Product: NPE
Use-Case: Evasion
Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
---|---|---|---|---|
77 | 3 | 34 | 1 | 1 |
Event Type: process-created

Rules (grouped by MITRE ATT&CK TTP):

T1564.001
↳ A-HiddenFile-Attrib: Hidden system Windows file was created using the attrib.exe on this asset.
↳ A-HiddenFile-SetFile: File was hidden using SetFile on this asset.
↳ A-HiddenFile-ChFlags: File was hidden using ChFlags on this asset.
↳ HiddenFile-Attrib: Hidden system Windows file was created using the attrib.exe
↳ HiddenFile-SetFile: File was hidden using SetFile
↳ HiddenFile-ChFlags: File was hidden using ChFlags

T1059 - Command and Scripting Interpreter
↳ A-TasksFolder-Evasion: The 'tasks' directory was observed in a file creation command on this asset
↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset
↳ A-RASdial-Activity: Process was executed on this asset with rasdial as a command line argument.
↳ TasksFolder-Evasion: The 'tasks' directory was observed in a file creation command
↳ ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion
↳ RASdial-Activity: Process was executed with rasdial as a command line argument.

T1218.008
↳ A-Odbcconf-DLL-Load: DLL loaded on this asset via odbcconf.exe execution.
↳ Odbcconf-DLL-Load: DLL loaded via odbcconf.exe execution.

T1218.010 - Signed Binary Proxy Execution: Regsvr32
↳ Odbcconf-DLL-Load: DLL loaded via odbcconf.exe execution.

T1218.011 - Signed Binary Proxy Execution: Rundll32
↳ A-EPA-Rundll-FTP-F: First rundll activity for FTP firewall port blocking/unblocking on the asset.
↳ A-EPA-Rundll-FTP-A: Abnormal rundll activity for FTP firewall port blocking/unblocking
↳ Odbcconf-DLL-Load: DLL loaded via odbcconf.exe execution.

T1218 - Signed Binary Proxy Execution
↳ A-Applocker-Bypass: Execution of executables that can be used to bypass Applocker on this asset
↳ A-Bginfo-App-Whitelisting: VBscript referenced in a .bgi file was executed on this asset.
↳ A-DNX-App-Whitelisting: C# code located in consoleapp folder was executed on this asset.
↳ A-Dxcap-Possible-Subprocess: Dxcap.exe was executed on this asset.
↳ Applocker-Bypass: Execution of executables that can be used to bypass Applocker
↳ Bginfo-App-Whitelisting: VBscript referenced in a .bgi file was executed.
↳ DNX-App-Whitelisting: C# code located in consoleapp folder was executed.
↳ Dxcap-Possible-Subprocess: Dxcap.exe was executed.

T1027.004 - Obfuscated Files or Information: Compile After Delivery
↳ A-DNX-App-Whitelisting: C# code located in consoleapp folder was executed on this asset.
↳ DNX-App-Whitelisting: C# code located in consoleapp folder was executed.

T1027 - Obfuscated Files or Information
↳ A-Ping-Hex-IP: A ping command used a hex decoded IP address on this asset.
↳ A-Certutil-Encode: Certutil commands to encode files were used on this asset.
↳ EXPERT-POWERSHELL-ENCRYPTED: Encrypted argument in a Powershell command detected
↳ Ping-Hex-IP: A ping command used a hex decoded IP address
↳ Sus-Encoded-PS-CmdLine: Suspicious Powershell process was started with base64 encoded commands.
↳ Base64-Powershell-CmdLine-Keywords: Base64 encoded strings were found in hidden malicious Powershell command lines
↳ Certutil-Encode: Certutil commands to encode files were used.

T1059.005
↳ A-Bginfo-App-Whitelisting: VBscript referenced in a .bgi file was executed on this asset.
↳ Bginfo-App-Whitelisting: VBscript referenced in a .bgi file was executed.

T1070 - Indicator Removal on Host
↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset
↳ A-Unauthorized-MBR-Mods: Bcdedit.exe has signs of malicious unauthorized usage on this asset.
↳ ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion
↳ Unauthorized-MBR-Mods: Bcdedit.exe has signs of malicious unauthorized usage.

T1542.003
↳ A-Unauthorized-MBR-Mods: Bcdedit.exe has signs of malicious unauthorized usage on this asset.
↳ Unauthorized-MBR-Mods: Bcdedit.exe has signs of malicious unauthorized usage.

T1197 - BITS Jobs
↳ A-BITS-Suspicious-Service: First abnormal BITS job created on the asset.
↳ BITS-Suspicious-Service: First abnormal BITS jobs created on the endpoint

T1562.006
↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset
↳ ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion
↳ Sysmon-Driver-Unload: Possible Sysmon driver unloaded.

T1562.004 - Impair Defenses: Disable or Modify System Firewall
↳ A-Firewall-Disabled-Netsh: Windows firewall was turned off using netsh commands on this asset.
↳ A-Netsh-Connections-Win-Firewall: Netsh commands were used to allow incoming connections by Port or Application on Windows Firewall on this asset.
↳ A-EPA-Rundll-FTP-F: First rundll activity for FTP firewall port blocking/unblocking on the asset.
↳ A-EPA-Rundll-FTP-A: Abnormal rundll activity for FTP firewall port blocking/unblocking
↳ Firewall-Disabled-Netsh: Windows firewall was turned off using netsh commands.
↳ Netsh-Connections-Win-Firewall: Netsh commands were used to allow incoming connections by Port or Application on Windows Firewall.

T1036 - Masquerading
↳ A-Winword-Uncommon-Process: 'MicroScMgmt' executable run by 'WinWord.exe' on this asset
↳ A-Taskmgr-Local-System: A taskmgr.exe process was executed in the context of LOCAL_SYSTEM
↳ A-Sys-File-Exec-Anomaly: A Windows program executable was started in a suspicious folder on this asset.
↳ A-Taskmgr-as-Parent: A process was created from Windows task manager on this asset.
↳ Winword-Uncommon-Process: 'MicroScMgmt' executable run by 'WinWord.exe'
↳ Sys-File-Exec-Anomaly: A Windows program executable was started in a suspicious folder.
↳ Taskmgr-as-Parent: A process was created from Windows task manager.
↳ Sus-Double-Extension: An .exe extension was used after a different non-executable file extension.

T1059.001 - Command and Scripting Interpreter: PowerShell
↳ A-Base64-CommandLine: Base64 string in command line execution on this asset
↳ A-Powershell-AMSI-Bypass-NET: Request to amsiInitFailed that can be used to disable AMSI Scanning was found on this asset.
↳ A-Sus-Powershell-Param: Powershell was invoked with a suspicious parameter substring on this asset.
↳ EXPERT-POWERSHELL-ENCRYPTED: Encrypted argument in a Powershell command detected
↳ Base64-CommandLine: Base64 string in command line
↳ Powershell-AMSI-Bypass-NET: Request to amsiInitFailed that can be used to disable AMSI Scanning was found.
↳ Sus-Powershell-Param: Powershell was invoked with a suspicious parameter substring
↳ Sus-Encoded-PS-CmdLine: Suspicious Powershell process was started with base64 encoded commands.
↳ Base64-Powershell-CmdLine-Keywords: Base64 encoded strings were found in hidden malicious Powershell command lines

T1562.001
↳ A-Powershell-AMSI-Bypass-NET: Request to amsiInitFailed that can be used to disable AMSI Scanning was found on this asset.
↳ Powershell-AMSI-Bypass-NET: Request to amsiInitFailed that can be used to disable AMSI Scanning was found.

T1574 - Hijack Execution Flow
↳ A-TasksFolder-Evasion: The 'tasks' directory was observed in a file creation command on this asset
↳ TasksFolder-Evasion: The 'tasks' directory was observed in a file creation command

T1036.005 - Masquerading: Match Legitimate Name or Location
↳ A-Sus-MsiExec-Directory: Suspicious msiexec process started in an uncommon directory on this asset.
↳ A-Sus-Svchost-Process: A suspicious svchost process was started on this asset.
↳ A-Win-Proc-Sus-Parent: A suspicious parent process of well-known Windows processes was detected on this asset.
↳ Sus-MsiExec-Directory: Suspicious msiexec process started in an uncommon directory.
↳ Sus-Svchost-Process: A suspicious svchost process was started.
↳ Win-Proc-Sus-Parent: A suspicious parent process of well-known Windows processes was detected.

T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
↳ A-Applocker-Bypass: Execution of executables that can be used to bypass Applocker on this asset
↳ Applocker-Bypass: Execution of executables that can be used to bypass Applocker

T1218.004 - Signed Binary Proxy Execution: InstallUtil
↳ A-Applocker-Bypass: Execution of executables that can be used to bypass Applocker on this asset
↳ Applocker-Bypass: Execution of executables that can be used to bypass Applocker

T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm
↳ A-Applocker-Bypass: Execution of executables that can be used to bypass Applocker on this asset
↳ Applocker-Bypass: Execution of executables that can be used to bypass Applocker

T1202 - Indirect Command Execution
↳ A-Indirect-Cmd-Exec: An indirect command was executed via Program Compatibility Assistant pcalua.exe or forfiles.exe on this asset.
↳ Indirect-Cmd-Exec: An indirect command was executed via Program Compatibility Assistant pcalua.exe or forfiles.exe.

T1140 - Deobfuscate/Decode Files or Information
↳ A-Base64-CommandLine: Base64 string in command line execution on this asset
↳ A-CertUtil-Suspicious-Usage: The 'certutil' Windows utility was used with known suspicious command line flags on this asset
↳ Base64-CommandLine: Base64 string in command line
↳ CertUtil-Suspicious-Usage: The 'certutil' Windows utility was used with known suspicious command line flags
↳ Ping-Hex-IP: A ping command used a hex decoded IP address

T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
↳ A-EventLog-Tamper: EventLog has been tampered with on this asset
↳ EventLog-Tamper: EventLog has been tampered with

T1105 - Ingress Tool Transfer
↳ A-CertUtil-Suspicious-Usage: The 'certutil' Windows utility was used with known suspicious command line flags on this asset
↳ CertUtil-Suspicious-Usage: The 'certutil' Windows utility was used with known suspicious command line flags

T1564.004 - Hide Artifacts: NTFS File Attributes
↳ A-Powershell-ADS: Powershell invoked using 'Alternate Data Stream' on this asset
↳ Powershell-ADS: Powershell invoked using 'Alternate Data Stream'

T1036.003 - Masquerading: Rename System Utilities
↳ A-PSExec-Rename: PS Exec used on this asset
↳ PSExec-Rename: PS Exec used

T1203 - Exploitation for Client Execution
↳ A-EquationEditor-Droppers: Possible 'Eqnedt32.exe' exploit usage on this asset
↳ EquationEditor-Droppers: Possible 'Eqnedt32.exe' exploit usage

T1484.001
↳ OG-SYSVOL-F: Suspicious SYSVOL Domain Group Policy Access for the first time for this peer group
↳ OG-SYSVOL-A: Abnormal SYSVOL Domain Group Policy Access for this peer group

T1552.006
↳ OG-SYSVOL-F: Suspicious SYSVOL Domain Group Policy Access for the first time for this peer group
↳ OG-SYSVOL-A: Abnormal SYSVOL Domain Group Policy Access for this peer group

T1543.003 - Create or Modify System Process: Windows Service
↳ EPA-RANDOM-SERVICE: Random service name for the user

T1218.002 - Signed Binary Proxy Execution: Control Panel
↳ EPA-CtrlPnl-A: First control panel function usage for peer group

T1562 - Impair Defenses
↳ A-Sysmon-Driver-Unload: Possible Sysmon driver unloaded on this asset.

Models:
• EPA-OG-SYSVOL: SYSVOL domain group policy access by group in the organization
• EPA-CntrlPnl: Control Panel actions for peer group
• A-EPA-Rundll-FTP: Rundll actions for FTP port blocking/unblocking on the asset