LoFP LoFP / likely

Techniques

Sample rules

New PowerShell Instance Created

Description

Detects the execution of PowerShell via the creation of a named pipe starting with PSHost

Detection logic

condition: selection
selection:
  PipeName|startswith: \PSHost

DNS Server Discovery Via LDAP Query

Description

Detects DNS server discovery via LDAP query requests from uncommon applications

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_defender:
  Image|contains: :\ProgramData\Microsoft\Windows Defender\Platform\
  Image|endswith: \MsMpEng.exe
filter_main_generic:
  Image|contains:
  - :\Program Files\
  - :\Program Files (x86)\
  - :\Windows\
filter_main_null:
  Image: null
filter_main_unknown:
  Image: <unknown process>
filter_optional_azure:
  Image|startswith: C:\WindowsAzure\GuestAgent
filter_optional_browsers:
  Image|endswith:
  - \chrome.exe
  - \firefox.exe
  - \opera.exe
selection:
  QueryName|startswith: _ldap.

PowerShell Module File Created

Description

Detects the creation of a new PowerShell module “.psm1”, “.psd1”, “.dll”, “.ps1”, etc.

Detection logic

condition: selection
selection:
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  TargetFilename|contains:
  - \WindowsPowerShell\Modules\
  - \PowerShell\7\Modules\

Potential Defense Evasion Via Raw Disk Access By Uncommon Tools

Description

Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts

Detection logic

condition: not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_floppy:
  Device|contains: floppy
filter_main_generic:
  Image|contains:
  - :\$WINDOWS.~BT\
  - :\Program Files (x86)\
  - :\Program Files\
  - :\Windows\CCM\
  - :\Windows\explorer.exe
  - :\Windows\servicing\
  - :\Windows\SoftwareDistribution\
  - :\Windows\System32\
  - :\Windows\SystemApps\
  - :\Windows\uus\
  - :\Windows\WinSxS\
filter_main_microsoft_appdata:
  Image|contains|all:
  - :\Users\
  - \AppData\
  - \Microsoft\
filter_main_null:
  Image: null
filter_main_ssd_nvme:
  Image|contains: :\Windows\Temp\
  Image|endswith:
  - \Executables\SSDUpdate.exe
  - \HostMetadata\NVMEHostmetadata.exe
filter_main_system_images:
  Image:
  - Registry
  - System
filter_main_systemsettings:
  Image|endswith: :\Windows\ImmersiveControlPanel\SystemSettings.exe
filter_main_windefender:
  Image|contains: :\ProgramData\Microsoft\Windows Defender\Platform\
  Image|endswith: \MsMpEng.exe
filter_optional_Keybase:
  Image|contains: \AppData\Local\Keybase\upd.exe
filter_optional_github_desktop:
  Image|contains: \AppData\Local\GitHubDesktop\app-
  Image|endswith: \resources\app\git\mingw64\bin\git.exe
filter_optional_nextron:
  Image|contains: :\Windows\Temp\asgard2-agent\
  Image|endswith: \thor.exe

Compressed File Creation Via Tar.EXE

Description

Detects execution of “tar.exe” in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.

Detection logic

condition: all of selection_*
selection_create:
  CommandLine|contains:
  - -c
  - -r
  - -u
selection_img:
- Image|endswith: \tar.exe
- OriginalFileName: bsdtar

File And SubFolder Enumeration Via Dir Command

Description

Detects usage of the “dir” command part of Widows CMD with the “/S” command line flag in order to enumerate files in a specified directory and all subdirectories.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|windash: dir*-s
selection_cmd:
- Image|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe

Compressed File Extraction Via Tar.EXE

Description

Detects execution of “tar.exe” in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.

Detection logic

condition: all of selection_*
selection_extract:
  CommandLine|contains: -x
selection_img:
- Image|endswith: \tar.exe
- OriginalFileName: bsdtar

External Disk Drive Or USB Storage Device Was Recognized By The System

Description

Detects external disk drives or plugged-in USB devices.

Detection logic

condition: all of selection_*
selection_eid:
  EventID: 6416
selection_field:
- ClassName: DiskDrive
- DeviceDescription: USB Mass Storage Device

Locked Workstation

Description

Detects locked workstation session events that occur automatically after a standard period of inactivity.

Detection logic

condition: selection
selection:
  EventID: 4800

PowerShell Script Execution Policy Enabled

Description

Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000001)
  TargetObject|endswith: \Policies\Microsoft\Windows\PowerShell\EnableScripts

New ODBC Driver Registered

Description

Detects the registration of a new ODBC driver.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_sqlserver:
  Details: '%WINDIR%\System32\SQLSRV32.dll'
  TargetObject|contains: \SQL Server\
filter_optional_office_access:
  Details|endswith: \ACEODBC.DLL
  Details|startswith: C:\Progra
  TargetObject|contains: '\Microsoft Access '
filter_optional_office_excel:
  Details|endswith: \ACEODBC.DLL
  Details|startswith: C:\Progra
  TargetObject|contains: \Microsoft Excel Driver
selection:
  TargetObject|contains: \SOFTWARE\ODBC\ODBCINST.INI\
  TargetObject|endswith: \Driver

System Information Discovery - Auditd

Description

Detects System Information Discovery commands

Detection logic

condition: 1 of selection_*
selection_1:
  name:
  - /etc/lsb-release
  - /etc/redhat-release
  - /etc/issue
  type: PATH
selection_2:
  a0:
  - uname
  - uptime
  - lsmod
  - hostname
  - env
  type: EXECVE
selection_3:
  a0: grep
  a1|contains:
  - vbox
  - vm
  - xen
  - virtio
  - hv
  type: EXECVE
selection_4:
  a0: kmod
  a1: list
  type: EXECVE