Command

Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setguid bits being set.

Monitor executed commands and arguments that may bypass UAC mechanisms to elevate process privileges on system.

Monitor executed commands and arguments that may perform sudo caching and/or use the sudoers file to elevate privileges, such as the sudo command.

Monitor executed commands and arguments that may abuse or modify TCC mechanisms designed to control access to elevated privileges. macOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called.

Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.^[3]

Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.^[3]

Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.^[3]

Monitor for execution of commands and arguments associated with enumeration or information gathering of local accounts and groups such as net user, net account, net localgroup, Get-LocalUser, and dscl.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor for execution of commands and arguments associated with enumeration or information gathering of domain accounts and groups, such as net user /domain and net group /domain, dscacheutil -q groupon macOS, and ldapsearch on Linux.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor for execution of commands and arguments associated with enumeration or information gathering of email addresses and accounts such as Get-AddressList, Get-GlobalAddressList, and Get-OfflineAddressBook.

Monitor logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor executed commands and arguments to modify the authorized_keys or /etc/ssh/sshd_config files.

Monitor executed commands and arguments for actions that will aid in compression or encrypting data that is collected prior to exfiltration, such as tar.

Monitor executed commands and arguments that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

Monitor executed commands and arguments that may abuse authentication packages to execute DLLs when the system boots.

Monitor executed commands and arguments that may abuse time providers to execute DLLs when the system boots.

Monitor executed commands and arguments that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.

Monitor executed commands and arguments that may abuse security support providers (SSPs) to execute DLLs when the system boots.

Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe, insmod, lsmod, rmmod, or modinfo ^[7] Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. ^[8] Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.^[9] Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package.

On macOS, monitor for execution of kextload commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy.^[10][11][12]

Monitor executed commands and arguments that may modify plist files to automatically run an application when a user logs in.

Monitor executed commands and arguments that may modify XDG autostart entries to execute programs or commands during system boot.

Monitor executed commands and arguments that may achieve persistence by adding a Registry key to the Active Setup of the local machine.

Monitor executed commands and arguments for logon scripts

Monitor executed commands with arguments to install or modify login hooks.

Monitor executed commands and arguments for logon scripts

Monitor executed commands and arguments resulting from RC scripts for unusual or unknown applications or behavior

Monitor executed commands and arguments for logon scripts

If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). ^[15] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.^[16] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.

PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe

For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName \<RemoteHost> creates a remote PowerShell session.

Analytic 1 - Look for unusual PowerShell execution.

sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational| search EventCode=4104| eval suspicious_cmds=if(like(Message, "%-EncodedCommand%") OR like(Message, "%Invoke-Expression%") OR like(Message, "%IEX%") OR like(Message, "%DownloadFile%"), "Yes", "No")| where suspicious_cmds="Yes"

Monitor executed commands and arguments that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

Analytic 1 - Look for unusual execution of AppleScript.

sourcetype=macOS:Process| search process_name="osascript"| eval suspicious_cmd=if(like(command_line, "%-e%") OR like(command_line, "%path/to/script%"), "Yes", "No")| where suspicious_cmd="Yes"

Monitor executed commands and arguments that may abuse the Windows command shell for execution. Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Analytic 1 - Look for unusual command shell execution.

sourcetype=WinEventLog:Security| search (EventCode=4688 OR EventCode=4689) process_name="cmd.exe"| eval suspicious_cmd=if(like(command_line, "%/c%") OR like(command_line, "%.bat%") OR like(command_line, "%.cmd%"), "Yes", "No")| where suspicious_cmd="Yes"

Monitor executed commands and arguments that may abuse Unix shell commands and scripts for execution. Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Note: this analytic does not include an exhaustive list of potentially suspicious commands that could be executed through a shell interpreter. Instead, it is meant to serve as an example of types of commands that can warrant further investigation.

Analytic 1 - Unusual command execution

sourcetype="linux_logs" CommandLine="sh -c" AND (CommandLine="wget" OR CommandLine="curl" OR CommandLine="nc" OR CommandLine="perl")

Monitor executed commands and arguments that may abuse Visual Basic (VB) for execution.

Analytic 1 - Look for unusual VB execution.

sourcetype=wineventlog OR sourcetype=linux_secure OR sourcetype=macos_secure| search (command="cscript.exe" OR command="wscript.exe" OR command=".vbs" OR command=".vba" OR command=".vbe")| eval suspicious_cmd=if(like(command_line, "%.vbs" OR "%.vba" OR "%.vbe"), "Yes", "No")| where suspicious_cmd="Yes"

Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor executed commands and arguments that may abuse Python commands and scripts for execution.

Analytic 1 - Look for unusual Python execution.

OR sourcetype=wineventlog:security OR sourcetype=sysmonEventCode=4688 OR EventCode=1 | search (process_name="python.exe" OR process_name="python3" OR process_name="python")| eval suspicious_script=if(match(command_line, ". -c .|.exec.|.import os.|.eval.|.base64."), "True", "False")| where suspicious_script="True"| table _time, user, host, command_line, process_name, parent_process

Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source. Monitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system.

Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. ^[17] Consider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.

Consider reviewing command history in either host machines or cloud audit logs to determine if unauthorized or suspicious commands were executed.

Cloud API activity logging is typically enabled by default and may be reviewed in sources like the Microsoft Unified Audit Log, AWS CloudTrail, and GCP Admin Activty logs. Review these sources for history of executed API commands. Host logs may also be reviewed to capture CLI commands or PowerShell module usage to invoke Cloud API functions.

Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of malicious execution. Compare recent invocations of AutoIt3.exe and AutoHotkey.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands).

Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors such as using os.execute to execute operating system commands.

Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add, useradd, dscl -create, and kubectl create serviceaccount.

Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add /domain.

Ensure Launch Agent's ProgramArguments key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy.

Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -–type=service –all. Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution.

Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. Also collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts.

Some legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the RunAtLoad parameter set to true, ensure the Program parameter points to signed code or executables are in alignment with enterprise policy. Some parameters are interchangeable with others, such as Program and ProgramArguments parameters but one must be present. ^[18]

Monitor for suspicious uses of the docker or podman command, such as attempts to mount the root filesystem of the host.

Monitor executed commands with arguments that may be used to collect Keychain data from a system to acquire credentials.

Analytic 1 - Commands indicating credential searches in Keychain.

index=security sourcetype="macos_secure"(event_type="process" AND (command IN ("security dump-keychain", "security find-generic-password", "security find-internet-password", "security unlock-keychain") OR command IN ("security dump-keychain", "security find-generic-password", "security find-internet-password", "security unlock-keychain")))

Monitor executed commands and arguments that may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain.

Analytic 1 - Commands indicating attempts to read securityd’s memory.

index=security sourcetype IN ("linux_secure", "macos_secure") event_type="process"(CommandLine IN ("gcore", "dbxutil", "vmmap", "gdb", "lldb", "memdump", "strings", "cat /proc//maps", "grep /proc//maps") OR CommandLine IN ("security find-generic-password", "security find-internet-password", "security dump-keychain"))

Monitor executed commands and arguments that may acquire credentials from web browsers by reading files specific to the target browser.^[19]

Analytic 1 - Commands indicating credential searches in web browsers.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="process"(CommandLine IN ("sqlite3 logins", "CryptUnprotectData", "security find-internet-password", "sqlcipher logins", "strings Login Data", "cat Login Data", "cat logins.json", "sqlite3 signons.sqlite"))

Monitor executed commands and arguments for suspicious activity listing credentials from the Windows Credentials locker (e.g. vaultcmd /listcreds:"Windows Credentials").^[20]

Analytic 1 - Commands indicating credential searches in Windows Credential Manager.

index=security sourcetype="Powershell" EventCode=4104(CommandLine IN ("vaultcmd.exe", "rundll32.exe keymgr.dll KRShowKeyMgr"))

Monitor executed commands and arguments that may acquire user credentials from third-party password managers. ^[21]

Analytic 1 - Commands indicating credential searches in password managers.

index=security sourcetype IN ("linux_secure", "macos_secure")(CommandLine IN ("keepass", "lastpass", "1password", "bitwarden", "dashlane", "passwordsafe", "login", "vault"))

Monitor executed commands and arguments arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Monitor executed commands and arguments arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Monitor executed commands and arguments that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Monitor executed commands and arguments that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Monitor executed commands and arguments that may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain.

Monitor executed commands and arguments that updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.^[23] Monitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: "Federated Domain Name", or Update-MSOLFederatedDomain –DomainName: "Federated Domain Name" –supportmultipledomain.^[25]

Monitor executed commands and arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Monitor executed commands and arguments for actions that may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.

On Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule, Set-InboxRule, New-TransportRule, and Set-TransportRule PowerShell cmdlets.^[26][27]

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by a file type association.

Monitor executed commands and arguments of .scr files.

Monitor executed commands and arguments that can be used to register WMI persistence, such as the Register-WmiEvent PowerShell cmdlet ^[28]

Monitor executed commands and arguments that may establish persistence through executing malicious commands triggered by a user’s shell.

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by an interrupt signal.

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by the execution of tainted binaries.

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by Netsh Helper DLLs.

Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes.

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on abuse of Accessibility Features.

Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Monitor executed commands and arguments for sdbinst.exe for potential indications of application shim abuse.

Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.

Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules.

Monitor executed commands and arguments that may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond).

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on changes to COM registry keys, including HKCU\Software\Classes\CLSID*.

Monitor executed commands and arguments that may be related to abuse of installer packages, including malicious commands triggered by application installations.

Monitor executed commands and arguments that may gather the victim's physical location(s) that can be used during targeting. Detecting the use of environmental keying may be difficult depending on the implementation.

Monitor executed commands and arguments that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.

Monitor executed commands and arguments that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.

Monitor executed commands and arguments that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.

Monitor executed commands and arguments that may attempt to exfiltrate data over Bluetooth rather than the command and control channel.

Monitor executed commands and arguments that may attempt to exfiltrate data over a USB connected physical device.

Monitor executed command and arguments that may exfiltrate data to a code repository rather than over their primary command and control channel.

Monitor executed commands and arguments that may exfiltrate data to a cloud storage service rather than over their primary command and control channel.

Monitor executed commands and arguments that may exfiltrate data to a webhook as a malicious command and control channel. Additionally, monitor commands that may create new webhook configurations in SaaS services - for example, gh webhook forward in Github or mgc subscriptions create in Office 365.^[29][30]

Monitor for executed commands and arguments for PowerShell cmdlets that can be used to retrieve or modify file and directory DACLs.

Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.^[31]

Monitor the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribute.

Monitor executed commands and arguments that could be taken to add a new user and subsequently hide it from login screens.

Monitor executed commands and arguments that may use hidden windows to conceal malicious activity from the plain sight of users. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style.

The Streams tool of Sysinternals can be used to uncover files with ADSs. The dir /r command can also be used to display ADSs. ^[32] Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a -stream parameter to interact with ADSs. ^{[33] [34]}

Consider monitoring for commands and arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. -silent, -ignore-reboot), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. VBoxManage startvm $VM --type headless).^[35] Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. VBoxManage.exe setextradata global GUI/SuppressMessages "all"). Monitor for commands which enable hypervisors such as Hyper-V.

On Windows and Exchange systems, monitor for creation or modification of suspicious inbox rules through the use of the New-InboxRule, Set-InboxRule, New-TransportRule, and Set-TransportRule PowerShell cmdlets.^[26][27][36]

Monitor executed commands and arguments that are leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections.

Monitor executed commands and arguments, such as nohup, that may attempt to hide processes from interrupt signals.

Monitor executed commands and arguments associated with modifications to variables and files associated with loading shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.

Monitor for the execution of commands and arguments that can be used for adversaries to modify services' registry keys and values through applications such as Windows Management Instrumentation and PowerShell. Additional logging may need to be configured to gather the appropriate data.

Extra scrutiny should be placed on suspicious modification of Registry keys such as COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH by command line tools like wmic.exe, setx.exe, and Reg. Monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection.

Monitor for the execution of commands and arguments associated with disabling or modification of security software processes or services such as Set-MpPreference-DisableScriptScanning 1 in Windows,sudo spctl --master-disable in macOS, and setenforce 0 in Linux. Furthermore, on Windows monitor for the execution of taskkill.exe or Net Stop commands which may deactivate antivirus software and other security systems.

Monitor executed commands and arguments for commands that can be used to disable logging. For example, Wevtutil, auditpol, sc stop EventLog, reg add, Set- or Stop-Service, Set- or New-ItemProperty, sc config, and offensive tooling (such as Mimikatz and Invoke-Phant0m) may be used to clear logs and/or change the EventLog/audit policy.^[37][38][39]

Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Monitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. For network devices, monitor for missing or inconsistencies in Network Device CLI logging present in AAA logs as well as in specific RADIUS and TACAS+ logs.

Monitor executed commands and arguments associated with disabling or the modification of system firewalls such as netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes,ufw disable, and ufw logging off.

Monitor executed commands and arguments that may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers.

Monitor executed commands and arguments associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.^[40][41][42]

Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2).

Command-line invocation of the auditctl utility may be unusual, depending on how systems are typically used in a particular environment. At runtime, look for commands to modify or create rules using the auditctl utility.

Monitor executed commands and arguments for actions that would delete Windows event logs (via PowerShell) such as Remove-EventLog -LogName Security.

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on attempts to Clear Windows Event Logs. In particular, Powershell has a built-in Clear-EventLog cmdlet that allows for a specified log to be cleared.

Monitor executed commands and arguments for actions that could be taken to remove or overwrite system logs.

Monitor executed commands and arguments for actions that could be taken to clear command history, such as Clear-History on Windows or clear logging / clear history via a Network Device CLI in AAA logs, or to disable writing command history, such as history -c in bash/zsh .

Analytic 1 - Powershell Commands

(source="WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode="4103") (CommandLine="Clear-History" OR (CommandLine="Remove-Item" AND CommandLine="ConsoleHost_history.text*"))

Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files.

Monitor executed commands and arguments of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows Admin Shares.

Monitor executed commands and arguments for actions that could be taken to alter generated artifacts on a host system (e.g., Timestomp.exe and SetMace.exe).

Monitor executed commands and arguments that may delete or alter malicious network configuration settings as well as generated artifacts on a host system, including logs and files such as Default.rdp or /var/log/.

Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails. In Exchange environments, monitor for PowerShell cmdlets that may create or alter transport rules, such as New-TransportRule and Set-TransportRule.^[27]

Monitor executed commands and arguments that may delete or alter generated artifacts associated with persistence on a host system.

Monitor executed commands and arguments that may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.

Monitor executed commands and arguments that may attempt to manipulate the name of a task or service to make it appear legitimate or benign.

Monitor for abnormal command execution from otherwise non-executable file types (such as .txt and .jpg).

Monitor executed commands and arguments for actions that could be taken to gather common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.

Monitor executed commands and arguments that may abuse Microsoft Office templates to obtain persistence on a compromised system.

Monitor executed commands and arguments that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.

Monitor executed commands and arguments that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.^[45]

Monitor executed commands and arguments that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.^[45]

Monitor executed commands and arguments that may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.^[45] This PowerShell script is ineffective in gathering rules with modified PR_RULE_MSG_NAME and PR_RULE_MSG_PROVIDER properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.^[47]

Monitor executed commands and arguments that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.

Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,^[48] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Note: Event ID 4104 from the "Microsoft-Windows-PowerShell/Operational" log captures Powershell script blocks, whose contents can be further analyzed to determine if they’re performing LSASS dumping.

Analytic 1 - Unauthorized command execution of LSASS memory.

index=security sourcetype="Powershell" EventCode=4104Image="powershell.exe" CommandLine IN ("Invoke-Mimikatz", "procdump.exe -ma lsass", "rundll32.exe comsvcs.dll, MiniDump", "taskmgr.exe* /dump")

Monitor executed commands and arguments that may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.

Analytic 1 - Unauthorized attempts to dump SAM database through command execution.

index=security sourcetype="Powershell" EventCode=4104 Image="powershell.exe" CommandLine IN ("Invoke-Mimikatz", "Invoke-SAMDump", "reg save hklm\sam", "reg.exe save hklm\sam*")

Monitor executed commands and arguments that may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. Look for command-lines that invoke attempts to access or copy the NTDS.dit.

Note: Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context of commands and parameters being executed via creation of a new process. Event 800 (PowerShell) provides context of commands and parameters being executed via PowerShell. This detection is based on known Windows utilities commands and parameters that can be used to copy the ntds.dit file. It is recommended to keep the list of commands and parameters up to date.

Analytic 1 - Command line attempt to access or create a copy of ntds.dit file

((sourcetype="WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode="800") AND((CommandLine LIKE "%ntds%" AND CommandLine LIKE "%ntdsutil%" AND CommandLine LIKE "%create%") OR (CommandLine LIKE "%vssadmin%" AND CommandLine LIKE "%create%" AND CommandLine LIKE "%shadow%") OR (CommandLine LIKE "%copy%" AND CommandLine LIKE "%ntds.dit%")))

Monitor executed commands and arguments that may access to a host may attempt to access Local Security Authority (LSA) secrets. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,^[48] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Analytic 1 - Suspicious access to LSA secrets.

index=security (sourcetype="Powershell" EventCode=4104) Image="powershell.exe" CommandLine IN ("Invoke-Mimikatz", "Invoke-LSADump*")

Monitor executed commands and arguments that may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.^[49]. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,^[48] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.Detection of compromised Valid Accounts in-use by adversaries may help as well.

Analytic 1 - Unusual access to cached domain credentials.

(index=security sourcetype="Powershell" EventCode=4104 Image="powershell.exe" CommandLine IN ("Invoke-Mimikatz", "Invoke-CachedCredentials"))OR(index=security sourcetype="linux_secure" (cmd IN ("mimikatz", "cachedump*")))

Monitor executed commands and arguments that may gather credentials from information stored in the Proc filesystem or /proc. For instance, adversaries may use regex patterns to search for process memory that may be exfiltrated or searched for credentials.^[50][51]

grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | grep -E 'heap|stack' | cut -d' ' -f 1

grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1

Analytic 1 - Unexpected access to /proc filesystem.

index=os sourcetype="linux_audit" command IN ("grep -E '^[0-9a-f-] r' /proc//maps", "cat /proc//maps", "awk '{print $1}' /proc//maps")

Monitor executed commands and arguments that may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.

Analytic 1 - Unexpected command execution involving /etc/passwd and /etc/shadow.

index=os sourcetype="linux_audit" command IN ("cat /etc/passwd", "cat /etc/shadow", "grep /etc/passwd", "grep /etc/shadow") | eval Command=command | eval TargetFile=case(match(Command, ".passwd."), "/etc/passwd", match(Command, ".shadow."), "/etc/shadow")

Monitor for executed commands and arguments that may attempt to find local system groups and permission settings.

Monitor for executed commands and arguments that may attempt to find domain-level groups and permission settings.

Monitor for executed commands and arguments that may attempt to find cloud groups and permission settings.

Monitor executed commands and arguments in command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.

Monitor executed commands and arguments that may hijack a legitimate user's SSH session to move laterally within an environment.

monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to detect RDP session hijacking. Windows PowerShell log Event ID 4104 (PS script execution) can be used to capture PowerShell script block contents which may contain commands used as a precursor to RDP hijacking. For example, the following command in a PowerShell script block may be used to enumerate the systems on a network which have RDP access: Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName.

Monitor executed commands and arguments that connect to remote shares, such as Net, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.^[52]

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on potential connections and writing to remote shares.

Monitor executed commands and arguments that may invoke a WinRM script to correlate it with other related events.^[53]

Monitor executed commands and arguments that may indicate common cryptomining functionality.

Monitor executed commands and arguments that may indicate common proxyware functionality.

Monitor executed commands and arguments for actions that could be taken to create/modify tasks. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.

Analytic 1 - Linux Command Execution

index=linux_logs sourcetype=syslog "at" | rex "user=(?\w+)"

Analytic 2 - Windows Command Execution index=windows_logs sourcetype=WinEventLog:System EventCode=4698 TaskName="at*"| where NOT (user="SYSTEM" AND TaskName="\Microsoft\Windows\Defrag\ScheduledDefrag")

Monitor execution of commands related to cron that are out of alignment with known software or administrative tasks. Monitor executed atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All at jobs are stored in /var/spool/cron/atjobs/.

Analytic 1 - Suspicious Cron execution

index=linux_logs sourcetype=cron_logs | search "cron" AND (command="crontab -e" OR command="crontab -l" OR command=" * * * " OR command="/cron.d/")

Monitor for commands being executed via schtasks or other utilities related to task scheduling.

Analytic 1 - Look for schtasks.exe execution with arguments indicative of task creation/modification.

sourcetype=WinEventLog:Powershell (EventCode=4104 OR command="schtasks.exe")| stats count by user host process_name command_line| where Image="schtasks.exe" OR command_line="schtasks"

Monitor executed commands and arguments the 'systemd-run' utility as it may be used to create timers.

Analytic 1 - Look for systemd-run execution with arguments indicative of timer creation.

sourcetype=linux_logs (command="systemctl" OR command="systemd-run")

Monitor executed commands and arguments for potential adversary actions to modify Registry values (ex: reg.exe) or modify/replace the legitimate termsrv.dll.

Monitor executed commands and arguments that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.

Note: For Windows, Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on potential Security Software Discovery.

Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Monitor for commands, such as security add-trusted-cert (macOS) or certutil -addstore (Windows), that can be used to install root certificates. A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. ^[58] Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. ^[58] The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. ^[59]

Monitor for the execution of commands that could modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON. ^[60]

Monitor executed commands and arguments that may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.^[61]

When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before Rundll32 is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter Rundll32 command, which may bypass detections and/or execution filters for control.exe.^[62]

Monitor executed commands and arguments that may gather information about the victim's hosts that can be used during targeting.

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on abuse of CMSTP.

Monitor executed commands and arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.

Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.

Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.

Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.

Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.

Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. ^[63]

Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Typical command-line usage of rundll32.exe is "rundll32.exe DllFile,EntryPoint" where DllFile is the name of the DLL file being called and EntryPoint the name of the entry point in the DLL file.

DLLs stored on SMB shares can similarly be called using the syntax of "rundll32.exe \\DllFile,EntryPoint" where is the IPv4 address of the host of the SMB share.

Rundll32 can also be used to execute arbitrary Javascript using the syntax "rundll32.exe javascript:<code_block>"where <code_block> is a string defining the Javascript code to be executed.

Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed.

Adversaries may rename abusable binaries to evade detections, but the argument INJECTRUNNING is required for mavinject.exe to perform Dynamic-link Library Injection and may therefore be monitored to alert malicious activity.

Monitor executed commands and arguments that may gather information about the victim's DNS that can be used during targeting.

Monitor executed commands and arguments that may abuse Electron apps to execute malicious content. For example, analyze commands invoking teams.exe or chrome.exe to execute malicious or abnormal content.

Monitor executed commands and arguments that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Monitor executed commands and arguments that may check for Internet connectivity on compromised systems.

Monitor executed commands and arguments that may collect Wi-Fi information on compromised systems.

Monitor executed commands and arguments for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.

Monitor executed commands and arguments for scripts like Syncappvpublishingserver.vbs that may be used to proxy execution of malicious files.

Monitor the execution of the launchctl command, focusing on subcommands such as load, unload, and start that may be used by adversaries to load Launch Agents or Launch Daemons.

Note: This analytic monitors the execution of the launchctl command and its key subcommands. Exclude known administrative users to minimize false positives.

Analytic 1 - Suspicious Launchctl

sourcetype=macOS:unified OR sourcetype=osquery OR sourcetype=auditd| search command IN ("launchctl load", "launchctl unload", "launchctl start")

Monitor executed commands and arguments that may abuse the Windows service control manager to execute malicious commands or payloads.

Analytic 1- Commands abusing Windows service control manager.

sourcetype=WinEventLog:Security OR sourcetype=Powershell OR sourcetype=Sysmon EventCode IN (1,4688,4104) | search command_line IN ("sc.exe", "net start", "net stop", "psexec.exe")| where user!="SYSTEM" // Exclude common system-level activities

Monitor executed commands and arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.

When executed from the command line, rundll32 is used to call the ClickOnce API functions (ex: rundll32.exe dfshim.dll,ShOpenVerbApplication file.appref-ms).

Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials).

Analytic 1 - Commands indicating credential searches in files.

(index=security sourcetype="Powershell" EventCode=4104 CommandLine="password" OR CommandLine="credential") OR(index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="password" OR CommandLine="credential") OR(index=os sourcetype="linux_audit" action="execve" CommandLine="password" OR CommandLine="credential" OR CommandLine="passwd" OR CommandLine="secret") OR(index=os sourcetype="macos_secure" event_type="execve" CommandLine="password" OR CommandLine="credential" OR CommandLine="passwd" OR CommandLine="secret")

Monitor executed commands and arguments that may search the Registry on compromised systems for insecurely stored credentials.

Analytic 1 - Commands indicating credential searches in the registry.

(index=security sourcetype="powershell" EventCode=4104 ScriptBlockText="reg query /f password /t REG_SZ /s*")

While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history.

Analytic 1 - Commands accessing .bash_historythrough unexpected means.

(index=os sourcetype="linux_secure" action="open" filepath="/home//.bash_history") OR(index=os sourcetype="macos_secure" event_type="open" file_path="/Users//.bash_history")

Monitor executed commands and arguments that may search for private key certificate files on compromised systems for insecurely stored credentials.

Analytic 1 - Commands indicating searches for private keys.

(index=security sourcetype="WinEventLog:Security" EventCode=4688 CommandLine="private key" OR CommandLine="certificate" OR CommandLine IN (".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc")) OR(index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="private key" OR CommandLine="certificate" OR CommandLine IN (".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc")) OR(index=os sourcetype="linux_secure" action="execve" CommandLine="private key" OR CommandLine="certificate" OR CommandLine IN (".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc")) OR(index=os sourcetype="macos_secure" event_type="execve" CommandLine="private key" OR CommandLine="certificate" OR CommandLine IN (".key", ".pgp", ".gpg", ".ppk", ".p12", ".pem", ".pfx", ".cer", ".p7b", ".asc"))

Monitor executed commands and arguments that may search for SYSVOL data and/or GPP XML files, especially on compromised domain controllers.

Analytic 1 - Commands indicating searches for GPP XML files.

(index=security sourcetype="Powershell" EventCode=4104 CommandLine="dir /s .xml*")

Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs.

Analytic 1 - Unexpected API calls or access to Docker logs indicating credential access.

index=containers sourcetype IN ("docker:events", "kubernetes:api", "kubernetes:container") | search Command IN ("docker logs", "kubectl get secrets", "kubectl describe secret", "kubectl exec", "curl http[:]//169.254.169[.]254/latest/meta-data/iam/security-credentials/", "aws iam list-access-keys", "az ad sp list")

Monitor for suspicious commands related to image or container manipulation, especially commands run from users not typically associated with these tasks.

Analytic 1 - Unexpected command execution related to image files.

sourcetype=command_execution| search command IN ("docker pull", "docker run", "docker exec", "kubectl run", "gcloud container images list-tags", "aws ec2 run-instances")

Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

Monitor executed commands and arguments that may employ various time-based methods to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.