Correlates unexpected modifications to WMI event filters, scheduled task triggers, or registry autorun keys with subsequent execution of non-standard binaries by SYSTEM-level processes.
| Data Component | Name | Channel |
|---|---|---|
| Scheduled Job Creation (DC0001) | WinEventLog:Security | EventCode=4698 |
| WMI Creation (DC0008) | WinEventLog:WMI | Creation or modification of __EventFilter, __FilterToConsumerBinding, or CommandLineEventConsumer |
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| UserContext | Filters triggering on SYSTEM or LOCAL SERVICE vs. user-initiated triggers |
| TimeWindow | Correlates trigger definition and execution timing (e.g., within 5 minutes) |
| PathAnomalyThreshold | Process or binary path deviation scoring for execution anomalies |
Detects inotify or auditd configuration changes that monitor system files coupled with execution of script interpreters or binaries by cron or systemd timers.
| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | auditd:SYSCALL | Inotify watch creation or auditctl changes on /etc/cron* or /lib/systemd/system/ |
| Scheduled Job Creation (DC0001) | linux:syslog | Execution of non-standard script or binary by cron |
| Command Execution (DC0064) | auditd:SYSCALL | Execution of script interpreters by systemd timer (ExecStart) |
| Field | Description |
|---|---|
| ExecutablePathRegex | Regex defining suspicious binary/script paths triggered by cron/systemd |
| WatchTargetPaths | Paths monitored by auditd/inotify for suspicious event registration |
Correlates launchd plist modifications with subsequent unauthorized script execution or anomalous parent-child process trees involving user agents.
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | macos:unifiedlog | Modification of ~/Library/LaunchAgents or /Library/LaunchDaemons plist |
| Process Creation (DC0032) | macos:unifiedlog | Execution of launchctl with suspicious arguments |
| Field | Description |
|---|---|
| PlistNamePattern | Regex pattern matching known rogue or unrecognized launchd plist names |
| ParentProcessBaseline | Expected parent-child relationships during plist-triggered execution |
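
The three host analytics above (Windows WMI/task/autorun triggers, Linux cron/systemd timers, macOS launchd plists) share one shape: a trigger is defined, and within `TimeWindow` a privileged account runs a binary from an unusual path. The correlator below is an added example, not code from the ATT&CK page; the `Event` record layout, the `STANDARD_PREFIXES`/`SUSPECT_FRAGMENTS` lists, the threshold values and every sample record are constructed to show how `UserContext`, `TimeWindow` and `PathAnomalyThreshold` combine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not from the ATT&CK page): one correlator for the Windows, Linux and
# macOS analytics. Event shape, constants and sample records are constructed.

TIME_WINDOW = timedelta(minutes=5)                      # TimeWindow: trigger defined -> execution
PRIVILEGED_USERS = {"SYSTEM", "LOCAL SERVICE", "ROOT"}  # UserContext filter (assumed set)
PATH_ANOMALY_THRESHOLD = 1                              # PathAnomalyThreshold (assumed value)

# Prefixes from which scheduled/event-triggered execution is normally expected (assumed).
STANDARD_PREFIXES = {
    "windows": ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\"),
    "linux": ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/"),
    "macos": ("/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/system/library/", "/applications/"),
}
# World-writable or staging locations that raise the score further (assumed list).
SUSPECT_FRAGMENTS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\",
                     "/tmp/", "/dev/shm/", "/var/tmp/", "/users/shared/")


@dataclass
class Event:
    ts: datetime
    host: str
    os: str       # "windows" | "linux" | "macos"
    kind: str     # "trigger": task/filter/autorun/cron/plist defined; "exec": process started
    user: str     # account the event ran under (Sysmon User, auditd uid name, ...)
    detail: str   # trigger: what was defined; exec: full image path


def path_anomaly_score(os_name: str, image: str) -> int:
    """+1 when the image lies outside the standard directories, +1 per suspicious fragment."""
    p = image.lower()
    score = 0 if p.startswith(STANDARD_PREFIXES[os_name]) else 1
    score += sum(1 for frag in SUSPECT_FRAGMENTS if frag in p)
    return score


def is_privileged(user: str) -> bool:
    # Strip a Windows domain prefix such as "NT AUTHORITY\" before comparing.
    return user.rsplit("\\", 1)[-1].upper() in PRIVILEGED_USERS


def correlate(events, window=TIME_WINDOW, threshold=PATH_ANOMALY_THRESHOLD):
    """Pair privileged, path-anomalous executions with a trigger defined shortly before them."""
    triggers = [e for e in events if e.kind == "trigger"]
    alerts = []
    for ex in sorted((e for e in events if e.kind == "exec"), key=lambda e: e.ts):
        if not is_privileged(ex.user):          # UserContext
            continue
        score = path_anomaly_score(ex.os, ex.detail)
        if score < threshold:                   # PathAnomalyThreshold
            continue
        for tr in triggers:
            if tr.host == ex.host and timedelta(0) <= ex.ts - tr.ts <= window:  # TimeWindow
                alerts.append({"host": ex.host, "os": ex.os, "trigger": tr.detail,
                               "image": ex.detail, "user": ex.user, "score": score,
                               "delta_s": int((ex.ts - tr.ts).total_seconds())})
    return alerts


T = datetime(2024, 1, 1)
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # Windows: Security 4698 task created, then Sysmon 1 shows SYSTEM running from C:\Users\Public
    Event(T.replace(hour=10, minute=0), "ws01", "windows", "trigger", "NT AUTHORITY\\SYSTEM",
          "4698 TaskName=\\Microsoft\\Windows\\UpdateSync"),
    Event(T.replace(hour=10, minute=1), "ws01", "windows", "exec", "ws01\\alice",
          "C:\\Users\\Public\\tool.exe"),                        # user context -> ignored
    Event(T.replace(hour=10, minute=2, second=30), "ws01", "windows", "exec", "NT AUTHORITY\\SYSTEM",
          "C:\\Users\\Public\\svchost.exe"),                     # alert
    Event(T.replace(hour=10, minute=3), "ws01", "windows", "exec", "NT AUTHORITY\\SYSTEM",
          "C:\\Windows\\System32\\svchost.exe"),                 # standard path -> ignored
    # Linux: auditd records a new watch on /etc/cron.d, then cron runs a script from /dev/shm
    Event(T.replace(hour=11, minute=0), "srv02", "linux", "trigger", "root",
          "auditctl -w /etc/cron.d -p wa"),
    Event(T.replace(hour=11, minute=4), "srv02", "linux", "exec", "root",
          "/dev/shm/.cache/run.sh"),                             # alert
    # macOS: LaunchAgent plist modified, but the execution lands outside the window
    Event(T.replace(hour=12, minute=0), "mac03", "macos", "trigger", "root",
          "~/Library/LaunchAgents/com.example.helper.plist modified"),
    Event(T.replace(hour=12, minute=20), "mac03", "macos", "exec", "root",
          "/Users/Shared/helper"),                               # 20 min later -> ignored
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it prints two alerts (the Windows and Linux chains); the user-context execution, the standard-path execution and the late macOS execution are each dropped by a different one of the three fields, which is the behaviour a tuning exercise on these fields should reproduce.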
Monitors cloud function creation triggered by specific audit log events (e.g., IAM changes, object creation), followed by anomalous behavior from new service accounts.
| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | AWS:CloudTrail | CreateFunction |
| Command Execution (DC0064) | AWS:CloudTrail | InvokeFunction |
| Field | Description |
|---|---|
| TriggerEventType | Specific cloud event (e.g., PutObject, CreateRole) that causes function invocation |
| ServiceAccountRole | Expected permissions for roles used in function execution |
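
The cloud analytic has the same trigger-then-action shape, but the data is CloudTrail rather than host telemetry. The script below is an added example, not code from the ATT&CK page: it reads CloudTrail-shaped JSON lines, remembers each `CreateFunction` with its execution role, and raises a finding when a still-new function is invoked under a role outside `ServiceAccountRole`, naming the most recent `TriggerEventType` record (`PutObject`, `CreateRole`) that preceded the invocation. The account id, role ARNs, function names, the two window sizes and all records are constructed placeholders.

```python
import json
from datetime import datetime, timedelta

# Added example (not from the ATT&CK page). Records are constructed in the shape of
# CloudTrail events; account id, role ARNs and function names are placeholders.

TRIGGER_EVENT_TYPES = {"PutObject", "CreateRole"}                        # TriggerEventType
EXPECTED_ROLES = {"arn:aws:iam::111122223333:role/lambda-basic-exec"}    # ServiceAccountRole (assumed)
NEW_FUNCTION_WINDOW = timedelta(hours=1)   # a function this young still counts as "new" (assumed)
TRIGGER_LOOKBACK = timedelta(minutes=5)    # how far back to look for the triggering event (assumed)

SAMPLE_RECORDS = """
{"eventTime": "2024-01-01T09:58:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-ci"}, "requestParameters": {"roleName": "wide-open-role"}}
{"eventTime": "2024-01-01T10:00:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-ci"}, "requestParameters": {"functionName": "sync-handler", "role": "arn:aws:iam::111122223333:role/wide-open-role"}}
{"eventTime": "2024-01-01T10:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-ci"}, "requestParameters": {"bucketName": "inbound-drop", "key": "report.csv"}}
{"eventTime": "2024-01-01T10:03:30Z", "eventSource": "lambda.amazonaws.com", "eventName": "InvokeFunction", "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"}, "requestParameters": {"functionName": "sync-handler"}}
{"eventTime": "2024-01-01T10:05:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-ci"}, "requestParameters": {"functionName": "nightly-report", "role": "arn:aws:iam::111122223333:role/lambda-basic-exec"}}
{"eventTime": "2024-01-01T10:06:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "InvokeFunction", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-ci"}, "requestParameters": {"functionName": "nightly-report"}}
"""


def parse_records(text: str):
    """Parse JSON-lines CloudTrail records and sort them by eventTime."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["_ts"] = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(records, key=lambda r: r["_ts"])


def analyze(records, expected_roles=EXPECTED_ROLES):
    """Flag invocations of newly created functions whose execution role is not an expected one."""
    created = {}    # functionName -> (created_at, execution role, creator arn)
    triggers = []   # (ts, eventName) for TriggerEventType records seen so far
    findings = []
    for r in records:
        ts, name = r["_ts"], r["eventName"]
        params = r.get("requestParameters") or {}
        identity = r.get("userIdentity") or {}
        if name == "CreateFunction":
            created[params["functionName"]] = (ts, params.get("role"), identity.get("arn"))
        elif name in TRIGGER_EVENT_TYPES:
            triggers.append((ts, name))
        elif name == "InvokeFunction" and params.get("functionName") in created:
            created_at, role, creator = created[params["functionName"]]
            if ts - created_at > NEW_FUNCTION_WINDOW or role in expected_roles:
                continue  # established function or expected role: nothing to raise
            trigger = next((n for t, n in reversed(triggers)
                            if timedelta(0) <= ts - t <= TRIGGER_LOOKBACK), None)
            findings.append({"function": params["functionName"], "role": role, "creator": creator,
                             "age_s": int((ts - created_at).total_seconds()),
                             "trigger_event": trigger,
                             "invoked_by": identity.get("invokedBy") or identity.get("arn")})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_records(SAMPLE_RECORDS)):
        print(finding)
```

On the constructed records only `sync-handler` is reported: it was created 210 seconds before an S3-driven invocation, runs under a role that is not in the expected set, and the nearest preceding trigger-type event is `PutObject`. `nightly-report` is just as new but uses the expected role, so it stays quiet.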
Correlates Power Automate or similar logic app workflows triggered by SaaS file uploads or email rules with data forwarding or anomalous access patterns.
| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | m365:unified | Creation of Power Automate flow triggered by OneDrive or Exchange event |
| Command Execution (DC0064) | m365:unified | Automated forwarding or file sync initiated by a logic app |
| Field | Description |
|---|---|
| TriggerCondition | Event types that initiate SaaS automation (e.g., file add, new email) |
| AppIdentityScope | Scopes/permissions granted to automation app accounts |
Detects macros or VBA triggers set to execute on document open or close events, often correlating with embedded payloads or C2 traffic shortly after execution.
| Data Component | Name | Channel |
|---|---|---|
| Script Execution (DC0029) | m365:office | VBA auto_open, auto_close, or document_open events |
| Network Traffic Content (DC0085) | m365:office | External HTTP/DNS connection from Office binary shortly after macro trigger |
| Field | Description |
|---|---|
| MacroFunctionNames | Names of event-bound functions like Auto_Open that initiate execution |
| TimeDeltaMacroToC2 | Time threshold to correlate macro execution with outbound connections |
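
For the Office analytic the two fields map onto two separate checks: `MacroFunctionNames` is a static test on the VBA module text, and `TimeDeltaMacroToC2` is a temporal join between a macro trigger and network activity from the same Office process. The code below is an added example, not code from the ATT&CK page; the VBA module, the macro and network records, the Office image list and the 60-second threshold are constructed assumptions, and the destination addresses are documentation-range placeholders.

```python
import re
from datetime import datetime, timedelta

# Added example (not from the ATT&CK page). VBA text, event records, the Office
# process list and the threshold value are constructed assumptions.

# MacroFunctionNames: procedures Office runs automatically on document open/close events.
MACRO_FUNCTION_NAMES = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                        "Auto_Close", "AutoClose", "Document_Close", "Workbook_BeforeClose")
AUTO_EXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(" + "|".join(MACRO_FUNCTION_NAMES) + r")\b",
    re.IGNORECASE | re.MULTILINE)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TIME_DELTA_MACRO_TO_C2 = timedelta(seconds=60)   # TimeDeltaMacroToC2 (assumed value)


def find_auto_exec(vba_source: str):
    """Return the event-bound procedure names declared in a VBA module, as written in the source."""
    return sorted({m.group(1) for m in AUTO_EXEC_RE.finditer(vba_source)}, key=str.lower)


def correlate_macro_to_network(macro_events, network_events, window=TIME_DELTA_MACRO_TO_C2):
    """Pair each macro trigger with outbound connections from the same Office process shortly after."""
    hits = []
    for m in macro_events:
        for n in network_events:
            same_proc = (n["host"] == m["host"]
                         and n["image"].lower() == m["image"].lower()
                         and n["image"].lower() in OFFICE_IMAGES)
            delta = n["ts"] - m["ts"]
            if same_proc and timedelta(0) <= delta <= window:
                hits.append({"host": m["host"], "doc": m["doc"], "macro": m["macro"],
                             "image": n["image"], "dest": n["dest"],
                             "delta_s": int(delta.total_seconds())})
    return hits


SAMPLE_VBA = """
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Call Init
End Sub

Sub Auto_Close()
    ActiveDocument.Save
End Sub

Private Sub Init()
    ' application logic
End Sub
"""

T = datetime(2024, 1, 1, 10, 0, 0)
MACRO_EVENTS = [  # constructed: the macro-trigger side of the analytic
    {"ts": T, "host": "ws01", "image": "winword.exe", "doc": "invoice.docm", "macro": "Document_Open"},
]
NETWORK_EVENTS = [  # constructed: outbound connections seen on the same host
    {"ts": T + timedelta(seconds=5), "host": "ws01", "image": "chrome.exe", "dest": "203.0.113.10:443"},
    {"ts": T + timedelta(seconds=12), "host": "ws01", "image": "WINWORD.EXE", "dest": "198.51.100.7:443"},
    {"ts": T + timedelta(minutes=20), "host": "ws01", "image": "winword.exe", "dest": "198.51.100.7:443"},
]

if __name__ == "__main__":
    print("auto-exec procedures:", find_auto_exec(SAMPLE_VBA))
    for hit in correlate_macro_to_network(MACRO_EVENTS, NETWORK_EVENTS):
        print(hit)
```

The module scan finds `Auto_Close` and `Document_Open` regardless of `Private`/`Public` qualifiers or casing, and the join keeps only the WINWORD.EXE connection 12 seconds after the trigger: the browser connection fails the process check and the connection 20 minutes later falls outside the threshold.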