Vendor: Cisco
June 14, 2023
Product: NPE
Use-Case: Privilege Escalation
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 69 | 8 | 41 | 1 | 1 |
Event Type: process-created

Rules (grouped by MITRE ATT&CK TTP):

- T1012 - Query Registry
  - A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments
  - A-EPA-REG-Query-F: First execution of process with reg query arguments for windows policies on this asset
  - A-EPA-REG-Query-A: Abnormal execution of process with reg query arguments for windows policies on this asset
  - Operation-Wocao-Activity: Possible Operation-Wocao APT activity, suspicious command line arguments
  - ATP-REG-Password: Scanning registry hives via Reg Utility
- T1047 - Windows Management Instrumentation
  - WINCMD-WmiObject: Powershell WMI object to enumerate network adapter was used
  - ATP-WMIC-Antivirus: Antivirus detection using windows utility msbuild.
- T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
  - ATP-WMIC-Antivirus: Antivirus detection using windows utility msbuild.
- T1518.001 - Software Discovery: Security Software Discovery
  - ATP-WMIC-Antivirus: Antivirus detection using windows utility msbuild.
- T1059.001 - Command and Scripting Interpreter: PowerShell
  - A-Powershell-Exec-DLL: PowerShell Strings applied to rundllas.exe seen in PowerShdll.dll on this asset.
  - A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments
  - A-EPA-DLL: DLL loaded from a temp folder via PowerShell on this asset
  - WINCMD-WmiObject: Powershell WMI object to enumerate network adapter was used
  - Powershell-Exec-DLL: PowerShell Strings applied to rundllas.exe seen in PowerShdll.dll
  - Operation-Wocao-Activity: Possible Operation-Wocao APT activity, suspicious command line arguments
  - EPA-DLL: DLL loaded from a temp folder via PowerShell
- T1218.011 - Signed Binary Proxy Execution: Rundll32
  - A-RunDll32-ControlPanel: RunDll32.exe run from the control panel on this asset
  - A-Powershell-Exec-DLL: PowerShell Strings applied to rundllas.exe seen in PowerShdll.dll on this asset.
  - A-EPA-DLL: DLL loaded from a temp folder via PowerShell on this asset
  - RunDll32-ControlPanel: RunDll32.exe run from control panel
  - Powershell-Exec-DLL: PowerShell Strings applied to rundllas.exe seen in PowerShdll.dll
  - EPA-DLL: DLL loaded from a temp folder via PowerShell
- T1218.003 - Signed Binary Proxy Execution: CMSTP
  - A-UAC-Bypass-COM-OBJECT: Windows UAC bypass using COM object access on this asset
  - A-Bypass-UAC-CMSTP: Child process of automatically elevated instance of Microsoft Connection Manager Profile Installer (cmstp.exe) was created via command line on this asset.
  - UAC-Bypass-COM-OBJECT: Windows UAC bypass using COM object access
  - Bypass-UAC-CMSTP: Child process of automatically elevated instance of Microsoft Connection Manager Profile Installer (cmstp.exe) was created via command line.
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
  - A-UAC-Bypass-COM-OBJECT: Windows UAC bypass using COM object access on this asset
  - A-UAC-Bypass-Fodhelper: UAC Bypass using fodhelper.exe on this asset
  - A-UAC-Bypass-Wsreset: UAC Bypass using wsreset.exe on this asset
  - A-Bypass-UAC-CMSTP: Child process of automatically elevated instance of Microsoft Connection Manager Profile Installer (cmstp.exe) was created via command line on this asset.
  - UAC-Bypass-COM-OBJECT: Windows UAC bypass using COM object access
  - UAC-Bypass-Fodhelper: UAC Bypass using fodhelper.exe
  - UAC-Bypass-Wsreset: UAC Bypass using wsreset.exe
  - Bypass-UAC-CMSTP: Child process of automatically elevated instance of Microsoft Connection Manager Profile Installer (cmstp.exe) was created via command line.
- T1027 - Obfuscated Files or Information
  - A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments
  - Operation-Wocao-Activity: Possible Operation-Wocao APT activity, suspicious command line arguments
- T1036.004 - Masquerading: Masquerade Task or Service
  - A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments
  - Operation-Wocao-Activity: Possible Operation-Wocao APT activity, suspicious command line arguments
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  - A-SETUPCOMPLETE-PRIV-ESC: Privilege escalation attempt using the SetupComplete.cmd object on this asset
  - A-Operation-Wocao-Activity: Possible Operation-Wocao APT activity on this asset, suspicious command line arguments
  - SETUPCOMPLETE-PRIV-ESC: Privilege escalation attempt using the SetupComplete.cmd object
  - Operation-Wocao-Activity: Possible Operation-Wocao APT activity, suspicious command line arguments
- T1547.002 - Boot or Logon Autostart Execution: Authentication Package
  - DLL-SideLoading: DLL sideloading malware used, known artifact of APT27
- T1574 - Hijack Execution Flow
  - A-SETUPCOMPLETE-PRIV-ESC: Privilege escalation attempt using the SetupComplete.cmd object on this asset
  - SETUPCOMPLETE-PRIV-ESC: Privilege escalation attempt using the SetupComplete.cmd object
  - DLL-SideLoading: DLL sideloading malware used, known artifact of APT27
- T1082 - System Information Discovery
  - A-EPA-OH-HENUM-F: Asset running host enumeration tool for the first time
  - A-EPA-OH-HENUM-A: Abnormal for this asset to run host enumeration tool
  - A-NET-EXE-Recon: Enumeration and reconnaissance activities were performed on this asset
  - EPA-OU-HENUM-F: First user running host enumeration tool
  - EPA-OU-HENUM-A: Abnormal for this user to run host enumeration tool
  - EPA-OH-HENUM-F: Host running host enumeration tool for the first time
  - EPA-OH-HENUM-A: Abnormal for this host to run host enumeration tool
  - NET-EXE-Recon: Enumeration and reconnaissance activities were performed
- T1087 - Account Discovery
  - A-NET-EXE-Recon: Enumeration and reconnaissance activities were performed on this asset
  - NET-EXE-Recon: Enumeration and reconnaissance activities were performed
- T1482 - Domain Trust Discovery
  - A-DomainTrust-Discovery: Enumeration of Windows Domain Trusts identified on this asset
  - DomainTrust-Discovery: Enumeration of Windows Domain Trusts identified
- T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  - A-File-Folder-Perm-Mod: The permissions of a file or folder were modified on this asset.
  - File-Folder-Perm-Mod: The permissions of a file or folder were modified.
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
  - A-Sus-GUP-Usage: Execution of the Notepad++ updater in a suspicious directory on this asset.
  - PlugX-DLL-Sideloading: DLL loaded from suspicious location typically seen by the PlugX malware family
  - Sus-GUP-Usage: Execution of the Notepad++ updater in a suspicious directory.
- T1027.004 - Obfuscated Files or Information: Compile After Delivery
  - CSC-Suspicious-Folder: Csc.exe spawned from suspicious folder
- T1218.010 - Signed Binary Proxy Execution: Regsvr32
  - A-DLL-AppData: DLL loaded from 'AppData(slash)Local' path on this asset
  - DLL-AppData: DLL loaded from 'AppData(slash)Local' path
- T1484.001 - Domain Policy Modification: Group Policy Modification
  - OG-SYSVOL-F: Suspicious SYSVOL Domain Group Policy Access for the first time for this peer group
  - OG-SYSVOL-A: Abnormal SYSVOL Domain Group Policy Access for this peer group
- T1552.006 - Unsecured Credentials: Group Policy Preferences
  - OG-SYSVOL-F: Suspicious SYSVOL Domain Group Policy Access for the first time for this peer group
  - OG-SYSVOL-A: Abnormal SYSVOL Domain Group Policy Access for this peer group
- T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
  - A-POSS-SPN-ENUMERATION: Possible SPN Enumeration on this asset
  - POSS-SPN-ENUMERATION: Possible SPN Enumeration
- T1003 - OS Credential Dumping
  - A-ShadowCP-SymLink: Shadow Copies Access via Symlink on this asset
  - ShadowCP-SymLink: Shadow Copies Access via Symlink
- T1543.003 - Create or Modify System Process: Windows Service
  - A-New-Service: New windows service created using sc.exe on this asset
  - New-Service: New windows service created
- T1053.005 - Scheduled Task/Job: Scheduled Task
  - A-PrivEsc-SchedTask-LegacyDACL: Possible privilege escalation using a legacy task file on this asset
  - PrivEsc-SchedTask-LegacyDACL: Possible privilege escalation using a legacy task file
- T1574.011 - Hijack Execution Flow: Services Registry Permissions Weakness
  - A-Possible-PrivEsc-SvcPerms: Possible privilege escalation using weak service permissions on this asset
  - Possible-PrivEsc-SvcPerms: Possible privilege escalation using weak service permissions
- T1134.001 - Access Token Manipulation: Token Impersonation/Theft
  - Suspicious-GetSystem-Usage: Possible Meterpreter/Cobalt Strike usage of GetSystem
- T1134.002 - Access Token Manipulation: Create Process with Token
  - Suspicious-GetSystem-Usage: Possible Meterpreter/Cobalt Strike usage of GetSystem
- T1053.002 - Scheduled Task/Job: At (Windows)
  - A-INTERACTIVE-JOB: Interactive job from the 'at' program seen on this asset
  - INTERACTIVE-JOB: Interactive job from the 'at' program
- T1068 - Exploitation for Privilege Escalation
  - A-UAC-IE-INVOKE: Windows UAC consent dialogue was used to invoke an Internet Explorer process running as Local SYSTEM
  - A-APT-Hurricane-Panda: Artifacts used by the APT group 'Hurricane Panda' have been observed on this asset
  - A-SETUPCOMPLETE-PRIV-ESC: Privilege escalation attempt using the SetupComplete.cmd object on this asset
  - APT-Hurricane-Panda: Artifacts used by the APT group 'Hurricane Panda' have been observed
  - SETUPCOMPLETE-PRIV-ESC: Privilege escalation attempt using the SetupComplete.cmd object
- T1087.001 - Account Discovery: Local Account
  - A-EPA-OH-CENUM-F: Asset running credential enumeration tool for the first time
  - A-EPA-OH-CENUM-A: Abnormal for this asset to run credential enumeration tool
  - A-AccountDiscovery: Local accounts were enumerated on this asset
  - EPA-OU-CENUM-F: First user running credential enumeration tool
  - EPA-OU-CENUM-A: Abnormal for this user to run credential enumeration tool
  - EPA-OH-CENUM-F: Host running credential enumeration tool for the first time
  - EPA-OH-CENUM-A: Abnormal for this host to run credential enumeration tool
- T1087.002 - Account Discovery: Domain Account
  - A-EPA-OH-CENUM-F: Asset running credential enumeration tool for the first time
  - A-EPA-OH-CENUM-A: Abnormal for this asset to run credential enumeration tool
  - EPA-OU-CENUM-F: First user running credential enumeration tool
  - EPA-OU-CENUM-A: Abnormal for this user to run credential enumeration tool
  - EPA-OH-CENUM-F: Host running credential enumeration tool for the first time
  - EPA-OH-CENUM-A: Abnormal for this host to run credential enumeration tool
- T1007 - System Service Discovery
  - A-EPA-OH-HENUM-F: Asset running host enumeration tool for the first time
  - A-EPA-OH-HENUM-A: Abnormal for this asset to run host enumeration tool
  - EPA-OU-HENUM-F: First user running host enumeration tool
  - EPA-OU-HENUM-A: Abnormal for this user to run host enumeration tool
  - EPA-OH-HENUM-F: Host running host enumeration tool for the first time
  - EPA-OH-HENUM-A: Abnormal for this host to run host enumeration tool
- T1018 - Remote System Discovery
  - A-EPA-OH-HENUM-F: Asset running host enumeration tool for the first time
  - A-EPA-OH-HENUM-A: Abnormal for this asset to run host enumeration tool
  - EPA-OU-HENUM-F: First user running host enumeration tool
  - EPA-OU-HENUM-A: Abnormal for this user to run host enumeration tool
  - EPA-OH-HENUM-F: Host running host enumeration tool for the first time
  - EPA-OH-HENUM-A: Abnormal for this host to run host enumeration tool
- T1049 - System Network Connections Discovery
  - A-EPA-OH-HENUM-F: Asset running host enumeration tool for the first time
  - A-EPA-OH-HENUM-A: Abnormal for this asset to run host enumeration tool
  - EPA-OU-HENUM-F: First user running host enumeration tool
  - EPA-OU-HENUM-A: Abnormal for this user to run host enumeration tool
  - EPA-OH-HENUM-F: Host running host enumeration tool for the first time
  - EPA-OH-HENUM-A: Abnormal for this host to run host enumeration tool
- T1057 - Process Discovery
  - A-EPA-OH-HENUM-F: Asset running host enumeration tool for the first time
  - A-EPA-OH-HENUM-A: Abnormal for this asset to run host enumeration tool
  - EPA-OU-HENUM-F: First user running host enumeration tool
  - EPA-OU-HENUM-A: Abnormal for this user to run host enumeration tool
  - EPA-OH-HENUM-F: Host running host enumeration tool for the first time
  - EPA-OH-HENUM-A: Abnormal for this host to run host enumeration tool
- T1135 - Network Share Discovery
  - A-EPA-OH-HENUM-F: Asset running host enumeration tool for the first time
  - A-EPA-OH-HENUM-A: Abnormal for this asset to run host enumeration tool
  - EPA-OU-HENUM-F: First user running host enumeration tool
  - EPA-OU-HENUM-A: Abnormal for this user to run host enumeration tool
  - EPA-OH-HENUM-F: Host running host enumeration tool for the first time
  - EPA-OH-HENUM-A: Abnormal for this host to run host enumeration tool
- T1016 - System Network Configuration Discovery
  - WINCMD-Arp: 'Arp' program used
  - WINCMD-WmiObject: Powershell WMI object to enumerate network adapter was used
- T1033 - System Owner/User Discovery
  - A-WHOAMI-SYSTEM: Whoami command executed by LOCAL SYSTEM
  - A-AccountDiscovery: Local accounts were enumerated on this asset
- T1218.002 - Signed Binary Proxy Execution: Control Panel
  - A-RunDll32-ControlPanel: RunDll32.exe run from the control panel on this asset

Models:

- EPA-OG-SYSVOL: SYSVOL domain group policy access by group in the organization
- EPA-OH-CENUM: Hosts on which credential enumeration tools are run
- EPA-OU-CENUM: Users running credential enumeration tools
- EPA-OH-HENUM: Hosts on which host enumeration tools are run
- EPA-OU-HENUM: Users running host enumeration tools
- A-EPA-REG-WU: Models reg query activity for windows update on the assets.
- A-EPA-OH-CENUM: Assets on which credential enumeration tools are run
- A-EPA-OH-HENUM: Assets on which host enumeration tools are run