Chronicle Rule Coverage
28 events across 5 providers with Chronicle/YARA-L detection rules, 186 rule mappings total.
Microsoft-Windows-Security-Auditing (11 events, 91 rules)
Security-Auditing - Event ID 4624 - An account was successfully logged on.
- ADFS DKM Key Access (source) high - Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value
- MITRE ATT&CK T1110.003 RW Windows Password Spray (source) medium - Detects repeated authentication failures with multiple users, indicative of a password spray attack.
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One (source) medium - Detects multiple failed login attempts followed by a successful login
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity (source) medium - Detects multiple failed login attempts followed by a successful login
- Windows Short Term Account Use (source) medium - Detects the creation, login, and deletion of a user account over a predefined timeframe
Security-Auditing - Event ID 4625 - An account failed to log on.
- ADFS DKM Key Access (source) high - Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value
- MITRE ATT&CK T1110.003 RW Windows Password Spray (source) medium - Detects repeated authentication failures with multiple users, indicative of a password spray attack.
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One (source) medium - Detects multiple failed login attempts followed by a successful login
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity (source) medium - Detects multiple failed login attempts followed by a successful login
- Windows Short Term Account Use (source) medium - Detects the creation, login, and deletion of a user account over a predefined timeframe
Security-Auditing - Event ID 4648 - A logon was attempted using explicit credentials.
- ADFS DKM Key Access (source) high - Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value
- MITRE ATT&CK T1110.003 RW Windows Password Spray (source) medium - Detects repeated authentication failures with multiple users, indicative of a password spray attack.
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One (source) medium - Detects multiple failed login attempts followed by a successful login
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity (source) medium - Detects multiple failed login attempts followed by a successful login
- Windows Short Term Account Use (source) medium - Detects the creation, login, and deletion of a user account over a predefined timeframe
Security-Auditing - Event ID 4656 - A handle to an object was requested.
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report (source) low - Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4
Security-Auditing - Event ID 4657 - A registry value was modified.
- Blackbyte Ransomware Registry (source) high - BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
- CurrentControlSet Autorun Keys Modification (source) medium - Detects modification of autostart extensibility point (ASEP) in registry
- CurrentVersion Autorun Keys Modification (source) medium - Detects modification of autostart extensibility point (ASEP) in registry
- Default RDP Port Changed to Non Standard Port (source) high - Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
- Disable Internal Tools or Feature in Registry (source) medium - Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
- Modify User Shell Folders Startup Value (source) high - Detect modification of the startup key to a path where a payload could be stored to be launched during startup
- New RUN Key Pointing to Suspicious Folder (source) high - Detects suspicious new RUN key element pointing to an executable in a suspicious folder
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report (source) low - Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4
- Potential Credential Dumping Via LSASS SilentProcessExit Technique (source) critical - Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
- RDP Sensitive Settings Changed (source) high - Detects tampering of RDP Terminal Service/Server sensitive settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
- RDP Sensitive Settings Changed to Zero (source) medium - Detects tampering of RDP Terminal Service/Server sensitive settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
- RestrictedAdminMode Registry Value Tampering (source) high - Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
- Session Manager Autorun Keys Modification (source) medium - Detects modification of autostart extensibility point (ASEP) in registry
- Suspicious Powershell In Registry Run Keys (source) medium - Detects potential PowerShell commands or code within registry run keys
- Wdigest Enable UseLogonCredential (source) high - Detects potential malicious modification of the property value of UseLogonCredential under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
Security-Auditing - Event ID 4662 - An operation was performed on an object.
- ADFS DKM Key Access (source) high - Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value
Security-Auditing - Event ID 4688 - A new process has been created.
- Base64 Encoded PowerShell Command Detected (source) high - Detects usage of the "FromBase64String" function in the commandline, which is used to decode a base64 encoded string
- ConvertTo-SecureString Cmdlet Usage Via CommandLine (source) medium - Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline, which is fairly uncommon and could indicate potential suspicious activity
- Copy From Or To Admin Share Or Sysvol Folder (source) medium - Detects a copy command or a copy utility execution to or from an Admin share or remote
- CreateDump Process Dump (source) high - Detects uses of the createdump.exe LOLBIN utility to dump process memory
- Direct Autorun Keys Modification (source) medium - Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe
- File Download Using Notepad++ GUP Utility (source) high - Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files
- File Download Via Windows Defender MpCmpRun.EXE (source) high - Detects the use of Windows Defender MpCmdRun.EXE to download files
- Finger.EXE Execution (source) high - Detects execution of the finger.exe utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installations. It displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any...
- HackTool - Dumpert Process Dumper Execution (source) critical - Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
- Hacktool - IronSharpPack Execution (source) medium - Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments.
- HackTool - Mimikatz Execution (source) high - Detects well-known mimikatz command line arguments
- Purple Knight Tool Execution Detected (source) medium - This detection rule identifies the execution of the Purple Knight tool, a free Active Directory security assessment utility developed by Semperis. Purple Knight is designed to scan for AD vulnerabilities, misconfigurations, and common attack paths. While it is a legitimate tool used by defenders, its execution in production environments may also indicate red team activity or unauthorized...
- Hacktool - SharpSuccessor Execution (source) high - SharpSuccessor is a .NET-based post-exploitation tool designed to weaponize the BadSuccessor attack discovered by Yuval Gordon (@YuG0rd) from Akamai. It allows a low-privileged user with 'CreateChild' permissions over any Organizational Unit (OU) in an Active Directory domain to escalate privileges to Domain Administrator. This detection rule identifies execution patterns or behavioral indicators...
- Hacktool - WinPEAS Execution Patterns (source) medium - This detection rule identifies the execution of WinPEAS (Windows Privilege Escalation Awesome Script), a post-exploitation reconnaissance tool used to discover privilege escalation paths on Windows systems. WinPEAS performs a wide range of local enumeration checks, including service misconfigurations, permission issues, token privileges, and more. Its usage is commonly observed during red team...
- Impacket WMIExec CISA Report (source) medium - Detects the artifacts generally associated with the use of wmiexec.py
- Local Accounts Discovery (source) low - Local accounts, System Owner/User discovery using operating systems utilities
- LSASS Dump Keyword In CommandLine (source) high - Detects the presence of the keywords lsass and .dmp in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process
- MITRE ATT&CK T1021.002 Windows Admin Share Basic (source) low - Detect the use of net use for SMB/Windows admin shares
- MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity (source) low - Net use commands for SMB/Windows admin shares based on asset entity group
- MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment (source) low - Net use commands for SMB/Windows admin shares focused on UDM enriched user fields
- MITRE ATT&CK T1021.002 Windows Admin Share With User Entity (source) low - Net use commands for SMB/Windows admin shares focused on specific user entity characteristics
- MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task (source) info - Creation of scheduled task using command line
- MITRE ATT&CK T1140 Encoded Powershell Command (source) info - Detects encoded powershell commands
- MITRE ATT&CK T1570 Suspicious Command PSExec (source) info - Command-line execution of the PsExec tool on Windows
- New User Created Via Net.EXE (source) medium - Identifies the creation of local users via the net.exe command
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report (source) low - Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4
- potential lsass process dump via procdump (source) high - Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable. Procdump dump of lsass using minidump or memory dump options. Covers atomic tests 1 and 8
- Potential Suspicious Activity Using SeCEdit (source) medium - Detects potential suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE (source) high - Detects the execution of reg.exe for enabling/disabling the RDP service on the host by tampering with the CurrentControlSet\Control\Terminal Server values
- PowerShell DownloadFile (source) high - Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
- PowerShell Web Download (source) medium - Detects suspicious ways to download files or content using PowerShell
- PrintBrm ZIP Creation of Extraction (source) high - Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation
- Process Memory Dump Via Comsvcs.DLL (source) high - Detects a process memory dump via comsvcs.dll using rundll32, covering multiple different techniques
- Process Memory Dump via RdrLeakDiag.exe (source) high - Detects the use of the Microsoft Windows Resource Leak Diagnostic tool rdrleakdiag.exe to dump process memory
- PUA - Nimgrab Execution (source) high - Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
- Recon Credential Theft CISA Report (source) low - Detects suspicious credential access commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into
- Recon Environment Enumeration Active Directory CISA Report (source) low - Detects group enumeration commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into
- Recon Environment Enumeration Network CISA Report (source) low - Detects network enumeration commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into
- Recon Environment Enumeration System CISA Report (source) low - Detects system enumeration events as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into
- MITRE ATT&CK T1033 Recon Successful Logon Enumeration Powershell CISA Report (source) info - Detects the use of powershell to enumerate successful logins on a specific host
- Recon Suspicious Commands CISA Report (source) low - Detects suspicious commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into
- Reg Add Suspicious Paths (source) high - Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
- Renamed CreateDump Utility Execution (source) high - Detects uses of a renamed legitimate createdump.exe LOLBIN utility to dump process memory
- MITRE ATT&CK T1003 RW Mimikatz (source) critical - Detects the process mimikatz being issued from the command line.
- MITRE ATT&CK T1003.003 RW Utilities Associated With Ntds.dit (source) high - Detects process launches from processes related to ntds against key servers
- ShimCache Flush (source) high - Detects actions that clear the local ShimCache and remove forensic evidence
- Suspicious Certreq Command to Download (source) high - Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files
- Suspicious Curl.EXE Download (source) high - Detects a suspicious curl process start on Windows and outputs the requested document to a local file
- Suspicious Download Via Certutil.EXE (source) medium - Detects the execution of certutil with certain flags that allow the utility to download files
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE (source) high - Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites
- Suspicious Invoke-WebRequest Execution (source) high - Detects a suspicious call to the Invoke-WebRequest cmdlet where the output is located in a suspicious location
- Whoami Execution (source) info - Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under
- Uncommon or Suspicious RMM Tool Execution Detected (source) medium - This detection rule identifies uncommon or suspicious Remote Monitoring and Management (RMM) tools, leveraging intelligence from the LOL-RMM (Living Off the Land RMM) project. While RMM tools are widely used for IT administration, remote support, and network management, they are also frequently abused by attackers, initial access brokers (IABs), and ransomware operators to establish persistent...
- Windows Event Log Cleared (source) medium - Detects the clearing of event logs within the Windows Event Viewer.
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report (source) high - Detects extraction of ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic as identified in CISA Living off the Land pdf
Security-Auditing - Event ID 4697 - A service was installed in the system.
- Suspicious Windows Service Installation Detected (source) medium - This detection rule identifies the creation of a Windows service with a suspicious or known malicious name, as logged by Windows Event ID 7045 (`A service was installed in the system`). Threat actors, including those associated with ransomware and other advanced persistent threats (APTs), often create services to achieve persistence, lateral movement, remote execution, or privilege escalation....
Security-Auditing - Event ID 4720 - A user account was created.
- Windows Short Term Account Use (source) medium - Detects the creation, login, and deletion of a user account over a predefined timeframe
Security-Auditing - Event ID 4726 - A user account was deleted.
- Windows Short Term Account Use (source) medium - Detects the creation, login, and deletion of a user account over a predefined timeframe
Security-Auditing - Event ID 5156 - The Windows Filtering Platform has permitted a connection.
- Potential Remote PowerShell Session Initiated (source) high - Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicate a remote PowerShell connection.
Microsoft-Windows-Sysmon (11 events, 89 rules)
Sysmon - Event ID 1 - Process creation
- Base64 Encoded PowerShell Command Detected (source) high - Detects usage of the "FromBase64String" function in the commandline, which is used to decode a base64 encoded string
- ConvertTo-SecureString Cmdlet Usage Via CommandLine (source) medium - Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline, which is fairly uncommon and could indicate potential suspicious activity
- Copy From Or To Admin Share Or Sysvol Folder (source) medium - Detects a copy command or a copy utility execution to or from an Admin share or remote
- CreateDump Process Dump (source) high - Detects uses of the createdump.exe LOLBIN utility to dump process memory
- Direct Autorun Keys Modification (source) medium - Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe
- File Download Using Notepad++ GUP Utility (source) high - Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files
- File Download Via Windows Defender MpCmpRun.EXE (source) high - Detects the use of Windows Defender MpCmdRun.EXE to download files
- Finger.EXE Execution (source) high - Detects execution of the finger.exe utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installations. It displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any...
- HackTool - Dumpert Process Dumper Execution (source) critical - Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
- Hacktool - IronSharpPack Execution (source) medium - Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments.
- HackTool - Mimikatz Execution (source) high - Detects well-known mimikatz command line arguments
- Purple Knight Tool Execution Detected (source) medium - This detection rule identifies the execution of the Purple Knight tool, a free Active Directory security assessment utility developed by Semperis. Purple Knight is designed to scan for AD vulnerabilities, misconfigurations, and common attack paths. While it is a legitimate tool used by defenders, its execution in production environments may also indicate red team activity or unauthorized...
- Hacktool - SharpSuccessor Execution (source) high - SharpSuccessor is a .NET-based post-exploitation tool designed to weaponize the BadSuccessor attack discovered by Yuval Gordon (@YuG0rd) from Akamai. It allows a low-privileged user with 'CreateChild' permissions over any Organizational Unit (OU) in an Active Directory domain to escalate privileges to Domain Administrator. This detection rule identifies execution patterns or behavioral indicators...
- Hacktool - WinPEAS Execution Patterns (source) medium - This detection rule identifies the execution of WinPEAS (Windows Privilege Escalation Awesome Script), a post-exploitation reconnaissance tool used to discover privilege escalation paths on Windows systems. WinPEAS performs a wide range of local enumeration checks, including service misconfigurations, permission issues, token privileges, and more. Its usage is commonly observed during red team...
- Impacket WMIExec CISA Report (source) medium - Detects the artifacts generally associated with the use of wmiexec.py
- Local Accounts Discovery (source) low - Local accounts, System Owner/User discovery using operating systems utilities
- LSASS Dump Keyword In CommandLine (source) high - Detects the presence of the keywords lsass and .dmp in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process
- MITRE ATT&CK T1021.002 Windows Admin Share Basic (source) low - Detect the use of net use for SMB/Windows admin shares
- MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity (source) low - Net use commands for SMB/Windows admin shares based on asset entity group
- MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment (source) low - Net use commands for SMB/Windows admin shares focused on UDM enriched user fields
- MITRE ATT&CK T1021.002 Windows Admin Share With User Entity (source) low - Net use commands for SMB/Windows admin shares focused on specific user entity characteristics
- MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task (source) info - Creation of scheduled task using command line
- MITRE ATT&CK T1140 Encoded Powershell Command (source) info - Detects encoded powershell commands
- MITRE ATT&CK T1570 Suspicious Command PSExec (source) info - Command-line execution of the PsExec tool on Windows
- New User Created Via Net.EXE (source) medium - Identifies the creation of local users via the net.exe command
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report (source) low - Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4
- potential lsass process dump via procdump (source) high - Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable. Procdump dump of lsass using minidump or memory dump options. Covers atomic tests 1 and 8
- Potential Suspicious Activity Using SeCEdit (source) medium - Detects potential suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE (source) high - Detects the execution of reg.exe for enabling/disabling the RDP service on the host by tampering with the CurrentControlSet\Control\Terminal Server values
- PowerShell DownloadFile (source) high - Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
- PowerShell Web Download (source) medium - Detects suspicious ways to download files or content using PowerShell
- PrintBrm ZIP Creation of Extraction (source) high - Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation
- Process Memory Dump Via Comsvcs.DLL (source) high - Detects a process memory dump via comsvcs.dll using rundll32, covering multiple different techniques
- Process Memory Dump via RdrLeakDiag.exe (source) high - Detects the use of the Microsoft Windows Resource Leak Diagnostic tool rdrleakdiag.exe to dump process memory
- PUA - Nimgrab Execution (source) high - Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
- Recon Credential Theft CISA Report (source) low - Detects suspicious credential access commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into
- Recon Environment Enumeration Active Directory CISA Report (source) low - Detects group enumeration commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into
- Recon Environment Enumeration Network CISA Report (source) low - Detects network enumeration commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into
- Recon Environment Enumeration System CISA Report (source) low - Detects system enumeration events as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into
- MITRE ATT&CK T1033 Recon Successful Logon Enumeration Powershell CISA Report (source) info - Detects the use of powershell to enumerate successful logins on a specific host
- Recon Suspicious Commands CISA Report (source) low - Detects suspicious commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into
- Reg Add Suspicious Paths (source) high - Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
- Renamed CreateDump Utility Execution (source) high - Detects uses of a renamed legitimate createdump.exe LOLBIN utility to dump process memory
- MITRE ATT&CK T1003 RW Mimikatz (source) critical - Detects the process mimikatz being issued from the command line.
- MITRE ATT&CK T1003.003 RW Utilities Associated With Ntds.dit (source) high - Detects process launches from processes related to ntds against key servers
- ShimCache Flush (source) high - Detects actions that clear the local ShimCache and remove forensic evidence
- Suspicious Certreq Command to Download (source) high - Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files
- Suspicious Curl.EXE Download (source) high - Detects a suspicious curl process start on Windows and outputs the requested document to a local file
- Suspicious Download Via Certutil.EXE (source) medium - Detects the execution of certutil with certain flags that allow the utility to download files
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE (source) high - Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites
- Suspicious Invoke-WebRequest Execution (source) high - Detects a suspicious call to the Invoke-WebRequest cmdlet where the output is located in a suspicious location
- Whoami Execution (source) info - Detects the execution of whoami, which is often used by attackers after exploitation to establish what credentials they are logged in under
- Uncommon or Suspicious RMM Tool Execution Detected (source) medium - This detection rule identifies uncommon or suspicious Remote Monitoring and Management (RMM) tools, leveraging intelligence from the LOL-RMM (Living Off the Land RMM) project. While RMM tools are widely used for IT administration, remote support, and network management, they are also frequently abused by attackers, initial access brokers (IABs), and ransomware operators to establish persistent...
- Windows Event Log Cleared (source) medium - Detects the clearing of event logs within the Windows Event Viewer.
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report (source) high - Detects extraction of ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic as identified in CISA Living off the Land pdf
Sysmon - Event ID 2 - A process changed a file creation time
- Suspicious Unusual Location LNK File (source) low - Detects creation and movement of .lnk files to specific folders
Sysmon - Event ID 3 - Network connection
- Potential Remote PowerShell Session Initiated (source) high - Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicate a remote PowerShell connection.
Sysmon - Event ID 10 - ProcessAccess
- Credential Dumping Attempt Via WerFault (source) high - Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up
- HackTool - Generic Process Access (source) high - Detects process access requests from hacktool processes based on their default image name
- LSASS Memory Access by Tool With Dump Keyword In Name (source) high - Detects LSASS process access requests from a source process with the dump keyword in its image name
- Lsass Memory Dump via Comsvcs DLL (source) high - Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass
- Potential Credential Dumping Activity Via LSASS (source) medium - Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
Sysmon - Event ID 11 - FileCreate
- Cred Dump Tools Dropped Files (source) high - Files with well-known filenames (parts of credential dump software or files produced by them) creation
- HackTool - Dumpert Process Dumper Default File (source) critical - Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
- Impacket WMIExec CISA Report (source) medium - Detects the artifacts generally associated with the use of wmiexec.py
- LSASS Process Memory Dump Files (source) high - Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
- LSASS Process Memory Dump Creation Via Taskmgr.exe (source) high - Detects the creation of an lsass.dmp file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager
- Suspicious Unusual Location LNK File (source) low - Detects creation and movement of .lnk files to specific folders
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report (source) high - Detects extraction of the ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic, as identified in the CISA Living off the Land PDF
Sysmon - Event ID 12 - RegistryEvent (Object create and delete) #
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report (source) low - Detects port forwarding being enabled using the netsh command and registry settings created or modified in support of portproxy v4tov4
Sysmon - Event ID 13 - RegistryEvent (Value Set) #
- Blackbyte Ransomware Registry (source) high - BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
- CurrentControlSet Autorun Keys Modification (source) medium - Detects modification of autostart extensibility point (ASEP) in registry
- CurrentVersion Autorun Keys Modification (source) medium - Detects modification of autostart extensibility point (ASEP) in registry
- Default RDP Port Changed to Non Standard Port (source) high - Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
- Disable Internal Tools or Feature in Registry (source) medium - Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
- Modify User Shell Folders Startup Value (source) high - Detect modification of the startup key to a path where a payload could be stored to be launched during startup
- New RUN Key Pointing to Suspicious Folder (source) high - Detects suspicious new RUN key element pointing to an executable in a suspicious folder
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report (source) low - Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4
- Potential Credential Dumping Via LSASS SilentProcessExit Technique (source) critical - Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
- RDP Sensitive Settings Changed (source) high - Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
- RDP Sensitive Settings Changed to Zero (source) medium - Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
- RestrictedAdminMode Registry Value Tampering (source) high - Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
- Session Manager Autorun Keys Modification (source) medium - Detects modification of autostart extensibility point (ASEP) in registry
- Suspicious Powershell In Registry Run Keys (source) medium - Detects potential PowerShell commands or code within registry run keys
- Wdigest Enable UseLogonCredential (source) high - Detects potentially malicious modification of the UseLogonCredential value under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credential caching
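Most of the Event ID 13 rules above are a path test on TargetObject plus a value test on Details, and the value test is where the false positives hide (a PortNumber rewritten to 3389, a vendor's own Run entry). The following is an added example, not code from this page or from the Chronicle/Sigma rules it indexes. It maps constructed Sysmon Value Set records to the rule names and severities in the list above, decoding Sysmon's "DWORD (0x...)" rendering so that numeric thresholds such as the default RDP port can be compared properly. The suspicious-folder list and PowerShell markers are assumptions for the example; the records are constructed, not captured logs.

```python
"""Triage of Sysmon Event ID 13 (RegistryEvent, Value Set) records.

Added example, not code from the page or from the rules it indexes. The
records in SAMPLE_EVENTS are constructed and use Sysmon's field names
(Image, TargetObject, Details). SUSPICIOUS_RUN_DIRS and POWERSHELL_MARKERS
are assumed lists for this example.
"""
from __future__ import annotations

import re

RDP_DEFAULT_PORT = 3389

# Folders an autorun entry should not normally point into (assumed list).
SUSPICIOUS_RUN_DIRS = (
    "\\appdata\\local\\temp\\", ":\\users\\public\\", ":\\windows\\temp\\",
    ":\\temp\\", ":\\$recycle.bin\\", ":\\users\\default\\", ":\\perflogs\\",
)
POWERSHELL_MARKERS = ("powershell", "pwsh", "-enc", "frombase64string")

# Sysmon renders numeric registry data as e.g. 'DWORD (0x00000001)'.
_NUMERIC = re.compile(r"^(?:DWORD|QWORD) \((0x[0-9A-Fa-f]+)\)$")


def details_int(details: str) -> int | None:
    """Decode Sysmon's numeric Details rendering; None for string or binary data."""
    m = _NUMERIC.match(details.strip())
    return int(m.group(1), 16) if m else None


def classify(event: dict) -> tuple[str, str] | None:
    """Map one Event ID 13 record to (severity, rule name), or None if benign."""
    key = event.get("TargetObject", "").lower()
    details = event.get("Details", "")
    num = details_int(details)

    # WDigest told to keep clear-text logon credentials in LSASS memory.
    if key.endswith("\\securityproviders\\wdigest\\uselogoncredential") and num == 1:
        return ("high", "Wdigest Enable UseLogonCredential")
    # A monitor process registered to dump lsass.exe when it exits.
    if "\\currentversion\\silentprocessexit\\lsass.exe" in key:
        return ("critical", "Potential Credential Dumping Via LSASS SilentProcessExit Technique")
    # Any write to DisableRestrictedAdmin is worth a look; 1 turns the protection off.
    if key.endswith("\\control\\lsa\\disablerestrictedadmin"):
        return ("high", "RestrictedAdminMode Registry Value Tampering")
    # RDP listener moved off 3389; a write of 3389 itself is not a change.
    if key.endswith("\\winstations\\rdp-tcp\\portnumber") and num is not None and num != RDP_DEFAULT_PORT:
        return ("high", "Default RDP Port Changed to Non Standard Port")
    if key.endswith("\\terminal server\\fdenytsconnections") and num == 0:
        return ("medium", "RDP Sensitive Settings Changed to Zero")
    if key.endswith("\\terminal server\\fallowunsolicited") and num == 1:
        return ("high", "RDP Sensitive Settings Changed")
    # netsh interface portproxy persists its rules under this key.
    if "\\services\\portproxy\\v4tov4\\tcp\\" in key:
        return ("low", "MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report")
    # Autostart entries: inspect the command the value points at.
    if "\\software\\microsoft\\windows\\currentversion\\run" in key:
        command = details.lower()
        if any(marker in command for marker in POWERSHELL_MARKERS):
            return ("medium", "Suspicious Powershell In Registry Run Keys")
        if any(folder in command for folder in SUSPICIOUS_RUN_DIRS):
            return ("high", "New RUN Key Pointing to Suspicious Folder")
    return None


# Constructed records: the first six should alert, the last two should not.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe\\MonitorProcess",
     "Details": "C:\\Windows\\System32\\WerFault.exe"},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber",
     "Details": "DWORD (0x0000115c)"},  # 4444
    {"Image": "C:\\Windows\\System32\\netsh.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp\\0.0.0.0/4444",
     "Details": "10.0.0.5/3389"},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sync",
     "Details": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber",
     "Details": "DWORD (0x00000d3d)"},  # 3389, the default
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorApp",
     "Details": "\"C:\\Program Files\\Vendor\\app.exe\" /tray"},
]


def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (severity, rule, TargetObject) for every record that alerts."""
    hits = []
    for event in events:
        hit = classify(event)
        if hit:
            hits.append((hit[0], hit[1], event["TargetObject"]))
    return hits


if __name__ == "__main__":
    for severity, rule, target in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {target}")
```

Two details carry over to any rule language: compare decoded integers rather than string suffixes for numeric values (otherwise "0x00000d3d" written back to PortNumber alerts), and test the Run-key command string, not just the key path, so that a vendor's own autostart entry stays quiet while a Temp-folder payload or an encoded PowerShell stub does not.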
Sysmon - Event ID 17 - PipeEvent (Pipe Created) #
- ADFS DB Suspicious Named Pipe Connection (source) medium - Connection to ADFS via named pipes from processes other than the specific Windows ADFS processes may indicate a user attempting to access ADFS for suspicious purposes
Sysmon - Event ID 18 - PipeEvent (Pipe Connected) #
- ADFS DB Suspicious Named Pipe Connection (source) medium - Connection to ADFS via named pipes from processes other than the specific Windows ADFS processes may indicate a user attempting to access ADFS for suspicious purposes
Sysmon - Event ID 22 - DNSEvent (DNS query) #
- Recon Environment Enumeration Network CISA Report (source) low - Detects network enumeration commands as identified in the CISA Living off the Land PDF. Alone they may be normal, but in concert they may be worth looking into
Sysmon - Event ID 23 - FileDelete (File Delete archived) #
- Suspicious Unusual Location LNK File (source) low - Detects creation and movement of .lnk files to specific folders
ESENT (4 events, 4 rules) #
ESENT - Event ID 216 - #
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report (source) high - Detects extraction of the ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic, as identified in the CISA Living off the Land PDF
ESENT - Event ID 325 - #
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report (source) high - Detects extraction of the ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic, as identified in the CISA Living off the Land PDF
ESENT - Event ID 326 - #
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report (source) high - Detects extraction of the ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic, as identified in the CISA Living off the Land PDF
ESENT - Event ID 327 - #
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report (source) high - Detects extraction of the ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic, as identified in the CISA Living off the Land PDF
Microsoft-Windows-Eventlog (1 event, 1 rule) #
Eventlog - Event ID 1102 - The audit log was cleared. #
- Windows Event Log Cleared (source) medium - Detects the clearing of event logs within the Windows Event Viewer.
Service-Control-Manager (1 event, 1 rule) #
Service-Control-Manager - Event ID 7045 - A service was installed in the system. #
- Suspicious Windows Service Installation Detected (source) medium - This detection rule identifies the creation of a Windows service with a suspicious or known malicious name, as logged by Windows Event ID 7045 (`A service was installed in the system`). Threat actors, including those associated with ransomware and other advanced persistent threats (APTs), often create services to achieve persistence, lateral movement, remote execution, or privilege escalation....