Sample rules
Startup/Logon Script added to Group Policy Object
- source: elastic
- techniques:
- T1484
- T1547
Description
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Detection logic
any where host.os.type == "windows" and event.code in ("5136", "5145") and
(
  (
    winlog.event_data.AttributeLDAPDisplayName : (
      "gPCMachineExtensionNames",
      "gPCUserExtensionNames"
    ) and
    winlog.event_data.AttributeValue : "*42B5FAAE-6536-11D2-AE5A-0000F87571E3*" and
    winlog.event_data.AttributeValue : (
      "*40B66650-4972-11D1-A7CA-0000F87571E3*",
      "*40B6664F-4972-11D1-A7CA-0000F87571E3*"
    )
  ) or
  (
    winlog.event_data.ShareName : "\\\\*\\SYSVOL" and
    winlog.event_data.RelativeTargetName : ("*\\scripts.ini", "*\\psscripts.ini") and
    winlog.event_data.AccessList : "*%%4417*"
  )
)
Access To ADMIN$ Network Share
- source: sigma
- techniques:
- t1021
- t1021.002
Description
Detects access to the ADMIN$ network share.
Detection logic
condition: selection and not 1 of filter_*
filter_main_computer_account:
  SubjectUserName|endswith: $
selection:
  EventID: 5140
  ShareName: Admin$
User Added to Local Administrator Group
- source: sigma
- techniques:
- t1078
- t1098
Description
Detects the addition of a new member to the local Administrators group, which could be legitimate administrative activity or a sign of privilege escalation.
Detection logic
condition: all of selection_* and not 1 of filter_*
filter_main_computer_accounts:
  SubjectUserName|endswith: $
selection_eid:
  EventID: 4732
selection_group:
  - TargetUserName|startswith: Administr
  - TargetSid: S-1-5-32-544
USB Device Plugged
- source: sigma
- techniques:
- t1200
Description
Detects USB devices being plugged in or unplugged.
Detection logic
condition: selection
selection:
  EventID:
    - 2003
    - 2100
    - 2102
Suspicious History File Operations
- source: sigma
- techniques:
- t1552
- t1552.003
Description
Detects command-line operations on shell history files.
Detection logic
condition: selection
selection:
  CommandLine|contains:
    - .bash_history
    - .zsh_history
    - .zhistory
    - .history
    - .sh_history
    - fish_history
Split A File Into Pieces
- source: sigma
- techniques:
- t1030
Description
Detects use of the command “split” to split files into parts, possibly for transfer.
Detection logic
condition: selection
selection:
  Image|endswith: /split
System Shutdown/Reboot - MacOs
- source: sigma
- techniques:
- t1529
Description
Adversaries may shut down or reboot systems to interrupt access to them or to aid in their destruction.
Detection logic
condition: selection
selection:
  Image|endswith:
    - /shutdown
    - /reboot
    - /halt
Split A File Into Pieces - Linux
- source: sigma
- techniques:
- t1030
Description
Detects use of the command “split” to split files into parts, possibly for transfer.
Detection logic
condition: selection
selection:
  comm: split
  type: SYSCALL
Auditing Configuration Changes on Linux Host
- source: sigma
- techniques:
- t1562
- t1562.006
Description
Detects changes to auditd configuration files.
Detection logic
condition: selection
selection:
  name:
    - /etc/audit/*
    - /etc/libaudit.conf
    - /etc/audisp/*
  type: PATH
Suspicious History File Operations - Linux
- source: sigma
- techniques:
- t1552
- t1552.003
Description
Detects command-line operations on shell history files.
Detection logic
condition: execve and history
execve:
  type: EXECVE
history:
  - .bash_history
  - .zsh_history
  - .zhistory
  - .history
  - .sh_history
  - fish_history
Logging Configuration Changes on Linux Host
- source: sigma
- techniques:
- t1562
- t1562.006
Description
Detects changes to syslog daemon configuration files.
Detection logic
condition: selection
selection:
  name:
    - /etc/syslog.conf
    - /etc/rsyslog.conf
    - /etc/syslog-ng/syslog-ng.conf
  type: PATH
System Shutdown/Reboot - Linux
- source: sigma
- techniques:
- t1529
Description
Adversaries may shut down or reboot systems to interrupt access to them or to aid in their destruction.
Detection logic
condition: execve and (shutdowncmd or (init and initselection))
execve:
  type: EXECVE
init:
  - init
  - telinit
initselection:
  - 0
  - 6
shutdowncmd:
  - shutdown
  - reboot
  - halt
  - poweroff
Admin User Remote Logon
- source: sigma
- techniques:
- t1078
- t1078.001
- t1078.002
- t1078.003
Description
Detects remote logon by an Administrator user (depending on the internal account naming pattern).
Detection logic
condition: selection
selection:
  AuthenticationPackageName: Negotiate
  EventID: 4624
  LogonType: 10
  TargetUserName|startswith: Admin