LoFP / legitimate administrator activity

Sample rules

PUA - SoftPerfect Netscan Execution

Description

Detects usage of SoftPerfect’s “netscan.exe”, an application for scanning networks. It is actively used in the wild by threat actors to inspect and understand the network architecture of a victim.

Detection logic

condition: selection
selection:
- Image|endswith: \netscan.exe
- Product: Network Scanner
- Description: Application for scanning networks

PUA - Nmap/Zenmap Execution

Description

Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.

Detection logic

condition: selection
selection:
- Image|endswith:
  - \nmap.exe
  - \zennmap.exe
- OriginalFileName:
  - nmap.exe
  - zennmap.exe

PUA - NimScan Execution

Description

Detects usage of NimScan, a portscanner utility. In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment. This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.

Detection logic

condition: selection
selection:
- Image|endswith: \NimScan.exe
- Hashes|contains:
  - IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C
  - IMPHASH=B1B6ADACB172795480179EFD18A29549
  - IMPHASH=0D1F896DC7642AD8384F9042F30279C2

PUA - RemCom Default Named Pipe

Description

Detects default RemCom pipe creation.

Detection logic

condition: selection
selection:
  PipeName|contains: \RemCom

PUA - CSExec Default Named Pipe

Description

Detects default CSExec pipe creation.

Detection logic

condition: selection
selection:
  PipeName|contains: \csexecsvc

ETW Logging/Processing Option Disabled On IIS Server

Description

Detects changes to the IIS server configuration that disable or remove the ETW logging/processing option.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_etw_added:
  NewValue|contains: ETW
selection:
  Configuration|endswith: '@logTargetW3C'
  EventID: 29
  OldValue|contains: ETW

Previously Installed IIS Module Was Removed

Description

Detects the removal of a previously installed IIS module.

Detection logic

condition: selection
selection:
  Configuration|contains: /system.webServer/modules/remove
  EventID: 29

New Module Added To IIS Server

Description

Detects the addition of a new module to an IIS server.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_builtin:
  NewValue:
  - AnonymousAuthenticationModule
  - CustomErrorModule
  - DefaultDocumentModule
  - DirectoryListingModule
  - FileCacheModule
  - HttpCacheModule
  - HttpLoggingModule
  - ProtocolSupportModule
  - RequestFilteringModule
  - StaticCompressionModule
  - StaticFileModule
  - TokenCacheModule
  - UriCacheModule
filter_main_remove:
  NewValue: ''
selection:
  Configuration|contains: /system.webServer/modules/add
  EventID: 29

OpenSSH Server Listening On Socket

Description

Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.

Detection logic

condition: selection
selection:
  EventID: 4
  payload|startswith: 'Server listening on '
  process: sshd

New File Exclusion Added To Time Machine Via Tmutil - MacOS

Description

Detects the addition of a new file or path exclusion to macOS Time Machine via the “tmutil” utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.

Detection logic

condition: all of selection_*
selection_cmd:
  CommandLine|contains: addexclusion
selection_img:
- Image|endswith: /tmutil
- CommandLine|contains: tmutil

Time Machine Backup Disabled Via Tmutil - MacOS

Description

Detects disabling of Time Machine (Apple’s automated backup utility software) via the native macOS backup utility “tmutil”. An attacker can use this to prevent backups from occurring.

Detection logic

condition: all of selection_*
selection_cmd:
  CommandLine|contains: disable
selection_img:
- Image|endswith: /tmutil
- CommandLine|contains: tmutil
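The rules on this page use three condition shapes: a plain `selection`, `selection and not 1 of filter_main_*` (the IIS module rule above), and `all of selection_*` (the two tmutil rules). The Python below is an added example, not code from the LoFP page or the Sigma project: it models the simplified Sigma semantics assumed here (a mapping ANDs its fields, a list of mappings ORs them, a list of values for one field ORs the values, and `endswith`/`startswith`/`contains` compare case-insensitively) and runs the netscan, IIS module and Time Machine exclusion rules over constructed events. Event field layouts, paths and the module name `ExampleModule` are constructed placeholders, not real telemetry.

```python
"""Small evaluator for the Sigma selection/condition shapes used on this page.

Added example, not the LoFP page's or Sigma's own code. The semantics are a
simplified assumption: real Sigma backends support many more modifiers.
"""


def _match_field(event: dict, key: str, expected) -> bool:
    """Match one 'Field|modifier: value(s)' entry; several values are OR'ed."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:  # field absent from the event: no match
        return False
    actual_l = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        value_l = str(value).lower()
        if modifier == "":
            hit = actual_l == value_l
        elif modifier == "endswith":
            hit = actual_l.endswith(value_l)
        elif modifier == "startswith":
            hit = actual_l.startswith(value_l)
        elif modifier == "contains":
            hit = value_l in actual_l
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if hit:
            return True
    return False


def match_selection(event: dict, selection) -> bool:
    """A list of mappings is OR'ed; the fields inside one mapping are AND'ed."""
    if isinstance(selection, list):
        return any(match_selection(event, item) for item in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def evaluate(rule: dict, event: dict) -> bool:
    """Evaluate the three condition forms that appear on this page."""
    cond = rule["condition"]
    named = {k: v for k, v in rule.items() if k != "condition"}
    if cond == "selection":
        return match_selection(event, named["selection"])
    if cond == "all of selection_*":
        return all(match_selection(event, v) for k, v in named.items()
                   if k.startswith("selection_"))
    if cond == "selection and not 1 of filter_main_*":
        filters = [v for k, v in named.items() if k.startswith("filter_main_")]
        return (match_selection(event, named["selection"])
                and not any(match_selection(event, f) for f in filters))
    raise ValueError(f"unsupported condition: {cond}")


# Rules from the page transcribed into Python structures.
NETSCAN = {"condition": "selection",
           "selection": [{"Image|endswith": "\\netscan.exe"},
                         {"Product": "Network Scanner"},
                         {"Description": "Application for scanning networks"}]}

IIS_MODULE_ADDED = {
    "condition": "selection and not 1 of filter_main_*",
    "selection": {"Configuration|contains": "/system.webServer/modules/add",
                  "EventID": 29},
    "filter_main_builtin": {"NewValue": [
        "AnonymousAuthenticationModule", "CustomErrorModule", "DefaultDocumentModule",
        "DirectoryListingModule", "FileCacheModule", "HttpCacheModule",
        "HttpLoggingModule", "ProtocolSupportModule", "RequestFilteringModule",
        "StaticCompressionModule", "StaticFileModule", "TokenCacheModule",
        "UriCacheModule"]},
    "filter_main_remove": {"NewValue": ""},
}

TMUTIL_EXCLUSION = {"condition": "all of selection_*",
                    "selection_cmd": {"CommandLine|contains": "addexclusion"},
                    "selection_img": [{"Image|endswith": "/tmutil"},
                                      {"CommandLine|contains": "tmutil"}]}

# Constructed sample events (placeholders, not real telemetry).
IIS_CFG = "/system.webServer/modules/add"
EVENTS = {
    "netscan_renamed": {"Image": "C:\\Temp\\svc.exe", "Product": "Network Scanner"},
    "unrelated_process": {"Image": "C:\\Windows\\System32\\notepad.exe"},
    "builtin_module_readded": {"EventID": 29, "Configuration": IIS_CFG,
                               "NewValue": "StaticFileModule"},
    "unknown_module_added": {"EventID": 29, "Configuration": IIS_CFG,
                             "NewValue": "ExampleModule"},
    "empty_module_value": {"EventID": 29, "Configuration": IIS_CFG, "NewValue": ""},
    "tmutil_exclusion": {"Image": "/usr/bin/tmutil",
                         "CommandLine": "tmutil addexclusion /Users/example/data"},
    "tmutil_listing": {"Image": "/usr/bin/tmutil", "CommandLine": "tmutil listbackups"},
}


def run_demo() -> dict:
    """Return which constructed events each transcribed rule fires on."""
    return {
        "netscan_renamed": evaluate(NETSCAN, EVENTS["netscan_renamed"]),
        "unrelated_process": evaluate(NETSCAN, EVENTS["unrelated_process"]),
        "builtin_module_readded": evaluate(IIS_MODULE_ADDED, EVENTS["builtin_module_readded"]),
        "unknown_module_added": evaluate(IIS_MODULE_ADDED, EVENTS["unknown_module_added"]),
        "empty_module_value": evaluate(IIS_MODULE_ADDED, EVENTS["empty_module_value"]),
        "tmutil_exclusion": evaluate(TMUTIL_EXCLUSION, EVENTS["tmutil_exclusion"]),
        "tmutil_listing": evaluate(TMUTIL_EXCLUSION, EVENTS["tmutil_listing"]),
    }


if __name__ == "__main__":
    for name, fired in run_demo().items():
        print(f"{name:24s} -> {'ALERT' if fired else 'no match'}")
```

The `netscan_renamed` case is why the netscan rule lists three single-field mappings rather than one mapping: the OR lets a renamed binary still match on its `Product` metadata, while the AND inside the IIS selection keeps `EventID` and the configuration path bound together. When tuning these rules for legitimate administrator activity, the `filter_main_*` pattern is the place to add known-good values (for example an approved module name) rather than loosening the selection itself.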