Cyber Threat Intelligence (CTI) Attack Taxonomy

List of Available Attack Detection API Correlation Rules (49):

AttackDetection – Execution with AT – RuleIn order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows built-in command AT (at.exe) to schedule a command to be run at a specified time, date, and even host.T1053T1053.002
AttackDetection – Running executables with same hash and different names – RuleExecutables are generally not renamed, thus a given hash of an executable should only have ever one name.T1036T1036.003
AttackDetection – Active Directory Dumping via NTDSUtil – RuleThe NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz.T1003T1003.003
AttackDetection – Squiblydoo – RuleSquiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting.T1218T1218.010
AttackDetection – Services launching Cmd – RuleTo be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, then it will timeout (default is 30 seconds) and the process will be killed. To survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired commandT1543T1543.003
AttackDetection – Credential Dumping via Windows Task Manager – RuleThe Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz.T1003T1003.001
AttackDetection – UAC Bypass – RuleBypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source UACME tool.T1548T1548.002
AttackDetection – Command Launched from WinLogon – RuleAn adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access.T1546T1546.008
AttackDetection – Host Discovery Commands – RuleWhen entering on a host for the first time, an adversary may try to discover information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment.T1087 T1069 T1016 T1082 T1033 T1057 T10071087.001 1087.002 1069.001 1069.002
AttackDetection – Create Remote Process via WMIC – RuleAdversaries may use Windows Management Instrumentation (WMI) to move laterally, by launching executables remotely.T1047None
AttackDetection – Generic Regsvr32: Main Pattern – RuleRegsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool.T1218T1218.010
AttackDetection – Generic Regsvr32: Spawning Child Processes – RuleRegsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool.T1218T1218.010
AttackDetection – Powershell Execution – RulePowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.T1059T1059.001
AttackDetection – Suspicious Arguments – RuleMalicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. Any tool of interest with commonly known command line usage can be detecting by command line analysis (PuTTY, port forwarding, scp, mimikatz, RAR, archive) – excluding IP address search.T1003 T1021 T1105T1003.001
AttackDetection – Lsass Process Dump via Procdump: Process Create – RuleProcDump is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps. ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz.T1003T1003.001
AttackDetection – User Activity from Clearing Event Logs (Security) – RuleIt is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. Alerting when a “Clear Event Log” is generated could point to this intruder technique.T1070T1070.001
AttackDetection – Simultaneous Logins on a Host – RuleMultiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.T1078T1078.002 T1078.003
AttackDetection – Execution with schtasks – RuleScheduled tasks tool can be used to gain Persistence and can be used in combination with a Lateral Movement technique to remotely gain execution.T1053T1053.001 T1053.002 T1053.003 T1053.004 T1053.005
AttackDetection – Quick execution of a series of suspicious commands – RuleCertain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.T1087 T1003 T1069 T1057 T1021 T1543 T1112 T1574 T1018 T1569 T1053 T1029 T1033 T1007 T1082 T1049 T1016 T1010 T1518 T1046 T1562 T1098 T1059 T1012T1087.001 T1087.002 T1003.002 T1069.001 T1069.002 T1021.002 T1543.003 T1574.011 T1569.002 T1053.002 T1053.005 T1518.001 T1562.001 T1562.006 T1059.005
AttackDetection – Reg.exe called from Command Shell – RuleThe built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. If it is not, the process tree might be malicious.T1012 T1112 T1547 T1574T1547.001 T1574.011
AttackDetection – Remote PowerShell Sessions – RuleAccording to ATT&CK, PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exeT1059 T1021T1059.001 T1021.006
AttackDetection – User Logged in to Multiple Hosts – RuleMost users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of Lateral Movement.T1078T1078.002 T1078.003
AttackDetection – Suspicious Run Locations – RuleIn Windows, files should never execute out of certain directory locations. Any of these locations may exist for a variety of reasons, and executables may be present in the directory but should not execute.T1036None
AttackDetection – Processes Spawning cmd.exe – RuleThe Windows Command Prompt (cmd.exe) is a utility that provides a command line interface to Windows operating systems. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process cmd.exe from certain parents may be more indicative of malice.T1059T1059.003
AttackDetection – RDP Connection Detection – RuleThe Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. RDP can be detected in several ways. This rule detects it via the authentication events.T1021T1021.001
AttackDetection – RunDLL32.exe monitoring – RuleAdversaries may find it necessary to use Dynamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be “executed” is through the use of the built-in Windows utility RunDLL32, which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point.T1218T1218.011
AttackDetection – Successful Local Account Login – RuleAdversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass The Hash for lateral movement is detected with the authentication events in this rule.T1550T1550.002
AttackDetection – Scheduled Task FileAccess – RuleIn order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Note: Need to add file_path field to Endpoint.Proccesses Dataset and make sure action field for EventCode=11 is properly extracted as “created”.T1053T1053.005
AttackDetection – Compiled HTML Access – RuleAdversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic.T1218T1218.001
AttackDetection – Network Share Connection Removal – RuleAdversaries may use network shares to exfliltrate date; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via commandline, which is otherwise a rare event.T1070T1070.005
AttackDetection – Local Network Sniffing – RuleAdversaries may use a variety of tools to gain visibility on the current status of things on the network: which processes are listening on which ports, which services are running on other hosts, etc.T1040None
AttackDetection – DLL Injection with Mavinject – RuleThe ways of injecting a malicious DLL into a process are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows.T1055T1055.001
AttackDetection – MSBuild and msxsl – RuleTrusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe and msxsl.exe.T1127T1127.001
AttackDetection – Component Object Model Hijacking – RuleAdversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys.T1546T1546.015
AttackDetection – CMSTP – RuleCMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to setup listeners that will receive and install malware from remote sources in trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP.T1218T1218.003
AttackDetection – Registry Edit from Screensaver – RuleAdversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs.T1546T1546.002
AttackDetection – Credentials in Files & Registry – RuleAdversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as “password”.T1552T1552.001 T1552.002
AttackDetection – AppInit DLLs – RuleAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes.T1546T1546.010
AttackDetection – Clear Powershell Console Command History – RuleAdversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console, or turning off history saving to begin with. This analytic looks for several commands that would do this.T1070T1070.003
AttackDetection – Indicator Blocking – Driver Unloaded – RuleAdversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility.T1562T1562.006
AttackDetection – Processes Started From Irregular Parent – RuleAdversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect.T1068None
AttackDetection – Local Permission Group Discovery – RuleCyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives.T1069T1069.001 T1069.002
AttackDetection – Unusual Child Process for Spoolsv.Exe or Connhost.Exe – RuleA common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity.T1068None
AttackDetection – Unusual Child Process spawned using DDE exploit – RuleAdversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. This analytic looks for unusually spawned child process.T1559T1559.002
AttackDetection – Webshell-Indicative Process Tree – RuleA web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment.T1505T1505.003
AttackDetection – Detecting Tampering of Windows Defender Command Prompt – RuleIn an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services.T1562T1562.001
AttackDetection – Identifying Port Scanning Activity – RuleAfter compromising an initial machine, adversaries commonly attempt to laterally move across the network. The first step to attempt the lateral movement often involves conducting host identification, port and service scans on the internal network via the compromised machine using tools such as Nmap, Cobalt Strike, etc.T1046None
AttackDetection – Disable UAC – RuleThreat actors often, after compromising a machine, try to disable User Access Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using “reg.exe”, a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts.T1548T1548.002
AttackDetection – Detecting Shadow Copy Deletion via Vssadmin.exe – RuleAfter compromising a network of systems, threat actors often try to delete Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies.T1490None
Table 1. Taxonomy of Cyber Attack referenced from Mitre Attack, Splunk, and Seynur.