LoFP / legitimate administration activities

Techniques

Sample rules

Local Groups Discovery - MacOs

Description

Detects enumeration of local system groups

Detection logic

condition: 1 of selection*
selection_1:
  CommandLine|contains|all:
  - -q
  - group
  Image|endswith: /dscacheutil
selection_2:
  CommandLine|contains: /etc/group
  Image|endswith: /cat
selection_3:
  CommandLine|contains|all:
  - -list
  - /groups
  Image|endswith: /dscl

Macos Remote System Discovery

Description

Detects the enumeration of other remote systems.

Detection logic

condition: 1 of selection*
selection_1:
  CommandLine|contains: -a
  Image|endswith: /arp
selection_2:
  CommandLine|contains:
  - ' 10.'
  - ' 192.168.'
  - ' 172.16.'
  - ' 172.17.'
  - ' 172.18.'
  - ' 172.19.'
  - ' 172.20.'
  - ' 172.21.'
  - ' 172.22.'
  - ' 172.23.'
  - ' 172.24.'
  - ' 172.25.'
  - ' 172.26.'
  - ' 172.27.'
  - ' 172.28.'
  - ' 172.29.'
  - ' 172.30.'
  - ' 172.31.'
  - ' 127.'
  - ' 169.254.'
  Image|endswith: /ping

System Integrity Protection (SIP) Enumeration

Description

Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploitation scenarios.

Detection logic

condition: selection
selection:
  CommandLine|contains: status
  Image|endswith: /csrutil

System Network Discovery - macOS

Description

Detects enumeration of local network configuration

Detection logic

condition: 1 of selection*
selection1:
  Image|endswith:
  - /netstat
  - /ifconfig
  - /socketfilterfw
  - /networksetup
  - /arp
selection2:
  CommandLine|contains|all:
  - read
  - /Library/Preferences/com.apple.alf
  Image: /usr/bin/defaults

Local System Accounts Discovery - MacOs

Description

Detects enumeration of local system accounts on macOS

Detection logic

condition: 1 of selection*
selection_1:
  CommandLine|contains|all:
  - list
  - /users
  Image|endswith: /dscl
selection_2:
  CommandLine|contains|all:
  - -q
  - user
  Image|endswith: /dscacheutil
selection_3:
  CommandLine|contains: '''x:0:'''
selection_4:
  CommandLine|contains:
  - /etc/passwd
  - /etc/sudoers
  Image|endswith: /cat
selection_5:
  Image|endswith: /id
selection_6:
  CommandLine|contains: -u
  Image|endswith: /lsof

Network Sniffing - MacOs

Description

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use SPAN ports to capture a larger amount of data.

Detection logic

condition: selection
selection:
  Image|endswith:
  - /tcpdump
  - /tshark

User Added To Admin Group Via DseditGroup

Description

Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - ' -o edit '
  - ' -a '
  - ' -t user'
  - admin
  Image|endswith: /dseditgroup

Creation Of A Local User Account

Description

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Detection logic

condition: 1 of selection_*
selection_dscl:
  CommandLine|contains: create
  Image|endswith: /dscl
selection_sysadminctl:
  CommandLine|contains: addUser
  Image|endswith: /sysadminctl

User Added To Admin Group Via Sysadminctl

Description

Detects attempts to create and add an account to the admin group via “sysadminctl”

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - ' -addUser '
  - ' -admin '
  Image|endswith: /sysadminctl

Credentials from Password Stores - Keychain

Description

Detects password dumps from the Keychain

Detection logic

condition: 1 of selection*
selection1:
  CommandLine|contains:
  - find-certificate
  - ' export '
  Image: /usr/bin/security
selection2:
  CommandLine|contains:
  - ' dump-keychain '
  - ' login-keychain '

Scheduled Cron Task/Job - MacOs

Description

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

Detection logic

condition: selection
selection:
  CommandLine|contains: /tmp/
  Image|endswith: /crontab

Hidden User Creation

Description

Detects creation of a hidden user account on macOS (UserID < 500) or with the IsHidden option

Detection logic

condition: dscl_create and id_below_500 or dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
dscl_create:
  CommandLine|contains: create
  Image|endswith: /dscl
id_below_500:
  CommandLine|contains: UniqueID
  CommandLine|re: ([0-9]|[1-9][0-9]|[1-4][0-9]{2})
ishidden_option_confirmation:
  CommandLine|contains:
  - 'true'
  - 'yes'
  - '1'
ishidden_option_declaration:
  CommandLine|contains: IsHidden

Indicator Removal on Host - Clear Mac System Logs

Description

Detects deletion of local audit logs

Detection logic

condition: selection1 and 1 of selection_cli*
selection1:
  Image|endswith:
  - /rm
  - /unlink
  - /shred
selection_cli_1:
  CommandLine|contains: /var/log
selection_cli_2:
  CommandLine|contains|all:
  - /Users/
  - /Library/Logs/

Suspicious MacOS Firmware Activity

Description

Detects when a user manipulates the firmware password on macOS. NOTE: this command has been disabled on Apple silicon-based computers.

Detection logic

condition: selection1
selection1:
  CommandLine|contains:
  - setpasswd
  - full
  - delete
  - check
  Image: /usr/sbin/firmwarepasswd

MacOS Network Service Scanning

Description

Detects enumeration of local or remote network services.

Detection logic

condition: (selection_1 and not filter) or selection_2
filter:
  CommandLine|contains: l
selection_1:
  Image|endswith:
  - /nc
  - /netcat
selection_2:
  Image|endswith:
  - /nmap
  - /telnet

User Added To Admin Group Via Dscl

Description

Detects attempts to create and add an account to the admin group via “dscl”

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - ' -append '
  - ' /Groups/admin '
  - ' GroupMembership '
  Image|endswith: /dscl

MacOS Emond Launch Daemon

Description

Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.

Detection logic

condition: 1 of selection_*
selection_1:
  TargetFilename|contains: /etc/emond.d/rules/
  TargetFilename|endswith: .plist
selection_2:
  TargetFilename|contains: /private/var/db/emondClients/

Startup Items

Description

Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.

Detection logic

condition: selection
selection:
- TargetFilename|contains: /Library/StartupItems/
- TargetFilename|endswith: .plist

Detected Windows Software Discovery

Description

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - query
  - \software\
  - /v
  - svcversion
  Image|endswith: \reg.exe

Detected Windows Software Discovery - PowerShell

Description

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains|all:
  - get-itemProperty
  - \software\
  - select-object
  - format-table

ESXi System Information Discovery Via ESXCLI

Description

Detects execution of the “esxcli” command with the “system” flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - ' get'
  - ' list'
selection_img:
  CommandLine|contains: system
  Image|endswith: /esxcli

Suspicious Package Installed - Linux

Description

Detects installation of suspicious packages using system installation utilities

Detection logic

condition: 1 of selection_tool_* and selection_keyword
selection_keyword:
  CommandLine|contains:
  - nmap
  - ' nc'
  - netcat
  - wireshark
  - tshark
  - openconnect
  - proxychains
selection_tool_apt:
  CommandLine|contains: install
  Image|endswith:
  - /apt
  - /apt-get
selection_tool_dpkg:
  CommandLine|contains:
  - --install
  - -i
  Image|endswith: /dpkg
selection_tool_rpm:
  CommandLine|contains: -i
  Image|endswith: /rpm
selection_tool_yum:
  CommandLine|contains:
  - localinstall
  - install
  Image|endswith: /yum

Setuid and Setgid

Description

Detects suspicious change of file privileges with chown and chmod commands

Detection logic

condition: all of selection_*
selection_perm:
  CommandLine|contains:
  - ' chmod u+s'
  - ' chmod g+s'
selection_root:
  CommandLine|contains: chown root

ESXi Storage Information Discovery Via ESXCLI

Description

Detects execution of the “esxcli” command with the “storage” flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - ' get'
  - ' list'
selection_img:
  CommandLine|contains: storage
  Image|endswith: /esxcli

Local Groups Discovery - Linux

Description

Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings.

Detection logic

condition: 1 of selection*
selection_1:
  Image|endswith: /groups
selection_2:
  CommandLine|contains: /etc/group
  Image|endswith:
  - /cat
  - /head
  - /tail
  - /more

ESXi Account Creation Via ESXCLI

Description

Detects user account creation on ESXi system via esxcli

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - 'system '
  - 'account '
  - 'add '
  Image|endswith: /esxcli

ESXi VSAN Information Discovery Via ESXCLI

Description

Detects execution of the “esxcli” command with the “vsan” flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - ' get'
  - ' list'
selection_img:
  CommandLine|contains: vsan
  Image|endswith: /esxcli

Process Discovery

Description

Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network.

Detection logic

condition: selection
selection:
  Image|endswith:
  - /ps
  - /top

ESXi VM List Discovery Via ESXCLI

Description

Detects execution of the “esxcli” command with the “vm” flag in order to retrieve information about the installed VMs.

Detection logic

condition: selection
selection:
  CommandLine|contains: vm process
  CommandLine|endswith: ' list'
  Image|endswith: /esxcli

Local System Accounts Discovery - Linux

Description

Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Detection logic

condition: 1 of selection*
selection_1:
  Image|endswith: /lastlog
selection_2:
  CommandLine|contains: '''x:0:'''
selection_3:
  CommandLine|contains:
  - /etc/passwd
  - /etc/shadow
  - /etc/sudoers
  Image|endswith:
  - /cat
  - /head
  - /tail
  - /more
selection_4:
  Image|endswith: /id
selection_5:
  CommandLine|contains: -u
  Image|endswith: /lsof

Disabling Security Tools

Description

Detects disabling security tools

Detection logic

condition: 1 of selection*
selection_carbonblack_1:
  CommandLine|contains|all:
  - cbdaemon
  - stop
  Image|endswith: /service
selection_carbonblack_2:
  CommandLine|contains|all:
  - cbdaemon
  - 'off'
  Image|endswith: /chkconfig
selection_carbonblack_3:
  CommandLine|contains|all:
  - cbdaemon
  - stop
  Image|endswith: /systemctl
selection_carbonblack_4:
  CommandLine|contains|all:
  - cbdaemon
  - disable
  Image|endswith: /systemctl
selection_crowdstrike_1:
  CommandLine|contains|all:
  - stop
  - falcon-sensor
  Image|endswith: /systemctl
selection_crowdstrike_2:
  CommandLine|contains|all:
  - disable
  - falcon-sensor
  Image|endswith: /systemctl
selection_firewall_1:
  CommandLine|contains|all:
  - firewalld
  - stop
  Image|endswith: /systemctl
selection_firewall_2:
  CommandLine|contains|all:
  - firewalld
  - disable
  Image|endswith: /systemctl
selection_iptables_1:
  CommandLine|contains|all:
  - iptables
  - stop
  Image|endswith: /service
selection_iptables_2:
  CommandLine|contains|all:
  - ip6tables
  - stop
  Image|endswith: /service
selection_iptables_3:
  CommandLine|contains|all:
  - iptables
  - stop
  Image|endswith: /chkconfig
selection_iptables_4:
  CommandLine|contains|all:
  - ip6tables
  - stop
  Image|endswith: /chkconfig
selection_selinux:
  CommandLine|contains: '0'
  Image|endswith: /setenforce

System Network Discovery - Linux

Description

Detects enumeration of local network configuration

Detection logic

condition: 1 of selection_*
selection_cli:
  CommandLine|contains: /etc/resolv.conf
selection_img:
  Image|endswith:
  - /firewall-cmd
  - /ufw
  - /iptables
  - /netstat
  - /ss
  - /ip
  - /ifconfig
  - /systemd-resolve
  - /route

Description

Detects events in which someone prints the contents of history files to the command line or redirects them to a file for reconnaissance

Detection logic

condition: all of selection*
selection:
  Image|endswith:
  - /cat
  - /head
  - /tail
  - /more
selection_history:
- CommandLine|contains:
  - /.bash_history
  - /.zsh_history
- CommandLine|endswith:
  - _history
  - .history
  - zhistory

Connection Proxy

Description

Detects setting proxy configuration

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - http_proxy=
  - https_proxy=

System Information Discovery

Description

Detects system information discovery commands

Detection logic

condition: selection
selection:
  Image|endswith:
  - /uname
  - /hostname
  - /uptime
  - /lspci
  - /dmidecode
  - /lscpu
  - /lsmod

Install Root Certificate

Description

Detects installation of a new certificate on the system, which attackers may use to avoid warnings when connecting to controlled web servers or C2 servers

Detection logic

condition: selection
selection:
  Image|endswith:
  - /update-ca-certificates
  - /update-ca-trust

Linux Base64 Encoded Shebang In CLI

Description

Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - IyEvYmluL2Jhc2
  - IyEvYmluL2Rhc2
  - IyEvYmluL3pza
  - IyEvYmluL2Zpc2
  - IyEvYmluL3No

Linux Base64 Encoded Pipe to Shell

Description

Detects suspicious process command line that uses base64 encoded input for execution with a shell

Detection logic

condition: all of selection_*
selection_base64:
  CommandLine|contains: 'base64 '
selection_exec:
- CommandLine|contains:
  - '| bash '
  - '| sh '
  - '|bash '
  - '|sh '
- CommandLine|endswith:
  - ' |sh'
  - '| bash'
  - '| sh'
  - '|bash'

ESXi Admin Permission Assigned To Account Via ESXCLI

Description

Detects execution of the “esxcli” command with the “system” and “permission” flags in order to assign admin permissions to an account.

Detection logic

condition: selection
selection:
  CommandLine|contains: system
  CommandLine|contains|all:
  - ' permission '
  - ' set'
  - Admin
  Image|endswith: /esxcli

Linux Remote System Discovery

Description

Detects the enumeration of other remote systems.

Detection logic

condition: 1 of selection*
selection_1:
  CommandLine|contains: -a
  Image|endswith: /arp
selection_2:
  CommandLine|contains:
  - ' 10.'
  - ' 192.168.'
  - ' 172.16.'
  - ' 172.17.'
  - ' 172.18.'
  - ' 172.19.'
  - ' 172.20.'
  - ' 172.21.'
  - ' 172.22.'
  - ' 172.23.'
  - ' 172.24.'
  - ' 172.25.'
  - ' 172.26.'
  - ' 172.27.'
  - ' 172.28.'
  - ' 172.29.'
  - ' 172.30.'
  - ' 172.31.'
  - ' 127.'
  - ' 169.254.'
  Image|endswith: /ping

Disable Or Stop Services

Description

Detects the usage of utilities such as ‘systemctl’, ‘service’, etc. to stop or disable tools and services

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - stop
  - disable
  Image|endswith:
  - /service
  - /systemctl
  - /chkconfig

Scheduled Cron Task/Job - Linux

Description

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

Detection logic

condition: selection
selection:
  CommandLine|contains: /tmp/
  Image|endswith: crontab

Scheduled Task/Job At

Description

Detects the use of at/atd, utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code.

Detection logic

condition: selection
selection:
  Image|endswith:
  - /at
  - /atd

ESXi Network Configuration Discovery Via ESXCLI

Description

Detects execution of the “esxcli” command with the “network” flag in order to retrieve information about the network configuration.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - ' get'
  - ' list'
selection_img:
  CommandLine|contains: network
  Image|endswith: /esxcli

File Deletion

Description

Detects file deletion using “rm”, “shred” or “unlink” commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity

Detection logic

condition: selection
selection:
  Image|endswith:
  - /rm
  - /shred
  - /unlink

Linux Network Service Scanning Tools Execution

Description

Detects execution of network scanning and reconnaissance tools. These tools can be used, for example, for the enumeration of local or remote network services.

Detection logic

condition: (selection_netcat and not filter_main_netcat_listen_flag) or selection_network_scanning_tools
filter_main_netcat_listen_flag:
  CommandLine|contains:
  - ' --listen '
  - ' -l '
selection_netcat:
  Image|endswith:
  - /nc
  - /ncat
  - /netcat
  - /socat
selection_network_scanning_tools:
  Image|endswith:
  - /autorecon
  - /hping
  - /hping2
  - /hping3
  - /naabu
  - /nmap
  - /nping
  - /telnet

Clear Linux Logs

Description

Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - /var/log
  - /var/spool/mail
  Image|endswith:
  - /rm
  - /shred
  - /unlink

ESXi VM Kill Via ESXCLI

Description

Detects execution of the “esxcli” command with the “vm” and “kill” flags in order to kill/shutdown a specific VM.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - vm process
  - kill
  Image|endswith: /esxcli

Cat Sudoers

Description

Detects the execution of cat /etc/sudoers to list all users that have sudo rights

Detection logic

condition: selection
selection:
  CommandLine|contains: ' /etc/sudoers'
  Image|endswith:
  - /cat
  - grep
  - /head
  - /tail
  - /more

Linux Recon Indicators

Description

Detects events with patterns found in commands used for reconnaissance on Linux systems

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - ' -name .htpasswd'
  - ' -perm -4000 '

History File Deletion

Description

Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity

Detection logic

condition: all of selection*
selection:
  Image|endswith:
  - /rm
  - /unlink
  - /shred
selection_history:
- CommandLine|contains:
  - /.bash_history
  - /.zsh_history
- CommandLine|endswith:
  - _history
  - .history
  - zhistory

Remote File Copy

Description

Detects the use of tools that copy files from or to remote systems

Detection logic

condition: tools and filter
filter:
- '@'
- ':'
tools:
- 'scp '
- 'rsync '
- 'sftp '

Disabling Security Tools - Builtin

Description

Detects disabling security tools

Detection logic

condition: keywords
keywords:
- stopping iptables
- stopping ip6tables
- stopping firewalld
- stopping cbdaemon
- stopping falcon-sensor

Password Policy Discovery

Description

Detects password policy discovery commands

Detection logic

condition: 1 of selection_*
selection_chage:
  a0: chage
  a1:
  - --list
  - -l
  type: EXECVE
selection_files:
  name:
  - /etc/pam.d/common-password
  - /etc/security/pwquality.conf
  - /etc/pam.d/system-auth
  - /etc/login.defs
  type: PATH
selection_passwd:
  a0: passwd
  a1:
  - -S
  - --status
  type: EXECVE

Linux Network Service Scanning - Auditd

Description

Detects enumeration of local or remote network services.

Detection logic

condition: selection
selection:
  exe|endswith:
  - /telnet
  - /nmap
  - /netcat
  - /nc
  - /ncat
  - /nc.openbsd
  key: network_connect_4
  type: SYSCALL

System and Hardware Information Discovery

Description

Detects system information discovery commands

Detection logic

condition: selection
selection:
  name:
  - /sys/class/dmi/id/bios_version
  - /sys/class/dmi/id/product_name
  - /sys/class/dmi/id/chassis_vendor
  - /proc/scsi/scsi
  - /proc/ide/hd0/model
  - /proc/version
  - /etc/*version
  - /etc/*release
  - /etc/issue
  type: PATH