The following table lists the prebuilt supported correlation rules.
| Rule Name | Description | Use Case | MITRE tactics | Severity |
|---|---|---|---|---|
| Disable windows recovery mode with bcdedit ⚠ Overlaps with Advanced Analytics rule. |
Automatic windows recovery features have been disabled by modifying boot configuration | Ransomware | Impact | 2 |
| NTDS copied from shadow copy with a command. | A shadowcopy command was used to change the location of the NTDS database via copy.exe process. This is usually a sign of attempting to do a NTDS credentials dump. | Compromised Credentials | Credential Access | 3 |
| Disable UAC via the registry | User access control(UAC) has been disabled by modifying the corresponding registries | Privilege Escalation | Privilege Escalation | 2 |
| Arbitrary command assigned to a file association via the registry | Arbitrary command was assigned to a file association via the registry. Attackers can modify the command key values and cause arbitrary commands to execute during file access. | Privilege Escalation | Privilege Escalation | 2 |
| AWS CloudWatch log stream deleted | Attackers can delete AWS CloudWatch streams to stop logs from being sent to those streams, thus removing evidence of their presence in the system. | Audit Tampering | Defense Evasion | 1 |
| User added to sensitive active directory group | A user has been added to a sensitive active directory group | Account Manipulation | Persistence | 3 |
| SA-Src-Port - daily summary. | 4 or more src port for a day for share access events, indicates potential attempts to evade detection or unauthorized resource access. | Privilege Escalation | Privilege Escalation, Discovery | 3 |
| File added to the active setup registry key with the registry command tool | Active Setup is a Windows mechanism that is used to execute programs when a user logs in. Attacker can change the program list via the registry, gaining persistency by causing their own malicious programs to be executed at a logon. | Malware | Persistence | 1 |
| Modify RDP local port number through registry | Remote Desktop Protocol (RDP) local port has been modified via registry | Lateral Movement | Lateral Movement | 1 |
| Base64 encoded data with PowerShell in the command line ⚠ Overlaps with Advanced Analytics rule. |
Base64 is a basic encoding that can be used with PowerShell to edit malicious files. Encoded data can be used by attackers to hide their presence in the system and sneak by scans security services. | Evasion | Defense Evasion | 2 |
| XDG file edited | An XDG file has been edited which could indicate malware persistence | Malware | Persistence | 1 |
| UBA: Internet settings modified. | Internet settings were modified on the system. Modifying settings can allow attackers to gain unauthorized access to our computer or network. | Discovery | Discovery | 1 |
| SilentCleanup UAC bypass by manually activating the SilentCleanup task. | UAC bypass SilentCleanup was performed by manually activating the SilentCleanup task. The attacker abused the silentcleanup task schedule to gain high privilege execution bypassing the User control account. | Privilege Escalation | Privilege Escalation | 1 |
| Audit log has been cleared | An audit log has been cleared which could be an indication of defense evasion. | Audit Tampering | Defense Evasion | 2 |
| Shutdown UFC | The UFC (Uncomplicated Firewall) can be disabled through the command line, enabling potentially malicious network communications to be allowed into and out of the endpoint. | Evasion | Defense Evasion | 1 |
| NTDS copied from shadow copy. ⚠ Overlaps with Advanced Analytics rule. |
A shadowcopy command was used to change the location of the NTDS database via file activity. This activity may be an attempt at credential dumping. | Compromised Credentials | Credential Access | 3 |
| Azure event hub deleted. | Azure event hub was deleted. Attackers can delete Azure event hubs to stop logs from being sent to those hubs, thus removing evidence of their presence in the system. | Audit Tampering | Defense Evasion | 2 |
| IIS HTTP logging was disabled | IIS HTTP logging was disabled using command prompt. This can stop HTTP logs from being recorded by the server and allow for defense evasion and impaired defenses. | Audit Tampering | Defense Evasion | 1 |
| RC script file written. | RC scripts are script files that are used by the Unix system to manage custom services are are executed during startup. Attackers can modify these files (named 'rc.local' and 'rc.common') to gain persistency on in the system and cause malicious code to execute automatically. | Malware | Persistence | 1 |
| Lsass process dump | LSASS can store credentials and the memory can be dumped to harvest encrypted or plaintext passwords. | Compromised Credentials | Credential Access | 4 |
| Setup UAC bypass by modifying MS settings shell configuration in the registry with registry command tool | User access control(UAC) bypass has been set up by modifying MS settings shell configuration in the registry with registry command tool | Privilege Escalation | Privilege Escalation | 3 |
| Sensitive database copy with esentutl.exe | Sensitive database copy with esentutl.exe. | Compromised Credentials | Credential Access | 3 |
| High USB denials. | The user has high USB denials. | Data Exfiltration | Exfiltration | 2 |
| MMC Dll hijacking and UAC bypass via COR_PROFILER registry modification with the registry command tool | MMC Dll hijacking and UAC bypass via COR_PROFILER registry modification with the registry command tool. | Privilege Escalation | Privilege Escalation | 3 |
| UAC bypass via event viewer | User access control(UAC) bypass has been set up using event viewer | Privilege Escalation | Privilege Escalation | 1 |
| User added to a sensitive active directory group with net command | A user has been added to a sensitive active directory group using net command | Account Manipulation | Persistence | 3 |
| PsExec targeting remote endpoint | Using PsExec to access windows admin shares and move laterally through the network | Lateral Movement | Lateral Movement | 2 |
| Windows Defender service was disabled using the service console | The Windows Defender service was disabled using the service console. This causes all Defender operations to stop which could be an indication of defense evasion and impaired defenses. | Evasion | Defense Evasion | 2 |
| Hide users from the login screen by modifying the registry. ⚠ Overlaps with Advanced Analytics rule. |
The UserList registry key can be modified to hide specific users from the windows login screen, hiding the presence of malicious user accounts in the system. | Evasion | Defense Evasion | 1 |
| Passwd or Shadow file unshadowed. | Passwd or Shadow file was unshadowed. The Unshadow tool combines user account details and user's password details. | Compromised Credentials | Credential Access | 4 |
| Windows Defender service was disabled from booting by registry modification | The Windows Defender service was disabled from booting by modifying the registry to enable the 'DisableAntiSpyware' registry value. This causes all Defender operations to stop which could be an indication of defense evasion and impaired defenses. | Evasion | Defense Evasion | 2 |
| Powershell targeting remote endpoint | Using Windows Remote Management(WinRM) via Powershell to access remote endpoints | Lateral Movement | Lateral Movement | 1 |
| Windows logon script added to the registry with the registry command tool | The 'UserInitLogonScript' is a registry key that stores initialization scripts intended to execute when a user logins. Attackers can insert their own malicious script to this key, gaining persistence on the system. | Malware | Malware | 2 |
| Modify an ETW with logman.exe | ETWs (event tracing for Windows) are logging components that audit events for applications and services such as Microsoft Defender, PowerShell, and other event viewer logs. By executing the log manager process (logman.exe), attackers can disable any ETW, stopping logs from being audited and allowing them to sneak by detections. | Evasion | Defense Evasion | 1 |
| File added to port monitor registry key | A file has been added to port monitor registry key which could indicate malware persistence | Malware | Persistence | 2 |
| UAC bypass by masquerading trusted directories | User access control (UAC) bypass was setup by masquerading trusted directories which could be indication of elevation abuse and privilege escalation. | Privilege Escalation | Privilege Escalation | 2 |
| Add an 'allow' rule in Microsoft Defender firewall | The command line tool netsh.exe allows attackers do create Microsoft Defender firewall network rules, possibly enabling potentially malicious network communications to be allowed into and out of the endpoint. | Evasion | Defense Evasion | 1 |
| Edge login data file database access | User is trying to access encrypted credentials from Microsoft Edge browser | Compromised Credentials | Credential Access | 2 |
| Scheduled task creation on remote endpoint ⚠ Overlaps with Advanced Analytics rule. |
User created a scheduled task on a remote endpoint | Lateral Movement | Lateral Movement | 1 |
| Lsass process dump with rundll minidump library | LSASS can store credentials and the memory can be dumped to harvest encrypted or plaintext passwords. | Compromised Credentials | Credential Access | 4 |
| Sweep scan activity. ⚠ Overlaps with Advanced Analytics rule. |
Abnormal for asset to access 20 assets in 10 minutes. This may be an indication of sweep scan across the internal assets and hence noteworthy. | Discovery | Discovery | 2 |
| Scheduled task distribution through a GPO | Group policy objects(GPOs) are domain policies that can affect the configuration of endpoints and users. Attackers can modify the GPO to create and distribute malicious scheduled tasks that will execute on domain machines. | Privilege Escalation | Privilege Escalation | 2 |
| Windows system backup deletion with wbadmin | Windows system backup has been deleted using wbadmin | Ransomware | Impact | 2 |
| User added to local admin windows group with the net command | A user has been added to local admin windows group using net command | Account Manipulation | Persistence | 2 |
| Windows event viewer log disabled by modifying the audit policy using the audit policy CLI | Windows event logs can be disabled by attackers to limit the information that's being recorded by the system and used for detections. One way to achieve this is by using the 'auditpol.exe', which can directly disable or limit important event logs such as security. | Audit Tampering | Lateral Movement | 3 |
| AWS logging trail was deleted | A AWS logging trail was deleted which could be an indication of defense evasion. | Audit Tampering | Defense Evasion | 2 |
| Opera login data file database access | User is trying to access encrypted credentials from Opera browser | Compromised Credentials | Credential Access | 2 |
| Sysmon driver was unloaded using the minifilter management console ⚠ Overlaps with Advanced Analytics rule. |
A Sysmon driver was unloaded with the minifilter management console. This can cause Sysmon to stop functioning or from auditing logs which could be an indication of impaired defenses and defense evasion. | Audit Tampering | Defense Evasion | 2 |
| UBA: Kerberos account enumeration detected. | Requesting Kerberos authentication tickets using multiple user names from the same source IP is an indication of Kerberos account enumeration. | Abnormal Authentication Access | Credential Access | 2 |
| WMI targeting remote endpoint | User logged on to a remote endpoint using Windows Management Instrumentation (WMI) | Lateral Movement | Lateral Movement | 1 |
| SCF file created on a network share ⚠ Overlaps with Advanced Analytics rule. |
User created an scf file in a network share | Compromised Credentials | Credential Access | 2 |
| DLL added to authentication package registry key with registry command tool | A dll has been added to authentication package registry key using registry command tool which could indicate malware persistence | Malware | Persistence | 2 |
| UBA: Multiple failed VPN login attempts from a single IP. | Multiple failed login attempts were detected from a single IP address via VPN accounts, which indicates brute-force attack. | Brute Force Attack | Credential Access | 3 |
| Allow RDP locally with netsh | Local Remote Desktop Protocol (RDP) port has been enabled using netsh command | Lateral Movement | Lateral Movement | 1 |
| Failed attempt to load an LSA plugin due to LSA protection | An LSA plugin attempt was made which could indicate malware persistence. However the attempt failed due to LSA protection. | Malware | Persistence | 1 |
| Windows event viewer was cleared using event viewer utility ⚠ Overlaps with Advanced Analytics rule. |
Windows event viewer was cleared using the Windows event viewer utility which could be an indication of defense evasion. | Audit Tampering | Defense Evasion | 2 |
| Recycle bin autostart persistence via registry modification | Recycle bin registry object has been modified which could indicate malware persistence | Malware | Persistence | 2 |
| Shadow copy creation with WMI. ⚠ Overlaps with Advanced Analytics rule. |
A Shadow Copy was created using operating systems utilities via the wmic.exe which could indicate possible credential theft. This process can be considered normal behavior but it is still notable to track such activity. | Compromised Credentials | Credential Access | 2 |
| System restore disabled through the registry with the registry command tool | System restore disabled through the registry with the registry command tool. | Ransomware | Impact | 2 |
| Bitsadmin remote download. | User downloaded BITSAdmin tool remotely. BITS jobs could be used for persisting or evading detection after executing malicious payloads. | Evasion | Defense Evasion | 1 |
| Recycle bin autostart persistence via registry modification with registry command tool | Recycle bin registry object has been modified using registry command tool which could indicate malware persistence | Malware | Persistence | 2 |
| Setup UAC bypass by modifying MSC shell configuration in the registry with registry command tool | User access control(UAC) bypass been set up by modifying MSC shell configuration in the registry using registry command tool | Privilege Escalation | Privilege Escalation | 3 |
| Disable Microsoft Defender firewall in the registry with the registry command tool. | Microsoft Defender firewall in the registry was disabled via the registry command tool. The Defender firewall registry value 'EnableFirewall' allows attackers to disable the Microsoft Defender firewall by setting it to 0, enabling potentially malicious network communications to be allowed into and out of the endpoint. | Evasion | Defense Evasion | 2 |
| Native windows network sniffing with netsh | Native windows network sniffing with netsh was performed which could be an indicator of credentials being compromised. | Compromised Credentials | Credential Access | 1 |
| User sent large amount of emails | A large amount of outgoing emails was sent by user. This is notable because email protocol can be leveraged in this manner by malicious actors to exfiltrate data. | Data Leak | Exfiltration | 2 |
| File added to the active setup registry key | Active Setup is a Windows mechanism that is used to execute programs when a user logs in. Attacker can change the program list via the registry, gaining persistency by causing their own malicious programs to be executed at a logon. | Malware | Persistence | 1 |
| Bitsadmin remote download with powershell. | User downloaded BITSAdmin tool remotely using Powershell. BITS jobs could be used for persisting or evading detection after executing malicious payloads. | Evasion | Defense Evasion | 1 |
| ETW session disabled through the autorlogger registry path. | ETWs (event tracing for Windows) are logging components that audit events for applications and services such as Microsoft Defender, PowerShell, and other event viewer logs. By modifying keys under the 'AutoLogger' registry path, attackers can disable any ETW, stopping logs from being audited and allowing them to sneak by detections. | Evasion | Defense Evasion | 1 |
| Windows event viewer log disabled with Windows event viewer utility ⚠ Overlaps with Advanced Analytics rule. |
The Windows event viewer log was disabled using the Windows event viewer utility which can disable or limit important events logs such as security. This can limit information recorded by the system and could be an indication of defense evasion and impaired defenses. | Audit Tampering | Defense Evasion | 3 |
| UBA: Netcat process detected. | The netcat process was detected on a system. This can allow attackers to steal sensitive data from untrusted clients over the network. | Ransomware | Impact | 2 |
| Hide a file with setfile. ⚠ Overlaps with Advanced Analytics rule. |
The 'setfile' unix process can be used to make files hidden by modifying their attributes, making sure they remain undetected by users. | Evasion | Defense Evasion | 1 |
| Granting file permissions using 'icacls.exe' ⚠ Overlaps with Advanced Analytics rule. |
Attackers can use the 'icacls.exe' process to grant themselves permissions to desired directories and files, effectively disabling and evading ACLs and getting full control over the data. | Evasion | Defense Evasion | 1 |
| Setup UAC bypass by modifying sdclt.exe related shell configuration in the registry | User access control (UAC) bypass was setup by modifying sdclt.exe related shell configuration in the registry which could be indication of elevation abuse and privilege escalation. | Privilege Escalation | Privilege Escalation | 2 |
| Passwd or Shadow file read. | Passwd or Shadow file was read. This file stores essential information about the users on the system. | Compromised Credentials | Credential Access | 2 |
| Startup folder location changed via registry modification | The location of startup folder was changed via registry modification which could indicate malware persistence | Malware | Persistence | 2 |
| Failed logins to multiple endpoints for this user. | Failed logins have been observed to more than 10 unique destination endpoints for this user. These event suggests a potential brute-force attack or credential stuffing attempt. | [Brute Force Attack, lateral Movement](UseCases/uc_brute_force_attack, lateral_movement.md) | Credential Access | 3 |
| SilentCleanup UAC bypass by windir registry modification with the registry command tool | User access control(UAC) bypass has been set up by modifying the windir registry with the registry command tool. Bypassing UAC can be used to elevate privileges. | Privilege Escalation | Privilege Escalation | 3 |
| Windows event viewer service disabled using the service console | Windows event logs can be disabled by attackers to limit the information that's being recorded by the system and used for detections. One way to achieve this is by directly shutting down the event logging service, causing event viewer auditing operation to stop. | Audit Tampering | Defense Evasion | 3 |
| DLL added to authentication package registry key | A dll has been added to authentication package registry key which could indicate malware persistence | Malware | Persistence | 2 |
| Disable powershell command history | PowerShell automatically records command history and stores them in a system file. This configuration can be disabled with PowerShell command, allowing malicious command to avoid being tracked by the program. | Evasion | Defense Evasion | 1 |
| File added to registry run key | A file has been added to registry run key which could indicate malware persistence | Malware | Persistence | 2 |
| GCP bucket that contains logs was deleted. | A GCP bucket containing logs was deleted which could be an indication of defense evasion. | Audit Tampering | Defense Evasion | 2 |
| File added to print processors registry key with registry command tool | A file has been added to print processors registry key using registry command tool which could indicate malware persistence | Malware | Persistence | 2 |
| Large amount of failed connections from a user per app ⚠ Overlaps with Advanced Analytics rule. |
An application has received a large amount of failed login attempts from a single user. This could indicate a brute force password guessing attack is taking place. | Brute Force Attack | Credential Access | 3 |
| Setup UAC bypass by modifying MS settings shell configuration in the registry | User access control (UAC) bypass was setup by modifying MS settings shell configurations in the registry which could be indication of elevation abuse and privilege escalation. | Privilege Escalation | Privilege Escalation | 2 |
| Windows logon script added to the registry. | The 'UserInitLogonScript' is a registry key that stores initialization scripts intended to execute when a user logs in. Attackers can insert their own malicious script to this key, gaining persistence on the system. | Malware | Malware | 2 |
| Installation of a password filter DLL via the notification packages registry | A password filter DLL was installed via the notification packages registry. Attacks can use these password filters to get credentials from computers or domains. | Compromised Credentials | Credential Access | 2 |
| Disable history collection in Unix | History collection can be disabled in unix shells by modifying the history environment variables. With the history disabled, attackers can perform malicious commands that will not be tracked by the collector. | Evasion | Defense Evasion | 1 |
| Windows Defender service was stopped using the service console | The Windows Defender service was stopped using the service console. This causes all Defender operations to stop which could be an indication of defense evasion and impaired defenses. | Evasion | Defense Evasion | 2 |
| Create symbolic link for a shadow copy using mklink.exe ⚠ Overlaps with Advanced Analytics rule. |
Attacker can create symbolic link to shadow copy and used this symbolic link for access files in the shadow copy including sensitive files , System Boot Key and browser offline credentials. | Compromised Credentials | Credential Access | 2 |
| Windows event viewer audit policy reverted to default state using the audit policy CLI | Windows event logs can be disabled by attackers to limit the information that's being recorded by the system and used for detections. One way to achieve this is by using the 'auditpol.exe', which can clear the logging policy, stopping critical logs there were enabled beforehand from being recorded by the event viewer. | Audit Tampering | Defense Evasion | 1 |
| Sysmon service was stopped using the service console | Sysmon service was stopped using the service console. This can stop auditing logs from being recorded which could be an indication of defense evasion and impaired defenses. | Audit Tampering | Defense Evasion | 2 |
| User added to local admin windows group | A user has been added to local admin windows group | Account Manipulation | Persistence | 2 |
| Failed logins to multiple endpoints from this endpoint. | Failed logins have been observed to more than 10 unique destination endpoints from this endpoint. These events may indicate a brute-force attack or network reconnaissance. | [Brute Force Attack, lateral Movement](UseCases/uc_brute_force_attack, lateral_movement.md) | Credential Access | 3 |
| Disable Microsoft Defender firewall with powershell | The PowerShell command “Set-NetFirewallProfile” allows attackers do disable the Microsoft Defender firewall, enabling potentially malicious network communications to be allowed into and out of the endpoint. | Evasion | Evasion | 2 |
| AWS CloudWatch log group deleted | Attackers can delete AWS CloudWatch groups to stop logs from being sent to those groups, thus removing evidence of their presence in the system. | Audit Tampering | Defense Evasion | 1 |
| File added to winlogon helper dll autorun registry key with registry command tool ⚠ Overlaps with Advanced Analytics rule. |
A file has been added to winlogon helper dll autorun registry key using registry command tool which could indicate malware persistence | Malware | Persistence | 2 |
| Remove an ETW through PowerShell | ETWs (event tracing for Windows) are logging components that audit events for applications and services such as Microsoft Defender, PowerShell, and other event viewer logs. By calling the PowerShell function 'Remove-EtwTraceProvider', attackers can disable any ETW, stopping logs from being audited and allowing them to sneak by detections. | Evasion | Defense Evasion | 1 |
| Bit job creation. | User created a bit job. BITS jobs could be used for persisting or evading detection after executing malicious payloads. | Evasion | Defense Evasion | 1 |
| User added to RDP users windows group with net command | A user has been added to RDP users windows group using net command | Account Manipulation | Persistence | 2 |
| DLL added to security packages registry key with registry command tool | A dll has been added to security packages registry key using registry command tool which could indicate malware persistence | Malware | Persistence | 3 |
| Large number of failed logons to an application by user | A user has large number of failed login attempts to an application indicating a brute force password guessing attack | Brute Force Attack | Credential Access | 3 |
| Disable .Net ETW through the registry with the registry command tool. | The .NET framework maintains an ETW (event tracing for Windows) component that logs .NET related events. Disabling it through the 'ETWEnabled' registry value allows attackers to sneak by .NET detections. | Evasion | Defense Evasion | 2 |
| File association changed with 'assoc.exe' | File association was changed with 'assoc.exe'. Attackers can change the association of a file to cause execution of malicious code upon opening a normal file. | Privilege Escalation | Privilege Escalation | 1 |
| Enable WinRM with powershell | WinRM was enabled using powershell. Windows Remote Management (WinRM) allows users to interact with remove systems to run executables or modify services. It can be leverages by adversaries to act as a logged-on user. | Lateral Movement | Lateral Movement | 0 |
| UBA: Attempts bruteforce authentication. | A user has a large number of failed login attempts, indicates a brute force attack. | Brute Force Attack | Credential Access | 3 |
| UBA: Multiple VPN logins from single IP. | Multiple VPN login attempts were detected from a single IP address within a specific time frame. | Compromised Credentials | Credential Access | 2 |
| Windows Defender service was stopped | The Windows Defender service stopped causing all Defender operations to stop which could be an indication of defense evasion and impaired defenses. | Evasion | Defense Evasion | 2 |
| Bitsadmin 'setnotifycmdline' persistent task executed. | Bitsadmin setmodifycmdline persistence task was executed. Actors can use the BITS SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system. | Evasion | Defense Evasion, Persistence | 1 |
| 10 failed web access domains for user. ⚠ Overlaps with Advanced Analytics rule. |
User failed to access the web 10 times. It possibly pointing to network issues or unauthorized activity. | Compromised Credentials | Command and Control | 3 |
| Disable Windows Defender ETW through the registry. | Windows Defender maintains an ETW (event tracing for Windows) component that logs security event for the Defender application. Disabling it through the 'WINEVT' registry path hinders Defender's capabilities and allows attackers to sneak by its detections. | Evasion | Defense Evasion | 2 |
| Disable windows crash dumps through the registry with the registry command tool. | Windows crash dumps was disable through the registry via the registry command tool. Crash dumps are created whenever the system experiences a crash, and contain a dump of the its memory. Attackers can disable crash dumps through the 'CrashDumpEnabled' registry value, thus making sure no traces are left when or if a crash will occurs. | Evasion | Defense Evasion | 1 |
| DLL added to time providers registry key with registry command tool | A dll has been added to time providers registry key using registry command tool which could indicate malware persistence | Malware | Persistence | 2 |
| Setup UAC bypass by modifying MSC shell configuration in the registry | User access control(UAC) bypass been set up by modifying MSC shell configuration in the registry | Privilege Escalation | Privilege Escalation | 2 |
| Firefox login data file database access | User is trying to access encrypted credentials from Firefox browser | Compromised Credentials | Credential Access | 2 |
| Login with remote command tools | User logged on to a remote endpoint using remote command tools | Lateral Movement | Lateral Movement | 1 |
| Large number of failed logons to a host by user | A user has large number of failed login attempts to a host indicating a brute force password guessing attack | Brute Force Attack | Credential Access | 3 |
| GCP instance logon script creation ⚠ Overlaps with Advanced Analytics rule. |
GCP instances can be assigned a logon script from the compute service by modifying the metadata keys of an instance. Attackers can leverage this feature to include their own malicious script and gain elevated permissions and persistency on the instance. | Malware | Persistence , Privilege Escalation | 2 |
| Bitsadmin remote download with powershell via the command line ⚠ Overlaps with Advanced Analytics rule. |
User downloaded BITSAdmin tool remotely using Powershell. BITS jobs could be used for persisting or evading detection after executing malicious payloads. | Evasion | Defense Evasion | 2 |
| Sysmon service was stopped. | Sysmon service was stopped. This can stop auditing logs from being recorded which could be an indication of defense evasion and impaired defenses. | Audit Tampering | Defense Evasion | 2 |
| Large amount of outgoing emails sent to a single user | A large amount of outgoing emails was sent to a single user which could be an indication of data exfiltration. | Data Leak | Exfiltration | 2 |
| DLL added to security packages registry key | A dll has been added to security packages registry key which could indicate malware persistence | Malware | Persistence | 3 |
| SAM copied from shadow copy | A Security Accounts Manager(SAM) was copied from a shadow copy. SAM tables contain password hashes of users on the system and can be used in credential dumps to avoid file access defenses. | Compromised Credentials | Credential Access | 3 |
| Sysmon was uninstalled. | Sysmon was uninstalled. This stops auditing logs from being recorded which could be an indication of impaired defenses and defense evasion. | Audit Tampering | Defense Evasion | 1 |
| Bitsadmin persistency setup with setnotifycmdline | User setup Bitsadmin persistency using setnotifycmdline. BITS jobs could be used for persisting or evading detection after executing malicious payloads. | Evasion | Defense Evasion | 2 |
| High number of critical commands executed by a new user in a sequence - daily summary. ⚠ Overlaps with Advanced Analytics rule. |
A relatively new user has executed at least 10 critical Windows commands in a sequence. This is similar to an attacker gaining a foothold on a victim machine, and could indicate an attacker on the network. | Malware | Execution | 3 |
| File added to winlogon helper dll autorun registry key | A file has been added to winlogon helper dll autorun registry key which could indicate malware persistence | Malware | Persistence | 2 |
| Domain controller SPN added to an endpoint object ⚠ Overlaps with Advanced Analytics rule. |
A new active directory object has been created indicating a brand new domain controller. When this occurs, all active directory information and secrets are copied to the new domain controller. This is notable as the specific events observed do not occur regularly. | Compromised Credentials | Credential Access | 2 |
| Process execution from an ADS | Alternate Data Streams (ADS) are a windows file system attribute that can be used to store hidden information inside a seemingly regular file. Attackers can use data streams to hide and execute malware. | Evasion | Defense Evasion | 3 |
| File added to print processors registry key | A file has been added to print processors registry key which could indicate malware persistence | Malware | Persistence | 2 |
| UBA: User access from multiple hosts. | A single user logged in from multiple devices. | Lateral Movement | Lateral Movement | 1 |
| CrowdStrike Falcon uninstallation process was initiated | The CrowdStrike Falcon uninstallation process was initiated. This can disable the EDR defenses on the system which could be an indication of defense evasion and impaired defenses. | Evasion | Defense Evasion | 2 |
| Disable UAC via the registry with registry command tool | User access control(UAC) has been disabled by modifying the corresponding registries using registry command tool | Privilege Escalation | Privilege Escalation | 3 |
| SAM registry hive download with a command. | SAM registry hive was downloaded via commandline arguments. SAM tables contain password hashes of users on the system and this activity could be an indication of credential dumping. | Compromised Credentials | Credential Access | 3 |
| Wreset UAC bypass by modifying shell configuration in the registry with the registry command tool | User access control(UAC) bypass has been set up by modifying shell configuration in the registry with the registry command tool. Bypassing UAC can be used to elevate privileges. | Privilege Escalation | Privilege Escalation | 3 |
| Shadow copy creation with vssadmin. ⚠ Overlaps with Advanced Analytics rule. |
A Shadow Copy was created using operating systems utilities which could indicate possible credential theft. This process can be considered normal behavior but it is still notable to track such activity. | Compromised Credentials | Credential Access | 2 |
| AWS root login without MFA | A user has logged in to AWS as root without Multi Factor Authentication(MFA) | Abnormal Authentication Access | Defense Evasion, Persistence, Privilege Escalation, Initial Access | 2 |
| Arbitrary command assigned to a file association via the registry with the registry command tool | Arbitrary command was assigned to a file association via the registry with the registry command tool. Attackers can modify the command key values and cause arbitrary commands to execute during file access. | Privilege Escalation | Privilege Escalation | 2 |
| Disabling the security log by creating the 'MiniNt' registry key. | Windows Security Log was disabled by creating the 'MiniNt' registry key. Windows event logs can be disabled by attackers to limit the information that's being recorded by the system and used for detections. One way to achieve this is by creating the 'MiniNt' registry key. Creating this key causes Windows to malfunction and the system will stop auditing events to the security log. | Audit Tampering | Defense Evasion | 2 |
| Get direct access to a drive using PowerShell | Windows allows programs to directly access physical volumes and drives. By doing so with PowerShell, attackers can get direct access to the filesystem, bypassing ACLs and file monitoring applications. | Evasion | Defense Evasion | 1 |
| Windows event viewer service stopped | Windows event logs can be disabled by attackers to limit the information that's being recorded by the system and used for detections. One way to achieve this is by directly shutting down the event logging service, causing event viewer auditing operation to stop. | Audit Tampering | Defense Evasion | 3 |
| AWS instance logon script creation ⚠ Overlaps with Advanced Analytics rule. |
AWS instances can be assigned a logon script from the EC2 service by modifying the 'userdata' property in the instance attributes. Attackers can leverage this feature to include their own malicious script and gain elevated permissions and persistency on the instance. | Malware | Persistence , Privilege Escalation | 2 |
| Cached Credential Dump via Cmdkey ⚠ Overlaps with Advanced Analytics rule. |
Cmdkey.exe was used to look for cached credentials. Attackers may dump credentials to get account logins from the operation system and software to perform lateral movement. | Compromised Credentials | Credential Access | 2 |
| Multiple badge access failures detected on multiple doors. | Multiple badge access failures detected on multiple doors within a specified time frame. | Physical Security | Defense Evasion, Persistence, Privilege Escalation, Initial Access | 2 |
| TGT ticket obtained with weak encryption ⚠ Overlaps with Advanced Analytics rule. |
Weak encryption protocols are used to obtain kerberos tickets which indicates the tickets are vulnerable to offline brute force attacks and result in compromised credentials | Compromised Credentials | Credential Access | 2 |
| Lsass dump creation with taskmgr | LSASS can store credentials and the memory can be dumped to harvest encrypted or plaintext passwords. | Compromised Credentials | Credential Access | 4 |
| 5 user switch events observed on this endpoint for this user. | A user performed 5 user account switch events on the same endpoint. The rule does not necessarily indicate unique user accounts. It may suggests potential unauthorized account usage or privilege escalation attempts. | [Privilege Escalation, privilege Abuse](UseCases/uc_privilege_escalation, privilege_abuse.md) | Initial Access | 3 |
| Shadow copies deleted with vssadmin ⚠ Overlaps with Advanced Analytics rule. |
Volume shadow copies have been deleted using vssadmin process | Ransomware | Impact | 2 |
| Display web credentials access | User is trying to access the display web credentials stored in windows credential manager using vault command tool | Compromised Credentials | Credential Access | 3 |
| Vault file database access | User is trying to access the vault file database | Compromised Credentials | Credential Access | 2 |
| 'Show hidden' feature disabled through registry | Setting these registry values to 0 disables the ability for windows users to view hidden files, potentially ensuring the stealthiness of malicious files | Evasion | Defense Evasion | 2 |
| Powershell keylogging using SetWindowsHook API | User tried to access credentials from keylogging using Powershell SetWindowsHook API | Compromised Credentials | Credential Access | 3 |
| Passwd or Shadow file read via command. | Passwd or Shadow file was read via command. This file stores essential information about the users on the system. | Compromised Credentials | Credential Access | 3 |
| Startup folder location changed via registry modification with registry command tool ⚠ Overlaps with Advanced Analytics rule. |
The location of startup folder was changed via registry modification using registry command tool which could indicate malware persistence | Malware | Persistence | 2 |
| GCP log sink deleted | Attackers can delete GCP log sinks to stop logs from being sent to those log sinks, thus removing evidence of their presence in the system. | Audit Tampering | Defense Evasion | 2 |
| Disable windows crash dumps through the registry. | Windows crash dumps was disabled through the registry. Crash dumps are created whenever the system experiences a crash, and contain a dump of the its memory. Attackers can disable crash dumps through the 'CrashDumpEnabled' registry value, thus making sure no traces are left when or if a crash will occurs. | Evasion | Defense Evasion | 1 |
| Activity from 2 or more different countries. ⚠ Overlaps with Advanced Analytics rule. |
This user has performed activity from 2 or more different countries. These events may indicate unauthorized access or credential compromise. | Compromised Credentials | Initial Access, Persistence | 4 |
| AWS role brute force. | An AWS role is assumed by user. Roles are used to delegate access to users or services and should not be easily granted to users. | Discovery | Discovery | 2 |
| UBA: Multiple kerberos authentication failures from same user. | The user has failed multiple times to authenticate the endpoint using the Kerberos protocol. | Brute Force Attack | Credential Access | 3 |
| Disable Microsoft Defender firewall in the registry. | Microsoft Defender firewall in the registry was disabled. The Defender firewall registry value 'EnableFirewall' allows attackers to disable the Microsoft Defender firewall by setting it to 0, enabling potentially malicious network communications to be allowed into and out of the endpoint. | Evasion | Defense Evasion | 2 |
| RC script file written to with a command. | RC scripts are script files that are used by the Unix system to manage custom services are are executed during startup. Attackers can modify these files (named 'rc.local' and 'rc.common') to gain persistency on in the system and cause malicious code to execute automatically. | Malware | Persistence | 1 |
| Modify RDP local port number through registry with registry command tool | Remote Desktop Protocol (RDP) local port has been modified via registry using registry command tool | Lateral Movement | Lateral Movement | 1 |
| Shadow copies deleted with wmic ⚠ Overlaps with Advanced Analytics rule. |
Volume shadow copies have been deleted using wmic process | Ransomware | Impact | 2 |
| AWS powerful policy creation. ⚠ Overlaps with Advanced Analytics rule. |
Policy was created with critical permissions. Policies in AWS are the documents that dictates what permissions are granted to identites and resources. By creating a new policy or modifying existing one, an attacker might provide himself arbitrary permissions and perform privilege escalation. | Account Manipulation | Persistence | 2 |
| System restore scheduled task disabled with the scheduled tasks command | System restore has been disabled using scheduled tasks | Ransomware | Impact | 2 |
| Disabling the security log by creating the 'MiniNt' registry key with the registry command tool. | Windows event logs can be disabled by attackers to limit the information that's being recorded by the system and used for detections. One way to achieve this is by creating the 'MiniNt' registry key. Creating this key causes Windows to malfunction and the system will stop auditing events to the security log. | Audit Tampering | Defense Evasion | 3 |
| Disable .Net ETW through the registry. | The .NET framework maintains an ETW (event tracing for Windows) component that logs .NET related events. Disabling it through the “ETWEnabled” registry value allows attackers to sneak by .NET detections. | Evasion | Defense Evasion | 2 |
| WMI powershell invocation on remote endpoint | User logged on to a remote endpoint by involving Windows Management Instrumentation (WMI) via Powershell | Lateral Movement | Lateral Movement | 1 |
| Windows event viewer was cleared using WMI ⚠ Overlaps with Advanced Analytics rule. |
Windows event viewer was cleared using WMI which could be an indication of defense evasion. | Audit Tampering | Defense Evasion | 2 |
| Windows event viewer service stopped using the service console | Windows event logs can be disabled by attackers to limit the information that's being recorded by the system and used for detections. One way to achieve this is by directly shutting down the event logging service, causing event viewer auditing operation to stop. | Audit Tampering | Defense Evasion | 3 |
| High file writes. | Large number of file write events for user. | Discovery | Discovery | 2 |
| Sysmon driver was unloaded | A Sysmon driver was unloaded. This can cause Sysmon to stop functioning or from auditing logs which could be an indication of impaired defenses and defense evasion. | Audit Tampering | Defense Evasion | 2 |
| Powershell remote activation ⚠ Overlaps with Advanced Analytics rule. |
Activating Powershell on remote endpoints for lateral movement | Lateral Movement | Lateral Movement | 1 |
| Setup UAC bypass by modifying sdclt.exe related shell configuration in the registry with the registry command tool | User access control(UAC) bypass has been set up by modifying sdclt.exe related shell configuration in the registry with the registry command tool. Bypassing UAC can be used to elevate privileges. | Privilege Escalation | Privilege Escalation | 3 |
| Reduce the size of the security log through the registry with the registry command tool. | Windows event logs can be disabled by attackers to limit the information that's being recorded by the system and used for detections. One way to achieve this is by reducing the size of the security log file, causing incoming events to consistently overwrite older events or even to not be logged at all. | Audit Tampering | Defense Evasion | 2 |
| System restore disabled through the registry | System restore has been disabled by modifying registries | Ransomware | Impact | 2 |
| User added to RDP users windows group | A user has been added to RDP users windows group | Account Manipulation | Persistence | 2 |
| Shadow copies deleted with powershell | Volume shadow copies have been deleted using Powershell | Ransomware | Impact | 2 |
| UBA: Data exfiltration by e-mail. | User has sent over 13MB of data. This indicates possible exfiltration by email. | Data Exfiltration | Exfiltration | 3 |
| Plist startup file written. | Attacker can modify property list files (plist files) to execute their code, gaining persistence in the system. | Malware | Persistence | 1 |
| Bits job execution with windows desktop image downloader | User executed a BITS job using windows desktop image downloader. BITS jobs could be used for persisting or evading detection after executing malicious payloads. | Evasion | Defense Evasion | 2 |
| WinRM network traffic | WinRM network traffic was seen. Windows Remote Management (WinRM) allows users to interact with remove systems to run executables or modify services. It can be leverages by adversaries to act as a logged-on user. | Lateral Movement | Lateral Movement | 0 |
| Execution of a remote compiled HTML file with 'hh.exe' ⚠ Overlaps with Advanced Analytics rule. |
Attackers can leverage compiled HTML ('.chm') files to hide malicious code in a compiled format and execute it using native Windows commands such as 'hh.exe'. | Evasion | Defense Evasion | 3 |
| SAM copied from shadow copy with a command | A Security Accounts Manager(SAM) was copied from a shadow copy via command line. SAM tables contain password hashes of users on the system and can be used in credential dumps to avoid file access defenses. | Compromised Credentials | Credential Access | 3 |
| AWS compute resource (snapshot\image) made public. ⚠ Overlaps with Advanced Analytics rule. |
AWS compute resources (snapshot or image) were modified to be public to every user. Now public resources can be read and downloaded by everyone. | Cloud Data Protection | Collection | 2 |
| Large amount of outgoing bytes sent from an IP | A large amount of bytes was sent out of this endpoint in a network communication. This could indicate an attempt at data exfiltration from the host | Data Exfiltration | Exfiltration | 2 |
| UBA: Data exfiltration by print. | A user sends a large amount of data for print. This indicates an attempt at data exfiltration by print. | Data Exfiltration | Exfiltration | 3 |
| Take ownership of a directory using 'takeown.exe' ⚠ Overlaps with Advanced Analytics rule. |
Attackers can use the 'takeown.exe' process to take ownership of desired directories, effectively disabling and evading ACLs and getting full control over the data. | Evasion | Defense Evasion | 1 |
| Disable Microsoft Defender firewall in the command line | The command line tool netsh.exe allows attackers do disable the Microsoft Defender firewall, enabling potentially malicious network communications to be allowed into and out of the endpoint. | Evasion | Evasion | 2 |
| File added to registry run key with registry command tool ⚠ Overlaps with Advanced Analytics rule. |
A file has been added to registry run key using registry command tool which could indicate malware persistence | Malware | Persistence | 2 |
| File added to startup folder | A file has been added to a startup folder which could indicate malware persistence | Malware | Persistence | 2 |
| DLL added to time providers registry key | A dll has been added to time providers registry key which could indicate malware persistence | Malware | Persistence | 2 |
| Powershell kerberos ticket request | Powershell has requested a kerberos ticket which could indicate a forged ticket | Compromised Credentials | Credential Access | 1 |
| Multiple password resets by user. | Multiple password resets by user across multiple data sources. Password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment. | Abnormal Authentication Access | Persistence | 1 |
| Disable Windows Defender ETW through the registry with the registry command tool. | Windows Defender maintains an ETW (event tracing for Windows) component that logs security event for the Defender application. Disabling it through the 'WINEVT' registry path hinders Defender's capabilities and allows attackers to sneak by its detections. | Evasion | Defense Evasion | 2 |
| Windows hidden file creation using attrib.exe | The 'attrib.exe' windows process can be used to make files hidden by modifying their attributes, making sure they remain undetected by users | Evasion | Defense Evasion | 2 |
| Azure diagnostic settings deleted. | Attackers can delete Azure diagnostic settings to reset the audit policy on certain resources. This activity allows them to disable certain activities from being recorded, thus removing evidence of their presence in the system. | Audit Tampering | Defense Evasion | 1 |
| MMC Dll hijacking via COR_PROFILER registry modification. | MMC Dll hijacking via COR_PROFILER registry modification. | Privilege Escalation | Privilege Escalation | 2 |
| Shadow copy creation with PowerShell | Shadow copy creation with PowerShell. | Compromised Credentials | Credential Access | 2 |
| Login hook file created. | A login hook is a file that points to a specific script to execute with root privileges upon user logon. Attackers can modify the login hook file ('com.apple.loginwindow.plist') to include their own malicious scripts in the login execution, gaining persistence in the system. | Malware | Persistence | 1 |
| File system utility journal was deleted ⚠ Overlaps with Advanced Analytics rule. |
A file system utility journal was deleted which could be an indication of defense evasion. | Audit Tampering | Defense Evasion | 2 |
| Windows backup catalog deletion with wbadmin ⚠ Overlaps with Advanced Analytics rule. |
Windows backup catalog has been deleted using wbadmin | Ransomware | Impact | 2 |
| Base64 executable file stored in the registry | Attackers can store raw executable files in the registry itself as a stealthy and effective method to access and later drop malware. A big indicator to this activity is if an entire executable header ("MZ") is written to a registry value. The string "TVqQA…" is a base64 encoded MZ header, and can be found typically when attackers hide their encoded malware in the system. | Evasion | Defense Evasion | 3 |
| Login hook file created with the defaults command. | Login hook file created with the defaults command. A login hook is a file that points to a specific script to execute with root privileges upon user logon. Attackers can modify the login hook file ('com.apple.loginwindow.plist') to include their own malicious scripts in the login execution, gaining persistence in the system. | Malware | Persistence | 2 |
| Hide a file with chflags. ⚠ Overlaps with Advanced Analytics rule. |
The 'chflags' unix process can be used to make files hidden by modifying their attributes, making sure they remain undetected by users. | Evasion | Defense Evasion | 1 |
| NTDS dump with ntds utility. | The ntds.dit was dumped via ntdsutil.exe. NTDS file acts as a database for Active Directory and stores all its data including all the credentials and this activity could be an indication of credentials dumping. | Compromised Credentials | Credential Access | 3 |
| Multiple failure reasons in endpoint login attempts for this user. | Multiple failure reasons have been observed in endpoint login attempts for this user. These could indicate bad user name or password, expired or disabled accounts, and a variety of other login failure reasons. | [Abnormal Authentication Access, compromised Credentials](UseCases/uc_abnormal_authentication_access, compromised_credentials.md) | Credential Access, Initial Access | 3 |
| AWS CloudTrail disabled | Attackers can disable AWS CloudTrail logging in a cloud account, stopping audit logs from that account from being recorded and allowing the attackers to evade detection. | Audit Tampering | Defense Evasion | 2 |
| AWS public access block was removed. | AWS public access block was removed from bucket. This allows public access to the bucket which can lead to leaked credentials, logs, or other cloud storage objects without proper permissions. | Cloud Data Protection | Collection | 2 |
| Chrome login data file database access | User is trying to access encrypted credentials from Google Chrome browser | Compromised Credentials | Credential Access | 2 |
| Windows Defender service was disabled | The Windows Defender service was disabled. This causes all Defender operations to stop which could be an indication of defense evasion and impaired defenses. | Evasion | Defense Evasion | 2 |
| LSA registry hive download with a command | LSA registry hive was downloaded via commandline arguments. LSA secrets can contain credential materials and this activity could be an indication of credential dumping. | Compromised Credentials | Credential Access | 2 |
| File added to port monitor registry key with registry command tool | A file has been added to port monitor registry key using registry command tool which could indicate malware persistence | Malware | Persistence | 2 |
| Windows event viewer was cleared using PowerShell ⚠ Overlaps with Advanced Analytics rule. |
Windows event viewer was cleared using PowerShell which could be an indication of defense evasion. | Audit Tampering | Defense Evasion | 2 |
| Failed logins from multiple endpoints for this user. | Failed logins have been observed from more than 10 unique source endpoints for this user. These event may indicates potential targeting by a distributed attack. | [Brute Force Attack, lateral Movement](UseCases/uc_brute_force_attack, lateral_movement.md) | Credential Access | 3 |