Sumo Logic

CSE Built-In Rules

See a list and descriptions of CSE's built-in rules.

This page lists and describes CSE's built-in rules.

ADPassHunt Tool

From FireEye Red Team Tool Countermeasures: This IOC detects indicators associated with the ADPassHunt Tool. This tool is used to hunt for AD credentials and is run via execute-assembly; it looks for passwords in GPP, Autoruns and AD objects.

AWS - Excessive OAuth Application Permissions Scope

Alert when an OAuth application has requested a high number of permissions to aspects of AWS.

AWS - New UserPoolClient Created

UserPoolClient {{application}} has been created in AWS. A UserPoolClient is an entity that has permission to call unauthenticated API operations (operations that do not have an authenticated user).

AWS CloudTrail - AWS ConsoleLogin without MFA from IP

An AWS console login was successful where the account did NOT use multi-factor authentication (MFA) to gain access. It is strongly recommended that all accounts used for console access require MFA to protect your AWS account in the event credentials are stolen.

AWS CloudTrail - Customer Master Key Disabled or Scheduled for Deletion

A Customer Master Key (CMK) was disabled or scheduled for deletion. The AWS Key Management Service (KMS) can be used to generate key pairs for encrypting and decrypting your data. Disabling or deleting keys can have heavy destructive consequences, as data encrypted with those keys can no longer be decrypted. AWS requires users either to disable keys, which allows them to be re-enabled at a later time, or, if the keys absolutely must be removed, to schedule a key deletion for a later time. The default waiting period for a scheduled key deletion is 30 days.

AWS CloudTrail - Database Snapshot Created (IP)

Creating DB snapshots is an efficient way for an attacker to begin downloading a target's database. These signals should be considered in the context of other signals that may indicate data theft is in progress.

AWS CloudTrail - Database Snapshot Created (Username)

Creating DB snapshots is an efficient way for an attacker to begin downloading a target's database. These signals should be considered in the context of other signals that may indicate data theft is in progress.

AWS CloudTrail - EC2 Access Key Action Detected

Observed actions that create, import, or delete access keys for EC2 could indicate an adversary is acting on their objective to extend or otherwise manipulate access to EC2 instance(s).

AWS CloudTrail - GetSecretValue from non Amazon IP

The Secrets Manager service is commonly used by cloud components to retrieve secrets (connection strings, etc.) while performing routine functions. This signal identifies when secret values are retrieved via the GetSecretValue API call and the source host does not belong to Amazon's instance IP space.

AWS CloudTrail - IAM CreateUser Action Observed (IP)

Username affected: '{{changeTarget}}'. This signal fires for every observation of the CreateUser action in the IAM event source. Creating AWS users is likely benign, infrequent activity. Hostile actors will create users to persist access. Use this signal in the context of other activity to determine intent.

AWS CloudTrail - IAM CreateUser Action Observed (Username)

Username affected: '{{changeTarget}}'. This signal fires for every observation of the CreateUser action in the IAM event source. Creating AWS users is likely benign, infrequent activity. Hostile actors will create users to persist access. Use this signal in the context of other activity to determine intent.

AWS CloudTrail - IAM Policy Applied

A policy was attached to a user, group, or role. By default, IAM denies all access to all services for users, and policies must be applied to grant access to AWS services and resources. This signal could indicate a policy is granting additional access within your cloud environment.

AWS CloudTrail - IAM Privileged Policy Applied to Group (IP)

Privileged Policy: [{{fields['requestParameters.policyArn']}}] An Amazon default policy that carries a high level of access was observed being applied to a group. This rule identifies both 'attach' and 'put' actions with this privileged policy. The difference between 'attach' and 'put' is that 'attach' actions apply a managed policy to an item, whereas a 'put' action indicates the policy is defined in-line and is part of the item's definition. Applying privileged policies to items could indicate hostile action that attempts to increase the privilege level of a user or set of users. There are legitimate times when this will occur; consider this signal in the context of other activities that may indicate suspicious behavior.

AWS CloudTrail - IAM Privileged Policy Applied to Group (Username)

Privileged Policy: [{{fields['requestParameters.policyArn']}}] An Amazon default policy that carries a high level of access was observed being applied to a group. This rule identifies both 'attach' and 'put' actions with this privileged policy. The difference between 'attach' and 'put' is that 'attach' actions apply a managed policy to an item, whereas a 'put' action indicates the policy is defined in-line and is part of the item's definition. Applying privileged policies to items could indicate hostile action that attempts to increase the privilege level of a user or set of users. There are legitimate times when this will occur; consider this signal in the context of other activities that may indicate suspicious behavior.

AWS CloudTrail - IAM Privileged Policy Applied to Role (IP)

Privileged Policy: [{{fields['requestParameters.policyArn']}}] An Amazon default policy that carries a high level of access was observed being applied to a role. This rule identifies both 'attach' and 'put' actions with this privileged policy. The difference between 'attach' and 'put' is that 'attach' actions apply a managed policy to an item, whereas a 'put' action indicates the policy is defined in-line and is part of the item's definition. Applying privileged policies to items could indicate hostile action that attempts to increase the privilege level of a user or set of users. There are legitimate times when this will occur; consider this signal in the context of other activities that may indicate suspicious behavior.

AWS CloudTrail - IAM Privileged Policy Applied to Role (Username)

Privileged Policy: [{{fields['requestParameters.policyArn']}}] An Amazon default policy that carries a high level of access was observed being applied to a role. This rule identifies both 'attach' and 'put' actions with this privileged policy. The difference between 'attach' and 'put' is that 'attach' actions apply a managed policy to an item, whereas a 'put' action indicates the policy is defined in-line and is part of the item's definition. Applying privileged policies to items could indicate hostile action that attempts to increase the privilege level of a user or set of users. There are legitimate times when this will occur; consider this signal in the context of other activities that may indicate suspicious behavior.

AWS CloudTrail - IAM Privileged Policy Applied to User (IP)

Privileged Policy: [{{fields['requestParameters.policyArn']}}] An Amazon default policy that carries a high level of access was observed being applied to a user. This rule identifies both 'attach' and 'put' actions with this privileged policy. The difference between 'attach' and 'put' is that 'attach' actions apply a managed policy to an item, whereas a 'put' action indicates the policy is defined in-line and is part of the item's definition. Applying privileged policies to items could indicate hostile action that attempts to increase the privilege level of a user or set of users. There are legitimate times when this will occur; consider this signal in the context of other activities that may indicate suspicious behavior.

AWS CloudTrail - IAM Privileged Policy Applied to User (Username)

Privileged Policy: [{{fields['requestParameters.policyArn']}}] An Amazon default policy that carries a high level of access was observed being applied to a user. This rule identifies both 'attach' and 'put' actions with this privileged policy. The difference between 'attach' and 'put' is that 'attach' actions apply a managed policy to an item, whereas a 'put' action indicates the policy is defined in-line and is part of the item's definition. Applying privileged policies to items could indicate hostile action that attempts to increase the privilege level of a user or set of users. There are legitimate times when this will occur; consider this signal in the context of other activities that may indicate suspicious behavior.

AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions

An IAM account sent multiple requests to perform a large number of distinct AWS actions in a short time frame while receiving the error code AccessDenied. This could indicate an account attempting to enumerate its access across the AWS account.

AWS CloudTrail - IAM User Generating AccessDenied Errors Across Multiple Actions from IP

An IAM account sent multiple requests to perform a large number of distinct AWS actions in a short time frame while receiving the error code AccessDenied. This could indicate an account attempting to enumerate its access across the AWS account.

AWS CloudTrail - Logging Configuration Change Observed (IP)

Changing the logging configuration of any mission-critical service or platform should be closely monitored. This signal identifies when AWS logging configurations have been changed. The severity of the signal increases depending on the type of action observed. For instance, disabling or deleting logs is a higher severity than enabling logs.

AWS CloudTrail - Logging Configuration Change Observed (Username)

Changing the logging configuration of any mission-critical service or platform should be closely monitored. This signal identifies when AWS logging configurations have been changed. The severity of the signal increases depending on the type of action observed. For instance, disabling or deleting logs is a higher severity than enabling logs.

AWS CloudTrail - Multiple Failed Console Logins From a User

Multiple failed logins were detected from the same user within a short period of time. It is important to note that AWS CloudTrail does not log failed authentications for the root account user.

AWS CloudTrail - Multiple Failed Console Logins From an Source IP

Multiple failed logins were detected from the same source IP address within a short period of time. It is important to note that AWS CloudTrail does not log failed authentications for the root account user.

AWS CloudTrail - OpsWorks Describe Permissions Event (IP)

This event, sourced from AWS OpsWorks, occurs rarely. It could indicate that an adversary is attempting to collect information for a later attack. When successful, the Describe Permissions event returns information about a specified stack's permissions for access.

AWS CloudTrail - OpsWorks Describe Permissions Event (Username)

This event, sourced from AWS OpsWorks, occurs rarely. It could indicate that an adversary is attempting to collect information for a later attack. When successful, the Describe Permissions event returns information about a specified stack's permissions for access.

AWS CloudTrail - Permissions Boundary Lifted (IP)

Username affected: '{{changeTarget}}'. A Permissions Boundary was lifted from an IAM User or Role. This unusual action may increase the effective permissions of the asset by allowing all the actions granted in its permissions policies.

AWS CloudTrail - Permissions Boundary Lifted (Username)

Username affected: '{{changeTarget}}'. A Permissions Boundary was lifted from an IAM User or Role. This unusual action may increase the effective permissions of the asset by allowing all the actions granted in its permissions policies.

AWS CloudTrail - Public S3 Bucket Exposed From IP

An AWS request occurred to either create a new public bucket or to add a bucket access control list (ACL) to an existing bucket to make it public. While there are some use cases for AWS S3 public buckets, most are generally private. The security operations center should have a strong understanding of which buckets are allowed to be public.

AWS CloudTrail - Public S3 Bucket Exposed by User

An AWS request occurred to either create a new public bucket or to add a bucket access control list (ACL) to an existing bucket to make it public. While there are some use cases for AWS S3 public buckets, most are generally private. The security operations center should have a strong understanding of which buckets are allowed to be public.

AWS CloudTrail - Reconnaissance related event (IP)

This signal identifies a small number of CloudTrail API actions that, when observed, could indicate an actor's intent to enumerate the environment. These events are generally benign and occur during normal operations. Use this signal as context around an unfolding security story.

AWS CloudTrail - Reconnaissance related event (Username)

This signal identifies a small number of CloudTrail API actions that, when observed, could indicate an actor's intent to enumerate the environment. These events are generally benign and occur during normal operations. Use this signal as context around an unfolding security story.

AWS CloudTrail - Root Console Successful Login Observed

This signal detects when a successful root account login occurred within an AWS account. This privileged account should seldom be used within an AWS cloud environment. Amazon's best practices state that you should only use the root account to create the initial local IAM users and assign one of those accounts administrative privileges, or to perform rare tasks only available to the root user. The security operations center should be aware when the AWS root account is accessed.

AWS CloudTrail - SQS List Queues Event (IP)

This event, sourced from AWS SQS, occurs rarely. It could indicate that an adversary is attempting to collect information for a later attack. When successful, the List Queues event returns all SQS queues, which may be valid targets for further probing or attack.

AWS CloudTrail - SQS List Queues Event (Username)

This event, sourced from AWS SQS, occurs rarely. It could indicate that an adversary is attempting to collect information for a later attack. When successful, the List Queues event returns all SQS queues, which may be valid targets for further probing or attack.

AWS CloudTrail - ScheduleKeyDeletion in KMS (IP)

Deleting cryptographic key material managed by KMS can be risky: after the key material is deleted, ciphertext may remain that is now indecipherable. Because of this risk, AWS enforces a minimum 7-day waiting period. A key cannot be deleted immediately; it must first be scheduled for deletion by the system. This signal indicates that a key deletion has been scheduled or canceled. This signal, in the context of other signals around this entity, may describe a hostile pattern of attack.

AWS CloudTrail - ScheduleKeyDeletion in KMS (Username)

Deleting cryptographic key material managed by KMS can be risky: after the key material is deleted, ciphertext may remain that is now indecipherable. Because of this risk, AWS enforces a minimum 7-day waiting period. A key cannot be deleted immediately; it must first be scheduled for deletion by the system. This signal indicates that a key deletion has been scheduled or canceled. This signal, in the context of other signals around this entity, may describe a hostile pattern of attack.

AWS CloudTrail - Secrets Manager sensitive admin action observed (IP)

Administrative changes to AWS Secrets Manager aren't overtly hostile, but they are generally low volume and can be considered sensitive. These signals highlight when these actions occur and can be used in the context of other suspicious activity to raise the risk of a hostile entity. Several Secrets Manager API actions are included and assessed as sensitive.

AWS CloudTrail - Secrets Manager sensitive admin action observed (Username)

Administrative changes to AWS Secrets Manager aren't overtly hostile, but they are generally low volume and can be considered sensitive. These signals highlight when these actions occur and can be used in the context of other suspicious activity to raise the risk of a hostile entity. Several Secrets Manager API actions are included and assessed as sensitive.

AWS CloudTrail - Successful Console Login without MFA

An AWS console login was successful where the account did NOT use multi-factor authentication (MFA) to gain access. It is strongly recommended that all accounts used for console access require MFA to protect your AWS account in the event credentials are stolen.

AWS CloudTrail - sensitive activity in KMS (IP)

AWS KMS is an encryption and key management web service. Besides encrypting and decrypting data, users and administrators can use this service to create keys, manage keys, etc. This signal indicates activity that explicitly enables and disables keys. This activity has been surveyed to be a low-volume event and could be considered suspicious given other activity involving the entity. Additionally, monitoring for these events is required to achieve certain industry audit compliance.

AWS CloudTrail - sensitive activity in KMS (Username)

AWS KMS is an encryption and key management web service. Besides encrypting and decrypting data, users and administrators can use this service to create keys, manage keys, etc. This signal indicates activity that explicitly enables and disables keys. This activity has been surveyed to be a low-volume event and could be considered suspicious given other activity involving the entity. Additionally, monitoring for these events is required to achieve certain industry audit compliance.

AWS GuardDuty - Pass-Through Rule (Device Name)

The AWS GuardDuty service generated an alert for your cloud environment with the following details: {{description}}

AWS GuardDuty - Pass-Through Rule (IP)

The AWS GuardDuty service generated an alert for your cloud environment with the following details: {{description}}

AWS GuardDuty - Pass-Through Rule (User)

The AWS GuardDuty service generated an alert for your cloud environment with the following details: {{description}}

Abnormal Parent-Child Process Combination

This alert detects a Windows process spawned by a parent process that does not normally spawn it.

Active Directory Domain Enumeration - Track IP

Potentially detects an attacker attempting to enumerate active users on the network. Attackers will use enumeration tools such as BloodHound that quickly query the domain controller by submitting multiple Kerberos ticket requests with forged device names to gather user and group information for those devices.

Active Directory Domain Enumeration - Track User

Potentially detects an attacker attempting to enumerate active users on the network. Attackers will use enumeration tools such as BloodHound that quickly query the domain controller by submitting multiple Kerberos ticket requests with forged device names to gather user and group information for those devices.

Active Directory Password Spray Attack (Track Hostname)

A high number of failed logon attempts within a 5-minute window from a single endpoint with unique usernames.

Active Directory Password Spray Attack (Track IP)

A high number of failed logon attempts within a 5-minute window from a single endpoint with unique usernames.

Administrator Login via RDP

This rule looks for successful logins over RDP for administrator accounts.

AlphaSOC NFR

IP: {{srcDevice_ip}}, Potentially Malicious Domain: {{threat_referenceUrl}}, Signature: {{fields['signature']}}, Tags: {{fields['cs1']}}

Amazon VPC - Network Scan

Attackers will often perform reconnaissance against customer environments to better understand the resources on the network. While doing so, they are usually blocked by firewall rules. This rule looks for network traffic from a single source IP address that was rejected by AWS security groups to at least 10 different destination IP addresses within a 5-minute window.

Amazon VPC - Port Scan

Attackers will often perform reconnaissance against customer environments to better understand the resources on the network. While doing so, they are usually blocked by firewall rules. This rule looks for network traffic from a single source IP address that was rejected by AWS security groups to multiple distinct destination port numbers within a short time window.

Attempt to Clear Windows Event Logs Using Wevtutil (Hostname)

Observes for attempts to clear Windows event logs using wevtutil. Command line auditing is necessary for this rule to function.

Attempt to Clear Windows Event Logs Using Wevtutil (User)

Observes for attempts to clear Windows event logs using wevtutil. Command line auditing is necessary for this rule to function.

Attempted Credential Dump From Registry Via Reg.Exe (Hostname)

Monitors for use of reg.exe with parameters indicating the attempted export of hashed credentials. Audit Object Access (success & failure) must be enabled for this rule to function. Monitoring of the following registry keys is necessary: HKLM\Security, HKLM\Security\Cache, HKLM\System, HKLM\Security\Policy\Secrets, and HKLM\Sam.

Attempted Credential Dump From Registry Via Reg.Exe (User)

Monitors for use of reg.exe with parameters indicating the attempted export of hashed credentials. Audit Object Access (success & failure) must be enabled for this rule to function. Monitoring of the following registry keys is necessary: HKLM\Security, HKLM\Security\Cache, HKLM\System, HKLM\Security\Policy\Secrets, and HKLM\Sam.

Attrib.exe use to Hide Files and Folders (Hostname)

Observes for use of attrib.exe with the hide flag. The built-in Windows utility attrib.exe can be used by adversaries to hide files and folders from the end user, a form of defense evasion. Command line auditing or Sysmon is required for this rule to function.

Attrib.exe use to Hide Files and Folders (User)

Observes for use of attrib.exe with the hide flag. The built-in Windows utility attrib.exe can be used by adversaries to hide files and folders from the end user, a form of defense evasion. Command line auditing or Sysmon is required for this rule to function.

Auth0 - Excessive Failed Logins

Too many failed logins in a short timeframe are indicative of a possible brute force attack.

Auth0 - High Risk Event

{{description}}

Auth0 - Password Spray Attack

A high number of failed logon attempts within a 5-minute window from a single endpoint with unique usernames.

Auth0 - User Login From Two Different Countries

This signal triggers when there are two successful logins from the same user with different country codes, indicating possible credential theft. It is recommended to add filtering criteria to the expression to reduce false positives, for example a match list of known VPN IP addresses that should be excluded from consideration in the expression.

Authentication Brute Force Attempt

This signal indicates that a security appliance is reporting that a brute force attack is underway. A brute force attack is a hostile attempt to gain access through rapid guessing of passwords. This pass-through signal is different from other signals that actively monitor the frequency of failed attempts, and can therefore be more difficult to analyze, as the source records are often hidden from the analyst's view. Nevertheless, this signal is important to include when building context around suspicious activity.

Azure - Add Member to Group (IP)

{{user_username}} added {{changeTarget}} to group {{fields['properties.targetResources.1.modifiedProperties.2.newValue']}}. It is recommended to add additional expression logic to this rule to either exclude non-sensitive groups or to only include sensitive groups.

Azure - Add Member to Group (User)

{{user_username}} added {{changeTarget}} to group {{fields['properties.targetResources.1.modifiedProperties.2.newValue']}}. It is recommended to add additional expression logic to this rule to either exclude non-sensitive groups or to only include sensitive groups.

Azure - Add Member to Role Outside of PIM (IP)

{{device_ip}} added {{changeTarget}} to {{fields['properties.targetResources.1.modifiedProperties.2.newValue']}}. Privileged Identity Management (PIM) allows administrators to grant users privileged access with greater oversight of the activities undertaken while that access is granted, as well as control over the duration of access. Adding a user to a role, especially one with administrative privileges, outside of PIM may indicate a threat actor attempting to persist privileged access.

Azure - Add Member to Role Outside of PIM (User)

{{user_username}} added {{changeTarget}} to {{fields['properties.targetResources.1.modifiedProperties.2.newValue']}}. Privileged Identity Management (PIM) allows administrators to grant users privileged access with greater oversight of the activities undertaken while that access is granted, as well as control over the duration of access. Adding a user to a role, especially one with administrative privileges, outside of PIM may indicate a threat actor attempting to persist privileged access.

Azure - Brute Force Login Attempt

Detection of a potential brute-force login attempt.

Azure - Create User (IP)

User {{fields['properties.targetResources.userPrincipalName']}} created from IP {{device_ip}}

Azure - Create User (User)

User {{user_username}} created user {{fields['properties.targetResources.userPrincipalName']}}

Azure - External User Invitation Redeemed (IP)

User {{user_username}} redeemed external user invitation from IP {{device_ip}}

Azure - External User Invitation Redeemed (User)

User {{user_username}} redeemed external user invitation

Azure - External User Invited (IP)

User {{user_username}} invited an external user to create an account from IP {{device_ip}}

Azure - External User Invited (User)

User {{user_username}} invited an external user to create an account

Azure - Group Information Downloaded (IP)

IP: {{device_ip}} successfully downloaded user information

Azure - Group Information Downloaded (User)

{{user_username}} successfully downloaded group information

Azure - High Risk Sign-In (Aggregate) (IP)

A sign-in with a high aggregate risk level was detected. User: {{user_username}} IP: {{device_ip}} https://docs.microsoft.com/en-us/azu...protection-faq

Azure - High Risk Sign-In (Aggregate) (User)

A sign-in with a high aggregate risk level was detected. User: {{user_username}} IP: {{device_ip}} https://docs.microsoft.com/en-us/azu...protection-faq

Azure - High Risk Sign-In (Real Time) (IP)

A sign-in with a high real time risk level was detected. User: {{user_username}} IP: {{device_ip}} https://docs.microsoft.com/en-us/azu...protection-faq

Azure - High Risk Sign-In (Real Time) (User)

A sign-in with a high real time risk level was detected. User: {{user_username}} IP: {{device_ip}} https://docs.microsoft.com/en-us/azu...protection-faq

Azure - Member Added to Company Administrator Role (IP)

{{changeTarget}} added to Company (Global) Administrator role by IP {{device_ip}}

Azure - Member Added to Company Administrator Role (User)

{{changeTarget}} added to Company (Global) Administrator role by {{user_username}}

Azure - Member Added to Company Administrator Role Non-PIM (IP)

{{changeTarget}} added to Company (Global) Administrator role by IP {{device_ip}}

Azure - Member Added to Company Administrator Role Non-PIM (User)

{{changeTarget}} added to Company (Global) Administrator role by {{user_username}}

Azure - Member Added to Non-Company Administrator Role (IP)

{{changeTarget}} added to {{fields['properties.targetResources.1.modifiedProperties.2.newValue']}} role by IP {{device_ip}}

Azure - Member Added to Non-Company Administrator Role (User)

{{changeTarget}} added to {{fields['properties.targetResources.1.modifiedProperties.2.newValue']}} role by {{user_username}}

Azure - Password Spraying (IP)

Detects potential password spray attacks against Azure user accounts

Azure - Policy Added (IP)

This rule is designed to monitor for conditional access policy additions. It is recommended to include or exclude certain policies from monitoring for better security value; the inclusion expression is AND application in ('policy','example') and the exclusion expression is AND application not in ('policy','example').

Azure - Policy Added (User)

This rule is designed to monitor for conditional access policy additions. It is recommended to include or exclude certain policies from monitoring for better security value; the inclusion expression is AND application in ('policy','example') and the exclusion expression is AND application not in ('policy','example').

Azure - Policy Deleted (IP)

This rule is designed to monitor for conditional access policy deletions. It is recommended to include or exclude certain policies from monitoring for better security value; the inclusion expression is AND application in ('policy','example') and the exclusion expression is AND application not in ('policy','example').

Azure - Policy Deleted (User)

This rule is designed to monitor for conditional access policy deletions. It is recommended to include or exclude certain policies from monitoring for better security value; the inclusion expression is AND application in ('policy','example') and the exclusion expression is AND application not in ('policy','example').

Azure - Policy Updated (IP)

This rule is designed to monitor for conditional access policy updates. It is recommended to include or exclude certain policies from monitoring for better security value; the inclusion expression is AND application in ('policy','example') and the exclusion expression is AND application not in ('policy','example').

Azure - Policy Updated (User)

This rule is designed to monitor for conditional access policy updates. It is recommended to include or exclude certain policies from monitoring for better security value; the inclusion expression is AND application in ('policy','example') and the exclusion expression is AND application not in ('policy','example').

Azure - Risky User State : User Confirmed Compromised (IP)

An administrator has flagged this sign-in in Identity Protection as not having been performed by the account owner, indicating a compromise.

Azure - Risky User State : User Confirmed Compromised (User)

An administrator has flagged this sign-in in Identity Protection as not having been performed by the account owner, indicating a compromise.

Azure - Sign On Without MFA (IP)

User {{user_username}} signed in without Multi-Factor Authentication from IP {{device_ip}}

Azure - Sign On Without MFA (User)

User {{user_username}} signed in without Multi-Factor Authentication

Azure - Suspicious User Risk State Associated with Login (IP)

Sign in by {{user_username}} has been flagged as at risk. Risk Type(s): {{fields['properties.riskEventTypes.1']}} {{fields['properties.riskEventTypes.2']}} {{fields['properties.riskEventTypes.3']}} {{fields['properties.riskEventTypes.4']}} {{fields['properties.riskEventTypes.5']}} {{fields['properties.riskEventTypes.6']}} {{fields['properties.riskEventTypes.7']}} {{fields['properties.riskEventTypes.8']}} {{fields['properties.riskEventTypes.9']}}

Azure - Suspicious User Risk State Associated with Login (User)

Sign in by {{user_username}} has been flagged as at risk. Risk Type(s): {{fields['properties.riskEventTypes.1']}} {{fields['properties.riskEventTypes.2']}} {{fields['properties.riskEventTypes.3']}} {{fields['properties.riskEventTypes.4']}} {{fields['properties.riskEventTypes.5']}} {{fields['properties.riskEventTypes.6']}} {{fields['properties.riskEventTypes.7']}} {{fields['properties.riskEventTypes.8']}} {{fields['properties.riskEventTypes.9']}}

Azure - Unauthorized OAuth Application

Alert when a non-approved OAuth application has been identified on Azure. This rule is disabled by default because a list of approved OAuth applications is required before it can be enabled. The approved applications should be added to the rule logic under the 'application not in' condition.

Azure - User Information Downloaded (IP)

IP: {{device_ip}} successfully downloaded user information

Azure - User Information Downloaded (User)

{{user_username}} successfully downloaded user information

Azure - User Login From 2+ Countries Within 1 Hour

User logged in from 2+ countries in 1 hour. It is recommended to add filtering criteria to the expression to reduce false positives, for example a match list containing known VPN IP addresses that should be excluded from consideration in the expression.

Backdoor.HTTP.BEACON.[CSBundle CDN GET]

From FireEye Red Team Tool Countermeasures: Network detection rule that looks for specific HTTP headers related to the HTTP GET request content designated within the Cobalt Strike malleable C2 profile.

Backdoor.HTTP.BEACON.[CSBundle MSOffice GET]

From FireEye Red Team Tool Countermeasures: Network detection rule that looks for a specific HTTP URI value in combination with HTTP header values and payload content. These are related to the HTTP GET request values designated within the Cobalt Strike malleable C2 profile.

Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]

From FireEye Red Team Tool Countermeasures: Network detection rule that looks for a specific HTTP URI value in combination with HTTP header values and payload content. These are related to the HTTP POST request values designated within the Cobalt Strike malleable C2 profile.

Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET]

From FireEye Red Team Tool Countermeasures: Network detection rule that looks for specific HTTP headers and URI content. This is related to the HTTP GET request content designated within the Cobalt Strike malleable C2 profile.

Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]

From FireEye Red Team Tool Countermeasures:

Backdoor.HTTP.BEACON.[CSBundle Original GET]

From FireEye Red Team Tool Countermeasures: Network detection rule that looks for specific HTTP headers and URI content. This is related to the HTTP GET request content designated within the Cobalt Strike malleable C2 profile.

Backdoor.HTTP.BEACON.[CSBundle Original POST]

From FireEye Red Team Tool Countermeasures: Network detection rule that looks for specific HTTP header and URI values. These are related to the HTTP POST request content designated within the Cobalt Strike malleable C2 profile.

Backdoor.HTTP.BEACON.[CSBundle Original Stager]

From FireEye Red Team Tool Countermeasures: Network detection rule that looks for specific HTTP headers and URI content. This is related to the HTTP GET and POST request content designated within the Cobalt Strike malleable C2 profile.

Backdoor.HTTP.BEACON.[CSBundle USAToday GET]

From FireEye Red Team Tool Countermeasures: Network detection rule that looks for specific HTTP headers and URI content. This is related to the HTTP GET request content designated within the Cobalt Strike malleable C2 profile.

Backdoor.HTTP.BEACON.[CSBundle USAToday Server]

From FireEye Red Team Tool Countermeasures: Network detection rule that looks for specific response body content within Cobalt Strike malleable C2 profile. This is used as an attempt to blend in and provide legitimacy within the malware C2 communications.

Backdoor.HTTP.BEACON.[Yelp GET]

From FireEye Red Team Tool Countermeasures: Network detection rule that looks for specific HTTP header and URI values. These are related to the HTTP GET request content designated within the Cobalt Strike malleable C2 profile.

Backdoor.HTTP.BEACON.[Yelp Request]

From FireEye Red Team Tool Countermeasures: Network detection rule that looks for specific HTTP header for either a POST or GET request. These are related to the HTTP request content designated within the Cobalt Strike malleable C2 profile.

Backdoor.HTTP.GORAT.[POST]

From FireEye Red Team Tool Countermeasures: GORAT is the modular backdoor portion of the REDFLARE framework. This rule looks for unique content within the HTTP request communications of the backdoor.

Backdoor.HTTP.GORAT.[SID1]

From FireEye Red Team Tool Countermeasures: GORAT is the modular backdoor portion of the REDFLARE framework. This rule looks for unique content within the HTTP request communications of the backdoor.

Backdoor.SSL.BEACON.[CSBundle Ajax]

From FireEye Red Team Tool Countermeasures: Network detection rule that looks for specific SSL/TLS certificate metadata attempting to masquerade as a legitimate certificate. The content in this rule is looking for a self-signed certificate which is designated within the Cobalt Strike malleable C2 profile.

Base32 in DNS Query

By using base32, binary and text data can be encoded in a way that is fully compliant with DNS protocol specifications. Because standard base32 uses only the letters a-z and the digits 2-7, an encoded label is valid hostname text, so entropy must be measured to distinguish it from ordinary names. The presence of long base32 encoding in a DNS query may indicate tunneling of information out of a network. Some security vendors and internet providers also use this technique to operate cloud infrastructure or transport information through firewalled environments.

Bitsadmin to Uncommon TLD

Detects BITS connections to external domains with uncommon TLDs. Reference: https://isc.sans.edu/forums/diary/In...ctivity/23281/

Blocked Email Host

The originator's address appears in the block list error message, meaning an SMTP server sent a reply mentioning an SMTP block list. This is useful for detecting local hosts sending spam, with a high true-positive rate.

Blocked Email Message

An SMTP server sent a reply mentioning an SMTP block list.

BlueMashroom DLL Load (Hostname)

Detects a suspicious DLL load from the AppData\Local path, as described in the BlueMashroom report.

BlueMashroom DLL Load (IP)

Detects a suspicious DLL load from the AppData\Local path, as described in the BlueMashroom report.

BlueMashroom DLL Load (Username)

Detects a suspicious DLL load from the AppData\Local path, as described in the BlueMashroom report.

Bluecoat Proxy - Suspicious or Malicious Categories

This rule triggers any time there is a Suspicious or Malicious Bluecoat category which could indicate there is a problem with the host making the connection.

Browser Exploitation Framework (BeEF) Hook

The Browser Exploitation Framework (BeEF) is a penetration-testing tool focusing on web browsers. This rule looks for HTTP communication that includes the default BeEF cookie, which indicates a hooked browser.

COMPlus_ETWEnabled Command Line Arguments (Hostname)

Detects command lines that set COMPlus_ETWEnabled, which adversaries use to stop the .NET runtime's ETW provider from recording loaded .NET assemblies.

COMPlus_ETWEnabled Command Line Arguments (IP)

Detects command lines that set COMPlus_ETWEnabled, which adversaries use to stop the .NET runtime's ETW provider from recording loaded .NET assemblies.

COMPlus_ETWEnabled Command Line Arguments (Username)

Detects command lines that set COMPlus_ETWEnabled, which adversaries use to stop the .NET runtime's ETW provider from recording loaded .NET assemblies.

Carbon Black Defense - High Threat Event (Hostname)

{{description}}

Carbon Black Defense - High Threat Event (IP)

{{description}}

Carbon Black Defense - High Threat Event (Username)

{{description}}

Carbon Black Defense - Low Threat Event (Hostname)

{{description}}

Carbon Black Defense - Low Threat Event (IP)

{{description}}

Carbon Black Defense - Low Threat Event (Username)

{{description}}

Carbon Black Defense - Medium Threat Event (Hostname)

{{description}}

Carbon Black Defense - Medium Threat Event (IP)

{{description}}

Carbon Black Defense - Medium Threat Event (Username)

{{description}}

Checkpoint Firewall

Templated rule for all security related Checkpoint Firewall Alerts.

Cisco AMP - Templated Events (Hostname)

Cisco AMP has raised the event {{action}} on the host {{device_hostname}}

Cisco AMP - Templated Events (IP)

Cisco AMP has raised the event {{action}} on the host {{device_hostname}}

Cisco Firepower - Attack Alert

Cisco Firepower is an intrusion detection system (IDS) that generates alerts based on network traffic. This rule creates CSE signals from the IDS alerts, allowing Cisco Firepower IDS alerts to participate in CSE Insight generation. This specific rule looks for IDS attacks where the source IP address is the attacker.

Cisco Firepower - IDS Attack Alert Diversity

5 or more distinct IDS attack signatures were observed within 5 minutes from a single source IP address. A single IP address producing alerts for diverse signatures within a short period of time is often a more interesting attack detection than a repeat of one signature.

Cisco Firepower - IDS Attack Alert Spike

A spike of 50 IDS attack alerts in 10 minutes from the same source IP entity was observed.

Cisco Firepower - IDS Response Alert Diversity

5 or more distinct IDS response signatures were observed within 5 minutes for a single destination IP address. A single IP address producing alerts for diverse signatures within a short period of time is often a more interesting attack detection than a repeat of one signature.

Cisco Firepower - IDS Response Alert Spike

A spike of 50 IDS response alerts in 10 minutes from the same destination IP entity was observed.

Cisco Firepower - Response Alert

Cisco Firepower is an intrusion detection system (IDS) that generates alerts based on network traffic. This rule creates CSE signals from the IDS alerts, allowing Cisco Firepower IDS alerts to participate in CSE Insight generation. This specific rule looks for IDS attacks where the destination IP address is the attacker.

Cisco Meraki Threat Events

Event Type: {{description}}; Endpoint IP: {{srcDevice_ip}}; Destination IP: {{dstDevice_ip}}

Cisco Stealthwatch Template Alerts

{{fields['fullmessage']}}

Cisco Umbrella - DNS Request Category: Adware

Cisco Umbrella detected a DNS request to a domain categorized as Adware.

Cisco Umbrella - DNS Request Category: Command and Control

Cisco Umbrella detected a DNS request to a domain categorized as Command and Control.

Cisco Umbrella - DNS Request Category: Cryptomining

Cisco Umbrella detected a DNS request to a domain categorized as Cryptomining.

Cisco Umbrella - DNS Request Category: DNS Tunneling VPN

Cisco Umbrella detected a DNS request to a domain categorized as DNS Tunneling VPN.

Cisco Umbrella - DNS Request Category: Dynamic DNS

Cisco Umbrella detected a DNS request to a domain categorized as Dynamic DNS.

Cisco Umbrella - DNS Request Category: Hacking

Cisco Umbrella detected a DNS request to a domain categorized as Hacking.

Cisco Umbrella - DNS Request Category: Malware

Cisco Umbrella detected a DNS request to a domain categorized as Malware.

Cisco Umbrella - DNS Request Category: Newly Seen Domains

Cisco Umbrella detected a DNS request to a domain categorized as Newly Seen Domains. It is unusual for a host to communicate with a brand-new domain under normal operations, but malware authors who register domains specifically for malicious use will have infected hosts connect to them shortly after registration.

Cisco Umbrella - DNS Request Category: P2P/File sharing

Cisco Umbrella detected a DNS request to a domain categorized as P2P/File sharing.

Cisco Umbrella - DNS Request Category: Personal VPN

Cisco Umbrella detected a DNS request to a domain categorized as Personal VPN.

Cisco Umbrella - DNS Request Category: Phishing

Cisco Umbrella detected a DNS request to a domain categorized as Phishing.

Cisco Umbrella - DNS Request Category: Potentially Harmful

Cisco Umbrella detected a DNS request to a domain categorized as Potentially Harmful.

Cisco Umbrella - DNS Request Category: Proxy/Anonymizer

Cisco Umbrella detected a DNS request to a domain categorized as Proxy/Anonymizer.

Cisco Umbrella - Proxy Logs with Cisco AMP Detections

A Cisco Umbrella proxy log entry with a Cisco AMP disposition of malicious was detected.

Clipboard Copied (Host)

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Clipboard Copied (User)

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Command Line Execution with Suspicious URL and AppData Strings (Host)

Detects a suspicious command line execution that includes both a URL and an AppData string in the command line parameters, as used by several droppers.

Command Line Execution with Suspicious URL and AppData Strings (User)

Detects a suspicious command line execution that includes both a URL and an AppData string in the command line parameters, as used by several droppers.

Connection to High Entropy Domain

An HTTP connection was made to a high entropy domain name. Entropy is a measure of randomness; DGA domains used by malware (e.g. g46mbrrzpfszonuk) often have high entropy.

Copy from Admin Share (Host)

Detects a suspicious copy command from a remote C$ or ADMIN$ share.

Copy from Admin Share (User)

Detects a suspicious copy command from a remote C$ or ADMIN$ share.

Create Windows Share (Hostname)

Observes for net.exe being used to create a network share. Requires process command line auditing (for example via Sysmon) to function.

Create Windows Share (User)

Observes for net.exe being used to create a network share. Requires process command line auditing (for example via Sysmon) to function.

CrowdStrike Threat Detection Alert (Hostname)

CrowdStrike: {{description}} on {{device_hostname}}

CrowdStrike Threat Detection Alert (IP)

CrowdStrike: {{description}} on {{device_ip}}

CrowdStrike Threat Detection Alert (Username)

CrowdStrike: {{description}} with user: {{user_username}}

Crypto Miner HTTP User Agent

This signal looks for HTTP requests where the user agent matches common names associated with crypto miners. It is common for attackers to install crypto miners on compromised hosts to use your CPU resources for their profit.

Curl Start Combination (Host)

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Curl Start Combination (User)

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Cylance Protect - Event Severity 1

Cylance Protect event with the severity between -0.199 and -0.001

Cylance Protect - Event Severity 2

Cylance Protect event with the severity between -0.299 and -0.200

Cylance Protect - Event Severity 3

Cylance Protect event with the severity between -0.399 and -0.300

Cylance Protect - Event Severity 4

Cylance Protect event with the severity between -0.499 and -0.400

Cylance Protect - Event Severity 5

Cylance Protect event with the severity between -0.599 and -0.500

Cylance Protect - Event Severity 6

Cylance Protect event with the severity between -0.699 and -0.600

Cylance Protect - Event Severity 7

Cylance Protect event with the severity between -0.799 and -0.700

Cylance Protect - Event Severity 8

Cylance Protect event with the severity between -0.899 and -0.800

Cylance Protect - Event Severity 9

Cylance Protect event with the severity between -1.000 and -0.900

DCE-RPC Service Control Call - Destination Match

The Remote Procedure Call (RPC) protocol allows remote administrative commands to be executed. Creating or deleting services, when combined with other signals, can be part of an attempt to move laterally inside a network using SMB and related protocols.

DCE-RPC Service Control Call - Source Match

The Remote Procedure Call (RPC) protocol allows remote administrative commands to be executed. Creating or deleting services, when combined with other signals, can be part of an attempt to move laterally inside a network using SMB and related protocols.

DCERPC - SAMR Enumeration of All Users

Microsoft provides a protocol called SAMR, the Security Account Manager Remote Protocol. It is designed for developers to perform remote procedure calls (RPC) that interact with the account database of both local machines and remote Active Directory domains. It contains a method called SamrEnumerateUsersInDomain, which returns a list of users in a domain. Attackers who have network access to the domain can use this method to enumerate the user accounts in Active Directory. This signal looks for an RPC connection using the SAMR protocol with the method SamrEnumerateUsersInDomain, signifying a request to enumerate user accounts over the network.

DNS DGA Lookup Behavior - NXDOMAIN Responses

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions. This technique is described in https://attack.mitre.org/techniques/T1483/.

DNS Lookup of High Entropy Domain

DNS lookup of a high entropy domain name, which may be indicative of a domain generation algorithm (DGA) related domain. This technique is described at https://attack.mitre.org/techniques/T1483/.

DNS RCE Exploit CVE-2020-1350 (Hostname)

Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting a suspicious child process of the DNS server.

DNS RCE Exploit CVE-2020-1350 (IP)

Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting a suspicious child process of the DNS server.

DNS RCE Exploit CVE-2020-1350 (Username)

Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting a suspicious child process of the DNS server.

DNS query for dynamic DNS provider

Dynamic DNS providers are often abused to host malware control servers and other malicious content. https://attack.mitre.org/techniques/T1311/ and https://attack.mitre.org/techniques/T1333/ describe the use of this technique by attackers.

DNS.EXE Observed as Parent Process

With very few exceptions, the DNS.EXE program should not spawn other processes. This could be an indication that the process is a trojan or has been compromised. This behavior has been shown to be a behavioral indicator after successful attacks against DNS (e.g. SIGRed). Examine the process created by DNS.EXE ({{baseImage}}) and analyze it for legitimacy.

DTRACK Process Creation (Hostname)

Detects specific process parameters as seen in DTRACK infections

DTRACK Process Creation (IP)

Detects specific process parameters as seen in DTRACK infections

DTRACK Process Creation (Username)

Detects specific process parameters as seen in DTRACK infections

Delete Windows Share (Hostname)

Observes for net.exe being used to delete a network share. Requires process command line auditing (for example via Sysmon) to function.

Delete Windows Share (User)

Observes for net.exe being used to delete a network share. Requires process command line auditing (for example via Sysmon) to function.

Directory Traversal - Successful

Directory traversal is an attempt by an attacker to access files located on the host which are not intended to be returned by the web server. For example, attackers seeking usernames/passwords for the host will focus on paths like ../../etc/passwd, ../../../etc/shadow, etc. When successful, a directory traversal attack results in the attacker gaining access to sensitive information and identifying a mechanism of future attack. When unsuccessful, directory traversal is an indication of ongoing external reconnaissance.

Directory Traversal - Unsuccessful

Directory traversal is an attempt by an attacker to access files located on the host which are not intended to be returned by the web server. For example, attackers seeking usernames/passwords for the host will focus on paths like ../../etc/passwd, ../../../etc/shadow, etc. When successful, a directory traversal attack results in the attacker gaining access to sensitive information and identifying a mechanism of future attack. When unsuccessful, directory traversal is an indication of ongoing external reconnaissance.
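The two rules above share one detection: find a traversal sequence in the requested path and split the hits by HTTP status. The following is an added example, not Sumo Logic's rule logic, that runs the check over constructed access-log lines in combined log format. It shows the two details a practitioner has to get right: decoding the path repeatedly so double encoding (%252e%252e) and backslashes are caught, and only counting a ".." that is actually followed by a separator, so a file literally named "..hidden" is not a hit. The log lines, the sensitive-file list and the field names are assumptions made for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Combined-log-format access log parser (only the fields the check needs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A ".." followed by a separator (or ending the path) is a traversal step;
# "..hidden/" is not.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")
# Files attackers typically aim for; their presence raises the finding's priority.
SENSITIVE_TARGETS = ("etc/passwd", "etc/shadow", "win.ini", "boot.ini", "web.config")

# Constructed sample log lines (not real traffic): two attempts from one scanner,
# a Windows-style attempt, normal traffic, and a decoy name that must not match.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /images/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1834',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /images/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 199',
    '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /download?file=..\\..\\windows\\win.ini HTTP/1.1" 404 153',
    '192.0.2.5 - - [10/Oct/2023:13:56:10 +0000] "GET /static/app.js HTTP/1.1" 200 9321',
    '192.0.2.5 - - [10/Oct/2023:13:56:11 +0000] "GET /docs/..hidden/readme HTTP/1.1" 200 512',
]


def normalize_path(raw: str) -> str:
    """Percent-decode until the value stops changing (defeats double encoding
    such as %252e), unify backslashes to slashes, and lower-case for matching.
    Overlong UTF-8 forms (%c0%ae) are not decoded here; add them if your
    sensor reports them."""
    decoded = raw
    for _ in range(3):  # bounded so a pathological input cannot loop forever
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/").lower()


def detect_traversal(lines: List[str]) -> Dict[str, List[dict]]:
    """Split traversal attempts into successful (2xx) and unsuccessful ones."""
    result: Dict[str, List[dict]] = {"successful": [], "unsuccessful": []}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m.group("path"))
        if not TRAVERSAL_RE.search(path):
            continue
        status = int(m.group("status"))
        finding = {
            "ip": m.group("ip"),
            "path": path,
            "status": status,
            "sensitive_target": any(t in path for t in SENSITIVE_TARGETS),
        }
        bucket = "successful" if 200 <= status < 300 else "unsuccessful"
        result[bucket].append(finding)
    return result


if __name__ == "__main__":
    for bucket, findings in detect_traversal(SAMPLE_LOG).items():
        for finding in findings:
            print(bucket, finding)
```

A 2xx on a traversal path is the strong signal; the 403 and 404 hits from the same sources are the reconnaissance the second rule describes, and grouping them by source IP is what turns single hits into a useful picture.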

Disabled Account Logon Attempt

Detects a disabled account being used for a logon attempt in a Windows environment.

Domain Resolution in Non-Standard TLD

DNS resolution of a domain that is not under an ICANN-standard TLD. These TLDs are provided by alternate DNS root servers such as OpenNIC. Their use on corporate networks is fundamentally suspicious and potentially a sign of abuse by threat actors.

Doublepulsar scan - likely not infected

Doublepulsar scans to check if the host is already infected before attempting to install the backdoor.

Dridex Process Pattern (Hostname)

Detects typical Dridex process patterns

Dridex Process Pattern (IP)

Detects typical Dridex process patterns

Dridex Process Pattern (Username)

Detects typical Dridex process patterns

Duo Security - Excessive Authentication Failures From IP

An IP address was observed generating an excessive amount of authentication failures. This could indicate an attack or misconfigured system.

Duo Security - Multiple Authentication Failures From a User

A user account was observed generating an excessive amount of authentication failures. This could indicate an attack or misconfigured system.

Duo Security - Source IP Failing Authentication with Excessive Usernames

A source IP address was observed making excessive authentication failures using many different user accounts in a short period of time. This could indicate an attacker attempting a brute force attack.

Excavator Utility

From FireEye Red Team Tool Countermeasures: Excavator is a tool for dumping the process via a service. It can also dump the process directly if not used as a service.

Excessive Firewall Denies

This rule is designed to detect an excessive number of firewall blocks within a short time frame. Customers will need to adjust the threshold of this rule to align with their environment's normal versus abnormal firewall traffic patterns.

Executable Downloaded - Content-Type Mismatch

This rule identifies scenarios where an attacker may have attempted to surreptitiously download an executable file by hiding it behind a different Content-Type, such as image/png. This technique has been observed in samples of Trickbot malware.

Exfiltration and Tunneling Tools Execution (Host)

Execution of well known tools for data exfiltration and tunneling.

Exfiltration and Tunneling Tools Execution (User)

Execution of well known tools for data exfiltration and tunneling.

External Device Installation Denied (Host)

Detects a denied attempt to attach a removable media device. External media can be used to exfiltrate sensitive data and is also a common source of infections. Attempts to use these devices could indicate intent for malicious activity.

External Device Installation Denied (User)

Detects a denied attempt to attach a removable media device. External media can be used to exfiltrate sensitive data and is also a common source of infections. Attempts to use these devices could indicate intent for malicious activity.

Fake Windows Processes (Hostname)

Observes for known Windows processes being executed outside of their normal directories (System32 and SysWOW64), which would indicate process masquerading. Note that this rule requires creating a match list 'known_windows_processes' containing known legitimate Windows processes that would not normally be executed outside of System32 or SysWOW64. This rule requires either Windows process auditing or Sysmon to be enabled to function.

Fake Windows Processes (User)

Observes for known Windows processes being executed outside of their normal directories (System32 and SysWOW64), which would indicate process masquerading. Note that this rule requires creating a match list 'known_windows_processes' containing known legitimate Windows processes that would not normally be executed outside of System32 or SysWOW64. This rule requires either Windows process auditing or Sysmon to be enabled to function.

File or Folder Permissions Modifications (Host)

Detects file or folder permission modifications.

File or Folder Permissions Modifications (User)

Detects file or folder permission modifications.

Findstr Launching .lnk File (Host)

Detects usage of findstr to identify and execute a .lnk file, as seen in the HHS redirect attack.

Findstr Launching .lnk File (User)

Detects usage of findstr to identify and execute a .lnk file, as seen in the HHS redirect attack.

FireEye CMS - Malware Callback

FireEye detected a malware callback with the following details: {{fields['channel']}}

FireEye CMS - Riskware Callback

This rule detects CMS Riskware Callback events

FireEye CMS Domain Matches

FireEye flagged the domain {{dns_queryDomain}}

FireEye CMS IPS Attack Events

FireEye IPS detected the threat {{threat_name}} from {{srcDevice_ip}} to {{dstDevice_ip}}

FireEye CMS IPS Response Events

FireEye IPS detected the threat {{threat_name}} from {{srcDevice_ip}} to {{dstDevice_ip}}

FireEye Web Infection Alert

FireEye detected a web infection to the following path: {{http_url}}

Firewall Allowed SMB Traffic (Hostname)

Observes for SMB traffic allowed through the firewall.

Firewall Allowed SMB Traffic (IP)

Observes for SMB traffic allowed through the firewall.

First Seen Access - SMB Share

Adversaries may access a networked system remotely using Server Message Block (SMB) to transfer files, and run transferred binaries through remote execution. Although not malicious on its own, this first-seen access to a DISK share over SMB can be an indicator of lateral movement.

Fortinet Critical App-Risk

This signal fires when Fortinet identifies a critical risk application in use within the network.

Fortinet High App-Risk

This signal fires when Fortinet detects a high risk application within the environment

Fortinet IDS Alerts

A {{severity}} FortiGate IDS alert was triggered. Additional documentation can be found at {{threat_referenceUrl}}

G Suite - Access - Access Transparency

Google Access Transparency Activity Events

G Suite - Admin - User Settings - Turn Off 2SV

Admin disabled 2SV for user

G Suite - Admin Activity

The admin activity report returns information on the Admin console activities of all of your account's administrators.

G Suite - Drive - Drive Open To Public

Google Drive resource shared publicly

G Suite - Excessive OAuth Application Permissions Scope

Alert when an OAuth application has requested a high number of permissions to aspects of G Suite.

G Suite - Login - Account Warning

Google Accounts warnings

G Suite - Login - Government Attack Warning

Government-backed attack warnings

G Suite - Mobile - Suspicious Activity

Google G Suite alert for mobile suspicious activity

G Suite - SAML Failed Logons (Track IP)

A G Suite user has failed multiple authentications (via SAML) in a short period of time.

G Suite - SAML Failed Logons (Username)

A G Suite user has failed multiple authentications (via SAML) in a short period of time.

G Suite - Unauthorized OAuth Application

Alert when a non-approved OAuth Application has been identified on Google G Suite. This rule is disabled by default because it requires a list of approved OAuth applications before it can be enabled. The approved applications should be added to the rule logic under the 'application not in' condition.

G Suite - User Accounts - 2SV Disabled

User disabled 2SV

G Suite - User Failed Logons (Track IP)

A G Suite user has failed multiple authentications in a short period of time.

G Suite - User Failed Logons (Track Username)

A G Suite user has failed multiple authentications in a short period of time.

G Suite - User Login From Two Different Countries

This signal triggers when there are two successful logins from the same user with different country codes indicating possible credential theft.

G Suite Alert Center - AppMaker Editor

Alerts from App Maker to notify admins to set up default SQL instance.

G Suite Alert Center - Data Loss Prevention

Alerts that get triggered on violations of Data Loss Prevention (DLP) rules.

G Suite Alert Center - Domain wide takeout - Customer takeout initiated

A takeout operation for the entire domain was initiated by an admin.

G Suite Alert Center - Gmail phishing

Proto for all phishing alerts with common payload

G Suite Alert Center - Gmail phishing - Misconfigured whitelist

Alert for setting the domain or IP that malicious email comes from as whitelisted domain or IP in Gmail advanced settings.

G Suite Alert Center - Google Operations

An incident reported by Google Operations for a G Suite application.

G Suite Alert Center - Google identity

Alerts for user account warning events.

G Suite Alert Center - Mobile device management - Device compromised

A mobile device compromised alert.

G Suite Alert Center - Mobile device management - Suspicious activity

A mobile suspicious activity alert.

G Suite Alert Center - Security Center Rules.

Alerts from G Suite Security Center rules service configured by admin.

G Suite Alert Center - State Sponsored Attack

A state-sponsored attack alert.

GitHub Raw URL Resource Request

Github.com is the most popular code repository site on the internet. Typically, users of GitHub look at code on the Github.com website or clone it locally to their system. You can, however, request the raw version of an individual file directly. Attackers also like to use GitHub to host their malicious code and will often download malicious files and scripts directly from the site, which uses the domain raw.githubusercontent.com instead of github.com. This signal looks for HTTP requests to that raw domain in order to monitor individual file downloads from the site.

Global YARA Rule (DstIp)

{{fields.yaraRuleDescription}}

Global YARA Rule (SrcIp)

{{fields.yaraRuleDescription}}

Grabbing Sensitive Hives via Reg Utility

Dumps the SAM, SYSTEM or SECURITY registry hives using the reg.exe utility.

Greenbug Campaign Indicators (Hostname)

Detects tools and process executions as observed in a Greenbug campaign in May 2020

Greenbug Campaign Indicators (IP)

Detects tools and process executions as observed in a Greenbug campaign in May 2020

Greenbug Campaign Indicators (Username)

Detects tools and process executions as observed in a Greenbug campaign in May 2020

HTTP CloudFlare Protocol Violation or Empty Response

Error code 520 is used as a catch-all status when the origin server returns something that is unexpected, not tolerated, or not interpreted. This can include protocol violations and empty responses.

HTTP External Request to PowerShell Extension

Attackers will often download a PowerShell script from an external web server to help maintain persistence or to invoke additional functionality on Windows machines. It is not common for internal computers to download PowerShell scripts over HTTP from an external web server, but in some rare cases software such as anti-virus does perform this behavior.

HTTP Request to Domain in Non-Standard TLD

HTTP request to a domain that is not under an ICANN-standard TLD. These TLDs are provided by alternate DNS root servers such as OpenNIC. Their use on corporate networks is fundamentally suspicious and potentially a sign of abuse by threat actors.

HTTP Request with Single Header

HTTP requests typically have multiple headers. It is odd in some cases if the event only contains a single header. This produces a low severity signal when an HTTP event is observed containing only one header in the request.

HTTP Response Error Spike - External

HTTP web services return response codes to client requests: codes in the 400s indicate a client-side error and codes in the 500s a server-side error. This rule looks for a web client receiving a large number of error responses within a short period of time, which is unusual for a single client. Common causes of this behavior are scanning/probing activity or scripted web clients that now encounter errors due to a misconfiguration or recent change. This rule alerts when a host external to the monitored network triggers the threshold.

HTTP Response Error Spike - Internal

HTTP web services return response codes to client requests: codes in the 400s indicate a client-side error and codes in the 500s a server-side error. This rule looks for a web client receiving a large number of error responses within a short period of time, which is unusual for a single client. Common causes of this behavior are scanning/probing activity or scripted web clients that now encounter errors due to a misconfiguration or recent change. This rule alerts when a host on the monitored network triggers the threshold.
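The HTTP error spike rules, the Cisco Firepower spike and diversity rules, the Duo excessive-failure rules and the Excessive Firewall Denies rule are all the same computation: for one entity, count events (or count distinct values) inside a sliding time window and compare against a threshold. The following added example, which is not Sumo Logic's implementation, shows that computation over constructed events with a per-key deque so each event is examined once. The event shape, window sizes and thresholds are assumptions chosen to mirror the rule descriptions (5 distinct signatures in 5 minutes, 50 alerts in 10 minutes, errors from one client in a minute).

```python
from collections import Counter, defaultdict, deque
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: int      # epoch seconds
    key: str     # the entity tracked: source IP, client IP, username
    value: str   # what may vary inside the window: signature, status code, username


def window_stats(events: Iterable[Event], window_s: int) -> Dict[str, Tuple[int, int]]:
    """For every key: the most events, and the most distinct values, seen in
    any sliding window of window_s seconds. One pass per key with a deque."""
    by_key: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_key[e.key].append(e)
    stats: Dict[str, Tuple[int, int]] = {}
    for key, evs in by_key.items():
        window: deque = deque()
        live: Counter = Counter()   # value -> occurrences still inside the window
        best_count = best_distinct = 0
        for e in evs:
            window.append(e)
            live[e.value] += 1
            # Drop events that fell out of the window ending at e.ts.
            while e.ts - window[0].ts >= window_s:
                old = window.popleft()
                live[old.value] -= 1
                if live[old.value] == 0:
                    del live[old.value]
            best_count = max(best_count, len(window))
            best_distinct = max(best_distinct, len(live))
        stats[key] = (best_count, best_distinct)
    return stats


def spike(stats: Dict[str, Tuple[int, int]], threshold: int) -> List[str]:
    """Keys with at least `threshold` events in one window (the Spike rules)."""
    return sorted(k for k, (count, _) in stats.items() if count >= threshold)


def diverse(stats: Dict[str, Tuple[int, int]], min_distinct: int) -> List[str]:
    """Keys with at least `min_distinct` different values in one window (the Diversity rules)."""
    return sorted(k for k, (_, distinct) in stats.items() if distinct >= min_distinct)


T0 = 1_700_000_000  # arbitrary epoch base for the constructed samples

# Constructed IDS alerts: key = source IP, value = signature name.
SAMPLE_IDS_ALERTS = (
    [Event(T0 + 30 * i, "198.51.100.4", f"sig-{i}") for i in range(6)]     # 6 signatures in 150 s
    + [Event(T0 + 10 * i, "203.0.113.77", "sig-9") for i in range(50)]     # 50 hits of one signature in 490 s
    + [Event(T0 + 60 * i, "192.0.2.8", "sig-1") for i in range(3)]         # background noise
)

# Constructed web access records: (ts, client IP, status). Only 4xx/5xx count.
SAMPLE_HTTP = (
    [(T0 + i, "203.0.113.50", 404) for i in range(40)]
    + [(T0 + i, "192.0.2.20", 200) for i in range(40)]
    + [(T0 + 5, "192.0.2.20", 500)]
)


def http_error_events(records) -> List[Event]:
    """Keep only error responses, keyed by client, so successes never count."""
    return [Event(ts, client, str(status)) for ts, client, status in records if status >= 400]


if __name__ == "__main__":
    ids_5m = window_stats(SAMPLE_IDS_ALERTS, 300)
    print("diverse (5 sigs / 5 min):", diverse(ids_5m, 5))
    print("spike (50 alerts / 10 min):", spike(window_stats(SAMPLE_IDS_ALERTS, 600), 50))
    print("HTTP error spike (30 / 60 s):", spike(window_stats(http_error_events(SAMPLE_HTTP), 60), 30))
```

The diversity count is the more useful of the two for IDS data: the source firing six different signatures stays below any reasonable volume threshold, while the noisy source repeating one signature fifty times is usually a scanner or a misconfigured sensor, which is exactly the distinction the Firepower rule descriptions draw.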

HTTP Shell Script Download Disguised as a Common Web File

Attackers who have compromised Unix/Linux machines will sometimes download additional payloads using clear text HTTP where a shell script is downloaded disguised with another file extension. This signal looks for HTTP requests to common web file extensions where the network sensor detected a shell script was returned.

HTTP activity over port 53 - Possible SIGRED

Detects a possible exploitation of CVE-2020-1350 (aka SIGRED) using rare HTTP requests over port 53. HTTP should rarely (if ever) be hosted on port 53. Technique: T1068. Derived from SOC Prime logic.

HTTP request for single character file name

Many threats are served from websites using lazy single character based filenames like 1.exe, etc. These nondescript file names are rare with most legitimate content. This rule looks for requests to retrieve high risk file extensions from such paths.

Hexadecimal User-Agent

User-Agent strings with hexadecimal values are often indicative of malware.

Hexadecimal in DNS Query Domain

Encoding in hexadecimal is a way that attackers can bypass network security devices that are inspecting traffic. While hexadecimal often appears in subdomains, it is much less frequent in domains.

High Volume of DNS 'Any' Queries

Observes for a large number of DNS 'Any' queries, which may be indicative of a Distributed Denial of Service (DDoS) attack.

High risk file extension download without hostname and referrer

Although executable and dynamic-link libraries (.exe, .dll) are regularly downloaded from the Internet, benign ones are normally downloaded with the hostname and referrer fields populated. Thus, downloads from an IP address without referrer carry an elevated risk.

Houdini/Iniduoh/njRAT User-Agent

User-Agent strings used by Houdini/Iniduoh/njRAT malware.

IP Address Scan - External

A scan of IP addresses

IP Address Scan - Internal

A scan of IP addresses

IRC traffic internal-to-external

IRC traffic is uncommonly used for business use in most organizations. IRC traffic that originates inside a network and is outbound to the internet is especially unusual and a common channel for command and control.

IRC traffic over nonstandard ports

IRC traffic is uncommonly used for business use in most organizations. IRC traffic that originates inside a network and is outbound to the internet is especially unusual and a common channel for command and control. Combine this with the non-standard port observed and this pattern is considered high priority.

Impacket Lateralization Detection (Hostname)

Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework.

Impacket Lateralization Detection (IP)

Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework.

Impacket Lateralization Detection (Username)

Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework.

Impacket-Obfuscation SMBEXEC Utility

From FireEye Red Team Tool Countermeasures: Impacket-Obfuscation is a slightly obfuscated version of the open source Impacket framework. This IOC looks for artifacts from the execution of the SMBEXEC Python script, which is part of the Impacket-Obfuscation framework.

Impacket-Obfuscation WMIEXEC Utility

From FireEye Red Team Tool Countermeasures: Impacket-Obfuscation is a slightly obfuscated version of the open source Impacket framework. This IOC looks for artifacts from the execution of the WMIEXEC Python script, which is part of the Impacket-Obfuscation framework.

InstallUtil App WhiteListing Bypass

From FireEye Red Team Tool Countermeasures: This alert looks for evidence of the native signed Windows binary InstallUtil.exe being used to load PE files. This technique can be used to bypass application whitelisting and has been observed used in the wild.

Interactive Logon with Service Account

Detects an interactive login using a service account. Service accounts should only be used by applications or services and not users. An interactive logon indicates a user has the service account credentials.

Internal Communication on Unassigned Low Ports - Destination Match

Many ports in the 0-1023 range are unassigned by IANA. These can be used as communication channels inside a network, as there are rarely legitimate services using these ports.

Judgement Panda Credential Access Activity (Hostname)

Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike

Judgement Panda Credential Access Activity (IP)

Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike

Judgement Panda Credential Access Activity (Username)

Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike

Judgement Panda Exfil Activity (Hostname)

Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike

Judgement Panda Exfil Activity (IP)

Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike

Judgement Panda Exfil Activity (Username)

Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike

Kerberos Manipulation (IP)

This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages.

Kerberos Manipulation (User)

This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages.

Known Ransomware File Extensions (Hostname)

Observes for common file extensions associated with ransomware indicating the presence of encrypted files. Some known ransomware file extensions are shared with other applications and may cause this rule to fire. File extension list sourced from: https://techviral.net/ransomware-enc...le-extensions/

Known Ransomware File Extensions (User)

Observes for common file extensions associated with ransomware indicating the presence of encrypted files. Some known ransomware file extensions are shared with other applications and may cause this rule to fire. File extension list sourced from: https://techviral.net/ransomware-enc...le-extensions/

LNKSmasher Utility Commands

From FireEye Red Team Tool Countermeasures: LNKSmasher embeds an arbitrary payload in an LNK that can be executed by the embedded command. This IOC will detect the commands executed by both the new and old version of LNKSmasher.

LSASS Memory Dump (Hostname)

Detects memory dumping from LSASS. For this rule to work, Microsoft Sysinternals Sysmon must be running on the endpoint.

LSASS Memory Dump (User)

Detects memory dumping from LSASS. For this rule to work, Microsoft Sysinternals Sysmon must be running on the endpoint.

LSASS Memory Dumping (Host)

Detects the creation of dump files containing the memory space of lsass.exe, which holds sensitive credentials, and identifies usage of Sysinternals procdump.exe to export that memory space.

LSASS Memory Dumping (User)

Detects the creation of dump files containing the memory space of lsass.exe, which holds sensitive credentials, and identifies usage of Sysinternals procdump.exe to export that memory space.

Large File Upload

Observes for file uploads above 50MB in size. It is recommended to tune this rule to the desired file size threshold for your organization, as well as to exclude users/systems that typically send large outbound files.

Large Outbound ICMP Packets

A typical ping packet will be very small. A large ICMP packet may indicate the presence of command and control traffic.

Lateral Movement Using the Windows Hidden Admin Share - Track Hostname

Detects pivoting to an internal host from another internal host. Attackers will connect to the ADMIN$ share of an internal host and upload a program to execute remote commands to fully compromise the host.

Lateral Movement Using the Windows Hidden Admin Share - Track Username

Detects pivoting to an internal host from another internal host. Attackers will connect to the ADMIN$ share of an internal host and upload a program to execute remote commands to fully compromise the host.

Likely doublepulsar Infected

Hosts infected with DoublePulsar typically exhibit this type of SMB behavior.

Local User Created

Observes for the creation of a local Windows user account. Informational signal, severity 0.

Long URL Containing SQL Commands

Observes for long URLs with possible SQL commands within them, an indication of SQL injection activity.

MS-LSAT Username Enumeration

The MS-LSAT Remote Protocol provides a number of RPC calls that can be used to map security principal SIDs to usernames. Attackers could use this technique to perform username enumeration and identify accounts on targeted systems.

MSHTA Suspicious Execution (Host)

Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism.

MSHTA Suspicious Execution (User)

Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism.

Malicious Payload Download via Office Binaries (Host)

Detects payloads downloaded from a remote server.

Malicious Payload Download via Office Binaries (User)

Detects payloads downloaded from a remote server.

Malicious PowerShell Get Commands

This rule detects commandlets from common PowerShell exploitation frameworks.

Malicious PowerShell Invoke Commands

Detects Commandlet names from well-known PowerShell exploitation frameworks.

Malicious PowerShell Keywords

This rule detects well known keywords from PowerShell exploitation frameworks.

MavInject Process Injection (Hostname)

Detects process injection using the signed Windows tool Mavinject32.exe

MavInject Process Injection (IP)

Detects process injection using the signed Windows tool Mavinject32.exe

MavInject Process Injection (Username)

Detects process injection using the signed Windows tool Mavinject32.exe

McAfee Endpoint Security Alerts (Hostname)

McAfee Endpoint Security detected a security event named '{{threat_name}}' with the description '{{description}}'.

McAfee Endpoint Security Alerts (Username)

McAfee Endpoint Security detected a security event named '{{threat_name}}' with the description '{{description}}'.

McAfee Solidifier Deny Events (Hostname)

{{threat_name}} occurred for {{file_path}}

McAfee Solidifier Deny Events (IP Address)

{{threat_name}} occurred for {{file_path}}

McAfee Solidifier Deny Events (Username)

{{threat_name}} occurred for {{file_path}}

McAfee Web Gateway - Poor Reputation

The McAfee Web Gateway detected an HTTP connection to the following site with a poor reputation of "{{description}}": {{fields['urlCategories']}}

Meterpreter or Cobalt Strike Getsystem Service Start (Host)

Detects the use of the Meterpreter/Cobalt Strike getsystem command by detecting a specific service starting.

Meterpreter or Cobalt Strike Getsystem Service Start (User)

Detects the use of the Meterpreter/Cobalt Strike getsystem command by detecting a specific service starting.

Microsoft ATA Alerts (Target Hostname)

{{fields['msg']}}

Microsoft ATA Alerts (Target Username)

{{fields['msg']}}

Mimecast - Message with Virus Detections from IP

Mimecast detected a message with one or more virus detections.

Mimecast - Message with Virus Detections to Recipient

Mimecast detected a message with one or more virus detections.

Mimecast - SPAM Message from IP

Mimecast detected an email message with an elevated SPAM score.

Mimecast - SPAM Message to Recipient

Mimecast detected an email message with an elevated SPAM score.

Mimecast - Targeted Threat Protection from IP

Mimecast's Targeted Threat Protection matched on an email message.

Mimecast - Targeted Threat Protection to Recipient

Mimecast's Targeted Threat Protection matched on an email message.

Mimikatz Loaded Images Detected (IP)

Observes for accesses to images (loaded modules) used for credential dumping via Mimikatz.

Mimikatz via Powershell and EventID 4703 (Hostname)

Observes for event ID 4703 with SeDebugPrivilege added by PowerShell. May indicate the presence of Mimikatz credential dumping.

Mimikatz via Powershell and EventID 4703 (User)

Observes for event ID 4703 with SeDebugPrivilege added by PowerShell. May indicate the presence of Mimikatz credential dumping.

MsiExec Web Install (Host)

Detects suspicious msiexec process starts with web addresses as parameters.

MsiExec Web Install (User)

Detects suspicious msiexec process starts with web addresses as parameters.

Multiple File Extensions (Hostname)

Observes for common file extensions appearing before the actual file extension (ex. totallynotmalware.pdf.exe)

Multiple File Extensions (IP)

Observes for common file extensions appearing before the actual file extension (ex. totallynotmalware.pdf.exe)

Multiple File Extensions (User)

Observes for common file extensions appearing before the actual file extension (ex. totallynotmalware.pdf.exe)

Multiple Windows Account Lockouts On Endpoint

Observes for multiple Windows account lockouts in a short period on a single endpoint.

Network Share Scan

Detects multiple network share access attempts from one internal host to another. Attackers will often scan the network for open network shares in order to pivot between internal hosts.

Network Share Sweep

Detects multiple network share access attempts from one internal host to another for a single share. Attackers will often scan the network for specific open network shares, such as ADMIN$ used for PSEXEC, in order to pivot between internal hosts.

New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch (Hostname)

The Service Control Manager, or services.exe, has no legitimate reason to launch commands like cmd.exe, powershell.exe, or regedit.exe. Incidentally, a common way for malware to masquerade as something legitimate is to call itself service.exe.

New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch (User)

The Service Control Manager, or services.exe, has no legitimate reason to launch commands like cmd.exe, powershell.exe, or regedit.exe. Incidentally, a common way for malware to masquerade as something legitimate is to call itself service.exe.

New or Renamed Windows User Account Mimicking a Machine Account

A new or renamed user account which starts with a $ following machine account naming conventions. Attackers could use this to bypass detection logic where machine names are filtered from rules.

Noncompliant Protocol Tunnel Over Common Service Port

Tools or malware may be configured to send communications over a network by using a common service port to carry unrelated traffic. This is often done to bypass security controls or to obfuscate malicious traffic by mimicking a legitimate service. For example, this is often done with UDP based VPN tunnels connecting over port 53. https://attack.mitre.org/techniques/T1043/ describes the use of this technique by attackers.

NotPetya Ransomware Activity (Hostname)

Detects NotPetya ransomware activity by identifying one of these occurring: the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted, or Windows event logs are cleared using wevtutil.

NotPetya Ransomware Activity (IP)

Detects NotPetya ransomware activity by identifying one of these occurring: the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted, or Windows event logs are cleared using wevtutil.

NotPetya Ransomware Activity (Username)

Detects NotPetya ransomware activity by identifying one of these occurring: the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted, or Windows event logs are cleared using wevtutil.

O365 - Exchange DLP Policy Match

The user {{user_username}} triggered the Exchange DLP policy '{{fields['PolicyDetails.1.PolicyName']}}' on an email message. The incident ID is {{fields['IncidentId']}}

O365 - IP Failing Authentications with Multiple Usernames

An IP address has been observed failing multiple authentications in Office 365 while using many different usernames in a short period of time.

O365 - Multiple Failed Authentications (IP)

An IP address has generated multiple failed authentications sourced from Office 365.

O365 - Multiple Failed Authentications (User)

A user account has generated multiple failed authentications sourced from Office 365.

O365 - SecurityComplianceAlerts

Office 365 SecurityComplianceAlerts

O365 - SharePoint DLP Policy Match

The user {{user_username}} triggered the SharePoint DLP policy '{{fields['PolicyDetails.1.PolicyName']}}' and rule '{{fields['PolicyDetails.1.Rules.1.RuleName']}}' on a file. The file path is '{{fields['SharePointMetaData.FilePathUrl']}}' and the incident ID is {{fields['IncidentId']}}

O365 - Successful Authentication with PowerShell User Agent (IP)

Detects a successful authentication to Office 365 where the user agent string contains PowerShell. By default, PowerShell will appear in the user agent string when used in authentication attempts for O365. This can be an indication of a PowerShell exploitation framework being used to authenticate.

O365 - Successful Authentication with PowerShell User Agent (User)

Detects a successful authentication to Office 365 where the user agent string contains PowerShell. By default, PowerShell will appear in the user agent string when used in authentication attempts for O365. This can be an indication of a PowerShell exploitation framework being used to authenticate.

O365 - Successful Brute Force

Detects a series of failed logins followed by a successful login. This could indicate that an attacker was successful in guessing a user's password and has compromised their account.

O365 - Threat Intel ATP Detection

Office 365 Advanced Threat Protection has identified a file as {{fields['DetectionMethod']}} with a classification of {{fields['FileData.MalwareFamily']}}. The file in question is {{file_basename}}

O365 - Threat Intel Email Match (IP)

Office 365 threat intelligence flagged an email from {{fields['P2Sender']}} sent to {{user_username}}. The detection method used was '{{fields['DetectionMethod']}}'.

O365 - Threat Intel Email Match (User)

Office 365 threat intelligence flagged an email from {{fields['P2Sender']}} sent to {{user_username}}. The detection method used was '{{fields['DetectionMethod']}}'.

O365 - Threat Intel URL Match (IP)

Office 365 threat intelligence identified the user {{user_username}} clicked on a malicious URL {{fields['Url']}}.

O365 - Threat Intel URL Match (User)

Office 365 threat intelligence identified the user {{user_username}} clicked on a malicious URL {{fields['Url']}}.

O365 - User attempted login from 2+ countries in 1 hour

O365 - User logged in from 2+ countries in 1 hour

O365 - User successfully logged in from 2+ countries in 1 hour

User successfully logged in from 2+ countries in an hour.

O365 - Users Password Changed

The account {{user_username}} had its password changed by the account {{fields['UserId']}}

O365 - Users Password Reset

The account {{user_username}} had its password reset by the account {{fields['UserId']}}

Office Application or Browser Launching Shell

This alert detects a shell launched by an office product or browser that should not be spawning shell processes. Attackers may inject code into Office documents or abuse Windows utilities to spawn shells that will execute malicious commands.

Okta Account Lockout (IP)

Observes for Okta user account lockout events.

Okta Account Lockout (User)

Observes for Okta user account lockout events.

Okta SSO - Source IP Authentication Failure Spike with Distinct Usernames

This signal looks for a spike in failed Okta authentications from the same source IP address trying multiple user accounts.

Okta SSO - User Failed Logons (Track IP)

An Okta user has failed multiple authentications in a short period of time.

Okta SSO - User Failed Logons (Track Username)

An Okta user has failed multiple authentications in a short period of time.

Okta SSO - User Login From Two Different Countries

This signal triggers when there are two successful logins from the same user with different country codes indicating possible credential theft.

Outbound TFTP Traffic

TFTP is rarely used externally and has been observed as a means to deliver malicious code from the outside.

Outbound Traffic to Countries Outside the United States

Traffic was observed leaving your network destined to some countries outside the United States within a time frame. This rule is shipped disabled by default, as it is intended for environments based in the United States with very tight network restriction policies.

PXELoot Utility

From FireEye Red Team Tool Countermeasures: PXELoot (PAL) is a C# tool designed to aid in the discovery and exploitation of misconfigurations in Windows Deployment Services (WDS).

Palo Alto - Traps Templated Events

Palo Alto Traps reported a {{fields['profile']}} event from the module {{fields['module_status_id']}}. Additional details include: {{fields['misc']}}

Palo Alto Correlation Event (IP)

The Palo Alto device {{fields['device_name']}} detected '{{fields['object_name']}}' from the IP address {{srcDevice_ip}}.

Palo Alto Correlation Event (User)

The Palo Alto device {{device_hostname}} detected '{{fields['object_id']}}' from the IP address {{srcDevice_ip}}.

Palo Alto Failed Authentication - Multiple Attempts from the Same IP

A source IP address failed authentication multiple times within a short period of time.

Palo Alto Failed Authentication - Multiple Attempts from the User

A user account failed authentication multiple times within a short period of time.

Palo Alto Failed Authentication - Multiple Usernames Attempted

A source IP address attempted and failed to authenticate multiple times while providing multiple usernames. This can indicate a dictionary attack where the attacker is attempting to log in with a list of commonly known usernames and passwords.

Palo Alto Firewall Threat (IP)

The Palo Alto firewall detected a threat type of '{{fields['sub_type']}}' categorized as '{{fields['category']}}' as a {{severity}} severity. The source zone is {{fields['source_zone']}} and the destination zone is {{fields['destination_zone']}}. The policy which detected the traffic is {{fields['rule_name']}}.

Palo Alto Firewall Threat (User)

The Palo Alto firewall detected a threat type of '{{fields['sub_type']}}' categorized as '{{fields['category']}}' as a {{severity}} severity. The source zone is {{fields['source_zone']}} and the destination zone is {{fields['destination_zone']}}. The policy which detected the traffic is {{fields['rule_name']}}.

Pastebin Raw URL Resource Request

Attackers will often host malicious code on pastebin.com and attempt to download their additional payloads if their initial attack is successful. They will download the post with the raw URI. Generally the malicious content hosted on Pastebin.com is quickly removed automatically because the poster sets an expiration time.

Port Scan - External

External port scan. A host external to the monitored network was detected as showing behavior consistent with a scan for a port on multiple destination addresses in a short time.

Port Scan - Internal

Internal port scan. A host on the monitored network was detected as showing behavior consistent with a scan for a port on multiple destination addresses in a short time.

Possible Black Energy Command and Control

Black Energy is a botnet with HTTP-based command and control communication.

Possible Credential Abuse

This signal logic is designed to catch repetitive attempts to call (and presumably attempt to authenticate via) login pages for Drupal, WordPress, and Jira.

Possible DGA Domain

The CSE anomaly engine has determined that the observed domain may have been created using a domain generation algorithm (DGA).

Possible DNS Data Exfiltration

Some families of malware use data nested within the subdomain portion of a DNS query as a means of data exfiltration. This can be identified by looking for DNS queries where the full query is substantially longer than the top-level domain (e.g., ooo.nu6tgnzvgm2tmmbzgq4a.rkgotw5.5z5i6fjnugmxfowy.beevish.com is substantially longer than beevish.com). This technique is described in https://attack.mitre.org/techniques/T1001/.

Possible DNS over TLS (DoT) Activity

This rule detects attempted or successful connections to the standard service port for DoT services. DNS over TLS (RFC 7858, DoT) is a name resolution service that allows clients to resolve DNS records over encrypted and validated connections. DoT operates over standards compliant TLS and is specified to operate over port 853/tcp. In some environments this may be abused as a method to bypass security and policy controls. Some malicious actors leverage DoT to tunnel DNS traffic over TLS, and research has demonstrated the ability to carry out other DNS related abuse such as malware C2 over DoT as well.

Possible Dynamic DNS Domain

This rule looks for domains which appear to be associated with a dynamic DNS service.

Possible Malicious Nirsoft Tool Usage (Hostname)

Detects command line parameters common with Nirsoft tools.

Possible Malicious Nirsoft Tool Usage (User)

Detects command line parameters common with Nirsoft tools.

Possible TOR Connection

The subject and issuer of the SSL certificate match the pattern for certificates used by TOR connections.

Potential Cobalt Strike Profile

From FireEye Red Team Tool Countermeasures: This IOC detects indicators associated with cobalt strike beacon network activity.

Potential Pass the Hash Activity

The behavior discovered here loosely matches the behavior of known pass the hash tools. A Pass the Hash (PtH) attack is a way for an attacker to move laterally through a type of credential theft. Because this behavior is known to occur in some environments during normal activity, tuning is recommended and attention should be paid to a possible spike in signals after enabling this rule.

Potential malicious JVM download

A document was downloaded and opened followed by a file download using a Java user-agent.

Potential malicious document executed

A document was downloaded and opened, followed shortly thereafter by an executable or DLL download.

Potentially vulnerable software detected

The software version has a known vulnerability.

PowerShell Encoded Command

PowerShell can execute encoded Base64 strings with the Encoded Command cmdlet. Attackers will often use Base64 to obfuscate their payloads until they can decode and execute it with PowerShell.

PowerShell File Download

PowerShell scripts are commonly used as droppers, which will download additional tools onto a compromised host.

PowerShell Remote Administration

Remote Administration from Powershell is logged by default in the admin$temp folder. These commands should only be associated with IP addresses that are expected to carry out remote administration tasks.

PowerShell Rundll32 Remote Thread Creation (Host)

Detects PowerShell remote thread creation in Rundll32.exe.

PowerShell Rundll32 Remote Thread Creation (User)

Detects PowerShell remote thread creation in Rundll32.exe.

PowerShell via SMB

PowerShell being accessed via SMB should never occur in a Windows environment, and indicates malicious activity.

Powershell Execution Policy Bypass (Host)

Observes for parameters used to bypass the PowerShell execution policy. Requires command line auditing or Sysmon to function. It is recommended to tune this rule to hosts/users that are not ordinarily bypassing the PowerShell execution policy.

Powershell Execution Policy Bypass (User)

Observes for parameters used to bypass the PowerShell execution policy. Requires command line auditing or Sysmon to function. It is recommended to tune this rule to hosts/users that are not ordinarily bypassing the PowerShell execution policy.

Process Dump via Rundll32 and Comsvcs.dll (Host)

Detects a process memory dump performed via ordinal function 24 in comsvcs.dll.

Process Dump via Rundll32 and Comsvcs.dll (User)

Detects a process memory dump performed via ordinal function 24 in comsvcs.dll.

Process Execution Inside Webserver Root Folder (Hostname)

A process was executed from inside a web hosting directory. This signal could indicate when adversaries upload a malicious file to the webserver and run the file as a process. Approved web applications that require process execution from inside the web hosting directory should be excluded from the rule and filtered out.

Process Execution Inside Webserver Root Folder (User)

A process was executed from inside a web hosting directory. This signal could indicate when adversaries upload a malicious file to the webserver and run the file as a process. Approved web applications that require process execution from inside the web hosting directory should be excluded from the rule and filtered out.

Proofpoint TAP - IP Sent Email with Malware

Proofpoint TAP detected an IP address sending an email with a malware score of 75 or higher. Records indicating the email was permitted will have a higher signal score compared to those automatically blocked by Proofpoint.

Proofpoint TAP - IP Sent Email with Malware Link

Proofpoint TAP detected a user clicking on a link containing malware in an email sent from an IP address. This rule only includes messages where Proofpoint considers the malware link still active. Records indicating the link was permitted will have a higher signal score compared to those automatically blocked by Proofpoint.

Proofpoint TAP - IP Sent Email with Phishing Link

Proofpoint TAP detected a user clicking on a phishing link in an email sent from an IP address. This rule only includes messages where Proofpoint considers the phishing link still active. Records indicating the link was permitted will have a higher signal score compared to those automatically blocked by Proofpoint.

Proofpoint TAP - IP Sent Impostor Email

Proofpoint TAP detected an IP address sending an email with an impostor score of 75 or higher. Records indicating the email was permitted will have a higher signal score compared to those automatically blocked by Proofpoint.

Proofpoint TAP - IP Sent Phishing Email

Proofpoint TAP detected an IP address sending an email with a phishing score of 75 or higher. Records indicating the email was permitted will have a higher signal score compared to those automatically blocked by Proofpoint.

Proofpoint TAP - User Received Email with Malware

Proofpoint TAP detected a user receiving an email with a malware score of 75 or higher. Records indicating the email was permitted will have a higher signal score compared to those automatically blocked by Proofpoint.

Proofpoint TAP - User Received Email with Malware Link

Proofpoint TAP detected a user clicking on a malware link in an email. This rule only includes messages where Proofpoint considers the malware link still active. Records indicating the link was permitted will have a higher signal score compared to those automatically blocked by Proofpoint.

Proofpoint TAP - User Received Email with Phishing Link

Proofpoint TAP detected a user clicking on a phishing link in an email. This rule only includes messages where Proofpoint considers the phishing link still active. Records indicating the link was permitted will have a higher signal score compared to those automatically blocked by Proofpoint.

Proofpoint TAP - User Received Impostor Email

Proofpoint TAP detected a user receiving an email with an impostor score of 75 or higher. Records indicating the email was permitted will have a higher signal score compared to those automatically blocked by Proofpoint.

Proofpoint TAP - User Received Phishing Email

Proofpoint TAP detected a user receiving an email with a phishing score of 75 or higher. Records indicating the email was permitted will have a higher signal score compared to those automatically blocked by Proofpoint.

PsExec Admin Tool Detection

Detects PSEXESVC.EXE being written to a remote computer via SMB/CIFS. This is a service executable that is copied in place and started when a remote client connects to a host with PsExec.

Psr.exe Capture Screenshots (Host)

The psr.exe utility captures desktop screenshots and saves them on the local machine.

Psr.exe Capture Screenshots (User)

The psr.exe utility captures desktop screenshots and saves them on the local machine.

QuarksPwDump Dump File Observed (Hostname)

This signal identifies a filename consistent with the QuarksPwDump password dumper.

QuarksPwDump Dump File Observed (IP)

This signal identifies a filename consistent with the QuarksPwDump password dumper.

QuarksPwDump Dump File Observed (Username)

This signal identifies a filename consistent with the QuarksPwDump password dumper.

RDP Brute Force - Success

Hydra and Ncrack are popular tools for attempting brute force attacks to access a targeted system. In this case, a brute force attempt against an RDP server has succeeded and the attacker has gained access to the targeted system.

RDP Brute Force Attempt

An attacker is making a brute force attempt to gain access to an RDP server.

RDP Error Messages

When setting up an RDP connection, a number of negotiation steps take place. If a connection is encrypted, not all of these can be analyzed. Errors can indicate an operational issue or potential exploitation of a vulnerability in the negotiation.

RDP Login from Localhost

RDP login with a localhost source address may indicate a tunneled login and an attacker attempting to move through the environment.

RDP Traffic to Unexpected Host

Observes for RDP traffic to hosts not within an allow list. Note that this rule requires the creation and population of a match list of known-good hosts named 'RDP_Hosts'.

RDP external-to-internal

Access of Remote Desktop from the internet is not common and may represent an intrusion on the network.

RDP with non-standard client

While the product_id of the RDP client is not required, a missing one, or one that does not look like a client access license, can indicate an RDP attack using hacker software (e.g. Ncrack, Hydra).

Recon Using Common Windows Commands

Detects a set of commands often used in the reconnaissance stage by different attack groups.

Renamed MSBUILD.EXE by Arguments

From FireEye Red Team Tool Countermeasures: This alert looks for renamed msbuild.exe process executions based on common command line arguments used for msbuild.exe. Attackers frequently use msbuild.exe (or renamed versions of this binary) to execute arbitrary CSharp payloads written to disk most commonly as .csproj files (though any file with an extension ending in "proj" will work) either referenced on the command line or located in the same directory as the msbuild.exe binary. The XML payload on disk should be acquired and examined to determine the functionality of the payload.

Request to Anomalous Web Server Software

Attackers often stage content during intrusions using external web infrastructure to host exploits, malware and other tooling. In rare cases attacker playbooks show the threat actor hosting web files by serving them using the SimpleHTTPServer server, a lightweight built-in web server module installed with Python. Occurrences of clients connecting to servers implemented using SimpleHTTPServer are anomalous and may indicate an active attack.

Request to DNS over HTTPS (DoH) Service Provider

DNS over HTTPS (RFC 8484, DoH) is a web-based name resolution service that allows clients to resolve DNS records over web services. DoH operates over standards-compliant HTTPS and is therefore typically carried in encrypted and validated TLS over port 443/tcp. In some environments this may be abused as a method to bypass security and policy controls. Some malicious actors leverage DoH to tunnel DNS traffic over HTTPS, and research has demonstrated the ability to carry out other DNS-related abuse, such as malware C2 over DoH, as well.

Rogue DHCP Server

Observes for Cisco events indicating the presence of a rogue DHCP server.

Rubeus Hack Tool (Hostname)

Detects command line parameters associated with use of the Rubeus hack tool.

Rubeus Hack Tool (IP)

Detects command line parameters associated with use of the Rubeus hack tool.

Rubeus Hack Tool (Username)

Detects command line parameters associated with use of the Rubeus hack tool.

Rubeus Hack Tool Logon Process Name

From FireEye Red Team Tool Countermeasures: Rubeus is a utility that provides Kerberos abuse capabilities. This rule is looking for the hardcoded LogonProcessName value, "User32LogonProcesss".

Ryuk Ransomware Endpoint Indicator (Hostname)

Indicates a process has started with characteristics that are highly similar to the Ryuk ransomware's execution behavior.

Ryuk Ransomware Endpoint Indicator (IP)

Indicates a process has started with characteristics that are highly similar to the Ryuk ransomware's execution behavior.

Ryuk Ransomware Endpoint Indicator (Username)

Indicates a process has started with characteristics that are highly similar to the Ryuk ransomware's execution behavior.

SC Exe Manipulating Windows Services

Observes for command line arguments to sc.exe indicating that Windows services are being modified.

SMB - Remote execution and/or persistence via scheduled task using ATSVC

Remote execution and/or persistence via scheduled task using ATSVC named pipe.

SMB Brute Force Attempt

This rule looks for failed SMB login attempts.

SMB External to Internal File Share Access

This signal identifies external sources connecting to file shares. Due to the vulnerabilities and insecurities of SMB, this type of traffic should be prohibited.

SMB Internal to External traffic

SMB/CIFS is a workgroup protocol for file sharing intended to be used among trusted systems on an internal LAN. A number of risks are associated with internal systems connecting to untrusted external SMB servers, including exploit delivery, credential harvesting, and data exfiltration. SMB access should be limited to the enterprise network to prevent participation in unknown SMB related attacks. Limited exceptions may exist, such as file server access over extranet connections.

SMB Scanning Detected

This rule looks for a host scanning other SMB hosts with specific commands similar to those used by WannaCry.

SMB write to hidden admin share

SMB is primarily used for remote file access across a network. SMB access to admin shares should be a rare occurrence, especially by a non-administrator account. Such access is often a part of an attack pivot once an attacker has compromised one machine in a network.

SQL Injection Attacker

SQL Injection attempt detected

SQL Injection Victim

Successful SQL Injection attack detected

SQL-Select-From

Requests to web applications containing SQL statement keywords may indicate attempts to compromise the web application or access data in a backend database engine in an unauthorized manner. This technique is described at https://attack.mitre.org/techniques/T1190/.

SSH Authentication Failures

Many SSH authentication failures from the same source IP in a short period of time can signal a brute-force attack.

SSH Interesting Hostname Login

"Interesting hostnames" in this context include those that start with dns, ns, smtp, mail, pop, imap, www, and ftp. Using SSH to hosts that appear to be purposed as servers corresponding to one of these hostnames is considered suspicious.

SSH to non-standard port

SSH connections to a non-standard port.

SSL Certificate Expired

A server responded on an SSL or TLS service using an expired certificate.

SSL Certificate Expires Soon

A server responded on an SSL or TLS service using a certificate that will expire soon.

SSL Certificate Not Valid Yet

A server responded on an SSL or TLS service using a certificate with a future-dated NotValidBefore attribute.

SSL Heartbleed Attack

SSL Heartbleed attack detected.

SSL Heartbleed Attack Successful

SSL Heartbleed Attack Successful

SSL Heartbleed Many Requests

Indicates that many heartbeat requests were seen without a reply. This might be an attack.

SSL Heartbleed Odd Length

SSL Heartbleed Odd Length

SSL Invalid Server Cert

A server responded on an SSL or TLS service using a certificate identified as invalid by the Network Sensor.

SYSVOL Share Sweep

When attempting to pivot within an internal AD network, attackers will query the Domain Controllers for passwords stored within group policy files. This is typically done by querying the SYSVOL share. A host querying the SYSVOL share is suspicious activity and could be indicative of this type of attack.

SafetyKatz Credential Stealer

From FireEye Red Team Tool Countermeasures: SafetyKatz is a combination of a slightly modified version of the Mimikatz project and a .NET PE loader.

Scheduled Task Created via PowerShell

Attackers have been known to leverage PowerShell for scheduled task creation for the purpose of maintaining persistence in a Windows based environment.

Scheduled Task Creation with Suspicious Task Executable

Attackers may create scheduled tasks to execute commands in various scenarios. Inclusion of commonly abused or high risk Windows executables may be an indication of an attack.

Script Interpreter Launched by Cmd (Hostname)

Observes for wscript or cscript being executed by cmd. This rule requires command line auditing or Sysmon to function. It is recommended that this rule be tuned to exclude hosts/users that are expected to regularly make use of script interpreters.

Script Interpreter Launched by Cmd (User)

Observes for wscript or cscript being executed by cmd. This rule requires command line auditing or Sysmon to function. It is recommended that this rule be tuned to exclude hosts/users that are expected to regularly make use of script interpreters.

Script/CLI UserAgent string

This pattern discovers HTTP communications from an internal source where a development library or command line client user-agent string was observed (e.g. Wget, cURL, etc.). Use of these techniques by attackers is described in https://attack.mitre.org/techniques/T1105/ and https://attack.mitre.org/techniques/T1064/.

Seatbelt Utility

From FireEye Red Team Tool Countermeasures: Seatbelt is an open source C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. This IOC also detects some variations of this project namely Beltalowda and Shamwow.

Secure Deletion with SDelete (Host)

Detects the renaming of a file during deletion with the SDelete tool.

Secure Deletion with SDelete (User)

Detects the renaming of a file during deletion with the SDelete tool.

SecurityXploded Tool (Hostname)

Detects the execution of SecurityXploded tools.

SecurityXploded Tool (IP)

Detects the execution of SecurityXploded tools.

SecurityXploded Tool (Username)

Detects the execution of SecurityXploded tools.

Self-signed Certificates

A server responded on an SSL or TLS service using a self-signed certificate.

Server-Side Code Injection in URL

Attackers may use improper URL checking to inject code that is executed on a server. This may be used in DoS attacks or to execute commands to elevate privilege. The attack pattern is similar to Shellshock exploitation.

Shadow Copies Deletion Using OS Utilities (Hostname)

When adversaries take destructive action (e.g. encrypting files for ransomware) 'shadow copies' of the file system volumes are often destroyed in order to prevent these files from being easily recovered. This signal indicates that a command was observed that may indicate this destructive action.

Shadow Copies Deletion Using OS Utilities (IP)

When adversaries take destructive action (e.g. encrypting files for ransomware) 'shadow copies' of the file system volumes are often destroyed in order to prevent these files from being easily recovered. This signal indicates that a command was observed that may indicate this destructive action.

Shadow Copies Deletion Using OS Utilities (Username)

When adversaries take destructive action (e.g. encrypting files for ransomware) 'shadow copies' of the file system volumes are often destroyed in order to prevent these files from being easily recovered. This signal indicates that a command was observed that may indicate this destructive action.

Shadow Copy Creation (Hostname)

Observes for ntdsutil, vssadmin, wmic, or powershell creating shadow copies. This is another method to extract credentials.

Shadow Copy Creation (User)

Observes for ntdsutil, vssadmin, wmic, or powershell creating shadow copies. This is another method to extract credentials.

SharPersist A Utility

From FireEye Red Team Tool Countermeasures: This IOC detects Windows persistence activity performed by the SharPersist utility. It has multiple persistence functionalities, such as KeePass, hotkey, new scheduled task, Startup Folder and Scheduled Task Backdoor.

SharPersist Utility

From FireEye Red Team Tool Countermeasures: This IOC detects a Windows Persistence Toolkit called SharPersist.

SharPivot Utility

From FireEye Red Team Tool Countermeasures: SHARPIVOT is a .NET console application that can be used to perform command execution against a remote target for the purposes of lateral movement.

SharpStomp Utility

From FireEye Red Team Tool Countermeasures: SharpStomp is a C# utility that can be used to timestomp the specified file's creation, last access, and last write time.

Shellshock

HTTP requests with headers indicating an attempt to exploit CVE-2014-6271 and related vulnerabilities in the Bash shell using Bashdoor/Shellshock attack. This vulnerability is most often triggered in CGI scripts implemented against vulnerable versions of the shell.

Snatch Ransomware (Hostname)

Detects specific process characteristics of Maze ransomware Word document droppers.

Snatch Ransomware (IP)

Detects specific process characteristics of Maze ransomware Word document droppers.

Snatch Ransomware (Username)

Detects specific process characteristics of Maze ransomware Word document droppers.

Solarwinds Suspicious Child Processes

From FireEye Red Team Tool Countermeasures: This rule identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. The behavior of SolarWinds.Orion.Core.BusinessLayer.dll is dependent on per-enterprise configuration, so additional tuning may be required to exclude legitimate activity in a given environment. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.

Solarwinds Suspicious URL Hostname

From FireEye Red Team Tool Countermeasures: This rule identifies URL requests mimicking SolarWinds network traffic, to non-SolarWinds domains. This rule will only match on instances where communication does not occur over SSL/TLS. These requests may be evidence of the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.

Sophos Endpoint Not Protected

Sophos detected a condition indicating that endpoint protection is not activated.

Sophos HMPA Exploit Prevented

Sophos HitmanPro.Alert (HMPA) prevented an exploit.

Sophos PUA Detected

Sophos detected a potentially unwanted application (PUA) on the endpoint.

Sophos SAV Disabled

Sophos real-time protection was disabled.

Sophos Service Not Running

One or more Sophos services are missing or not running.

Sophos Threat Detected

Sophos detected a medium severity threat on the endpoint.

Sophos Web Control Violation

Sophos blocked access to a website for an undisclosed reason.

Sophos Web Filtering - Blocked

Sophos blocked access to malicious web content.

Spaces Before File Extension (Hostname)

Observes for files being executed that contain at least 5 spaces preceding the file extension. This may indicate an attempt to hide the true extension of a file.

Spaces Before File Extension (IP)

Observes for files being executed that contain at least 5 spaces preceding the file extension. This may indicate an attempt to hide the true extension of a file.

Spaces Before File Extension (User)

Observes for files being executed that contain at least 5 spaces preceding the file extension. This may indicate an attempt to hide the true extension of a file.

Spoolsv Child Process Created

Observes for Spoolsv launching unexpected child processes. This may be related to behavior in CVE-2018-8440.

Successful Overpass the Hash Attempt (IP)

Identifies a suspicious Windows logon of type 9 (NewCredentials). This signal is suspicious due to its similarity to the behavior observed when using Mimikatz's sekurlsa::pth tool.

Successful Overpass the Hash Attempt (Username)

Identifies a suspicious Windows logon of type 9 (NewCredentials). This signal is suspicious due to its similarity to the behavior observed when using Mimikatz's sekurlsa::pth tool.

Sumo Logic Scheduled Searches - Hostname

{{description}}

Sumo Logic Scheduled Searches - IP

{{description}}

Sumo Logic Scheduled Searches - Username

{{description}}

Sunburst Suspicious File Writes

From FireEye Sunburst Countermeasures: This rule identifies writes of specific file types associated with activity related to the SUNBURST backdoored version of the SolarWinds.Orion.Core.BusinessLayer.dll process. This rule may generate false positives depending on the configuration of SolarWinds in a given environment, and may require tuning to exclude legitimate activity. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.

Suricata IDS Alerts (Attack Signatures)

A Suricata IDS alert triggered, and the source IP address is likely the initiator of the traffic because the source port is higher than the destination port.

Suricata IDS Alerts (Response Signatures)

A Suricata IDS alert triggered, and the destination IP address is likely the initiator of the traffic because the source port is lower than the destination port.

Suspect Svchost Activity (Hostname)

It is extremely abnormal for svchost.exe to spawn without any CLI arguments; this is normally observed when a malicious process spawns svchost.exe and injects code into its memory space.

Suspect Svchost Activity (IP)

It is extremely abnormal for svchost.exe to spawn without any CLI arguments; this is normally observed when a malicious process spawns svchost.exe and injects code into its memory space.

Suspect Svchost Activity (Username)

It is extremely abnormal for svchost.exe to spawn without any CLI arguments; this is normally observed when a malicious process spawns svchost.exe and injects code into its memory space.

Suspicious Certutil Command (Host)

Detects a suspicious Microsoft certutil execution with sub-commands such as 'decode', which is sometimes used to decode malicious code with the built-in certutil utility.

Suspicious Certutil Command (User)

Detects a suspicious Microsoft certutil execution with sub-commands such as 'decode', which is sometimes used to decode malicious code with the built-in certutil utility.

Suspicious Compression Tool Parameters (Host)

Detects suspicious command line arguments of common data compression tools.

Suspicious Compression Tool Parameters (User)

Detects suspicious command line arguments of common data compression tools.

Suspicious Curl File Upload (Host)

Detects a suspicious curl process start that adds a file to a web request.

Suspicious Curl File Upload (User)

Detects a suspicious curl process start that adds a file to a web request.

Suspicious DC Logon

Suspicious DC login: a non-admin account logging into a domain controller.

Suspicious Email Attachment Extension

Observes for e-mail attachments with file extensions commonly used by attackers or associated with malware.

Suspicious Email Origin

The email originated from a suspicious location.

Suspicious Execution of Search Indexer

From FireEye Red Team Tool Countermeasures: This IOC detects suspicious execution of searchindexer. This technique is known to be used by Cobalt Strike, which injects malicious code into a newly spawned searchindexer process to evade detection.

Suspicious External Device Installation (Host)

Detects removable media attached to a device that was previously denied by policy. External media can be used to exfiltrate sensitive data and is also a common source of infections, so some organizations block its use. Attempts to use these devices could indicate intent for malicious activity.

Suspicious External Device Installation (User)

Detects removable media attached to a device that was previously denied by policy. External media can be used to exfiltrate sensitive data and is also a common source of infections, so some organizations block its use. Attempts to use these devices could indicate intent for malicious activity.

Suspicious HTTP User-Agent

Common administrative tools may be used by malware authors and attackers who use living-off-the-land methods to operate on victim networks.

Suspicious PowerShell Keywords

Detects keywords that could indicate the use of a PowerShell exploitation framework.

Suspicious Registry Key Modification

This rule detects modifications to registry keys commonly targeted to achieve persistence.

Suspicious Shells Spawned by Web Servers (Hostname)

Web servers that spawn shell processes could be the result of a successfully placed web shell or another attack.

Suspicious Shells Spawned by Web Servers (User)

Web servers that spawn shell processes could be the result of a successfully placed web shell or another attack.

Suspicious Shortcut File Launching Process

Observes for a shortcut (lnk) executing a process from directories common in various phishing tools.

Suspicious Typical Malware Back Connect Ports (IP)

Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases.

Suspicious Typical Malware Back Connect Ports (User)

Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases.

Suspicious Use of Procdump (Host)

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.

Suspicious Use of Procdump (User)

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.

Suspicious Use of Workflow Compiler for Payload Execution

From FireEye Red Team Tool Countermeasures: This IOC detects indicators associated with suspicious execution of the Microsoft Workflow Compiler. This is known to be used by Cobalt Strike for lateral movement with specially crafted XLM and OXLM files.

Suspicious Windows ANONYMOUS LOGON Account Created

Detects the creation of suspicious accounts with names similar to ANONYMOUS LOGON. These accounts could be created as cover, so that they blend in with network (type 3) logons to shared resources such as folders or printers.

Suspicious use of Dev-Tools-Launcher (Hostname)

DevToolsLauncher.exe has a switch 'LaunchForDeploy' that takes the location of another binary to launch. Attackers have abused this ability to launch their own non-trusted code.

Suspicious use of Dev-Tools-Launcher (IP)

DevToolsLauncher.exe has a switch 'LaunchForDeploy' that takes the location of another binary to launch. Attackers have abused this ability to launch their own non-trusted code.

Suspicious use of Dev-Tools-Launcher (Username)

DevToolsLauncher.exe has a switch 'LaunchForDeploy' that takes the location of another binary to launch. Attackers have abused this ability to launch their own non-trusted code.

Symantec SEP Alerts (Target Hostname)

Symantec SEP alerted on behavior from the host {{device_hostname}}.

Symantec SEP Alerts (Target IP)

Symantec SEP alerted on behavior from the host {{device_hostname}}.

Symantec SEP Alerts (Target Username)

Symantec SEP alerted on behavior from the host {{device_hostname}}.

TAIDOOR RAT DLL Load (Hostname)

Looks for process creation with command line references that are consistent with the Chinese TAIDOOR remote access trojan (RAT).

TAIDOOR RAT DLL Load (IP)

Looks for process creation with command line references that are consistent with the Chinese TAIDOOR remote access trojan (RAT).

TAIDOOR RAT DLL Load (Username)

Looks for process creation with command line references that are consistent with the Chinese TAIDOOR remote access trojan (RAT).

Tanium - Templated Signals

A Tanium signal has been reported with the following tags '{{fields['Intel Labels']}}' based on the process '{{file_path}}'.

The Audit Log was Cleared - 1102

Attackers may attempt to clear the Windows Security Event Log in an effort to hide records of their activity during an intrusion. This rule detects that action.

Threat Intel - Device IP Matched Threat Intel Domain Name

A record flagged a hostname or domain from a threat intelligence match list.

Threat Intel - Device IP Matched Threat Intel File Hash

A record flagged a file hash from a threat intelligence match list.

Threat Intel - Device IP Matched Threat Intel URL

A record flagged a URL from a threat intelligence match list.

Threat Intel - Source IP Matched Threat Intel Domain Name

A record flagged a hostname or domain from a threat intelligence match list.

Threat Intel Match - IP Address

A record flagged an IP address from a threat intelligence match list.

Too Many Failed Login Attempts

Excessive failed login attempts were observed for accounts in a Windows domain.

Too Many Kerberos Encryption Downgrade SPNs (Kerberoasting) - Track IP

Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection. This is facilitated by requesting service tickets that have data encrypted with weak encryption types (typically RC4). This technique is described in https://attack.mitre.org/techniques/T1208/.

Too Many Kerberos Encryption Downgrade SPNs (Kerberoasting) - Track User

Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection. This is facilitated by requesting service tickets that have data encrypted with weak encryption types (typically RC4). This technique is described in https://attack.mitre.org/techniques/T1208/.

Too many empty/refused DNS queries

The DNS request/response was empty or refused. This may be an indication of DNS tunneling. (Excludes IPv4/IPv6 multicast DNS and LLMNR traffic).

Trend Micro Deep Security File Integrity Monitoring Alerts (Device Hostname)

{{description}}

Trend Micro Deep Security File Integrity Monitoring Alerts (Device IP)

{{description}}

Trend Micro Deep Security File Integrity Monitoring Alerts (User)

{{description}}

Unauthorized External Device Installation (Host)

Detects a removable media device attached to a host. External media can be used to exfiltrate sensitive data and is also a common source of infections, so some organizations block its use. Attempts to use these devices could indicate intent for malicious activity. Customers should populate a list of devices that should not have external media installed on them.

Unauthorized External Device Installation (User)

Detects a removable media device attached to a host. External media can be used to exfiltrate sensitive data and is also a common source of infections, so some organizations block its use. Attempts to use these devices could indicate intent for malicious activity. Customers should populate a list of devices that should not have external media installed on them.

Unsigned Image Loaded by LSASS (Hostname)

This rule observes for an unsigned image being loaded by LSASS, as this may indicate attempted credential access. Note that this rule requires Microsoft Sysinternals Sysmon to be installed with Image Loaded (Event ID 7) logging enabled.

User Account Created and Deleted in 24 Hours

User Account Created and Deleted in 24 Hours.

User Added to Local Administrators

Observes for a user being added to the Windows local administrators group.

UserInit Process Launched by MSBuild.exe

From FireEye Red Team Tool Countermeasures: MSBuild is the build system for Visual Studio. This IOC detects the suspicious execution of the userinit process by MSBuild.

VBS file downloaded from Internet

Although Visual Basic scripts (.vbs) are sometimes downloaded from the Internet in the normal course of business, they are often part of malware installation. They carry an elevated risk.

Varonis Alerts

Description: {{description}}, Outcome: {{fields['outcome']}}

WMI Launching Shell

A WMI process has been used to launch a shell on "{{device_hostname}}".

WMI Managed Object Format (MOF) Process Execution

Attackers will often utilize the Managed Object Format (MOF) compiler to conceal and execute their malicious code within the WMI repository.

WMI Process Call Create

An attacker can use WMI to create malicious processes on the local or remote host to bypass application whitelisting, since WMI is an authorized Windows tool.

WMI Process Get Brief

An attacker can use WMI to execute scripts on a host by pointing to malicious XSL files.

WMIExec VBS Script (Hostname)

Detects suspicious file execution by wscript and cscript.

WMIExec VBS Script (IP)

Detects suspicious file execution by wscript and cscript.

WMIExec VBS Script (Username)

Detects suspicious file execution by wscript and cscript.

WannaCry Ransomware (Hostname)

Uses data from process creation events to detect indicators of the WannaCry Ransomware.

WannaCry Ransomware (IP)

Uses data from process creation events to detect indicators of the WannaCry Ransomware.

WannaCry Ransomware (Username)

Uses data from process creation events to detect indicators of the WannaCry Ransomware.

Web Services Executing Common Web Shell Commands (Hostname)

This rule looks for web server executables attempting to use commands commonly associated with adversaries utilizing a successfully uploaded web shell.

Web Services Executing Common Web Shell Commands (IP)

This rule looks for web server executables attempting to use commands commonly associated with adversaries utilizing a successfully uploaded web shell.

Web Services Executing Common Web Shell Commands (User)

This rule looks for web server executables attempting to use commands commonly associated with adversaries utilizing a successfully uploaded web shell.

Websense - Blocked Activity Threshold

Websense blocked a large amount of activity originating from a single host within a short period of time.

Windows - Delete Windows Backup Catalog (Host)

Detects the deletion of backup catalogs on a Windows host through the command line. This activity is commonly seen in ransomware, where the program encrypts the host and deletes the backups to remove the possibility of restoring the computer and avoid paying the ransom.

Windows - Delete Windows Backup Catalog (User)

Detects the deletion of backup catalogs on a Windows host through the command line. This activity is commonly seen in ransomware, where the program encrypts the host and deletes the backups to remove the possibility of restoring the computer and avoid paying the ransom.

Windows - Discovery of a System Time

Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.

Windows - Domain Trust Discovery (Hostname)

Suspicious domain trust discovery activity (T1482).

Windows - Domain Trust Discovery (User)

Suspicious Domain Trust Discovery Activity - T1482

Windows - Excessive User Interactive Logons Across Multiple Hosts

A user performed a significant number of Windows interactive logins to multiple destination hosts in the past 24 hours. This behavior can be expected for some accounts, such as administrators in a Windows environment. Tuning this rule is highly recommended to filter out usernames where applicable.

Windows - Incoming LSASS Network Connection - Zerologon Behavior(CVE-2020-1472)

CVE-2020-1472 can be exploited by attackers to hijack enterprise servers due to Netlogon cryptographic weaknesses. The vulnerability allows an attacker to set a password for the computer account of an Active Directory Domain Controller, which can then be abused to pull credentials from the Domain Controller. This rule detects an incoming network connection made from the attacking machine to the victim Domain Controller to the LSASS process.

Windows - Local System executing whoami.exe (Hostname)

Local system account - Suspicious System Owner/User Discovery Activity - T1033 - requires command-line auditing (Event ID 4688)

Windows - Microsoft Office Add-In File Created

This rule detects when a Microsoft Office Add-In is created by monitoring certain directories with specific file extensions. This rule requires the setup of file creation auditing.

Windows - Network Connection from CMSTP (Host)

Detects potential CMSTP.exe abuse. Adversaries use CMSTP.exe to load and execute DLLs or COM scriptlets from remote servers to bypass application control defenses.

Windows - Network Connection from CMSTP (IP)

Detects potential CMSTP.exe abuse. Adversaries use CMSTP.exe to load and execute DLLs or COM scriptlets from remote servers to bypass application control defenses.

Windows - Network Connection from CMSTP (User)

Detects potential CMSTP.exe abuse. Adversaries use CMSTP.exe to load and execute DLLs or COM scriptlets from remote servers to bypass application control defenses.

Windows - Network trace capture using netsh.exe (Hostname)

Detects capture of a network trace via the netsh.exe trace functionality - requires command-line auditing (Event ID 4688)

Windows - Network trace capture using netsh.exe (User)

Detects capture of a network trace via the netsh.exe trace functionality - requires command-line auditing (Event ID 4688)

Windows - Permissions Group Discovery (Hostname)

Suspicious Permissions Group Discovery Activity - T1069

Windows - Permissions Group Discovery (User)

Suspicious Permissions Group Discovery Activity - T1069

Windows - Possible Impersonation Token Creation Using Runas (Host)

Detects the use of the runas command. Runas can be used to create impersonation tokens in an attempt to elevate privileges.

Windows - Possible Impersonation Token Creation Using Runas (User)

Detects the use of the runas command. Runas can be used to create impersonation tokens in an attempt to elevate privileges.

Windows - Possible Squiblydoo Technique Observed (Host)

The Squiblydoo technique is a way for unapproved scripts to run on a machine that is set up to allow only approved scripts to run. Squiblydoo utilizes regsvr32.exe to download an XML file that contains scriptlets for executing code on the victim machine.

Windows - Possible Squiblydoo Technique Observed (User)

The Squiblydoo technique is a way for unapproved scripts to run on a machine that is set up to allow only approved scripts to run. Squiblydoo utilizes regsvr32.exe to download an XML file that contains scriptlets for executing code on the victim machine.

Windows - PowerShell Process Discovery (Host)

Detects the use of various Get-Process PowerShell commands to discover information about running processes.

Windows - PowerShell Process Discovery (User)

Detects the use of various Get-Process PowerShell commands to discover information about running processes.

Windows - Powershell Scheduled Task Creation from PowerSploit or Empire

This rule detects the creation of a Windows scheduled task via PowerSploit or the default configuration of Empire.

Windows - Remote System Discovery (Hostname)

Suspicious Remote System Discovery Activity - T1018

Windows - Remote System Discovery (User)

Suspicious Remote System Discovery Activity - T1018

Windows - Rogue Domain Controller - dcshadow (Host)

Mimikatz's LSADUMP::DCShadow module can be used to make AD updates by temporarily setting a computer to be a DC.

Windows - Rogue Domain Controller - dcshadow (User)

Mimikatz's LSADUMP::DCShadow module can be used to make AD updates by temporarily setting a computer to be a DC.

Windows - Scheduled Task Creation

A scheduled task was created in Windows or Azure. It is common for system administrators and approved software to create scheduled tasks, but adversaries are known to use them for persistence within a Windows environment. This rule is disabled by default due to the volume of events it can produce. Users should filter/exclude allowed scheduled tasks according to their environment before enabling the rule. The scheduled task name is logged in the "commandLine" field.

Windows - Successful Brute Force

Detects a series of failed logins followed by a successful login. This could indicate that an attacker was successful in guessing a user's password and has compromised their account.

Windows - Suspicious Anonymous Logon Activity - Zerologon Behavior(CVE-2020-1472)

CVE-2020-1472 can be exploited by attackers to hijack enterprise servers due to Netlogon cryptographic weaknesses. The vulnerability allows an attacker to set a password for the computer account of an Active Directory Domain Controller, which can then be abused to pull credentials from the Domain Controller. This rule detects the domain controller computer account being changed after a successful anonymous login occurred.

Windows - Suspicious CMSTP Process Spawn (Host)

Detects potential CMSTP.exe abuse. Adversaries use CMSTP.exe to load and execute DLLs or COM scriptlets from remote servers to bypass application control defenses.

Windows - Suspicious CMSTP Process Spawn (User)

Detects potential CMSTP.exe abuse. Adversaries use CMSTP.exe to load and execute DLLs or COM scriptlets from remote servers to bypass application control defenses.

Windows - System Network Configuration Discovery (Hostname)

Suspicious System Network Configuration Discovery Activity - T1016

Windows - System Network Configuration Discovery (User)

Suspicious System Network Configuration Discovery Activity - T1016

Windows - User Adds Self to Security Group

The user account {{user_username}} has added themselves to the Windows security group {{changeTarget}}. This could indicate a user attempting to escalate their privileges.

Windows - WiFi Credential Harvesting with netsh (Hostname)

Detects harvesting of Wi-Fi credentials using netsh.exe.

Windows - WiFi Credential Harvesting with netsh (User)

Detects harvesting of Wi-Fi credentials using netsh.exe.

Windows Account Added To Privileged Security Group

This signal alerts on the elevation of privileges assigned to a domain user account according to Windows Event IDs 4728, 4732, and/or 4756.

Windows Account Locked Out - 4740

This signal fires whenever Windows Event type 4740 is seen in the environment.

Windows Admin User Remote Logon

Detects remote logins by administrative users. Administrative users are identified using your local naming convention. Because each environment controls its own user naming convention, this rule's expression must first be tailored to your environment and then enabled. Adjust the section that reads "LIKE '%admin%'" to match your environment's administrator naming convention.

Windows Credential Editor (WCE) Tool Use Detected (Hostname)

This signal indicates that an indicator was found in the Windows registry showing that the Windows Credential Editor (WCE) tool may be in use. Use of this tool is highly suspicious and can indicate lateral movement attempts (pass-the-hash, etc.). REF: https://www.ampliasecurity.com/resea...ntials-editor/

Windows Credential Editor (WCE) Tool Use Detected (IP)

This signal indicates that an indicator was found in the Windows registry showing that the Windows Credential Editor (WCE) tool may be in use. Use of this tool is highly suspicious and can indicate lateral movement attempts (pass-the-hash, etc.). REF: https://www.ampliasecurity.com/resea...ntials-editor/

Windows Credential Editor (WCE) Tool Use Detected (Username)

This signal indicates that an indicator was found in the Windows registry showing that the Windows Credential Editor (WCE) tool may be in use. Use of this tool is highly suspicious and can indicate lateral movement attempts (pass-the-hash, etc.). REF: https://www.ampliasecurity.com/resea...ntials-editor/

Windows Credential Editor (WCE) in use (Hostname)

Looks for the possible use of Windows Credential Editor, a common open-source tool used for pass-the-hash amongst other attacks. This detection examines the import hash (aka imphash) as well as process start identifiers associated with the tool.

Windows Credential Editor (WCE) in use (IP)

Looks for the possible use of Windows Credential Editor, a common open-source tool used for pass-the-hash amongst other attacks. This detection examines the import hash (aka imphash) as well as process start identifiers associated with the tool.

Windows Credential Editor (WCE) in use (Username)

Looks for the possible use of Windows Credential Editor, a common open-source tool used for pass-the-hash amongst other attacks. This detection examines the import hash (aka imphash) as well as process start identifiers associated with the tool.

Windows Defender Download Activity (Host)

Detects the use of Windows Defender to download payloads.

Windows Defender Download Activity (User)

Detects the use of Windows Defender to download payloads.

Windows Network Sniffing (Hostname)

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Windows Network Sniffing (User)

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Windows Process Name Impersonation

This alert detects a process executing with a name that closely resembles a default Windows process. Malware will often attempt to disguise its execution by using a similar name to blend in with standard processes.

Windows Query Registry (Hostname)

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Windows Query Registry (User)

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Windows Service Executed from Nonstandard Execution Path

Windows services launching from locations outside of their standard installation path is a common malware persistence mechanism.

Windows Temp Directory Access Via SMB

This can be seen as suspicious, as you will not often see remote systems pulling files from the Windows Temp directory of other systems.

Windows User Account Created with Abnormal Naming Convention

'changeTarget' should be populated with a regular expression that matches the user naming convention. This rule detects a user account that has been created that does not fit the established naming convention. If an unauthorized account has been created, it could be used to maliciously access additional systems.

Winnti Pipemon Characteristics (Hostname)

Detects specific process characteristics of Winnti Pipemon malware reported by ESET.

Winnti Pipemon Characteristics (IP)

Detects specific process characteristics of Winnti Pipemon malware reported by ESET.

Winnti Pipemon Characteristics (Username)

Detects specific process characteristics of Winnti Pipemon malware reported by ESET.

Write-only SNMP attempt from external

Probing for the default SNMP write password is a way to bypass network security hardware.

XSL Script Processing (Host)

Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. This rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.

XSL Script Processing (User)

Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. This rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.

ZScaler Proxy-Traffic to Malicious Categorized Domain (IP)

ZScaler Detected Traffic to Malicious Categorized Domain from {{srcDevice_ip}}

ZScaler Proxy-Traffic to Malicious Categorized Domain (Username)

ZScaler Detected Traffic to Malicious Categorized Domain from {{user_username}}

ZeroLogon Privilege Escalation Behavior

An attack against CVE-2020-1472 may create thousands of NetrServerReqChallenge & NetrServerAuthenticate3 requests in a short amount of time. https://github.com/SecuraBV/CVE-2020-1472

Zscaler - Elevated Risk Score Events

Zscaler generated a record with an elevated risk score of {{fields['riskscore']}} from the user {{user_username}} and IP address {{srcDevice_ip}}.

iOS Implant URL Pattern

Detects a string in an HTTP request URL that is associated with an iOS implant. Ref: https://googleprojectzero.blogspot.c...-teardown.html https://twitter.com/craiu/status/1167358457344925696

vpnoverdns.com DNS lookup

vpnoverdns.com is a free service providing VPN functionality over DNS. DNS resolutions for *.tun.vpnoverdns.com indicate usage of their VPN service. The service describes itself as "Data exfiltration, for those times when everything else is blocked."