LoFP LoFP / legitimate administrative activity

Sample rules

Startup/Logon Script added to Group Policy Object

Description

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

Detection logic

(
 event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and
   winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and
                                      (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))
)
or
(
 event.code:5145 and winlog.event_data.ShareName:\\\\*\\SYSVOL and
   winlog.event_data.RelativeTargetName:(*\\scripts.ini or *\\psscripts.ini) and
   (message:WriteData or winlog.event_data.AccessList:*%%4417*)
)

Split A File Into Pieces

Description

Detection use of the command “split” to split files into parts and possible transfer.

Detection logic

condition: selection
selection:
  Image|endswith: /split

System Shutdown/Reboot - MacOs

Description

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Detection logic

condition: selection
selection:
  Image|endswith:
  - /shutdown
  - /reboot
  - /halt

Suspicious History File Operations

Description

Detects commandline operations on shell history files

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - .bash_history
  - .zsh_history
  - .zhistory
  - .history
  - .sh_history
  - fish_history

Access To ADMIN$ Network Share

Description

Detects access to ADMIN$ network share

Detection logic

condition: selection and not 1 of filter_*
filter_main_computer_account:
  SubjectUserName|endswith: $
selection:
  EventID: 5140
  ShareName: Admin$

User Added to Local Administrator Group

Description

Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_main_computer_accounts:
  SubjectUserName|endswith: $
selection_eid:
  EventID: 4732
selection_group:
- TargetUserName|startswith: Administr
- TargetSid: S-1-5-32-544

USB Device Plugged

Description

Detects plugged/unplugged USB devices

Detection logic

condition: selection
selection:
  EventID:
  - 2003
  - 2100
  - 2102

Suspicious History File Operations - Linux

Description

Detects commandline operations on shell history files

Detection logic

condition: execve and history
execve:
  type: EXECVE
history:
- .bash_history
- .zsh_history
- .zhistory
- .history
- .sh_history
- fish_history

System Shutdown/Reboot - Linux

Description

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Detection logic

condition: execve and (shutdowncmd or (init and initselection))
execve:
  type: EXECVE
init:
- init
- telinit
initselection:
- 0
- 6
shutdowncmd:
- shutdown
- reboot
- halt
- poweroff

Split A File Into Pieces - Linux

Description

Detection use of the command “split” to split files into parts and possible transfer.

Detection logic

condition: selection
selection:
  comm: split
  type: SYSCALL

Logging Configuration Changes on Linux Host

Description

Detect changes of syslog daemons configuration files

Detection logic

condition: selection
selection:
  name:
  - /etc/syslog.conf
  - /etc/rsyslog.conf
  - /etc/syslog-ng/syslog-ng.conf
  type: PATH

Auditing Configuration Changes on Linux Host

Description

Detect changes in auditd configuration files

Detection logic

condition: selection
selection:
  name:
  - /etc/audit/*
  - /etc/libaudit.conf
  - /etc/audisp/*
  type: PATH

Sample rules

Startup/Logon Script added to Group Policy Object

Description

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

Detection logic

(
 event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and
   winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and
                                      (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))
)
or
(
 event.code:5145 and winlog.event_data.ShareName:\\\\*\\SYSVOL and
   winlog.event_data.RelativeTargetName:(*\\scripts.ini or *\\psscripts.ini) and
   (message:WriteData or winlog.event_data.AccessList:*%%4417*)
)

Split A File Into Pieces

Description

Detection use of the command “split” to split files into parts and possible transfer.

Detection logic

condition: selection
selection:
  Image|endswith: /split

System Shutdown/Reboot - MacOs

Description

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Detection logic

condition: selection
selection:
  Image|endswith:
  - /shutdown
  - /reboot
  - /halt

Suspicious History File Operations

Description

Detects commandline operations on shell history files

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - .bash_history
  - .zsh_history
  - .zhistory
  - .history
  - .sh_history
  - fish_history

Access To ADMIN$ Network Share

Description

Detects access to ADMIN$ network share

Detection logic

condition: selection and not 1 of filter_*
filter_main_computer_account:
  SubjectUserName|endswith: $
selection:
  EventID: 5140
  ShareName: Admin$

User Added to Local Administrator Group

Description

Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_main_computer_accounts:
  SubjectUserName|endswith: $
selection_eid:
  EventID: 4732
selection_group:
- TargetUserName|startswith: Administr
- TargetSid: S-1-5-32-544

USB Device Plugged

Description

Detects plugged/unplugged USB devices

Detection logic

condition: selection
selection:
  EventID:
  - 2003
  - 2100
  - 2102

Suspicious History File Operations - Linux

Description

Detects commandline operations on shell history files

Detection logic

condition: execve and history
execve:
  type: EXECVE
history:
- .bash_history
- .zsh_history
- .zhistory
- .history
- .sh_history
- fish_history

System Shutdown/Reboot - Linux

Description

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Detection logic

condition: execve and (shutdowncmd or (init and initselection))
execve:
  type: EXECVE
init:
- init
- telinit
initselection:
- 0
- 6
shutdowncmd:
- shutdown
- reboot
- halt
- poweroff

Split A File Into Pieces - Linux

Description

Detection use of the command “split” to split files into parts and possible transfer.

Detection logic

condition: selection
selection:
  comm: split
  type: SYSCALL

Logging Configuration Changes on Linux Host

Description

Detect changes of syslog daemons configuration files

Detection logic

condition: selection
selection:
  name:
  - /etc/syslog.conf
  - /etc/rsyslog.conf
  - /etc/syslog-ng/syslog-ng.conf
  type: PATH

Auditing Configuration Changes on Linux Host

Description

Detect changes in auditd configuration files

Detection logic

condition: selection
selection:
  name:
  - /etc/audit/*
  - /etc/libaudit.conf
  - /etc/audisp/*
  type: PATH

Admin User Remote Logon

Description

Detect remote login by Administrator user (depending on internal pattern).

Detection logic

condition: selection
selection:
  AuthenticationPackageName: Negotiate
  EventID: 4624
  LogonType: 10
  TargetUserName|startswith: Admin