
uberAgent-ESA-am-sigma-proc-creation-medium.conf

The following is the uberAgent-ESA-am-sigma-proc-creation-medium.conf configuration file that ships with uberAgent. It contains activity monitoring rules derived from the Sigma project for use with uberAgent ESA.

#
# The rules are generated from the Sigma GitHub repository at https://github.com/Neo23x0/sigma
# Follow these steps to get the latest rules from the repository with Python
#    1. Clone the repository locally
#    2. Using a commandline, change working directory to the just cloned repository
#    3. Run sigmac -I --target uberagent -r rules/
#
# The rules in this file are marked with sigma-level: medium
#

[ActivityMonitoringRule]
# Detects suspicious DNS queries using base64 encoding
# Every rule in this file is its own [ActivityMonitoringRule] section; the repeated
# header is by design, one section per rule. All rules here use RiskScore 50, which
# corresponds to the Sigma level "medium" named in the file header.
# Query: any queried name containing "==." (base64 padding followed by a label
# separator). The GenericPropertyN keys name extra fields reported with a match
# (assumed from the key names; confirm against the uberAgent rule documentation).
RuleName = Suspicious DNS Query with B64 Encoded String
EventType = Dns.Query
Tag = suspicious-dns-query-with-b64-encoded-string
RiskScore = 50
Query = (Dns.QueryRequest like r"%==.%")
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse

[ActivityMonitoringRule]
# Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
# The pattern carries no % wildcard, unlike the other rules in this file, so it is
# meant to match a query for exactly api.telegram.org; subdomains or prefixed names
# are not covered. Confirm whether `like` without wildcards behaves as an exact
# comparison in the uberAgent query language.
RuleName = Telegram Bot API Request
EventType = Dns.Query
Tag = telegram-bot-api-request
RiskScore = 50
Query = (Dns.QueryRequest like r"api.telegram.org")
GenericProperty1 = Dns.QueryRequest
GenericProperty2 = Dns.QueryResponse

[ActivityMonitoringRule]
# Detects when an admin share is mounted using net.exe
# net.exe or net1.exe with " use " in the command line plus a UNC target ending in
# an administrative share ("$"). Administrative scripts and backup jobs that map
# admin shares legitimately will also match; tune on user and host context.
# Reported fields: process hashes (MD5, SHA1, SHA256, imphash).
RuleName = Mounted Windows Admin Shares with net.exe
EventType = Process.Start
Tag = proc-start-mounted-windows-admin-shares-with-net.exe
RiskScore = 50
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"% use %" and Process.CommandLine like r"%\\%\*$%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
# Two tool branches: certutil.exe with -addstore, or CertMgr.exe with /add. Both
# additionally require "root" somewhere in the command line. Whether `like` is
# case-insensitive (so that "Root"/"ROOT" also match) is not visible here — confirm.
RuleName = Root Certificate Installed
EventType = Process.Start
Tag = proc-start-root-certificate-installed
RiskScore = 50
Query = (Process.CommandLine like r"%root%" and ((Process.Path like r"%\\certutil.exe" and Process.CommandLine like r"%-addstore%") or (Process.Path like r"%\\CertMgr.exe" and Process.CommandLine like r"%/add%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
# Narrow match: reg.exe query under a \software\ key with /v and the literal value
# name "svcversion". Other registry-based software enumeration is not covered by
# this rule, so treat it as a specific indicator rather than general coverage.
RuleName = Detected Windows Software Discovery
EventType = Process.Start
Tag = proc-start-detected-windows-software-discovery
RiskScore = 50
Query = (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%query%" and Process.CommandLine like r"%\\software\\%" and Process.CommandLine like r"%/v%" and Process.CommandLine like r"%svcversion%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
# Image-load rule: any process loading System.Drawing.ni.dll, except WmiPrvSE.exe.
# System.Drawing is used by many legitimate .NET applications, so expect volume;
# baseline and add further process-path exclusions before alerting on this rule.
# Reported fields: image name, path and hashes.
RuleName = Suspicious System.Drawing Load
EventType = Image.Load
Tag = suspicious-system.drawing-load
RiskScore = 50
Query = (Image.Path like r"%\\System.Drawing.ni.dll" and not (Process.Path like r"%\\WmiPrvSE.exe"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
# Matches a load of credui.dll or wincredui.dll by image path, or a Process.Name
# equal to one of those DLL names. The Process.Name clause looks like a converted
# Sigma OriginalFileName condition; a DLL file name is unlikely to ever be the
# process name, so that clause may be dead — confirm the field semantics.
RuleName = UIPromptForCredentials DLLs
EventType = Image.Load
Tag = uipromptforcredentials-dlls
RiskScore = 50
Query = ((Image.Path like r"%\\credui.dll" or Image.Path like r"%\\wincredui.dll") or Process.Name in ["credui.dll", "wincredui.dll"])
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
# Branch 1: a WSMan DLL (WsmSvc, WsmAuto, Microsoft.WSMan.Management.ni) loaded into
# any process other than powershell.exe. Branch 2: svchost.exe with Process.Name
# "WsmWmiPl.dll". As in the UIPromptForCredentials rule, the Process.Name clauses
# appear to be converted OriginalFileName checks and may never match — confirm.
RuleName = Suspicious WSMAN Provider Image Loads
EventType = Image.Load
Tag = suspicious-wsman-provider-image-loads
RiskScore = 50
Query = ((((Image.Path like r"%\\WsmSvc.dll" or Image.Path like r"%\\WsmAuto.dll" or Image.Path like r"%\\Microsoft.WSMan.Management.ni.dll") or Process.Name in ["WsmSvc.dll", "WSMANAUTOMATION.DLL", "Microsoft.WSMan.Management.dll"]) and not (Process.Path like r"%\\powershell.exe")) or (Process.Path like r"%\\svchost.exe" and Process.Name == "WsmWmiPl.dll"))
GenericProperty1 = Image.Name
GenericProperty2 = Image.Path
GenericProperty3 = Image.Hash.MD5
GenericProperty4 = Image.Hash.SHA1
GenericProperty5 = Image.Hash.SHA256
GenericProperty6 = Image.Hash.IMP

[ActivityMonitoringRule]
# Detects specific combinations of encoding methods in the PowerShell command lines
# powershell.exe whose command line pairs a numeric conversion (ToInt, ToDecimal,
# ToByte, ToUint, ToSingle, ToSByte) with ToChar/ToString/String, or combines
# char+join, split+join, ForEach+Xor, or contains ConvertTo-SecureString (mixed case).
# All checks are plain substring matches, so legitimate scripts using these
# constructs on the command line will also fire.
RuleName = Encoded PowerShell Command Line
EventType = Process.Start
Tag = proc-start-encoded-powershell-command-line
RiskScore = 50
Query = (Process.Path like r"%\\powershell.exe" and (((((Process.CommandLine like r"%ToInt%" or Process.CommandLine like r"%ToDecimal%" or Process.CommandLine like r"%ToByte%" or Process.CommandLine like r"%ToUint%" or Process.CommandLine like r"%ToSingle%" or Process.CommandLine like r"%ToSByte%") and (Process.CommandLine like r"%ToChar%" or Process.CommandLine like r"%ToString%" or Process.CommandLine like r"%String%")) or (Process.CommandLine like r"%char%" and Process.CommandLine like r"%join%")) or (Process.CommandLine like r"%split%" and Process.CommandLine like r"%join%")) or (Process.CommandLine like r"%ForEach%" and Process.CommandLine like r"%Xor%") or (Process.CommandLine like r"%cOnvErTTO-SECUreStRIng%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of various web request methods (including aliases) via Windows PowerShell
# Despite the name there is no Process.Path restriction: any process whose command
# line contains one of the tokens matches, including curl/wget invocations from cmd
# or batch scripts, so expect noise. "%curl %" and "%wget %" require a trailing space.
# "Start-BitsTransfer" is also matched by "Suspicious Bitsadmin Job via PowerShell"
# further down, so a single powershell.exe start can fire both rules.
RuleName = Windows PowerShell Web Request
EventType = Process.Start
Tag = proc-start-windows-powershell-web-request
RiskScore = 50
Query = (Process.CommandLine like r"%Invoke-WebRequest%" or Process.CommandLine like r"%iwr %" or Process.CommandLine like r"%wget %" or Process.CommandLine like r"%curl %" or Process.CommandLine like r"%Net.WebClient%" or Process.CommandLine like r"%Start-BitsTransfer%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# dotnet.exe will execute any DLL and execute unsigned code
# dotnet.exe whose command line ends in ".dll" or ".csproj" (no trailing wildcard).
# Developer workstations and build agents run "dotnet <something>.dll" routinely;
# scope this rule to hosts where the .NET SDK/runtime is not expected.
RuleName = Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
EventType = Process.Start
Tag = proc-start-dotnet.exe-exec-dll-and-execute-unsigned-code-lolbin
RiskScore = 50
Query = ((Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.csproj") and (Process.Path like r"%\\dotnet.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects file execution using the msdeploy.exe lolbin
# msdeploy.exe with verb:sync and both -source:RunCommand and -dest:runCommand on the
# command line. Web deployment pipelines may use this legitimately on build/deploy hosts.
RuleName = Execute Files with Msdeploy.exe
EventType = Process.Start
Tag = proc-start-execute-files-with-msdeploy.exe
RiskScore = 50
Query = (Process.CommandLine like r"%verb:sync%" and Process.CommandLine like r"%-source:RunCommand%" and Process.CommandLine like r"%-dest:runCommand%" and (Process.Path like r"%\\msdeploy.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# This rule looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell
# cmd.exe or powershell.exe whose parent path lies under \Windows\Installer\, contains
# "msi" and ends in "tmp" (Installer-extracted temporary binaries). Installer custom
# actions from legitimate packages can produce the same parent/child pair; review
# the package before treating a hit as AlwaysInstallElevated abuse.
RuleName = Always Install Elevated MSI Spawned Cmd And Powershell
EventType = Process.Start
Tag = proc-start-always-install-elevated-msi-spawned-cmd-and-powershell
RiskScore = 50
Query = ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe") and Parent.Path like r"%\\Windows\\Installer\\%" and Parent.Path like r"%msi%" and (Parent.Path like r"%tmp"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used in UAC bypass techniques.
# Parent-only condition: every child of sdclt.exe matches, with no restriction on the
# child. Baseline normal Backup and Restore activity before alerting.
RuleName = Sdclt Child Processes
EventType = Process.Start
Tag = proc-start-sdclt-child-processes
RiskScore = 50
Query = Parent.Path like r"%\\sdclt.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).
# The drive letter "C:" is hard-coded in the pattern; hosts with Windows installed on
# another drive will not match. Whether `like` is case-insensitive ("windows" vs
# "Windows") is not visible here — confirm. Note the query does not check the parent
# (svchost.exe) mentioned in the description.
RuleName = Suspicious WebDav Client Execution
EventType = Process.Start
Tag = proc-start-suspicious-webdav-client-execution
RiskScore = 50
Query = (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%C:\\windows\\system32\\davclnt.dll,DavSetCookie%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
# Path substring "advanced_ip_scanner" ("\_" escapes the single-character wildcard so
# the underscores are literal). Filename-based only; use the reported hash fields to
# confirm the binary's identity during triage.
RuleName = Advanced IP Scanner
EventType = Process.Start
Tag = proc-start-advanced-ip-scanner
RiskScore = 50
Query = Process.Path like r"%\\advanced\_ip\_scanner%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
# schtasks.exe with /delete or /change, /TN, and the task path
# \Microsoft\Windows\Defrag\ScheduledDefrag on the command line. Endpoint-management
# tooling that disables the defrag task on SSD/VDI images will also match.
RuleName = Defrag Deactivation
EventType = Process.Start
Tag = proc-start-defrag-deactivation
RiskScore = 50
Query = (Process.Path like r"%\\schtasks.exe" and (Process.CommandLine like r"%/delete%" or Process.CommandLine like r"%/change%") and Process.CommandLine like r"%/TN%" and Process.CommandLine like r"%\\Microsoft\\Windows\\Defrag\\ScheduledDefrag%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash
# Both branches require "http" in the command line. Branch 1: wmic.exe by path with
# "wmic" and "format". Branch 2: a process whose imphash is one of three known wmic
# import hashes together with "format:", which covers a renamed wmic binary.
RuleName = SquiblyTwo
EventType = Process.Start
Tag = proc-start-squiblytwo
RiskScore = 50
Query = (Process.CommandLine like r"%http%" and (((Process.Path like r"%\\wmic.exe") and Process.CommandLine like r"%wmic%" and Process.CommandLine like r"%format%") or (Process.Hash.IMP in ["1B1A3F43BF37B5BFE60751F2EE2F326E", "37777A96245A3C74EB217308F3546F4C", "9D87C9D67CE724033C0B40CC4CA1B206"] and Process.CommandLine like r"%format:%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a discovery of domain trusts
# dsquery.exe with -filter and "trustedDomain", or nltest.exe with "domain_trusts"
# ("\_" keeps the underscore literal). Domain admins and monitoring scripts run
# these legitimately; correlate with the executing account.
RuleName = Domain Trust Discovery
EventType = Process.Start
Tag = proc-start-domain-trust-discovery
RiskScore = 50
Query = ((Process.Path like r"%\\dsquery.exe" and Process.CommandLine like r"%-filter%" and Process.CommandLine like r"%trustedDomain%") or (Process.Path like r"%\\nltest.exe" and Process.CommandLine like r"%domain\_trusts%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Execution of well known tools for data exfiltration and tunneling
# Filename match only on plink.exe, socat.exe, stunnel.exe and httptunnel.exe.
# plink.exe ships with PuTTY and is common in administrative toolkits, so expect
# legitimate hits; the reported hashes help confirm which build was run.
RuleName = Exfiltration and Tunneling Tools Execution
EventType = Process.Start
Tag = proc-start-exfiltration-and-tunneling-tools-execution
RiskScore = 50
Query = (Process.Path like r"%\\plink.exe" or Process.Path like r"%\\socat.exe" or Process.Path like r"%\\stunnel.exe" or Process.Path like r"%\\httptunnel.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
# Parent WINWORD.EXE spawning FLTLDR.exe. The child pattern has a trailing "%", so
# characters after ".exe" are tolerated; the parent pattern does not.
RuleName = Exploit for CVE-2017-0261
EventType = Process.Start
Tag = proc-start-exploit-for-cve-2017-0261
RiskScore = 50
Query = (Parent.Path like r"%\\WINWORD.EXE" and Process.Path like r"%\\FLTLDR.exe%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a file or folder permissions modifications
# takeown/cacls/icacls with /grant, or attrib.exe with "-r". "%-r%" is a two-character
# substring that also appears in many paths and switches, so the attrib branch is
# expected to be noisy; consider tightening it after baselining.
RuleName = File or Folder Permissions Modifications
EventType = Process.Start
Tag = proc-start-file-or-folder-permissions-modifications
RiskScore = 50
Query = (((Process.Path like r"%\\takeown.exe" or Process.Path like r"%\\cacls.exe" or Process.Path like r"%\\icacls.exe") and Process.CommandLine like r"%/grant%") or (Process.Path like r"%\\attrib.exe" and Process.CommandLine like r"%-r%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Dump sam, system or security hives using REG.exe utility
# reg.exe with save or export, an HKLM reference (hklm or hkey_local_machine), and a
# command line ending in \system, \sam or \security (no trailing wildcard). Hits on
# these hives warrant credential-theft triage; legitimate backups rarely export them
# via reg.exe.
RuleName = Grabbing Sensitive Hives via Reg Utility
EventType = Process.Start
Tag = proc-start-grabbing-sensitive-hives-via-reg-utility
RiskScore = 50
Query = (Process.Path like r"%\\reg.exe" and (Process.CommandLine like r"%save%" or Process.CommandLine like r"%export%") and (Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hkey\_local\_machine%") and (Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like r"%\\security"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
# Command-line only: "cscript" and "manage-bde.wsf" both present, no Process.Path check.
# BitLocker administration via manage-bde.wsf is a legitimate use of the same pair.
RuleName = Suspicious Usage of the Manage-bde.wsf Script
EventType = Process.Start
Tag = proc-start-suspicious-usage-of-the-manage-bde.wsf-script
RiskScore = 50
Query = (Process.CommandLine like r"%cscript%" and Process.CommandLine like r"%manage-bde.wsf%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects well-known mimikatz command line arguments
# Branch 1: "DumpCreds" or "invoke-mimikatz". Branch 2: one of the listed module words
# together with "::". Words like "process" and "token" combined with "::" also occur
# in legitimate PowerShell static-member syntax (e.g. [Diagnostics.Process]::Start),
# so branch 2 can produce false positives and should be reviewed in context.
RuleName = Mimikatz Command Line
EventType = Process.Start
Tag = proc-start-mimikatz-command-line
RiskScore = 50
Query = ((Process.CommandLine like r"%DumpCreds%" or Process.CommandLine like r"%invoke-mimikatz%") or ((Process.CommandLine like r"%rpc%" or Process.CommandLine like r"%token%" or Process.CommandLine like r"%crypto%" or Process.CommandLine like r"%dpapi%" or Process.CommandLine like r"%sekurlsa%" or Process.CommandLine like r"%kerberos%" or Process.CommandLine like r"%lsadump%" or Process.CommandLine like r"%privilege%" or Process.CommandLine like r"%process%") and (Process.CommandLine like r"%::%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Allow Incoming Connections by Port or Application on Windows Firewall
# netsh.exe with "firewall" and "add" anywhere in the command line, which covers both
# the legacy "netsh firewall add" and "netsh advfirewall firewall add rule" syntax.
# Software installers commonly add firewall rules; correlate with the parent process.
RuleName = Netsh Port or Application Allowed
EventType = Process.Start
Tag = proc-start-netsh-port-or-application-allowed
RiskScore = 50
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%add%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects capturing a network trace via the netsh.exe trace functionality
# Command-line only ("netsh", "trace", "start"), with no Process.Path check, so
# netsh launched through cmd /c or a script also matches. Network troubleshooting by
# support staff is the main benign source.
RuleName = Capture a Network Trace with netsh.exe
EventType = Process.Start
Tag = proc-start-capture-a-network-trace-with-netsh.exe
RiskScore = 50
Query = (Process.CommandLine like r"%netsh%" and Process.CommandLine like r"%trace%" and Process.CommandLine like r"%start%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects netsh commands that configure a port forwarding
# netsh.exe with either the full "interface portproxy add v4tov4" tokens or the
# abbreviated "connectp"/"listena"/"c=" forms. Port proxies are rare on end-user
# devices, so hits there deserve a closer look than on infrastructure hosts.
RuleName = Netsh Port Forwarding
EventType = Process.Start
Tag = proc-start-netsh-port-forwarding
RiskScore = 50
Query = (Process.Path like r"%\\netsh.exe" and ((Process.CommandLine like r"%interface%" and Process.CommandLine like r"%portproxy%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%v4tov4%") or (Process.CommandLine like r"%connectp%" and Process.CommandLine like r"%listena%" and Process.CommandLine like r"%c=%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect the harvesting of wifi credentials using netsh.exe
# netsh.exe with "wlan", the tokens " s", " p", " k" (prefixes of show/profile/key,
# so abbreviated switches are covered too) and "=clear". The single-letter tokens
# are intentionally loose; the "=clear" requirement is what keeps the rule specific.
RuleName = Harvesting of Wifi Credentials Using netsh.exe
EventType = Process.Start
Tag = proc-start-harvesting-of-wifi-credentials-using-netsh.exe
RiskScore = 50
Query = (Process.Path like r"%\\netsh.exe" and Process.CommandLine like r"%wlan%" and Process.CommandLine like r"% s%" and Process.CommandLine like r"% p%" and Process.CommandLine like r"% k%" and Process.CommandLine like r"%=clear%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies creation of local users via the net.exe command
# net.exe or net1.exe with "user" and "add" as substrings in any order. Helpdesk
# scripts and provisioning tools that create local accounts will also match;
# correlate with the account performing the action.
RuleName = Net.exe User Account Creation
EventType = Process.Start
Tag = proc-start-net.exe-user-account-creation
RiskScore = 50
Query = ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%user%" and Process.CommandLine like r"%add%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects nltest query commands which may leak credential hashes
# The pattern requires a literal backslash directly before "query". nltest switches
# are normally written with a forward slash (/query), so this looks like a conversion
# artefact and the rule may never fire as written — confirm the intended token
# against the Sigma source before relying on it.
RuleName = Nltest Credential Hash Theft
EventType = Process.Start
Tag = proc-start-nltest-credential-hash-theft
RiskScore = 50
Query = (Process.Path like r"%\\nltest.exe" and Process.CommandLine like r"%\\query%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
# Any powershell.exe start whose parent is neither explorer.exe nor CompatTelRunner.exe.
# Scheduled tasks, services, management agents and logon scripts all launch
# PowerShell non-interactively, so this is a high-volume rule intended for hunting
# and enrichment rather than direct alerting.
RuleName = Non Interactive PowerShell
EventType = Process.Start
Tag = proc-start-non-interactive-powershell
RiskScore = 50
Query = (Process.Path like r"%\\powershell.exe" and not ((Parent.Path like r"%\\explorer.exe" or Parent.Path like r"%\\CompatTelRunner.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects audio capture via PowerShell Cmdlet
# Single substring "WindowsAudioDevice-Powershell-Cmdlet" on any process command line;
# no Process.Path restriction.
RuleName = Audio Capture via PowerShell
EventType = Process.Start
Tag = proc-start-audio-capture-via-powershell
RiskScore = 50
Query = Process.CommandLine like r"%WindowsAudioDevice-Powershell-Cmdlet%"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect download by BITS jobs via PowerShell
# powershell.exe with "Start-BitsTransfer" on the command line. This is a strict
# subset of the "Windows PowerShell Web Request" rule above, which matches the same
# token without a path check, so both rules fire on the same event.
RuleName = Suspicious Bitsadmin Job via PowerShell
EventType = Process.Start
Tag = proc-start-suspicious-bitsadmin-job-via-powershell
RiskScore = 50
Query = (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%Start-BitsTransfer%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
# powershell.exe with " -version 2 " or one of its abbreviations down to " -ve 2 ",
# each surrounded by spaces. Legacy scripts pinned to the 2.0 engine will match;
# hosts without the 2.0 engine installed are of interest because the switch has no
# legitimate effect there.
RuleName = PowerShell Downgrade Attack
EventType = Process.Start
Tag = proc-start-powershell-downgrade-attack
RiskScore = 50
Query = ((Process.CommandLine like r"% -version 2 %" or Process.CommandLine like r"% -versio 2 %" or Process.CommandLine like r"% -versi 2 %" or Process.CommandLine like r"% -vers 2 %" or Process.CommandLine like r"% -ver 2 %" or Process.CommandLine like r"% -ve 2 %") and Process.Path like r"%\\powershell.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Powershell process that contains download commands in its command line string
# powershell.exe with "new-object", "net.webclient).", "download" and either
# "string(" or "file(" on the command line — the WebClient DownloadString/DownloadFile
# pattern. Whether `like` is case-insensitive (New-Object, Net.WebClient) is not
# visible here — confirm.
RuleName = PowerShell Download from URL
EventType = Process.Start
Tag = proc-start-powershell-download-from-url
RiskScore = 50
Query = (Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%new-object%" and Process.CommandLine like r"%net.webclient).%" and Process.CommandLine like r"%download%" and (Process.CommandLine like r"%string(%" or Process.CommandLine like r"%file(%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects usage of bitsadmin downloading a file
# Branch 1: bitsadmin.exe by path with " /transfer " on the command line. Branch 2:
# any process whose command line contains "copy bitsadmin.exe" (staging a copy of the
# tool), with no path check.
RuleName = Bitsadmin Download
EventType = Process.Start
Tag = proc-start-bitsadmin-download
RiskScore = 50
Query = (((Process.Path like r"%\\bitsadmin.exe") and (Process.CommandLine like r"% /transfer %")) or (Process.CommandLine like r"%copy bitsadmin.exe%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
# rasautou.exe by path (or Process.Name == "rasdlui.exe") with both "-d" and "-p" on
# the command line. "-d"/"-p" are two-character substrings and match other switches
# too. The Process.Name clause appears to be the converted Sigma OriginalFileName
# check (rasautou's PE original file name); it only helps if Process.Name carries the
# PE original file name rather than the on-disk name — confirm.
RuleName = DLL Execution via Rasautou.exe
EventType = Process.Start
Tag = proc-start-dll-execution-via-rasautou.exe
RiskScore = 50
Query = ((Process.Path like r"%\\rasautou.exe" or Process.Name == "rasdlui.exe") and (Process.CommandLine like r"%-d%" and Process.CommandLine like r"%-p%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects remote PowerShell sessions by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)
# wsmprovhost.exe either as the started process or as the parent. Environments that
# manage hosts via PowerShell Remoting / WinRM will see constant hits; scope to hosts
# where remoting is not expected or use for enrichment.
RuleName = Remote PowerShell Session
EventType = Process.Start
Tag = proc-start-remote-powershell-session
RiskScore = 50
Query = (Process.Path like r"%\\wsmprovhost.exe" or Parent.Path like r"%\\wsmprovhost.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
# Logic: Process.Name equals one of the listed well-known names (no wildcards) while
# Process.Path does NOT end in the corresponding file name. The Sigma source compares
# the PE OriginalFileName against the on-disk path. If uberAgent's Process.Name is
# derived from Process.Path rather than from the PE header, the two conditions can
# never both hold and this rule cannot fire — confirm the Process.Name semantics.
# Note "psexec.c" is PsExec's PE original file name, not a typo.
RuleName = Renamed Binary
EventType = Process.Start
Tag = proc-start-renamed-binary
RiskScore = 50
Query = ((Process.Name like r"cmd.exe" or Process.Name like r"powershell.exe" or Process.Name like r"powershell\_ise.exe" or Process.Name like r"psexec.exe" or Process.Name like r"psexec.c" or Process.Name like r"cscript.exe" or Process.Name like r"wscript.exe" or Process.Name like r"mshta.exe" or Process.Name like r"regsvr32.exe" or Process.Name like r"wmic.exe" or Process.Name like r"certutil.exe" or Process.Name like r"rundll32.exe" or Process.Name like r"cmstp.exe" or Process.Name like r"msiexec.exe" or Process.Name like r"7z.exe" or Process.Name like r"winrar.exe" or Process.Name like r"wevtutil.exe" or Process.Name like r"net.exe" or Process.Name like r"net1.exe" or Process.Name like r"netsh.exe") and not ((Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\psexec.exe" or Process.Path like r"%\\psexec64.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\7z.exe" or Process.Path like r"%\\winrar.exe" or Process.Path like r"%\\wevtutil.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\netsh.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Shadow Copies storage symbolic link creation using operating systems utilities
# Command-line only: "mklink" and "HarddiskVolumeShadowCopy" both present, no path
# check. Pair with "Shadow Copies Creation Using Operating Systems Utilities" below
# when triaging possible credential-store access.
RuleName = Shadow Copies Access via Symlink
EventType = Process.Start
Tag = proc-start-shadow-copies-access-via-symlink
RiskScore = 50
Query = (Process.CommandLine like r"%mklink%" and Process.CommandLine like r"%HarddiskVolumeShadowCopy%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Shadow Copies creation using operating systems utilities, possible credential access
# powershell.exe, wmic.exe or vssadmin.exe with "shadow" and "create" on the command
# line. Backup software and scheduled VSS maintenance produce the same invocations,
# so baseline per host role before alerting.
RuleName = Shadow Copies Creation Using Operating Systems Utilities
EventType = Process.Start
Tag = proc-start-shadow-copies-creation-using-operating-systems-utilities
RiskScore = 50
Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\vssadmin.exe") and Process.CommandLine like r"%shadow%" and Process.CommandLine like r"%create%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detect attacker collecting audio via SoundRecorder application
# SoundRecorder.exe started with "/FILE" on the command line (unattended recording to
# a file, as opposed to interactive use).
RuleName = Audio Capture via SoundRecorder
EventType = Process.Start
Tag = proc-start-audio-capture-via-soundrecorder
RiskScore = 50
Query = (Process.Path like r"%\\SoundRecorder.exe" and Process.CommandLine like r"%/FILE%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of an AdFind for Active Directory enumeration
# adfind.exe by path with one of the enumeration tokens (objectcategory, trustdmp,
# dcmodes, dclist, computers_pwdnotreqd) on the command line. AD administrators do
# use AdFind legitimately; the executing account and host are the main triage pivots.
RuleName = Suspicious AdFind Execution
EventType = Process.Start
Tag = proc-start-suspicious-adfind-execution
RiskScore = 50
Query = ((Process.CommandLine like r"%objectcategory%" or Process.CommandLine like r"%trustdmp%" or Process.CommandLine like r"%dcmodes%" or Process.CommandLine like r"%dclist%" or Process.CommandLine like r"%computers\_pwdnotreqd%") and Process.Path like r"%\\adfind.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects possibly malicious, unauthorized usage of bcdedit.exe
# bcdedit.exe with "delete", "deletevalue" or "import". Since matching is substring
# based, "%delete%" already covers "deletevalue"; the second alternative is redundant
# but harmless. Imaging and recovery tooling may run bcdedit legitimately.
RuleName = Possible Ransomware or Unauthorized MBR Modifications
EventType = Process.Start
Tag = proc-start-possible-ransomware-or-unauthorized-mbr-modifications
RiskScore = 50
Query = (Process.Path like r"%\\bcdedit.exe" and (Process.CommandLine like r"%delete%" or Process.CommandLine like r"%deletevalue%" or Process.CommandLine like r"%import%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Execute VBscript code that is referenced within the *.bgi file.
# bginfo.exe with both "/popup" and "/nolicprompt" on the command line. Environments
# that deploy BGInfo via logon scripts commonly use /nolicprompt; the /popup switch
# in combination is the less usual part.
RuleName = Application Whitelisting Bypass via Bginfo
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-bginfo
RiskScore = 50
Query = (Process.Path like r"%\\bginfo.exe" and Process.CommandLine like r"%/popup%" and Process.CommandLine like r"%/nolicprompt%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Launch 64-bit shellcode from a debugger script file using cdb.exe.
# cdb.exe with "-cf" (run a script file) on the command line. Developer hosts with
# the Debugging Tools for Windows installed are the expected benign source.
# NOTE: the Tag below contains a "/" ("windbg/cdb"); every other Tag in this file uses
# only letters, digits, "-" and "." — confirm the tag syntax permits it.
RuleName = Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
EventType = Process.Start
Tag = proc-start-possible-app-whitelisting-bypass-via-windbg/cdb-as-a-shellcode-runner
RiskScore = 50
Query = (Process.Path like r"%\\cdb.exe" and Process.CommandLine like r"%-cf%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious certutil command used to encode files, which is sometimes used for data exfiltration
# certutil.exe with both "-f" and "-encode" on the command line. "%-f%" is a short
# substring and also matches other switches, but the "-encode" requirement keeps the
# rule specific.
RuleName = Certutil Encode
EventType = Process.Start
Tag = proc-start-certutil-encode
RiskScore = 50
Query = (Process.Path like r"%\\certutil.exe" and Process.CommandLine like r"%-f%" and Process.CommandLine like r"%-encode%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
# cmd.exe with "http", "://" and the literal "%AppData%" on the command line. "\%"
# escapes the wildcard character so the percent signs in %AppData% are matched
# literally rather than as wildcards.
RuleName = Command Line Execution with Suspicious URL and AppData Strings
EventType = Process.Start
Tag = proc-start-command-line-execution-with-suspicious-url-and-appdata-strings
RiskScore = 50
Query = (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%http%" and Process.CommandLine like r"%://%" and Process.CommandLine like r"%\%AppData\%%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a code page switch in command line or batch scripts to a rare language
# chcp.com with a command line ending in " 936" (Simplified Chinese, GBK) or " 1258"
# (Vietnamese); there is no trailing wildcard, so the code page must be the final
# token. Rarity depends on the organisation's locale — adjust the list for sites
# where these code pages are normal.
RuleName = Suspicious Code Page Switch
EventType = Process.Start
Tag = proc-start-suspicious-code-page-switch
RiskScore = 50
Query = (Process.Path like r"%\\chcp.com" and (Process.CommandLine like r"% 936" or Process.CommandLine like r"% 1258"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects process memory dump via comsvcs.dll and rundll32
# rundll32.exe by path (or Process.Name == "RUNDLL32.EXE") with "comsvcs", "MiniDump"
# and "full" on the command line. The Process.Name clause appears to be a converted
# Sigma OriginalFileName check intended to catch a renamed rundll32; it only adds
# value if Process.Name carries the PE original file name — confirm.
RuleName = Process Dump via Comsvcs DLL
EventType = Process.Start
Tag = proc-start-process-dump-via-comsvcs-dll
RiskScore = 50
Query = ((Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and (Process.CommandLine like r"%comsvcs%" and Process.CommandLine like r"%MiniDump%" and Process.CommandLine like r"%full%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the conhost execution as parent process. Can be used to evade defense mechanisms.
# Parent-only condition: every child of conhost.exe matches, with no restriction on
# the child. Volume depends on how console applications are launched in the
# environment; baseline before alerting.
RuleName = Conhost Parent Process Executions
EventType = Process.Start
Tag = proc-start-conhost-parent-process-executions
RiskScore = 50
Query = Parent.Path like r"%\\conhost.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to place LOLBINs like certutil or desktopimgdownldr in a different location under a different name
RuleName = Suspicious Copy From or To System32
EventType = Process.Start
Tag = proc-start-suspicious-copy-from-or-to-system32
RiskScore = 50
Query = ((Process.CommandLine like r"% /c copy%" or Process.CommandLine like r"%xcopy%") and Process.CommandLine like r"%\\System32\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter on the command line. An early version of this utility provided with the Microsoft "Roslyn" Community Technology Preview was named 'rcsi.exe'
RuleName = Suspicious Csi.exe Usage
EventType = Process.Start
Tag = proc-start-suspicious-csi.exe-usage
RiskScore = 50
Query = ((Process.Path like r"%\\csi.exe" or Process.Path like r"%\\rcsi.exe" or Process.Name == "csi.exe" or Process.Name == "rcsi.exe") and Process.Company == "Microsoft Corporation")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious curl process start that adds a file to a web request
RuleName = Suspicious Curl File Upload
EventType = Process.Start
Tag = proc-start-suspicious-curl-file-upload
RiskScore = 50
Query = (Process.Path like r"%\\curl.exe" and Process.CommandLine like r"% -F %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
# NOTE: both conditions are substring matches on Process.CommandLine; Process.Path is not checked, so any executable whose command line contains "curl" and " start " matches (including "curl" embedded in a longer token).
RuleName = Curl Start Combination
EventType = Process.Start
Tag = proc-start-curl-start-combination
RiskScore = 50
Query = (Process.CommandLine like r"%curl%" and Process.CommandLine like r"% start %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
RuleName = Direct Autorun Keys Modification
EventType = Process.Start
Tag = proc-start-direct-autorun-keys-modification
RiskScore = 50
Query = (Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%add%" and (Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Run%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServices%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows%" or Process.CommandLine like r"%\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders%" or Process.CommandLine like r"%\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of dnx.exe, which can be used to execute C# code located in the consoleapp folder
RuleName = Application Whitelisting Bypass via Dnx.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-dnx.exe
RiskScore = 50
Query = Process.Path like r"%\\dnx.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of Dxcap.exe
RuleName = Application Whitelisting Bypass via Dxcap.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-dxcap.exe
RiskScore = 50
Query = (Process.Path like r"%\\dxcap.exe" and Process.CommandLine like r"%-c%" and Process.CommandLine like r"%.exe%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious program execution in a web service root folder (filter out false positives)
RuleName = Execution in Webserver Root Folder
EventType = Process.Start
Tag = proc-start-execution-in-webserver-root-folder
RiskScore = 50
Query = ((Process.Path like r"%\\wwwroot\\%" or Process.Path like r"%\\wmpub\\%" or Process.Path like r"%\\htdocs\\%") and not ((Process.Path like r"%bin\\%" or Process.Path like r"%\\Tools\\%" or Process.Path like r"%\\SMSComponent\\%") and (Parent.Path like r"%\\services.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer
RuleName = Explorer Root Flag Process Tree Break
EventType = Process.Start
Tag = proc-start-explorer-root-flag-process-tree-break
RiskScore = 50
Query = (Process.CommandLine like r"%explorer.exe%" and Process.CommandLine like r"% /root,%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects when GfxDownloadWrapper.exe downloads a file from a non-standard URL
RuleName = GfxDownloadWrapper.exe Downloads File from Suspicious URL
EventType = Process.Start
Tag = proc-start-gfxdownloadwrapper.exe-downloads-file-from-suspicious-url
RiskScore = 50
Query = ((Process.Path like r"%\\GfxDownloadWrapper.exe" and not (Process.CommandLine like r"%gameplayapi.intel.com%")) and not (Parent.Path like r"%\\GfxDownloadWrapper.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Attackers can use findstr to hide their artifacts or search for specific strings and evade defense mechanisms
RuleName = Abusing Findstr for Defense Evasion
EventType = Process.Start
Tag = proc-start-abusing-findstr-for-defense-evasion
RiskScore = 50
Query = ((Process.CommandLine like r"%findstr%") and ((Process.CommandLine like r"%/V%" and Process.CommandLine like r"%/L%") or (Process.CommandLine like r"%/S%" and Process.CommandLine like r"%/I%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
RuleName = Findstr Launching .lnk File
EventType = Process.Start
Tag = proc-start-findstr-launching-.lnk-file
RiskScore = 50
Query = (Process.Path like r"%\\findstr.exe" and Process.CommandLine like r"%.lnk")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects netsh commands that turn off the Windows firewall
RuleName = Firewall Disabled via Netsh
EventType = Process.Start
Tag = proc-start-firewall-disabled-via-netsh
RiskScore = 50
Query = (Process.CommandLine like r"netsh firewall set opmode mode=disable" or Process.CommandLine like r"netsh advfirewall set % state off")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects renamed ftp.exe, ftp.exe script execution, and child processes run by ftp.exe
RuleName = Suspicious ftp.exe
EventType = Process.Start
Tag = proc-start-suspicious-ftp.exe
RiskScore = 50
Query = ((Process.CommandLine like r"%-s:%" and (Process.Path like r"%ftp.exe" or Process.Name like r"%ftp.exe%")) or (Process.Name like r"%ftp.exe%" and not (Process.Path like r"%ftp.exe")) or Parent.Path like r"%ftp.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious IIS native-code module installations via command line
RuleName = IIS Native-Code Module Command Line Installation
EventType = Process.Start
Tag = proc-start-iis-native-code-module-command-line-installation
RiskScore = 50
Query = (Process.Path like r"%\\appcmd.exe" and Process.CommandLine like r"%install%" and Process.CommandLine like r"%module%" and Process.CommandLine like r"%/name:%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious msiexec process starts with web addresses as parameter
RuleName = MsiExec Web Install
EventType = Process.Start
Tag = proc-start-msiexec-web-install
RiskScore = 50
Query = (Process.CommandLine like r"% msiexec%" and Process.CommandLine like r"%://%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
RuleName = Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
EventType = Process.Start
Tag = proc-start-invocation-of-active-directory-diagnostic-tool-(ntdsutil.exe)
RiskScore = 50
Query = Process.Path like r"%\\ntdsutil.exe"
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a defence evasion attempt via odbcconf.exe execution to load a DLL
RuleName = Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
EventType = Process.Start
Tag = proc-start-application-whitelisting-bypass-via-dll-loaded-by-odbcconf.exe
RiskScore = 50
Query = ((Process.Path like r"%\\odbcconf.exe" and (Process.CommandLine like r"%-f%" or Process.CommandLine like r"%regsvr%")) or (Parent.Path like r"%\\odbcconf.exe" and Process.Path like r"%\\rundll32.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
RuleName = Code Execution via Pcwutl.dll
EventType = Process.Start
Tag = proc-start-code-execution-via-pcwutl.dll
RiskScore = 50
Query = (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%pcwutl%" and Process.CommandLine like r"%LaunchApplication%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects code execution via Pester.bat (Pester - PowerShell module for testing)
RuleName = Execute Code with Pester.bat
EventType = Process.Start
Tag = proc-start-execute-code-with-pester.bat
RiskScore = 50
Query = ((Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%Pester%" and Process.CommandLine like r"%Get-Help%") or (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%pester%" and Process.CommandLine like r"%;%" and (Process.CommandLine like r"%help%" or Process.CommandLine like r"%_%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Attackers can use print.exe for remote file copy
RuleName = Abusing Print Executable
EventType = Process.Start
Tag = proc-start-abusing-print-executable
RiskScore = 50
Query = (((Process.Path like r"%\\print.exe") and (Process.CommandLine like r"print%") and (Process.CommandLine like r"%/D%") and (Process.CommandLine like r"%.exe%")) and not ((Process.CommandLine like r"%print.exe%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma '. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
# NOTE: the query intentionally checks neither Process.Path nor Process.Name, so any process started with " -ma " in its command line is reported; other tools using a "-ma" switch may need an exclusion when tuning.
RuleName = Suspicious Use of Procdump
EventType = Process.Start
Tag = proc-start-suspicious-use-of-procdump
RiskScore = 50
Query = (Process.CommandLine like r"% -ma %")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects automatic end-user license agreement acceptance (accepteula) in the psexec command line
RuleName = Psexec Accepteula Condition
EventType = Process.Start
Tag = proc-start-psexec-accepteula-condition
RiskScore = 50
Query = (Process.Path like r"%\\psexec.exe" and Process.CommandLine like r"%accepteula%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# The psr.exe captures desktop screenshots and saves them on the local machine
RuleName = Psr.exe Capture Screenshots
EventType = Process.Start
Tag = proc-start-psr.exe-capture-screenshots
RiskScore = 50
Query = (Process.Path like r"%\\Psr.exe" and Process.CommandLine like r"%/start%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
RuleName = PowerShell Script Run in AppData
EventType = Process.Start
Tag = proc-start-powershell-script-run-in-appdata
RiskScore = 50
Query = (Process.CommandLine like r"%/c%" and Process.CommandLine like r"%powershell%" and Process.CommandLine like r"%\\AppData\\%" and (Process.CommandLine like r"%Local\\%" or Process.CommandLine like r"%Roaming\\%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
# NOTE: matches on command-line substrings only; Process.Path is not checked, so a renamed rar.exe is still caught, but so is any other tool invoked with both " -hp" and " -m" arguments.
RuleName = Rar with Password or Compression Level
EventType = Process.Start
Tag = proc-start-rar-with-password-or-compression-level
RiskScore = 50
Query = (Process.CommandLine like r"% -hp%" and Process.CommandLine like r"% -m%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious process start of rasdial.exe
RuleName = Suspicious RASdial Activity
EventType = Process.Start
Tag = proc-start-suspicious-rasdial-activity
RiskScore = 50
Query = (Process.Path like r"%rasdial.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious reconnaissance command lines on Windows systems
RuleName = Suspicious Reconnaissance Activity
EventType = Process.Start
Tag = proc-start-suspicious-reconnaissance-activity
RiskScore = 50
Query = Process.CommandLine in ["net group \"domain admins\" /domain", "net localgroup administrators", "net group \"enterprise admins\" /domain"]
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects using register-cimprovider.exe to execute arbitrary dll file.
RuleName = DLL Execution Via Register-cimprovider.exe
EventType = Process.Start
Tag = proc-start-dll-execution-via-register-cimprovider.exe
RiskScore = 50
Query = (Process.Path like r"%\\register-cimprovider.exe" and Process.CommandLine like r"%-path%" and Process.CommandLine like r"%dll%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
RuleName = Capture Credentials with Rpcping.exe
EventType = Process.Start
Tag = proc-start-capture-credentials-with-rpcping.exe
RiskScore = 50
Query = ((Process.Path like r"%\\rpcping.exe" and (Process.CommandLine like r"%-s%" or Process.CommandLine like r"%/s%")) and ((Process.CommandLine like r"%-u%" and Process.CommandLine like r"%NTLM%") or (Process.CommandLine like r"%/u%" and Process.CommandLine like r"%NTLM%") or (Process.CommandLine like r"%-t%" and Process.CommandLine like r"%ncacn\_np%") or (Process.CommandLine like r"%/t%" and Process.CommandLine like r"%ncacn\_np%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious process related to rundll32 based on arguments
RuleName = Suspicious Rundll32 Activity
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-activity
RiskScore = 50
Query = ((Process.CommandLine like r"%javascript:%" or Process.CommandLine like r"%.RegisterXLL%") or (Process.CommandLine like r"%url.dll%" and Process.CommandLine like r"%OpenURL%") or (Process.CommandLine like r"%url.dll%" and Process.CommandLine like r"%OpenURLA%") or (Process.CommandLine like r"%url.dll%" and Process.CommandLine like r"%FileProtocolHandler%") or (Process.CommandLine like r"%zipfldr.dll%" and Process.CommandLine like r"%RouteTheCall%") or (Process.CommandLine like r"%shell32.dll%" and Process.CommandLine like r"%Control\_RunDLL%") or (Process.CommandLine like r"%shell32.dll%" and Process.CommandLine like r"%ShellExec\_RunDLL%") or (Process.CommandLine like r"%mshtml.dll%" and Process.CommandLine like r"%PrintHTML%") or (Process.CommandLine like r"%advpack.dll%" and Process.CommandLine like r"%LaunchINFSection%") or (Process.CommandLine like r"%advpack.dll%" and Process.CommandLine like r"%RegisterOCX%") or (Process.CommandLine like r"%ieadvpack.dll%" and Process.CommandLine like r"%LaunchINFSection%") or (Process.CommandLine like r"%ieadvpack.dll%" and Process.CommandLine like r"%RegisterOCX%") or (Process.CommandLine like r"%ieframe.dll%" and Process.CommandLine like r"%OpenURL%") or (Process.CommandLine like r"%shdocvw.dll%" and Process.CommandLine like r"%OpenURL%") or (Process.CommandLine like r"%syssetup.dll%" and Process.CommandLine like r"%SetupInfObjectInstallAction'%") or (Process.CommandLine like r"%setupapi.dll%" and Process.CommandLine like r"%InstallHinfSection%") or (Process.CommandLine like r"%pcwutl.dll%" and Process.CommandLine like r"%LaunchApplication%") or (Process.CommandLine like r"%dfshim.dll%" and Process.CommandLine like r"%ShOpenVerbApplication%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of the Run or RunOnce registry keys, run a process or use other DLL chain calls (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.
RuleName = Suspicious Rundll32 Setupapi.dll Activity
EventType = Process.Start
Tag = proc-start-suspicious-rundll32-setupapi.dll-activity
RiskScore = 50
Query = (Process.Path like r"%\\runonce.exe" and Parent.Path like r"%\\rundll32.exe" and Parent.CommandLine like r"%setupapi.dll%" and Parent.CommandLine like r"%InstallHinfSection%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of PowerShell scripts via Runscripthelper.exe
RuleName = Suspicious Runscripthelper.exe
EventType = Process.Start
Tag = proc-start-suspicious-runscripthelper.exe
RiskScore = 50
Query = (Process.Path like r"%\\Runscripthelper.exe" and Process.CommandLine like r"%surfacecheck%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious process run from unusual locations
RuleName = Suspicious Process Start Locations
EventType = Process.Start
Tag = proc-start-suspicious-process-start-locations
RiskScore = 50
Query = ((Process.Path like r"%:\\RECYCLER\\%" or Process.Path like r"%:\\SystemVolumeInformation\\%") or (Process.Path like r"C:\\Windows\\Tasks\\%" or Process.Path like r"C:\\Windows\\debug\\%" or Process.Path like r"C:\\Windows\\fonts\\%" or Process.Path like r"C:\\Windows\\help\\%" or Process.Path like r"C:\\Windows\\drivers\\%" or Process.Path like r"C:\\Windows\\addins\\%" or Process.Path like r"C:\\Windows\\cursors\\%" or Process.Path like r"C:\\Windows\\system32\\tasks\\%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious file execution by wscript and cscript
RuleName = WSF/JSE/JS/VBA/VBE File Execution
EventType = Process.Start
Tag = proc-start-wsf/jse/js/vba/vbe-file-execution
RiskScore = 50
Query = ((Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%.jse%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.vba%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects process dump via legitimate sqldumper.exe binary
RuleName = Dumping Process via Sqldumper.exe
EventType = Process.Start
Tag = proc-start-dumping-process-via-sqldumper.exe
RiskScore = 50
Query = (Process.Path like r"%\\sqldumper.exe" and (Process.CommandLine like r"%0x0110%" or Process.CommandLine like r"%0x01100:40%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
RuleName = Sysprep on AppData Folder
EventType = Process.Start
Tag = proc-start-sysprep-on-appdata-folder
RiskScore = 50
Query = ((Process.Path like r"%\\sysprep.exe") and (Process.CommandLine like r"%\\AppData\\%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects Access to Domain Group Policies stored in SYSVOL
RuleName = Suspicious SYSVOL Domain Group Policy Access
EventType = Process.Start
Tag = proc-start-suspicious-sysvol-domain-group-policy-access
RiskScore = 50
Query = (Process.CommandLine like r"%\\SYSVOL\\%" and Process.CommandLine like r"%\\policies\\%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a suspicious child process of userinit
RuleName = Suspicious Userinit Child Process
EventType = Process.Start
Tag = proc-start-suspicious-userinit-child-process
RiskScore = 50
Query = ((Parent.Path like r"%\\userinit.exe" and not (Process.CommandLine like r"%\\netlogon\\\*")) and not (Process.Path like r"%\\explorer.exe"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
RuleName = Detection of PowerShell Execution via Sqlps.exe
EventType = Process.Start
Tag = proc-start-detection-of-powershell-execution-via-sqlps.exe
RiskScore = 50
Query = ((Process.Path like r"%\\sqlps.exe" or Parent.Path like r"%\\sqlps.exe") or (Process.Name like r"\\sqlps.exe" and not (Parent.Path like r"%\\sqlagent.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
RuleName = SQL Client Tools PowerShell Session Detection
EventType = Process.Start
Tag = proc-start-sql-client-tools-powershell-session-detection
RiskScore = 50
Query = ((Process.Path like r"%\\sqltoolsps.exe" or Parent.Path like r"%\\sqltoolsps.exe") or (Process.Name like r"\\sqltoolsps.exe" and not (Parent.Path like r"%\\smss.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# There is an option for the MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch a specified executable and attach a debugger. This option may be used by adversaries to execute malicious code via a signed, verified binary. The debugger is installed alongside the Microsoft Visual Studio package.
RuleName = Malicious PE Execution by Microsoft Visual Studio Debugger
EventType = Process.Start
Tag = proc-start-malicious-pe-execution-by-microsoft-visual-studio-debugger
RiskScore = 50
Query = (Parent.Path like r"%\\vsjitdebugger.exe" and not ((Process.Path like r"%\\vsimmersiveactivatehelper%.exe" or Process.Path like r"%\\devenv.exe")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects VBoxDrvInst.exe runs with parameters allowing processing of an INF file. This allows creating values in the registry and installing drivers. For example, one could use this technique to obtain persistence via modifying one of the Run or RunOnce registry keys
RuleName = Suspicious VBoxDrvInst.exe Parameters
EventType = Process.Start
Tag = proc-start-suspicious-vboxdrvinst.exe-parameters
RiskScore = 50
Query = (Process.Path like r"%\\VBoxDrvInst.exe" and Process.CommandLine like r"%driver%" and Process.CommandLine like r"%executeinf%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators
RuleName = Whoami Execution
EventType = Process.Start
Tag = proc-start-whoami-execution
RiskScore = 50
Query = (Process.Path like r"%\\whoami.exe" or Process.Name == "whoami.exe")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
RuleName = AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
EventType = Process.Start
Tag = proc-start-awl-bypass-with-winrm.vbs-and-malicious-wsmpty.xsl/wsmtxt.xsl
RiskScore = 50
Query = (Process.CommandLine like r"%winrm%" and (Process.CommandLine like r"%format:pretty%" or Process.CommandLine like r"%format:\"pretty\"%" or Process.CommandLine like r"%format:\"text\"%" or Process.CommandLine like r"%format:text%") and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%")))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects an attempt to execute code or create a service on a remote host via winrm.vbs.
RuleName = Remote Code Execute via Winrm.vbs
EventType = Process.Start
Tag = proc-start-remote-code-execute-via-winrm.vbs
RiskScore = 50
Query = (Process.Path like r"%\\cscript.exe" and Process.CommandLine like r"%winrm%" and Process.CommandLine like r"%invoke Create wmicimv2/Win32\_%" and Process.CommandLine like r"%-r:http%")
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects uninstallation of security products using the WMIC utility
RuleName = Wmic Uninstall Security Product
EventType = Process.Start
Tag = proc-start-wmic-uninstall-security-product
RiskScore = 50
Query = (Process.CommandLine like r"%wmic%" and Process.CommandLine like r"%product where name=%" and Process.CommandLine like r"%call uninstall%" and Process.CommandLine like r"%/nointeractive%" and (Process.CommandLine like r"%Antivirus%" or Process.CommandLine like r"%Endpoint Security%" or Process.CommandLine like r"%Endpoint Detection%" or Process.CommandLine like r"%Crowdstrike Sensor%" or Process.CommandLine like r"%Windows Defender%" or Process.CommandLine like r"%VirusScan%" or Process.CommandLine like r"%Threat Protection%" or Process.CommandLine like r"%Endpoint Sensor%"))
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects wmic.exe executing suspicious commands. Two branches, both requiring
# the image path to end in \wmic.exe:
#   (a) remote process creation: "/NODE:" together with "process", "call" and "create "
#   (b) security-product enumeration: " path " + "AntiVirus" or "Firewall" + "Product" + " get "
RuleName = Suspicious WMI Execution
EventType = Process.Start
Tag = proc-start-suspicious-wmi-execution
# 50 corresponds to sigma level "medium" (see the file header)
RiskScore = 50
Query = (Process.Path like r"%\\wmic.exe" and ((Process.CommandLine like r"%/NODE:%" and Process.CommandLine like r"%process%" and Process.CommandLine like r"%call%" and Process.CommandLine like r"%create %") or (Process.CommandLine like r"% path %" and (Process.CommandLine like r"%AntiVirus%" or Process.CommandLine like r"%Firewall%") and Process.CommandLine like r"%Product%" and Process.CommandLine like r"% get %")))
# Additional properties attached to the matching event (process image hashes, judging by the names)
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects possible use of the Windows Subsystem for Linux (WSL) binary as a LOLBIN.
# Requires the image path to end in \wsl.exe and the command line to contain
# " -e " or " --exec " (each surrounded by spaces), i.e. a command passed through to WSL.
RuleName = WSL Execution
EventType = Process.Start
Tag = proc-start-wsl-execution
# 50 corresponds to sigma level "medium" (see the file header)
RiskScore = 50
Query = ((Process.Path like r"%\\wsl.exe") and (Process.CommandLine like r"% -e %" or Process.CommandLine like r"% --exec %"))
# Additional properties attached to the matching event (process image hashes, judging by the names)
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects execution of SyncAppvPublishingServer, which is usually utilized by adversaries
# to bypass PowerShell execution restrictions.
# The query matches on the image path alone; the command line is not inspected, so every
# start of this binary (including legitimate App-V publishing refreshes) produces an event.
RuleName = SyncAppvPublishingServer Execution to Bypass Powershell Restriction
EventType = Process.Start
Tag = proc-start-syncappvpublishingserver-execution-to-bypass-powershell-restriction
# 50 corresponds to sigma level "medium" (see the file header)
RiskScore = 50
Query = Process.Path like r"%\\SyncAppvPublishingServer.exe"
# Additional properties attached to the matching event (process image hashes, judging by the names)
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Well-known TAP software installation; possible preparation for data exfiltration
# using tunneling techniques.
# Matches on the image path alone (any tapinstall.exe start, regardless of arguments),
# so installs of legitimate VPN clients that ship a TAP driver are expected to trigger it too.
RuleName = Tap Installer Execution
EventType = Process.Start
Tag = proc-start-tap-installer-execution
# 50 corresponds to sigma level "medium" (see the file header)
RiskScore = 50
Query = Process.Path like r"%\\tapinstall.exe"
# Additional properties attached to the matching event (process image hashes, judging by the names)
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Identifies execution of nltest.exe and dsquery.exe for domain trust discovery.
# This technique is used by attackers to enumerate Active Directory trusts.
# Branches: nltest.exe with "domain_trusts", "all_trusts" or "/dclist",
# or dsquery.exe with "trustedDomain" on the command line.
# NOTE(review): "\_" appears to be an escaped literal underscore (a bare "_" otherwise
# acting as a single-character wildcard, as in SQL LIKE) — confirm against the uberAgent
# query syntax documentation.
RuleName = Domain Trust Discovery
EventType = Process.Start
Tag = proc-start-domain-trust-discovery
# 50 corresponds to sigma level "medium" (see the file header)
RiskScore = 50
Query = ((Process.Path like r"%\\nltest.exe" and (Process.CommandLine like r"%domain\_trusts%" or Process.CommandLine like r"%all\_trusts%" or Process.CommandLine like r"%/dclist%")) or (Process.Path like r"%\\dsquery.exe" and Process.CommandLine like r"%trustedDomain%"))
# Additional properties attached to the matching event (process image hashes, judging by the names)
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects when verclsid.exe is used to run a COM object via its GUID.
# Requires the image path to end in \verclsid.exe and both "/C" and "/S" to appear
# somewhere on the command line (substring matches; their order is not enforced).
RuleName = Verclsid.exe Runs COM Object
EventType = Process.Start
Tag = proc-start-verclsid.exe-runs-com-object
# 50 corresponds to sigma level "medium" (see the file header)
RiskScore = 50
Query = (Process.Path like r"%\\verclsid.exe" and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%/S%")
# Additional properties attached to the matching event (process image hashes, judging by the names)
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects a Java process running with remote debugging (JDWP) that allows more than
# just localhost to connect.
# Matches "transport=dt_socket,address=" on any process command line (the image path is
# not checked) unless the address is 127.0.0.1 or localhost. The exclusion list covers
# only those two spellings; e.g. the IPv6 loopback "::1" is not excluded and would still match.
RuleName = Java Running with Remote Debugging
EventType = Process.Start
Tag = proc-start-java-running-with-remote-debugging
# 50 corresponds to sigma level "medium" (see the file header)
RiskScore = 50
Query = (Process.CommandLine like r"%transport=dt\_socket,address=%" and not (Process.CommandLine like r"%address=127.0.0.1%" or Process.CommandLine like r"%address=localhost%"))
# Additional properties attached to the matching event (process image hashes, judging by the names)
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Detects winword.exe loading a custom DLL via the /l command-line switch.
# NOTE(review): the "%" wildcards on both sides make "/l" a two-character substring
# match anywhere in the command line (e.g. inside a path or URL containing "/l"),
# so expect noise on this rule; tune with the surrounding context before alerting on it.
RuleName = Winword.exe Loads Suspicious DLL
EventType = Process.Start
Tag = proc-start-winword.exe-loads-suspicious-dll
# 50 corresponds to sigma level "medium" (see the file header)
RiskScore = 50
Query = (Process.Path like r"%\\winword.exe" and Process.CommandLine like r"%/l%")
# Additional properties attached to the matching event (process image hashes, judging by the names)
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

[ActivityMonitoringRule]
# Extensible Stylesheet Language (XSL) files are commonly used to describe the processing
# and rendering of data within XML files. This rule detects adversaries abusing that
# functionality to execute arbitrary files while potentially bypassing application
# whitelisting defenses.
# Branches: wmic.exe with "/format" on the command line, or any start of msxsl.exe
# (the latter is matched on the image path alone, regardless of arguments).
RuleName = XSL Script Processing
EventType = Process.Start
Tag = proc-start-xsl-script-processing
# 50 corresponds to sigma level "medium" (see the file header)
RiskScore = 50
Query = ((Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%/format%") or Process.Path like r"%\\msxsl.exe")
# Additional properties attached to the matching event (process image hashes, judging by the names)
GenericProperty1 = Process.Hash.MD5
GenericProperty2 = Process.Hash.SHA1
GenericProperty3 = Process.Hash.SHA256
GenericProperty4 = Process.Hash.IMP

