List of Available Attack Detection API Correlation Rules (49):
Name | Description | Technique(s) | Subtechnique(s) |
---|---|---|---|
AttackDetection – Execution with AT – Rule | In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows built-in command AT (at.exe) to schedule a command to be run at a specified time, date, and even host. | T1053 | T1053.002 |
AttackDetection – Running executables with same hash and different names – Rule | Executables are generally not renamed, so a given hash of an executable should only ever have one name. | T1036 | T1036.003 |
AttackDetection – Active Directory Dumping via NTDSUtil – Rule | The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. | T1003 | T1003.003 |
AttackDetection – Squiblydoo – Rule | Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. | T1218 | T1218.010 |
AttackDetection – Services launching Cmd – Rule | To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, it will time out (default is 30 seconds) and the process will be killed. To survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. | T1543 | T1543.003 |
AttackDetection – Credential Dumping via Windows Task Manager – Rule | The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. | T1003 | T1003.001 |
AttackDetection – UAC Bypass – Rule | Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source UACME tool. | T1548 | T1548.002 |
AttackDetection – Command Launched from WinLogon – Rule | An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. | T1546 | T1546.008 |
AttackDetection – Host Discovery Commands – Rule | When entering a host for the first time, an adversary may try to discover information about the host. There are several built-in Windows commands that can be used to learn about the software configuration, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. | T1087 T1069 T1016 T1082 T1033 T1057 T1007 | T1087.001 T1087.002 T1069.001 T1069.002 |
AttackDetection – Create Remote Process via WMIC – Rule | Adversaries may use Windows Management Instrumentation (WMI) to move laterally, by launching executables remotely. | T1047 | None |
AttackDetection – Generic Regsvr32: Main Pattern – Rule | Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. | T1218 | T1218.010 |
AttackDetection – Generic Regsvr32: Spawning Child Processes – Rule | Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. | T1218 | T1218.010 |
AttackDetection – Powershell Execution – Rule | PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. | T1059 | T1059.001 |
AttackDetection – Suspicious Arguments – Rule | Malicious actors may rename built-in commands or external tools, such as those provided by Sysinternals, to better blend in with the environment. Any tool of interest with commonly known command line usage can be detected by command line analysis (PuTTY, port forwarding, scp, mimikatz, RAR, archive) – excluding IP address search. | T1003 T1021 T1105 | T1003.001 |
AttackDetection – Lsass Process Dump via Procdump: Process Create – Rule | ProcDump is a Sysinternals command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps. ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. | T1003 | T1003.001 |
AttackDetection – User Activity from Clearing Event Logs (Security) – Rule | It is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. Alerting when a “Clear Event Log” is generated could point to this intruder technique. | T1070 | T1070.001 |
AttackDetection – Simultaneous Logins on a Host – Rule | Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. | T1078 | T1078.002 T1078.003 |
AttackDetection – Execution with schtasks – Rule | Scheduled tasks tool can be used to gain Persistence and can be used in combination with a Lateral Movement technique to remotely gain execution. | T1053 | T1053.001 T1053.002 T1053.003 T1053.004 T1053.005 |
AttackDetection – Quick execution of a series of suspicious commands – Rule | Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing. | T1087 T1003 T1069 T1057 T1021 T1543 T1112 T1574 T1018 T1569 T1053 T1029 T1033 T1007 T1082 T1049 T1016 T1010 T1518 T1046 T1562 T1098 T1059 T1012 | T1087.001 T1087.002 T1003.002 T1069.001 T1069.002 T1021.002 T1543.003 T1574.011 T1569.002 T1053.002 T1053.005 T1518.001 T1562.001 T1562.006 T1059.005 |
AttackDetection – Reg.exe called from Command Shell – Rule | The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. If it is not, the process tree might be malicious. | T1012 T1112 T1547 T1574 | T1547.001 T1574.011 |
AttackDetection – Remote PowerShell Sessions – Rule | According to ATT&CK, PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe. | T1059 T1021 | T1059.001 T1021.006 |
AttackDetection – User Logged in to Multiple Hosts – Rule | Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of Lateral Movement. | T1078 | T1078.002 T1078.003 |
AttackDetection – Suspicious Run Locations – Rule | In Windows, files should never execute out of certain directory locations. Any of these locations may exist for a variety of reasons, and executables may be present in the directory but should not execute. | T1036 | None |
AttackDetection – Processes Spawning cmd.exe – Rule | The Windows Command Prompt (cmd.exe) is a utility that provides a command line interface to Windows operating systems. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process cmd.exe from certain parents may be more indicative of malice. | T1059 | T1059.003 |
AttackDetection – RDP Connection Detection – Rule | The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. RDP can be detected in several ways. This rule detects it via the authentication events. | T1021 | T1021.001 |
AttackDetection – RunDLL32.exe monitoring – Rule | Adversaries may find it necessary to use Dynamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be “executed” is through the use of the built-in Windows utility RunDLL32, which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point. | T1218 | T1218.011 |
AttackDetection – Successful Local Account Login – Rule | Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass The Hash for lateral movement is detected with the authentication events in this rule. | T1550 | T1550.002 |
AttackDetection – Scheduled Task FileAccess – Rule | In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Note: the file_path field needs to be added to the Endpoint.Processes dataset, and the action field for EventCode=11 must be properly extracted as “created”. | T1053 | T1053.005 |
AttackDetection – Compiled HTML Access – Rule | Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic. | T1218 | T1218.001 |
AttackDetection – Network Share Connection Removal – Rule | Adversaries may use network shares to exfiltrate data; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via the command line, which is otherwise a rare event. | T1070 | T1070.005 |
AttackDetection – Local Network Sniffing – Rule | Adversaries may use a variety of tools to gain visibility on the current status of things on the network: which processes are listening on which ports, which services are running on other hosts, etc. | T1040 | None |
AttackDetection – DLL Injection with Mavinject – Rule | The ways of injecting a malicious DLL into a process are numerous; mavinject.exe is a commonly used tool for doing so because it rolls up many of the necessary steps into one, and is available within Windows. | T1055 | T1055.001 |
AttackDetection – MSBuild and msxsl – Rule | Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe and msxsl.exe. | T1127 | T1127.001 |
AttackDetection – Component Object Model Hijacking – Rule | Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. | T1546 | T1546.015 |
AttackDetection – CMSTP – Rule | CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to set up listeners that will receive and install malware from remote sources in a trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP. | T1218 | T1218.003 |
AttackDetection – Registry Edit from Screensaver – Rule | Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs. | T1546 | T1546.002 |
AttackDetection – Credentials in Files & Registry – Rule | Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as “password”. | T1552 | T1552.001 T1552.002 |
AttackDetection – AppInit DLLs – Rule | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. | T1546 | T1546.010 |
AttackDetection – Clear Powershell Console Command History – Rule | Adversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console, or turning off history saving to begin with. This analytic looks for several commands that would do this. | T1070 | T1070.003 |
AttackDetection – Indicator Blocking – Driver Unloaded – Rule | Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. | T1562 | T1562.006 |
AttackDetection – Processes Started From Irregular Parent – Rule | Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. | T1068 | None |
AttackDetection – Local Permission Group Discovery – Rule | Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives. | T1069 | T1069.001 T1069.002 |
AttackDetection – Unusual Child Process for Spoolsv.Exe or Connhost.Exe – Rule | A common way of escalating privileges in a system is by externally invoking and exploiting the spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us to any potentially malicious activity. | T1068 | None |
AttackDetection – Unusual Child Process spawned using DDE exploit – Rule | Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. This analytic looks for unusually spawned child processes. | T1559 | T1559.002 |
AttackDetection – Webshell-Indicative Process Tree – Rule | A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gateway into a network. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment. | T1505 | T1505.003 |
AttackDetection – Detecting Tampering of Windows Defender Command Prompt – Rule | In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. | T1562 | T1562.001 |
AttackDetection – Identifying Port Scanning Activity – Rule | After compromising an initial machine, adversaries commonly attempt to laterally move across the network. The first step to attempt the lateral movement often involves conducting host identification, port and service scans on the internal network via the compromised machine using tools such as Nmap, Cobalt Strike, etc. | T1046 | None |
AttackDetection – Disable UAC – Rule | After compromising a machine, threat actors often try to disable User Account Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using “reg.exe”, a legitimate tool provided by Microsoft for modifying the registry via the command prompt or scripts. | T1548 | T1548.002 |
AttackDetection – Detecting Shadow Copy Deletion via Vssadmin.exe – Rule | After compromising a network of systems, threat actors often try to delete shadow copies in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool for interacting with shadow copies. | T1490 | None |