Excessive Usage Of Cacls App: endpointEndpointrisk_score:802024-12-06version:5
The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`, or `icacls.exe` to change file or folder permissions. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to restrict access to malware components or artifacts on a compromised system. If confirmed malicious, this behavior could prevent users from deleting or accessing critical files, aiding in the persistence and concealment of malicious activities.
Disable Windows App Hotkeys: endpointEndpointrisk_score:402024-12-08version:8
The following analytic detects a suspicious registry modification aimed at disabling Windows hotkeys for native applications. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values indicative of this behavior. This activity is significant as it can impair an analyst's ability to use essential tools like Task Manager and Command Prompt, hindering incident response efforts. If confirmed malicious, this technique can allow an attacker to maintain persistence and evade detection, complicating the remediation process.
Deleting Of Net Users: endpointEndpointrisk_score:252024-09-30version:5
The following analytic detects the use of net.exe or net1.exe command-line to delete a user account on a system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. This activity is significant as it may indicate an attempt to impair user accounts or cover tracks during lateral movement. If confirmed malicious, this could lead to unauthorized access removal, disruption of legitimate user activities, or concealment of adversarial actions, complicating incident response and forensic investigations.
Excessive Usage Of Net App: endpointEndpointrisk_score:282024-09-30version:4
The following analytic detects excessive usage of `net.exe` or `net1.exe` within a one-minute interval. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This behavior is significant as it may indicate an adversary attempting to create, delete, or disable multiple user accounts rapidly, a tactic observed in Monero mining incidents. If confirmed malicious, this activity could lead to unauthorized user account manipulation, potentially compromising system integrity and enabling further malicious actions.
Download Files Using Telegram: endpointEndpointrisk_score:492024-09-30version:3
The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network.
Process Kill Base On File Path: endpointEndpointrisk_score:562024-09-30version:4
The following analytic detects the use of `wmic.exe` with the `delete` command to remove an executable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because it often indicates the initial stages of an adversary setting up malicious activities, such as cryptocurrency mining, on an endpoint. If confirmed malicious, this behavior could allow an attacker to disable security tools or other critical processes, facilitating further compromise and persistence within the environment.
Modify ACL permission To Files Or Folder: endpointEndpointrisk_score:322024-12-06version:5
The following analytic detects the modification of ACL permissions to files or folders, making them accessible to everyone. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like "cacls.exe," "icacls.exe," and "xcacls.exe" with specific command-line arguments. This activity is significant as it may indicate an adversary attempting to evade ACLs or access protected files. If confirmed malicious, this could allow unauthorized access to sensitive data, potentially leading to data breaches or further system compromise.
Hide User Account From Sign-In Screen: endpointEndpointrisk_score:722024-12-08version:8
The following analytic detects a suspicious registry modification that hides a user account from the Windows Login screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" with a value of "0x00000000". This activity is significant as it may indicate an adversary attempting to create a hidden admin account to avoid detection and maintain persistence on the compromised machine. If confirmed malicious, this could allow the attacker to maintain undetected access and control over the system, posing a severe security risk.
Excessive Attempt To Disable Services: endpointEndpointrisk_score:802024-09-30version:4
The following analytic identifies a suspicious series of command-line executions attempting to disable multiple services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes where "sc.exe" is used with parameters like "config" or "Disabled" within a short time frame. This activity is significant as it may indicate an adversary's attempt to disable security or other critical services to further compromise the system. If confirmed malicious, this could lead to the attacker achieving persistence, evading detection, or disabling security mechanisms, thereby increasing the risk of further exploitation.
XMRIG Driver Loaded: endpointEndpointrisk_score:802024-09-30version:3
The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining.
Suspicious Process File Path: endpointEndpointrisk_score:352024-11-28version:5
The following analytic identifies processes running from file paths not typically associated with legitimate software. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process paths within the Endpoint data model. This activity is significant because adversaries often use unconventional file paths to execute malicious code without requiring administrative privileges. If confirmed malicious, this behavior could indicate an attempt to bypass security controls, leading to unauthorized software execution, potential system compromise, and further malicious activities within the environment.
Attacker Tools On Endpoint: endpointEndpointrisk_score:642024-11-28version:6
The following analytic detects the execution of tools commonly exploited by cybercriminals, such as those used for unauthorized access, network scanning, or data exfiltration. It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names. This activity is significant because it serves as an early warning system for potential security incidents, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.
Executables Or Script Creation In Suspicious Path: endpointEndpointrisk_score:202024-11-28version:5
The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.
Excessive Service Stop Attempt: endpointEndpointrisk_score:802024-09-30version:5
The following analytic detects multiple attempts to stop or delete services on a system using `net.exe`, `sc.exe`, or `net1.exe`. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line executions within a one-minute window. This activity is significant as it may indicate an adversary attempting to disable security or critical services to evade detection and further their objectives. If confirmed malicious, this could lead to the attacker gaining persistence, escalating privileges, or disrupting essential services, thereby compromising the system's security posture.
ICACLS Grant Command: endpointEndpointrisk_score:492024-12-06version:4
The following analytic detects the use of the ICACLS command to grant additional access permissions to files or directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process names and command-line arguments. This activity is significant because it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to manipulate file permissions, potentially leading to unauthorized access, data exfiltration, or further system compromise.
Schtasks Run Task On Demand: endpointEndpointrisk_score:482024-09-30version:3
The following analytic detects the execution of a Windows Scheduled Task on demand via the shell or command line. It leverages process-related data, including process name, parent process, and command-line executions, sourced from endpoint logs. The detection focuses on 'schtasks.exe' with an associated 'run' command. This activity is significant as adversaries often use it to force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. If confirmed malicious, this could allow attackers to maintain persistence or move laterally within the network, potentially leading to further compromise.
Disabling Net User Account: endpointEndpointrisk_score:422024-09-30version:5
The following analytic detects the use of the `net.exe` utility to disable a user account via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant as it may indicate an adversary's attempt to disrupt user availability, potentially as a precursor to further malicious actions. If confirmed malicious, this could lead to denial of service for legitimate users, aiding the attacker in maintaining control or covering their tracks.
Icacls Deny Command: endpointEndpointrisk_score:722024-12-06version:5
The following analytic detects instances where an adversary modifies security permissions of a file or directory using commands like "icacls.exe", "cacls.exe", or "xcacls.exe" with deny options. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and impede access to critical files. If confirmed malicious, this could allow attackers to maintain persistence and hinder incident response efforts.
Suspicious Driver Loaded Path: endpointEndpointrisk_score:632024-09-30version:3
The following analytic detects the loading of drivers from suspicious paths, which is a technique often used by malicious software such as coin miners (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard directories. This activity is significant because legitimate drivers typically reside in specific system directories, and deviations may indicate malicious activity. If confirmed malicious, this could allow an attacker to execute code at the kernel level, potentially leading to privilege escalation, persistence, or further system compromise.
Enumerate Users Local Group Using Telegram: endpointEndpointrisk_score:802024-11-28version:6
The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device. This activity is significant as it may indicate an attempt to gather information on user accounts, a common precursor to further malicious actions. If confirmed malicious, this behavior could allow an attacker to map out user accounts, potentially leading to privilege escalation or lateral movement within the network.
Excessive Usage Of Taskkill: endpointEndpointrisk_score:282024-09-30version:4
The following analytic identifies excessive usage of `taskkill.exe`, a command-line utility used to terminate processes. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` is executed ten or more times within a one-minute span. This behavior is significant as adversaries often use `taskkill.exe` to disable security tools or other critical processes to evade detection. If confirmed malicious, this activity could allow attackers to bypass security defenses, maintain persistence, and further compromise the system.
