Query:

(hash IN WINNTI_HASHES OR hash_sha1 IN WINNTI_HASHES OR hash_sha256 IN WINNTI_HASHES) | rename hash as ioc, hash_sha1 as ioc, hash_sha256 as ioc

2.736 LP_Allowed NetLogon Connections - CVE-2020-1472

• Trigger Condition: Vulnerable Netlogon connections that are still allowed after installation of the Zerologon patch, during the initial deployment phase, are detected.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Exploitation for Privilege Escalation

• ATT&CK ID: T1068

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=5829

2.737 LP_Denied NetLogon Connections - CVE-2020-1472

• Trigger Condition: Vulnerable Netlogon connections denied after installation of the Zerologon patch are detected.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Exploitation for Privilege Escalation

• ATT&CK ID: T1068

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id IN ["5827", "5828"]

2.738 LP_Allowed NetLogon Connections via Group Policy - CVE-2020-1472

• Trigger Condition: Vulnerable Netlogon connections allowed by the Group Policy setting "Domain controller: Allow vulnerable Netlogon secure channel connections" are detected.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: Exploitation for Privilege Escalation

• ATT&CK ID: T1068

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id IN ["5830", "5831"]

2.739 LP_Exchange Remote Code Execution CVE-2020-0688 Attempt

• Trigger Condition: A remote code execution attempt via CVE-2020-0688 in Microsoft Exchange is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: External Remote Services

• ATT&CK ID: T1133

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

norm_id=* (url="*/ecp/default.aspx*__VIEWSTATEGENERATOR*VIEWSTATE=*" OR resource="*__VIEWSTATEGENERATOR*VIEWSTATE=*")

2.740 LP_BlueKeep Vulnerability CVE-2019-0708 Exploitation

• Trigger Condition: Exploitation of BlueKeep, a Remote Desktop Services remote code execution vulnerability also known as CVE-2019-0708, is detected.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: Exploitation of Remote Services

• ATT&CK ID: T1210

• Minimum Log Source Requirement: IDS/IPS

• Query:

(norm_id=Snort OR norm_id=SuricataIDS) message="*Windows RDP MS_T120*"

2.741 LP_Confluence Remote Code Execution CVE-2019-3398 Attempt

• Trigger Condition: A remote code execution attempt via CVE-2019-3398 in Confluence Server and Data Center is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

norm_id=* request_method=POST (url='*plugins/drag-and-drop/upload.action*filename=../../*.jsp*' OR resource='*plugins/drag-and-drop/upload.action*filename=../../*.jsp*')

2.742 LP_ZoHo ManageEngine Pre-Auth File Upload CVE-2019-8394 Exploitation Attempt

• Trigger Condition: An attempt to exploit the pre-auth file upload vulnerability CVE-2019-8394 in ZoHo ManageEngine ServiceDesk Plus is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

norm_id=* request_method=POST (url='*/common/FileAttachment.jsp?module=CustomLogin*' OR resource='*/common/FileAttachment.jsp?module=CustomLogin*')

2.743 LP_ZoHo ManageEngine Desktop Central CVE-2020-10189 Exploitation Attempt

• Trigger Condition: A remote code execution attempt via CVE-2019-11580 in ZoHo ManageEngine Desktop Central is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

norm_id=* request_method=POST (url='*/mdm/client/v1/mdmLogUploader*webapps*_chart*' OR resource='*/mdm/client/v1/mdmLogUploader*webapps*_chart*')

2.744 LP_Atlassian Crowd Remote Code Execution CVE-2019-11580 Exploitation Attempt

• Trigger Condition: A remote code execution attempt via CVE-2019-11580 in Atlassian Crowd is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

norm_id=* request_method=POST content_type="multipart/mixed*" (url='*/crowd/admin/uploadplugin.action*' OR resource='*/crowd/admin/uploadplugin.action*')

2.745 LP_Fortinet Pre-Auth File Read CVE-2018-13379


Exploitation Attempt
• Trigger Condition: The exploitation of pre-auth file read vulnerability (2018-13379)
in Fortinet FortiOS is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: External Remote Services

• ATT&CK ID: T1133

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

norm_id=* (url='*lang=/../../*/dev/cmdb/sslvpn_websession*' OR resource='*lang=/../../*/dev/cmdb/sslvpn_websession*')

2.746 LP_Adobe ColdFusion Remote Code Execution CVE-2018-15961 Attempt

• Trigger Condition: Exploitation of the arbitrary file upload vulnerability (CVE-2018-15961) in Adobe ColdFusion to upload a JSP webshell for remote code execution is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Exploit Public-Facing Application

• ATT&CK ID: T1190

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

norm_id=* request_method=POST (url='*/cf_scripts/*/upload.cfm*' OR resource='*/cf_scripts/*/upload.cfm*')


2.747 LP_Creation of Encrypted Winrar archive via CLI


• Trigger Condition: Creation of an encrypted RAR archive via CLI is detected.

• ATT&CK Category: Execution, Collection

• ATT&CK Tag: Obfuscated Files or Information, Software Packing, Archive Collected Data, Archive via Utility

• ATT&CK ID: T1027, T1027.002, T1560, T1560.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WindowsSysmon event_id=1 image='*\rar.exe' command='*-hp*'

2.748 LP_Default Hard disk Usage Status


• Trigger Condition: The hard disk uses storage greater than or equal to 80%.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: LogPoint

• Query:

label=Harddisk label=Usage label=Metrics use>=80

2.749 LP_Default License Grace State


• Trigger Condition: LogPoint’s license has expired and is operating in grace state.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: LogPoint


• Query:

norm_id=LogPoint label=Audit label=License label=Grace

2.750 LP_Default License Invalid


• Trigger Condition: LogPoint’s license is no longer valid.

• ATT&CK Category: -

• ATT&CK Tag: -

• ATT&CK ID: -

• Minimum Log Source Requirement: LogPoint

• Query:

norm_id=LogPoint label=Audit label=License label=Invalid

2.751 LP_Microsoft Build Engine Loading Credential Libraries

• Trigger Condition: Loading of credential libraries by the Microsoft Build Engine is detected.

• ATT&CK Category: Credential Access

• ATT&CK Tag: OS Credential Dumping, Security Account Manager

• ATT&CK ID: T1003, T1003.002

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=7 source_image='*msbuild.exe' image IN ['vaultcli.dll', 'SAMLib.DLL']


2.752 LP_Microsoft Build Engine started by Office


• Trigger Condition: Execution of Microsoft Build engine by Office products is
detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Trusted Developer Utilities Proxy Execution, MSBuild

• ATT&CK ID: T1127, T1127.001

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image='*msbuild.exe' parent_image IN ['*eqnedt32.exe', '*excel.exe', '*fltldr.exe', '*msaccess.exe', '*winword.exe', '*mspub.exe', '*outlook.exe', '*powerpnt.exe']

2.753 LP_Potential Botnet Infected Host Detected


• Trigger Condition: Botnet-infected host is detected.

• ATT&CK Category: Command and Control, Impact

• ATT&CK Tag: Proxy, Network Denial of Service

• ATT&CK ID: T1090, T1498

• Minimum Log Source Requirement: -

• Query:

label=Botnet label=Detect source_address=* destination_address=* (host=* or device_address=*) | rename device_address as host

2.754 LP_Potential Phishing Attack Detected


• Trigger Condition: A phishing attack is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Phishing, Spearphishing Attachment

• ATT&CK ID: T1566, T1566.001


• Minimum Log Source Requirement: MailServer

• Query:

label=Detect label=Malicious label=File file=* sender=* receiver=* hash=*

2.755 LP_Potential Malware Infected Host Detected


• Trigger Condition: A ransomware-infected host is detected.

• ATT&CK Category: Impact

• ATT&CK Tag: Data Encrypted for Impact

• ATT&CK ID: T1486

• Minimum Log Source Requirement: -

• Query:

(label=Detect label=Malware label=Infection malware="*Ransom*") OR (hash IN MALWARE_HASH) host=* hash=*

2.756 LP_PowerShell Module Logging Setting Discovery


• Trigger Condition: Enumeration of PowerShell module logging setting is detected.

• ATT&CK Category: Discovery

• ATT&CK Tag: Query Registry

• ATT&CK ID: T1012

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=13 target_object="*\PowerShell\ModuleLogging*"


2.757 LP_PowerShell Module Logging Setting Discovery


• Trigger Condition: Multiple failed user logins followed by successful login is
detected.

• ATT&CK Category: Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access

• ATT&CK Tag: Valid Accounts, Brute Force

• ATT&CK ID: T1078, T1110

• Minimum Log Source Requirement: Windows

• Query:

[4 norm_id=WinServer* label=User label=Login label=Fail user!=* user=* having same user] as Fail followed by [norm_id=WinServer* label=User label=Login label=Successful user!=* user=*] as Login on Fail.user=Login.user | rename user as User, Login.source_address as SourceAddress

2.758 LP_Safe DLL Search Mode Disabled


• Trigger Condition: Safe DLL search mode is disabled.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Impair Defenses, Indicator Blocking

• ATT&CK ID: T1562, T1562.001

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WindowsSysmon event_id=13 target_object='*\CurrentControlSet\Control\Session Manager\SafeDllSearchMode' detail="DWORD (0x00000000)"


2.759 LP_Potential Intrusion Detected


• Trigger Condition: An intrusion by IDS or IPS devices is detected.

• ATT&CK Category: Command and Control, Defense Evasion

• ATT&CK Tag: Proxy, Exploitation for Defense Evasion

• ATT&CK ID: T1090, T1211

• Minimum Log Source Requirement: -

• Query:

label=Intrusion label=Detect source_address=* destination_address=*

2.760 LP_Windows Crash Dump Disabled


• Trigger Condition: The Windows crash dump registry setting is disabled.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=13 target_object="HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled" detail="DWORD (0x00000000)"

2.761 LP_Suspicious Shells Spawn by SQL Server


• Trigger Condition: A suspicious shell process is spawned by the SQL Server
process which may indicate exploitation of a vulnerability.

• ATT&CK Category: Initial Access, Execution

• ATT&CK Tag: Exploit Public-Facing Application, PowerShell

• ATT&CK ID: T1190, T1059.001


• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4688 parent_process="*\sqlservr.exe" "process" IN ["*\cmd.exe", "*\powershell.exe", "*\bash.exe", "*\sh.exe", "*\bitsadmin.exe"] -(parent_process IN ["C:\Program Files\Microsoft SQL Server\*", "*DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe"] "process"="C:\Windows\System32\cmd.exe" command='"C:\Windows\system32\cmd.exe" *')

2.762 LP_HermeticWiper Driver Load


• Trigger Condition: Loading of a driver matching HermeticWiper’s driver IoC hashes is detected.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=6 (hash IN HERMETIC_WIPER_DRIVER_HASHES OR hash_sha1 IN HERMETIC_WIPER_DRIVER_HASHES OR hash_sha256 IN HERMETIC_WIPER_DRIVER_HASHES) | rename hash as ioc, hash_sha1 as ioc, hash_sha256 as ioc

2.763 LP_UltraVNC Execution via Command Line


• Trigger Condition: UltraVNC execution via the command line is detected. Gamaredon is known to use this technique to gain remote access.

• ATT&CK Category: Command and Control

• ATT&CK Tag: Remote Access Software

• ATT&CK ID: T1219

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:


norm_id=WinServer event_id=4688 command="*-autoreconnect *" command="*-connect *" command="*-id:*"

2.764 LP_Office Security Settings Changed


• Trigger Condition: Modification of Microsoft Office security settings in the registry is detected.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: Modify Registry

• ATT&CK ID: T1112

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=13 target_object IN ["*\Security\Trusted Documents\TrustRecords*", "*\Security\AccessVBOM*", "*\Security\VBAWarnings*"]

2.765 LP_HermeticWiper IoC Hashes Detected


• Trigger Condition: Any HermeticWiper IoC hash match is found. IoC reference: hashes are current as of March 2022.

• ATT&CK Category: Resource Development

• ATT&CK Tag: Malware

• ATT&CK ID: T1588.001

• Minimum Log Source Requirement: IDS, IPS, Firewall, Windows Sysmon

• Query:

(hash IN HERMETIC_WIPER_HASHES OR hash_sha1 IN HERMETIC_WIPER_HASHES OR hash_sha256 IN HERMETIC_WIPER_HASHES) | rename hash as ioc, hash_sha1 as ioc, hash_sha256 as ioc


2.766 LP_IsaacWiper IoC Hashes Detected


• Trigger Condition: Any IsaacWiper IoC hash match is found. IoC reference: hashes are current as of March 2022.

• ATT&CK Category: Resource Development

• ATT&CK Tag: Malware

• ATT&CK ID: T1588.001

• Minimum Log Source Requirement: IDS, IPS, Firewall, Windows Sysmon

• Query:

(hash IN ISAAC_WIPER_HASHES OR hash_sha1 IN ISAAC_WIPER_HASHES OR hash_sha256 IN ISAAC_WIPER_HASHES) | rename hash as ioc, hash_sha1 as ioc, hash_sha256 as ioc

2.767 LP_Actinium IoC Hashes Detected


• Trigger Condition: Any Actinium IoC hash match is found. IoC reference: hashes are current as of March 2022.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: IDS, IPS, Firewall, Windows Sysmon

• Query:

(hash IN ACTINIUM_HASHES OR hash_sha1 IN ACTINIUM_HASHES OR hash_sha256 IN ACTINIUM_HASHES) | rename hash as ioc, hash_sha1 as ioc, hash_sha256 as ioc

2.768 LP_WhisperGate IoC Hashes Detected


• Trigger Condition: Any WhisperGate (DEV-0586) IoC hash match is found. IoC reference: hashes are current as of February 2022.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A


• ATT&CK ID: N/A

• Minimum Log Source Requirement: IDS, IPS, Firewall, Windows Sysmon

• Query:

(hash IN WHISPERGATE_HASHES OR hash_sha1 IN WHISPERGATE_HASHES OR hash_sha256 IN WHISPERGATE_HASHES) | rename hash as ioc, hash_sha1 as ioc, hash_sha256 as ioc

2.769 LP_GhostWriter IoC Detected


• Trigger Condition: Any IoC domain or IP address match for the Belarusian threat actor GhostWriter (UNC1151) is found. IoC reference: IoCs are current as of February 2022.

• ATT&CK Category: Initial Access

• ATT&CK Tag: Phishing

• ATT&CK ID: T1566

• Minimum Log Source Requirement: IDS, IPS, Firewall, Windows Sysmon

• Query:

(domain IN GHOSTWRITER_DOMAINS OR source_address IN GHOSTWRITER_IPS OR destination_address IN GHOSTWRITER_IPS)

2.770 LP_Actinium IoC Domains Detected


• Trigger Condition: Any Actinium IoC domain match is found. IoC reference: IoCs are current as of February 2022.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: IDS, IPS, Firewall

• Query:


domain IN ACTINIUM_DOMAINS

2.771 LP_Suspicious VMToolsd Child Process


• Trigger Condition: A suspicious child process of the VMware Tools process is created, which may indicate persistence set up by attackers.

• ATT&CK Category: Execution

• ATT&CK Tag: T1059 - Command and Scripting Interpreter

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4688 parent_process="*\vmtoolsd.exe" image IN ["*\cmd.exe", "*\powershell.exe", "*\wscript.exe", "*\cscript.exe", "*\rundll32.exe", "*\regsvr32.exe"] -command IN ["*\VMware\VMware Tools\poweron-vm-default.bat*", "*\VMware\VMware Tools\poweroff-vm-default.bat*", "*\VMware\VMware Tools\resume-vm-default.bat*", "*\VMware\VMware Tools\suspend-vm-default.bat*"]

2.772 LP_Credential Access via Pypykatz


• Trigger Condition: Credential access via the popular open-source Pypykatz tool is detected. Pypykatz is a Mimikatz implementation in Python (version >= 3.6).

• ATT&CK Category: Credential Access

• ATT&CK Tag: T1003.001 - LSASS Memory

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=10 image="*\lsass.exe" call_trace="*C:\Windows\SYSTEM32\ntdll.dll+*" call_trace="*C:\Windows\System32\KERNELBASE.dll+*" call_trace="*libffi-7.dll*" call_trace="*_ctypes.pyd+*" call_trace="*python3*.dll+*"


2.773 LP_Atlassian Confluence CVE-2021-26084 Exploitation

• Trigger Condition: Spawning of suspicious child processes by the Atlassian Confluence server process is detected, which may indicate successful exploitation of CVE-2021-26084. CVE-2021-26084 is an OGNL injection vulnerability in Confluence Server and Data Center that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. Confluence Server and Data Center versions before v6.13.23, v6.14.0 before v7.4.11, v7.5.0 before 7.11.6, and v7.12.0 before v7.12.5 are affected by this vulnerability.

• ATT&CK Category: Initial Access

• ATT&CK Tag: T1190 - Exploit Public-Facing Application

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="Process" label=Create parent_process="*\Atlassian\Confluence\jre\bin\java.exe" command IN ["*cmd /c*", "*cmd /k*", "*powershell*", "*certutil*", "*curl*", "*whoami*", "*ipconfig*"]

2.774 LP_Impacket PsExec Execution


• Trigger Condition: Execution of Impacket’s PsExec utility is detected. Impacket is
a collection of Python classes for working with network protocols. Impacket focuses
on providing low-level programmatic access to the packets and is commonly used
in PoCs.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: T1570 - Lateral Tool Transfer

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=5145 share_name="IPC$" relative_target IN ["*RemCom_stdint*", "*RemCom_stdoutt*", "*RemCom_stderrt*"] -user IN EXCLUDED_USERS


2.775 LP_Oracle WebLogic CVE-2021-2109 Exploitation


• Trigger Condition: Possible exploitation of the Oracle WebLogic server
vulnerability CVE-2021-2109 is detected. This vulnerability allows a high privileged
attacker with network access via HTTP to compromise Oracle WebLogic Server.

• ATT&CK Category: Initial Access

• ATT&CK Tag: T1190 - Exploit Public-Facing Application

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

norm_id=* request_method=GET url="*com.bea.console.handles.JndiBindingHandle*" url="*ldap://*" url="*AdminServer*"

2.776 LP_Possible JSP Webshell Detected


• Trigger Condition: A JSP webshell is detected in the URL, which may indicate SpringShell is being exploited. If .jsp and .class files are commonly used in the network, this rule may produce false positives.

• ATT&CK Category: Persistence

• ATT&CK Tag: T1505.003 - Web Shell

• Minimum Log Source Requirement: -

• Query:

status_code=200 request_method IN ["POST", "GET"] url in ["*.jsp*", "*.class*"]

2.777 LP_PowerShell ADRecon Execution


• Trigger Condition: Execution of the ADRecon PowerShell script for AD reconnaissance is detected. The script is reported to be actively used by FIN7. For the alert to work, script block logging must be enabled.

• ATT&CK Category: Execution

• ATT&CK Tag: T1059 - Command and Scripting Interpreter, T1059.001 - PowerShell

• Minimum Log Source Requirement: Windows


• Query:

norm_id=WinServer event_id=4104 script_block IN ["*Function Get-ADRExcelComOb*", "*ADRecon-Report.xlsx*"] -user IN EXCLUDED_USERS


2.779 LP_PowerView PowerShell Commandlets

• Trigger Condition: Execution of PowerShell commandlets of the popular PowerView module of the PowerSploit framework is detected. For the alert to work, script block logging must be enabled.

• ATT&CK Category: Execution

• ATT&CK Tag: T1059 - Command and Scripting Interpreter, T1059.001 - PowerShell

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=4104 script_block IN ["Export-PowerViewCSV", "Get-IPAddress", "Resolve-IPAddress",
"Convert-NameToSid", "ConvertTo-SID", "Convert-ADName", "ConvertFrom-UACValue", "Add-RemoteConnection",
"Remove-RemoteConnection", "Invoke-UserImpersonation", "Invoke-RevertToSelf", "Request-SPNTicket",
"Get-DomainSPNTicket", "Invoke-Kerberoast", "Get-PathAcl", "Get-DNSZone", "Get-DomainDNSZone", "Get-DNSRecord",
"Get-DomainDNSRecord", "Get-NetDomain", "Get-Domain", "Get-NetDomainController", "Get-DomainController",
"Get-NetForest", "Get-Forest", "Get-NetForestDomain", "Get-ForestDomain", "Get-NetForestCatalog",
"Get-ForestGlobalCatalog", "Find-DomainObjectPropertyOutlier", "Get-NetUser", "Get-DomainUser", "New-DomainUser",
"Set-DomainUserPassword", "Get-UserEvent", "Get-DomainUserEvent", "Get-NetComputer", "Get-DomainComputer",
"Get-ADObject", "Get-DomainObject", "Set-ADObject", "Set-DomainObject", "Get-ObjectAcl", "Get-DomainObjectAcl",
"Add-ObjectAcl", "Add-DomainObjectAcl", "Invoke-ACLScanner", "Find-InterestingDomainAcl", "Get-NetOU",
"Get-DomainOU", "Get-NetSite", "Get-DomainSite", "Get-NetSubnet", "Get-DomainSubnet", "Get-DomainSID",
"Get-NetGroup", "Get-DomainGroup", "New-DomainGroup", "Find-ManagedSecurityGroups",
"Get-DomainManagedSecurityGroup", "Get-NetGroupMember", "Get-DomainGroupMember", "Add-DomainGroupMember",
"Get-NetFileServer", "Get-DomainFileServer", "Get-DFSshare", "Get-DomainDFSShare", "Get-NetGPO", "Get-DomainGPO",
"Get-NetGPOGroup", "Get-DomainGPOLocalGroup", "Find-GPOLocation", "Get-DomainGPOUserLocalGroupMapping",
"Find-GPOComputerAdmin", "Get-DomainGPOComputerLocalGroupMapping", "Get-DomainPolicy", "Get-NetLocalGroup",
"Get-NetLocalGroupMember", "Get-NetShare", "Get-NetLoggedon", "Get-NetSession", "Get-LoggedOnLocal",
"Get-RegLoggedOn", "Get-NetRDPSession", "Invoke-CheckLocalAdminAccess", "Test-AdminAccess", "Get-SiteName",
"Get-NetComputerSiteName", "Get-Proxy", "Get-WMIRegProxy", "Get-LastLoggedOn", "Get-WMIRegLastLoggedOn",
"Get-CachedRDPConnection", "Get-WMIRegCachedRDPConnection", "Get-RegistryMountedDrive", "Get-WMIRegMountedDrive",
"Get-NetProcess", "Get-WMIProcess", "Find-InterestingFile", "Invoke-UserHunter", "Find-DomainUserLocation",
"Invoke-ProcessHunter", "Find-DomainProcess", "Invoke-EventHunter", "Find-DomainUserEvent", "Invoke-ShareFinder",
"Find-DomainShare", "Invoke-FileFinder", "Find-InterestingDomainShareFile", "Find-LocalAdminAccess",
"Invoke-EnumerateLocalAdmin", "Find-DomainLocalGroupMember", "Get-NetDomainTrust", "Get-DomainTrust",
"Get-NetForestTrust", "Get-ForestTrust",
(continues on next page)

2.780 LP_SpringShell Indicators of Compromise Detected


• Trigger Condition: A SpringShell indicator of compromise is detected. This alert checks whether the request method and URL parameters are used in conjunction to reach a command injection point once a file has been created.

• ATT&CK Category: Execution, Persistence, Command and Control

• ATT&CK Tag: T1102 - Web Service, T1204.002 - Malicious File, T1505.003 - Web
Shell

• Minimum Log Source Requirement: -

• Query:

request_method IN ["POST", "GET"] url IN ["*?class.module.classloader.resources.context.parent.pipeline.first.*", "*java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di*", "*pwd=*", "*cmd=*", "*.getParameter(%22pwd%22)*"]


2.782 LP_SpringShell Webshell Detected in URL


• Trigger Condition: Successful requests for SpringShell resources are detected. Based on the PoC, the alert rule may produce false positives if pages with .jsp or .class files are hosted in the network.
• ATT&CK Category: Persistence
• ATT&CK Tag: T1505.003 - Web Shell
• Minimum Log Source Requirement: -
• Query:

status_code=200 url IN ["*.jsp*", "*.class*"] | norm on url <webShell:'\/.*\.(jsp|class)\?.*=.*'> | filter webShell=*

2.783 LP_Stealthy VSTO Persistence


• Trigger Condition: Persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications is detected.
• ATT&CK Category: Persistence
• ATT&CK Tag: T1137.006 - Add-ins
• Minimum Log Source Requirement: Windows Sysmon
• Query:

norm_id=WindowsSysmon event_id=13 target_object IN ["*\Software\Microsoft\Office\Outlook\Addins\*", "*\Software\Microsoft\Office\Word\Addins\*", "*\Software\Microsoft\Office\Excel\Addins\*", "*\Software\Microsoft\Office\Powerpoint\Addins\*", "*\Software\Microsoft\VSTO\Security\Inclusion\*"] -user IN EXCLUDED_USERS -image IN ["*\msiexec.exe", "*\regsvr32.exe", "*\winword.exe", "*\integrator.exe", "*\OfficeClickToRun.exe"]

2.784 LP_Suspicious DLL or VBS Files being created in ProgramData

• Trigger Condition: A file with a .dll or .vbs extension is created in the ProgramData folder. A DLL is a library containing code and data that can be used by multiple programs simultaneously. VBScript is an interpreted scripting language from Microsoft that is a subset of its Visual Basic programming language, designed for interpretation by Microsoft’s Internet Explorer web browser. Attackers use these techniques for the execution of malicious payloads. This method is predominantly used in Bumblebee attacks.

• ATT&CK Category: Execution

• ATT&CK Tag: T1204.002 - Malicious File

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 file IN ["*.dll", "*.vbs"] path="C:\ProgramData*"

2.785 LP_Suspicious VMToolsd Child Process


• Trigger Condition: A suspicious child process of the VMware Tools process is created, which may indicate persistence set up by attackers.

• ATT&CK Category: Execution

• ATT&CK Tag: T1059 - Command and Scripting Interpreter

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WinServer event_id=4688 parent_process="*\vmtoolsd.exe" image IN ["*\cmd.exe", "*\powershell.exe", "*\wscript.exe", "*\cscript.exe", "*\rundll32.exe", "*\regsvr32.exe"] -command IN ["*\VMware\VMware Tools\poweron-vm-default.bat*", "*\VMware\VMware Tools\poweroff-vm-default.bat*", "*\VMware\VMware Tools\resume-vm-default.bat*", "*\VMware\VMware Tools\suspend-vm-default.bat*"]

2.786 LP_Suspicious WMPRVSE Child Process


• Trigger Condition: A suspicious child process of WMIC is detected.

• ATT&CK Category: Execution

• ATT&CK Tag: T1047 - Windows Management Instrumentation

• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=1 parent_image="*\wmprvse.exe" -image IN ["C:\Windows\System32\conhost.exe", "C:\Windows\system32\wbem\WMIC.exe", "C:\Windows\syswow64\wbem\WMIC.exe", "C:\Windows\system32\WerFault.exe", "C:\Windows\SysWOW64\WerFault.exe"]

2.787 LP_TerraMaster TOS CVE-2020-28188 Exploitation


• Trigger Condition: The exploitation of the TerraMaster TOS vulnerability
CVE-2020-28188 is detected. CVE-2020-28188 is a remote command
execution (RCE) vulnerability in TerraMaster TOS <= v4.2.06 that allows remote
unauthenticated attackers to inject OS commands.

• ATT&CK Category: Initial Access

• ATT&CK Tag: T1190 - Exploit Public-Facing Application

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

norm_id=* request_method=GET url="*/include/makecvs.php*" url="*?Event=*" url IN ["*curl*", "*wget*", "*.py*", "*.sh*", "*chmod*", "*_GET*"]

2.788 LP_VMware VSphere CVE-2021-21972 Exploitation


• Trigger Condition: Exploitation of the VMware vSphere remote code execution vulnerability CVE-2021-21972 is detected.

• ATT&CK Category: Initial Access

• ATT&CK Tag: T1190 - Exploit Public-Facing Application

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

norm_id=* request_method=POST url="*/ui/vropspluginui/rest/services/uploadova*"


2.789 LP_VMware View Planner CVE-2021-21978 Exploitation

• Trigger Condition: Exploitation of the VMware View Planner vulnerability CVE-2021-21978 is detected. CVE-2021-21978 is a flaw caused by improper input validation and a lack of authorization, leading to arbitrary file upload in the Log Upload web applications.

• ATT&CK Category: Initial Access

• ATT&CK Tag: T1190 - Exploit Public-Facing Application

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

norm_id=* request_method=POST url="*logupload*" url="*logMetaData*" url="*wsgi_log_upload.py*"

2.790 LP_Zoho ManageEngine ADSelfService Plus CVE-2021-40539 Exploitation

• Trigger Condition: Exploitation of the REST API authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus (v6113 and prior) is detected. Logs from the \ManageEngine\ADSelfService Plus\logs path must be collected for the detection to work.

• ATT&CK Category: Initial Access, Persistence

• ATT&CK Tag: T1190 - Exploit Public-Facing Application, T1505.003 - Web Shell

• Minimum Log Source Requirement: Web Server

• Query:

url=* url IN ["*/help/admin-guide/Reports/ReportGenerate.jsp*", "*/RestAPI/LogonCustomization*", "*/RestAPI/Connection*"]

2.791 LP_Possible Access to ADMIN Share


• Trigger Condition: Access to the ADMIN$ share, which may help detect lateral movement attempts, is detected. Since Windows admin share activity is so common, it provides adversaries with a powerful, discreet way to move laterally within an environment. Self-propagating ransomware and cryptocurrency miners, both rapidly emerging threats, rely on Windows admin shares. If an adversary obtains legitimate Windows credentials, the hidden shares (C$, ADMIN$, and IPC$) can be accessed remotely via Server Message Block (SMB) or the Net utility to transfer files and execute code. Windows admin shares are often used in conjunction with behaviors relating to Remote File Copy (T1105), because adversaries commonly use the technique to copy files remotely, and Network Share Discovery (T1135). It can also occur with New Service (T1050) and Service Execution (T1035), because tools like PsExec deploy their receiver executable to admin shares and schedule a service to execute it. Legitimate administrative activities may generate false positives and will require whitelisting.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: T1021.002 - SMB/Windows Admin Shares

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id=5140 share_name="Admin$" -user="*$" -user IN EXCLUDED_USERS
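The filter above, applied in Python to constructed Security event 5140 records, with a fan-out count added as the triage step a practitioner would want next. This is an added example, not code from the Logpoint rule set; the field names, the EXCLUDED_USERS content and the sample records are assumptions made for the illustration.

```python
"""Added example, not code from the Logpoint rule set: the filter behind rule
2.791 applied in Python to constructed Security event 5140 records, plus a
fan-out count per (user, source address). One target host is routine
administration; several within a short window is the PsExec-style lateral
movement the rule is meant to surface. Field names are assumptions."""
from collections import defaultdict

# Constructed records in the shape of event 5140 ("A network share object
# was accessed") after parsing. ShareName in the raw event is \\*\ADMIN$.
SAMPLE_EVENTS = [
    {"event_id": 5140, "host": "SRV01", "user": "CORP\\jdoe",
     "share_name": "\\\\*\\ADMIN$", "source_address": "10.0.0.5"},
    {"event_id": 5140, "host": "SRV02", "user": "CORP\\jdoe",
     "share_name": "\\\\*\\ADMIN$", "source_address": "10.0.0.5"},
    {"event_id": 5140, "host": "SRV03", "user": "CORP\\jdoe",
     "share_name": "\\\\*\\ADMIN$", "source_address": "10.0.0.5"},
    # machine account: excluded by -user="*$"
    {"event_id": 5140, "host": "SRV01", "user": "CORP\\WS07$",
     "share_name": "\\\\*\\ADMIN$", "source_address": "10.0.0.7"},
    # whitelisted service account: excluded by -user IN EXCLUDED_USERS
    {"event_id": 5140, "host": "SRV01", "user": "CORP\\svc_backup",
     "share_name": "\\\\*\\ADMIN$", "source_address": "10.0.0.9"},
    # another share, and a 5145 (detailed share access) the rule ignores
    {"event_id": 5140, "host": "SRV01", "user": "CORP\\jdoe",
     "share_name": "\\\\*\\Public", "source_address": "10.0.0.5"},
    {"event_id": 5145, "host": "SRV01", "user": "CORP\\jdoe",
     "share_name": "\\\\*\\ADMIN$", "source_address": "10.0.0.5"},
]

EXCLUDED_USERS = {"corp\\svc_backup"}   # the rule's EXCLUDED_USERS list (assumed)


def is_admin_share_access(ev):
    """Mirror of rule 2.791: event 5140 on the ADMIN$ share by a non-machine
    account that is not whitelisted. The share name is compared on its last
    path component, case-insensitively, since the normalised share_name
    field holds just "Admin$"."""
    if ev.get("event_id") != 5140:
        return False
    share = ev.get("share_name", "").rsplit("\\", 1)[-1]
    if share.lower() != "admin$":
        return False
    user = ev.get("user", "")
    if user.endswith("$"):           # computer accounts touch ADMIN$ routinely
        return False
    return user.lower() not in EXCLUDED_USERS


def admin_share_hits(events):
    return [ev for ev in events if is_admin_share_access(ev)]


def fan_out(events):
    """Distinct target hosts per (user, source_address) among the hits."""
    targets = defaultdict(set)
    for ev in admin_share_hits(events):
        targets[(ev["user"].lower(), ev["source_address"])].add(ev["host"])
    return {key: len(hosts) for key, hosts in targets.items()}


if __name__ == "__main__":
    for (user, src), count in fan_out(SAMPLE_EVENTS).items():
        print(f"{user} from {src} opened ADMIN$ on {count} host(s)")
```

With the constructed input, only the three jdoe events survive the filter, and the fan-out shows one workstation reaching ADMIN$ on three servers, which is the pattern worth escalating rather than the individual hits.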

2.792 LP_PsExec Tool Execution Detected


• Trigger Condition: PsExec service installation and execution events are
detected from both the System log (service control manager events 7045 and 7036
for the PSEXESVC service) and Sysmon (process creation of PSEXESVC.exe running
as SYSTEM). PsExec's -r switch lets the operator rename the service, so a
renamed service evades the name-based conditions below.

• ATT&CK Category: Execution

• ATT&CK Tag: T1569 - System Services, T1569.002 - Service Execution

• Minimum Log Source Requirement: Windows

• Query:

((norm_id=WinServer service="PSEXESVC" event_id IN [7045, 7036]) OR (event_id=1 image="*\PSEXESVC.exe" user="SYSTEM")) -user IN EXCLUDED_USERS

2.793 LP_Screensaver Activities Detected


• Trigger Condition: Modification of the registry value that holds the path to
the screensaver executable (SCRNSAVE.EXE under Control Panel\Desktop) is
detected. Adversaries point it at their own binary to establish persistence.
The query suppresses the legitimate change made through the Screen Saver
control panel applet (rundll32 running desk.cpl from explorer.exe).


• ATT&CK Category: Persistence

• ATT&CK Tag: T1546 - Event Triggered Execution, T1546.002 - Screensaver

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon (event_id=12 or event_id=13 or event_id=14) (target_object="*\Control Panel\Desktop\SCRNSAVE.exe") (parent_command!="*explorer.exe" or image!="*rundll32.exe" or command!="*shell32.dll, Control_RunDLL desk.cpl, ScreenSaver, *") -user IN EXCLUDED_USERS

2.794 LP_Suspect Svchost Activity Detected


• Trigger Condition: Suspicious svchost.exe activity is detected. It is abnormal
for svchost.exe to start without any command-line arguments (a legitimate
instance is launched with -k and a service group name); an argument-less
svchost.exe is typically spawned by a malicious process that then injects code
into its memory space.

• ATT&CK Category: Privilege Escalation, Defense Evasion

• ATT&CK Tag: T1055 - Process Injection

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 image="*\svchost.exe" parent_image=* -parent_image IN ["*\rpcnet.exe", "*\rpcnetp.exe", "*\svchost.exe", "*\Mrt.exe", "*\MsMpEng.exe"] command=* command="*svchost.exe" -user IN EXCLUDED_USERS

2.795 LP_Time-Stomping of Users Directory Files Detected

• Trigger Condition: Time-stomping of a file under a user directory is detected.
Sysmon (event 2) only reports a change of CreationTime, not of LastWriteTime or
LastAccessTime. Whitelisting legitimate noisy processes such as browsers, Slack,
or Teams is required to reduce false positives.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1070 - Indicator Removal on Host, T1070.006 - Timestomp

• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=2 path="C:\Users*" -source_image IN ["*iexplore.exe", "*cortana*", "*\StartMenuExperienceHost.exe", "C:\Windows\system32\cleanmgr.exe", "C:\Windows\Explorer.EXE", "*\LocalBridge.exe", "*\svchost.exe", "*\RuntimeBroker.exe", "*\msedge.exe", "*\SearchApp.exe", "C:\Windows\system32\ServerManager.exe", "*\ServiceHub.RoslynCodeAnalysisService32.exe"] -path="*\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" -user IN EXCLUDED_USERS

2.796 LP_Windows Defender Exclusion Set Detected


• Trigger Condition: A Windows Defender exclusion is added in the registry
(Defender operational log event 5007, configuration changed), which lets the
excluded path, extension, or process bypass antivirus scanning.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1562 - Impair Defenses, T1562.001 - Disable or Modify Tools

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_source="Microsoft-Windows-Windows Defender" event_id=5007 new_value="HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\*"
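A hit on this rule still leaves the analyst to read the new_value string. The following added example (not part of the rule set) parses that value into the exclusion type and the excluded item and compares it with an approved list, so only unapproved exclusions are surfaced. The value format (registry path, " = ", data), the approved list and the sample values are assumptions made for the illustration.

```python
"""Added example, not part of the rule set: parse the new_value of a Windows
Defender event 5007 hit from rule 2.796 into the exclusion type and the
excluded item, and compare it with an approved list so analysts see only
unapproved exclusions. The value format (registry path, " = ", data) and the
sample values are constructed for this illustration."""
import re

EXCLUSION_RE = re.compile(
    r"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes|TemporaryPaths)\\"
    r"(?P<item>.+?)\s*=\s*(?P<data>0x[0-9A-Fa-f]+)$",
    re.IGNORECASE,
)

# Exclusions the organisation has approved (assumed), keyed by lower-cased
# (kind, item) so the comparison is case-insensitive like the registry.
APPROVED = {("paths", "c:\\programdata\\backupagent")}


def parse_exclusion(new_value):
    """Return {'kind', 'item', 'data'} for an Exclusions\\* value, else None."""
    m = EXCLUSION_RE.search(new_value)
    if not m:
        return None
    return {"kind": m.group("kind").lower(), "item": m.group("item"),
            "data": m.group("data")}


def is_unapproved(new_value):
    ex = parse_exclusion(new_value)
    return ex is not None and (ex["kind"], ex["item"].lower()) not in APPROVED


SAMPLES = [  # constructed 5007 new_value strings
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\BackupAgent = 0x0",
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\Libraries = 0x0",
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.ps1 = 0x0",
    # a 5007 that is not an exclusion at all; rule 2.796 would not match it
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1",
]


def unapproved_exclusions(values):
    return [parse_exclusion(v) for v in values if is_unapproved(v)]


if __name__ == "__main__":
    for ex in unapproved_exclusions(SAMPLES):
        print(f"unapproved {ex['kind']} exclusion: {ex['item']}")
```

The approved path is dropped, the Public\Libraries path and the .ps1 extension exclusion are reported, and the real-time-protection change is ignored because it is not under the Exclusions key the rule targets.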

2.797 LP_Suspicious Netsh DLL Persistence Detected


• Trigger Condition: Persistence via a Netsh helper DLL (netsh add helper
<dll>) is detected. In the Sysmon branch of the query, command IN ["*add*",
"*helper*"] matches either term, so any netsh "add" (for example adding a
firewall rule) also fires; the process-creation branch requires both terms.

• ATT&CK Category: Persistence, Privilege Escalation

• ATT&CK Tag: T1546 - Event Triggered Execution, T1546.007 - Netsh Helper DLL

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(norm_id=WindowsSysmon event_id=1 image="*\netsh.exe" command IN ["*add*", "*helper*"] -user IN EXCLUDED_USERS) OR (label=Create label="Process" "process" IN ["*\netsh.exe", "*\Netsh.exe"] command="*add*" command="*helper*")
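To see the difference between the two branches concretely, the added example below (not the rule set's code) evaluates both over constructed netsh command lines with a small glob matcher. Case-insensitive matching is an assumption about how the shipped queries compare process fields.

```python
"""Added example (not the rule set's code): evaluating the two branches of
rule 2.797 over constructed netsh command lines with a small glob matcher.
`field IN [a, b]` is a disjunction, so the Sysmon branch fires on any netsh
"add", while the process-creation branch, written as two separate `command=`
terms, requires both words. Case-insensitive matching is an assumption."""
from fnmatch import fnmatchcase


def glob_match(value, pattern):
    return fnmatchcase(value.lower(), pattern.lower())


def matches_any(value, patterns):   # semantics of `field IN [p1, p2]`
    return any(glob_match(value, p) for p in patterns)


def matches_all(value, patterns):   # semantics of `field=p1 field=p2`
    return all(glob_match(value, p) for p in patterns)


def sysmon_branch(command):
    return matches_any(command, ["*add*", "*helper*"])


def process_branch(command):
    return matches_all(command, ["*add*", "*helper*"])


SAMPLE_COMMANDS = [  # constructed
    "netsh.exe add helper C:\\Users\\Public\\nethelper.dll",                 # helper DLL persistence
    "netsh.exe advfirewall firewall add rule name=rdp dir=in action=allow",  # routine admin
    "netsh.exe interface ipv4 show config",
]


def evaluate(commands):
    """(command, sysmon branch fired, process branch fired) for each line."""
    return [(c, sysmon_branch(c), process_branch(c)) for c in commands]


if __name__ == "__main__":
    for command, sysmon, proc in evaluate(SAMPLE_COMMANDS):
        print(f"sysmon={sysmon!s:5} process={proc!s:5} {command}")
```

The firewall rule addition trips the Sysmon branch but not the process-creation branch; tightening the first branch to two separate command terms removes that class of false positive.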


2.798 LP_Suspicious Use of Procdump Detected


• Trigger Condition: Suspicious use of the Sysinternals ProcDump utility is
detected: a full memory dump (-ma) requested against the lsass.exe process, or
-ma combined with -accepteula in a single command. Because the conditions key on
the command line rather than the image name, the alert still fires if the
attacker renames procdump.exe.

• ATT&CK Category: Credential Access

• ATT&CK Tag: T1003 - OS Credential Dumping, T1003.001 - LSASS Memory

• Minimum Log Source Requirement: Windows Sysmon

• Query:

(norm_id=WindowsSysmon event_id=1 ((command IN ["* -ma *"] command IN ["* lsass*"]) OR command IN ["* -ma ls*"]) -user IN EXCLUDED_USERS) OR (label="Create" label="Process" command="* -ma *" command="* -accepteula *")

2.799 LP_Usage of Procdump Detected


• Trigger Condition: Use of the Sysinternals ProcDump utility to take a full
memory dump (-ma) of a process is detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows

• Query:

label="Create" label="Process" "process" IN ["*\procdump.exe", "*\procdump64.exe"] command="* -ma*" command="*.exe"

2.800 LP_Conhost Spawning Suspicious Processes


• Trigger Condition: conhost.exe spawns another process. The console host
normally has no child processes, so a child indicates a program launched
through or under conhost.exe to disguise its origin.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1202 - Indirect Command Execution

• Minimum Log Source Requirement: Windows


• Query:

label="Process" label="Create" "parent_process"="*\conhost.exe" "process"=*

2.801 LP_Proxy Execution via Explorer


• Trigger Condition: explorer.exe is launched from cmd.exe to proxy the
execution of another program (for example via the /root, switch), so the
payload appears as a child of the shell rather than of the script or
interpreter that started it.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1202 - Indirect Command Execution

• Minimum Log Source Requirement: Windows

• Query:

label="process" label=Create "parent_process"="*\cmd.exe" "process"="*\explorer.exe" "command"="*explorer*"

2.802 LP_Wlrmdr Lolbin Use as Launcher


• Trigger Condition: wlrmdr.exe is used to proxy launch other executables.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1202 - Indirect Command Execution

• Minimum Log Source Requirement: Windows

• Query:

label="process" "process"="*\wlrmdr.exe" -"parent_process"="*\winlogon.exe" command IN ['*-s *', '*-f *', '*-t *', '*-m *', '*-a *', '*-u *']

2.803 LP_Suspicious Process Execution via Pester Detected

• Trigger Condition: Code execution via Pester.bat (Pester, a PowerShell module
for testing) is detected. Pester.bat passes its help argument to PowerShell, so
a command appended after a semicolon is executed under a signed script; the
query keys on that semicolon together with the help or ? switch.

• ATT&CK Category: Defense Evasion, Execution


• ATT&CK Tag: T1059.001 - PowerShell, T1216 - Signed Script Proxy Execution

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label="create" label="process" event_source="Microsoft-Windows-Sysmon" ("process"="*\powershell.exe" command="*Pester*Get-Help*") OR ("process"="C:\Windows\System32\cmd.exe" command="*pester*;*" command IN ["*help*", "*?*"])

2.804 LP_Root Certificate Installation Detected


• Trigger Condition: Adversaries may install a root certificate on a compromised
system to avoid warnings when connecting to adversary-controlled web servers.
This alert can detect the installation of a root certificate.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1553.004 - Install Root Certificate

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label="Create" label="Process" event_source="Microsoft-Windows-Sysmon" command="*root*" ("process"="C:\Windows\System32\certutil.exe" command="*-addstore*") OR ("process"="*\CertMgr.exe" command="*/add*") | norm on command <certificate:'\S+.cer'>

2.805 LP_Suspicious process spawned by FTP


• Trigger Condition: ftp.exe is a legitimate file-transfer client, but it can be
abused to spawn a new process: the -s:<file> switch runs commands from a script
file, and a line prefixed with ! in that script runs a shell command. The alert
detects a renamed ftp.exe, ftp.exe script execution, and child processes spawned
by ftp.exe.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: T1059 - Command and Scripting Interpreter, T1202 - Indirect


Command Execution

• Minimum Log Source Requirement: Windows Sysmon


• Query:

label="create" label="process" event_source="Microsoft-Windows-Sysmon" (command="*-s:*" ("process"="C:\Windows\System32\ftp.exe" OR file="*ftp.exe*")) OR (file="*ftp.exe*" -"process"="C:\Windows\System32\ftp.exe") OR parent_process="C:\Windows\System32\ftp.exe"

2.806 LP_ChromeLoader IoC Domains Detected


• Trigger Condition: When any domains match with the list of known malicious
domains used in the ChromeLoader Malware campaign.

• ATT&CK Category: Resource Development, Initial Access

• ATT&CK Tag: T1566 - Phishing, T1587.001 - Malware

• Minimum Log Source Requirement: Firewall, Proxy Server, IDS

• Query:

device_category IN ["Firewall", "ProxyServer", "IDS"] domain IN CHROMELOADER_DOMAINS OR query IN CHROMELOADER_DOMAINS

2.807 LP_ChromeLoader IoC Hashes Detected


• Trigger Condition: Hashes match with the list of known malicious hashes used in
the ChromeLoader Malware campaign.

• ATT&CK Category: Resource Development

• ATT&CK Tag: T1587.001 - Malware

• Minimum Log Source Requirement: -

• Query:

hash IN CHROMELOADER_HASHES OR hash_sha1 IN CHROMELOADER_HASHES OR hash_sha256 IN CHROMELOADER_HASHES | rename hash as ioc, hash_sha1 as ioc, hash_sha256 as ioc


2.808 LP_Chromeloader Cross-Process Injection to Load Extension

• Trigger Condition: ChromeLoader uses process injection via PowerShell and
loads its malicious extension in Chrome. The query looks for Chrome started
with --load-extension (or from the local AppData chrome folder) by a hidden,
encoded PowerShell parent. The parent_command pattern "-e* JAB*" keys on the
base64 prefix that every -EncodedCommand payload gets when the UTF-16LE script
starts with "$" followed by a letter.

• ATT&CK Category: Execution, Persistence, Privilege Escalation

• ATT&CK Tag: T1055 - Process Injection, T1059.001 - PowerShell, T1176 - Browser
Extensions

• Minimum Log Source Requirement: -

• Query:

label="Process" label=Create parent_process="*powershell" parent_command = "*-exe* byp* -win* hid* -e* JAB*" command IN ["*--load-extension=*", "*Appdata\\local\\chrome*"] "process" = "*chrome"
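The added example below (not ChromeLoader's or Logpoint's code) shows why the JAB prefix is a reliable anchor and how to decode the parent command line during triage to recover the --load-extension argument. The dropper-style script and the command lines are constructed for the illustration.

```python
"""Added example (not Logpoint's code): why rule 2.808 keys on an encoded
command beginning with "JAB", and how to decode such a parent command line
during triage. PowerShell's -EncodedCommand takes base64 of the UTF-16LE
script; a script whose first character is '$' followed by any ASCII letter
always encodes to 'JAB...'. The script and command lines are constructed."""
import base64
import re


def encode_powershell(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded):
    return base64.b64decode(encoded).decode("utf-16-le")


# -e, -enc and -EncodedCommand all accept the payload (case-insensitive)
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_encoded_payload(command_line):
    """Decoded script for an encoded PowerShell command line, else None."""
    m = ENC_RE.search(command_line)
    return decode_powershell(m.group(1)) if m else None


def looks_like_chromeloader_parent(command_line):
    """Structural check mirroring the rule's parent_command pattern:
    -ExecutionPolicy Bypass, -WindowStyle Hidden, encoded command = JAB..."""
    low = command_line.lower()
    return ("-exe" in low and "byp" in low and "-win" in low and "hid" in low
            and re.search(r"-[eE]\w*\s+JAB", command_line) is not None)


# constructed dropper-style script: starts Chrome with a side-loaded extension
SCRIPT = ('$p = "$env:LOCALAPPDATA\\chrome\\ext"; '
          'Start-Process chrome.exe "--load-extension=$p"')
PARENT_CMD = ("powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden "
              "-EncodedCommand " + encode_powershell(SCRIPT))


def triage(parent_command):
    """What an analyst wants from a hit: did the parent match, and which
    extension path does the decoded script load?"""
    decoded = extract_encoded_payload(parent_command)
    ext = re.search(r"--load-extension=(\S+)", decoded) if decoded else None
    return {"matches_rule": looks_like_chromeloader_parent(parent_command),
            "decoded": decoded,
            "extension_arg": ext.group(1) if ext else None}


if __name__ == "__main__":
    print(encode_powershell(SCRIPT)[:12])
    print(triage(PARENT_CMD))
```

Any script beginning with "$" followed by a letter encodes to "JAB" because the first three UTF-16LE bytes are 0x24, 0x00 and a byte in the 0x40 to 0x7F range; "$x" therefore encodes to "JAB4AA==". A script starting with a different character (for example "Start-Process ...") does not carry the prefix, which is the main gap in this pattern.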

2.809 LP_Proxy Execution via Explorer


• Trigger Condition: Explorer is used to proxy execution. Explorer is the
Windows GUI shell and file manager. Adversaries use it to proxy the execution of
other commands or processes and so evade defenses.
• ATT&CK Category: Defense Evasion
• ATT&CK Tag: T1202 - Indirect Command Execution
• Minimum Log Source Requirement: Windows, Windows Sysmon
• Query:

label="process" label=Create "process"="*\explorer.exe" "command"="*explorer*"

2.810 LP_Suspicious Root Certificate installation Detected


• Trigger Condition: Installation of a root certificate via certutil -addstore
or CertMgr /add is detected. Adversaries may install a root certificate on a
compromised system to avoid warnings when connecting to adversary-controlled web
servers. Help Desk or IT staff occasionally add a corporate root CA manually,
and a GPO push of a corporate CA should be tested to confirm it does not trigger
a false positive.


• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1553.004 - Install Root Certificate

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="create" label="process" (command="*root*" (("process"="*\certutil.exe" command="*-addstore*") OR ("process"="*\CertMgr.exe" command="*/add*")))

2.811 LP_Windows Logon Reminder Usage as Launcher


• Trigger Condition: Wlrmdr is used to proxy-launch another executable. Wlrmdr
(Windows Logon Reminder) is a Windows binary that displays messages at logon.
Adversaries use it because its switches pass an arbitrary command to
ShellExecute, so the payload runs under a signed Microsoft parent.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1202 - Indirect Command Execution

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="process" label=create "process"="*\wlrmdr.exe" -"parent_process"="*\winlogon.exe" command IN ['*-s *', '*-f *', '*-t *', '*-m *', '*-a *', '*-u *']

2.812 LP_Suspicious File Transfer Using Replace


• Trigger Condition: Replace is used to copy or download files. Replace.exe is a
Windows utility that replaces existing files in a directory or, with the /a
option, adds new files to it. Adversaries use it to silently copy a file into
the target location, including from a network path, without invoking copy or
xcopy.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1105 - Ingress Tool Transfer

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:


label="process" label=create "process"="*\replace.exe" command IN ["*/a*", "*-a*"]

2.813 LP_Proxy Execution via Program Compatibility Wizard

• Trigger Condition: The pcwrun.exe process spawns another process. Pcwrun.exe
is the Windows binary that launches the Program Compatibility
Troubleshooter/Wizard for a given executable; adversaries use it to proxy the
execution of other commands, processes, or executables to evade defenses. Focus
on outlier events (for example unique parent/child counts) rather than commonly
seen artifacts to limit false positives.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1218 - Signed Binary Proxy Execution

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label=create label="process" parent_process="*\pcwrun.exe"

2.814 LP_Suspicious Driver Installation via PnPUtil


• Trigger Condition: Pnputil process is used to install or add drivers. PnPUtil is a
Microsoft Windows process that lets an administrator perform actions on driver
packages. Adversaries use pnputil to install or add malicious drivers. Anyone who
uses pnputil.exe who is not a system administrator should be investigated, even
when they have system change permissions.

• ATT&CK Category: Persistence

• ATT&CK Tag: T1547 - Boot or Logon Autostart Execution, T1547.006 - Kernel


Modules and Extensions

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:


label="process" label=create "process"="*\pnputil.exe" command IN ["*-i*", "*/install*", "*-a*", "*/add-driver*", "*.inf*"]

2.815 LP_Application Whitelisting Bypass via PresentationHost

• Trigger Condition: PresentationHost is used to execute a browser application.
PresentationHost.exe is the Windows host for WPF applications running inside a
compatible browser (Internet Explorer 6 and later). Adversaries use it to evade
application whitelisting and execute malicious XAML Browser Application (.xbap)
files.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1218 - Signed Binary Proxy Execution

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="process" label=create "process"="*\presentationhost.exe" command="*.xbap*"

2.816 LP_Suspicious File Extraction via Expand Detected


• Trigger Condition: Expand is used to copy files. Expand.exe is a Windows binary
that extracts files from compressed (.cab) archives, originally for retrieving
files from distribution disks; it also copies uncompressed files, which
adversaries use to silently stage payloads into locations such as ProgramData or
AppData\Local\Temp.

• ATT&CK Category: Defense Evasion, Command and Control

• ATT&CK Tag: T1105 - Ingress Tool Transfer, T1218 - Signed Binary Proxy Execution

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="process" label=create "process"="*\expand.exe" command IN ["*.cab*", "*/F:*", "*-F:*", "*C:\ProgramData\*", "*C:\Public\*", "*\AppData\Local\Temp\*", "*\AppData\Roaming\Temp\*"]


2.817 LP_Shell spawn via HTML Help Detected


• Trigger Condition: hh.exe (HTML Help) spawns a shell process. hh.exe is the
Windows executable that opens compiled HTML Help (.chm) files, which support
expanding tables of contents, shortcuts, keyword search, and pop-up topics.
Adversaries craft .chm files whose embedded objects run commands when opened,
so hh.exe spawns interpreters such as cmd.exe, PowerShell, or wscript.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: T1047 - Windows Management Instrumentation, T1218.001 -


Compiled HTML File

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="process" label=create parent_process="*\hh.exe" "process" IN ["*\cmd.exe", "*\powershell.exe", "*\wscript.exe", "*\cscript.exe", "*\regsvr32.exe", "*\wmic.exe", "*\rundll32.exe"]

2.818 LP_DLL Injection with Tracker Detected


• Trigger Condition: DLL injection via the Tracker process is detected.
Tracker.exe is a legitimate MSBuild file-tracking tool that records file
accesses during incremental builds (including 32-bit builds on a 64-bit OS).
Because it injects a DLL (/d) into the process it launches (/c), adversaries can
use it to load an arbitrary DLL into another process and bypass application
whitelisting.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1055.001 - Dynamic-link Library Injection

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="create" label="process" (("process"="*\tracker.exe" OR description="Tracker") command="* /d *" command="* /c *")


2.819 LP_Powershell Code Execution via SyncAppvPublishingServer

• Trigger Condition: An arbitrary PowerShell command is executed via
SyncAppvPublishingServer. SyncAppvPublishingServer.vbs is a signed Microsoft
script that passes part of its argument to PowerShell, so an adversary can run
arbitrary PowerShell code through it. The query keys on a semicolon in the
command line, which separates the injected command from the expected argument.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1216 - Signed Script Proxy Execution, T1218 - Signed Binary Proxy
Execution

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label='create' label='process' command='*\SyncAppvPublishingServer.vbs*' command='*;*'

2.820 LP_Malicious PE Execution by Microsoft Visual Studio Debugger

• Trigger Condition: vsjitdebugger.exe, the Visual Studio Just-In-Time
debugger, spawns a child process other than its expected helpers (devenv.exe or
vsimmersiveactivatehelper*.exe). Adversaries can hand an arbitrary PE to the
signed debugger to have it executed under a trusted parent.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1218 - Signed Binary Proxy Execution

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="Create" label="Process" (parent_process="*\vsjitdebugger.exe" -(("process"="*\vsimmersiveactivatehelper*.exe" OR "process"="*\devenv.exe")))


2.821 LP_Suspicious Atbroker Registry Change Detected


• Trigger Condition: Creation or modification of an Assistive Technology (AT)
registry value is detected. AtBroker.exe is the Windows helper that launches
accessibility tools (screen readers, speech input, magnifier) registered under
Accessibility\ATs. Adversaries register their own executable as an AT so that
AtBroker starts it, gaining persistence and execution under a signed binary.

• ATT&CK Category: Persistence, Defense Evasion

• ATT&CK Tag: T1218 - Signed Binary Proxy Execution, T1547 - Boot or Logon
Autostart Execution

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon label=Registry label=Set target_object IN ["*\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs*", "*\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration*"]

2.822 LP_DLL loaded Via Certoc Binary Detected


• Trigger Condition: DLL loading via the CertOC binary is detected. CertOC.exe is
a Windows binary used for certificate operations, but its -LoadDll switch loads
an arbitrary DLL into the CertOC process. Adversaries use it to run their DLL
under a signed Microsoft binary.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1218 - Signed Binary Proxy Execution

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="Process" label=Create command="*certoc.exe*" command IN ["* -LoadDll *", "* /LoadDll *"] command="*.dll*"


2.823 LP_Suspicious Remote Binary Usage Detected


• Trigger Condition: remote.exe is used to bypass application whitelisting and
run a local or remote file. Remote.exe is a Windows debugging server/client tool
that lets users run command-line programs on remote computers. Adversaries can
use it to spawn a new PowerShell session, bypass AWL, and execute other
commands.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1127 - Trusted Developer Utilities Proxy Execution

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="Process" label="Create" "process"="*\remote.exe" command="* /s *"

2.824 LP_Suspicious File Execution Using wscript or cscript

• Trigger Condition: A file with the extension .jse, .vbe, .js, or .vba is
executed using wscript or cscript. Wscript and cscript are the Windows Script
Host binaries that run scripts in various languages, in a window or in a
command-line environment. Adversaries write malicious scripts in files with
these extensions and run them through wscript or cscript to bypass detection.

• ATT&CK Category: Execution

• ATT&CK Tag: T1059.005 - Visual Basic, T1059.007 - JavaScript

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="Create" label="Process" "process" IN ["*\wscript.exe", "*\cscript.exe"] -command in ["*json*"] command IN ["*.jse*", "*.vbe*", "*.js *", "*.vba*"]


2.825 LP_Suspicious ASP NET Compiler Execution Detected

• Trigger Condition: aspnet_compiler.exe is executed from the .NET Framework
directory. aspnet_compiler.exe is the ASP.NET precompilation tool shipped with
the .NET Framework. Adversaries point it at a crafted web application so that
the signed compiler builds and runs their code, bypassing application
whitelisting.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1127 - Trusted Developer Utilities Proxy Execution

• Minimum Log Source Requirement: -

• Query:

label=Create label="Process" "process"="C:\Windows\Microsoft.NET\Framework*" "process"="*\aspnet_compiler.exe*"

2.826 LP_Suspicious LoadAssembly PowerShell Diagnostic Script Execution

• Trigger Condition: A Microsoft-signed script is used to execute commands and
bypass AppLocker. CL_LoadAssembly.ps1, a Windows native diagnostic script,
provides two functions (LoadAssemblyFromNS and LoadAssemblyFromPath) for loading
.NET/C# assemblies (DLLs/EXEs). An attacker can bypass Constrained Language mode
by invoking PowerShell version 2 (which must be enabled) and bypass AppLocker by
loading an assembly through CL_LoadAssembly.ps1. Note that the first query
pattern has no trailing wildcard, so it matches only a command line that ends
with the script path; an invocation that goes on to call LoadAssemblyFromPath is
caught by the second pattern.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1216 - Signed Script Proxy Execution

• Minimum Log Source Requirement: -

• Query:

command IN ["*\CL_LoadAssembly.ps1", "*LoadAssemblyFromPath*"] "Process"="*\powershell.exe"


2.827 LP_Suspicious Invocation PowerShell Diagnostic Script Execution
• Trigger Condition: The execution of malicious payloads via SyncInvoke in
CL_Invocation.ps1 module is detected. CL_Invocation is a PowerShell Diagnostic
script, but an attacker can import it and then call SyncInvoke to launch a malicious
executable.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1216 - Signed Script Proxy Execution

• Minimum Log Source Requirement: -

• Query:

command IN ["*\CL_Invocation.ps1", "*SyncInvoke*"] "Process"="*\powershell.exe"

2.828 LP_Registry Configured RunOnce Task Execution


• Trigger Condition: The RunOnce task executes as configured in the registry.
Runonce.exe is a Microsoft Windows Operating System component called the
Run Once Wrapper Utility that allows the installation program to reboot after
initial start up to enable the user to make further configurations. Adversaries
use the runonce executable to evade defense mechanisms while running their
programs/code through registry entries in the host machine.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1112 - Modify Registry

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="process" label=create "process"="*\runonce.exe" command="* /AlternateShellStartup*"


2.829 LP_RunOnce Registry Key Configuration Change


• Trigger Condition: A change to the RunOnce configuration is detected.
Runonce.exe is the Windows Run Once Wrapper Utility, which lets an installer
reboot after initial setup and continue configuration. Adversaries change
RunOnce registry values to run their code while evading defenses. Note that the
query shipped for this rule is the same process-creation query as rule 2.828
(runonce.exe with /AlternateShellStartup); it does not itself watch registry
writes to the RunOnce key.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1112 - Modify Registry

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label="process" label=create "process"="*\runonce.exe" command="* /AlternateShellStartup*"

2.830 LP_Suspicious WSL Bash Execution


• Trigger Condition: bash.exe is used to execute a Linux command (bash -c).
Bash is a Unix shell and command language. Adversaries can use bash to execute
a file or commands inside the Windows Subsystem for Linux as a defense evasion
mechanism. Legitimate use of bash also triggers this alert, so hits must be
analyzed further to separate legitimate from illegitimate use.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1202 - Indirect Command Execution

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Create" label="Process" command="*bash* -c *"

2.831 LP_WSL Execution Detected


• Trigger Condition: The Windows Subsystem for Linux (WSL) binary is used to
execute a Linux command. WSL is a compatibility layer for running Linux binaries
on Windows. Adversaries can use wsl.exe to run Windows and Linux binaries,
execute arbitrary Linux commands as root without a password, or download files.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1202 - Indirect Command Execution

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Create" label="Process" "process"="*\wsl.exe" command in ["* -e *", "*--exec *"]

2.832 LP_Suspicious Usage of Csharp or Roslyn Csharp Interactive Console

• Trigger Condition: Use of the csi or rcsi binary is detected. Csi.exe is a
Microsoft-signed binary that provides the C# interactive console, and rcsi.exe
is its Roslyn counterpart; both execute C# code. Adversaries can use either to
run malicious C# code under a signed binary.

• ATT&CK Category: Execution

• ATT&CK Tag: T1072 - Software Deployment Tools

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Create" label="Process" ("process" IN ["*\csi.exe", "*\rcsi.exe"]) OR (file in ["csi.exe", "rcsi.exe"])

2.833 LP_Suspicious Use of CSharp Interactive Console Detected

• Trigger Condition: Execution of the C# interactive console from PowerShell is
detected. Csi.exe is a Microsoft-signed binary that provides C# interactive
capabilities; PowerShell is Microsoft's task automation and configuration
management shell. Adversaries can launch the C# interactive console from
PowerShell to execute malicious code.


• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1127 - Trusted Developer Utilities Proxy Execution

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label="Create" "process"="*\csi.exe" file="csi.exe" parent_process="*\powershell.exe"

2.834 LP_Suspicious File Download via Certreq


• Trigger Condition: A file is downloaded using the certreq binary. Certreq is a
Windows binary used to request and manage certificates from a certificate
authority. Adversaries can use certreq -Post -config <url> to send a file to,
and receive a payload from, their C2 server. The last query term mirrors the
public proof-of-concept, which posts C:\windows\win.ini; a variant that posts a
different file evades it, so consider dropping that term.

• ATT&CK Category: Command and Control

• ATT&CK Tag: T1105 - Ingress Tool Transfer

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label="Create" "process"="*\certreq.exe" command="*certreq*" command IN ["* -Post *", "* /Post *"] command IN ["* -config *", "* /config *"] command="* http*" command="* C:\windows\win.ini *"

2.835 LP_Process Dump via Rundll32 and Comsvcs


• Trigger Condition: An LSASS dump using rundll32 with comsvcs.dll is detected.
Rundll32.exe is the Windows binary that loads and runs exported functions from
DLLs. comsvcs.dll, the COM+ Services DLL, exports MiniDump (ordinal 24), which
writes a full memory dump of any process by PID. Adversaries call it through
rundll32 to dump lsass.exe without dropping a tool.

• ATT&CK Category: Defense Evasion, Credential Access

• ATT&CK Tag: T1003.001 - LSASS Memory, T1036 - Masquerading

• Minimum Log Source Requirement: Windows Sysmon

• Query:


label="Process" label=Create "process"="*\rundll32.exe" command IN ["*comsvcs.dll*#24*", "*comsvcs.dll*MiniDump*"] -user IN EXCLUDED_USERS
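The command-line checks behind this rule and the two ProcDump rules (2.798 and 2.799) fit in one detector. The added example below (not the rule set's own code) runs it over constructed process-creation records, including a renamed ProcDump and the ordinal form of the comsvcs export; the record shape and the sample command lines are assumptions made for the illustration.

```python
"""Added example (not the rule set's own code): the command-line checks behind
rules 2.798, 2.799 and 2.835 in one detector, applied to constructed Sysmon
event 1 / Security 4688 process-creation records. It covers ProcDump's "-ma"
full dump of lsass (including a renamed procdump binary and the -accepteula
variant) and rundll32 calling comsvcs.dll's MiniDump export by name or by
ordinal #24. Sample records are constructed."""
import re

COMSVCS_RE = re.compile(r"comsvcs(?:\.dll)?\s*,?\s*(?:#24|MiniDump)\b", re.IGNORECASE)
PROCDUMP_RE = re.compile(r"(?:^|\s)-ma(?:\s|$)", re.IGNORECASE)


def _norm(cmd):
    # strip quotes and collapse whitespace so '-ma  "lsass.exe"' normalises
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip()


def classify(record):
    """Return a detection label for one process-creation record, or None."""
    cmd = _norm(record.get("command", ""))
    image = record.get("image", "").lower()
    low = cmd.lower()
    if image.endswith("\\rundll32.exe") and COMSVCS_RE.search(cmd):
        return "lsass_dump_comsvcs"           # rule 2.835
    if PROCDUMP_RE.search(cmd):
        if "lsass" in low:
            return "procdump_lsass"           # rule 2.798, first branch (image-agnostic)
        if "-accepteula" in low:
            return "procdump_accepteula_ma"   # rule 2.798, second branch
        if image.endswith(("\\procdump.exe", "\\procdump64.exe")) and ".exe" in low:
            return "procdump_usage"           # rule 2.799
    return None


SAMPLE_RECORDS = [  # constructed
    {"image": "C:\\Tools\\procdump64.exe",
     "command": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp"},
    {"image": "C:\\Users\\Public\\svchost.exe",                    # renamed procdump
     "command": 'svchost.exe -ma  "lsass.exe" out.dmp'},
    {"image": "C:\\Windows\\System32\\rundll32.exe",
     "command": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Temp\\x.dmp full"},
    {"image": "C:\\Windows\\System32\\rundll32.exe",
     "command": "rundll32.exe comsvcs.dll #24 624 C:\\Temp\\x.dmp full"},
    {"image": "C:\\Tools\\procdump.exe",
     "command": "procdump.exe -ma notepad.exe"},
    {"image": "C:\\Windows\\System32\\rundll32.exe",               # benign rundll32
     "command": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]


def scan(records):
    return [(r["command"], classify(r)) for r in records]


if __name__ == "__main__":
    for command, label in scan(SAMPLE_RECORDS):
        print(f"{label or '-':24} {command}")
```

The renamed binary is still caught because the lsass branch never looks at the image name, while the plain "-ma notepad.exe" case only matches when the image really is procdump, which is the split between rules 2.798 and 2.799.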

2.836 LP_Registry Key Import Detected


• Trigger Condition: When registry key import is detected via regedit.exe. Regedit
is a Windows binary to access and manipulate the Windows registry. This
hierarchical database stores low-level settings for the Microsoft Windows operating
system and applications that opt to use the registry. A registry key is an
organizational unit in the Windows registry. Adversaries can use Regedit to import
their malicious registry key to achieve persistence.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1112 - Modify Registry

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="Process" label="Create" "process"="*\regedit.exe" OR file="regedit.exe" command IN ["*/i *", "*-i *"] command="*.reg*" -command IN ["*/e *", "*/a *", "*/c *", "*-e *", "*-a *", "*-c *"]

2.837 LP_Suspicious MachineGUID Query Detected


• Trigger Condition: When reg.exe is used to detect query machine GUID. Reg.exe
is a Windows binary that performs operations on registry subkey information
and values in registry entries. MachineGUID is a unique identifier for a machine.
Adversaries can use this technique to get MachineGuid information. Also,
ransomware abuses this technique to keep track of infected systems using a unique
ID.

• ATT&CK Category: Discovery

• ATT&CK Tag: T1082 - System Information Discovery

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="Process" label="Create" "process"="*reg.exe" command="* query *" command="*SOFTWARE\Microsoft\Cryptography*" command IN ["*/v *", "*-v *"] command="*MachineGuid*"

2.838 LP_Process Injection Via Mavinject Detected


• Trigger Condition: When DLL is injected into a running process. Microsoft
Application Virtualization Injector (Mavinject) is a Windows utility that can inject
code into external processes as part of Microsoft Application Virtualization (App-V).
Adversaries can use mavinject to inject malicious DLL to obtain arbitrary code
execution.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1218.013 - Mavinject

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="Process" label="Create" "process"="*\mavinject.exe" command IN ["* /injectrunning*", "* -injectrunning*", "*.dll*"]

2.839 Possible File Transfer Using Finger Detected


• Trigger Condition: When the execution of Finger.exe is detected. Finger.exe is a
simple Windows binary that displays user information on a specified remote
computer running the Finger service or daemon. It can be abused as a data transfer
tool and a makeshift C2 channel. General administrative use can trigger false
positives, although it is unclear why administrators would use finger.exe.

• ATT&CK Category: Command and Control

• ATT&CK Tag: T1105 - Ingress Tool Transfer

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="process" label="create" "process"="*\finger.exe"

2.840 LP_Suspicious Use of Findstr Detected


• Trigger Condition: When suspicious actions such as credential access, file
download, or creation of alternate data stream using findstr are detected.
Generally, it is used to search for strings in files or to filter command line output.
Adversaries can exploit it for defense evasion. However, general administrative
use of findstr can trigger false positives.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1218 - Signed Binary Proxy Execution

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="create" label="process" "process"="*\findstr.exe" command="*findstr*" ((command="*/V*" command="*/L*") OR (command="*/S*" command="*/I*"))

2.841 LP_Suspicious File Overwrite Using extrac32 Detected

• Trigger Condition: When suspicious actions such as credential access, file
download, or creation of alternate data stream using findstr are detected.
Generally, it is used to search for strings in files or to filter command line output.
Adversaries can exploit it for defense evasion. However, general administrative
use of findstr can trigger false positives.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1218 - Signed Binary Proxy Execution

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="create" label="process" "process"="*\findstr.exe" command="*findstr*" ((command="*/V*" command="*/L*") OR (command="*/S*" command="*/I*"))

2.842 LP_Suspicious Sysmon Driver Unload Detected


• Trigger Condition: When a suspicious unload of the SysmonDrv filter driver is
detected. Fltmc.exe is a system-supplied command line utility for minifilter driver
management operations. Adversaries can abuse it to unload the filter driver, which
stops Sysmon from collecting data.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1070 - Indicator Removal on Host, T1562 - Impair Defenses, T1562.002 - Disable Windows Event Logging

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="process" label="create" "process"="*\fltmc.exe" command="*unload*" command = "*sys*"

2.843 LP_Windows Packet Monitoring Tool Usage Detected

• Trigger Condition: When the execution of pktmon (Packet Monitor) is detected.
Pktmon.exe is an in-box, cross-component network diagnostics tool of Microsoft
Windows used for packet capture, packet drop detection, packet filtering,
counting, and visibility within the networking stack. Adversaries generally abuse
pktmon.exe to sniff network traffic and capture information about an environment,
including authentication material sent over an insecure, unencrypted protocol,
revealing configuration details necessary for subsequent Lateral Movement and/or
Defense Evasion activities.

• ATT&CK Category: Discovery

• ATT&CK Tag: T1040 - Network Sniffing

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="process" label=create ("process"="*\pktmon.exe" OR file="pktmon.exe")

2.844 LP_Suspicious Execution via IE per User Utility


• Trigger Condition: When ie4uinit is executed from an unusual directory.
Ie4uinit.exe (Internet Explorer per-user initialization) is a software component of
Internet Explorer by Microsoft Corporation. Adversaries can abuse ie4uinit.exe by
overwriting it with a malicious program, spreading that program via the internet
and executing it on target machines as a seemingly legitimate process.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1218 - Signed Binary Proxy Execution

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="process" label="create" ("process"="*\ie4uinit.exe" OR file="ie4uinit.exe") -(path IN ["C:\Windows\System32\", "C:\Windows\SysWOW64\"])

2.845 LP_Proxy Execution via xWizard


• Trigger Condition: When xWizard is executed with the runwizard and CLSID
arguments to achieve proxy execution. xWizard is a Windows internal binary used to
run Windows Component Object Model (COM) objects. COM enables inter-process
communication. A class ID (CLSID) is a unique number representing a single
application component in Windows. Adversaries can bypass defenses by proxying
the execution of malicious content through xWizard.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1218 - System Binary Proxy Execution

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process"="*\xwizard.exe" | process regex("(?P<new_command>{\w{8}-\w{4}-\w{4}-\w{4}-\w{12}})",command) | filter new_command=*

2.846 LP_Suspicious MSHTA Process Pattern


• Trigger Condition: When suspicious mshta.exe process patterns, such as binary run
from a non-default path, mshta.exe binary masquerading as different binary, and
execution of HTML application (HTA) masquerading as non-HTA file are detected.
Mshta.exe is a utility that executes HTA files. HTAs are standalone applications
based on HTML and VBScript that can access local system resources, run scripts
and display dynamic content. Adversaries may abuse mshta.exe to evade defense
by proxy, executing malicious files and Javascript or VBScript through a trusted
Windows utility.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: Mshta, Native API

• ATT&CK ID: T1218.005, T1106

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create "process"="*\mshta.exe" ((parent_process IN ["*\cmd.exe","*\powershell.exe"] OR command IN ["*\AppData\Local*", "*C:\Windows\Temp*", "*C:\Users\Public*"]) OR (-"process" IN ["C:\Windows\System32*", "C:\Windows\SysWOW64*"]) OR (-command IN ["*mshta.exe","*mshta"] -command IN ["*.htm*", "*.hta*"]))

2.847 LP_COM Object Execution via Shell Extension CLSID Verification Host

• Trigger Condition: When verclsid.exe is used to run a COM object via its GUID.
Verclsid.exe (Verify COM Shell Extension CLSID) is a Microsoft Windows native shell
extension CLSID (class ID) verification host responsible for verifying each shell
extension before Windows Explorer or the Windows Shell uses it. Adversaries may
abuse verclsid.exe to execute malicious payloads (COM scriptlets) by running
verclsid.exe and referencing files by class ID (CLSID), a unique identification
number used to identify COM objects.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" "process"="*\verclsid.exe" command="*/C*" command="*/S*"

2.848 LP_Suspicious Setup Information File Invoked via DefaultInstall

• Trigger Condition: When InfDefaultInstall.exe is used to install an INF file.
InfDefaultInstall.exe is a Microsoft Windows native tool invoked when an INF (Setup
Information) file is selected for installation. Adversaries use InfDefaultInstall to
install maliciously crafted INF files on the target system.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1562.001 - Disable or Modify Tools

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" "process"="*\InfDefaultInstall.exe" command="InfDefaultInstall*" command="*.inf"

2.849 LP_Creation of Alternate Data Stream


• Trigger Condition: When an alternate data stream is created. Alternate Data
Stream (ADS) is the ability of an NTFS file system to store different streams of
data, in addition to the default stream, which is used for a file. Attackers can
leverage a little-known compatibility feature to hide hacking tools, keyloggers,
and other malware on a compromised system and subsequently execute them
undetected. Also, it can be used for data exfiltration. The alert requires the
ADS_FILE_EXTENSIONS list to work.
• ATT&CK Category: Defense Evasion
• ATT&CK Tag: T1564.004 - NTFS File Attributes
• Minimum Log Source Requirement: Windows Sysmon, Windows
• Query:

(label="create" label="process" command IN ADS_FILE_EXTENSIONS ((command="*type *" command="* > *") OR (command="*makecab *" command="*.cab*") OR (command="*reg *" command="* export *") OR (command ="*diantz.exe*" command="*.cab*") OR (command="*regedit *" command="* /E *") OR (command="*print*" command IN ["*/D:*", "*/d:*"]) OR (command="*expand*") OR (command="*extrac32*" command="*.cab*") OR (command="*curl*" command IN ["*--output*", "*-o*"]) OR (command="*certutil*" command="*-urlcache*") OR (command="*esentutl*" command="*/y*" command="*/d*") OR (command="*esentutl *" command="* /y *" command="* /d *" command="* /o *"))) OR (label="create" label="file" file in ADS_FILE_EXTENSIONS)

2.850 LP_Alternate Data Stream Created using Findstr


• Trigger Condition: When findstr is used to create an alternate data stream. Findstr
is generally used to search for strings in files or to filter command line output.
Adversaries can exploit it to create an alternate data stream for defense evasion.
For this alert to work, the ADS_FILE_EXTENSIONS list is required.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1564.004 - NTFS File Attributes

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

[label="create" label="process" "process"="*\findstr.exe" command="*findstr*" ((command="*/V*" command="*/L*") OR (command="*/S*" command="*/I*"))] as s1 followed by [label="Create" label="File" file in ADS_FILE_EXTENSIONS] as s2 on s1.process_id=s2.process_id | rename s1.process as "process", s1.log_ts as log_ts, s1.command as command, s1.host as host, s1.user as user, s1.parent_process as parent_process

2.851 LP_Suspicious Download Using Diantz


• Trigger Condition: When a remote file is downloaded using diantz.exe and stored
on the local machine compressed into a .cab file. Diantz.exe performs the same
function as makecab.exe, which compresses a file into a smaller file with a .cab
extension. Adversaries can use diantz.exe for ingress tool transfer to evade
defenses and establish a C2 connection.

• ATT&CK Category: Command and Control

• ATT&CK Tag: T1105 - Ingress Tool Transfer

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Create" label="Process" command="*diantz.exe*" command="* \\*" command="*.cab*"

2.852 LP_Ngrok RDP Tunnel Detected


• Trigger Condition: When the execution of the Ngrok utility for tunneling an RDP
connection is detected. Threat actors often use Ngrok to expose internal services
to the internet, for example making RDP publicly accessible. The source address
artifact ::%16777216 is logged when an incoming RDP connection is established via
ngrok.

• ATT&CK Category: Command and Control

• ATT&CK Tag: T1572 - Protocol Tunneling

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer ((event_source IN ["Microsoft-Windows-TerminalServices-LocalSessionManager", "Microsoft-Windows-TerminalServices-RemoteConnectionManager"]) OR (channel=Security event_id=4779)) (source_address="::%16777216" OR eventxml.address="::%16777216") | rename eventxml.address as source_address

2.853 LP_Ngrok Execution


• Trigger Condition: When it detects the execution of the Ngrok utility used for
port forwarding and protocol tunneling. Threat actors often use Ngrok to expose
internal services to the internet, like making RDP publicly accessible.

• ATT&CK Category: Command and Control

• ATT&CK Tag: T1572 - Protocol Tunneling

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="Process" label=Create (("process"="*\ngrok.exe" command IN ["* tcp *", "* http *", "* authtoken *"]) OR (command="* start *" command="*--all*" command="*.yml*" command="*--config*") OR (command IN ["* tcp 139*", "* tcp 445*", "* tcp 3389*", "* tcp 5985*", "* tcp 5986*"]))

2.854 LP_AD Privesc CVE-2022-26923 Exploitation


• Trigger Condition: When the creation of a computer account spoofing a domain
controller name is followed by a successful request for the Machine certificate
template from the CA server. This indicates exploitation of the Active Directory
(AD) privilege escalation vulnerability CVE-2022-26923, patched on May 10, 2022.
For this alert to work, you need the WINDOWS_DC list containing the FQDNs of all
domain controllers operating in your domain.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: T1068 - Exploitation for Privilege Escalation

• Minimum Log Source Requirement: Windows

• Query:

[ norm_id=WinServer label=Computer label=Account label=Create dns_host IN WINDOWS_DC ] as s1 followed by [ norm_id=WinServer label=Certificate label=Request label=Approve attributes="CertificateTemplate:Machine" | norm on requester <requester_account:'\S+'> ] as s2 within 1 hour on s1.computer=s2.requester_account | rename s1.log_ts as account_creation_ts, s1.computer as computer, s1.user as user, s1.service as service, s1.dns_host as dns_host, s2.subject as certificate_subject | chart count() by account_creation_ts, computer, user, service, dns_host, certificate_subject
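The findstr ADS rule in 2.850 and this CVE-2022-26923 rule both rest on the same `[...] as s1 followed by [...] as s2 on s1.x=s2.y` correlation, the second adding a `within 1 hour` window. As an added example (not LogPoint's own code), the Python below implements that join and both rules' selections over constructed events; the event shape, the `label` strings and the contents of the WINDOWS_DC and ADS_FILE_EXTENSIONS lists are assumptions.

```python
import re
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed stand-ins for the WINDOWS_DC and ADS_FILE_EXTENSIONS lists the rules reference.
WINDOWS_DC = {"dc01.corp.example", "dc02.corp.example"}
ADS_FILE_EXTENSIONS = ["*:*.exe", "*:*.dll", "*:*.ps1"]


def wildcard(value, patterns):
    """Case-insensitive '*' glob test, like `field IN [...]` or `field="*x*"` in the queries."""
    value = str(value).lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def followed_by(s1_events, s2_events, key1, key2, within=None):
    """`[...] as s1 followed by [...] as s2 within <t> on s1.key1=s2.key2`: pairs where s2 is
    not earlier than s1, the join fields match (case-insensitive) and s2 is inside `within`."""
    pairs = []
    for e1 in s1_events:
        for e2 in s2_events:
            delta = e2["log_ts"] - e1["log_ts"]
            if delta < timedelta(0) or (within is not None and delta > within):
                continue
            if str(e1[key1]).lower() == str(e2[key2]).lower():
                pairs.append((e1, e2))
    return pairs


def detect_cve_2022_26923(events):
    """LP_AD Privesc CVE-2022-26923 Exploitation: a computer account created with a
    domain controller's dnsHostName, then a Machine-template certificate issued to that
    account within one hour."""
    s1 = [e for e in events if e["label"] == "Computer Account Create"
          and e.get("dns_host", "").lower() in WINDOWS_DC]
    s2 = []
    for e in events:
        if e["label"] != "Certificate Request Approve":
            continue
        if e.get("attributes") != "CertificateTemplate:Machine":
            continue
        # `norm on requester <requester_account:'\S+'>`: the first non-blank token
        m = re.match(r"\S+", e.get("requester", ""))
        if m:
            s2.append({**e, "requester_account": m.group(0)})
    pairs = followed_by(s1, s2, "computer", "requester_account", within=timedelta(hours=1))
    # `| rename ... | chart count() by ...`: one row per correlated pair
    return [{"account_creation_ts": a["log_ts"], "computer": a["computer"], "user": a["user"],
             "dns_host": a["dns_host"], "certificate_subject": b["subject"]} for a, b in pairs]


def detect_findstr_ads(events):
    """LP_Alternate Data Stream Created using Findstr: findstr run with /V /L (or /S /I),
    followed by a file-create event from the same process_id matching ADS_FILE_EXTENSIONS."""
    def findstr_selection(e):
        c = e.get("command", "")
        return (wildcard(e.get("process", ""), ["*\\findstr.exe"]) and wildcard(c, ["*findstr*"])
                and ((wildcard(c, ["*/V*"]) and wildcard(c, ["*/L*"]))
                     or (wildcard(c, ["*/S*"]) and wildcard(c, ["*/I*"]))))
    s1 = [e for e in events if e["label"] == "Process Create" and findstr_selection(e)]
    s2 = [e for e in events if e["label"] == "File Create"
          and wildcard(e.get("file", ""), ADS_FILE_EXTENSIONS)]
    return [{"process": a["process"], "command": a["command"], "host": a["host"], "user": a["user"],
             "parent_process": a["parent_process"], "file": b["file"]}
            for a, b in followed_by(s1, s2, "process_id", "process_id")]


T0 = datetime(2023, 5, 11, 9, 0, 0)
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # A low-privileged user creates a computer account whose dnsHostName is a DC's FQDN ...
    {"label": "Computer Account Create", "log_ts": T0, "computer": "DC01$",
     "user": "lowpriv", "dns_host": "dc01.corp.example"},
    # ... and 12 minutes later the CA issues it a Machine certificate: the rule fires.
    {"label": "Certificate Request Approve", "log_ts": T0 + timedelta(minutes=12),
     "attributes": "CertificateTemplate:Machine", "requester": "DC01$ (CORP\\lowpriv)",
     "subject": "CN=dc01.corp.example"},
    # Ordinary workstation join plus autoenrollment: dns_host is not a DC, so no s1 match.
    {"label": "Computer Account Create", "log_ts": T0, "computer": "WS042$",
     "user": "helpdesk", "dns_host": "ws042.corp.example"},
    {"label": "Certificate Request Approve", "log_ts": T0 + timedelta(minutes=3),
     "attributes": "CertificateTemplate:Machine", "requester": "WS042$",
     "subject": "CN=ws042.corp.example"},
    # Same spoofed account, but the certificate arrives two hours later: outside the window.
    {"label": "Certificate Request Approve", "log_ts": T0 + timedelta(hours=2),
     "attributes": "CertificateTemplate:Machine", "requester": "DC01$",
     "subject": "CN=late.corp.example"},
    # findstr /V /L whose process then creates a file with an ADS name (joined on process_id).
    {"label": "Process Create", "log_ts": T0, "process_id": 4242, "host": "ws042", "user": "jdoe",
     "process": "C:\\Windows\\System32\\findstr.exe", "command": "findstr /V /L nomatch input.bin",
     "parent_process": "C:\\Windows\\System32\\cmd.exe"},
    {"label": "File Create", "log_ts": T0 + timedelta(seconds=1), "process_id": 4242,
     "file": "readme.txt:hidden.exe"},
    # ADS file from an unrelated process_id: no join with the findstr event.
    {"label": "File Create", "log_ts": T0 + timedelta(seconds=1), "process_id": 9999,
     "file": "notes.txt:other.dll"},
]
```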

2.855 LP_Possible Ransomware Deletion Volume Shadow Copies Detected

• Trigger Condition: When LogPoint detects commands that delete all local volume
shadow copies, as used by different ransomware families.

• ATT&CK Category: Impact

• ATT&CK Tag: T1490 - Inhibit System Recovery

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=1 command IN ["*vssadmin* delete shadows*", "*wmic* SHADOWCOPY*DELETE*"] -user IN EXCLUDED_USERS

2.856 LP_Windows Defender Uninstall via PowerShell


• Trigger Condition: When PowerShell is used to uninstall Windows Defender.
PowerShell is a Microsoft task automation and configuration management program
consisting of a command-line shell with its scripting language. Microsoft Defender
Antivirus is an anti-malware component of Microsoft Windows. Adversaries can use
this technique to avoid the detection of their malware.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1562 - Impair Defenses

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process"="*\powershell.exe" command="*Uninstall-WindowsFeature*Name*Windows-Defender*"

2.857 LP_Hijacked Binary Execution via Settings Synchronizer

• Trigger Condition: When SettingSyncHost is used to run hijacked binaries.
SettingSyncHost is a Microsoft Windows host process that synchronizes system
settings with other devices, including Internet Explorer, a mail application,
OneDrive, Xbox and other application settings. Adversaries can exploit
SettingSyncHost to run hijacked binaries and other specified files.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1574.008 - Path Interception by Search Order Hijacking

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" -"process" IN ["C:\Windows\System32\*", "C:\Windows\SysWOW64\*"] parent_command IN ["*cmd.exe /c*", "*cmd /c*"] parent_command="*RoamDiag.cmd*" parent_command="*-outputpath*"

2.858 LP_Suspicious Execution of Dump64


• Trigger Condition: When suspicious use of dump64.exe is detected. dump64.exe
is a memory dump tool bundled with Microsoft Visual Studio. Adversaries can
leverage it to create a memory dump and parse it offline to retrieve credentials.
Adversaries can also bypass Microsoft Defender by renaming another tool, for
example procdump.exe, to dump64.exe and placing it in a Visual Studio folder. The
rule can trigger false positives when dump64.exe is executed from any folder other
than the excluded one, even for a legitimate purpose.

• ATT&CK Category: Credential Access

• ATT&CK Tag: T1003.001 - LSASS Memory

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" "process"="*\dump64.exe" (-("process"="*\Installer\Feedback\dump64.exe*") OR command IN ["* -ma *", "*accepteula*"])

2.859 LP_Code Compilation via Visual Basic Command Line Compiler

• Trigger Condition: When a successful compilation of code using the Visual Basic
Command Line Compiler is detected. vbc.exe is Microsoft's Visual Basic compiler,
used to compile programs within the Visual Studio integrated development
environment (IDE). Adversaries can leverage it to compile malicious code on the
system to bypass defensive countermeasures. Legitimate use of this tool can
trigger false positives, but it is rarely used in enterprise environments, so its
detection is suspicious.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1027.004 - Compile After Delivery

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Create" label="Process" parent_process="*\vbc.exe" "process"="*\cvtres.exe"

2.860 LP_File Downloaded from Suspicious URL Using GfxDownloadWrapper

• Trigger Condition: When downloading files from suspicious (non-standard)
URLs using GfxDownloadWrapper.exe is detected. Intel Graphics Executable
Download Wrapper (GfxDownloadWrapper) is an application file that allows
you to update your graphics card module. It downloads JSON files from
https://gameplayapi.intel.com. Adversaries can leverage its functionality to
download files from other non-standard URLs.

• ATT&CK Category: Command and Control

• ATT&CK Tag: T1105 - Ingress Tool Transfer

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Create" label="Process" "process"="*\GfxDownloadWrapper.exe" -command="*gameplayapi.intel.com*" -parent_process="*\GfxDownloadWrapper.exe"

2.861 LP_Suspicious CLR Logs File Creation


• Trigger Condition: When .NET code is executed via applications such as mshta,
cscript, wscript, regsvr32 and wmic. .NET is a developer platform with tools and
libraries for building applications, including web, mobile, desktop, games, IoT,
cloud, and microservices. The Common Language Runtime in a .NET environment
runs code and provides services that make the development process more
manageable. The binaries included in the query are Windows internal binaries that
adversaries can use to execute their malicious scripts.

• ATT&CK Category: Privilege Escalation

• ATT&CK Tag: T1055 - Process Injection

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label=File label=Create label=Overwrite path="*\AppData\Local\Microsoft\CLR*\UsageLogs\*" file IN ["mshta*","cscript*","wscript*","regsvr32*","wmic*"]

2.862 LP_CLR DLL Loaded via Scripting Application


• Trigger Condition: When a Common Language Runtime (CLR) DLL is loaded by a
scripting application. mshta.exe, wscript.exe and cscript.exe are Windows internal
binaries. The Common Language Runtime works in the .NET environment, runs the
code and provides services that make the development process more manageable.
Adversaries can use this technique to execute malicious scripts.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1218.005 - Mshta

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label=image label=load source_image IN ["*\wscript.exe","*\cscript.exe","*\mshta.exe"] image IN ["*\clr.dll","*\mscoree.dll","*mscorlib.dll"]

2.863 LP_Obfuscation Script Usage via MSHTA to Execute Vbscript

• Trigger Condition: When execution of an Invoke-Obfuscation PowerShell script
that uses mshta to execute VBScript is detected. mshta.exe is a software
component of Windows Internet Explorer that runs HTML Application (HTA) files.
Invoke-Obfuscation is a PowerShell command and script obfuscation framework.
VBScript is an Active Scripting language developed by Microsoft, modeled on Visual
Basic. Adversaries can use this technique to bypass defensive mechanisms.

• ATT&CK Category: Defense Evasion, Execution

• ATT&CK Tag: T1027 - Obfuscated Files or Information, T1059.001 - PowerShell

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create command=* | process regex("(?P<new_command>(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*)",command) | filter new_command=*

2.864 LP_Microsoft Defender Logging Disabled


• Trigger Condition: When Windows Defender Registry key is modified to disable
Windows Defender’s logging. Windows Defender is an anti-malware component
of Microsoft Windows. Adversaries use this technique to disable logs generated
from Windows Defender and avoid detection.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1562 - Impair Defenses

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Registry label=Value label=Set target_object="*\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled" detail="DWORD (0x00000000)"

2.865 LP_UAC Bypass via CMLUA or CMSTPLUA


• Trigger Condition: When the CMLUA or CMSTPLUA DLL is loaded to perform a user
account control (UAC) bypass.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1562 - Impair Defenses

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Image label=Load image IN ["*\cmlua.dll","*\cmstplua.dll","*\cmluautil.dll"] -"process" IN ["*\cmstp.exe","*\cmmgr32.exe"] -source_image IN ["*\windows\*","*\program files\*"]

2.866 LP_High Number of Service Stop or Task Kill in Short Span

• Trigger Condition: When suspicious mshta.exe process patterns like binary run
from a non-default path, execution of mshta.exe binary masquerading as different
binary and execution of HTML application (HTA) masquerading as non-HTA file
are detected. mshta.exe is a utility that executes HTA files. HTAs are standalone
applications that run using the same models and technologies as Internet Explorer
but outside the browser. Adversaries may abuse mshta.exe to evade defense by
proxy, executing malicious files and Javascript/VBScript through a trusted Windows
utility.

• ATT&CK Category: Impact

• ATT&CK Tag: T1489 - Service Stop

• Minimum Log Source Requirement: Windows

• Query:

(label="process" label=create "process"="*\taskkill.exe" (command= "*f *" command="*im *") OR command="*IM *") OR (label="process" label=create ("process" IN ["*\sc.exe", "*\net.exe", "*\net1.exe"] command="*stop*") OR ("process"="*\sc.exe" command="*delete*") -user IN EXCLUDED_USERS) | chart count() as occurrence by user,host,domain,"process",parent_process | search occurrence > 8
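As an added example (not LogPoint's own code), the Python below reproduces this rule's selection and its `chart count() as occurrence by ... | search occurrence > 8` aggregation over constructed events, so the threshold and the EXCLUDED_USERS negation can be seen working; the event shape and the list contents are assumptions.

```python
from collections import Counter
from fnmatch import fnmatchcase

EXCLUDED_USERS = {"svc-backup"}   # constructed stand-in for the EXCLUDED_USERS list
THRESHOLD = 8                     # `| search occurrence > 8`


def wildcard(value, patterns):
    """Case-insensitive '*' glob test, like `field IN [...]` in the queries."""
    value = str(value).lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def is_stop_or_kill(e):
    """One event of the rule's selection: `taskkill /F /IM ...`, `sc|net|net1 ... stop ...`
    or `sc ... delete ...`; the EXCLUDED_USERS negation sits in the second branch only."""
    if e.get("label") != "Process Create":
        return False
    proc, cmd = e.get("process", ""), e.get("command", "")
    if wildcard(proc, ["*\\taskkill.exe"]) and wildcard(cmd, ["*f *"]) and wildcard(cmd, ["*im *"]):
        return True
    if e.get("user") in EXCLUDED_USERS:
        return False
    if wildcard(proc, ["*\\sc.exe", "*\\net.exe", "*\\net1.exe"]) and wildcard(cmd, ["*stop*"]):
        return True
    return wildcard(proc, ["*\\sc.exe"]) and wildcard(cmd, ["*delete*"])


def high_volume_stops(events, threshold=THRESHOLD):
    """`chart count() as occurrence by user,host,domain,"process",parent_process
    | search occurrence > 8`: group the matching events, keep groups above the threshold."""
    counts = Counter(
        (e["user"], e["host"], e["domain"], e["process"], e["parent_process"])
        for e in events if is_stop_or_kill(e))
    return {key: n for key, n in counts.items() if n > threshold}


def _proc(user, process, command, parent="C:\\Windows\\System32\\cmd.exe"):
    """Build one constructed process-creation event on a fixed host/domain."""
    return {"label": "Process Create", "user": user, "host": "ws042", "domain": "CORP",
            "process": process, "command": command, "parent_process": parent}


SC = "C:\\Windows\\System32\\sc.exe"
NET = "C:\\Windows\\System32\\net.exe"
TASKKILL = "C:\\Windows\\System32\\taskkill.exe"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = (
    # 9 `sc stop` calls from one user/host/parent in a burst: crosses the > 8 threshold.
    [_proc("jdoe", SC, f"sc stop svc{i:02d}") for i in range(9)]
    # 3 `taskkill /F /IM` from an admin: matches the selection but stays under the threshold.
    + [_proc("admin", TASKKILL, f"taskkill /F /IM app{i}.exe") for i in range(3)]
    # 20 `net stop` from an excluded backup account: dropped by `-user IN EXCLUDED_USERS`.
    + [_proc("svc-backup", NET, f"net stop svc{i:02d}", parent="C:\\backup\\agent.exe")
       for i in range(20)]
    # An unrelated process: not part of the selection at all.
    + [_proc("jdoe", "C:\\Windows\\System32\\ipconfig.exe", "ipconfig /all")]
)
```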

2.867 LP_LSA Protected Process Light Disabled


• Trigger Condition: When a modification of the registry value that disables
Protected Process Light (PPL) is detected. A protected process can be accessed only
by executables that are digitally signed with a special Windows Media certificate,
even when running with administrator privilege. Protected Process Light is an
extension of a protected process where a process can be assigned a different level
of protection. Adversaries can use this technique to access the LSASS process and
dump it to retrieve credentials.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1112 - Modify Registry

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label=Registry label=Set label=Value target_object="*\System\CurrentControlSet\Control\Lsa\RunAsPPL" detail="DWORD (0x00000000)"

2.868 LP_Suspicious Invocation of Microsoft Workflow Compiler

• Trigger Condition: When the use of Microsoft Workflow Compiler is detected.
Microsoft Workflow Compiler is a utility included by default in the .NET framework,
capable of compiling and executing arbitrary, unsigned C# or VB.net code.
Adversaries can leverage it for the proxy execution of executables to evade
detection. The use of MWC in an enterprise environment is highly unlikely.
However, legitimate use can trigger false positives.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1127 - Trusted Developer Utilities Proxy Execution

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" ("process"="*\Microsoft.Workflow.Compiler.exe" OR (file="Microsoft.Workflow.Compiler.exe" command="*.xml*"))

2.869 LP_Process Dump via Sqldumper Detected


• Trigger Condition: When a process dump via Sqldumper.exe is detected. The
Sqldumper.exe is a debugging utility, included with Microsoft SQL Server, which
generates memory dumps of SQL Server and of related processes for debugging
purposes. Adversaries can leverage its functionality to dump processes like LSASS.
Legitimate MSSQL Server actions can trigger false positives.

• ATT&CK Category: Credential Access

• ATT&CK Tag: T1003 - OS Credential Dumping, T1003.001 - LSASS Memory

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" "process"="*\sqldumper.exe" command IN ["*0x0110*", "*0x01100:40*"]

2.870 LP_Suspicious Usage of SQLToolsPS Detected


• Trigger Condition: When proxy execution of PowerShell code through
SQLToolsPS.exe is detected. SQLToolsPS.exe is a utility shipped with Microsoft SQL
Server Management Studio that loads SQL Server cmdlets. Adversaries can leverage
it to execute malicious PowerShell code and bypass detection methods. Direct
execution of PowerShell code via SQLToolsPS.exe is uncommon; however, a
sqltoolsps.exe child process spawned by smss.exe is a legitimate action.

• ATT&CK Category: Execution, Defense Evasion

• ATT&CK Tag: T1059.001 - PowerShell, T1127 - Trusted Developer Utilities Proxy Execution

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" (("process"="*\sqltoolsps.exe" OR parent_process="*\sqltoolsps.exe") OR (file="\sqltoolsps.exe" -(parent_process="*\smss.exe")))

2.871 LP_Proxy Execution of Malicious Payload via Pubprn


• Trigger Condition: When proxy execution of malicious payloads via PubPrn.vbs
is detected. PubPrn.vbs is a signed Visual Basic script that publishes a printer
to Active Directory Domain Services. Adversaries can abuse PubPrn to execute
malicious payloads hosted on remote sites.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1216.001 - PubPrn

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" command="*\pubprn.vbs*" command="*script:*"

2.872 LP_File Download via IMEWDBLD


• Trigger Condition: When a network connection is detected via the IMEWDBLD.exe
binary. IMEWDBLD.EXE is a part of the Microsoft Input Method Editor (IME). IME is
a software component that enables a user to enter text in a language that can't
easily be typed using a standard keyboard. Adversaries can use this technique to
download a payload from a remote system.

• ATT&CK Category: Command and Control

• ATT&CK Tag: T1105 - Ingress Tool Transfer

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label=Connection label=Network label=Detect "process"="*\IMEWDBLD.exe" is_initiated=true

2.873 LP_Memory Dump via Adplus


• Trigger Condition: When LSASS process dump via adplus.exe is detected. Local
Security Authority Server Service (LSASS) is a process in Microsoft Windows
operating systems that is responsible for enforcing the security policy on the
system and handles authentication, password change and tokens. ADPlus is a
console-based Visual Basic script included with Microsoft Debugging Tools for
Windows installation. Adversaries may attempt to access credentials stored in the
process memory of the LSASS.

• ATT&CK Category: Credential Access

• ATT&CK Tag: T1003.001 - LSASS Memory

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create "process"="*\adplus.exe" command IN ["* -hang *", "* -pn *", "* -pmn *", "* -p *", "* -po *", "* -c *", "* -sc *"]

2.874 LP_TTDInject Usage Detected


• Trigger Condition: When the use of the ttdinject binary is detected. Ttdinject is a
binary that is part of the Time Travel Debugging utility, which is used in Windows
10 v1809. Time Travel Debugging captures a trace of a process as it executes and
allows the trace to be replayed later. Adversaries can use this technique to proxy
execute malicious payloads.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1127 - Trusted Developer Utilities Proxy Execution

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create ("process"="*\ttdinject.exe" OR file="TTDInject.exe")

2.875 LP_Remote Thread Created via Ttdinject


• Trigger Condition: When a remote thread is created by the ttdinject binary.
Ttdinject is a binary that is part of the Time Travel Debugging utility, which is used
in Windows 10 v1809. Time Travel Debugging captures a trace of a process as it
executes and allows the trace to be replayed later. Adversaries can use this
technique to proxy execute malicious payloads.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1127 - Trusted Developer Utilities Proxy Execution

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create ("process"="*\ttdinject.exe" OR file="TTDInject.exe")

2.876 LP_Proxy Download via OneDriveStandaloneUpdater


• Trigger Condition: When the OneDriveStandaloneUpdater registry value is modified.
OneDriveStandaloneUpdater.exe is a binary that belongs to the Standalone
Updater process and comes with Microsoft OneDrive. Adversaries can use this
technique for transferring tools or other files to the victim system from a URL that is
set in the OneDriveStandaloneUpdater registry. Registry auditing must be enabled
and permission must be allowed for auditing the OneDriveStandaloneUpdater
registry.

• ATT&CK Category: Command and Control

• ATT&CK Tag: T1105 - Ingress Tool Transfer

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label=registry label=value label=set target_object="*\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC*"

2.877 LP_Suspicious WMIC ActiveScriptEventConsumer Created


• Trigger Condition: When WMIC is executed to create an event consumer.
ActiveScriptEventConsumer is a class that runs a predefined script in an arbitrary
scripting language when an event is delivered to it. Adversaries may establish
persistence and elevate privileges by executing malicious content triggered by a
Windows Management Instrumentation (WMI) event subscription.

• ATT&CK Category: Persistence

• ATT&CK Tag: T1546.003 - Windows Management Instrumentation Event
Subscription

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create command="*ActiveScriptEventConsumer*" command="*�


,→CREATE *"

2.878 LP_Remote Connection Established via Msbuild


• Trigger Condition: When a network connection initiated by MSBuild while
building an application is detected. The Microsoft Build Engine (MSBuild) is a platform
for building applications. Adversaries can use this technique to build their payload
and establish a network connection to a server under their control.


• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1127.001 - MSBuild

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=windowssysmon image="*\msbuild.exe" event_id=3 destination_port IN ["80","443"] is_initiated=true

2.879 LP_Executables Started in Suspicious Folder


• Trigger Condition: When the execution of binaries from a suspicious folder is
detected. The paths in the list are not default Windows paths from which
native and internal binaries are executed. Adversaries may attempt to masquerade
their payload as legitimate binaries and execute it from non-default paths to avoid
detection. Legitimate binaries executed from those paths can trigger an alert, so
include those binaries in the excluded process list.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1036 - Masquerading

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label="process" label=create "process" IN SUSPICIOUS_FOLDER_EXE_EXECUTION


-"process" IN ["*SpeechUXWiz.exe","*SystemSettings.exe","*TrustedInstaller.exe",
,→"*PrintDialog.exe",

"*MpSigStub.exe","*LMS.exe","*mpam-*.exe"]

2.880 LP_Windows RDP Port Modified


• Trigger Condition: When the Windows Remote Desktop Protocol (RDP) port
is modified. RDP is a protocol that allows users to have GUI access to a remote
desktop. Adversaries can modify the RDP port to evade defense mechanisms
that detect connections on the default RDP port.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: T1021.001 - Remote Desktop Protocol


• Minimum Log Source Requirement: Windows Sysmon

• Query:

label=Registry label=Value label=Set target_object="*\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"

2.881 LP_Binary Creation in System Folder Detected


• Trigger Condition: When a binary or DLL is dropped in the Windows root folder
by a system process. System folders are used by the operating system to store
files necessary for proper function. A system folder is a primary location for
DLL files. Adversaries may copy files between internal victim systems to support
lateral movement using inherent file-sharing protocols, such as file sharing over
SMB/Windows Admin Shares to connected network shares or with authenticated
connections via Remote Desktop Protocol.

• ATT&CK Category: Lateral Movement

• ATT&CK Tag: T1570 - Lateral Tool Transfer

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label=File label=Create label=Overwrite "process"=system path IN ["C:\windows\*"] file IN ["*.exe", "*.dll"]

2.882 LP_Curl Silent Mode Execution Detected


• Trigger Condition: When curl is run in silent mode. Client URL (curl) is a command
line tool that is used to transfer data to and from a server. Adversaries can use this
technique to prevent showing file transfer progress and redirect output to a file.

• ATT&CK Category: Command and Control

• ATT&CK Tag: T1105 - Ingress Tool Transfer

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:


label="Process" label=Create command="*curl*" ((command="*-s*" command="*-o*") OR�


,→command="*-s*")

2.883 LP_High Volume of File Modification or Deletion in Short Span


• Trigger Condition: When 30 file modifications or deletions are detected within a
single minute. A large number of file modifications and deletions is an indicator of
ransomware. Based on requirements and the number of detected false positives, a
user can modify the number of events needed or the time frame. To generate logs,
enable the auditing policy of the relevant folders. When a user or software modifies
a large number of files, this can result in a false positive. To reduce the number of
false positives, exclude the process in the query.

• ATT&CK Category: Impact

• ATT&CK Tag: T1565 - Data Manipulation

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

[30 label=File label=Object label=Storage access IN ["Delete*","writedata*"] -"process" IN ["*\tiworker.exe","*\poqexec.exe","*\msiexec.exe"] having same host,domain,user,"process" within 1 minutes]

2.884 LP_Non-Existent User Login Attempt Detected


• Trigger Condition: When eight non-existent user login attempts on the SSH service are
detected within a minute. Secure Shell (SSH) is a protocol that provides a secure
way to access a computer over a network. Adversaries can perform username brute
force to find a valid username. Based on requirements and the number of false positives, the
user can modify the number of invalid login attempts and the time frame.

• ATT&CK Category: Credential Access

• ATT&CK Tag: T1110 - Brute Force

• Minimum Log Source Requirement: Unix

• Query:


[8 label=Invalid label=User "process"=sshd having same source_address within 1 minutes]

2.885 LP_Execution of Temporary Files Via Office Application


• Trigger Condition: When an Office application creates a child process that executes
a file with a .tmp extension. Adversaries use this technique to avoid detection by
using a legitimate application to run a payload that is masquerading as a temporary
file.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1036 - Masquerading

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label="Create" "parent_process" IN ["*\winword.exe", "*\powerpnt.exe",


,→"*\excel.exe"] "process"="*.tmp"


2.887 LP_Malicious Image Loaded Via Excel


• Trigger Condition: When an unsigned image is loaded via Excel. An XLL file is
an add-in used by Microsoft Excel. It contains extra functions, templates, or other
tools that enhance the capabilities of Excel. Examples of add-ins include custom
chart generators and template managers. Adversaries can use this technique
to load their malicious unsigned add-ins to execute their payload or download
malware from a remote server.

• ATT&CK Category: Persistence

• ATT&CK Tag: T1137 - Office Application Startup, T1137.001 - Office Template
Macros

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label=Image label=Load "process"="*\excel.exe" file IN ["*.xlam","*.xla","*.xll"] is_sign=false

2.888 LP_Malicious Chrome Extension Detected


• Trigger Condition: When malicious Chrome extension IDs are detected by
Osquery. This analytic relies on the chrome_extensions table and requires analysts to
keep an up-to-date list of malicious Chrome extension IDs.

• ATT&CK Category: Persistence

• ATT&CK Tag: T1176 - Browser Extensions

• Minimum Log Source Requirement: -

• Query:

event_source=OSQuery event_type=chrome_extension* columns_identifier IN MALICIOUS_CHROME_EXTENSIONS

2.889 LP_Chrome Extension Installed Outside of the Webstore


• Trigger Condition: When malicious Chrome extensions are installed from outside
the official Chrome webstore. Adversaries can manually install the browser
extension via their batch, PowerShell or VBS scripts. Analysts need to make sure
they place the correct event types in the query.

• ATT&CK Category: Persistence

• ATT&CK Tag: T1176 - Browser Extensions

• Minimum Log Source Requirement: -

• Query:

event_source=OSQuery event_type="chrome_extension*" columns_from_webstore=false

2.890 LP_Chrome Extension Installed with DevTools Permission


• Trigger Condition: When OSQuery detects a Chrome extension installed with the
devtools permission. Analysts must check for unusual extensions installed with this
permission and also check whether the extensions were installed from the webstore.

• ATT&CK Category: Persistence

• ATT&CK Tag: T1176 - Browser Extensions

• Minimum Log Source Requirement: -

• Query:

event_source=OSQuery event_type="chrome_extension*" columns_permission="*devtools*"

2.891 LP_Defender SpyNet Reporting Disabled


• Trigger Condition: When the SpyNet reporting feature is disabled via registry
value modification. SpyNet reporting is a feature of Windows Defender Antivirus
that sends information about potential threats and suspicious activity to Microsoft.
The submitted file is analyzed to improve the software’s threat detection and
response capabilities. Adversaries use this technique to prevent their malware from
being sent to Microsoft.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1562.001 - Disable or Modify Tools

• Minimum Log Source Requirement: Windows Sysmon


• Query:

norm_id=WindowsSysmon event_id=13 target_object="*\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting" detail IN ["0","DWORD (0x00000000)"] event_type=SetValue

2.892 LP_Suspicious WMIC Process Creation


• Trigger Condition: When WMIC executes “Process Call Create” with suspicious
process arguments such as rundll32, regsvr32 or mshta. The WMI command-line
(WMIC) utility provides a command-line interface for Windows Management
Instrumentation (WMI). WMI is a Microsoft technology that provides a common
framework for managing and monitoring Windows-based systems. Adversaries can
use this technique to proxy execute their malicious files and payloads via wmic.exe.

• ATT&CK Category: Execution

• ATT&CK Tag: T1047 - Windows Management Instrumentation

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create command="process" command=call command=create


command IN ["*rundll32*","*bitsadmin*","*regsvr32*","*cmd.exe /c *","*cmd.exe /k *","*cmd.
,→exe /r *","*cmd /c *","*cmd /k *",

"*cmd /r *", "*powershell*","*pwsh*","*certutil*","*cscript*","*wscript*", "*mshta*",


,→"*\Users\Public\*", "*\Windows\Temp\*", "*\AppData\Local\*","*%temp%*","*%tmp%*","*

,→%ProgramData%*","*%appdata%*","*%comspec%*","*%localappdata%"]

2.893 LP_Browser Credential Files Accessed


• Trigger Condition: When access to the stored credential files of a browser (Chrome,
Edge or Firefox) is detected. When a user saves credentials in the browser,
those credentials are stored in the files listed in the query. Adversaries can
access those files in an attempt to retrieve the stored credentials.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1202 - Indirect Command Execution

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:


label=File label=Access ((path IN ["*\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies*","*\Appdata\Local\Chrome\User Data\Default\Login Data*","*\AppData\Local\Google\Chrome\User Data\Local State*"] object_name IN ["*\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat","*\cookies.sqlite"]) OR object_name IN ["*\Microsoft\Edge\User Data\Default\Web Data", "*Firefox*release\logins.json","*firefox*release\key3.db","*firefox*release\key4.db"]) -"process" IN ["*\firefox.exe", "*\chrome.exe","C:\Program Files\*","C:\Program Files (x86)\*","C:\WINDOWS\system32\*","*\MsMpEng.exe","*\MpCopyAccelerator.exe","*\thor64.exe","*\thor.exe"] -parent_process IN ["C:\Windows\System32\msiexec.exe"] -("process"=system parent_process=idle) "access"="ReadData*"

2.894 LP_Windows Defender Antivirus Definitions Removal Detected


• Trigger Condition: When Microsoft Defender Antivirus signature definitions are
removed from the system. Microsoft Defender Antivirus (formerly Windows
Defender) offers protection against all threats on Windows devices. The Malware
Protection Command Line Utility (MpCmdRun) is a Microsoft Windows internal
command-line tool dedicated to automating and managing Microsoft Defender
Antivirus operations on Windows devices. Adversaries leverage this method to
remove Antivirus definitions and ultimately avoid detection.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1562.001 - Disable or Modify Tools

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create "process"="*\MpCmdRun.exe" command="*RemoveDefinitions*


,→"

2.895 LP_Exchange ProxyShell Pattern Detected


• Trigger Condition: When a URL pattern associated with ProxyShell exploitation
attempts (both successful and failure) against Exchange servers is detected.
ProxyShell is an attack chain that exploits three known vulnerabilities in Microsoft
Exchange: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Adversaries
may exploit these vulnerabilities to perform remote code execution.

• ATT&CK Category: Initial Access


• ATT&CK Tag: T1190 - Exploit Public-Facing Application

• Minimum Log Source Requirement: Webserver

• Query:

norm_id=* ((url="*/autodiscover.json*" url IN ["*/powershell*", "*/mapi/nspi*", "*/EWS*", "*X-Rps-CAT*"]) OR url IN ["*autodiscover.json?@*", "*autodiscover.json%3f@*", "*%[email protected]*", "*Email=autodiscover/autodiscover.json*", "*[email protected]*"])

2.896 LP_Successful Exchange ProxyShell Attack


• Trigger Condition: When a URL pattern and status code associated with a
successful ProxyShell exploitation attack against Exchange servers are detected.
ProxyShell is an attack chain that exploits three known vulnerabilities in Microsoft
Exchange: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Adversaries
may exploit these vulnerabilities to perform remote code execution.

• ATT&CK Category: Initial Access

• ATT&CK Tag: T1190 - Exploit Public-Facing Application

• Minimum Log Source Requirement: Webserver

• Query:

norm_id=* (url="*/autodiscover.json*" url IN ["*/powershell*", "*/mapi/nspi*", "*/EWS*", "*X-Rps-CAT*"] status_code IN [200, 301])

2.897 LP_Malicious Base64 Encoded PowerShell Keywords in Command Lines Detected


• Trigger Condition: When base64-encoded malicious keywords are detected in hidden
Command and Scripting Interpreter and PowerShell command lines. Adversaries
hide their activities by encoding commands to bypass detection with this technique.

• ATT&CK Category: Execution

• ATT&CK Tag: T1059 - Command and Scripting Interpreter, T1059.001 - PowerShell

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:


label="process" label=create "process"="*\powershell.exe" command IN ["* hidden *",


,→"*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*",

,→"*aXRzYWRtaW4gL3RyYW5zZmVy*",

,→"*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*",

,→"*JpdHNhZG1pbiAvdHJhbnNmZX*",

,→"*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*",

,→"*Yml0c2FkbWluIC90cmFuc2Zlc*", "*AGMAaAB1AG4AawBfAHMAaQB6AGUA*",

,→"*JABjAGgAdQBuAGsAXwBzAGkAegBlA*", "*JGNodW5rX3Npem*",

,→"*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*", "*RjaHVua19zaXpl*", "*Y2h1bmtfc2l6Z*",

,→"*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*",

,→"*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*", "*lPLkNvbXByZXNzaW9u*",

,→"*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*", "*SU8uQ29tcHJlc3Npb2*",

,→"*Ty5Db21wcmVzc2lvb*", "*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*",

,→"*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*", "*lPLk1lbW9yeVN0cmVhb*",

,→"*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*", "*SU8uTWVtb3J5U3RyZWFt*",

,→"*Ty5NZW1vcnlTdHJlYW*", "*4ARwBlAHQAQwBoAHUAbgBrA*", "*5HZXRDaHVua*",

,→"*AEcAZQB0AEMAaAB1AG4Aaw*", "*LgBHAGUAdABDAGgAdQBuAGsA*",

,→"*LkdldENodW5r*", "*R2V0Q2h1bm*", "*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*",

,→"*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*", "*RIUkVBRF9JTkZPNj*",

,→"*SFJFQURfSU5GTzY0*", "*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*",

,→"*VEhSRUFEX0lORk82N*",

,→"*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*",

,→"*cmVhdGVSZW1vdGVUaHJlYW*",

,→"*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*",

,→"*NyZWF0ZVJlbW90ZVRocmVhZ*", "*Q3JlYXRlUmVtb3RlVGhyZWFk*",

,→"*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*",

,→"*0AZQBtAG0AbwB2AGUA*", "*1lbW1vdm*", "*AGUAbQBtAG8AdgBlA*",

,→"*bQBlAG0AbQBvAHYAZQ*", "*bWVtbW92Z*", "*ZW1tb3Zl*"] -user IN EXCLUDED_USERS

2.898 LP_DLL Loaded Via AllocConsole and RunDLL32


• Trigger Condition: When a DLL is loaded via rundll32 invoking the AllocConsole function.
AllocConsole is a Windows internal function that allocates a new console for the
calling process. Rundll32.exe is a Windows internal binary that loads and runs
32-bit dynamic-link libraries (DLLs). Adversaries can use this technique to execute
their payload using rundll32 to load a malicious DLL by invoking the AllocConsole
function.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1218.011 - Rundll32

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:


label="process" label=create "process" ="*\rundll32.exe" command="*.dll*" command=


,→"*allocconsole*"

2.899 LP_Active Directory Database Dump Attempt


• Trigger Condition: When an attempt to dump the ntds.dit file is detected.
NTDS.dit file is a database that stores the Active Directory data (including users,
groups, security descriptors and password hashes). Adversaries can use this
technique to retrieve credentials and obtain other domain information.

• ATT&CK Category: Credential Access

• ATT&CK Tag: T1003.003 - NTDS

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create (("process" IN ["*\NTDSDump.exe", "*\NTDSDumpEx.exe"] OR�


,→(command="*ntds.dit*" command="*system.hiv*") OR command="*NTDSgrab.ps1*") OR�

,→(command="*ac i ntds*" command="*create full*") OR (command="*/c copy *" command=

,→"*\windows\\ntds\\ntds.dit*") OR (command="*activate instance ntds*" command="*create�

,→full*") OR (command="*powershell*" command="*ntds.dit*")) OR (command="*ntds.dit*"�

,→(parent_process IN ["*\\apache*", "*\\tomcat*", "*\\AppData\\*", "*\\Temp\\*", "*\\Public\\*

,→", "*\\PerfLogs\\*"] OR "process" IN ["*\apache*", "*\tomcat*", "*\AppData\*", "*\Temp\*",

,→ "*\Public\*", "*\PerfLogs\*"]))

2.900 LP_Suspicious Child Process Creation via OneNote


• Trigger Condition: When the creation of suspicious child processes, execution
of binaries from non-default paths and script file execution through OneNote are
detected. Adversaries can use malicious OneNote files to social engineer users
to execute it and drop their malicious payload or execute commands in the victim
system.

• ATT&CK Category: Initial Access, Execution

• ATT&CK Tag: T1204.002 - Malicious File, T1566.001 - Spearphishing Attachment

• Minimum Log Source Requirement: Windows Sysmon

• Query:


norm_id=WindowsSysmon event_id=1 parent_image="*\onenote.exe" (file IN ["RUNDLL32.exe","REGSVR32.exe","bitsadmin.exe","CertUtil.exe","InstallUtil.exe","schtasks.exe","wmic.exe","cscript.exe","wscript.exe","CMSTP.EXE","Microsoft.Workflow.Compiler.exe","RegAsm.exe","RegSvcs.exe","MSHTA.EXE","Msxsl.exe","IEExec.exe","Cmd.Exe","PowerShell.EXE","HH.exe","javaw.exe","pcalua.exe","curl.exe","ScriptRunner.exe","CertOC.exe","WorkFolders.exe","odbcconf.exe","msiexec.exe","msdt.exe"] OR (image="*\explorer.exe" command IN ["*.hta*","*.vb*","*.wsh*","*.js*","*.ps*","*.scr*","*.pif*","*.bat","*.cmd*"]) OR image IN ["*\AppData\*","*\Users\Public\*","*\ProgramData\*","*\Windows\Tasks\*","*\Windows\Temp\*","*\Windows\System32\Tasks\*"])

2.901 LP_Usage of Web Request Command


• Trigger Condition: When the usage of various web request commands with
command-line tools and Windows PowerShell cmdlets (including aliases) via
the command line is detected. Adversaries can utilize this technique to download
malicious payloads. However, the usage of Get-Command and Get-Help
referencing Invoke-WebRequest and Start-BitsTransfer might trigger false
positives. Script Block Logging must be enabled for this alert rule to work.

• ATT&CK Category: Execution

• ATT&CK Tag: PowerShell

• ATT&CK ID: T1059.001

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

norm_id=WinServer script_block IN ["*Invoke-WebRequest*", "*iwr *", "*wget *", "*curl *", "*Net.WebClient*", "*Start-BitsTransfer*", "*Resume-BitsTransfer*", "*[System.Net.WebRequest]::create*", "*Invoke-RestMethod*", "*WinHttp.WinHttpRequest*"] -path="C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\*"

2.902 LP_Reconnaissance Activity with Nltest


• Trigger Condition: When possible reconnaissance activity via the nltest binary is
detected. Nltest is a Windows command-line utility that comes with Windows
Server and is used to list domain controllers and enumerate domain trusts. The
binary is available if you have installed the AD DS or the AD LDS server role. It is also
available if you install the Active Directory Domain Services Tools that are part of
the Remote Server Administration Tools (RSAT). Adversaries can use this technique
to discover domain controllers and users and to query domain trust relationships.


• ATT&CK Category: Discovery

• ATT&CK Tag: T1016 - System Network Configuration Discovery, T1482 - Domain
Trust Discovery

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create" process"="*\nltest.exe" file="nltestrk.exe" ((command ="*/


,→server*" command="*/query*") OR command IN ["*/dclist:*","*/domain_trusts*","*/trusted_

,→domains*","*/user*","*/parentdomain*"])

2.903 LP_Regsvr32 Network Activity Detected


• Trigger Condition: When network connections or Application Layer Protocol
(DNS) queries initiated via the regsvr32 binary are detected. Regsvr32 is a command-line
utility to register and unregister OLE controls, such as DLLs and ActiveX controls,
in the Windows Registry. Adversaries have utilized regsvr32 to run their malicious DLL,
which downloads their other stager payloads.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1218 - Signed Binary Proxy Execution, T1218.010 - Regsvr32

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon image="*\regsvr32.exe"event_id IN ["3", "22"]

2.904 LP_Possible Reconnaissance Activity


• Trigger Condition: When possible reconnaissance activity, such as the execution of
several discovery commands in a short time, is detected. The binaries in the process
list are Windows internal binaries. Adversaries use this technique to discover the OS,
users, network, subnets, file shares and domain trusts, which will be used for further
actions.

• ATT&CK Category: Defense Evasion


• ATT&CK Tag: T1016 - System Network Configuration Discovery, T1033 - System
Owner/User Discovery, T1069 - Permission Groups Discovery, T1069.002 - Domain
Groups, T1082 - System Information Discovery, T1087 - Account Discovery,
T1087.002 - Domain Account, T1135 - Network Share Discovery, T1482 - Domain
Trust Discovery

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process" IN ["*\whoami.exe", "*\nltest.exe", "*\net1.exe",


,→"*\ipconfig.exe", "*\systeminfo.exe"] | chart count() as cnt, distinct_list(command) as�

,→command by log_ts,user,host,domain | search cnt > 3

2.905 LP_Privilege Escalation via Kerberos KrbRelayUp


• Trigger Condition: When the use of the KrbRelayUp tool is detected. KrbRelayUp
performs a universal no-fix local privilege escalation in Windows domain environments
where LDAP signing is not enforced. KrbRelayUp is a wrapper that can streamline the
use of some features in the Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad,
Whisker and ADCSPwn tools in attacks.

• ATT&CK Category: Credential Access, Lateral Movement

• ATT&CK Tag: Pass the Ticket, Kerberoasting

• ATT&CK ID: T1550.003, T1558.003

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create
(parent_image="KrbRelayUp.exe" OR image="KrbRelayUp.exe" OR
(command=" relay " AND command=" -Domain " AND command=" -ComputerName ") OR
(command=" krbscm " AND command=" -sc ") OR
(command=" spawn " AND command=" -d " AND command=" -cn " AND command=" -cp *"))

2.906 LP_Suspicious Execution of LNK File


• Trigger Condition: When the execution of suspicious LNK files that either spawn
PowerShell or the command prompt and have high entropy in the command field is
detected. A LNK file is a Windows shortcut that is a pointer to open a file, folder or
application. Adversaries can utilize LNK files to embed their malicious scripts and
commands and lure victims into executing the payload to gain initial access and
evade defense. For this alert to work, an entropy plugin is required. Analysts can
set the entropy value depending on the environment to filter out false positives.
In our environment, legitimate use entropy was below five, so we used an entropy
value greater than five to filter out false positives. The baseline time for using the
process entropy command to detect such events is 90 days.

• ATT&CK Category: Execution

• ATT&CK Tag: T1204.002 - Malicious File

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create parent_process="*\explorer.exe" "process" IN ["*\cmd.exe",


,→"*\powershell.exe"]

| process entropy(command) as command_entropy


| search command_entropy > 5

2.907 LP_Insecure Policy Set via Set-ExecutionPolicy


• Trigger Condition: When the Set-ExecutionPolicy command is utilized to set
insecure policies such as Unrestricted, Bypass or RemoteSigned. Set-ExecutionPolicy
is a PowerShell command that can change PowerShell execution policies for
Windows systems. The Bypass option allows scripts to be executed without
warning or prompt. The RemoteSigned option allows scripts downloaded from
the internet to be executed. The Unrestricted option allows scripts that are not
digitally signed to be executed. Adversaries can utilize this technique to change
the execution policy to run their choice of malicious PowerShell scripts. To generate
relevant logs, Script Block Logging should be enabled.

• ATT&CK Category: Execution

• ATT&CK Tag: T1059.001 - PowerShell

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WinServer event_id=4104 script_block="*Set-ExecutionPolicy*" script_block IN ["*Unrestricted*","*bypass*","*RemoteSigned*"] -script_block IN ["*\AppData\Roaming\Code\*"]


2.908 LP_Network Connection to Suspicious Server


• Trigger Condition: When communication between hosts and the domains listed in
the query is detected. The query searches logs generated by Windows systems,
proxies and firewalls. The listed sites are file storage or hosting sites. Adversaries
have utilized such sites in many campaigns to upload and download data.

• ATT&CK Category: Command and Control

• ATT&CK Tag: T1105 - Ingress Tool Transfer

• Minimum Log Source Requirement: Windows Sysmon, Firewall, Proxy Server,
WAF

• Query:

(norm_id=WindowsSysmon event_id=3 "image" IN ["C:\Windows\*","C:\Users\Public\*"] destination_host IN ["*dl.dropboxusercontent.com*","*.pastebin.com*","*.githubusercontent.com*", "*cdn.discordapp.com/attachments*","*mediafire.com*","*mega.nz*","*ddns.net*", "*.paste.ee*","*.hastebin.com/raw/*","*.ghostbin.co/*", "*ufile.io*","*anonfiles.com*", "*send.exploit.in*","*transfer.sh*","*privatlab.net*","*privatlab.com*","*sendspace.com*", "*pastetext.net*","*pastebin.pl*","*paste.ee*","*api.telegram.org*"]) OR (device_category IN ["Firewall", "ProxyServer"] url IN ["*dl.dropboxusercontent.com*","*.pastebin.com*","*.githubusercontent.com*", "*cdn.discordapp.com/attachments*", "*mediafire.com*","*mega.nz*","*ddns.net*", "*.paste.ee*","*.hastebin.com/raw/*","*.ghostbin.co/*", "*ufile.io*","*anonfiles.com*", "*send.exploit.in*","*transfer.sh*","*privatlab.net*","*privatlab.com*","*sendspace.com*", "*pastetext.net*","*pastebin.pl*","*paste.ee*","*api.telegram.org*"])

3 NON-MITRE ATT&CK ANALYTICS

The NON-MITRE ATT&CK alerts available in Alert Rules are:

3.1 LP_Windows Login Attempt on Disabled Account


• Trigger condition: A user attempts to log in using a disabled account.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer* label=User label=Login label=Fail sub_status_code="0xC0000072" -target_user=* -user IN EXCLUDED_USERS | rename user as target_user, domain as target_domain, reason as failure_reason

3.2 LP_VMware Link Up


• Trigger condition: VMware connection is up.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: VMware

• Query:

Alert Rules Documentation, Release latest

norm_id=VmwareESX label = Link label=Up | chart count() by log_ts, host, switch, port_group, network_adapter

3.3 LP_VMware Link Down


• Trigger condition: VMware’s connection is down.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: VMware

• Query:

norm_id=VmwareESX label = Link label=Down | chart count() by log_ts, host, switch, port_group, network_adapter

3.4 LP_LogPoint License Expiry Status


• Trigger condition: LogPoint license is about to expire.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: LogPoint

• Query:

norm_id=LogPoint label=Audit object='License checker' days_remaining=*

3.5 LP_Mitre Initial Access Using Spearphishing link Detected

• Trigger condition: Malicious URL is detected.

• ATT&CK Category: N/A


• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: Mimecast

• Query:

norm_id=Mimecast label=Detect label=Malicious label=URL | process eval("attack_class='Initial Access'") | process eval("technique='Spearphishing Link'")

3.6 LP_Mitre Command and Control Using Standard Application Layer Protocol Detected

• Trigger condition: Command and control activity using standard application layer
protocol is detected.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: Proxy server

• Query:

norm_id=*proxy source_address=* destination_address=* destination_port IN STANDARD_APPLICATION_PORTS | process ti(destination_address) | rename et_category as ti_category | process eval("attack_class='Command and Control'") | process eval("technique='Standard Application Layer Protocol'") | search ti_category="*Command and Control*"

3.7 LP_Endpoint Protect Threat Content Detected


• Trigger condition: Threat content is detected.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: Endpoint Protector


• Query:

norm_id=EndPointProtector label=Threat label=Content (label=Detect OR label=Block) file=* user=*

3.8 LP_Endpoint Protect Device Disconnect


• Trigger condition: A USB device is disconnected.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: Endpoint Protector

• Query:

norm_id = EndPointProtector label=disconnect user=* device_type="USB Storage Device"

3.9 LP_Endpoint Protect File Delete


• Trigger condition: A file is deleted.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: Endpoint Protector

• Query:

norm_id=EndPointProtector label=File label=Delete file=* user=*

3.10 LP_Endpoint Protect File Copied To USB Device


• Trigger condition: A file is copied to external USB drive.

• ATT&CK Category: N/A


• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: Endpoint Protector

• Query:

norm_id=EndPointProtector label=File label=Copy device_type="USB Storage Device" file=* user=*

3.11 LP_System Owner or User Discovery Process Detected

• Trigger condition: Discovery is performed using the attack technique System
Owner or User Discovery.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer label="Process" label=Create (commandline="*whoami*" OR commandline="*quser*" OR commandline="*wmic.exe*useraccount get*" OR command="*whoami*" OR command="*quser*" OR command="*wmic.exe*useraccount get*") -user IN EXCLUDED_USERS | rename commandline as command

3.12 LP_System Services Discovery Detected


• Trigger condition: Discovery is performed using the attack technique System
Service Discovery.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: Windows


• Query:

norm_id=WinServer label="Process" label=Create (commandline="*net.exe*start*" OR commandline="*tasklist.exe*" OR command="*net.exe*start*" OR command="*tasklist.exe*") -user IN EXCLUDED_USERS | rename commandline as command

3.13 LP_SolarisLDAP Password Spraying Attack Detected


• Trigger condition: Password spraying attack is detected.

• ATT&CK Category: N/A

• ATT&CK Tag: N/A

• ATT&CK ID: N/A

• Minimum Log Source Requirement: Solaris LDAP

• Query:

norm_id=SolarisLDAP label=User (label=Login OR label=Authentication) label=Fail | chart distinct_count(user) as UserCount, distinct_list(user) as Users | search UserCount > 5
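The distinct-user threshold behind this rule, run over constructed authentication records as an added example (not LogPoint code and not from this documentation). It also goes one step past the documented query by grouping the failed logins per source address, which a spraying source makes visible; the source_address field, the record layout and all names and addresses are assumptions.

```python
# Added example (not LogPoint code): LP_SolarisLDAP Password Spraying Attack
# Detected as a distinct-count threshold, plus a per-source generalisation.
from collections import defaultdict

USER_THRESHOLD = 5  # the query alerts on UserCount > 5


def spray_summary(events):
    """Mirror of: chart distinct_count(user), distinct_list(user) | search UserCount > 5."""
    failed = [e for e in events if e["label"] == "Fail"]
    users = sorted({e["user"] for e in failed})
    return {"UserCount": len(users), "Users": users,
            "alert": len(users) > USER_THRESHOLD}


def spray_by_source(events):
    """Generalisation beyond the page: distinct failed users per source_address
    (an assumed field), keeping only sources above the same threshold."""
    by_src = defaultdict(set)
    for e in events:
        if e["label"] == "Fail":
            by_src[e["source_address"]].add(e["user"])
    return {src: sorted(u) for src, u in by_src.items() if len(u) > USER_THRESHOLD}


# Constructed records: one address trying seven accounts once each (a spray),
# one user mistyping a password twice, and one successful login.
SAMPLE_EVENTS = (
    [{"norm_id": "SolarisLDAP", "label": "Fail", "user": f"user{i:02d}",
      "source_address": "10.0.0.5"} for i in range(1, 8)]
    + [{"norm_id": "SolarisLDAP", "label": "Fail", "user": "jdoe",
        "source_address": "10.0.0.9"}] * 2
    + [{"norm_id": "SolarisLDAP", "label": "Success", "user": "jdoe",
        "source_address": "10.0.0.9"}]
)

if __name__ == "__main__":
    print(spray_summary(SAMPLE_EVENTS))   # UserCount 8, alert True
    print(spray_by_source(SAMPLE_EVENTS))  # only 10.0.0.5
```

The flat count fires on any eight distinct failing users in the window, so a busy Monday morning can cross it; the per-source view is the usual refinement to keep the rule's meaning (many accounts, one origin) while lowering that noise.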

3.14 LP_Bumblebee IoC Domains Detected


• Trigger Condition: A match for the Bumblebee IoC domain is found.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

(domain IN BUMBLEBEE_DOMAINS OR query IN BUMBLEBEE_DOMAINS) | rename query as ioc, domain as ioc


3.15 LP_Bumblebee IoC Hashes Detected


• Trigger Condition: A match for a Bumblebee malware IoC hash is found. The
IoCs reference CISA’s Alert AR21-126A and Mandiant’s UNC2447 SOMBRAT and
FIVEHANDS Ransomware report, April 2021.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Firewall, Proxy Server

• Query:

(hash IN BUMBLEBEE_HASHES OR hash_sha1 IN BUMBLEBEE_HASHES OR hash_sha256 IN BUMBLEBEE_HASHES) | rename hash as ioc, hash_sha1 as ioc, hash_sha256 as ioc

3.16 LP_Bumblebee User Agent Detected


• Trigger Condition: The hardcoded bumblebee user-agent value used by
Bumblebee malware is detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Proxy Server, Firewall

• Query:

device_category=ProxyServer user_agent=bumblebee

3.17 LP_Microsoft Defender AMSI Trigger


• Trigger Condition: LogPoint detects Microsoft Defender with AMSI as the
detection source. The Windows Antimalware Scan Interface (AMSI) is a versatile
interface standard that allows your applications and services to integrate with any
antimalware product on a machine.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows


• Query:

norm_id=WinServer event_id=1116 source_name=AMSI event_source="Microsoft-Windows-Windows Defender"

3.18 LP_Petitpotam - Anonymous RPC and File Share


• Trigger Condition: Events related to Petitpotam are logged.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows

• Query:

[event_id=4624 package="NTLM*" (user="ANONYMOUS LOGON" or -workstation=*)] as stream1 join [event_id=5145 share_name=IPC$ access="*ReadData (or ListDirectory) WriteData (or AddFile)*" relative_target IN ["lsarpc", "efsrpc", "lsass", "samr", "netlogon"]] as stream2 on stream1.source_address = stream2.source_address and stream1.host = stream2.host | rename stream1.user as user, stream1.host as host, stream1.domain as domain, stream2.source_address as source_address, stream2.share_name as share_name, stream2.access as access, stream2.log_ts as log_ts
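The two-stream join in this rule, re-implemented over constructed Windows Security events as an added example (not LogPoint code and not from this documentation): stream1 is the anonymous or workstation-less NTLM logons (4624), stream2 the IPC$ named-pipe accesses (5145) to the listed endpoints, and rows are joined on source_address and host and renamed as the query does. The record layout, host names, addresses and timestamps are assumptions.

```python
# Added example (not LogPoint code): the join behind
# LP_Petitpotam - Anonymous RPC and File Share, evaluated offline.
PIPES = {"lsarpc", "efsrpc", "lsass", "samr", "netlogon"}
ACCESS_NEEDLE = "ReadData (or ListDirectory) WriteData (or AddFile)"


def in_stream1(e: dict) -> bool:
    """4624 with an NTLM package and either ANONYMOUS LOGON or no workstation field."""
    return (e.get("event_id") == 4624
            and str(e.get("package", "")).startswith("NTLM")
            and (e.get("user") == "ANONYMOUS LOGON" or "workstation" not in e))


def in_stream2(e: dict) -> bool:
    """5145 on IPC$ with read+write access to one of the watched pipes."""
    return (e.get("event_id") == 5145
            and e.get("share_name") == "IPC$"
            and ACCESS_NEEDLE in e.get("access", "")
            and e.get("relative_target") in PIPES)


def join_streams(events):
    """Inner join stream1 x stream2 on (source_address, host), renamed like the query."""
    s1 = [e for e in events if in_stream1(e)]
    s2 = [e for e in events if in_stream2(e)]
    rows = []
    for a in s1:
        for b in s2:
            if (a["source_address"], a["host"]) == (b["source_address"], b["host"]):
                rows.append({"user": a["user"], "host": a["host"], "domain": a["domain"],
                             "source_address": b["source_address"],
                             "share_name": b["share_name"], "access": b["access"],
                             "log_ts": b["log_ts"],
                             "relative_target": b["relative_target"]})
    return rows


# Constructed events; host names, addresses and timestamps are made up.
SAMPLE_EVENTS = [
    {"event_id": 4624, "package": "NTLM V1", "user": "ANONYMOUS LOGON",
     "domain": "NT AUTHORITY", "host": "DC01", "source_address": "10.1.1.50", "log_ts": 1000},
    {"event_id": 5145, "share_name": "IPC$", "relative_target": "efsrpc",
     "access": "ReadData (or ListDirectory) WriteData (or AddFile)",
     "host": "DC01", "source_address": "10.1.1.50", "log_ts": 1001},
    # ordinary authenticated NTLM logon with a workstation name: not in stream1
    {"event_id": 4624, "package": "NTLM V2", "user": "svc_backup", "domain": "CORP",
     "workstation": "WS42", "host": "DC01", "source_address": "10.1.1.77", "log_ts": 1002},
    # pipe not in the watched list: not in stream2
    {"event_id": 5145, "share_name": "IPC$", "relative_target": "srvsvc",
     "access": "ReadData (or ListDirectory) WriteData (or AddFile)",
     "host": "DC01", "source_address": "10.1.1.77", "log_ts": 1003},
]

if __name__ == "__main__":
    for row in join_streams(SAMPLE_EVENTS):
        print(row)  # one row: ANONYMOUS LOGON from 10.1.1.50 touching efsrpc on DC01
```

Because this is an inner join, an address that produces several anonymous logons and several pipe accesses in the window yields one row per pair; aggregate on source_address afterwards if the alert count matters more than the individual pairs.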

3.19 LP_RDP Sensitive Settings Changed


• Trigger Condition: Changes to RDP terminal service sensitive settings are
detected.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WindowsSysmon event_id=13 target_object IN ["*\services\TermService\Parameters\ServiceDll*", "*\Control\Terminal Server\fSingleSessionPerUser*", "*\Control\Terminal Server\fDenyTSConnections*"] -user IN EXCLUDED_USERS


3.20 LP_Secure Deletion with SDelete


• Trigger Condition: A file is renamed while being deleted with the SDelete tool.
Adversaries use various tools to clean traces left after their intrusion activity.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows

• Query:

norm_id=WinServer event_id IN ["4656", "4663", "4658"] object_name IN ["*.AAA", "*.ZZZ"] -user IN EXCLUDED_USERS

3.21 LP_Suspicious Keyboard Layout Load Detected


• Trigger Condition: A keyboard preload installation with a suspicious keyboard
layout, for example a Chinese, Iranian or Vietnamese layout, loads in user sessions
on systems that are maintained by US staff only.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=13 target_object IN ["*\Keyboard Layout\Preload\*", "*\Keyboard Layout\Substitutes\*"] detail IN ["00000804", "00000c04", "00000404", "00001004", "00001404", "00000429", "00050429", "0000042a", "00000401", "00010401", "00020401"] -user IN EXCLUDED_USERS

3.22 LP_Remote Code Execution using WMI Win32_Process Class over WinRM

• Trigger Condition: When an attempt to execute code or create a service on a
remote host via winrm.vbs is detected. winrm.vbs is a Windows-native script used
to manage Windows Remote Management (WinRM) settings; the functionality of the
winrm command is provided through this Visual Basic Script. The script can be
abused to create a process, leading to remote code execution and lateral movement.
False positives are uncommon, but legitimate use for administrative purposes such as
remote PowerShell execution can trigger this alert.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Create label="Process" command="*winrm*" command="*invoke Create wmicimv2/Win32_*" command="*-r:http*"

3.23 LP_Remote Code Execution using WMI Win32_Service Class over WinRM

• Trigger Condition: An application whitelisting bypass and arbitrary unsigned code
execution technique is attempted using winrm.vbs. It detects the execution of
attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and a copied cscript.exe
(which can be renamed). winrm.vbs (a Windows-signed script) can consume and execute
attacker-controlled XSL, which is not subject to enlightened script host restrictions,
resulting in arbitrary unsigned code execution.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Create label="Process" command="*winrm*" command IN ['*format:pretty*', '*format:"pretty"*', '*format:"text"*', '*format:text*'] -(image IN ["C:\Windows\System32\*", "C:\Windows\SysWOW64\*"])

3.24 LP_Suspicious Microsoft SQL Server PowerShell Module Use Detected

• Trigger Condition: The execution of PowerShell code by the sqlps.exe utility,
which is included in the standard set of utilities supplied with MSSQL Server, is
detected. Script blocks are not logged in this case, so this utility helps to bypass
protection mechanisms based on the analysis of those logs. As this attack requires
the sqlps.exe bundled with an MSSQL installation, any device without it is not
vulnerable. Also, a sqlps.exe child process spawned by sqlagent.exe is a legitimate
action. Direct PowerShell command execution through sqlps.exe is rare, but if it
occurs, it results in a false positive.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Create label="Process" ("process"="*\sqlps.exe" OR parent_process="*\sqlps.exe" OR file="*\sqlps.exe") -(parent_process="*\sqlagent.exe")

3.25 LP_Shadow Copy Deletion Using OS Utilities Detected

• Trigger Condition: When shadow copies are deleted using operating system
utilities. Shadow copy is a Microsoft technology that can create backup copies or
snapshots of computer files or volumes. The Windows internal binaries involved are
PowerShell, wmic, vssadmin, diskshadow and wbadmin. Adversaries can use these
binaries to delete shadow copies from the system so that data recovery and
reverting the system to a saved state are impossible after malware is dropped.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label="Create" ("process" IN ["*\powershell.exe", "*\wmic.exe", "*\vssadmin.exe", "*\diskshadow.exe"] command="* shadow*" command="*delete*") OR ("process"="*\wbadmin.exe" command="*delete*" command="*catalog*" command="*quiet*") OR ("process"="*\vssadmin.exe" command="*resize*" command="*shadowstorage*" command="*unbounded*")
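The three branches of this query evaluated over constructed process-creation records, as an added example that is not LogPoint code and not from this documentation. It assumes LogPoint's "*" wildcard behaves like a case-insensitive glob (matching is done with fnmatch on lower-cased text); the record layout, paths and command lines are constructed.

```python
# Added example (not LogPoint code): LP_Shadow Copy Deletion Using OS Utilities
# Detected, branch by branch, over constructed process-creation records.
# Assumption: LogPoint's "*" wildcard behaves like a case-insensitive glob.
from fnmatch import fnmatchcase
from typing import Optional


def like(value: str, pattern: str) -> bool:
    return fnmatchcase(value.lower(), pattern.lower())


def shadow_copy_deletion(proc: str, cmd: str) -> Optional[str]:
    """Return the name of the matching branch of the query, or None."""
    # Branch 1: shadow-copy aware tools with " shadow" and "delete" in the command line.
    shadow_tools = ("*\\powershell.exe", "*\\wmic.exe", "*\\vssadmin.exe", "*\\diskshadow.exe")
    if (any(like(proc, p) for p in shadow_tools)
            and like(cmd, "* shadow*") and like(cmd, "*delete*")):
        return "shadow delete"
    # Branch 2: wbadmin quietly deleting the backup catalog.
    if like(proc, "*\\wbadmin.exe") and all(
            like(cmd, p) for p in ("*delete*", "*catalog*", "*quiet*")):
        return "wbadmin catalog delete"
    # Branch 3: vssadmin resizing shadow storage to unbounded, which ages out old copies.
    if like(proc, "*\\vssadmin.exe") and all(
            like(cmd, p) for p in ("*resize*", "*shadowstorage*", "*unbounded*")):
        return "vssadmin resize shadowstorage"
    return None


def scan(records):
    """(id, branch) for every record that would trigger the alert."""
    out = []
    for r in records:
        branch = shadow_copy_deletion(r["process"], r["command"])
        if branch:
            out.append((r["id"], branch))
    return out


# Constructed records (paths and command lines are made up for the example).
SAMPLE = [
    {"id": 1, "process": "C:\\Windows\\System32\\vssadmin.exe",
     "command": "vssadmin delete shadows /all /quiet"},
    {"id": 2, "process": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command": "wmic shadowcopy delete"},
    {"id": 3, "process": "C:\\Windows\\System32\\wbadmin.exe",
     "command": "wbadmin delete catalog -quiet"},
    {"id": 4, "process": "C:\\Windows\\System32\\vssadmin.exe",
     "command": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"id": 5, "process": "C:\\Windows\\System32\\vssadmin.exe",
     "command": "vssadmin list shadows"},   # benign inventory: " shadow" but no "delete"
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Record 4 is why branch 3 exists separately: the resize command contains " shadowstorage" but not "delete", so branch 1 does not catch it, and record 5 shows that the " shadow" substring alone is not enough to fire.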


3.26 LP_Child Process Spawned via Diskshadow Detected


• Trigger Condition: When child processes are created using the diskshadow binary.
DiskShadow.exe is a Windows internal binary that exposes the functionality offered
by the Volume Shadow Copy Service. Volume shadow copy service is a Windows
framework that backs up a volume by creating a copy of it. Adversaries can use
diskshadow binary’s interactive mode and execute other binaries using the exec
command to bypass defensive countermeasures.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "parent_process"="*\diskshadow.exe" -command="*conhost.exe*"

3.27 LP_Code Execution Via Diskshadow Detected


• Trigger Condition: When the diskshadow binary is used to execute code from a file.
DiskShadow.exe is a Windows internal binary that exposes the functionality offered
by the Volume Shadow Copy Service. Volume shadow copy service is a framework
in Windows that provides the function to back up a volume by creating a copy of it.
Adversaries can use diskshadow with the -s or /s switch to execute a command from
a file and bypass detection.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process"="*\diskshadow.exe" command IN ["*/s *", "*-s *"]


3.28 LP_Process Pattern Match For CVE-2021-40444 Exploitation

• Trigger Condition: The process pattern for CVE-2021-40444 is detected.
CVE-2021-40444 is a remote code execution vulnerability in MSHTML, which is
Microsoft’s proprietary browser engine for Internet Explorer. Control.exe is a
Windows internal binary to access the control panel. Adversaries can rename their
malware or payload to control.exe and execute it to escape detection.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "process"="*\control.exe" parent_process IN ["*\winword.exe", "*\excel.exe", "*\powerpnt.exe"] -command="*\control.exe input.dll"

3.29 LP_Suspicious Extexport Execution Detected


• Trigger Condition: When a service is created by loading a DLL using the ExtExport
service in IE. ExtExport is a module that serves to import/export data from other
programs, for example, favorites or bookmarks from other browsers. Attackers
can use Extexport.exe to load any DLL using the built-in tool ExtExport.exe which
can be found inside the Internet Explorer directory.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label=Create label="Process" command IN ["*ExtExport*", "extexport"]


3.30 LP_Proxy Execution via Workfolders


• Trigger Condition: When LogPoint detects the use of the workfolders binary to
execute other processes. Workfolders is a Windows internal binary that provides
a consistent way for users to access their work files from their PCs and devices.
Adversaries can use this technique to evade defensive countermeasures or to hide
as a persistence mechanism.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Process" label=Create "parent_process"="*\workfolders.exe" "process"="*\control.exe" "process"="C:\Windows\System32\control.exe"

3.31 LP_Proxy Execution via Windows Update Client


• Trigger Condition: When wuauclt.exe is used to proxy-execute code. Wuauclt.exe
(Windows Update AutoUpdate Client) is a Microsoft Windows native AutoUpdate
client used to check for available updates from Microsoft Update. Adversaries may
abuse wuauclt.exe to camouflage and execute malicious code.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" ("process"="*\wuauclt.exe" OR file="wuauclt.exe") (command="*UpdateDeploymentProvider*" command="*.dll*" command="*RunHandlerComServer*") -(command IN ["* /UpdateDeploymentProvider UpdateDeploymentProvider.dll *", "* wuaueng.dll *"])


3.32 LP_Suspicious DLL Execution Using Windows Address Book

• Trigger Condition: When a suspicious DLL is executed using wab.exe. Windows
Address Book stores addresses, contact details and e-mail addresses used by programs
like Outlook. When wab.exe executes, it tries to load the DLL pointed to by the
registry key. Adversaries leverage this functionality to load their custom malicious
DLL from a path other than the default by modifying the path pointed to by the
registry key.

• ATT&CK Category: Defense Evasion

• ATT&CK Tag: T1564.004 - NTFS File Attributes

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="registry" label="set" target_object="*\Software\Microsoft\WAB\DLLPath*" - detail="%CommonProgramFiles%\System\wab32.dll"

3.33 LP_Suspicious Use of Dotnet Detected


• Trigger Condition: When the execution of either a suspicious DLL or unsigned code
using dotnet.exe is detected. dotnet.exe is a command line tool for managing
.NET source code and binaries. Adversaries can use it to execute a DLL or
unsigned code and bypass default AppLocker rules. dotnet.exe might trigger
false positives if used for penetration testing or system administration.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="create" label="process" command IN ["*.dll", "*.csproj"] "process"="*\dotnet.exe"


3.34 LP_Execution of Arbitrary Executable Using Stordiag


• Trigger Condition: When a renamed arbitrary executable is executed using
stordiag.exe. stordiag.exe collects storage and file system diagnostic logs and
outputs to a folder. Generally, stordiag.exe performs schtasks.exe, systeminfo.exe
and fltmc.exe after it is executed. Adversaries can abuse its functionality by copying
it into a random folder, renaming the malicious executables as schtasks.exe,
systeminfo.exe and fltmc.exe, and running them. It might trigger false positives
for legitimate use of stordiag.exe.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="Create" label="Process" parent_process="*\stordiag.exe" "process" IN ["*\schtasks.exe", "*\systeminfo.exe", "*\fltmc.exe"] - parent_process IN ["C:\windows\system32\*", "C:\windows\syswow64\*"]

3.35 LP_Process Creation via Time Travel Tracer


• Trigger Condition: When a new child process is spawned via tttracer.exe.
Microsoft Time Travel Tracing Tool (Tttracer) is a diagnostic tool to collect time
travel traces of given processes. Later, traces are analyzed by Microsoft Support for
troubleshooting purposes. Adversaries can use this binary to launch their malicious
binary and create a dump of a process.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create "parent_process"="*\tttracer.exe"


3.36 LP_Time Travel Debugging Utility DLL Loaded


• Trigger Condition: When loading of time travel debugging utility DLLs is
detected. Ttdrecord.dll, ttdwriter.dll and ttdloader.dll are part of the time travel
debugging utility. Time Travel Debugging is a tool that captures a trace of a process
as it executes and replays it later, forward and backward. Adversaries can run
other binaries or dump a process by loading these DLLs.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

label=image label=load image IN ["*\ttdrecord.dll","*\ttdwriter.dll","*\ttdloader.dll"]

3.37 LP_File Execution via Msdeploy


• Trigger Condition: When MSDeploy is used to execute files. Microsoft Deploy
(MSDeploy) is a binary that allows users to deploy Web Applications. Adversaries
can use this technique to bypass application whitelisting.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create "process"="*\msdeploy.exe" command="*verb:sync*" command="*-source:RunCommand*" command="*-dest:runCommand*"

3.38 LP_CVE-2022-40684 Exploitation Detected


• Trigger Condition: When an exploitation attempt of CVE-2022-40684 is detected.
CVE-2022-40684 is an authentication bypass using an alternate path or channel
vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager that may
allow an unauthenticated attacker to perform operations on the administrative
interface via specially crafted HTTP or HTTPS requests. Adversaries can use
this technique to gain remote access to a system. The affected versions
are: FortiOS v7.2.0-7.2.1, FortiOS v7.0.0-7.0.6, FortiProxy v7.2.0, FortiProxy
v7.0.0-7.0.6, FortiSwitchManager v7.2.0 and FortiSwitchManager v7.0.0.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Firewall, Proxy Server, Web Server

• Query:

(url="*/api/v2/cmdb/system/admin/*" OR resource="*/api/v2/cmdb/system/admin/*") user_agent IN ["report runner","Node.js"]

3.39 LP_Possible Proxy Execution of Malicious Code


• Trigger Condition: When the possible use of TE.exe for proxy execution of
malicious scripts is detected. TE.exe is a testing tool included with the Microsoft
Test Authoring and Execution Framework (TAEF). TAEF allows users to run automation
by executing test files written in different languages (C, C#, Microsoft COM
scripting interfaces). Adversaries can leverage its functionality to execute malicious
code (such as WSC files with VBScript, or a DLL) directly by running te.exe. It is not
unusual to use te.exe directly to execute legitimate TAEF tests, so legitimate use can
trigger false positives.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="process" label="create" "process"="*\te.exe" OR parent_process="*\te.exe" OR file="\te.exe"

3.40 LP_Suspicious Usage of BitLocker Management Script

• Trigger Condition: When proxy execution of malicious payloads via
Manage-bde.wsf is detected. Manage-bde.wsf is a BitLocker management script
file that is generally used to turn BitLocker on or off, specify unlock mechanisms,
update recovery methods and unlock BitLocker-protected data drives. Adversaries can
use it for the proxy execution of malicious payloads.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows, Windows Sysmon

• Query:

label="process" label="create" command="*cscript*" command="*manage-bde.wsf*"

3.41 LP_Proxy Execution of Payloads via Microsoft Signed Script

• Trigger Condition: When proxy execution of PowerShell code via Microsoft signed
script CL_Mutexverifiers.ps1 is detected. Adversaries can execute payloads via
runAfterCancelProcess in CL_Mutexverifiers.ps1 module. Script block logging
must have been enabled for the alert to work.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows

• Query:

norm_id="WinServer" event_id=4104 script_block IN ["*\CL_Mutexverifiers.ps1*", "*runAfterCancelProcess *"]

3.42 LP_Execution of Windows Defender Offline Shell from Suspicious Folder

• Trigger Condition: When OfflineScannerShell.exe is executed from a folder other
than the default. Microsoft Defender Offline is an antimalware scanning tool that
lets you boot and run a scan from a trusted environment. Adversaries can use
OfflineScannerShell.exe to execute the mpclient.dll library in the current working
directory and execute arbitrary code.

• ATT&CK Category: -


• ATT&CK Tag: -
• Minimum Log Source Requirement: Windows
• Query:

label="create" label="process" ("process"="*\OfflineScannerShell.exe" -((path="C:\Program Files\Windows Defender\Offline\") OR (-path=*)))
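The negation in this query, -((path=default) OR (-path=*)), reads as "the path field is present and differs from the default"; a naive inequality would also fire on records where the path field was never parsed. The difference, evaluated over constructed process-creation records, as an added example that is not LogPoint code and not from this documentation (the record layout and paths are constructed; wildcard matching is assumed to be a case-insensitive glob):

```python
# Added example (not LogPoint code): the missing-field edge case in
# LP_Execution of Windows Defender Offline Shell from Suspicious Folder.
from fnmatch import fnmatchcase
from typing import Optional

DEFAULT_DIR = "C:\\Program Files\\Windows Defender\\Offline\\"


def is_offline_shell(proc: str) -> bool:
    # Assumption: "*" behaves like a case-insensitive glob.
    return fnmatchcase(proc.lower(), "*\\offlinescannershell.exe")


def rule_fires(rec: dict) -> bool:
    """Faithful translation of the documented query:
    process matches AND NOT (path == default OR path is absent)."""
    path: Optional[str] = rec.get("path")
    default_or_missing = path is None or path.lower() == DEFAULT_DIR.lower()
    return is_offline_shell(rec["process"]) and not default_or_missing


def naive_fires(rec: dict) -> bool:
    """Tempting shortcut that alerts whenever path != default, absent field included."""
    return (is_offline_shell(rec["process"])
            and rec.get("path", "").lower() != DEFAULT_DIR.lower())


# Constructed records; paths are made up for the example.
SAMPLE = [
    {"id": 1, "process": DEFAULT_DIR + "OfflineScannerShell.exe",
     "path": DEFAULT_DIR},                                        # default location
    {"id": 2, "process": "C:\\Users\\Public\\OfflineScannerShell.exe",
     "path": "C:\\Users\\Public\\"},                              # relocated copy: alert
    {"id": 3, "process": "C:\\Users\\Public\\OfflineScannerShell.exe"},  # path not parsed
    {"id": 4, "process": "C:\\Windows\\System32\\notepad.exe",
     "path": "C:\\Windows\\System32\\"},                          # unrelated process
]


def hits(predicate):
    return [r["id"] for r in SAMPLE if predicate(r)]


if __name__ == "__main__":
    print(hits(rule_fires))   # [2]
    print(hits(naive_fires))  # [2, 3]
```

Record 3 is the one to watch: with the documented form it is silently dropped, which keeps the alert quiet when normalization fails but also means a parser regression hides real relocations; the naive form surfaces it as an alert, which may be preferable if the path field is expected to be populated reliably.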

3.43 LP_DLL Loaded Via AccCheckConsole


• Trigger Condition: When DLL loading through AccCheckConsole binary is
detected. AccCheckConsole is a command-line tool for verifying the accessibility
implementation of your application’s UI. Adversaries can use this technique to load
their malicious DLL.
• ATT&CK Category: -
• ATT&CK Tag: -
• Minimum Log Source Requirement: Windows Sysmon, Windows
• Query:

label="process" label=create "process"="*\AccCheckConsole.exe" command="*-window*.dll*"

3.44 LP_Proxy Execution via Appvlp


• Trigger Condition: When proxy execution of binaries via appvlp.exe is detected.
Appvlp, also known as Application Virtualization Utility, is included with Microsoft
Office 2016, which makes applications available to end-user computers without
having to install applications directly on those computers. Adversaries can use
this technique to bypass process or signature-based defenses by proxying the
execution of malicious content with signed or otherwise trusted binaries.
• ATT&CK Category: -
• ATT&CK Tag: -
• Minimum Log Source Requirement: Windows Sysmon, Windows
• Query:


label="process" label=create "process"="*\appvlp.exe" command IN ["*cmd.exe*", "*powershell.exe*"] command IN ["*.sh*","*.exe*","*.dll*","*.bin*","*.bat*","*.cmd*","*.js*", "*.msh*","*.reg*","*.scr*","*.ps*","*.vb*","*.jar*","*.pl*","*.inf*"]

3.45 LP_Proxy DLL Execution via UtilityFunctions


• Trigger Condition: When the use of the UtilityFunctions script to execute a managed
DLL is detected. UtilityFunctions is one of several PowerShell scripts from Microsoft
for diagnostic and maintenance work. Adversaries can use this technique to
proxy-execute malicious files.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create command IN ["*UtilityFunctions.ps1*", "*RegSnapin*"]

3.46 LP_Suspicious Usage of Squirrel Binary


• Trigger Condition: When squirrel.exe is run with the download, update or
updateRollback arguments. Squirrel.exe is a binary that updates an existing
installed NuGet or Squirrel package. NuGet is a package manager designed to
enable developers to share reusable code. Adversaries can use this technique to
download and execute a malicious NuGet package.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label="create" "process"="*\Squirrel.exe" command IN ["*download*", "*update*"]


3.47 LP_Suspicious File Share Permission


• Trigger Condition: When the execution of binaries from a suspicious folder is
detected. Paths mentioned in the lists are not Windows default paths from where
native and internal binaries are executed. Adversaries may attempt to masquerade
their payload as legitimate binaries and execute from non-default paths to avoid
detection. Legitimate binaries executed from those paths can trigger an alert, so
include those binaries in the excluded process list.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon, Windows

• Query:

label="process" label=create "process"="*\net.exe" command="* share *grant:*FULL*"

3.48 LP_Legitimate Application Dropping Script File


• Trigger Condition: When a new script file is created by an application that
should not create one, such as Office applications or WordPad. Script files
contain a set of instructions or commands and are executed by a script interpreter
or runtime environment. Adversaries can use this technique to drop their payload
on the system and execute it.

• ATT&CK Category: -

• ATT&CK Tag: -

• Minimum Log Source Requirement: Windows Sysmon

• Query:

norm_id=WindowsSysmon event_id=11 file IN ["*.ps1","*.bat","*.vbs","*.scf","*.wsf","*.wsh"] "process" IN ["*\onenote.exe","*\winword.exe","*\excel.exe","*\powerpnt.exe", "*\msaccess.exe","*\mspub.exe","*\eqnedt32.exe","*\visio.exe","*\wordpad.exe", "*\wordview.exe","*\certutil.exe","*\certoc.exe","*\CertReq.exe","*\Desktopimgdownldr.exe", "*\esentutl.exe","*\finger.exe","*\AcroRd32.exe","*\RdrCEF.exe","*\mshta.exe","*\hh.exe"]



CHAPTER

FOUR

ALERT RULES DASHBOARDS

4.1 Adding the Alert Rules Dashboard


1. Go to Settings >> Knowledge Base from the navigation bar and click Dashboards.

2. Select VENDOR DASHBOARD from the drop-down.

3. Click Add from Actions.

Fig. 1: Adding the Alert Rules Dashboard

4. Click Choose Repos.


Fig. 2: Selecting Repos

5. Select the repo and click Done.

Fig. 3: Selecting Repos

6. Click Ok.


Fig. 4: Confirmation for Repo

You can find the Alert Rules dashboards under Dashboards.

Fig. 5: Alert Rules Dashboard

Fig. 6: Alert Rules Dashboard


Fig. 7: Alert Rules Dashboard

Widgets available in the dashboard LP_Mitre Attack Analytics Overview provide:

• Triggered Attack Tactics: The count of tactics that the attacker may use to
perform an attack. The tactics are Initial Access, Execution, Persistence,
Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral
Movement, Collection, Command and Control, Exfiltration and Impact.

• Triggered Attack Tactics - Timetrend: A time trend for the attack tactics that the
attacker used to perform an attack.

• Mitre Att&ck Matrix: An ATT&CK chart, a heatmap describing the attacks carried
out in a system in the form of attack tactics, techniques and procedures defined
by MITRE.

• Top Recurring Attacks: The most recurring attacks, their attack category and the
count of attacks. For example, Console History Discover Detected is an attack,
Collection is its attack category and the attack occurred three times.

• Top Users by Attack Tactics: The top users based on attack tactics.

• Top Hosts in Attack: The count of top hosts by attack category.



CHAPTER FIVE

KB-LISTS

• EXCLUDED_USERS

• BLACKLIST_IPS

• LOCKERGOGA_EMAILS

• DRAGONFLY_MALICIOUS_FOLDER

• KNOWN_COUNTRY

• EXISTING_USERS

• VALAK_DOMAINS

• SQL_INJECTION_CHARACTERS

• MAZE_RANSOMWARE_IPS

• REVIL_RANSOMWARE_DOMAINS

• CLOUD_APPLICATION_IP

• VULNERABLE_CONTENT

• CLOUD_APPLICATIONS

• HIDDEN_COBRA_IP

• HIDDEN_COBRA_EMAIL

• DRAGONFLY_MALICIOUS_FILES

• MALICIOUS_POWERSHELL_COMMANDS

• MAZE_RANSOMWARE_DOMAINS

• APPLICATION_SHIM_OBJECTS

• SQL_INJECTION_CHARACTER


• BLACKLISTED_IP

• POWERSPLOIT_RECON_MODULES

• LOCKERGOGA_FILES

• DOPPELPAYMENR_RANSOMWARE_DOMAINS

• MAZE_RANSOMWARE_HASHES

• KASPERSKY_UPDATE_FAILURES

• MOST_EXPLOITABLE_EMAILS

• DOMAIN

• PROWLI_CVE

• YOUTUBE

• EXTREMIST_CONTENT

• BLOCKED_APPLICATION

• LOCKERGOGA_HASHES

• KASPERSKY_DETECTED_MALWARE_HASHES

• EXECUTABLES

• MALWARE_HASH

• DRAGONFLY_CNC_REQUEST

• MAGECART_DOMAINS

• HOME_DOMAIN

• ALERT_IRC_PORT

• MAGECART_IPS

• ATTACK_COMMANDS

• PROWLI_DOMAIN

• MOST_EXPLOITABLE_CVE

• WASTEDLOCKER_IPS

• SERVER_ADDRESS

• HOME_DIR


• NON_PCI_COMPLIANT_PORT

• MAIL_SERVER_IP

• DRAGONFLY_MALICIOUS_REGISTRY

• VALAK_HASHES

• MOST_EXPLOITABLE_IPS

• INACTIVE_USERS

• ALERT_UNUSUAL_SOURCE

• WINADMINS

• CLOUD_APP

• KNOWN_FILE

• MALWARE_IP

• INVISIMOLE_MALWARE_HASHES

• WASTEDLOCKER_HASHES

• VULNERABLE_WORKSTATIONS

• HIDDEN_COBRA_HASH

• PETYA_COMMAND

• MAIL_SERVERS

• BLACKLISTED_DOMAIN

• NON_EXISTING_USERS

• DOPPELPAYMER_RANSOMWARE_CVE

• WANNACRY_DOMAIN

• MALICIOUS_POWERSHELL_COMMANDLET_NAMES

• NEFILIM_RANSOMWARE_EMAILS

• PETYA_DIGEST

• MATRIX_FILE

• HOME_FOLDER

• ALLOWED_PORTS


• WEBSERVER_SYSTEMS

• INVISIMOLE_MALWARE_IPS

• BAD_RABBIT_HASH

• WINDOWS_DC

• ADMIN_SOURCES

• DEFAULT_USERS

• UNAPPROVED_PORT

• MALWARE_FILES

• XSS_TAG

• HIDDEN_COBRA_CVE

• MAZE_RANSOMWARE_EMAILS

• WANNACRY_EXTENSION

• ROBBINHOOD_RANSOMWARE_HASHES

• ADMINS

• KNOWN_SERVER_HOST

• PROWLI_HASH

• HOMENET

• KNOWN_DOMAINS

• ABNORMAL_FILES

• MALWARE_EMAILS

• ALERT_PRESENT_EMPLOYEES

• DYNAMIC_CATEGORIES

• CONCERNED_CONTENT

• PROWLI_EMAIL

• CRITICAL_FOLDER

• CRITICAL_FILE

• PROWLI_FILE


• CRITICAL_FILES

• COMMON_PORTS

• MOST_EXPLOITABLE_DOMAINS

• PRIVILEGED_USER

• PERSISTENCE_ACCESSIBILITY_OBJECT

• REVIL_RANSOMWARE_CVE

• ALERT_OPEN_PORTS

• MAZE_RANSOMWARE_CVE

• DOPPELPAYMER_RANSOMWARE_HASHES

• PROWLI_IP

• HTTP_ERROR

• HIDDEN_COBRA_FILE

• MOST_EXPLOITABLE_HASHES

• REVIL_RANSOMWARE_IPS

• REVIL_RANSOMWARE_HASHES

• RYUK_RANSOMWARE_HASH

• BLACKLISTED_PORTS

• INVISIMOLE_MALWARE_DOMAINS

• NEFILIM_RANSOMWARE_HASHES

• PERSISTENCE_ACCESSIBILITY_PROCESS

• CRIMINAL_CONTENT

• BAD_RABBIT_FILE

• KNOWN_APPLICATIONS

• ADMIN_GROUPS

• WASTEDLOCKER_DOMAINS

• SUSPICIOUS_COUNTRY

• HERMETIC_WIPER_HASHES


• HERMETIC_WIPER_DRIVER_HASHES

• ISAAC_WIPER_HASHES

• ACTINIUM_HASHES

• ACTINIUM_DOMAINS

• WHISPERGATE_HASHES

• GHOSTWRITER_DOMAINS

• GHOSTWRITER_IPS

For more details on Lists, go to the Lists section in the LogPoint Data Integration guide.


CHAPTER SIX

APPENDIX

Alerts: Changed Items

LP_Active Directory Enumeration via ADFind: query, mitre_hash

LP_File Creation by PowerShell Detected: query, description, mitre_hash

LP_Firewall Configuration Modification Detected: description, context_template, email_template, syslog_template, mitre_hash

LP_First Time Seen Remote Named Pipe: query

LP_Grabbing Sensitive Hives via Reg Utility: query, description, context_template, email_template, syslog_template, log_source, mitre_hash

LP_Microsoft Defender Disabling Attempt via PowerShell: query, mitre_hash

LP_Password Spraying Attack Detected: log_source

LP_Possible Access to ADMIN Share: description, context_template, email_template, syslog_template, mitre_hash

LP_PsExec Tool Execution Detected: query

LP_RDP Sensitive Settings Changed: query, context_template, email_template, syslog_template, mitre_hash

LP_Screensaver Activities Detected: description, mitre_hash

LP_Secure Deletion with SDelete: description, context_template, email_template, syslog_template, mitre_hash

LP_Suspect Svchost Activity Detected: query

LP_Suspicious Keyboard Layout Load Detected: query, context_template, email_template, syslog_template, mitre_hash

LP_Suspicious Rundll32 Activity Detected: query, description, mitre_hash

LP_Time-Stomping of Users Directory Files Detected: query

LP_Windows Defender Exclusion Set Detected: query
