Security Content c2402.1 Changelog
March 11, 2025
This Changelog document includes updates to Correlation Rules from content package c2304.1_63.6 to c2402.1.
- This log lists updates to the available correlation rules. It includes the name of the rule that changed, the date of the change, and a description of the modification.
Correlation Rules
| Correlation Rule | Description | Change Status | Change Date | Activity Type |
|---|---|---|---|---|
| UBA: User access from multiple hosts. | A single user logged in from multiple devices. | Updated | 2025-02-03 | |
| Suspicious Improbable Travel | A user logs in from two or more geographically distant locations within a short timeframe, making it physically impossible to have traveled between those locations. | Updated | 2024-10-08 | |
| High number of critical commands executed by a new user in a sequence - daily summary. | A relatively new user has executed at least 10 critical Windows commands in a sequence. This is similar to an attacker gaining a foothold on a victim machine, and could indicate an attacker on the network. | New | 2024-06-20 | process-create |
| 5 user switch events observed on this endpoint for this user. | A user performed 5 user account switch events on the same endpoint. The rule does not necessarily indicate unique user accounts. It may suggest potential unauthorized account usage or privilege escalation attempts. | New | 2024-06-20 | user-switch |
| SA-Src-Port - daily summary. | 4 or more source ports observed in a day for share-access events, indicating potential attempts to evade detection or unauthorized resource access. | New | 2024-06-20 | share-access |
| 10 failed web access domains for user. | The user failed to access the web 10 times. This possibly points to network issues or unauthorized activity. | New | 2024-06-20 | |
| Failed logins to multiple endpoints from this endpoint. | Failed logins have been observed to more than 10 unique destination endpoints from this endpoint. These events may indicate a brute-force attack or network reconnaissance. | New | 2024-06-19 | endpoint-login |
| Multiple failure reasons in endpoint login attempts for this user. | Multiple failure reasons have been observed in endpoint login attempts for this user. These could indicate bad user name or password, expired or disabled accounts, and a variety of other login failure reasons. | New | 2024-06-19 | endpoint-login |
| Failed logins to multiple endpoints for this user. | Failed logins have been observed to more than 10 unique destination endpoints for this user. These events suggest a potential brute-force attack or credential stuffing attempt. | New | 2024-06-19 | endpoint-login |
| Failed logins from multiple endpoints for this user. | Failed logins have been observed from more than 10 unique source endpoints for this user. These events may indicate potential targeting by a distributed attack. | New | 2024-06-19 | endpoint-login |
| Activity from 2 or more different countries. | This user has performed activity from 2 or more different countries. These events may indicate unauthorized access or credential compromise. | New | 2024-06-18 | |
| Passwd or Shadow file unshadowed. | Passwd or Shadow file was unshadowed. The Unshadow tool combines user account details and user's password details. | New | 2024-03-06 | process-create |
| Passwd or Shadow file read. | Passwd or Shadow file was read. This file stores essential information about the users on the system. | New | 2024-03-06 | file-read |
| MMC Dll hijacking via COR_PROFILER registry modification. | MMC Dll hijacking via COR_PROFILER registry modification. | New | 2024-03-06 | |
| Plist startup file written. | Attackers can modify property list files (plist files) to execute their code, gaining persistence in the system. | New | 2024-01-29 | file-write |
| AWS compute resource (snapshot/image) made public. | AWS compute resources (snapshot or image) were modified to be public to every user. Public resources can now be read and downloaded by everyone. | New | 2024-01-29 | |
| Disable Windows Defender ETW through the registry with the registry command tool. | Windows Defender maintains an ETW (Event Tracing for Windows) component that logs security events for the Defender application. Disabling it through the 'WINEVT' registry path hinders Defender's capabilities and allows attackers to sneak by its detections. | New | 2024-01-25 | process-create |
| RC script file written. | RC scripts are script files that are used by the Unix system to manage custom services and are executed during startup. Attackers can modify these files (named 'rc.local' and 'rc.common') to gain persistence in the system and cause malicious code to execute automatically. | New | 2024-01-25 | file-write |
| ETW session disabled through the AutoLogger registry path. | ETWs (Event Tracing for Windows) are logging components that audit events for applications and services such as Microsoft Defender, PowerShell, and other Event Viewer logs. By modifying keys under the 'AutoLogger' registry path, attackers can disable any ETW, stopping logs from being audited and allowing them to sneak by detections. | New | 2024-01-25 | |
| Disable Windows Defender ETW through the registry. | Windows Defender maintains an ETW (Event Tracing for Windows) component that logs security events for the Defender application. Disabling it through the 'WINEVT' registry path hinders Defender's capabilities and allows attackers to sneak by its detections. | New | 2024-01-08 | registry-create |
| RC script file written to with a command. | RC scripts are script files that are used by the Unix system to manage custom services and are executed during startup. Attackers can modify these files (named 'rc.local' and 'rc.common') to gain persistence in the system and cause malicious code to execute automatically. | New | 2024-01-08 | process-create |
| Login hook file created. | A login hook is a file that points to a specific script to execute with root privileges upon user logon. Attackers can modify the login hook file ('com.apple.loginwindow.plist') to include their own malicious scripts in the login execution, gaining persistence in the system. | New | 2024-01-08 | file-write |
| Azure diagnostic settings deleted. | Attackers can delete Azure diagnostic settings to reset the audit policy on certain resources. This activity allows them to disable certain activities from being recorded, thus removing evidence of their presence in the system. | New | 2024-01-08 | |
| High file writes. | Large number of file write events for user. | New | 2023-12-08 | file-write |
| High USB denials. | The user has high USB denials. | New | 2023-12-08 | |
| UBA: Multiple kerberos authentication failures from same user. | The user has failed multiple times to authenticate to the endpoint using the Kerberos protocol. | New | 2023-12-08 | endpoint-authentication |
| AWS powerful policy creation. | A policy was created with critical permissions. Policies in AWS are the documents that dictate what permissions are granted to identities and resources. By creating a new policy or modifying an existing one, an attacker might grant themselves arbitrary permissions and perform privilege escalation. | Updated | 2023-11-30 | policy-create |
| Multiple password resets by user. | Multiple password resets by user across multiple data sources. Password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment. | New | 2023-11-01 | user-password-reset |
| UBA: Netcat process detected. | The netcat process was detected on a system. This can allow attackers to steal sensitive data from untrusted clients over the network. | New | 2023-11-01 | process-create |
| Multiple badge access failures detected on multiple doors. | Multiple badge access failures detected on multiple doors within a specified time frame. | New | 2023-11-01 | physical_location-access |
| UBA: Attempts bruteforce authentication. | A user has a large number of failed login attempts, indicating a brute-force attack. | New | 2023-11-01 | |
| UBA: Data exfiltration by print. | A user sends a large amount of data for print. This indicates an attempt at data exfiltration by print. | New | 2023-10-11 | printer-activity |
| UBA: Data exfiltration by e-mail. | User has sent over 13MB of data. This indicates possible exfiltration by email. | New | 2023-10-11 | email-send |
| UBA: Multiple VPN logins from single IP. | Multiple VPN login attempts were detected from a single IP address within a specific time frame. | New | 2023-10-10 | vpn-login |
| UBA: Internet settings modified. | Internet settings were modified on the system. Modifying these settings can allow attackers to gain unauthorized access to the computer or network. | New | 2023-10-10 | |
| Disabling the security log by creating the 'MiniNt' registry key. | Windows Security Log was disabled by creating the 'MiniNt' registry key. Windows event logs can be disabled by attackers to limit the information that's being recorded by the system and used for detections. One way to achieve this is by creating the 'MiniNt' registry key. Creating this key causes Windows to malfunction and the system will stop auditing events to the security log. | New | 2023-09-04 | registry-create |
| SilentCleanup UAC bypass by manually activating the SilentCleanup task. | A SilentCleanup UAC bypass was performed by manually activating the SilentCleanup task. The attacker abused the SilentCleanup scheduled task to gain high-privilege execution, bypassing User Account Control. | New | 2023-09-04 | process-create |
| Windows logon script added to the registry. | The 'UserInitLogonScript' is a registry key that stores initialization scripts intended to execute when a user logs in. Attackers can insert their own malicious script to this key, gaining persistence on the system. | New | 2023-09-04 | registry-create |
| Azure event hub deleted. | Azure event hub was deleted. Attackers can delete Azure event hubs to stop logs from being sent to those hubs, thus removing evidence of their presence in the system. | New | 2023-09-04 | |
| Disable windows crash dumps through the registry with the registry command tool. | Windows crash dumps were disabled through the registry via the registry command tool. Crash dumps are created whenever the system experiences a crash, and contain a dump of its memory. Attackers can disable crash dumps through the 'CrashDumpEnabled' registry value, thus making sure no traces are left if a crash occurs. | New | 2023-07-31 | registry-create |
| Disable windows crash dumps through the registry. | Windows crash dumps were disabled through the registry. Crash dumps are created whenever the system experiences a crash, and contain a dump of its memory. Attackers can disable crash dumps through the 'CrashDumpEnabled' registry value, thus making sure no traces are left if a crash occurs. | New | 2023-07-31 | process-create |
| Bitsadmin remote download with powershell. | User downloaded BITSAdmin tool remotely using Powershell. BITS jobs could be used for persisting or evading detection after executing malicious payloads. | New | 2023-07-03 | script-execute |
| AWS role brute force. | An AWS role is assumed by user. Roles are used to delegate access to users or services and should not be easily granted to users. | New | 2023-07-03 | role-assume |
| NTDS copied from shadow copy with a command. | A shadow copy command was used to change the location of the NTDS database via the copy.exe process. This is usually a sign of an attempted NTDS credential dump. | New | 2023-07-03 | process-create |
| NTDS copied from shadow copy. | A shadow copy command was used to change the location of the NTDS database via file activity. This activity may be an attempt at credential dumping. | New | 2023-07-03 | file-copy |
| Cached Credential Dump via Cmdkey | Cmdkey.exe was used to look for cached credentials. Attackers may dump credentials to get account logins from the operating system and software to perform lateral movement. | New | 2023-06-01 | process-create |
| SAM copied from shadow copy | A Security Accounts Manager (SAM) database was copied from a shadow copy. SAM tables contain password hashes of users on the system and can be used in credential dumps to avoid file access defenses. | New | 2023-06-01 | file-copy |
| Domain controller SPN added to an endpoint object | A new active directory object has been created indicating a brand new domain controller. When this occurs, all active directory information and secrets are copied to the new domain controller. This is notable as the specific events observed do not occur regularly. | New | 2023-06-01 | |
| GCP instance logon script creation | GCP instances can be assigned a logon script from the compute service by modifying the metadata keys of an instance. Attackers can leverage this feature to include their own malicious script and gain elevated permissions and persistence on the instance. | New | 2023-05-31 | |
| Remove an ETW through PowerShell | ETWs (event tracing for Windows) are logging components that audit events for applications and services such as Microsoft Defender, PowerShell, and other event viewer logs. By calling the PowerShell function 'Remove-EtwTraceProvider', attackers can disable any ETW, stopping logs from being audited and allowing them to sneak by detections. | New | 2023-05-30 | script-execute |
| Modify an ETW with logman.exe | ETWs (event tracing for Windows) are logging components that audit events for applications and services such as Microsoft Defender, PowerShell, and other event viewer logs. By executing the log manager process (logman.exe), attackers can disable any ETW, stopping logs from being audited and allowing them to sneak by detections. | New | 2023-05-30 | process-create |
| Shutdown UFC | UFW (Uncomplicated Firewall) can be disabled through the command line, enabling potentially malicious network communications to be allowed into and out of the endpoint. | New | 2023-05-30 | process-create |
| Add an 'allow' rule in Microsoft Defender firewall | The command line tool netsh.exe allows attackers to create Microsoft Defender firewall network rules, possibly enabling potentially malicious network communications to be allowed into and out of the endpoint. | New | 2023-05-30 | process-create |
| Disable powershell command history | PowerShell automatically records command history and stores it in a system file. This configuration can be disabled with a PowerShell command, allowing malicious commands to avoid being tracked by the program. | New | 2023-05-30 | script-execute |
| Disable history collection in Unix | History collection can be disabled in Unix shells by modifying the history environment variables. With history disabled, attackers can perform malicious commands that will not be tracked by the collector. | New | 2023-05-29 | process-create |
| Windows event viewer service stopped | Windows event logs can be disabled by attackers to limit the information that is being recorded by the system and used for detections. One way to achieve this is by directly shutting down the event logging service, causing Event Viewer auditing to stop. | New | 2023-05-29 | service-stop |
| Windows event viewer audit policy reverted to default state using the audit policy CLI | Windows event logs can be disabled by attackers to limit the information that is being recorded by the system and used for detections. One way to achieve this is by using 'auditpol.exe', which can clear the logging policy, stopping critical logs that were enabled beforehand from being recorded by the Event Viewer. | New | 2023-05-29 | process-create |
| Shadow copies deleted with powershell | Volume shadow copies have been deleted using Powershell | Updated | 2023-04-12 | script-execute |
| Recycle bin autostart persistence via registry modification with registry command tool | Recycle bin registry object has been modified using registry command tool which could indicate malware persistence | Updated | 2023-04-12 | process-create |
| Recycle bin autostart persistence via registry modification | Recycle bin registry object has been modified which could indicate malware persistence | Updated | 2023-04-12 | registry-create |
| Hide a file with chflags. | The 'chflags' unix process can be used to make files hidden by modifying their attributes, making sure they remain undetected by users. | New | 2023-04-08 | process-create |
| Hide users from the login screen by modifying the registry. | The UserList registry key can be modified to hide specific users from the Windows login screen, hiding the presence of malicious user accounts in the system. | New | 2023-04-08 | |
| Sensitive database copy with esentutl.exe | Sensitive database copy with esentutl.exe. | New | 2023-03-29 | process-create |
| Large amount of failed connections from a user per app | An application has received a large amount of failed login attempts from a single user. This could indicate a brute force password guessing attack is taking place. | New | 2023-03-29 | |
| Enable WinRM with powershell | WinRM was enabled using PowerShell. Windows Remote Management (WinRM) allows users to interact with remote systems to run executables or modify services. It can be leveraged by adversaries to act as a logged-on user. | New | 2023-03-22 | script-execute |
| Lsass process dump with rundll minidump library | LSASS can store credentials and the memory can be dumped to harvest encrypted or plaintext passwords. | New | 2023-03-22 | process-create |
| Lsass dump creation with taskmgr | LSASS can store credentials and the memory can be dumped to harvest encrypted or plaintext passwords. | New | 2023-03-22 | file-write |
| File added to the active setup registry key | Active Setup is a Windows mechanism that is used to execute programs when a user logs in. Attackers can change the program list via the registry, gaining persistence by causing their own malicious programs to be executed at logon. | New | 2023-03-22 | registry-create |
| WinRM network traffic | WinRM network traffic was seen. Windows Remote Management (WinRM) allows users to interact with remote systems to run executables or modify services. It can be leveraged by adversaries to act as a logged-on user. | New | 2023-03-22 | |
| Arbitrary command assigned to a file association via the registry | Arbitrary command was assigned to a file association via the registry. Attackers can modify the command key values and cause arbitrary commands to execute during file access. | New | 2023-02-10 | registry-modify |
| Arbitrary command assigned to a file association via the registry with the registry command tool | Arbitrary command was assigned to a file association via the registry with the registry command tool. Attackers can modify the command key values and cause arbitrary commands to execute during file access. | New | 2023-02-10 | process-create |
| Large amount of outgoing emails sent to a single user | A large amount of outgoing emails was sent to a single user which could be an indication of data exfiltration. | New | 2023-02-10 | email-send |
| Setup UAC bypass by modifying sdclt.exe related shell configuration in the registry | A User Account Control (UAC) bypass was set up by modifying sdclt.exe related shell configuration in the registry, which could be an indication of elevation abuse and privilege escalation. | New | 2023-02-10 | registry-create:success |