Product: Auditbeat
Use-Case: Evasion
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 44 | 3 | 40 | 1 | 0 |
Event Type: process-created

Rules (grouped by MITRE ATT&CK TTP):

T1564 - Hide Artifacts
↳ A-Powershell-ADS: Powershell invoked using 'Alternate Data Stream' on this asset
↳ A-HiddenFile-Attrib: Hidden system Windows file was created using the attrib.exe on this asset.
↳ A-HiddenFile-SetFile: File was hidden using SetFile on this asset.
↳ A-HiddenFile-ChFlags: File was hidden using ChFlags on this asset.

T1564.001 - T1564.001
↳ A-HiddenFile-Attrib: Hidden system Windows file was created using the attrib.exe on this asset.
↳ A-HiddenFile-SetFile: File was hidden using SetFile on this asset.
↳ A-HiddenFile-ChFlags: File was hidden using ChFlags on this asset.

T1059 - Command and Scripting Interpreter
↳ EXPERT-POWERSHELL-ENCRYPTED: Encrypted argument in a Powershell command detected
↳ Sus-Encoded-PS-CmdLine: Suspicious Powershell process was started with base64 encoded commands.
↳ Base64-Powershell-CmdLine-Keywords: Base64 encoded strings were found in hidden malicious Powershell command lines
↳ A-Base64-CommandLine: Base64 string in command line execution on this asset
↳ A-TasksFolder-Evasion: The 'tasks' directory was observed in a file creation command on this asset
↳ A-Powershell-AMSI-Bypass-NET: Request to amsiInitFailed that can be used to disable AMSI Scanning was found on this asset.
↳ A-Sus-Powershell-Param: Powershell was invoked with a suspicious parameter substring on this asset.
↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset
↳ A-Bginfo-App-Whitelisting: VBscript referenced in a .bgi file was executed on this asset.
↳ A-RASdial-Activity: Process was executed on this asset with rasdial as a command line argument.

T1218 - Signed Binary Proxy Execution
↳ EPA-CtrlPnl-A: First control panel function usage for peer group
↳ A-Applocker-Bypass: Execution of executables that can be used to bypass Applocker on this asset
↳ A-Bginfo-App-Whitelisting: VBscript referenced in a .bgi file was executed on this asset.
↳ A-EPA-Rundll-FTP-F: First rundll activity for FTP firewall port blocking/unblocking on the asset.
↳ A-EPA-Rundll-FTP-A: Abnormal rundll activity for FTP firewall port blocking/unblocking
↳ A-DNX-App-Whitelisting: C# code located in consoleapp folder was executed on this asset.
↳ A-Dxcap-Possible-Subprocess: Dxcap.exe was executed on this asset.
↳ A-Odbcconf-DLL-Load: DLL loaded on this asset via odbcconf.exe execution.

T1218.008 - T1218.008
↳ A-Odbcconf-DLL-Load: DLL loaded on this asset via odbcconf.exe execution.

T1027 - Obfuscated Files or Information
↳ EXPERT-POWERSHELL-ENCRYPTED: Encrypted argument in a Powershell command detected
↳ Sus-Encoded-PS-CmdLine: Suspicious Powershell process was started with base64 encoded commands.
↳ Base64-Powershell-CmdLine-Keywords: Base64 encoded strings were found in hidden malicious Powershell command lines
↳ A-Ping-Hex-IP: A ping command used a hex decoded IP address on this asset.
↳ A-Certutil-Encode: Certutil commands to encode files were used on this asset.
↳ A-DNX-App-Whitelisting: C# code located in consoleapp folder was executed on this asset.

T1027.004 - Obfuscated Files or Information: Compile After Delivery
↳ A-DNX-App-Whitelisting: C# code located in consoleapp folder was executed on this asset.

T1218.011 - Signed Binary Proxy Execution: Rundll32
↳ A-EPA-Rundll-FTP-F: First rundll activity for FTP firewall port blocking/unblocking on the asset.
↳ A-EPA-Rundll-FTP-A: Abnormal rundll activity for FTP firewall port blocking/unblocking

T1562 - Impair Defenses
↳ A-Firewall-Disabled-Netsh: Windows firewall was turned off using netsh commands on this asset.
↳ A-Powershell-AMSI-Bypass-NET: Request to amsiInitFailed that can be used to disable AMSI Scanning was found on this asset.
↳ A-Netsh-Connections-Win-Firewall: Netsh commands were used to allow incoming connections by Port or Application on Windows Firewall on this asset.
↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset
↳ A-Sysmon-Driver-Unload: Possible Sysmon driver unloaded on this asset.
↳ A-EPA-Rundll-FTP-F: First rundll activity for FTP firewall port blocking/unblocking on the asset.
↳ A-EPA-Rundll-FTP-A: Abnormal rundll activity for FTP firewall port blocking/unblocking

T1562.004 - Impair Defenses: Disable or Modify System Firewall
↳ A-Firewall-Disabled-Netsh: Windows firewall was turned off using netsh commands on this asset.
↳ A-Netsh-Connections-Win-Firewall: Netsh commands were used to allow incoming connections by Port or Application on Windows Firewall on this asset.
↳ A-EPA-Rundll-FTP-F: First rundll activity for FTP firewall port blocking/unblocking on the asset.
↳ A-EPA-Rundll-FTP-A: Abnormal rundll activity for FTP firewall port blocking/unblocking

T1059.005 - T1059.005
↳ A-Bginfo-App-Whitelisting: VBscript referenced in a .bgi file was executed on this asset.

T1070 - Indicator Removal on Host
↳ A-EventLog-Tamper: EventLog has been tampered with on this asset
↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset
↳ A-Unauthorized-MBR-Mods: Bcdedit.exe has signs of malicious unauthorized usage on this asset.

T1542 - Pre-OS Boot
↳ A-Unauthorized-MBR-Mods: Bcdedit.exe has signs of malicious unauthorized usage on this asset.

T1542.003 - T1542.003
↳ A-Unauthorized-MBR-Mods: Bcdedit.exe has signs of malicious unauthorized usage on this asset.

T1197 - BITS Jobs
↳ A-BITS-Suspicious-Service: First abnormal BITS job created on the asset.

T1562.006 - T1562.006
↳ A-ETW-Trace-Disable: Event tracing has been disabled, possible logging evasion on this asset

T1059.001 - Command and Scripting Interpreter: PowerShell
↳ EXPERT-POWERSHELL-ENCRYPTED: Encrypted argument in a Powershell command detected
↳ Sus-Encoded-PS-CmdLine: Suspicious Powershell process was started with base64 encoded commands.
↳ Base64-Powershell-CmdLine-Keywords: Base64 encoded strings were found in hidden malicious Powershell command lines
↳ A-Base64-CommandLine: Base64 string in command line execution on this asset
↳ A-Powershell-AMSI-Bypass-NET: Request to amsiInitFailed that can be used to disable AMSI Scanning was found on this asset.
↳ A-Sus-Powershell-Param: Powershell was invoked with a suspicious parameter substring on this asset.

T1562.001 - T1562.001
↳ A-Powershell-AMSI-Bypass-NET: Request to amsiInitFailed that can be used to disable AMSI Scanning was found on this asset.

T1574 - Hijack Execution Flow
↳ A-TasksFolder-Evasion: The 'tasks' directory was observed in a file creation command on this asset

T1036 - Masquerading
↳ Sus-Double-Extension: An .exe extension was used after a different non-executable file extension.
↳ A-Winword-Uncommon-Process: 'MicroScMgmt' executable run by 'WinWord.exe' on this asset
↳ A-PSExec-Rename: PS Exec used on this asset
↳ A-Sus-MsiExec-Directory: Suspicious msiexec process started in an uncommon directory on this asset.
↳ A-Sus-Svchost-Process: A suspicious svchost process was started on this asset.
↳ A-Taskmgr-Local-System: A taskmgr.exe process was executed in the context of LOCAL_SYSTEM
↳ A-Sys-File-Exec-Anomaly: A Windows program executable was started in a suspicious folder on this asset.
↳ A-Win-Proc-Sus-Parent: A suspicious parent process of well-known Windows processes was detected on this asset.
↳ A-Taskmgr-as-Parent: A process was created from Windows task manager on this asset.

T1036.005 - Masquerading: Match Legitimate Name or Location
↳ A-Sus-MsiExec-Directory: Suspicious msiexec process started in an uncommon directory on this asset.
↳ A-Sus-Svchost-Process: A suspicious svchost process was started on this asset.
↳ A-Win-Proc-Sus-Parent: A suspicious parent process of well-known Windows processes was detected on this asset.

T1127 - Trusted Developer Utilities Proxy Execution
↳ A-Applocker-Bypass: Execution of executables that can be used to bypass Applocker on this asset

T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
↳ A-Applocker-Bypass: Execution of executables that can be used to bypass Applocker on this asset

T1218.004 - Signed Binary Proxy Execution: InstallUtil
↳ A-Applocker-Bypass: Execution of executables that can be used to bypass Applocker on this asset

T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm
↳ A-Applocker-Bypass: Execution of executables that can be used to bypass Applocker on this asset

T1202 - Indirect Command Execution
↳ A-Indirect-Cmd-Exec: An indirect command was executed via Program Compatibility Assistant pcalua.exe or forfiles.exe on this asset.

T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
↳ A-EventLog-Tamper: EventLog has been tampered with on this asset

T1105 - Ingress Tool Transfer
↳ A-CertUtil-Suspicious-Usage: The 'certutil' Windows utility was used with known suspicious command line flags on this asset

T1140 - Deobfuscate/Decode Files or Information
↳ A-Base64-CommandLine: Base64 string in command line execution on this asset
↳ A-CertUtil-Suspicious-Usage: The 'certutil' Windows utility was used with known suspicious command line flags on this asset

T1564.004 - Hide Artifacts: NTFS File Attributes
↳ A-Powershell-ADS: Powershell invoked using 'Alternate Data Stream' on this asset

T1036.003 - Masquerading: Rename System Utilities
↳ A-PSExec-Rename: PS Exec used on this asset

T1203 - Exploitation for Client Execution
↳ A-EquationEditor-Droppers: Possible 'Eqnetd32.exe' exploit usage on this asset

T1484 - Group Policy Modification
↳ OG-SYSVOL-F: Suspicious SYSVOL Domain Group Policy Access for the first time for this peer group
↳ OG-SYSVOL-A: Abnormal SYSVOL Domain Group Policy Access for this peer group

T1484.001 - T1484.001
↳ OG-SYSVOL-F: Suspicious SYSVOL Domain Group Policy Access for the first time for this peer group
↳ OG-SYSVOL-A: Abnormal SYSVOL Domain Group Policy Access for this peer group

T1552 - Unsecured Credentials
↳ OG-SYSVOL-F: Suspicious SYSVOL Domain Group Policy Access for the first time for this peer group
↳ OG-SYSVOL-A: Abnormal SYSVOL Domain Group Policy Access for this peer group

T1552.006 - T1552.006
↳ OG-SYSVOL-F: Suspicious SYSVOL Domain Group Policy Access for the first time for this peer group
↳ OG-SYSVOL-A: Abnormal SYSVOL Domain Group Policy Access for this peer group

T1543 - Create or Modify System Process
↳ EPA-RANDOM-SERVICE: Random service name for the user

T1543.003 - Create or Modify System Process: Windows Service
↳ EPA-RANDOM-SERVICE: Random service name for the user

T1218.002 - Signed Binary Proxy Execution: Control Panel
↳ EPA-CtrlPnl-A: First control panel function usage for peer group

Models:
• A-EPA-Rundll-FTP: Rundll actions for FTP port blocking/unblocking on the asset
• EPA-OG-SYSVOL: SYSVOL domain group policy access by group in the organization
• EPA-CntrlPnl: Control Panel actions for peer group