windows

Defense evasion via process reimaging

Apr 21, 2023 · attack.defense_evasion ·

Share on:

Detects process reimaging defense evasion technique

Detection of Possible Rotten Potato

Apr 21, 2023 · attack.privilege_escalation attack.t1134 attack.t1134.002 ·

Share on:

Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges

Disabled Users Failing To Authenticate From Source Using Kerberos

Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation ·

Share on:

Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.

DNSCat2 Powershell Implementation Detection Via Process Creation

Apr 21, 2023 · attack.command_and_control attack.t1071 attack.t1071.004 attack.t1001.003 attack.t1041 ·

Share on:

The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.

Enumeration via the Global Catalog

Apr 21, 2023 · attack.discovery attack.t1087.002 ·

Share on:

Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.

Execution via CL_Invocation.ps1 (2 Lines)

Apr 21, 2023 · attack.defense_evasion attack.t1216 ·

Share on:

Detects Execution via SyncInvoke in CL_Invocation.ps1 module

Execution via CL_Mutexverifiers.ps1 (2 Lines)

Apr 21, 2023 · attack.defense_evasion attack.t1216 ·

Share on:

Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module

Failed Logins with Different Accounts from Single Source System

Apr 21, 2023 · attack.persistence attack.privilege_escalation attack.t1078 ·

Share on:

Detects suspicious failed logins with different user accounts from a single source system

Failed Mounting of Hidden Share

Apr 21, 2023 · attack.t1021.002 attack.lateral_movement ·

Share on:

Detects repeated failed (outgoing) attempts to mount a hidden share

Failed NTLM Logins with Different Accounts from Single Source System

Apr 21, 2023 · attack.persistence attack.privilege_escalation attack.t1078 ·

Share on:

Detects suspicious failed logins with different user accounts from a single source system

File Creation by Office Applications

Apr 21, 2023 · attack.t1204.002 attack.t1047 attack.t1218.010 attack.execution attack.defense_evasion ·

Share on:

This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.

Files Dropped to Program Files by Non-Priviledged Process

Apr 21, 2023 · attack.persistence attack.defense_evasion attack.t1574 attack.t1574.010 ·

Share on:

Search for dropping of files to Windows/Program Files fodlers by non-priviledged processes

Invalid Users Failing To Authenticate From Single Source Using NTLM

Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation ·

Share on:

Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.

Invalid Users Failing To Authenticate From Source Using Kerberos

Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation ·

Share on:

Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.

Invoke-Obfuscation CLIP+ Launcher

Apr 21, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated use of Clip.exe to execute PowerShell

Invoke-Obfuscation COMPRESS OBFUSCATION

Apr 21, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Invoke-Obfuscation Obfuscated IEX Invocation

Apr 21, 2023 · attack.defense_evasion attack.t1027 ·

Share on:

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework (See reference section for code block)

Invoke-Obfuscation RUNDLL LAUNCHER

Apr 21, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Invoke-Obfuscation STDIN+ Launcher

Apr 21, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation VAR+ Launcher

Apr 21, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated use of Environment Variables to execute PowerShell

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION

Apr 21, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via VAR++ LAUNCHER

Invoke-Obfuscation Via Stdin

Apr 21, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via Stdin in Scripts

Invoke-Obfuscation Via Use Clip

Apr 21, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via use Clip.exe in Scripts

Invoke-Obfuscation Via Use MSHTA

Apr 21, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via use MSHTA in Scripts

Invoke-Obfuscation Via Use Rundll32

Apr 21, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via use Rundll32 in Scripts

Malicious Service Installations

Apr 21, 2023 · attack.persistence attack.privilege_escalation attack.t1003 attack.t1035 attack.t1050 car.2013-09-005 attack.t1543.003 attack.t1569.002 ·

Share on:

Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

Metasploit Or Impacket Service Installation Via SMB PsExec

Apr 21, 2023 · attack.lateral_movement attack.t1021.002 attack.t1570 attack.execution attack.t1569.002 ·

Share on:

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Meterpreter or Cobalt Strike Getsystem Service Installation

Apr 21, 2023 · attack.privilege_escalation attack.t1134.001 attack.t1134.002 ·

Share on:

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

MSI Spawned Cmd and Powershell Spawned Processes

Apr 21, 2023 · attack.privilege_escalation attack.t1548.002 ·

Share on:

This rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes

Multiple Users Failing to Authenticate from Single Process

Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation ·

Share on:

Detects failed logins with multiple accounts from a single process on the system.

Multiple Users Remotely Failing To Authenticate From Single Source

Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation ·

Share on:

Detects a source system failing to authenticate against a remote host with multiple users.

Password Spraying via Explicit Credentials

Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation ·

Share on:

Detects a single user failing to authenticate to multiple users using explicit credentials.

Possible DNS Rebinding

Apr 21, 2023 · attack.initial_access attack.t1189 ·

Share on:

Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).

Quick Execution of a Series of Suspicious Commands

Apr 21, 2023 · car.2013-04-002 attack.execution attack.t1059 ·

Share on:

Detects multiple suspicious process in a limited timeframe

Reconnaissance Activity Using BuiltIn Commands

Apr 21, 2023 · attack.discovery attack.t1087 attack.t1082 car.2016-03-001 ·

Share on:

Detects execution of a set of builtin commands often used in recon stages by different attack groups

Remote Service Creation

Apr 21, 2023 · attack.lateral_movement attack.persistence attack.execution attack.t1543.003 ·

Share on:

Detects remote execution via service creation on the destination host

Stored Credentials in Fake Files

Apr 21, 2023 · attack.credential_access attack.t1555 ·

Share on:

Search for accessing of fake files with stored credentials

Suspicious Multiple File Rename Or Delete Occurred

Apr 21, 2023 · attack.impact attack.t1486 ·

Share on:

Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).

Suspicious Werfault.exe Network Connection Outbound

Apr 21, 2023 · attack.command_and_control attack.t1571 ·

Share on:

Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.

Tap Driver Installation

Apr 21, 2023 · attack.exfiltration attack.t1048 ·

Share on:

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

Valid Users Failing to Authenticate From Single Source Using Kerberos

Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation ·

Share on:

Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.

Valid Users Failing to Authenticate from Single Source Using NTLM

Apr 21, 2023 · attack.t1110.003 attack.initial_access attack.privilege_escalation ·

Share on:

Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.

Windows Kernel and 3rd-Party Drivers Exploits Token Stealing

Apr 21, 2023 · attack.privilege_escalation attack.t1068 ·

Share on:

Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level