attack.t1569.002

RunXCmd Tool Execution As System
level
status experimental

Detects the use of RunXCmd tool for command execution

NSudo Tool Execution As System
level
status experimental

Detects the use of NSudo tool for command execution

NirCmd Tool Execution As LOCAL SYSTEM
level
status experimental

Detects the use of the NirCmd tool for command execution as the SYSTEM user

NirCmd Tool Execution
level
status experimental

Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity

Remote Server Service Abuse for Lateral Movement
level
status experimental

Detects remote RPC calls that may abuse the remote encryption service via MS-EFSR

DNS Events Related To Mining Pools
level
status experimental

Identifies clients that may be performing DNS lookups associated with common currency mining pools.

DNS RCE CVE-2020-1350
level
status test

Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting a suspicious sub-process

PSExec and WMI Process Creations Block
level
status experimental

Detects blocking of process creations originating from PSExec and WMI commands

Service Execution
level
status test

Detects manual service execution (start) via system utilities.

PsExec Service Start
level
status test

Detects a PsExec service start

smbexec.py Service Installation
level
status test

Detects the use of the smbexec.py tool by detecting its characteristic service installation

PsExec Tool Execution
level
status experimental

Detects PsExec service installation and execution events (service and Sysmon)

Rundll32 Without Parameters
level
status experimental

Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module

ProcessHacker Privilege Elevation
level
status experimental

Detects the ProcessHacker tool elevating its privileges to a very high level

PowerShell Scripts Installed as Services
level
status experimental

Detects a PowerShell script installed as a service

PowerShell as a Service in Registry
level
status experimental

Detects PowerShell code written to the registry as a service.

MITRE BZAR Indicators for Execution
level
status test

Detects Windows DCE-RPC functions that indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

Credential Dumping Tools Service Execution
level
status experimental

Detects well-known credential dumping tools execution via service execution events

CobaltStrike Service Installations in Registry
level
status experimental

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement. The same activity can also be caught via System log event 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml). In some SIEMs these events can also be caught under HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services; however, this rule is based on regular Sysmon events.

CobaltStrike Service Installations
level
status experimental

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
