EXPLORE DETECTIONS
Windows File and Directory Permissions Enable Inheritance
The following analytic detects the enabling of permission inheritance using ICACLS. This analytic identifies instances where ICACLS commands are used to enable permission inheritance on files or directories. The /inheritance:e flag, which restores inherited permissions from a parent directory, is monitored to detect changes that might reapply broader access control settings. Enabling inheritance can indicate legitimate administrative actions but may also signal attempts to override restrictive custom permissions, potentially exposing sensitive files to unauthorized access.
Windows File and Directory Permissions Remove Inheritance
The following analytic detects the removal of permission inheritance using ICACLS. This analytic identifies instances where ICACLS is used to remove permission inheritance from files or directories. The /inheritance:r flag, which strips inherited permissions while optionally preserving or altering explicit permissions, is monitored to detect changes that may restrict access or establish isolated permission configurations. Removing inheritance can be a legitimate administrative action but may also indicate an attempt to conceal malicious activity or bypass inherited security controls.
Windows File Collection Via Copy Utilities
The following analytic detects the use of Windows command-line copy utilities, such as xcopy, to systematically collect files from user directories and consolidate them into a centralized location on the system. This activity is often indicative of malicious behavior, as threat actors frequently use such commands to gather sensitive information, including documents with .doc, .docx, and .pdf extensions. The detection focuses on identifying recursive copy operations targeting user folders, such as Documents, Desktop, or other directories that commonly store personal or organizational files. Malware that performs this behavior typically attempts to evade detection by using legitimate Windows utilities, executing commands through cmd.exe or other scripting hosts, and writing the collected files to directories like C:\ProgramData or temporary storage locations. Once collected, the information may be staged for exfiltration, used for lateral movement, or leveraged for further compromise of the environment. By monitoring for these types of file collection patterns, security teams can identify suspicious activity early, differentiate between normal administrative tasks and potentially malicious scripts, and prevent sensitive data from being exfiltrated. This analytic is particularly relevant for environments where confidential documents are present and attackers may attempt to harvest them using built-in Windows tools.
Windows File Download Via CertUtil
The following analytic detects the use of `certutil.exe` to download files using the `-URL`, `-urlcache` or '-verifyctl' arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system.
Windows File Download Via PowerShell
The following analytic detects the use of PowerShell's download methods such as "DownloadString" and "DownloadData" from the WebClient class or Invoke-WebRequest and it's aliases "IWR" or "Curl". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity can be significant such methods and functions are commonly used in malicious PowerShell scripts to fetch and execute remote code. If confirmed malicious, this behavior could allow an attacker to download and run arbitrary code, potentially leading to unauthorized access, data exfiltration, or further compromise of the affected system.
Windows File Share Discovery With Powerview
The following analytic detects the execution of the Invoke-ShareFinder PowerShell cmdlet from PowerView. This detection leverages PowerShell Script Block Logging to identify instances where this specific command is executed. Monitoring this activity is crucial as it indicates an attempt to enumerate network file shares, which may contain sensitive information such as backups, scripts, and credentials. If confirmed malicious, this activity could enable an attacker to escalate privileges or move laterally within the network, potentially compromising additional systems and sensitive data.
Windows File Transfer Protocol In Non-Common Process Path
The following analytic detects FTP connections initiated by processes located in non-standard installation paths on Windows systems. It leverages Sysmon EventCode 3 to identify network connections where the process image path does not match common directories like "Program Files" or "Windows\System32". This activity is significant as FTP is often used by adversaries and malware, such as AgentTesla, for Command and Control (C2) communications to exfiltrate stolen data. If confirmed malicious, this could lead to unauthorized data transfer, exposing sensitive information and compromising the integrity of the affected host.
Windows File Without Extension In Critical Folder
This analytic detects the creation of files without extensions in critical Windows system and driver-related directories, including but not limited to System32\Drivers, Windows\WinSxS, and other known Windows driver storage and loading paths. The detection has been expanded to comprehensively cover all commonly abused and legitimate Windows driver folder locations, increasing visibility into attempts to stage or deploy kernel-mode components. The analytic leverages telemetry from the Endpoint.Filesystem data model, with a focus on file creation events and file path analysis. File creation activity in these directories—particularly involving extensionless files—is highly suspicious, as it may indicate the presence of destructive or stealthy malware. This behavior is consistent with malware families such as HermeticWiper, which deploy kernel driver components into trusted Windows driver directories to obtain low-level access and execute destructive payloads. If confirmed malicious, this activity can result in severe system compromise, including the deployment of malicious drivers, boot-sector or filesystem destruction, and ultimately system inoperability and irreversible data loss.
Windows Files and Dirs Access Rights Modification Via Icacls
The following analytic identifies the modification of security permissions on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions. This activity is significant as it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to hinder investigation, impede remediation efforts, and maintain persistent access to the compromised environment.
Windows Find Domain Organizational Units with GetDomainOU
The following analytic detects the execution of the `Get-DomainOU` cmdlet, a part of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-DomainOU` usage is significant as adversaries may use it to gather information about organizational units within Active Directory, which can facilitate lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to map the domain structure, aiding in further exploitation and persistence within the network.
Windows Find Interesting ACL with FindInterestingDomainAcl
The following analytic detects the execution of the `Find-InterestingDomainAcl` cmdlet, part of the PowerView toolkit, using PowerShell Script Block Logging (EventCode=4104). This detection leverages logs to identify when this command is run, which is significant as adversaries may use it to find misconfigured or unusual Access Control Lists (ACLs) within a domain. If confirmed malicious, this activity could allow attackers to identify privilege escalation opportunities or weak security configurations in Active Directory, potentially leading to unauthorized access or further exploitation.
Windows Findstr GPP Discovery
The following analytic detects the use of the findstr command to search for unsecured credentials in Group Policy Preferences (GPP). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving findstr.exe with references to SYSVOL and cpassword. This activity is significant because it indicates an attempt to locate and potentially decrypt embedded credentials in GPP, which could lead to unauthorized access. If confirmed malicious, this could allow an attacker to escalate privileges or gain access to sensitive systems and data within the domain.
Windows Firewall Rule Added
This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 in the Windows Security Event Log. Firewall rule modifications can indicate legitimate administrative actions, but they may also signal unauthorized changes, misconfigurations, or malicious activity such as attackers allowing traffic for backdoors or persistence mechanisms. By analyzing fields like RuleName, RuleId, Computer, and ProfileChanged, security teams can determine whether the change aligns with expected behavior. Correlating with user activity and process execution can help distinguish false positives from real threats, ensuring better visibility into potential security risks.
Windows Firewall Rule Deletion
This detection identifies instances where a Windows Firewall rule has been deleted, potentially exposing the system to security risks. Unauthorized removal of firewall rules can indicate an attacker attempting to bypass security controls or malware disabling protections for persistence and command-and-control communication. The event logs details such as the deleted rule name, protocol, port, and the user responsible for the action. Security teams should monitor for unexpected deletions, correlate with related events, and investigate anomalies to prevent unauthorized access and maintain network security posture.
Windows Firewall Rule Modification
This detection identifies instances where a Windows Firewall rule has been modified, which may indicate an attempt to alter security policies. Unauthorized modifications can weaken firewall protections, allowing malicious traffic or preventing legitimate communications. The event logs details such as the modified rule name, protocol, ports, application path, and the user responsible for the change. Security teams should monitor unexpected modifications, correlate them with related events, and investigate anomalies to prevent unauthorized access and maintain network security integrity.
Windows Forest Discovery with GetForestDomain
The following analytic detects the execution of the `Get-ForestDomain` cmdlet, a component of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-ForestDomain` is significant because adversaries and Red Teams use it to gather detailed information about Active Directory forest and domain configurations. If confirmed malicious, this activity could enable attackers to understand the domain structure, facilitating lateral movement or privilege escalation within the environment.
Windows Gather Victim Host Information Camera
The following analytic detects a PowerShell script that enumerates camera devices on the targeted host. This detection leverages PowerShell Script Block Logging, specifically looking for commands querying Win32_PnPEntity for camera-related information. This activity is significant as it is commonly observed in DCRat malware, which collects camera data to send to its command-and-control server. If confirmed malicious, this behavior could indicate an attempt to gather sensitive visual information from the host, potentially leading to privacy breaches or further exploitation.
Windows Gather Victim Identity SAM Info
The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network.
Windows Gather Victim Network Info Through Ip Check Web Services
The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like "wtfismyip.com" and "ipinfo.io". This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine's IP address. If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network.
Windows Gdrive Binary Activity
The following analytic detects the execution of the 'gdrive' tool on a Windows host. This tool allows standard users to perform tasks associated with Google Drive via the command line. This is used by actors to stage tools as well as exfiltrate data. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. If confirmed malicious, this could lead to compromise of systems or sensitive data being stolen.
Windows Get Local Admin with FindLocalAdminAccess
The following analytic detects the execution of the `Find-LocalAdminAccess` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a toolkit for Windows domain enumeration. Identifying the use of `Find-LocalAdminAccess` is crucial as adversaries may use it to find machines where the current user has local administrator access, facilitating lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to target and compromise additional systems within the network, significantly increasing their control and access to sensitive information.
Windows Get-AdComputer Unconstrained Delegation Discovery
The following analytic detects the use of the Get-ADComputer cmdlet with parameters indicating a search for Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory discovery. If confirmed malicious, this activity could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.
Windows Global Object Access Audit List Cleared Via Auditpol
The following analytic identifies the execution of `auditpol.exe` with the "/resourceSACL" flag, and either the "/clear" or "/remove" command-line arguments used to remove or clear the global object access audit policy. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity can be significant as it indicates potential defense evasion by adversaries or Red Teams, aiming to limit data that can be leveraged for detections and audits. If confirmed malicious, this behavior could allow attackers to bypass defenses, and plan further attacks, potentially leading to full machine compromise or lateral movement.
Windows Group Discovery Via Net
The following analytic identifies the execution of `net.exe` with command-line arguments used to query global, local and domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local or domain groups, which is a common step in Active Directory or privileged accounts discovery. If confirmed malicious, this behavior could allow attackers to gain insights into the domain structure, aiding in further attacks such as privilege escalation or lateral movement.