LoFP LoFP / administrative activity

Techniques

Sample rules

User Added to Remote Desktop Users Group

Description

Detects addition of users to the local Remote Desktop Users group via “Net” or “Add-LocalGroupMember”.

Detection logic

condition: all of selection_*
selection_group:
  CommandLine|contains:
  - Remote Desktop Users
  - "Utilisateurs du Bureau \xE0 distance"
  - Usuarios de escritorio remoto
selection_main:
- CommandLine|contains|all:
  - 'localgroup '
  - ' /add'
- CommandLine|contains|all:
  - 'Add-LocalGroupMember '
  - ' -Group '

PUA - 3Proxy Execution

Description

Detects the use of 3proxy, a tiny free proxy server

Detection logic

condition: 1 of selection_*
selection_img:
  Image|endswith: \3proxy.exe
selection_params:
  CommandLine|contains: .exe -i127.0.0.1 -p
selection_pe:
  Description: 3proxy - tiny proxy server

Suspicious SYSTEM User Process Creation

Description

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Detection logic

condition: all of selection* and not 1 of filter_*
filter_config_mgr:
  ParentImage|contains: :\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
filter_java:
  CommandLine|contains: ' -ma '
  Image|contains:
  - :\Program Files (x86)\Java\
  - :\Program Files\Java\
  Image|endswith: \bin\jp2launcher.exe
  ParentImage|contains:
  - :\Program Files (x86)\Java\
  - :\Program Files\Java\
  ParentImage|endswith: \bin\javaws.exe
filter_ping:
  CommandLine: ping 127.0.0.1 -n 5
filter_vs:
  Image|endswith: \PING.EXE
  ParentCommandLine|contains: \DismFoDInstall.cmd
selection:
  IntegrityLevel: System
  User|contains:
  - AUTHORI
  - AUTORI
selection_special:
- Image|endswith:
  - \calc.exe
  - \wscript.exe
  - \cscript.exe
  - \hh.exe
  - \mshta.exe
  - \forfiles.exe
  - \ping.exe
- CommandLine|contains:
  - ' -NoP '
  - ' -W Hidden '
  - ' -decode '
  - ' /decode '
  - ' /urlcache '
  - ' -urlcache '
  - ' -e* JAB'
  - ' -e* SUVYI'
  - ' -e* SQBFAFgA'
  - ' -e* aWV4I'
  - ' -e* IAB'
  - ' -e* PAA'
  - ' -e* aQBlAHgA'
  - vssadmin delete shadows
  - reg SAVE HKLM
  - ' -ma '
  - Microsoft\Windows\CurrentVersion\Run
  - .downloadstring(
  - .downloadfile(
  - ' /ticket:'
  - 'dpapi::'
  - event::clear
  - event::drop
  - id::modify
  - 'kerberos::'
  - 'lsadump::'
  - 'misc::'
  - 'privilege::'
  - 'rpc::'
  - 'sekurlsa::'
  - 'sid::'
  - 'token::'
  - vault::cred
  - vault::list
  - ' p::d '
  - ;iex(
  - MiniDump
  - 'net user '

Suspicious Scheduled Task Creation Involving Temp Folder

Description

Detects the creation of scheduled tasks that involves a temporary folder and runs only once

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - ' /create '
  - ' /sc once '
  - \Temp\
  Image|endswith: \schtasks.exe

Scheduled Task Creation Via Schtasks.EXE

Description

Detects the creation of scheduled tasks by user accounts via the “schtasks” utility.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_system_user:
  User|contains:
  - AUTHORI
  - AUTORI
selection:
  CommandLine|contains: ' /create '
  Image|endswith: \schtasks.exe

Potential RDP Session Hijacking Activity

Description

Detects potential RDP Session Hijacking activity on Windows systems

Detection logic

condition: all of selection_*
selection_img:
- Image|endswith: \tscon.exe
- OriginalFileName: tscon.exe
selection_integrity:
  IntegrityLevel: SYSTEM

Suspicious Key Manager Access

Description

Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - keymgr
  - KRShowKeyMgr
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE

New Process Created Via Taskmgr.EXE

Description

Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_generic:
  Image|endswith:
  - :\Windows\System32\mmc.exe
  - :\Windows\System32\resmon.exe
  - :\Windows\System32\Taskmgr.exe
selection:
  ParentImage|endswith: \taskmgr.exe

Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet

Description

Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet

Detection logic

condition: all of selection_*
selection_cmdlet:
  CommandLine|contains: 'Get-LocalGroupMember '
selection_group:
  CommandLine|contains:
  - domain admins
  - ' administrator'
  - ' administrateur'
  - enterprise admins
  - Exchange Trusted Subsystem
  - Remote Desktop Users
  - "Utilisateurs du Bureau \xE0 distance"
  - Usuarios de escritorio remoto

Suspicious SYSVOL Domain Group Policy Access

Description

Detects Access to Domain Group Policies stored in SYSVOL

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - \SYSVOL\
  - \policies\

Firewall Configuration Discovery Via Netsh.EXE

Description

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - 'config '
  - 'state '
  - 'rule '
  - name=all
  CommandLine|contains|all:
  - 'netsh '
  - 'show '
  - 'firewall '
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe

Suspicious Recursive Takeown

Description

Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - '/f '
  - /r
  Image|endswith: \takeown.exe

Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Description

Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)

Detection logic

condition: selection_img and ((all of selection_group_* and not filter_group_add)
  or all of selection_accounts_*)
filter_group_add:
  CommandLine|contains: ' /add'
selection_accounts_flags:
  CommandLine|contains: ' /do'
selection_accounts_root:
  CommandLine|contains: ' accounts '
selection_group_flags:
  CommandLine|contains:
  - domain admins
  - ' administrator'
  - ' administrateur'
  - enterprise admins
  - Exchange Trusted Subsystem
  - Remote Desktop Users
  - "Utilisateurs du Bureau \xE0 distance"
  - Usuarios de escritorio remoto
  - ' /do'
selection_group_root:
  CommandLine|contains:
  - ' group '
  - ' localgroup '
selection_img:
- Image|endswith:
  - \net.exe
  - \net1.exe
- OriginalFileName:
  - net.exe
  - net1.exe

Potential Reconnaissance Activity Via GatherNetworkInfo.VBS

Description

Detects execution of the built-in script located in “C:\Windows\System32\gatherNetworkInfo.vbs”. Which can be used to gather information about the target machine

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: gatherNetworkInfo.vbs
selection_img:
- Image|endswith:
  - \cscript.exe
  - \wscript.exe
- OriginalFileName:
  - cscript.exe
  - wscript.exe

User Added to Local Administrators Group

Description

Detects addition of users to the local administrator group via “Net” or “Add-LocalGroupMember”.

Detection logic

condition: all of selection_*
selection_group:
  CommandLine|contains:
  - ' administrators '
  - ' administrateur'
selection_main:
- CommandLine|contains|all:
  - 'localgroup '
  - ' /add'
- CommandLine|contains|all:
  - 'Add-LocalGroupMember '
  - ' -Group '

Suspicious IIS Module Registration

Description

Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors

Detection logic

condition: selection_parent and 1 of selection_cli_*
selection_cli_1:
  CommandLine|contains: appcmd.exe add module
selection_cli_2:
  CommandLine|contains: ' system.enterpriseservices.internal.publish'
  Image|endswith: \powershell.exe
selection_cli_3:
  CommandLine|contains|all:
  - gacutil
  - ' /I'
selection_parent:
  ParentImage|endswith: \w3wp.exe

Suspicious Interactive PowerShell as SYSTEM

Description

Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context

Detection logic

condition: selection
selection:
  TargetFilename:
  - C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
  - C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback

Description

Detects enabling of the “AllowAnonymousCallback” registry value, which allows a remote connection between computers that do not have a trust relationship.

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000001)
  TargetObject|contains: \Microsoft\WBEM\CIMOM\AllowAnonymousCallback

Outlook Security Settings Updated - Registry

Description

Detects changes to the registry values related to outlook security settings

Detection logic

condition: selection
selection:
  TargetObject|contains|all:
  - \SOFTWARE\Microsoft\Office\
  - \Outlook\Security\

Curl Usage on Linux

Description

Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server

Detection logic

condition: selection
selection:
  Image|endswith: /curl

Suspicious Curl Change User Agents - Linux

Description

Detects a suspicious curl process start on linux with set useragent options

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - ' -A '
  - ' --user-agent '
  Image|endswith: /curl

Privileged User Has Been Created

Description

Detects the addition of a new user to a privileged group such as “root” or “sudo”

Detection logic

condition: all of selection_*
selection_new_user:
- new user
selection_uids_gids:
- GID=0
- UID=0
- GID=10
- GID=27