LoFP / legitimate administrative activity

Sample rules

Startup/Logon Script added to Group Policy Object

Description

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

Detection logic

any where host.os.type == "windows" and event.code in ("5136", "5145") and
(
  (
    winlog.event_data.AttributeLDAPDisplayName : (
      "gPCMachineExtensionNames",
      "gPCUserExtensionNames"
    ) and
    winlog.event_data.AttributeValue : "*42B5FAAE-6536-11D2-AE5A-0000F87571E3*" and
    winlog.event_data.AttributeValue : (
      "*40B66650-4972-11D1-A7CA-0000F87571E3*",
      "*40B6664F-4972-11D1-A7CA-0000F87571E3*"
    )
  ) or
  (
    winlog.event_data.ShareName : "\\\\*\\SYSVOL" and
    winlog.event_data.RelativeTargetName : ("*\\scripts.ini", "*\\psscripts.ini") and
    winlog.event_data.AccessList:"*%%4417*"
  )
)

Potential Abuse of Linux Magic System Request Key

Description

Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes, or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.

Detection logic

condition: selection
selection:
  name|endswith:
  - /sysrq
  - /sysctl.conf
  - /sysrq-trigger
  type: PATH

Suspicious History File Operations - Linux

Description

Detects command-line operations on shell history files.

Detection logic

condition: execve and history
execve:
  type: EXECVE
history:
- .bash_history
- .zsh_history
- .zhistory
- .history
- .sh_history
- fish_history

System Shutdown/Reboot - Linux

Description

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Detection logic

condition: execve and (shutdowncmd or (init and initselection))
execve:
  type: EXECVE
init:
- init
- telinit
initselection:
- 0
- 6
shutdowncmd:
- shutdown
- reboot
- halt
- poweroff

Split A File Into Pieces - Linux

Description

Detects use of the command “split” to split files into parts, possibly in preparation for transfer.

Detection logic

condition: selection
selection:
  comm: split
  type: SYSCALL

Auditing Configuration Changes on Linux Host

Description

Detects changes to auditd configuration files.

Detection logic

condition: selection
selection:
  name:
  - /etc/audit/*
  - /etc/libaudit.conf
  - /etc/audisp/*
  type: PATH

Logging Configuration Changes on Linux Host

Description

Detects changes to syslog daemon configuration files.

Detection logic

condition: selection
selection:
  name:
  - /etc/syslog.conf
  - /etc/rsyslog.conf
  - /etc/syslog-ng/syslog-ng.conf
  type: PATH

System Info Discovery via Sysinfo Syscall

Description

Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it’s a viable target.

Detection logic

condition: selection and not 1 of filter_optional_*
filter_optional_splunk:
  exe|endswith: /bin/splunkd
selection:
  syscall: sysinfo
  type: SYSCALL

Suspicious History File Operations

Description

Detects command-line operations on shell history files.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - .bash_history
  - .zsh_history
  - .zhistory
  - .history
  - .sh_history
  - fish_history

System Shutdown/Reboot - MacOs

Description

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Detection logic

condition: selection
selection:
  Image|endswith:
  - /shutdown
  - /reboot
  - /halt

Split A File Into Pieces

Description

Detects use of the command “split” to split files into parts, possibly in preparation for transfer.

Detection logic

condition: selection
selection:
  Image|endswith: /split

User Added to Local Administrator Group

Description

Detects the addition of a new member to the local administrator group, which could be legitimate administrative activity or a sign of privilege escalation.

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_main_computer_accounts:
  SubjectUserName|endswith: $
selection_eid:
  EventID: 4732
selection_group:
- TargetUserName|startswith: Administr
- TargetSid: S-1-5-32-544

Access To ADMIN$ Network Share

Description

Detects access to the ADMIN$ network share.

Detection logic

condition: selection and not 1 of filter_*
filter_main_computer_account:
  SubjectUserName|endswith: $
selection:
  EventID: 5140
  ShareName: Admin$

USB Device Plugged

Description

Detects plugged/unplugged USB devices.

Detection logic

condition: selection
selection:
  EventID:
  - 2003
  - 2100
  - 2102

Windows Recovery Environment Disabled Via Reagentc

Description

Detects attempts to disable the Windows Recovery Environment using Reagentc. ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE). It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|windash: /disable
selection_img:
- Image|endswith: \reagentc.exe
- OriginalFileName: reagentc.exe

Password Set to Never Expire via WMI

Description

Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - useraccount
  - ' set '
  - passwordexpires
  - 'false'
selection_img:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe

Admin User Remote Logon

Description

Detects remote login by an Administrator user (depending on the internal account naming pattern).

Detection logic

condition: selection
selection:
  AuthenticationPackageName: Negotiate
  EventID: 4624
  LogonType: 10
  TargetUserName|startswith: Admin