Windows

File and Directory Discovery

Jan 9, 2023 · Elastic Host Windows Threat Detection Discovery ·

Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity.

Suspicious Process from Conhost

Jan 9, 2023 · Elastic Host Windows Threat Detection Defense Evasion ·

Share on:

Identifies a suspicious Conhost child process which may be an indication of code injection activity.

Threat Intel Filebeat Module (v7.x) Indicator Match

Jan 9, 2023 · Elastic Windows Elastic Endgame Network Continuous Monitoring SecOps Monitoring ·

Share on:

This rule is triggered when indicators from the Threat Intel Filebeat module (v7.x) has a match against local file or network observations.

Whitespace Padding in Process Command Line

Jan 9, 2023 · Elastic Host Windows Threat Detection Defense Evasion ·

Share on:

Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior.

Potential Privilege Escalation via Local Kerberos Relay over LDAP

Aug 1, 2022 · Elastic Host Windows Threat Detection Privilege Escalation Credential Access ·

Share on:

Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.

Potential PrintNightmare Exploit Registry Modification

Mar 17, 2022 · Elastic Host Windows Threat Detection Privilege Escalation ·

Share on:

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.

Potential PrintNightmare File Modification

Mar 17, 2022 · Elastic Host Windows Threat Detection Privilege Escalation ·

Share on:

Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527 and verify that the impacted system is investigated.

Network Connection via Mshta

Oct 20, 2021 · Elastic Host Windows Threat Detection Defense Evasion ·

Share on:

Identifies mshta.exe making a network connection. This may indicate adversarial activity, as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection.

PowerShell spawning Cmd

Apr 21, 2021 · Elastic Host Windows Threat Detection Execution ·

Share on:

Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe.

Query Registry via reg.exe

Apr 21, 2021 · Elastic Host Windows Threat Detection Discovery ·

Share on:

Enumeration or discovery of the Windows registry using reg.exe. This information can be used to perform follow-on activities.

Process Discovery via Tasklist

Apr 15, 2021 · Elastic Host Windows Threat Detection Discovery ·

Share on:

Adversaries may attempt to get information about running processes on a system.

Trusted Developer Application Usage

Apr 15, 2021 · Elastic Host Windows Threat Detection Defense Evasion ·

Share on:

Identifies possibly suspicious activity using trusted Windows developer activity.

Execution via Regsvcs/Regasm

Mar 19, 2021 · Elastic Host Windows Threat Detection Execution ·

Share on:

RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility.