LoFP LoFP / legitimate administrative activities

Techniques

Sample rules

GCP Access Policy Deleted

Description

Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.

Detection logic

condition: selection
selection:
  data.protoPayload.authorizationInfo.granted: 'true'
  data.protoPayload.authorizationInfo.permission:
  - accesscontextmanager.accessPolicies.delete
  - accesscontextmanager.accessPolicies.accessLevels.delete
  - accesscontextmanager.accessPolicies.accessZones.delete
  - accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete
  data.protoPayload.serviceName: accesscontextmanager.googleapis.com

System Information Discovery Using System_Profiler

Description

Detects the execution of “system_profiler” with specific “Data Types” that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, “system_profiler” can also be used to determine if virtualization software is being run for defense evasion purposes.

Detection logic

condition: all of selection_*
selection_cmd:
  CommandLine|contains:
  - SPApplicationsDataType
  - SPHardwareDataType
  - SPNetworkDataType
  - SPUSBDataType
selection_img:
- Image|endswith: /system_profiler
- CommandLine|contains: system_profiler

System Information Discovery Using sw_vers

Description

Detects the use of “sw_vers” for system information discovery

Detection logic

condition: all of selection_*
selection_image:
  Image|endswith: /sw_vers
selection_options:
  CommandLine|contains:
  - -buildVersion
  - -productName
  - -productVersion

System Information Discovery Using Ioreg

Description

Detects the use of “ioreg” which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.

Detection logic

condition: all of selection_*
selection_cmd1:
  CommandLine|contains:
  - -l
  - -c
selection_cmd2:
  CommandLine|contains:
  - AppleAHCIDiskDriver
  - IOPlatformExpertDevice
  - Oracle
  - Parallels
  - USB Vendor Name
  - VirtualBox
  - VMware
selection_img:
- Image|endswith: /ioreg
- CommandLine|contains: ioreg

ESXi Syslog Configuration Change Via ESXCLI

Description

Detects changes to the ESXi syslog configuration via “esxcli”

Detection logic

condition: selection
selection:
  CommandLine|contains: ' set'
  CommandLine|contains|all:
  - system
  - syslog
  - config
  Image|endswith: /esxcli