Release 10 - Out-of-the-box alerts
Our latest release brings us more alerts across various technologies, adding a total of 39 new Windows alerts, and one Office 365 alert.
The SciSec team has also made some progress in updating our older detections to match our current schema and documentation. You can see this in the Updated Legacy Alerts section.
These alerts have the same power as before but now integrate better with our other Devo products. If you use the MITRE Attack Advisor App, or like to edit your alerts in Loxcope, these detections can now seamlessly integrate with those products. They have also been updated to work better with our SecOps enrichments like the SecOpsAlertDescription lookup, and can now accurately show the MITRE tactics and techniques associated with the alerts.
Try them out, and let us know what you think. As always, all feedback is welcome and helps us to improve our content. In our next release, we will continue to update these alerts with the goal of completing the migration and using Q1 to assess the validity of all our alerts.
Alerts updated
| Detection name | Detection description | Devo table/Data source | Changes made |
|---|---|---|---|
| SecOpsAWSPermissionsBoundaryLiftedtoUser | The removal of a permissions boundary from an IAM user was detected. This action could be used by an attacker to escalate privileges within an AWS account. | | Fixed unknown identifier |
| SecOpsAWSIAMPolicyAppliedToGroup | A policy being attached to a group was detected. These kinds of events should be checked since they could be granting excessive access permissions to AWS services or resources. | | Fixed unknown identifier |
| SecOpsWinSchtasksForcedReboot | Alerts when flags are passed to | | Fixed installation failure |
| SecOpsWinScheduledTaskCreation | Detects when a scheduled task is created in Windows. | | Fixed installation failure, fixed casting issue, improved overall performance |
| SecOpsFWTrafficForeignDestination | Detects outbound traffic destined for unexpected countries. Users must populate a lookup table containing home/domestic/expected country codes. | | Fixed installation failure |
| SecOpsAwsDbSnapshotCreated | Creating a snapshot is a common technique utilized by malicious actors to download databases in a stealthy manner. This alert should be considered when other signals could indicate that an account has been compromised. | | Fixed installation failure |
| SecOpsFWExcessFirewallDenies | Detects excessive firewall blocks within a short time frame. The threshold should be adjusted in accordance with normal traffic patterns in an organization's environment. | | Fixed casting issue |
| SecOpsWinAttemptToAddCertificateToStore | Detects a user attempting to add a certificate to the store via | | Corrected the description to show appropriate tags |
| SecOpsAWSPermissionsBoundaryModifiedToUser | A permissions boundary has been modified for a role. This could allow granting all the actions in the permissions of the policies attached to that role. | | Reworked query filter |
New alerts
| Detection name | Detection description | Devo table/Data source/category |
|---|---|---|
| SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWithNetwork | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWONetwork | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationPowershellLoggingDisabled | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinModifyShowCompressColorAndInfoTipRegistry | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationHideSCAVolume | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationHideSCAPower | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationHideSCANetwork | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationHideSCAHealth | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationHideClockGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinActivateNoPropertiesMyDocumentsGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinActivateNoTrayContextMenuGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinActivateNoSetTaskbarGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinActivateNoCloseGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinActivateNoFileMenuGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinActivateNoControlPanelGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationNoFindGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationActivateNoRunGroupPolicy | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationNoDesktopGroupPolicy | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationDisableLockWSFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationDisableChangePasswdFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationDisableLogOffButton | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationDisableShutdownButton | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationDisableNotificationCenter | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationDisableTaskmgr | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationDisableCMDApp | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationDisableRegistryTool | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsBlackByteRansomwareRegChangesPowershell | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsBlackByteRansomwareRegistryChanges | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinPowershellSetExecutionPolicyBypass | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. | |
| SecOpsWinRegistryModificationIExplorerSecZone | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | |
| SecOpsWinRegistryModificationNewTrustedSite | Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses. | |
| SecOpsWinRegistryModificationStoreLogonCred | An attacker may modify the Windows Registry to force WDigest to store credentials in plaintext the next time someone logs on to the target system. | |
| SecOpsWinRegistryModificationRunKeyAdded | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. | |
| SecOpsWinRegistryModificationGlobalFolderOptions | An adversary may attempt to change the global folder options to hide their actions. | |
| SecOpsWinFsutilDeleteChangeJournal | An adversary may attempt to delete the persistent log of all changes made to files on a volume to hide their actions. | |
| SecOpsWinMimikatzLsadump | An adversary may attempt to dump credentials to obtain account login and credential material in the form of hashes or clear-text passwords. | |
| SecOpsWinCredentialDumpingNppspy | An adversary may attempt to dump credentials to obtain account login and credential material in the form of clear-text passwords. | |
| SecOpsWinShadowCopyDetected | Observes for Ntdsutil, Vssadmin, WMIC, or PowerShell creating shadow copies. This is another method to extract credentials. | |
| SecOpsO365SuspiciousAdminEmailForwarding | This detection is triggered when a user has configured several forwarding rules to the same email address. | |
Updated legacy alerts
| Detection name | Detection description | Devo table/Data source/Category |
|---|---|---|
| SecOpsAwsEcrImageUpload | Detects users uploading new images to AWS Elastic Container Registry (ECR). | |
| SecOpsAwsS3EncryptWithKMSKey | Detects actions taken by users to encrypt S3 buckets using KMS keys. | |
| SecOpsIntegrityProblem | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification, or the invalid hash could indicate a potential disk device error. This behavior can be an indicator that the machine may be compromised. | |
| SecOpsHAFNIUMHashFoundFileTargetingExchangeServers | Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. | |
| SecOpsHAFNIUMNetworkActivityTargetingExchangeServers | Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. | |
| SecOpsRevilKaseyaNetworkActivity | The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT Management update from Kaseya. | |
| SecOpsREvilKaseyaHashFound | The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT Management update from Kaseya. | |
| SecOpsFWRDPExternalAccess | Identifies RDP traffic from external sources allowed through the firewall. This type of traffic may indicate an adversary is in possession of valid accounts and is accessing a host from outside the network. | |
| SecOpsWinUserAddedToLocalSecurityEnabledGroup | Attackers may attempt to escalate privileges to a user account by adding it to a local security-enabled group. This could indicate privilege abuse or potential malicious activity. | |
| SecOpsWinWmiLaunchingShell | Detects WMI creating a child process of cmd.exe or PowerShell. An attacker can use WMI to launch a shell on the local or remote host to bypass application whitelisting, since WMI is a native Windows management tool. | |
| SecOpsMaliciousServiceInstallations | Monitors service creation through changes in the Registry and common utilities using command-line invocation. | |
| SecOpsHostDNSBasedCovertChannelIpv6Record | Detects whether an AAAA DNS response contains an announced IP address. If the response contains a non-announced IPv6 address, it may indicate a covert-channel communication attempt. | |
| SecOpsWinSpoolsvExeAbnormalProcessSpawn | Detects Spoolsv.exe launching unexpected child processes. This activity may be related to behavior in CVE-2018-8440. | |
| SecOpsAwsVpcLargeOutboundTrafficBlock | Actions observed as blocked for sending large amounts of data from AWS out to the internet. | |
| SecOpsAPT29byGoogleUpdateServiceInstall | Monitors service creation through changes in the Registry and common utilities using command-line invocation in order to detect the Russian nation-state attackers APT29. | |
| SecOpsWinAdminShareSuspiciousUse | Detects when a user pivots to an internal host from another internal host via Windows Admin shares. | |
| SecOpsWinAnonymousAccountCreated | Detects the creation of suspicious user accounts similar to ANONYMOUS LOGON. These accounts can be created as a means to evade defenses and monitoring by masquerading as a third-party service. | |
| SecOpsWinAttemptToAddCertificateToStore | Detects a user attempting to add a certificate to the store via certutil.exe -addstore. | |
| SecOpsWinAuditLogCleared | Detects attempts to clear the Windows Security event log, which is a known adversary defense evasion technique. | |
| SecOpsWinAuthLocalInteractiveLogin | Detects local logins from disallowed accounts or local logins to disallowed domains. Organizations must populate the permitted local accounts lookup and permitted domains lookup (case sensitive). | |
| SecOpsWinCmstpNetworkConnectionDetected | Detects CMSTP.exe creating external connections. Actors can bypass application control defenses by leveraging CMSTP to download and execute DLLs or scripts from remote servers. | |
| SecOpsWinCritServiceStopped | Detects various critical services being stopped via sc.exe or net.exe on the command line. | |
| SecOpsWinDcShadowDetected | Detects usage of the Mimikatz LSADUMP::DCShadow module. Attackers can temporarily set a computer to be a domain controller and make Active Directory updates. | |
| SecOpsWinDisableAntispywareRegistry | Detects users enabling the DisableAntiSpyware registry key. Attackers may utilize this technique for evasion. | |
| SecOpsWinDisableUac | Detects users modifying registry keys that control the enforcement of Windows User Account Control (UAC). | |
| SecOpsWinDomainTrustActivity | Detects when a user has attempted to gather information on the domain trust. | |
| SecOpsWinExcessiveKerberosSPNDowngrade | Detects excessive requests for Kerberos service tickets, which may be indicative of Kerberoasting activity. The threshold should be adjusted per organizational needs. | |
| SecOpsWinExternalDeviceInstallationDenied | Detects hardware installation failures due to policy. Device installation logging must be configured (see logging-related reference links). | |
| SecOpsWinLockoutsEndpoint | Multiple Windows account lockouts detected on the same endpoint. | |
| SecOpsWinLsassKeyModification | Monitors for changes to lsass.exe-related registry keys that are often edited to enable or obfuscate activity related to dumping the process. | |
| SecOpsWinLsassMemDump | Monitors for changes to lsass.exe-related registry keys that are often edited to enable or obfuscate activity related to dumping the process. | |
| SecOpsWinNetworkShareCreated | Detects the creation of a new Windows network share. | |
| SecOpsWinPowershellProcessDiscovery | Detects the use of various Get-Process PowerShell commands to discover information about running processes. | |
| SecOpsWinRegistryQuery | Identifies queries to the registry. Adversaries often query the registry to gather information about the system, configuration, and installed software. | |
| SecOpsWinRegUtilityHiveExport | Detects the use of reg.exe to access the Windows Registry SAM, system, or security hives containing credentials. Adversaries may use this technique to export registry hives for offline credential access attacks. | |
| SecOpsWinScheduledTaskCreation | Detects when a scheduled task is created in Windows. | |
| SecOpsWinSchtasksRemoteSystem | Detects flags passed to schtasks.exe on the command line that indicate a job is being scheduled on a remote system. | |
| SecOpsWinSmbAccessTempDirectory | Detects users attempting to remotely access files contained in the Windows temp directories of other systems. Remote systems do not typically pull logs from the temp directories of other systems. | |
| SecOpsWinSpoolsvExeAbnormalProcessSpawn | Detects Spoolsv.exe launching unexpected child processes. This activity may be related to behavior in CVE-2018-8440. | |
| SecOpsWinSuspiciousExternalDeviceInstallation | Detects the installation of hardware that was previously denied by policy. Device installation logging must be configured (see logging-related reference links). | |
| SecOpsWinUserAddedPrivlegedSecGroup | Alerts when an unprivileged account is added to a global security group such as domain administrators. | |
| SecOpsWinUserAddedToLocalSecurityEnabledGroup | Attackers may attempt to escalate privileges to a user account by adding it to a local security-enabled group. This could indicate privilege abuse or potential malicious activity. | |
| SecOpsWinUserCreationAbnormalNamingConvention | Detects new user accounts that do not match a user-specified naming convention. The `namePattern` selector value should be populated with a regular expression that matches the organization's naming convention. | |
| SecOpsWinUserCredentialDumpRegistry | Monitors for use of reg.exe with parameters indicating the attempted export of hashed credentials. | |
| SecOpsWinWmiExecVbsScript | Detects suspicious file execution by wscript and cscript. Adversaries can use this mechanism to execute malicious code for persistence or privilege escalation. | |
| SecOpsWinWmiLaunchingShell | Detects WMI creating a child process of cmd.exe or PowerShell. An attacker can use WMI to launch a shell on the local or remote host to bypass application whitelisting, since WMI is a native Windows management tool. | |
| SecOpsWinWmiProcessCallCreate | Detects usage of WMI to create processes on the local or remote hosts. WMI is a native Windows tool and can be used to bypass application whitelisting. | |
| SecOpsWinWmiprvseSpawningProcess | Detects child processes spawned by WMIPRVSE. Adversaries can use this to obscure parent-child relationships or launch cmd.exe or PowerShell. | |
| SecOpsWinWmiScriptExecution | Detects the WMI standard event consumer launching a script. Validate the running script, as this is a rare occurrence in Windows environments. | |
| SecOpsWinRegistryQuery | Identifies queries to the registry. Adversaries often query the registry to gather information about the system, configuration, and installed software. | |
| SecOpsPossiblePortKnocking | Possible port knocking has been detected from an IP outside of the organization. | |
| SecOpsFWSMBTrafficOutbound | This alert detects SMB traffic from internal to external sources allowed through the firewall. | |
| SecOpsSuspicionOfPossibleDomainGenerationAlgorithm | Detects a possible domain generation algorithm (DGA), which can be associated with command and control (C&C) communication. | |
| SecOpsAWSDetectNewUserAWSConsoleLogin | This alert triggers when a user logs into the console for the first time in a year. | |
| SecOpsAWSUserSuccessfulLoginWithoutMFA | A successful AWS console login without MFA was detected. AWS security best practices recommend enabling this security measure for console access. | |
| SecOpsTLDFromDomainNotInMozillaTLD | Detects a domain whose TLD is not in the Mozilla TLD list. | |
| SecOpsTooLongDNSResponse | Monitors TXT and ANY responses to detect infiltrations or possible reflection attacks. | |
| SecOpsFWExcessFirewallDeniesOutbound | Detects excessive firewall blocks for outbound traffic from a single IP in a short period. This activity may be indicative of C2 traffic and should be reviewed. | |
| SecOpsDynamicDNSDetected | Dynamic DNS services are in several cases associated with malware and fraud campaigns. They can also be part of a content filter bypass technique used by internal systems. | |
| SecOpsPortIntoURL | During normal navigation by a user or system, URLs do not include the destination port. The use of a port in the URL can be suspicious behavior in combination with other factors. | |
| SecOpsSeveralError4xx | Client 4xx errors on a web server can be an indicator of an attack in progress (authentication bypass, injection, etc.). | |
| SecOpsAppInitDLLsLoaded | Monitors DLL loads by processes that load user32.dll and looks for DLLs that are not recognized or not normally loaded into a process. | |
| SecOpsBypassUserAccountControl | Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. | |
| SecOpsDLLWithNonUsualPath | Monitors DLLs loaded into a process and detects DLLs that have the same file name but abnormal paths. | |
| SecOpsMaliciousPowerShellCommandletNames | Detects the creation of known PowerShell scripts for exploitation. | |
| SecOpsMaliciousPowerShellPrebuiltCommandlet | Detects PowerShell script execution of known PowerShell scripts for exploitation. | |
| SecOpsPassTheHashActivityLoginBehaviour | Detects possible use of Pass-the-Hash (PtH) for lateral movement between workstations: a successful logon would trigger event ID 4624, and a failed logon attempt would trigger event ID 4625. Triggered by $ProcessName from $entity_sourceIP. | |
| SecOpsRareServiceInstalls | Monitors service creation through changes in the Registry and common utilities using command-line invocation. | |
| SecOpsStoneDrillServiceInstall | Monitors service creation through changes in the Registry and common utilities using command-line invocation. | |
| SecOpsSuspiciousBehaviorAppInitDLL | Malware can insert the location of its malicious library under the Appinit_Dlls registry key to have another process load the library. | |
| SecOpsSuspiciousWMIExecution | Detects WMI executing suspicious commands. | |
| SecOpsTurlaPNGDropperService | Monitors service creation through changes in the Registry and common utilities using command-line invocation. | |
| SecOpsTurlaServiceInstall | Monitors service creation through changes in the Registry and common utilities using command-line invocation. | |
| SecOpsWinWmiprvseSpawningProcess | Detects child processes spawned by WMIPRVSE. Adversaries can use this to obscure parent-child relationships or launch cmd.exe or PowerShell. | |
| SecOpsActivityAnonymousIPAddressesO365 | This policy profiles your environment and triggers alerts when it identifies activity from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device's IP address and may be used for malicious intent. | |
| SecOpsAnonymousConnection | Control over the navigation of users and systems on the network is considered essential to avoid risks. Access to anonymous navigation networks must be monitored. | |