Product: Sysmon
Use-Case: Malware
Rules | Models | MITRE TTPs | Event Types | Parsers |
---|---|---|---|---|
256 | 39 | 70 | 6 | 6 |
Event Type: app-activity

Rules:
T1078 - Valid Accounts
  ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP

Event Type: dns-response

Rules:
T1071 - Application Layer Protocol
  ↳ A-DNS-MALDOM-RESPONSE: DNS query for blacklisted domain was successful from this asset
  ↳ A-DNS-DGADOM-RESPONSE: DNS query for DGA domain was successful from this asset
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  ↳ A-DNS-DGADOM-RESPONSE: DNS query for DGA domain was successful from this asset

Event Type: process-created

Rules:
T1003.002 - T1003.002
  ↳ ATP-PWDump: Malicious exe was run which is a part of credential dumping tool
T1059.005 - T1059.005
  ↳ A-WScript-CScript-Dropper: Wscript or Cscript used for script execution from User directories on this asset
  ↳ A-Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process on this asset
  ↳ A-Mshta-Script: Mshta.exe .NET code execution on this asset.
  ↳ WMIExec-VBS-Script: Suspicious usage of wscript/cscript
  ↳ WScript-CScript-Dropper: Wscript or Cscript used for script execution from User directories
  ↳ Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process
  ↳ Mshta-Script: Mshta.exe .NET code execution
T1059.007 - T1059.007
  ↳ A-WScript-CScript-Dropper: Wscript or Cscript used for script execution from User directories on this asset
  ↳ A-Mshta-Javascript: Mshta.exe has executed a javascript related command on this asset
  ↳ A-Mshta-Script: Mshta.exe .NET code execution on this asset.
  ↳ WScript-CScript-Dropper: Wscript or Cscript used for script execution from User directories
  ↳ Mshta-Javascript: Mshta.exe has executed a javascript related command
  ↳ Mshta-Script: Mshta.exe .NET code execution
T1218.005 - T1218.005
  ↳ A-CSC-Suspicious-Parent-Process: Suspicious parent process for csc.exe, possible payload delivery on this asset
  ↳ A-Baby-Shark-Activity: Activity related to Baby Shark malware has been found on this asset.
  ↳ A-MSHTA-SVCHOST: Mshta.exe spawned by svchost.exe, possible lateral movement on this asset
  ↳ A-Mshta-Javascript: Mshta.exe has executed a javascript related command on this asset
  ↳ A-Mshta-CMD-Spawn: Mshta.exe has executed a command line executable on this asset
  ↳ A-Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process on this asset
  ↳ A-PC-Mshta-Hta-F: First time hta file usage by Mshta.exe on this asset.
  ↳ A-PC-Mshta-Hta-A: Abnormal hta file usage by Mshta.exe on this asset.
  ↳ A-DotNET-URL: DotNET command line contains remote file on this asset.
  ↳ A-Mshta-Script: Mshta.exe .NET code execution on this asset.
  ↳ CSC-Suspicious-Parent-Process: Suspicious parent process for csc.exe, possible payload delivery
  ↳ Baby-Shark-Activity: Activity related to Baby Shark malware has been found.
  ↳ MSHTA-SVCHOST: Mshta.exe spawned by svchost.exe, possible lateral movement
  ↳ Mshta-Javascript: Mshta.exe has executed a javascript related command
  ↳ Mshta-CMD-Spawn: Mshta.exe has executed a command line executable
  ↳ Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process
  ↳ PC-Mshta-Hta-F: First time hta file usage by Mshta.exe
  ↳ PC-Mshta-Hta-A: Abnormal hta file usage by Mshta.exe
  ↳ PC-ParentName-ProcessName-DotNET-A: Abnormal child process creation for .NET associated process
  ↳ DotNET-URL: DotNET command line contains remote file
  ↳ Mshta-Script: Mshta.exe .NET code execution
T1047 - Windows Management Instrumentation
  ↳ A-Squibly-Two: A WMI SquiblyTwo Attack with possibly renamed WMI by looking for imphash was detected on this asset.
  ↳ A-DotNET-URL: DotNET command line contains remote file on this asset.
  ↳ Powershell-WMI-F: First time for user using powershell WMI
  ↳ Powershell-WMI-A: Abnormal user using powershell WMI
  ↳ Squibly-Two: A WMI SquiblyTwo Attack with possibly renamed WMI by looking for imphash was detected.
  ↳ PC-ParentName-ProcessName-DotNET-A: Abnormal child process creation for .NET associated process
  ↳ DotNET-URL: DotNET command line contains remote file
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
  ↳ A-PC-MSBuild-xml-F: First time xml file usage by MSBuild.exe on this asset.
  ↳ A-PC-MSBuild-Csproj-F: First time csproj file usage by MSBuild.exe on this asset.
  ↳ A-DotNET-URL: DotNET command line contains remote file on this asset.
  ↳ PC-MSBuild-xml-F: First time xml file usage by MSBuild.exe
  ↳ PC-MSBuild-Csproj-F: First time csproj file usage by MSBuild.exe
  ↳ PC-ParentName-ProcessName-DotNET-A: Abnormal child process creation for .NET associated process
  ↳ DotNET-URL: DotNET command line contains remote file
T1218.004 - Signed Binary Proxy Execution: InstallUtil
  ↳ A-PC-InstallUtil-exe-F: First time exe file usage by InstallUtil.exe on this asset.
  ↳ A-PC-InstallUtil-exe-A: Abnormal exe file usage by InstallUtil.exe on this asset.
  ↳ A-PC-InstallUtil-dll-F: First time dll file usage by InstallUtil.exe on this asset.
  ↳ A-PC-InstallUtil-dll-A: Abnormal dll file usage by InstallUtil.exe on this asset.
  ↳ A-DotNET-URL: DotNET command line contains remote file on this asset.
  ↳ PC-ParentName-ProcessName-DotNET-A: Abnormal child process creation for .NET associated process
  ↳ PC-InstallUtil-exe-F: First time exe file usage by InstallUtil.exe
  ↳ PC-InstallUtil-exe-A: Abnormal exe file usage by InstallUtil.exe
  ↳ PC-InstallUtil-dll-F: First time dll file usage by InstallUtil.exe
  ↳ PC-InstallUtil-dll-A: Abnormal dll file usage by InstallUtil.exe
  ↳ DotNET-URL: DotNET command line contains remote file
T1218.010 - Signed Binary Proxy Execution: Regsvr32
  ↳ A-Empire-Monkey: EmpireMonkey APT activity was found on this asset.
  ↳ A-Regsvr32-Suspicious-Cmd: Suspicious command line arguments related to regsvr32.exe have been observed on this asset.
  ↳ A-PC-Regsvr32-sct-F: First time sct file usage by Regsvr32.exe on this asset.
  ↳ A-PC-Regsvr32-sct-A: Abnormal sct file usage by Regsvr32.exe on the asset.
  ↳ Empire-Monkey: EmpireMonkey APT activity was found
  ↳ Regsvr32-Suspicious-Cmd: Suspicious commands related to regsvr32.exe have been observed.
  ↳ PC-Regsvr32-sct-F: First time sct file usage by Regsvr32.exe
  ↳ PC-Regsvr32-sct-A: Abnormal sct file usage by Regsvr32.exe
  ↳ PC-ParentName-ProcessName-DotNET-A: Abnormal child process creation for .NET associated process
  ↳ DotNET-URL: DotNET command line contains remote file
TA0002 - TA0002
  ↳ A-EPA-HP-F: First execution of process on asset
  ↳ A-EPA-HP-A: Abnormal execution of process on asset
  ↳ A-EPA-ZP-A: Abnormal execution of process for the asset in this zone
  ↳ A-EPA-ZP-F: First execution of process for the asset in this zone
  ↳ A-EPA-OP-F: First execution of process for the asset in this organization
  ↳ A-EPA-OP-A: Abnormal execution of process for the asset in this organization
  ↳ A-EPA-HPP-F: First parent-process combination on asset
  ↳ A-EPA-HPP-A: Abnormal parent-process combination on asset
  ↳ A-EPA-OPP-F: First parent-process combination in this organization
  ↳ A-EPA-OPP-A: Abnormal parent-process combination in this organization
  ↳ A-EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset
  ↳ A-EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory
  ↳ A-Emotet: A process associated with the Emotet malware has been executed on this asset
  ↳ A-Qbot: Artifacts related to Qbot banking malware have been observed on this asset
  ↳ A-TropicTrooper-APT: Possible TropicTrooper APT artifacts observed on this asset
  ↳ EPA-UP-A: Abnormal execution of process for user
  ↳ EPA-GP-F: First execution of process for this peer group
  ↳ EPA-GP-A: Abnormal execution of process for this peer group
  ↳ EPA-OP-F: First execution of process in this organization
  ↳ EPA-OP-A: Abnormal execution of process in this organization
  ↳ EPA-HP-F: First execution of process on host
  ↳ EPA-PDir-F: First execution of a process in this directory for the organization
  ↳ EPA-HDir-Server-F: First execution of a process in this directory on a server
  ↳ EPA-PH-F: First execution of process (vssadmin.exe) on host
  ↳ EPA-F-CLI: Suspicious Windows process executed
  ↳ EPA-UH-Pen-F: Known pentest tool used
  ↳ EPA-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user during endpoint activity
  ↳ EPA-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user during endpoint activity
  ↳ TropicTrooper-APT: Possible TropicTrooper APT artifacts observed
  ↳ SW-UC: Unusual child process loaded by SolarWinds tool
  ↳ ParentProcess-P-F: First execution of this parent process for peer group.
  ↳ ParentProcess-P-A: Abnormal parent process for peer group
T1059.001 - Command and Scripting Interpreter: PowerShell
  ↳ A-Suspicious-Persistence: Suspicious 'schtask' creation, possible attack tool usage on this asset
  ↳ A-Sus-Powershell-Invocation-Parent-Proc: Suspicious Powershell invocation from interpreters or unusual programs on this asset.
  ↳ A-Sus-Encoded-PS-CmdLine: Suspicious Powershell process was started with base64 encoded commands on this asset.
  ↳ A-Base64-Powershell-CmdLine-Keywords: Base64 encoded strings were found in hidden malicious Powershell command lines on this asset.
  ↳ A-Baby-Shark-Activity: Activity related to Baby Shark malware has been found on this asset.
  ↳ A-Non-Interactive-Powershell: Non-Interactive Powershell activity was found on this asset.
  ↳ A-Powershell-Script-AppData: Powershell was invoked in a suspicious command line execution with reference to an AppData folder on this asset.
  ↳ A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments
  ↳ A-Mshta-CMD-Spawn: Mshta.exe has executed a command line executable on this asset
  ↳ A-Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process on this asset
  ↳ A-WMI-Spawn-PowerShell: PowerShell was spawned via WMI on this asset.
  ↳ A-Powershell-CMDLETS: Malicious PowerShell script was used via get cmdlets function of PowerShell on the asset
  ↳ A-PowerShell-BITS-Job: BITS job via PowerShell was created on this asset.
  ↳ EPA-PU-PS-F: First execution of powershell process for user
  ↳ EPA-PU-PS-A: Abnormal execution of powershell process for user
  ↳ EPA-PG-PS-F: First execution of powershell process for this peer group
  ↳ EPA-PG-PS-A: Abnormal execution of powershell process for this peer group
  ↳ Powershell-Advanced-A: Abnormal user using advanced powershell capabilities
  ↳ Powershell-Commands-F: First new Powershell Command
  ↳ Powershell-Commands-A: Abnormal Powershell Command
  ↳ Powershell-Script-F: First time this powershell script has been run
  ↳ Powershell-RunType-A: Abnormal invocation of powershell
  ↳ Powershell-WMI-F: First time for user using powershell WMI
  ↳ Powershell-WMI-A: Abnormal user using powershell WMI
  ↳ Powershell-Empire: The attacker tool, Powershell Empire, has been used
  ↳ Suspicious-Persistence: Suspicious 'schtask' creation, possible attack tool usage
  ↳ Baby-Shark-Activity: Activity related to Baby Shark malware has been found.
  ↳ Non-Interactive-Powershell: Non-Interactive Powershell activity was found.
  ↳ Sus-Powershell-Invocation-Parent-Proc: Suspicious Powershell invocation from interpreters or unusual programs.
  ↳ Powershell-Script-AppData: Powershell was invoked in a suspicious command line execution with reference to an AppData folder.
  ↳ Operation-Wocao-Activity: Possible Operation-Wocao APT activity, suspicious command line arguments
  ↳ Mshta-CMD-Spawn: Mshta.exe has executed a command line executable
  ↳ Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process
  ↳ Powershell-CMDLETS: Malicious PowerShell script was used via get cmdlets function of PowerShell
  ↳ WMI-Spawn-PowerShell: PowerShell was spawned via WMI.
  ↳ PowerShell-BITS-Job: BITS job via PowerShell was created.
  ↳ PC-PowerShell-SocketCreate: Powershell TCP Socket Creation through Powershell.
  ↳ PC-PowerShell-ExchangeSnapIns: Exchange Snap-In was imported and run by Powershell.
  ↳ PC-PowerShell-PowerCatDownload: PowerCat tool was downloaded via Powershell.
  ↳ PC-Powershell-HafniumActivity: Powershell HAFNIUM Activity
T1127 - Trusted Developer Utilities Proxy Execution
  ↳ A-CSharp-Interactive-Console: Execution of CSharp interactive console by PowerShell on this asset.
  ↳ A-Microsoft-Workflow-Compiler: Microsoft Workflow Compiler was invoked on this asset.
  ↳ A-CDB-App-Whitelisting: 64-bit shellcode was launched using cdb.exe on this asset.
  ↳ CSharp-Interactive-Console: Execution of CSharp interactive console by PowerShell.
  ↳ Microsoft-Workflow-Compiler: Microsoft Workflow Compiler was invoked.
  ↳ CDB-App-Whitelisting: 64-bit shellcode was launched using cdb.exe.
T1218 - Signed Binary Proxy Execution
  ↳ A-Devtoolslauncher-Binary: Devtoolslauncher.exe has executed a binary on this asset
  ↳ A-OpenWith-Exec-Cmd: OpenWith.exe executed via command line on this asset.
  ↳ A-CDB-App-Whitelisting: 64-bit shellcode was launched using cdb.exe on this asset.
  ↳ Devtoolslauncher-Binary: Devtoolslauncher.exe has executed a binary
  ↳ OpenWith-Exec-Cmd: OpenWith.exe executed via command line
  ↳ CDB-App-Whitelisting: 64-bit shellcode was launched using cdb.exe.
T1059.003 - T1059.003
  ↳ A-DLL-ULOAD-EquationGroup: A known 'Equation Group' artifact was observed on this asset
  ↳ A-TrojanLoader: Possible Trojan Loader activity on this asset
  ↳ A-ZxShell: Known backdoor software, ZxShell, possibly loaded on this asset
  ↳ A-Archer: 'Archer' malware executed on this asset
  ↳ A-Hanword-Subprocess: Suspicious processes spawned by the Hangul word processor on this asset
  ↳ A-Baby-Shark-Activity: Activity related to Baby Shark malware has been found on this asset.
  ↳ A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments
  ↳ A-Koadic-Tool-Usage: 'Koadic' attacker tool usage on this asset
  ↳ A-Mshta-CMD-Spawn: Mshta.exe has executed a command line executable on this asset
  ↳ A-Mustang-Panda-Dropper: Possible Mustang Panda droppers execution on this asset.
  ↳ DLL-ULOAD-EquationGroup: A known 'Equation Group' artifact was observed
  ↳ Hanword-Subprocess: Suspicious processes spawned by the Hangul word processor
  ↳ Baby-Shark-Activity: Activity related to Baby Shark malware has been found.
  ↳ Operation-Wocao-Activity: Possible Operation-Wocao APT activity, suspicious command line arguments
  ↳ Koadic-Tool-Usage: 'Koadic' attacker tool usage
  ↳ Mshta-CMD-Spawn: Mshta.exe has executed a command line executable
  ↳ FE-WC: Modified WMIPRVSE by FIREEYE for pentesting
  ↳ Mustang-Panda-Dropper: Possible Mustang Panda droppers execution.
T1197 - BITS Jobs
  ↳ A-PowerShell-BITS-Job: BITS job via PowerShell was created on this asset.
  ↳ A-Bitsadmin-Download: Bitsadmin was used to download a file on this asset.
  ↳ PowerShell-BITS-Job: BITS job via PowerShell was created.
  ↳ Bitsadmin-Download: Bitsadmin was used to download a file.
T1546.003 - T1546.003
  ↳ A-WMI-Spawn-PowerShell: PowerShell was spawned via WMI on this asset.
  ↳ FE-WC: Modified WMIPRVSE by FIREEYE for pentesting
  ↳ WMI-Script-Event-Consumers: Suspicious usage of WMI script event consumers.
  ↳ WMI-Spawn-PowerShell: PowerShell was spawned via WMI.
T1053 - Scheduled Task/Job
  ↳ A-Defrag-Deactivation: Scheduled defragmentation task was deactivated on this asset.
  ↳ ChaferAPT-Activity: Chafer APT related activity observed
  ↳ Defrag-Deactivation: Scheduled defragmentation task was deactivated.
T1218.011 - Signed Binary Proxy Execution: Rundll32
  ↳ A-DLL-ULOAD-EquationGroup: A known 'Equation Group' artifact was observed on this asset
  ↳ A-TrojanLoader: Possible Trojan Loader activity on this asset
  ↳ A-ZxShell: Known backdoor software, ZxShell, possibly loaded on this asset
  ↳ A-Archer: 'Archer' malware executed on this asset
  ↳ A-Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process on this asset
  ↳ A-Ordinal-Rundll32-Call: Suspicious calls of DLLs in rundll32.dll exports by ordinal on this asset.
  ↳ DLL-ULOAD-EquationGroup: A known 'Equation Group' artifact was observed
  ↳ Suspicious-Shell-Child-Process: Windows shell has spawned a suspicious process
  ↳ Ordinal-Rundll32-Call: Suspicious calls of DLLs in rundll32.dll exports by ordinal.
T1563.002 - T1563.002
  ↳ A-MSTSC-RDP-Hijack: MSTSC Shadowing, possible RDP session hijack/shadowing of session on this asset
  ↳ MSTSC-RDP-Hijack: MSTSC Shadowing, possible RDP session hijack/shadowing of session
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
  ↳ A-HH-EXE-CHM: HH.exe usage, possible code execution on this asset
  ↳ A-DotNET-URL: DotNET command line contains remote file on this asset.
  ↳ HH-EXE-CHM: HH.exe usage, possible code execution
T1012 - Query Registry
  ↳ A-Baby-Shark-Activity: Activity related to Baby Shark malware has been found on this asset.
  ↳ A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments
  ↳ Baby-Shark-Activity: Activity related to Baby Shark malware has been found.
  ↳ Operation-Wocao-Activity: Possible Operation-Wocao APT activity, suspicious command line arguments
T1027 - Obfuscated Files or Information
  ↳ A-Sus-Encoded-PS-CmdLine: Suspicious Powershell process was started with base64 encoded commands on this asset.
  ↳ A-Base64-Powershell-CmdLine-Keywords: Base64 encoded strings were found in hidden malicious Powershell command lines on this asset.
  ↳ A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments
  ↳ Operation-Wocao-Activity: Possible Operation-Wocao APT activity, suspicious command line arguments
T1036.004 - T1036.004
  ↳ A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments
  ↳ Operation-Wocao-Activity: Possible Operation-Wocao APT activity, suspicious command line arguments
T1059 - Command and Scripting Interpreter
  ↳ A-Outlook-Unsafe-Execution: A suspicious sub process was spawned by Microsoft Outlook on this asset
  ↳ A-TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed on this asset
  ↳ A-Dtrack: Known banking malware, Dtrack, observed on this asset
  ↳ A-Suspicious-DAT: A suspicious .dat file used, possible APT activity on this asset
  ↳ Outlook-Unsafe-Execution: A suspicious sub process was spawned by Microsoft Outlook
  ↳ TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed
  ↳ Suspicious-DAT: A suspicious .dat file used, possible APT activity
T1055 - Process Injection
  ↳ A-Svchost-Suspicious-Launch: Svchost.exe has launched without any command line arguments on this asset
  ↳ A-Formbook: Possible Formbook usage on this asset
  ↳ Svchost-Suspicious-Launch: Svchost.exe has launched without any command line arguments
T1482 - Domain Trust Discovery
  ↳ A-Trickbot-Recon: Trickbot malware domain recon activity on this asset
  ↳ Trickbot-Recon: Trickbot malware domain recon activity
T1203 - Exploitation for Client Execution
  ↳ A-Word-FLTLDR-Exploit-Vector: Possible loading of exploit using Microsoft Office and the fltldr.exe application on this asset
  ↳ A-Hanword-Subprocess: Suspicious processes spawned by the Hangul word processor on this asset
  ↳ A-WinWord-Uncommon-Subprocess: Winword has spawned an uncommon subprocess, csc.exe, on this asset
  ↳ A-PC-ParentName-UMWorkerProcess-F: First time child process creation for Exchange Unified Messaging service UMWorkerProcess.exe
  ↳ Word-FLTLDR-Exploit-Vector: Possible loading of exploit using Microsoft Office and the fltldr.exe application
  ↳ Hanword-Subprocess: Suspicious processes spawned by the Hangul word processor
  ↳ WinWord-Uncommon-Subprocess: Winword has spawned an uncommon subprocess, csc.exe
T1204.002 - T1204.002
  ↳ A-CMD-Spawn-From-Office: A command line executable was spawned from an Office application on this asset
  ↳ A-UserProcess-Spawned-FromOffice: An executable running under the 'Users' path has been spawned from an Office application on this asset
  ↳ A-WinWord-Uncommon-Subprocess: Winword has spawned an uncommon subprocess, csc.exe, on this asset
  ↳ CMD-Spawn-From-Office: A command line executable was spawned from an Office application
  ↳ UserProcess-Spawned-FromOffice: An executable running under the 'Users' path has been spawned from an Office application
  ↳ WinWord-Uncommon-Subprocess: Winword has spawned an uncommon subprocess, csc.exe
T1218.002 - Signed Binary Proxy Execution: Control Panel
  ↳ A-Suspicious-ControlPanel: Control Panel commandlets loaded outside the default directory on this asset
  ↳ Suspicious-ControlPanel: Control Panel commandlets loaded outside the default directory
T1547.002 - T1547.002
  ↳ DLL-SideLoading: DLL sideloading malware used, known artifact of APT27
T1574 - Hijack Execution Flow
  ↳ DLL-SideLoading: DLL sideloading malware used, known artifact of APT27
T1112 - Modify Registry
  ↳ ChaferAPT-Activity: Chafer APT related activity observed
T1546.001 - T1546.001
  ↳ A-FileType-Association-Change: File Association changed for this file extension on this asset
  ↳ FileType-Association-Change: File Association changed for this file extension
T1562 - Impair Defenses
  ↳ A-Java-Remote-Dubugging: Java executed with remote debugging enabled on this asset
  ↳ Java-Remote-Dubugging: Java executed with remote debugging enabled
T1113 - Screen Capture
  ↳ A-PSR-Screenshot: Psr.exe was used to take a screenshot on this asset
  ↳ PSR-Screenshot: Psr.exe was used to take a screenshot
T1505.003 - Server Software Component: Web Shell
  ↳ A-WebShell-CLI: Possible command line web shell detected on this asset
  ↳ A-WebShell-WebServer: Possible web server web shell detected on this asset
  ↳ A-Suspicious-IIS-Modules: Native-Code modules for IIS installed via command line on this asset
  ↳ A-PC-ParentName-W3WP-F: First time child process creation for Exchange web front-end process w3wp.exe
  ↳ WebShell-CLI: Possible command line web shell detected
  ↳ WebShell-WebServer: Possible web server web shell detected
  ↳ Suspicious-IIS-Modules: Native-Code modules for IIS installed via command line
T1547.001 - T1547.001
  ↳ A-AutoRun-Modification: AutoRun Keys modified using reg.exe on this asset
  ↳ AutoRun-Modification: AutoRun Keys modified using reg.exe
T1123 - Audio Capture
  ↳ A-Powershell-AudioCapture: Powershell has recorded external audio on this asset
  ↳ A-SoundRecorder-AudioCapture: SoundRecorder has recorded external audio on this asset
  ↳ Powershell-AudioCapture: Powershell has recorded external audio
  ↳ SoundRecorder-AudioCapture: SoundRecorder has recorded external audio
T1543.003 - Create or Modify System Process: Windows Service
  ↳ A-EPA-USF-F: First process per service name for asset
  ↳ A-ServicePath-Modification: Suspicious service path identified on this asset
  ↳ EPA-SERVICE-PARAMS: Suspicious parameters found in process for service creation
  ↳ ServicePath-Modification: Suspicious service path identified
T1105 - Ingress Tool Transfer
  ↳ A-MsiExec-Web-Install: A suspicious msiexec process was started with web addresses as a parameter on this asset.
  ↳ A-Office-Payload-Download: Possible malicious payload download via Microsoft Office binaries on this asset
  ↳ MsiExec-Web-Install: A suspicious msiexec process was started with web addresses as a parameter.
  ↳ Office-Payload-Download: Possible malicious payload download via Microsoft Office binaries
T1546.011 - T1546.011
  ↳ A-Shim-Installation: Possible installation of a 'shim' using sdbinst.exe on this asset
  ↳ Shim-Installation: Possible installation of a 'shim' using sdbinst.exe
T1490 - Inhibit System Recovery
  ↳ A-Mod-Boot-Config: Boot configuration data was deleted using the bcdedit command on this asset.
  ↳ EPA-EXPERT-SHADOW-COPIES: A suspicious command that deletes shadow copies has been executed for process
  ↳ EPA-EXPERT-DISABLE-RECOVERY: A suspicious command that disables recovery mode has been executed for process
  ↳ Mod-Boot-Config: Boot configuration data was deleted using the bcdedit command.
T1021.002 - Remote Services: SMB/Windows Admin Shares
  ↳ A-TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed on this asset
  ↳ TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed
T1083 - File and Directory Discovery
  ↳ A-TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed on this asset
  ↳ TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed
T1135 - Network Share Discovery
  ↳ A-TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed on this asset
  ↳ TurlaGroup-LateralMovement: Artifacts from the APT 'Turla Group' have been observed
T1202 - Indirect Command Execution
  ↳ A-UserProcess-Spawned-FromOffice: An executable running under the 'Users' path has been spawned from an Office application on this asset
  ↳ A-Outlook-Unsafe-Execution: A suspicious sub process was spawned by Microsoft Outlook on this asset
  ↳ Outlook-Unsafe-Execution: A suspicious sub process was spawned by Microsoft Outlook
T1218.007 - Signed Binary Proxy Execution: Msiexec
  ↳ A-MsiExec-Web-Install: A suspicious msiexec process was started with web addresses as a parameter on this asset.
  ↳ MsiExec-Web-Install: A suspicious msiexec process was started with web addresses as a parameter.
T1036 - Masquerading
  ↳ A-Executable-Suspicious-Folder: A process has been run from a binary located in a suspicious folder on this asset
  ↳ A-Sus-Double-Extension: An .exe extension was used after a different non-executable file extension on this asset.
  ↳ Executable-Suspicious-Folder: A process has been run from a binary located in a suspicious folder
T1055.001 - Process Injection: Dynamic-link Library Injection
  ↳ A-Zoho-DCTask: Dctask64.exe executed, possible process injection on this asset
  ↳ Zoho-DCTask: Dctask64.exe executed, possible process injection
T1027.004 - Obfuscated Files or Information: Compile After Delivery
  ↳ A-CSC-Suspicious-Parent-Process: Suspicious parent process for csc.exe, possible payload delivery on this asset
  ↳ A-CSC-Suspicious-Folder: Csc.exe spawned from suspicious folder on this asset
  ↳ CSC-Suspicious-Parent-Process: Suspicious parent process for csc.exe, possible payload delivery
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  ↳ A-Winnti-Malware: Artifacts of 'Winnti' malware have been observed on this asset
  ↳ A-PlugX-DLL-Sideloading: DLL loaded from suspicious location on this asset, typically seen by the PlugX malware family
  ↳ Winnti-Malware: Artifacts of 'Winnti' malware have been observed
T1555 - Credentials from Password Stores
  ↳ A-SecX-Tool-Exec: SecurityXploded Tool execution detected on this asset
  ↳ SecX-Tool-Exec: SecurityXploded Tool execution detected
T1003 - OS Credential Dumping
  ↳ A-Rubeus-CMD-Tool: Command line parameters used by Rubeus hack tool detected on this asset
  ↳ Rubeus-CMD-Tool: Command line parameters used by Rubeus hack tool detected
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
  ↳ A-Rubeus-CMD-Tool: Command line parameters used by Rubeus hack tool detected on this asset
  ↳ Rubeus-CMD-Tool: Command line parameters used by Rubeus hack tool detected
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
  ↳ A-Rubeus-CMD-Tool: Command line parameters used by Rubeus hack tool detected on this asset
  ↳ Rubeus-CMD-Tool: Command line parameters used by Rubeus hack tool detected
T1053.005 - Scheduled Task/Job: Scheduled Task
  ↳ A-Suspicious-Persistence: Suspicious 'schtask' creation, possible attack tool usage on this asset
  ↳ A-New-ScheduledTask: New scheduled task created using schtasks.exe on this asset
  ↳ Suspicious-Persistence: Suspicious 'schtask' creation, possible attack tool usage
  ↳ New-ScheduledTask: New scheduled task created using schtasks.exe
T1574.010 - T1574.010
  ↳ A-ServiceName-ServiceCmdline-F: First time binary command line for this service on this asset.
  ↳ A-ServiceName-ServiceCmdline-A: Abnormal binary command line for this service
T1574.011 - T1574.011
  ↳ A-ServiceName-ServiceCmdline-F: First time binary command line for this service on this asset.
  ↳ A-ServiceName-ServiceCmdline-A: Abnormal binary command line for this service
T1210 - Exploitation of Remote Services
  ↳ A-SIGRed: Possible SIGRed (CVE-2020-1350) exploitation on this asset
T1569 - System Services
  ↳ A-SIGRed: Possible SIGRed (CVE-2020-1350) exploitation on this asset
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
  ↳ A-Suspicious-GetSystem-Usage: Possible Meterpreter/Cobalt Strike usage of GetSystem on this asset
T1134.002 - T1134.002
  ↳ A-Suspicious-GetSystem-Usage: Possible Meterpreter/Cobalt Strike usage of GetSystem on this asset

Models:
  • PC-InstallUtil-dll: DLL file parameter passed to Installutil.exe
  • PC-InstallUtil-exe: EXE file parameter passed to Installutil.exe
  • PC-ParentName-ProcessName: Child processes created by a parent process
  • PC-MSBuild-Csproj: CSPROJ file parameter passed to MSBuild.exe
  • PC-MSBuild-xml: XML file parameter passed to MSBuild.exe
  • PC-Regsvr32-sct: SCT file parameter passed to Regsvr32.exe
  • PC-Mshta-Hta: HTA file parameter passed to Mshta.exe
  • ParentProcess-P: Parent processes for peer group
  • Powershell-WMI-O: Users using Powershell WMI
  • Powershell-Commands: Powershell Commands per user
  • Powershell-Advanced: Users who use powershell capabilities
  • EPA-UP-TEMP: Process executable TEMP directories for this user during endpoint activity
  • EPA-UH-Pen: Malicious tools used by user
  • EPA-PH: Hosts that executed 'vssadmin.exe' process
  • EPA-PDir: Process executable directories in the organization
  • EPA-HP: Processes on this host
  • EPA-OP: Processes in the organization
  • EPA-PG-PS: Powershell executions for the peer group
  • EPA-PU-PS: Powershell executions for the user
  • EPA-GP: Processes for the peer group
  • A-PC-InstallUtil-exe: EXE file parameter passed to InstallUtil.exe on the asset.
  • A-PC-MSBuild-Csproj: CSPROJ file parameter passed to MSBuild.exe on the asset in the organization.
  • A-PC-MSBuild-xml: XML file parameter passed to MSBuild.exe on the asset in the organization.
  • A-PC-Regsvr32-sct: SCT file parameter passed to Regsvr32.exe on the asset in the organization.
  • A-PC-Mshta-Hta: HTA file parameter passed to Mshta.exe on the asset in the organization.
  • A-ServiceName-ServiceCmdline: Service Executable Files on the asset
  • A-PC-ParentName-ProcessName: Processes for parent processes.
  • A-EPA-USF: Processes per service name for asset
  • A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset
  • A-EPA-OPP: Parent processes in the organization
  • A-EPA-HPP: Parent processes per host on this asset
  • A-EPA-ZP: Processes in the zone on asset

Event Type: process-network

Rules:
TA0002 - TA0002
  ↳ A-EPA-HP-F: First execution of process on asset
  ↳ A-EPA-HP-A: Abnormal execution of process on asset
  ↳ A-EPA-ZP-A: Abnormal execution of process for the asset in this zone
  ↳ A-EPA-ZP-F: First execution of process for the asset in this zone
  ↳ A-EPA-OP-F: First execution of process for the asset in this organization
  ↳ A-EPA-OP-A: Abnormal execution of process for the asset in this organization
  ↳ A-EPA-HPP-F: First parent-process combination on asset
  ↳ A-EPA-HPP-A: Abnormal parent-process combination on asset
  ↳ A-EPA-OPP-F: First parent-process combination in this organization
  ↳ A-EPA-OPP-A: Abnormal parent-process combination in this organization
  ↳ A-EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset
  ↳ A-EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory
  ↳ EPA-UH-Pen-F: Known pentest tool used
  ↳ EPA-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user during endpoint activity
  ↳ EPA-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user during endpoint activity
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  ↳ EPA-UD-DGA-F: First access to this domain through network which has been identified as DGA
  ↳ EPA-UD-DGA-A: Abnormal access to this domain through network which has been identified as DGA
  ↳ EPA-UD-DGA-N: Common access to this domain through network which has been identified as DGA
TA0010 - TA0010
  ↳ EPA-PI-ThreatIp: Process has created a connection to a bad reputation IP address
TA0011 - TA0011
  ↳ A-NET-TI-H-Outbound: Outbound connection to a known malicious host
  ↳ A-NET-TI-IP-Inbound: Inbound connection from a known malicious IP
  ↳ A-NET-TI-H-Inbound: Inbound connection from a known malicious host
  ↳ EPA-PI-ThreatIp: Process has created a connection to a bad reputation IP address

Models:
  • EPA-UP-TEMP: Process executable TEMP directories for this user during endpoint activity
  • EPA-UH-Pen: Malicious tools used by user
  • EPA-UD-DGA: Top web domains that seem to be DGA generated for this user
  • A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset
  • A-EPA-OPP: Parent processes in the organization
  • A-EPA-HPP: Parent processes per host on this asset
  • A-EPA-ZP: Processes in the zone on asset

Event Type: web-activity-denied

Rules:
T1189 - Drive-by Compromise
  ↳ WEB-URank-Binary: Executable download from first low ranked web domain
T1204.001 - T1204.001
  ↳ WEB-URank-Binary: Executable download from first low ranked web domain
T1566.002 - Phishing: Spearphishing Link
  ↳ WEB-URank-Binary: Executable download from first low ranked web domain
T1071.001 - Application Layer Protocol: Web Protocols
  ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA
  ↳ A-WEB-Reputation-URL: Asset attempted access to a url with bad reputation
  ↳ A-WEB-Reputation-Domain: Asset attempted access to a domain with bad reputation
  ↳ A-WEB-Reputation-IP: Asset attempted to connect to IP address with bad reputation
  ↳ A-WEB-IOC: Indicator of Compromise (IOC) found in asset's web activity
  ↳ A-WEB-ALERT: Asset attempted access to a domain with malicious reputation
  ↳ A-WEBF-IP-Country-F: Asset failed to directly connect to an IP address in a country never before accessed
  ↳ A-WEBF-IP-Country-A: Asset failed to directly connect to an IP address in a country that is abnormal for this asset to access
  ↳ WEB-UU-Reputation: User attempted access to a url with bad reputation
  ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed.
  ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed.
  ↳ WEB-UD-Reputation-N: Common access to this web domain which has been identified as risky by a reputation feed.
  ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed.
  ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed.
  ↳ WEB-UI-Reputation-N: Common access to this IP address which has been identified as risky by a reputation feed.
  ↳ WEB-IOC: Indicator of Compromise (IOC) found in user's web activity
  ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user
  ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user
  ↳ WEB-URank-F: First web activity to this low ranked web domain
  ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA
  ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA
  ↳ WEB-UD-DGA-N: Common access to this domain which has been identified as DGA

Models:
  • WEB-URank: Web activity to low ranked domains for the user
  • WEB-UD-ALERT: Top malicious web domain accessed by the user
  • WEB-UI-Reputation: Top IP addresses flagged by a reputation service that have been accessed by the user
  • WEB-UD-Reputation: Top web domains flagged by a reputation service that have been accessed by the user
  • WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity
  • A-WEB-IP: IPs an asset has directly browsed to