Default MITRE ATT&CK rules are provided to alert on techniques from the MITRE ATT&CK Framework (https://attack.mitre.org/). The 39 rules listed below cover adversarial behaviour and most of them are mapped to a particular MITRE technique. The technique IDs follow the ATT&CK numbering in use when the rules were written; several of them (for example T1085, T1015, T1118, T1121) have since been retired or folded into sub-techniques in later ATT&CK releases, so map them forward when correlating with a current ATT&CK matrix. Each rule has a Name, the Clause it evaluates, and a Description.
-
Name Suspicious MS Office behavior
Clause (Event type = Follow Process and (Process Info - Exec Path does not contain \Windows\splwow64.exe) and (Process Info - Exec Path does not contain chrome.exe) and (Process Info - Exec Path does not contain msip.executionhost.exe) and (Process Info - Exec Path does not contain msip.executionhost32.exe) and (Process Info - Exec Path does not contain msosync.exe) and (Process Info - Exec Path does not contain ofccccaupdate.exe)) with ancestor (Process Info - Exec Path contains winword.exe or Process Info - Exec Path contains excel.exe or Process Info - Exec Path contains powerpnt.exe)
Description This rule alerts and records if Microsoft Office processes (WINWORD.exe/EXCEL.exe/POWERPNT.exe) create child processes; because the clause uses "with ancestor", deeper descendants of an Office process are caught as well, not only direct children. Based on our research we have allowed a few common child processes known to be created by these MS Office binaries, to reduce the number of false positives.
-
Name T1015 - Accessibility features 1
Clause Event type = Follow Process and (Process Info - Exec Path contains cmd.exe or Process Info - Exec Path contains powershell.exe or Process Info - Exec Path contains cscript.exe or Process Info - Exec Path contains wscript.exe) and (Follow Process - Parent Exec Path contains winlogon.exe or Follow Process - Parent Exec Path contains atbroker.exe or Follow Process - Parent Exec Path contains utilman.exe)
Description This rule alerts and records if any of the Accessibility features binaries (On-Screen Keyboard, Magnifier, Sticky Keys, and so on) are abused and tricked into opening cmd/powershell/cscript/wscript. The invocation of accessibility binaries is controlled by winlogon, atbroker or utilman depending on where they are invoked from (the logon screen or a logged-in session). This rule captures suspicious direct child processes (cmd.exe, powershell.exe, cscript.exe, wscript.exe) of the processes that launch accessibility features (winlogon.exe, utilman.exe and atbroker.exe). Use it together with T1015 - Accessibility features 2 to also catch the further child processes of these four suspicious child processes.
-
Name T1015 - Accessibility features 2
Clause Event type = Follow Process with ancestor ((Process Info - Exec Path contains cmd.exe or Process Info - Exec Path contains powershell.exe or Process Info - Exec Path contains cscript.exe or Process Info - Exec Path contains wscript.exe) and (Follow Process - Parent Exec Path contains winlogon.exe or Follow Process - Parent Exec Path contains atbroker.exe or Follow Process - Parent Exec Path contains utilman.exe))
Description This rule alerts and records if any of the Accessibility features binaries (On-Screen Keyboard, Magnifier, Sticky Keys, and so on) are abused and tricked into opening cmd.exe/powershell.exe/cscript.exe/wscript.exe. The invocation of accessibility binaries is controlled by winlogon, atbroker or utilman depending on where they are invoked from (the logon screen or a logged-in session). This rule captures the descendants of the suspicious child processes of those launchers (winlogon, utilman and atbroker). Use it together with T1015 - Accessibility features 1, which alerts on the suspicious child processes themselves.
-
Name T1085 - rundll32
Clause (Event type = Follow Process and Process Info - Exec Path does not contain msiexec.exe and Process Info - Exec Path does not contain \Windows\System32\SystemPropertiesRemote.exe) with ancestor (Process Info - Exec Path contains rundll32.exe and Follow Process - Parent Exec Path does not contain msiexec.exe and not (Process Info - Command String contains \Windows\system32\shell32.dll or Process Info - Command String contains \Windows\syswow64\shell32.dll or Process Info - Command String contains \Windows\System32\migration\WinInetPlugin.dll))
Description This rule alerts and records if rundll32.exe creates child processes. This binary can be used to execute an arbitrary binary or DLL, or by control.exe to install malicious Control Panel items. However, msiexec.exe is permitted either as the parent or as a descendant of rundll32.exe, and a few common rundll32 command lines that load well-known DLLs (shell32.dll and WinInetPlugin.dll at their system paths) are permitted as well.
-
Name T1118 - InstallUtil
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains installutil.exe
Description This rule alerts and records if InstallUtil.exe creates child processes.
-
Name T1121 - Regsvcs/Regasm
Clause Event type = Follow Process and (Process Info - Exec Path does not contain fondue.exe or Process Info - Exec Path does not contain regasm.exe or Process Info - Exec Path does not contain regsvr32.exe) with ancestor (Process Info - Exec Path contains regasm.exe or Process Info - Exec Path contains regsvcs.exe)
Description This rule alerts and records if regsvcs.exe or regasm.exe create child processes. fondue.exe, regasm.exe and regsvr32.exe are intended to be permitted as children of regasm.exe or regsvcs.exe to reduce the number of false positives. Note that the three "does not contain" exclusions only have that effect when joined with "and"; joined with "or", as written above, every process satisfies the condition (no path contains all three names) and the allowlist never applies.
-
Name T1127 - Trusted Developer Utilities - msbuild.exe
Clause (Event type = Unseen Command with ancestor Process Info - Exec Path contains MSBuild.exe) and (Process Info - Exec Path does not contain Tracker.exe) and (Process Info - Exec Path does not contain csc.exe) and (Process Info - Exec Path does not contain Microsoft Visual Studio) and (Process Info - Exec Path does not contain al.exe) and (Process Info - Exec Path does not contain lc.exe) and (Process Info - Exec Path does not contain dotnet.exe) and (Process Info - Exec Path does not contain cvtres.exe) and (Process Info - Exec Path does not contain conhost.exe) and not (Event type = Unseen Command with ancestor (Process Info - Exec Path contains Tracker.exe or Process Info - Exec Path contains csc.exe or Process Info - Exec Path contains Microsoft Visual Studio or Process Info - Exec Path contains al.exe or Process Info - Exec Path contains lc.exe or Process Info - Exec Path contains dotnet.exe or Process Info - Exec Path contains cvtres.exe))
Description This rule alerts and records if msbuild.exe creates child processes that do not belong to an allowlist of the children it usually creates. The rule is currently Unseen Command based, rather than Follow Process based, because Follow Process does not yet support allowing whole process subtrees. The rule allows the following processes and all of their descendants: Tracker.exe, csc.exe, any process under a "Microsoft Visual Studio" path, al.exe, lc.exe, dotnet.exe and cvtres.exe. It also allows conhost.exe itself. These processes are seen during regular use of MSBuild.exe (for example, compiling a project from Visual Studio). Every other descendant of MSBuild.exe (unusual behaviour) is alerted. Because "contains" is a substring test, short allowlist entries such as al.exe and lc.exe also match any exec path that happens to contain those characters (calc.exe contains lc.exe), so review the allowlist against the binaries actually present in your environment.
-
Name T1127 - Trusted Developer Utilities - rcsi.exe
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains rcsi.exe
Description This rule alerts and records if rcsi.exe creates child processes.
-
Name T1127 - Trusted Developer Utilities - tracker.exe
Clause (Event type = Unseen Command with ancestor Process Info - Exec Path contains tracker.exe) and not (Event type = Unseen Command with ancestor Process Info - Exec Path contains MSBuild.exe)
Description This rule alerts and records if tracker.exe creates child processes and tracker.exe itself is not a descendant of MSBuild.exe. Legitimate invocations of Tracker via Visual Studio are therefore approved, while other invocations are alerted. One limitation shared by this rule and the MSBuild.exe rule above: if an attacker uses the MSBuild technique to launch Tracker and then makes Tracker create a malicious child, neither rule alerts, because Tracker with MSBuild as an ancestor is considered legitimate.
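The process-ancestry rules above (the MS Office rule, the two Accessibility features rules, and the MSBuild/Tracker pair with their allowed subtrees) all hinge on the difference between "Parent Exec Path" (direct parent only) and "with ancestor" (any process up the chain), and on "contains" being a plain substring test. The following Python is an added example, not code from this product or page: it models a flat list of process-creation events as a tree, implements those two operators, transcribes the five rules, and runs them over a constructed process tree that includes the Tracker-under-MSBuild gap described above. The pids, paths and the case-insensitive matching are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Optional

# Constructed sample of process-creation ("Follow Process") events: pid, exec path,
# parent pid. Paths and pids are made up for this example.
@dataclass
class Proc:
    pid: int
    exec_path: str
    ppid: Optional[int] = None

Pred = Callable[[Proc], bool]

class ProcessTree:
    """Resolves parent and ancestor chains from a flat list of events."""
    def __init__(self, procs: List[Proc]):
        self.by_pid: Dict[int, Proc] = {p.pid: p for p in procs}

    def parent(self, p: Proc) -> Optional[Proc]:
        return self.by_pid.get(p.ppid) if p.ppid is not None else None

    def ancestors(self, p: Proc) -> Iterator[Proc]:
        cur = self.parent(p)
        while cur is not None:
            yield cur
            cur = self.parent(cur)

    def has_ancestor(self, p: Proc, pred: Pred) -> bool:
        """The page's "with ancestor": true if ANY ancestor (not only the parent) matches."""
        return any(pred(a) for a in self.ancestors(p))

def path_contains(needle: str) -> Pred:
    """The page's "Exec Path contains X": a substring test (assumed case-insensitive)."""
    needle = needle.lower()
    return lambda p: needle in p.exec_path.lower()

def any_of(*preds: Pred) -> Pred:
    return lambda p: any(f(p) for f in preds)

OFFICE = any_of(path_contains("winword.exe"), path_contains("excel.exe"), path_contains("powerpnt.exe"))
OFFICE_ALLOWED = any_of(path_contains(r"\Windows\splwow64.exe"), path_contains("chrome.exe"),
                        path_contains("msip.executionhost.exe"), path_contains("msip.executionhost32.exe"),
                        path_contains("msosync.exe"), path_contains("ofccccaupdate.exe"))
SHELLS = any_of(path_contains("cmd.exe"), path_contains("powershell.exe"),
                path_contains("cscript.exe"), path_contains("wscript.exe"))
ACCESSIBILITY_PARENTS = any_of(path_contains("winlogon.exe"), path_contains("atbroker.exe"),
                               path_contains("utilman.exe"))
MSBUILD_ALLOWED = any_of(path_contains("Tracker.exe"), path_contains("csc.exe"),
                         path_contains("Microsoft Visual Studio"), path_contains("al.exe"),
                         path_contains("lc.exe"), path_contains("dotnet.exe"), path_contains("cvtres.exe"))

def rule_office(t: ProcessTree, p: Proc) -> bool:
    return not OFFICE_ALLOWED(p) and t.has_ancestor(p, OFFICE)

def accessibility_shell(t: ProcessTree, p: Proc) -> bool:
    """cmd/powershell/cscript/wscript whose DIRECT parent is winlogon/atbroker/utilman."""
    par = t.parent(p)
    return SHELLS(p) and par is not None and ACCESSIBILITY_PARENTS(par)

def rule_accessibility_1(t: ProcessTree, p: Proc) -> bool:
    return accessibility_shell(t, p)

def rule_accessibility_2(t: ProcessTree, p: Proc) -> bool:
    return t.has_ancestor(p, lambda a: accessibility_shell(t, a))

def rule_msbuild(t: ProcessTree, p: Proc) -> bool:
    """MSBuild descendant that is not allowlisted and has no allowlisted ancestor (allowed subtree)."""
    if not t.has_ancestor(p, path_contains("MSBuild.exe")):
        return False
    if MSBUILD_ALLOWED(p) or path_contains("conhost.exe")(p):
        return False
    return not t.has_ancestor(p, MSBUILD_ALLOWED)

def rule_tracker(t: ProcessTree, p: Proc) -> bool:
    return t.has_ancestor(p, path_contains("tracker.exe")) and not t.has_ancestor(p, path_contains("MSBuild.exe"))

RULES: Dict[str, Callable[[ProcessTree, Proc], bool]] = {
    "Suspicious MS Office behavior": rule_office,
    "T1015 - Accessibility features 1": rule_accessibility_1,
    "T1015 - Accessibility features 2": rule_accessibility_2,
    "T1127 - Trusted Developer Utilities - msbuild.exe": rule_msbuild,
    "T1127 - Trusted Developer Utilities - tracker.exe": rule_tracker,
}

def evaluate(procs: List[Proc]) -> Dict[str, List[int]]:
    """Return, per rule, the pids of the events that would be alerted."""
    t = ProcessTree(procs)
    return {name: [p.pid for p in procs if rule(t, p)] for name, rule in RULES.items()}

NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE = [  # constructed; not real telemetry
    Proc(1, r"C:\Windows\System32\winlogon.exe"),
    Proc(2, r"C:\Windows\System32\utilman.exe", 1),
    Proc(3, r"C:\Windows\System32\cmd.exe", 2),        # sticky-keys style backdoor shell
    Proc(4, r"C:\Windows\System32\whoami.exe", 3),     # child of that shell
    Proc(5, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Proc(6, r"C:\Windows\splwow64.exe", 5),            # allowlisted Office child (printing)
    Proc(7, r"C:\Windows\System32\cmd.exe", 5),        # macro spawning a shell
    Proc(8, NET + r"\MSBuild.exe"),
    Proc(9, NET + r"\csc.exe", 8),                     # normal compile
    Proc(10, NET + r"\cvtres.exe", 9),
    Proc(11, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 8),   # inline-task payload
    Proc(12, NET + r"\Tracker.exe", 8),
    Proc(13, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 12),  # the gap the page describes
    Proc(14, NET + r"\Tracker.exe"),                   # Tracker launched outside MSBuild
    Proc(15, r"C:\Windows\System32\cmd.exe", 14),
    Proc(16, r"C:\Windows\System32\calc.exe", 8),      # "lc.exe" is a substring of calc.exe
]

if __name__ == "__main__":
    for name, pids in evaluate(SAMPLE).items():
        print(f"{name}: {pids}")
```

Running it shows pid 13 (powershell under Tracker under MSBuild) alerted by neither T1127 rule, exactly the limitation the Tracker rule's description states, and pid 16 (calc.exe under MSBuild) silently allowed because "lc.exe" is a substring of its path. Both are worth a hunting query of their own.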
-
Name T1128 - Netsh Helper Dll
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains netsh.exe
Description This rule alerts and records if netsh.exe creates child processes.
-
Name T1136 - Create Account
Clause Event type = User Account
Description This rule alerts and records if a new user account is created.
-
Name T1138 - Application Shimming
Clause Event type = Follow Process and Process Info - Exec Path contains sdbinst.exe
Description This rule alerts and records if sdbinst.exe is invoked.
-
Name T1180 - Screensaver
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains .scr
Description This rule alerts and records child processes of any process whose exec path contains ".scr" (a screensaver). Because the clause uses "with ancestor", it is the descendants of the .scr process that are alerted, not the launch of the .scr file itself.
-
Name T1191 - CMSTP
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains cmstp.exe
Description This rule alerts and records if cmstp.exe creates child processes.
-
Name T1202 - Indirect Command Execution - forfiles.exe
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains forfiles.exe
Description This rule alerts and records if forfiles.exe creates child processes.
-
Name T1202 - Indirect Command Execution - pcalua.exe
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains pcalua.exe
Description This rule alerts and records if pcalua.exe creates child processes.
-
Name T1216 - Signed Script Proxy Execution - pubprn.vbs
Clause Event type = Follow Process with ancestor ((Process Info - Exec Path contains cscript.exe or Process Info - Exec Path contains wscript.exe) and Process Info - Command String contains .vbs and Process Info - Command String contains script)
Description This rule alerts and records if a .vbs script run by wscript.exe or cscript.exe with a parameter containing "script" creates a new process. An attacker can use this to execute pubprn.vbs with a script parameter pointing to a malicious .sct file, which gives code execution.
-
Name T1218 - Signed Binary Proxy Execution - msiexec.exe
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains msiexec.exe
Description This rule alerts and records if msiexec.exe creates child processes.
-
Name T1218 - Signed Binary Proxy Execution - odbcconf.exe
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains odbcconf.exe
Description This rule alerts and records if odbcconf.exe creates child processes.
-
Name T1218 - Signed Binary Proxy Execution - Register-CimProvider
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains Register-CimProvider.exe
Description This rule alerts and records if Register-CimProvider.exe creates child processes.
-
Name T1220 - XSL Script Processing - msxsl.exe
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains msxsl.exe
Description This rule alerts and records if msxsl.exe creates child processes.
-
Name T1220 - XSL Script Processing - wmic
Clause Event type = Follow Process and (Process Info - Exec Path contains wmic.exe and Process Info - Command String contains .xsl)
Description This rule alerts and records if wmic.exe is invoked with an .xsl stylesheet on its command line. Script embedded in the stylesheet can be used to launch arbitrary binaries.
-
Name T1223 - Compiled HTML Files
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains hh.exe
Description This rule alerts and records if hh.exe creates child processes.
-
Name T1003 - Credential Dumping - Lsass
Clause Event type = Follow Process and Process Info - Exec Path contains procdump.exe and Process Info - Command String contains lsass
Description This rule alerts and records if procdump.exe is used to dump the memory of the lsass process.
-
Name T1140 - Deobfuscate/Decode Files or Information
Clause Event type = Follow Process and Process Info - Exec Path contains certutil.exe and (Process Info - Command String matches .*encode\s.* or Process Info - Command String matches .*decode\s.*)
Description This rule alerts and records if certutil.exe is used to encode or decode a file. Attackers often use this to decode an encoded payload on the victim machine.
-
Name T1076 - Remote Desktop Protocol
Clause Event type = Follow Process and Process Info - Exec Path contains tscon.exe
Description This rule alerts and records if tscon.exe is executed. Attackers can use tscon.exe to hijack existing RDP sessions.
-
Name T1197 - BITS Jobs - Powershell
Clause Event type = Follow Process and Process Info - Exec Path contains powershell.exe and Process Info - Command String contains Start-BitsTransfer
Description This rule alerts and records if powershell.exe is used to run the Start-BitsTransfer cmdlet to copy or move files.
-
Name T1170 - MSHTA
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains mshta.exe
Description This rule alerts and records if mshta.exe creates child processes, as happens when a malicious HTA script launches other programs.
-
Name T1158 - Hidden Files and Directories
Clause Event type = Follow Process and (Process Info - Exec Path contains attrib.exe and Process Info - Command String contains +h)
Description This rule alerts and records if attrib.exe is used to mark a file or directory as hidden.
-
Name T1114 - Email Collection
Clause Event type = Follow Process and (Process Info - Command String matches .*.(ost|pst)(\s|"|’).* or Process Info - Command String matches .*.(ost|pst)$) and Process Info - Exec Path does not contain outlook.exe
Description This rule alerts and records if email data files (.ost and .pst) are referenced on the command line of any process other than outlook.exe.
-
Name T1070 - Indicator Removal on Host - Event Log
Clause Event type = Follow Process and Process Info - Exec Path contains wevtutil.exe and Process Info - Command String matches .*\s(cl|clear-log)\s.*
Description This rule alerts and records if wevtutil.exe is used to clear event logs.
-
Name T1070 - Indicator Removal on Host - USN
Clause Event type = Follow Process and Process Info - Exec Path contains fsutil.exe and Process Info - Command String matches .*\susn\s.* and Process Info - Command String matches .*\sdeletejournal.*
Description This rule alerts and records if fsutil.exe is used to delete the USN change journal.
-
Name T1053 - Scheduled Task
Clause Event type = Follow Process and Process Info - Exec Path contains schtasks.exe and Process Info - Command String contains create
Description This rule alerts and records if schtasks.exe is used to create new scheduled tasks.
-
Name T1003 - Credential Dumping - Vaultcmd
Clause Event type = Follow Process and Process Info - Exec Path contains vaultcmd.exe and Process Info - Command String matches .*\/list.*
Description This rule alerts and records if vaultcmd.exe is used to list the contents of the Windows Credential vault.
-
Name T1003 - Credential Dumping - Registry
Clause Event type = Follow Process and Process Info - Exec Path contains reg.exe and ((Process Info - Command String contains save or Process Info - Command String contains export) and (Process Info - Command String contains hklm or Process Info - Command String contains hkey_local_machine) and (Process Info - Command String contains sam or Process Info - Command String contains security or Process Info - Command String contains system))
Description This rule alerts and records if reg.exe is used to dump the SAM, SECURITY or SYSTEM registry hives from HKLM. The hive names are matched as substrings, so any HKLM save/export whose command line happens to contain "sam", "security" or "system" (for example a key path under HKLM\Software) will also alert.
-
Name T1201 - Password Policy Discovery 1
Clause Event type = Follow Process and Process Info - Exec Path contains chage and Process Info - Command String contains -l
Description This rule alerts and records if the chage utility is used to list the password aging policy for an account on a Linux machine.
-
Name T1081 - Credentials in Files - Linux
Clause Event type = Follow Process and (Process Info - Exec Path contains cat or Process Info - Exec Path contains grep) and (Process Info - Command String contains .bash_history or Process Info - Command String contains .password or Process Info - Command String contains .passwd)
Description This rule alerts and records if attempts are made to search for passwords stored in files on a Linux machine.
-
Name T1081 - Credentials in Files - Windows
Clause Event type = Follow Process and Process Info - Exec Path contains findstr.exe and Process Info - Command String contains password
Description This rule alerts and records if attempts are made to search for passwords stored in files on a Windows machine.
-
Name T1089 - Disabling Security Tools
Clause Event type = Follow Process and ((Process Info - Exec Path contains fltmc.exe and Process Info - Command String contains unload sysmon) or (Process Info - Exec Path contains sysmon.exe and Process Info - Command String contains /u))
Description This rule alerts and records if attempts are made to unload the Sysmon driver using fltmc.exe (the driver is named SysmonDrv, which the substring match still covers) or to uninstall Sysmon using sysmon.exe /u.