Process

Monitor newly executed processes, such as eventvwr.exe and sdclt.exe, that may bypass UAC mechanisms to elevate process privileges on system.

Threat actors often, after compromising a machine, try to disable User Access Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using "reg.exe", a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system.

Analytic 1 - UAC Bypass

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") IntegrityLevel=High|search (ParentCommandLine="\"c:\windows\system32\dism.exe\""".xml" AND Image!="c:\users\\appdata\local\temp\\dismhost.exe") OR ParentImage=c:\windows\system32\fodhelper.exe OR (CommandLine="\"c:\windows\system32\wusa.exe\"/quiet" AND User!=NOT_TRANSLATED AND CurrentDirectory=c:\windows\system32\ AND ParentImage!=c:\windows\explorer.exe) OR CommandLine=".exe\"cleanmgr.exe /autoclean" OR (ParentImage="c:\windows\dccw.exe" AND Image!="c:\windows\system32\cttune.exe") OR Image="c:\program files\windows media player\osk.exe" OR ParentImage="c:\windows\system32\slui.exe"|eval PossibleTechniques=case(like(lower(ParentCommandLine),"%c:\windows\system32\dism.exe%"), "UACME #23", like(lower(Image),"c:\program files\windows media player\osk.exe"), "UACME #32", like(lower(ParentImage),"c:\windows\system32\fodhelper.exe"), "UACME #33", like(lower(CommandLine),"%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34", like(lower(Image),"c:\windows\system32\wusa.exe"), "UACME #36", like(lower(ParentImage),"c:\windows\%dccw.exe"), "UACME #37", like(lower(ParentImage),"c:\windows\system32\slui.exe"), "UACME #45")

Analytic 2 - Disable UAC

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") ParentImage="C:\Windows\System32\cmd.exe" CommandLine="reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemREG_DWORD /d 0*""

Monitor newly executed processes that may perform sudo caching and/or use the sudoers file to elevate privileges.

Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called.

Monitor for abnormal processes executing under applications with elevated access.

Monitor for newly constructed processes and/or command-lines that may abuse mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe

Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession.^[56] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). - For Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on the enumeration/reading of files that store local users, including /etc/passwd. - For MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as Process Monitor can be used to track usage of commands such as id and groups.

Analytic 1 - Net Discovery Commands

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="net.exe" OR Image="net1.exe"

Monitor for processes that can be used to enumerate domain accounts and groups, such as net.exe and net1.exe, especially when executed in quick succession.^[56] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Monitor for newly executed processes, such as Windows Management Instrumentation and PowerShell , with arguments that can be used to enumerate email addresses and accounts.

Monitor for suspicious processes modifying the authorized_keys or /etc/ssh/sshd_config files.

Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. Before Exfiltration that an adversary has Collection, it is very likely that a Archive Collected Data will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored.In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "* a *". This is helpful, as adversaries may change program names.

Note: This analytic looks for the command line argument a, which is used by RAR. However, there may be other programs that have this as a legitimate argument and may need to be filtered out.

Analytic 1 - Command Line Usage of Archiving Software

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") CommandLine=" a "

Monitor for newly executed processes executed from the Run/RunOnce registry keys through Windows EID 9707 or "Software\Microsoft\Windows\CurrentVersion\Run" and "Software\Microsoft\Windows\CurrentVersion\RunOnce" registry keys with the full command line.

Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly.

Output DescriptionThe sequence of processes that resulted in reg.exe being started from a shell. That is, a hierarchy that looks like• great-grand_parent.exe• grand_parent.exe• parent.exe• reg.exe

Analytic 1 - Reg.exe called from Command Shell

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="reg.exe" AND ParentImage="cmd.exe"| join left=L right=R where L.ParentProcessGuid = R.ProcessGuid [search EventCode IN (1, 4688) Image="cmd.exe" ParentImage!="explorer.exe"]

Monitor newly executed processes, such as the W32tm.exe utility. ^[57] The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. ^[58]

Monitor for the execution of processes that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.

Analytic 1 - Modification of the Winlogon Registry Key

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") | where (CommandLine LIKE "%Microsoft\Windows NT\CurrentVersion\Winlogon%" AND (CommandLine LIKE "%Userinit%" OR CommandLine LIKE "%Shell%" OR CommandLine LIKE "%Notify%")) AND (CommandLine LIKE "%reg%" OR CommandLine LIKE "%add%" OR CommandLine LIKE "%/d%" OR CommandLine LIKE "%Set-ItemProperty%" OR CommandLine LIKE "%New-ItemProperty%" CommandLine LIKE "%-value%")

Monitor for newly created processes that may modify the kernel to automatically execute programs on system boot.

Monitor for newly executed processes that may create or edit shortcuts to run a program during system boot or user login.

Monitor newly executed processes that may modify XDG autostart entries to execute programs or commands during system boot.

Monitor newly executed processes that may achieve persistence by adding a Registry key to the Active Setup of the local machine.

Monitor processes that start at login for unusual or unknown applications. Usual applications for login items could include what users add to configure their user environment, such as email, chat, or music applications, or what administrators include for organization settings and protections. Check for running applications from login items that also have abnormal behavior, such as establishing network connections.

Monitor for newly constructed processes and/or command-lines that execute logon scripts

Analytic 1 - Boot or Logon Initialization Scripts

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="regadd\EnvironmentUserInitMprLogonScript"

Monitor for processes and/or command-lines to install or modify login hooks, as well as processes spawned at user login by these hooks.

Monitor for newly constructed processes and/or command-lines that execute logon scripts

Monitor for newly constructed processes and/or command-lines that execute /etc/rc.local if present.

Monitor for newly constructed processes and/or command-lines that execute during the boot up process to check for unusual or unknown applications and behavior

Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.

Powershell can be used to hide monitored command line execution such as:

net usesc start

Note: - The logic for Analytic 1 is based around detecting on non-interactive Powershell sessions (i.e., those not launched by a user through explorer.exe). This may lead to false positives when used in a production environment, so we recommend tuning any such analytics by including additional logic (e.g., looking for suspicious parent processes) that helps filter such events.- The logic for Analytic 2 is based around detecting on remote Powershell sessions. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.

Analytic 1 - Non-interactive Powershell Sessions

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="powershell.exe" AND ParentImage!="explorer.exe"

Analytic 2 - Remote Powershell Sessions

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="wsmprovhost.exe" AND ParentImage="svchost.exe"

Analytic 3 - Powershell Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") Image="C:\Windows\\powershell.exe" ParentImage!="C:\Windows\explorer.exe"|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName

Monitor for newly executed processes that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

Analytic 1 - Look for unusual AppleScript process creation.

sourcetype=macOS:Process| search (parent_process_name="osascript" OR parent_process_name="NSAppleScript" OR parent_process_name="OSAScript")

Analytic 2 - Untrusted Locations

source="Osquery:" EventCode="process_added" AND Path LIKE "/Users//Downloads/" OR Path LIKE "/tmp/*"

Analytic 3 - Parent/Child Process Relationship

source="Osquery:" EventCode="process_added" AND ParentImage= "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder" AND Image LIKE "osascript"

Monitor for newly executed processes that may abuse the Windows command shell for execution.

Note: Try an Analytic by creating a baseline of parent processes of cmd seen over the last 30 days and a list of parent processes of cmd seen today. Parent processes in the baseline are removed from the set of parent processes seen today, leaving a list of new parent processes. This analytic attempts to identify suspicious programs spawning cmd by looking for programs that do not normally create cmd.  It is very common for some programs to spawn cmd as a subprocess, for example to run batch files or Windows commands. However, many processes don’t routinely launch a command prompt - e.g., Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one.

Analytic 1 - Unusual Command Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="cmd.exe" AND (CommandLine REGEXP "./c." OR CommandLine REGEXP ".._ \/k.*")

Monitor for newly executed processes that may abuse Unix shell commands and scripts for execution.

Analytic 1 - Look for unusual Unix shell process creation.

sourcetype=linux_secure OR sourcetype=macos_secure| search (command="sh" OR command="bash" OR command="zsh")| eval suspicious_process=if(like(command_line, "%.sh" OR "%.bash" OR "%.zsh"), "Yes", "No")| where suspicious_process="Yes"

Monitor for the creation of processes related to VBScript and VBA execution. Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.

Note: This query monitors for the creation of processes like cscript.exe, wscript.exe, excel.exe, and winword.exe, which are commonly used to execute VB scripts. It highlights instances where these processes are initiated, providing insight into potential VB script execution.

Analytic 1 - Look for unusual VB process creation.

sourcetype=windows_security OR sourcetype=wineventlog OR sourcetype=linux_secure OR sourcetype=macos_secure| search (process="cscript.exe" OR process="wscript.exe" OR process="excel.exe" OR process="winword.exe")| eval suspicious_process=if(like(process, "cscript.exe" OR "wscript.exe" OR "excel.exe" OR "winword.exe"), "Yes", "No")| where suspicious_process="Yes"

Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor newly executed processes that may abuse Python commands and scripts for execution.

Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts

Monitor and analyze the execution and arguments of the AutoIt3.exe and AutoHotkey.exe interpreters. Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if AutoHotkey.exe is the parent process for additional suspicious processes and activity.

Monitor newly executed processes associated with account creation, such as net.exe

Analytic 1 - Create local admin accounts using net.exe

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image= C:\Windows\System32\net.exe OR Image= C:\Windows\System32\net1.exe ) AND CommandLine = * -exportPFX * )

Monitor newly executed processes associated with account creation, such as net.exe

Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.

Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Windows runs the Service Control Manager (SCM) within the process services.exe. Windows launches services as independent processes or DLL loads within a svchost.exe group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, then it will timeout (default is 30 seconds) and the process will be killed.

To survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. The /c flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default.

Note: Create a baseline of services seen over the last 30 days and a list of services seen today. Remove services in the baseline from services seen today, leaving a list of new services. Returns all processes named cmd.exe that have services.exe as a parent process. Because this should never happen, the /c flag is redundant in the search.

Analytic 2 - Services launching CMD

(sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="1") OR (sourcetype=WinEventLog:Security EventCode="4688") Image="cmd.exe" and ParentImage="services.exe"

Monitor for newly executed processes that may create or modify Launch Daemons to execute malicious payloads as part of persistence.

Monitor processes spawned by command line utilities to manipulate keychains directly, such as security, combined with arguments to collect passwords, such as dump-keychain -d.

Analytic 1 - New processes with parameters indicating attempts to manipulate keychains.

index=security sourcetype="macos_secure" event_type="process"(CommandLine IN ("security dump-keychain", "security find-generic-password", "security find-internet-password", "security unlock-keychain", "security delete-keychain", "security set-keychain-settings", "security add-internet-password", "security add-generic-password", "security import", "security export"))

Monitor newly executed processes for suspicious activity listing credentials from the Windows Credentials locker (e.g. vaultcmd /listcreds:"Windows Credentials").^[61]

Analytic 1 - New processes with parameters indicating credential searches in Windows Credential Manager.

index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1(CommandLine IN ("vaultcmd.exe", "rundll32.exe keymgr.dll KRShowKeyMgr"))

Monitor newly executed processes that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Monitor newly executed processes that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Monitor for newly executed processes that may establish persistence by executing malicious content triggered by a file type association.

Monitor newly executed processes that may establish persistence by executing malicious content triggered by user inactivity.

Analytic 1 - HKCU\Control Panel\Desktop registry key

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") | where CommandLine LIKE "%reg%" AND CommandLine LIKE "%add%" AND CommandLine LIKE "%HKCU\Control Panel\Desktop\%"

Monitor newly executed processes that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).

Note: Windows Event ID 4688 (A new process has been created) and Sysmon Event ID 1 (Process creation) can be used to alert on processes created by WMI event subscription triggers by filtering on events with a parent process name of WmiPrvSe.exe.

Monitor for execution of mofcomp.exe as a child of a suspicious shell or script running utility – \powershell.exe or \cmd.exe – or by having a suspicious path in the command line, such as %temp%.^[62][63] Adversaries may compile modified MOF files using mofcomp.exe to create malicious WMI event subscriptions.

Monitor newly executed processes that may establish persistence through executing malicious commands triggered by a user’s shell.

Monitor newly executed processes that may establish persistence by executing malicious content triggered by an interrupt signal.

Monitor processes for those that may be used to modify binary headers.

It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior.

Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.

An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of cmd.exe or powershell.exe launched directly from the logon process, winlogon.exe.

Several accessibility programs can be run using the Ease of Access center

• sethc.exe handles StickyKeys
• utilman.exe is the Ease of Access menu
• osk.exe runs the On-Screen Keyboard
• narrator.exe reads screen text over audio
• magnify.exe magnifies the view of the screen near the cursor

One simple way to implement this technique is to note that in a default Windows configuration there are no spaces in the path to the system32 folder. If the accessibility programs are ever run with a Debugger set, then Windows will launch the Debugger process and append the command line to the accessibility program. As a result, a space is inserted in the command line before the path. Looking for any instances of a space in the command line before the name of an accessibility program will help identify when Debuggers are set.

The Windows Registry location HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic example looks for any creation of common accessibility processes such as sethc.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the parent process) that helps reduce false positives.

Analytic 2 could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility.

Analytic 1 - Command Launched from Winlogon

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND ParentImage="winlogon.exe" AND Image="cmd.exe"AND (CommandLine="sethc.exe"OR CommandLine="utilman.exe"OR CommandLine="osk.exe" OR CommandLine="narrator.exe" OR CommandLine="*magnify.exe"

Analytic 2 - Debuggers for Accessibility Applications

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") | where CommandLine match "$. .(sethcutilmanosknarratormagnify).exe"

Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Note: Sysmon Event ID 1 (process create) and Windows Security Log Event ID 4688 (a new process has been created) can be used to detect new reg.exe processes that modify the AppInit DLL registry keys since the registry keys are specified as a command-line parameter.

Monitor newly executed processs for sdbinst.exe for potential indications of application shim abuse. There are several public tools available that will detect shims that are currently available ^[64]:* Shim-Process-Scanner - checks memory of every running process for any shim flags* Shim-Detector-Lite - detects installation of custom shim databases* Shim-Guard - monitors registry for any shim installations* ShimScanner - forensic tool to find active shims in memory* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)

Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. ^[65]

Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.

Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond).

Monitor newly executed processes that may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Monitor processes with arguments that may be related to abuse of installer packages, including malicious, likely elevated processes triggered by application installations.

Monitor the creation of new processes that are children of systemd-udevd.service at the process tree level.^[66]

Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Detecting the use of environmental keying may be difficult depending on the implementation.

Monitor for newly executed processes when removable media is mounted

Monitor for newly constructed processes and/or command-lines that can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders.

Monitor for newly executed processes that may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.^[67][68]

Monitor newly executed processes that may set files and directories to be hidden to evade detection mechanisms.

Monitor newly executed processes for actions that could be taken to add a new user and subsequently hide it from login screens.

Monitor newly executed processes that may use hidden windows to conceal malicious activity from the plain sight of users. For example, monitor suspicious windows explorer execution – such as an additional explorer.exe holding a handle to an unknown desktop – that may be used for hidden malicious activity via hVNC.^[69]

Monitor for process execution that may use NTFS file attributes to hide their malicious data in order to evade detection.

Analytic 1 - NTFS Alternate Data Stream Execution : System Utilities (Powershell)

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\powershell.exe" | regex CommandLine= "Invoke-CimMethod\s+-ClassName\s+Win32_Process\s+-MethodName\s+Create.\b(\w+(.\w+)?):(\w+(.\w+)?)|-ep bypass\s+-\s+<.\b(\w+(.\w+)?):(\w+(.\w+)?)|-command.Get-Content.-Stream.Set-Content.start-process .(\w+(.\w+)?)"

Analytic 2 - NTFS Alternate Data Stream Execution : System Utilities (WMIC)

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\wmic.exe" | regex CommandLine= "process call create.\"(\w+(.\w+)?):(\w+(.\w+)?)"

Analytic 3 - NTFS Alternate Data Stream Execution : System Utilities (rundll32)

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\rundll32.exe" | regex CommandLine= "\"?(\w+(.\w+)?):(\w+(.\w+)?)?\"?,\w+\|(advpack.dll\|ieadvpack.dll),RegisterOCX\s+(\w+.\w+):(\w+(.\w+)?)\|(shdocvw.dll\|ieframe.dll),OpenURL.(\w+.\w+):(\w+(.\w+)?)"

Analytic 4 - NTFS Alternate Data Stream Execution : System Utilities (wscript/cscript)

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\wscript.exe" OR Image= "C:\Windows\\cscript.exe)" | regex CommandLine= "(?<!\/)\b\w+(.\w+)?:\w+(.\w+)?$"

Monitor newly executed processes associated with running a virtual instance, such as those launched from binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V).

Monitor newly executed processes that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.

Analyze process behavior to determine if a process is performing actions it usually does not and/or do no align with its logged command-line arguments.

Detection of process argument spoofing may be difficult as adversaries may momentarily modify stored arguments used for malicious execution. These changes may bypass process creation detection and/or later process memory analysis. Consider monitoring for Process Hollowing, which includes monitoring for process creation (especially those in a suspended state) as well as access and/or modifications of these processes (especially by the parent process) via Windows API calls.^[70][71]

Monitor newly created processes for artifacts, such as nohup or PowerShell -ErrorAction SilentlyContinue, that may attempt to hide processes from interrupt signals.

Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs.

Monitor for newly constructed processes to match an existing service executables.

Monitor for newly executed processes for unusual activity (e.g., a process that does not use the network begins to do so).

Monitor for newly executed processes for process executable paths that are named for partial directories.

Monitor for newly executed processes for process executable paths that are named for partial directories.

Monitor for newly executed processes that may execute their own malicious payloads by hijacking vulnerable file path references.

Monitor for newly executed processes that may execute their own malicious payloads by hijacking the binaries used by services.

Monitor suspicious programs execution through services. These processes may show up as outlier processes that have not been seen before when compared against historical data.

Monitor for newly executed processes, such as setx.exe, that may abuse of the COR_PROFILER variable, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.^[72]

Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the loading of unexpected .NET resources.

In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using "sc" [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.

Note: Though this analytic is utilizing Event ID 1 for process creation, the arguments are specifically looking for the use of service control for querying or trying to stop Windows Defender.

Analytic 1 - Detecting Tampering of Windows Defender Command Prompt

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\sc.exe" (CommandLine="sc config" OR CommandLine="sc stop" OR CommandLine="sc query" )

Monitor newly executed processes that may disable Windows event logging to limit data that can be leveraged for detections and audits.

Analytic 1 - Disable Windows Event Logging

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") ((CommandLine="New-Item" OR CommandLine="reg add") CommandLine="MiniNt") OR (CommandLine="Stop-Service" CommandLine="EventLog") OR (CommandLine="EventLog" (CommandLine="Set-Service" OR CommandLine="reg add" OR CommandLine="Set-ItemProperty" OR CommandLine="New-ItemProperty" OR CommandLine="sc config")) OR (CommandLine="auditpol" (CommandLine="/set" OR CommandLine="/clear" OR CommandLine="/revove")) OR (CommandLine="wevtutil" (CommandLine="sl" OR CommandLine="set-log"))

Monitor for executed processes that may attempt to block indicators or events typically captured by sensors from being gathered and analyzed.

Analytic 1 - Indicator Blocking - Driver Unloaded

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "fltmc.exe" AND CommandLine= "unload"

Monitor newly executed processes that may abuse Windows safe mode to disable endpoint defenses.

Monitor newly executed processes that may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging.

Consider monitoring for suspicious processes that may be spoofing security tools and monitoring messages.

Monitor for newly executed processes that may clear Windows Event Logs to hide the activity of an intrusion. In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using "wevtutil", a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.

Note: This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-Item or Remove-EventLog inside a command that may cause the system to remove Windows Event logs.

Analytic 1 - Clearing Windows Logs with Wevtutil

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image=wevtutil CommandLine=cl (CommandLine=System OR CommandLine=Security OR CommandLine=Setup OR CommandLine=Application) OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog)

Monitor for the suspicious execution of processes that may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

Analytic 1 - Clear Powershell Console Command History

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (CommandLine="rm (Get-PSReadlineOption).HistorySavePath" OR CommandLine="del (Get-PSReadlineOption).HistorySavePath" OR CommandLine="Set-PSReadlineOption –HistorySaveStyle SaveNothing" OR CommandLine="Remove-Item (Get-PSReadlineOption).HistorySavePath" OR (CommandLine="del" AND CommandLine="Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt"))

Monitor for newly constructed processes and/or command line execution that can be used to remove network share connections via the net.exe process.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for various methods of removing network shares via the command line, which is otherwise a rare event.

Analytic 1- Network Share Connection Removal

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image= "C:\Windows\System32\net.exe" AND CommandLine= "delete") OR CommandLine="Remove-SmbShare" OR CommandLine="Remove-FileShare" )

Monitor created processes with arguments that may delete or alter malicious network configuration settings as well as generated artifacts that highlight network connection history on a host system -- which may include logs, files, or Registry values.

Monitor for newly executed processes with arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails.

Monitor for newly executed processes that may delete or alter generated artifacts associated with persistence on a host system.

Monitor for newly executed processes

Monitor for newly executed processes that are associated with COM objects, especially those invoked by a user different than the one currently logged on.

Monitor for newly executed processes that may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Analytic 1 - Unusual Child Process spawned using DDE exploit

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image=".exe" (ParentImage="excel.exe" OR ParentImage="word.exe" OR ParentImage="outlook.exe")

Monitor for newly executed processes that may match or approximate the name or location of legitimate files or resources when naming/placing them. Looks for mismatches between process names and their image paths.Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc).There are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only.

Note: With process monitoring, hunt for processes matching these criteria:

• process name is svchost.exe, smss.exe, wininit.exe, taskhost.exe, etc.
• process path is not C:\Windows\System32\ or C:\Windows\SysWow64\

Examples (true positive):C:\Users\administrator\svchost.exe

To make sure the rule doesn’t miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious: C:\Windows\System32\srv\svchost.exe

Analytic 1 - Common Windows Process Masquerading

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")AND ( (Image=svchost.exe AND (image_path!="C:\Windows\System32\svchost.exe" OR process_path!="C:\Windows\SysWow64\svchost.exe")) OR (Image="*smss.exe" AND image_path!="C:\Windows\System32\smss.exe") OR (Image="wininit.exe" AND image_path!="C:\Windows\System32\wininit.exe") OR (Image="taskhost.exe" AND image_path!="C:\Windows\System32\taskhost.exe") OR (Image="lasass.exe" AND image_path!="C:\Windows\System32\lsass.exe") OR (Image="winlogon.exe" AND image_path!="C:\Windows\System32\winlogon.exe") OR (Image="csrss.exe" AND image_path!="C:\Windows\System32\csrss.exe") OR (Image="services.exe" AND image_path!="C:\Windows\System32\services.exe") OR (Image="lsm.exe" AND image_path!="C:\Windows\System32\lsm.exe") OR (Image="explorer.exe" AND image_path!="C:\Windows\explorer.exe")

Monitor for the abnormal creation of background processes as well as processes executing from abnormal locations, such as /dev/shm.

Monitor for newly constructed processes and/or command-lines that look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system. Typically these should only be used in specific and limited cases, like for software development.

In Linux systems, monitor for newly executed processes from shared memory directories such as /dev/shm, /run/shm, /var/run, and /var/lock.^[73]

Monitor newly executed processes that may abuse Microsoft Office templates to obtain persistence on a compromised system.

Monitor newly executed processes that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.

Monitor newly executed processes that may abuse Microsoft Outlook forms to obtain persistence on a compromised system.

Monitor newly executed processes that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system.

Monitor newly executed processes that may abuse Microsoft Outlook rules to obtain persistence on a compromised system.

Monitor newly executed processes that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.

Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. Try monitoring for Sysmon Event ID 1 and/or Windows Security Event ID 4688 for process activity.

Note: - Rundll32/MiniDump has a different command-line syntax than that of Procdump, in that the process being dumped is specified via process ID instead of name (as with Procdump). Therefore, because the LSASS process ID is non-deterministic, the MiniDump detection isn’t specific to LSASS dumping and may need to be tuned to help reduce false positives.- When monitoring for .dll functions on the command-line be sure to also check for the ordinal associated with the function.

Analytic 1 - Unexpected process creation related to LSASS memory dumping.

index=security sourcetype="WinEventLog:Security" EventCode=4688 Image IN ("procdump.exe", "rundll32.exe", "taskmgr.exe", "powershell.exe") CommandLine IN (" -ma lsass", "rundll32.exe comsvcs.dll, MiniDump", "taskmgr.exe /dump", "powershell.exe -Command Get-Process lsass | Out-MemoryDump")

Monitor newly executed processes that may attempt to find local system groups and permission settings.

Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). The logic in the Analytic looks for any instances of net.exe used for local user/group discovery; although this utility is not normally used for benign purposes, such usage by system administrator actions may trigger false positives.

Analytic 1 - Local Permission Group Discovery

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="net.exe" AND ( CommandLine="net user" OR CommandLine="net group" OR CommandLine="net localgroup" OR CommandLine="get-localgroup" OR CommandLine="get-ADPrincipalGroupMembership*" )

Monitor newly executed processes that may attempt to find domain-level groups and permission settings.

For Linux, auditing frameworks that support alerting on process creation, including the audit daemon (auditd), can be used to alert on invocations of commands such as ldapsearch.

For MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as Process Monitor can be used to track usage of commands such as dscacheutil -q group.

Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created).

Analytic 1 - Local Permission Group Discovery - Net

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image= "net.exe" OR Image= "net1.exe") AND CommandLine="group/domain*")

Monitor newly executed processes that may attempt to find cloud groups and permission settings.

Monitor newly executed processes that may hijack a legitimate user's SSH session to move laterally within an environment.

Consider monitoring processes for tscon.exe usage. Using tscon.exe to hijack an RDP session requires SYSTEM level permissions. Therefore, we recommend also looking for Privilege Escalation techniques that may be used for this purpose in conjunction with RDP Session Hijacking.

In addition to tscon.exe, mstsc.exe can similarly be used to hijack existing RDP sessions. In this case, we recommend looking for the command-line parameters of /noconsentPrompt and /shadow:, which allow for stealthy hijacking of an RDP session with no prompt and without kicking off the existing session.

Monitor for newly executed processes (such as mstsc.exe) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions that spawn additional processes as the logged-on user.

Analytic 1 - Unusual processes associated with RDP sessions

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 | search (parent_process="mstsc.exe" OR parent_process="rdpclip.exe")| table _time, host, user, process_name, parent_process, command_line| where process_name!="expected_processes"

Monitor for the creation of WMI Win32_Process class and method Create to interact with a remote network share using Server Message Block (SMB). Relevant indicators detected by Bro/Zeek is IWbemServices::ExecMethod or IWbemServices::ExecMethodAsync. One thing to notice is that when the Create method is used on a remote system, the method is run under a host process named "Wmiprvse.exe".

The process WmiprvSE.exe is what spawns the process defined in the CommandLine parameter of the Create method. Therefore, the new process created remotely will have Wmiprvse.exe as a parent. WmiprvSE.exe is a DCOM server and it is spawned underneath the DCOM service host svchost.exe with the following parameters C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p. From a logon session perspective, on the target, WmiprvSE.exe is spawned in a different logon session by the DCOM service host. However, whatever is executed by WmiprvSE.exe occurs on the new network type (3) logon session created by the user that authenticated from the network.

Analytic 1 - Basic

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND ParentImage="*wmiprvse.exe" AND TargetLogonID="0x3e7"

Monitor for newly executed processes associated with DCOM activity, especially those invoked by a user different than the one currently logged on. Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.^[74][75]

The Microsoft Management Console (mmc.exe) can be by used by threat actors used to spawn arbitrary processes through DCOM. The typical process tree for this method looks like: svchost.exe —> mmc.exe —> .exe.

Accordingly, look for process creation events of mmc.exe in conjunction with the -Embedding command-line argument, along with suspicious child processes that can be used for malicious purposes, such as cmd.exe, reg.exe, etc.

Similar to the Microsoft Management Console, Excel can also be used to execute processes through DCOM. In this case, the typical process tree looks like: svchost.exe —> excel.exe —> .exe.

Look for process creation events of excel.exe in conjunction with the /automation -Embedding command-line argument, along with suspicious child processes that can be used for malicious purposes, such as cmd.exe, reg.exe, etc.

Monitor for newly executed processes that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on macOS systems log show --predicate 'process = "sshd"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = "ssh" or eventMessage contains "ssh"' can be used to review outgoing SSH connection activity.^[76]

For Linux systems, the Audit framework (auditd) can be used to monitor for the creation of SSH related processes such as ssh.

For macOS systems (10.12+), the above command can be used to look through the Unified Logs for SSH connection activity, though we also recommend including the "—debug" parameter to ensure that all relevant data is returned: log show --info --debug --predicate 'process = "ssh" or eventMessage contains "ssh"'

Monitor for newly executed processes that may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). For example, on macOS systems the screensharingd process may be related to VNC connection activity.^[76]

Monitor for newly executed processes that may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM), as well as service processes such as wmiprvse.exe on destination hosts.

Monitor for common cryptomining software process names that may indicate compromise and resource usage.

Monitor for common proxyware software process names that may indicate compromise and resource usage.

Monitor for newly constructed processes with command-lines that create/modify or are executed from tasks. For example, on Windows tasks may spawn from svchost.exe or the Windows Task Scheduler taskeng.exe for older OS versions. ^[77] Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Instances of the process at.exe running imply the querying or creation of tasks. Although the command_line is not essential for the analytic to run, it is critical when identifying the command that was scheduled.

Analytic 1 - Scheduled Task

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="*at.exe"

Create a baseline of cron jobs and the processes that they spawn in your environment. Monitor for newly spawned outlier processes that are executed through cron jobs that have not been seen before when compared against the baseline data.

Analytic 1 - Unusual Cron Job Creation

index=os_logs sourcetype=process_creation (process_name="cron" OR process_name="/usr/sbin/cron")

Monitor for newly constructed processes and/or command-lines that execute from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. ^[77] If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Look for instances of schtasks.exe running as processes. The command_line field is necessary to disambiguate between types of schtasks commands. These include the flags /create , /run, /query, /delete, /change, and /end.

Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection focuses at the same time on EventIDs 4688 and 1 with process creation (SCHTASKS) and EventID 4698, 4702 for Scheduled Task creation/modification event log.

Analytic 1 - New processes whose parent processes are svchost.exe or taskeng.exe

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (ParentImage="svchost.exe" OR ParentImage="taskeng.exe")

Analytic 2 - Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths

( (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") CommandLine="SCHTASKS" (CommandLine="/CREATE" OR CommandLine="/CHANGE") ) ( ( CommandLine=".cmd" OR CommandLine=".ps1" OR CommandLine=".vbs" OR CommandLine=".py" OR CommandLine=".js" OR CommandLine=".exe" OR CommandLine=".bat" ) OR ( CommandLine="javascript" OR CommandLine="powershell" OR CommandLine="wmic" OR CommandLine="rundll32" OR CommandLine="cmd" OR CommandLine="cscript" OR CommandLine="wscript" OR CommandLine="regsvr32" OR CommandLine="mshta" OR CommandLine="bitsadmin" OR CommandLine="certutil" OR CommandLine="msiexec" OR CommandLine="javaw" ) OR ( CommandLine="%APPDATA%" OR CommandLine="\AppData\Roaming" OR CommandLine="%PUBLIC%" OR CommandLine="C:\Users\Public" OR CommandLine="%ProgramData%" OR CommandLine="C:\ProgramData" OR CommandLine="%TEMP%" OR CommandLine="\AppData\Local\Temp" OR CommandLine="\Windows\PLA\System" OR CommandLine="\tasks" OR CommandLine="\Registration\CRMLog" OR CommandLine="\FxsTmp" OR CommandLine="\spool\drivers\color" OR CommandLine="\tracing" ) )

Monitor for newly constructed processes and/or command-lines that will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.

Note: This query looks for processes spawned by systemd (parent process systemd, with a PID of 1). These processes should be examined for anomalous behavior, particularly when running as the root user.

Analytic 1 - Look for processes with parent process systemdand unusual parameters.

sourcetype=linux_process_creation parent_process_name="systemd"

Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is very similar to the following short payload: ^[78]

<?php @evaI($_P0ST['password']);>

Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.^[79]

A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment.

Analytic 1 - Webshell-Indicative Process Tree

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (ParentImage="C:\Windows\System32\w3wp.exe" OR ParentImage="httpd.exe" OR ParentImage="tomcat.exe" OR ParentImage="nginx.exe")(Image="C:\Windows\System32\cmd.exe OR Image="C:\Windows\SysWOW64\cmd.exe" OR Image="C:\Windows\System32\\powershell.exe OR Image="C:\Windows\SysWOW64\\powershell.exe OR Image="C:\Windows\System32\net.exe" OR Image="C:\Windows\System32\hostname.exe" OR Image="C:\Windows\System32\whoami.exe" OR Image="systeminfo.exe OR Image="C:\Windows\System32\ipconfig.exe")

Monitor processes with arguments that may potentially highlight adversary actions to modify Registry values (ex: reg.exe) or modify/replace the legitimate termsrv.dll.

Monitor newly executed processes that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.

Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Monitor for processes, such as certmgr.exe (macOS) or certutil.exe (Windows), that can be used to install root certificates. A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. ^[80] Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. ^[80] The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. ^[81]

Analytic 1 - Attempt to Add Certificate to Untrusted Store

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND Image="C:\Windows\System32\certutil.exe" CommandLine="-addstore"

Monitor processes and command-line arguments for actions that could be taken to modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON. ^[82]

Monitor and analyze the execution and arguments of hh.exe. ^[83] Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for the creation of any HTML Help Executable ( hh.exe ) processes. Adversaries may hide malicious code in .chm compiled help files; whenever a user tries to open one of these files, Windows executes the HTML Help Executable. Therefore, if there are legitimate uses of compiled help files in your environment, this analytic may lead to false positives and will require additional tuning.

Analytic 1 - Compiled HTML Access

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\syswow64\hh.exe" OR Image="C:\Windows\system32\hh.exe"

Monitor and analyze activity related to items associated with CPL files, such as the control.exe. Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.^[84]

Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Sysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: ^[85]* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe* Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).

Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity

Use process monitoring to monitor the execution and arguments of mshta.exe.

Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files.

Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.

Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity.

Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). - Analytic 1 is a more generic analytic that looks for suspicious usage of regsvr32.exe, specifically for cases where regsvr32.exe creates child processes that aren’t itself. It’s not likely that this will result in millions of hits, but it does occur during benign activity so some form of baselining would be necessary for this to be useful as an alerting analytic.- Analytic 2 is around "Squiblydoo", which is a specific usage of regsvr32.exe to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It looks for regsvr32.exe process creation events that load scrobj.dll via the command-line (which executes the COM scriptlet).- Analytic 3 This uses the same logic as above, but adds lightweight baselining by ignoring all results that also showed up in the previous 30 days (it runs over 1 day).- Analytic 4 This looks for child processes that may be spawend by regsvr32, while attempting to eliminate some of the common false positives such as werfault (Windows Error Reporting).

Analytic 1 - Generic Regsvr32

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") regsvr32.exe | search ParentImage="regsvr32.exe" AND Image!="regsvr32.exe*"

Analytic 2 - Squiblydoo

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") regsvr32.exe scrobj.dll | search Image="*regsvr32.exe"

Analyt 3 - New Items since last month

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") earliest=-d@d latest=now() regsvr32.exe | search ParentImage="regsvr32.exe" AND Image!="regsvr32.exe" | search NOT [search (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") earliest=-60d@d latest=-30d@d regsvr32.exe | search ParentImage="regsvr32.exe" AND Image!="regsvr32.exe" | dedup CommandLine | fields CommandLine ]

Analytic 4 - Spawning Child Processes

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") (ParentImage="C:\Windows\System32\regsvr32.exe" OR ParentImage="C:\Windows\SysWOW64\regsvr32.exe") AND Image!="C:\Windows\System32\regsvr32.exe" AND Image!="C:\Windows\SysWOW64\regsvr32.exe" AND Image!="C:\WINDOWS\System32\regsvr32.exe" AND Image!="C:\WINDOWS\SysWOW64\regsvr32.exe" AND Image!="C:\Windows\SysWOW64\WerFault.exe" AND Image!="C:\Windows\System32\wevtutil.exe" AND Image!="C:\Windows\System32\WerFault.exe"|stats values(ComputerName) as "Computer Name" values(ParentCommandLine) as "Parent Command Line" count(Image) as ImageCount by Image

Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.

When monitoring for all instances of Rundll32 execution, as defined by the logic in the Detection Pseudocode, it is imperative to also investigate the full set of command-line parameters used. These parameters contain key information about the DLL payload, including the name, entry point, and optional arguments.

Note: Event IDs are for Sysmon (Event ID 10 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of rundll32.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the user that created the process) that helps reduce false positives.

Analytic 1 - RunDLL32.exe Monitoring

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "rundll32.exe"

Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications.

Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity.

Monitor processes for suspicious or malicious use of MMC. Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious.

Monitor processes and command-line parameters for binaries associated with Electron apps that may be used to proxy execution of malicious content. Compare recent invocations of these binaries with prior history of known good arguments to determine anomalous and potentially adversarial activity.

Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.

Monitor for newly executed processes that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Monitor for executed processes (such as tracert or ping) that may check for Internet connectivity on compromised systems.

Monitor script processes, such as `cscript that may be used to proxy execution of malicious files.

Monitor script processes, such as wscript.exe, that may be used to proxy execution of malicious files.

Monitor for newly executed daemons that may abuse launchctl to execute commands or programs.

Analytic 1 - Executable path is in unusual directories

sourcetype=osquery OR sourcetype=auditd| search parent_process="launchctl" AND process_path IN ("/tmp/", "/Shared/")

Monitor for newly executed processes that may abuse the Windows service control manager to execute malicious commands or payloads.

Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context of Windows processes creation that can be used to implement this detection.

This detection is based on uncommon process and parent process relationships. Service Control Manager spawning command shell is a good starting point. Add more suspicious relationships based on the reality of your network environment.

In order to reduce false positives, you can also filter the CommandLine event field using parameters such as /c which carries out the command specified by the parent process.

Analytic 1 - Service Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") | WHERE Image LIKE "services.exe" AND Image LIKE "cmd.exe"

Identify running processes with raw sockets. Ensure processes listed have a need for an open raw socket and are in accordance with enterprise policy.^[86]

Monitor for newly executed processes of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity.

Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variaty of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio.

Analytic 1 - MSBuild and msxsl

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")(Image="C:\Program Files (x86)\Microsoft Visual Studio\\bin\MSBuild.exe" OR Image="C:\Windows\Microsoft.NET\Framework\msbuild.exe" OR Image="C:\users\\appdata\roaming\microsoft\msxsl.exe") ParentImage!="\Microsoft Visual Studio*")

Monitor for newly executed child processes of dfsvc.exe that may be indicative of malicious ClickOnce applications.

Monitor newly executed processes for local file systems and remote file shares for files containing insecurely stored credentials.

Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.

Analytic 1 - Credentials in Files & Registry

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")
CommandLine="reg query HKLM /f password /t REG_SZ /s" ORCommandLine="reg query HKCU /f password /t REG_SZ /s" ORCommandLine="Get-UnattendedInstallFile" ORCommandLine="Get-Webconfig" ORCommandLine="Get-ApplicationHost" ORCommandLine="Get-SiteListPassword" ORCommandLine="Get-CachedGPPPassword" ORCommandLine="Get-RegistryAutoLogon*"

Monitor newly executed processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.

Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.

Analytic 1 - Credentials in Files & Registry

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")
CommandLine="reg query HKLM /f password /t REG_SZ /s" ORCommandLine="reg query HKCU /f password /t REG_SZ /s" ORCommandLine="Get-UnattendedInstallFile" ORCommandLine="Get-Webconfig" ORCommandLine="Get-ApplicationHost" ORCommandLine="Get-SiteListPassword" ORCommandLine="Get-CachedGPPPassword" ORCommandLine="Get-RegistryAutoLogon*"

Analytic 2 - New processes with parameters indicating credential searches.

(index=security sourcetype="WinEventLog:Security" EventCode=4688 CommandLine="reg query /f password /t REG_SZ /s") OR(index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="reg query /f password /t REG_SZ /s")

Monitor for processes spawned after opening a suspicious file. Common applications that might be exploited are Microsoft Word, PDF readers, or compression utilities.

Analytic 1 - Processes created from malicious files.

(sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1)| search process_name IN ("WINWORD.EXE", "EXCEL.EXE", "PDFReader.exe", "7z.exe", "powershell.exe", "cmd.exe")| stats count by process_name parent_process_name command_line user| where parent_process_name IN ("explorer.exe", "outlook.exe", "thunderbird.exe")

Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may bypass UAC mechanisms to elevate process privileges on system.

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may perform sudo caching and/or use the sudoers file to elevate privileges.

Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.^[90]

Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.^[91]

Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.

Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled.

Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.

Monitor for process memory inconsistencies compared to DLL files on disk by checking memory ranges against a known copy of the legitimate module.^[92]

Evaluate Event Tracing for Windows (ETW) telemetry associated with ClickOnce deployment execution.

Monitor processes for unexpected termination related to security tools/services. Specifically, before execution of ransomware, monitor for rootkit tools, such as GMER, PowerTool or TDSSKiller, that may detect and terminate hidden processes and the host antivirus software.