Techniques
- t1033
- t1059
- t1059.004
- t1070
- t1070.001
- t1136
- t1136.001
- t1485
- t1505
- t1505.003
- t1546
- t1546.001
- t1562
- t1562.002
- t1562.004
Sample rules
Fsutil Suspicious Invocation
- source: sigma
- techniques:
  - t1070
  - t1485
Description
Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.). Might be used by ransomware during an attack (seen with NotPetya and others).
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains:
    - deletejournal
    - createjournal
    - setZeroData
selection_img:
  - Image|endswith: \fsutil.exe
  - OriginalFileName: fsutil.exe
Whoami Utility Execution
- source: sigma
- techniques:
  - t1033
Description
Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation
Detection logic
condition: selection
selection:
  - Image|endswith: \whoami.exe
  - OriginalFileName: whoami.exe
Whoami.EXE Execution Anomaly
- source: sigma
- techniques:
  - t1033
Description
Detects the execution of whoami.exe with suspicious parent processes.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_known_parents:
  ParentImage|endswith:
    - \cmd.exe
    - \powershell_ise.exe
    - \powershell.exe
    - \pwsh.exe
filter_main_parent_empty:
  ParentImage: ''
filter_main_parent_null:
  ParentImage: null
filter_optional_ms_monitoring_agent:
  ParentImage|endswith: :\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe
selection:
  - Image|endswith: \whoami.exe
  - OriginalFileName: whoami.exe
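As an added example (not part of this page or of the Sigma project), a small Python evaluator for the selection/filter semantics these rules rely on (a mapping ANDs its fields, a list ORs its entries, `contains`/`endswith` modifiers, `''` and `null` values), run over constructed process-creation events against the Whoami.EXE Execution Anomaly rule above; it handles only the modifiers that rule uses.

```python
def _match_field(event, key, wanted):
    """Match one 'Field' or 'Field|modifier' key; a list of values is OR-ed."""
    field, _, mod = key.partition("|")
    value = event.get(field)
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        if w is None or value is None:  # 'null' matches only an absent field
            if w is None and value is None:
                return True
            continue
        v, w = str(value).lower(), str(w).lower()  # Sigma matching is case-insensitive
        if (mod == "contains" and w in v) or (mod == "endswith" and v.endswith(w)) or (mod == "" and v == w):
            return True
    return False

def match_selection(event, sel):
    """A mapping AND-s its fields; a list of mappings is OR-ed (Sigma semantics)."""
    if isinstance(sel, list):
        return any(match_selection(event, item) for item in sel)
    return all(_match_field(event, k, v) for k, v in sel.items())

# Body of the 'Whoami.EXE Execution Anomaly' rule, transcribed from the page.
WHOAMI_ANOMALY = {
    "selection": [{"Image|endswith": "\\whoami.exe"}, {"OriginalFileName": "whoami.exe"}],
    "filter_main_known_parents": {"ParentImage|endswith": [
        "\\cmd.exe", "\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe"]},
    "filter_main_parent_empty": {"ParentImage": ""},
    "filter_main_parent_null": {"ParentImage": None},
    "filter_optional_ms_monitoring_agent": {"ParentImage|endswith":
        ":\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe"},
}

def whoami_anomaly(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not match_selection(event, WHOAMI_ANOMALY["selection"]):
        return False
    return not any(match_selection(event, body)
                   for name, body in WHOAMI_ANOMALY.items() if name.startswith("filter_"))

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe", "OriginalFileName": "whoami.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},       # known parent: no alert
    {"Image": r"C:\Windows\System32\whoami.exe", "OriginalFileName": "whoami.exe",
     "ParentImage": r"C:\Windows\Temp\updater.exe"},       # unexpected parent: alert
    {"Image": r"C:\Windows\System32\WHOAMI.EXE"},          # no ParentImage: filtered out
]

def alerts():
    """Indexes of EVENTS that the rule flags."""
    return [i for i, e in enumerate(EVENTS) if whoami_anomaly(e)]
```

Note that the `null` filter only matches when the field is entirely absent from the event, which is why the third event is suppressed even though its image name matches in a different letter case.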
Suspicious Eventlog Clearing or Configuration Change Activity
- source: sigma
- techniques:
  - t1070
  - t1070.001
  - t1562
  - t1562.002
Description
Detects the clearing or configuration tampering of EventLog using utilities such as “wevtutil”, “powershell” and “wmic”. This technique was seen used by threat actors and ransomware strains in order to evade defenses.
Detection logic
condition: 1 of selection_* and not 1 of filter_*
filter_msiexec:
  CommandLine|contains: ' sl '
  ParentImage:
    - C:\Windows\SysWOW64\msiexec.exe
    - C:\Windows\System32\msiexec.exe
selection_other_ps:
  CommandLine|contains:
    - 'Clear-EventLog '
    - 'Remove-EventLog '
    - 'Limit-EventLog '
    - 'Clear-WinEvent '
  Image|endswith:
    - \powershell.exe
    - \pwsh.exe
selection_other_wmi:
  CommandLine|contains: ClearEventLog
  Image|endswith:
    - \powershell.exe
    - \pwsh.exe
    - \wmic.exe
selection_wevtutil:
  CommandLine|contains:
    - 'clear-log '
    - ' cl '
    - 'set-log '
    - ' sl '
    - 'lfn:'
  Image|endswith: \wevtutil.exe
Change Default File Association Via Assoc
- source: sigma
- techniques:
  - t1546
  - t1546.001
Description
Detects file association changes using the builtin “assoc” command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains: assoc
selection_img:
  - Image|endswith: \cmd.exe
  - OriginalFileName: Cmd.Exe
Webshell Remote Command Execution
- source: sigma
- techniques:
  - t1505
  - t1505.003
Description
Detects possible command execution by web application/web shell
Detection logic
condition: selection
selection:
  key: detect_execve_www
  syscall: execve
  type: SYSCALL
Suspicious Commands Linux
- source: sigma
- techniques:
  - t1059
  - t1059.004
Description
Detects relevant commands often related to malware or hacking activity
Detection logic
cmd1:
  a0: chmod
  a1: 777
  type: EXECVE
cmd2:
  a0: chmod
  a1: u+s
  type: EXECVE
cmd3:
  a0: cp
  a1: /bin/ksh
  type: EXECVE
cmd4:
  a0: cp
  a1: /bin/sh
  type: EXECVE
condition: 1 of cmd*
System Owner or User Discovery - Linux
- source: sigma
- techniques:
  - t1033
Description
Detects the execution of host or user discovery utilities such as “whoami”, “hostname”, “id”, etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Detection logic
condition: selection
selection:
  a0:
    - hostname
    - id
    - last
    - users
    - w
    - who
    - whoami
  type: EXECVE
Disable System Firewall
- source: sigma
- techniques:
  - t1562
  - t1562.004
Description
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
Detection logic
condition: selection
selection:
  type: SERVICE_STOP
  unit:
    - firewalld
    - iptables
    - ufw
Creation Of An User Account
- source: sigma
- techniques:
  - t1136
  - t1136.001
Description
Detects the creation of a new user account. Such accounts may be used for persistence that does not require persistent remote access tools to be deployed on the system.
Detection logic
condition: 1 of selection_*
selection_add_user_record_type:
  type: ADD_USER
selection_syscall_record_type:
  exe|endswith: /useradd
  type: SYSCALL