LoFP / legitimate administrative activity

Sample rules

Startup/Logon Script added to Group Policy Object

Description

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

Detection logic

any where host.os.type == "windows" and event.code in ("5136", "5145") and
(
  (
    winlog.event_data.AttributeLDAPDisplayName : (
      "gPCMachineExtensionNames",
      "gPCUserExtensionNames"
    ) and
    winlog.event_data.AttributeValue : "*42B5FAAE-6536-11D2-AE5A-0000F87571E3*" and
    winlog.event_data.AttributeValue : (
      "*40B66650-4972-11D1-A7CA-0000F87571E3*",
      "*40B6664F-4972-11D1-A7CA-0000F87571E3*"
    )
  ) or
  (
    winlog.event_data.ShareName : "\\\\*\\SYSVOL" and
    winlog.event_data.RelativeTargetName : ("*\\scripts.ini", "*\\psscripts.ini") and
    winlog.event_data.AccessList:"*%%4417*"
  )
)

Suspicious History File Operations

Description

Detects command-line operations on shell history files.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - .bash_history
  - .zsh_history
  - .zhistory
  - .history
  - .sh_history
  - fish_history

System Shutdown/Reboot - MacOs

Description

Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems.

Detection logic

condition: selection
selection:
  Image|endswith:
  - /shutdown
  - /reboot
  - /halt

Split A File Into Pieces

Description

Detects use of the command "split" to split files into parts, possibly in preparation for transfer.

Detection logic

condition: selection
selection:
  Image|endswith: /split

Auditing Configuration Changes on Linux Host

Description

Detects changes to auditd configuration files.

Detection logic

condition: selection
selection:
  name:
  - /etc/audit/*
  - /etc/libaudit.conf
  - /etc/audisp/*
  type: PATH

Potential Abuse of Linux Magic System Request Key

Description

Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes, or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.

Detection logic

condition: selection
selection:
  name|endswith:
  - /sysrq
  - /sysctl.conf
  - /sysrq-trigger
  type: PATH

Suspicious History File Operations - Linux

Description

Detects command-line operations on shell history files.

Detection logic

condition: execve and history
execve:
  type: EXECVE
history:
- .bash_history
- .zsh_history
- .zhistory
- .history
- .sh_history
- fish_history

Logging Configuration Changes on Linux Host

Description

Detects changes to syslog daemon configuration files.

Detection logic

condition: selection
selection:
  name:
  - /etc/syslog.conf
  - /etc/rsyslog.conf
  - /etc/syslog-ng/syslog-ng.conf
  type: PATH

System Shutdown/Reboot - Linux

Description

Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems.

Detection logic

condition: execve and (shutdowncmd or (init and initselection))
execve:
  type: EXECVE
init:
- init
- telinit
initselection:
- 0
- 6
shutdowncmd:
- shutdown
- reboot
- halt
- poweroff

System Info Discovery via Sysinfo Syscall

Description

Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it’s a viable target.

Detection logic

condition: selection and not 1 of filter_optional_*
filter_optional_splunk:
  exe|endswith: /bin/splunkd
selection:
  syscall: sysinfo
  type: SYSCALL

Split A File Into Pieces - Linux

Description

Detects use of the command "split" to split files into parts, possibly in preparation for transfer.

Detection logic

condition: selection
selection:
  comm: split
  type: SYSCALL

Access To ADMIN$ Network Share

Description

Detects access to the ADMIN$ network share.

Detection logic

condition: selection and not 1 of filter_*
filter_main_computer_account:
  SubjectUserName|endswith: $
selection:
  EventID: 5140
  ShareName: Admin$

User Added to Local Administrator Group

Description

Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation.

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_main_computer_accounts:
  SubjectUserName|endswith: $
selection_eid:
  EventID: 4732
selection_group:
- TargetUserName|startswith: Administr
- TargetSid: S-1-5-32-544

USB Device Plugged

Description

Detects USB devices being plugged in or unplugged.

Detection logic

condition: selection
selection:
  EventID:
  - 2003
  - 2100
  - 2102

Admin User Remote Logon

Description

Detects remote logon by an Administrator user (depending on the internal naming pattern).

Detection logic

condition: selection
selection:
  AuthenticationPackageName: Negotiate
  EventID: 4624
  LogonType: 10
  TargetUserName|startswith: Admin