
Release 10 - Out-of-the-box alerts

Our latest release brings more alerts across various technologies, adding a total of 39 new Windows alerts and one Office 365 alert.

The SciSec team has also made progress in updating our older detections to match our current schema and documentation. You can see this in the Updated legacy alerts section.

These alerts have the same power as before but now integrate better with our other Devo products. If you use the MITRE Attack Advisor App, or like to edit your alerts in Loxcope, these detections now integrate seamlessly with those products. They have also been updated to work better with our SecOps enrichments, such as the SecOpsAlertDescription lookup, and now accurately show the MITRE tactics and techniques associated with each alert.

Try them out and let us know what you think. As always, all feedback is welcome and helps us improve our content. In our next release we will continue updating these alerts, with the goal of completing the migration, and we will use Q1 to assess the validity of all our alerts.

Alerts updated

| Detection name | Detection description | Devo table/Data source | Changes made |
|---|---|---|---|
| SecOpsAWSPermissionsBoundaryLiftedtoUser | Detects the removal of a permissions boundary from an IAM user. An attacker could use this action to escalate privileges within an AWS account. | cloud.aws.cloudtrail | Fixed unknown identifier |
| SecOpsAWSIAMPolicyAppliedToGroup | Detects a policy being attached to an IAM group. Review these events, since the policy could grant excessive permissions to AWS services or resources. | cloud.aws.cloudtrail | Fixed unknown identifier |
| SecOpsWinSchtasksForcedReboot | Alerts when flags passed to schtasks.exe on the command line indicate that a forced system reboot is scheduled. | box.all.win | Fixed installation failure |
| SecOpsWinScheduledTaskCreation | Detects when a scheduled task is created in Windows. | box.all.win | Fixed installation failure and casting issue; improved overall performance |
| SecOpsFWTrafficForeignDestination | Detects outbound traffic destined for unexpected countries. Users must populate a lookup table with the home/domestic/expected country codes. | firewall.all.traffic | Fixed installation failure |
| SecOpsAwsDbSnapshotCreated | Detects the creation of a database snapshot. Creating a snapshot is a common technique used by attackers to download a database stealthily; weigh this alert together with other signals that an account may have been compromised. | cloud.aws.cloudtrail | Fixed installation failure |
| SecOpsFWExcessFirewallDenies | Detects excessive firewall blocks within a short time frame. Adjust the threshold to the normal traffic patterns of your environment. | firewall.all.traffic | Fixed casting issue |
| SecOpsWinAttemptToAddCertificateToStore | Detects a user attempting to add a certificate to the store via certutil.exe -addstore. | box.all.win | Corrected the description to show the appropriate tags |
| SecOpsAWSPermissionsBoundaryModifiedToUser | Detects modification of a permissions boundary on a role. A loosened boundary could allow all the actions granted by the policies attached to that role. | cloud.aws.cloudtrail | Reworked query filter |
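
The CloudTrail alerts above (and SecOpsAWSUserSuccessfulLoginWithoutMFA further down) all key on a small set of IAM, RDS and console sign-in event names. The following is an added example, not Devo content or a Devo query: it runs that detection logic in Python over constructed CloudTrail records. The event names (DeleteUserPermissionsBoundary, PutUserPermissionsBoundary, PutRolePermissionsBoundary, AttachGroupPolicy, PutGroupPolicy, CreateDBSnapshot, CreateDBClusterSnapshot, ConsoleLogin) and the MFAUsed field are real CloudTrail names; the account, users and record shapes are made up.

```python
"""Added example (not Devo code): CloudTrail detection logic for the AWS alerts
on this page, run over constructed sample records. The event names are real
CloudTrail event names for IAM, RDS and console sign-in; the record shapes are
reduced to the fields the checks need."""

IAM, RDS, SIGNIN = "iam.amazonaws.com", "rds.amazonaws.com", "signin.amazonaws.com"


def caller(record):
    """Principal ARN of the caller, falling back to userName, for the finding."""
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("userName") or "unknown"


def detect_cloudtrail(records):
    """Return (alert name, caller, detail) tuples for records that match an alert."""
    findings = []
    for r in records:
        if r.get("errorCode"):
            continue  # the API call failed, so nothing changed; route these elsewhere
        src, name = r.get("eventSource"), r.get("eventName")
        params = r.get("requestParameters") or {}
        resp = r.get("responseElements") or {}
        extra = r.get("additionalEventData") or {}
        if src == IAM and name == "DeleteUserPermissionsBoundary":
            findings.append(("SecOpsAWSPermissionsBoundaryLiftedtoUser", caller(r),
                             "user=%s" % params.get("userName")))
        elif src == IAM and name in ("PutUserPermissionsBoundary", "PutRolePermissionsBoundary"):
            target = params.get("userName") or params.get("roleName")
            findings.append(("SecOpsAWSPermissionsBoundaryModifiedToUser", caller(r),
                             "target=%s boundary=%s" % (target, params.get("permissionsBoundary"))))
        elif src == IAM and name in ("AttachGroupPolicy", "PutGroupPolicy"):
            policy = params.get("policyArn") or params.get("policyName")
            findings.append(("SecOpsAWSIAMPolicyAppliedToGroup", caller(r),
                             "group=%s policy=%s" % (params.get("groupName"), policy)))
        elif src == RDS and name in ("CreateDBSnapshot", "CreateDBClusterSnapshot"):
            snap = params.get("dBSnapshotIdentifier") or params.get("dBClusterSnapshotIdentifier")
            findings.append(("SecOpsAwsDbSnapshotCreated", caller(r), "snapshot=%s" % snap))
        elif src == SIGNIN and name == "ConsoleLogin":
            # CloudTrail records MFA use for console sign-ins in additionalEventData.MFAUsed
            if resp.get("ConsoleLogin") == "Success" and extra.get("MFAUsed") == "No":
                findings.append(("SecOpsAWSUserSuccessfulLoginWithoutMFA", caller(r),
                                 "sourceIP=%s" % r.get("sourceIPAddress")))
    return findings


ACCOUNT = "arn:aws:iam::123456789012:user/"   # constructed account
SAMPLE_TRAIL = [  # constructed CloudTrail records, in the order they were logged
    {"eventSource": IAM, "eventName": "DeleteUserPermissionsBoundary",
     "userIdentity": {"arn": ACCOUNT + "alice"},
     "requestParameters": {"userName": "svc-deploy"}},
    {"eventSource": IAM, "eventName": "PutRolePermissionsBoundary",
     "userIdentity": {"arn": ACCOUNT + "alice"},
     "requestParameters": {"roleName": "ci-role",
                           "permissionsBoundary": "arn:aws:iam::aws:policy/PowerUserAccess"}},
    {"eventSource": IAM, "eventName": "AttachGroupPolicy",
     "userIdentity": {"arn": ACCOUNT + "alice"},
     "requestParameters": {"groupName": "developers",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": RDS, "eventName": "CreateDBSnapshot",
     "userIdentity": {"arn": ACCOUNT + "svc-deploy"},
     "requestParameters": {"dBInstanceIdentifier": "prod-db", "dBSnapshotIdentifier": "tmp-1"}},
    {"eventSource": SIGNIN, "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": SIGNIN, "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"userName": "carol"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventSource": IAM, "eventName": "AttachGroupPolicy", "errorCode": "AccessDenied",
     "userIdentity": {"arn": ACCOUNT + "mallory"},
     "requestParameters": {"groupName": "developers",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]


if __name__ == "__main__":
    for alert, who, detail in detect_cloudtrail(SAMPLE_TRAIL):
        print(f"{alert:45} {who:50} {detail}")
```

Two choices are worth copying into a real rule: records with an errorCode are skipped here because a denied call changes no state, but a denied AttachGroupPolicy from an unexpected principal is itself a useful (separate) signal; and the MFA check is made on the success response only, so failed sign-ins do not inflate the alert.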

New alerts

| Detection name | Detection description | Devo table/Data source/Category |
|---|---|---|
| SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWithNetwork | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWONetwork | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationPowershellLoggingDisabled | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinModifyShowCompressColorAndInfoTipRegistry | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationHideSCAVolume | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationHideSCAPower | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationHideSCANetwork | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationHideSCAHealth | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationHideClockGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinActivateNoPropertiesMyDocumentsGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinActivateNoTrayContextMenuGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinActivateNoSetTaskbarGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinActivateNoCloseGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinActivateNoFileMenuGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinActivateNoControlPanelGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationNoFindGroupPolicyFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationActivateNoRunGroupPolicy | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationNoDesktopGroupPolicy | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationDisableLockWSFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationDisableChangePasswdFeature | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationDisableLogOffButton | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationDisableShutdownButton | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationDisableNotificationCenter | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationDisableTaskmgr | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationDisableCMDApp | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationDisableRegistryTool | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsBlackByteRansomwareRegChangesPowershell | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsBlackByteRansomwareRegistryChanges | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinPowershellSetExecutionPolicyBypass | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. | box.all.win |
| SecOpsWinRegistryModificationIExplorerSecZone | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. | box.all.win |
| SecOpsWinRegistryModificationNewTrustedSite | Detects a registry modification that adds a new trusted site. Adversaries may loosen browser security-zone settings in this way to evade defenses. | box.all.win |
| SecOpsWinRegistryModificationStoreLogonCred | An attacker may modify the Windows registry to force WDigest to store credentials in plaintext the next time someone logs on to the target system. | box.all.win |
| SecOpsWinRegistryModificationRunKeyAdded | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. | box.all.win |
| SecOpsWinRegistryModificationGlobalFolderOptions | An adversary may change the global folder options to hide their actions. | box.all.win |
| SecOpsWinFsutilDeleteChangeJournal | An adversary may delete the change journal, the persistent log of all changes made to files on a volume, to hide their actions. | box.all.win |
| SecOpsWinMimikatzLsadump | An adversary may attempt to dump credentials to obtain account login and credential material in the form of hashes or clear-text passwords. | box.all.win |
| SecOpsWinCredentialDumpingNppspy | An adversary may attempt to dump credentials to obtain account login and credential material in the form of clear-text passwords. | box.all.win |
| SecOpsWinShadowCopyDetected | Detects Ntdsutil, Vssadmin, WMIC, or PowerShell creating volume shadow copies, another method used to extract credentials. | box.all.win |
| SecOpsO365SuspiciousAdminEmailForwarding | Triggers when a user has configured several forwarding rules to the same email address. | cloud.office365.management |
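
Most of the Windows alerts on this page reduce to two checks over endpoint telemetry: a command-line pattern on process creation, or a registry path plus value on a registry write. The block below is an added example, not Devo code or a Devo query, that runs those checks in Python over constructed Sysmon-style events (Event ID 1 for process creation, Event ID 13 for a registry value being set). It covers the WDigest, run-key, execution-policy, change-journal, shadow-copy and Mimikatz alerts from this table and the certutil -addstore and reg.exe hive-export alerts from the other two tables. The Sysmon field names are real; the registry value names in POLICY_VALUES are inferred from the alert names and are an assumption about what those alerts watch, and all sample events are made up.

```python
"""Added example (not Devo code): command-line and registry detection logic for
the Windows alerts on this page, run over constructed Sysmon-style events
(Event ID 1 = process creation, Event ID 13 = registry value set). Field names
follow Sysmon. The value names in POLICY_VALUES are inferred from the alert
names and are an assumption about what each alert watches."""
import re

# Process-creation rules: (alert name, image basename regex, command-line regex).
CMDLINE_RULES = [
    ("SecOpsWinRegistryModificationStoreLogonCred", r"reg\.exe",
     r"wdigest.*uselogoncredential.*\b1\b"),
    ("SecOpsWinPowershellSetExecutionPolicyBypass", r"(powershell|pwsh)\.exe",
     r"(-e\w*\s+bypass|set-executionpolicy\s+(-\w+\s+)?bypass)"),
    ("SecOpsWinFsutilDeleteChangeJournal", r"fsutil\.exe", r"\busn\s+deletejournal\b"),
    ("SecOpsWinShadowCopyDetected", r"(vssadmin|wmic|ntdsutil|powershell)\.exe",
     r"(create\s+shadow|shadowcopy\s+call\s+create|\bifm\b|win32_shadowcopy)"),
    ("SecOpsWinMimikatzLsadump", r".*", r"(lsadump::|sekurlsa::)"),  # any image name
    ("SecOpsWinAttemptToAddCertificateToStore", r"certutil\.exe", r"-addstore\b"),
    ("SecOpsWinRegUtilityHiveExport", r"reg\.exe",
     r"\b(save|export)\s+hklm\\(sam|system|security)\b"),
]

# Registry rules, matched against the lower-cased TargetObject path.
WDIGEST = r"\\securityproviders\\wdigest\\uselogoncredential$"
RUN_KEY = r"\\currentversion\\(run|runonce)\\"
POLICY_VALUES = {  # assumed value names under a ...\Policies\... key -> alert
    "disabletaskmgr": "SecOpsWinRegistryModificationDisableTaskmgr",
    "disableregistrytools": "SecOpsWinRegistryModificationDisableRegistryTool",
    "disablecmd": "SecOpsWinRegistryModificationDisableCMDApp",
    "disablelockworkstation": "SecOpsWinRegistryModificationDisableLockWSFeature",
}


def _set_nonzero(details):
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; True when non-zero."""
    m = re.search(r"0x([0-9a-f]+)", details or "", re.I)
    return bool(m) and int(m.group(1), 16) != 0


def detect_process(ev):
    image = (ev.get("Image") or "").rsplit("\\", 1)[-1]
    cmd = ev.get("CommandLine") or ""
    return [alert for alert, image_re, cmd_re in CMDLINE_RULES
            if re.fullmatch(image_re, image, re.I) and re.search(cmd_re, cmd, re.I)]


def detect_registry(ev):
    target = (ev.get("TargetObject") or "").lower()
    details = ev.get("Details") or ""
    hits = []
    if re.search(WDIGEST, target) and _set_nonzero(details):
        hits.append("SecOpsWinRegistryModificationStoreLogonCred")
    if re.search(RUN_KEY, target):
        hits.append("SecOpsWinRegistryModificationRunKeyAdded")
    value = target.rsplit("\\", 1)[-1]
    if "\\policies\\" in target and value in POLICY_VALUES and _set_nonzero(details):
        hits.append(POLICY_VALUES[value])  # clearing the value (0x0) is not alerted
    return hits


def detect_windows(events):
    """Return (alert name, host, evidence) tuples across a stream of events."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            hits, evidence = detect_process(ev), ev.get("CommandLine")
        elif ev.get("EventID") == 13:
            hits, evidence = detect_registry(ev), ev.get("TargetObject")
        else:
            continue
        findings.extend((alert, ev.get("Computer", "?"), evidence) for alert in hits)
    return findings


SAMPLE_EVENTS = [  # constructed events; the last one is a benign control (value cleared)
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "
                    r"/v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"EventID": 13, "Computer": "WS01", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoP -ExecutionPolicy Bypass -File C:\Users\Public\x.ps1"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": "fsutil usn deletejournal /D C:"},
    {"EventID": 1, "Computer": "DC01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": 1, "Computer": "DC01", "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\dump" q q'},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Users\Public\svc.exe",
     "CommandLine": 'svc.exe "privilege::debug" "lsadump::sam" exit'},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -addstore -f Root C:\Users\Public\ca.cer"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"EventID": 13, "Computer": "WS02", "Details": r"C:\Users\Public\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "Computer": "WS02", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"EventID": 13, "Computer": "WS03", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
]


if __name__ == "__main__":
    for alert, host, evidence in detect_windows(SAMPLE_EVENTS):
        print(f"{host:5} {alert:55} {evidence}")
```

Note that the WDigest change is caught twice on purpose: once from the reg.exe command line and once from the registry write itself. The second path also fires when the value is set through an API or PowerShell with no tell-tale command line, which is why registry-event rules are worth keeping alongside command-line rules even when they look redundant.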

Updated legacy alerts

| Detection name | Detection description | Devo table/Data source/Category |
|---|---|---|
| SecOpsAwsEcrImageUpload | Detects users uploading new images to AWS Elastic Container Registry (ECR). | cloud.aws.cloudtrail |
| SecOpsAwsS3EncryptWithKMSKey | Detects actions taken by users to encrypt S3 buckets using KMS keys. | cloud.aws.cloudtrail |
| SecOpsIntegrityProblem | Code Integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification, or the invalid hash could indicate a disk device error. This behaviour can indicate that the machine is compromised. | box.all.win |
| SecOpsHAFNIUMHashFoundFileTargetingExchangeServers | Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. | edr.all.threats |
| SecOpsHAFNIUMNetworkActivityTargetingExchangeServers | Microsoft has detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. | firewall.all.traffic |
| SecOpsRevilKaseyaNetworkActivity | The REvil ransomware hit 40 service providers globally through multiple Kaseya VSA zero-days; the attack was pushed out via an infected IT management update from Kaseya. | firewall.all.traffic |
| SecOpsREvilKaseyaHashFound | The REvil ransomware hit 40 service providers globally through multiple Kaseya VSA zero-days; the attack was pushed out via an infected IT management update from Kaseya. | edr.all.threats |
| SecOpsFWRDPExternalAccess | Identifies RDP traffic from external sources allowed through the firewall. This type of traffic may indicate that an adversary holds valid accounts and is accessing a host from outside the network. | firewall.all.traffic |
| SecOpsWinUserAddedToLocalSecurityEnabledGroup | Attackers may attempt to escalate the privileges of a user account by adding it to a local security-enabled group. This could indicate privilege abuse or malicious activity. | box.all.win |
| SecOpsWinWmiLaunchingShell | Detects WMI creating a child process of cmd.exe or PowerShell. An attacker can use WMI to launch a shell on the local or a remote host to bypass application whitelisting, since WMI is a native Windows management tool. | box.all.win |
| SecOpsMaliciousServiceInstallations | Monitors service creation through changes in the Registry and common utilities using command-line invocation. | box.all.win |
| SecOpsHostDNSBasedCovertChannelIpv6Record | Detects whether a AAAA DNS response contains an IPv6 address that is not announced. A response containing a non-announced IPv6 address may indicate a covert-channel communication attempt. | network.dns |
| SecOpsWinSpoolsvExeAbnormalProcessSpawn | Detects spoolsv.exe launching unexpected child processes. This activity may be related to the behaviour in CVE-2018-8440. | box.all.win |
| SecOpsAwsVpcLargeOutboundTrafficBlock | Detects blocked attempts to send large amounts of data from AWS out to the internet. | vpc.aws.flow |
| SecOpsAPT29byGoogleUpdateServiceInstall | Monitors service creation through changes in the Registry and common utilities using command-line invocation in order to detect service installs associated with the Russian nation-state actor APT29. | box.all.win |
| SecOpsWinAdminShareSuspiciousUse | Detects when a user pivots to an internal host from another internal host via Windows admin shares. | box.all.win |
| SecOpsWinAnonymousAccountCreated | Detects the creation of suspicious user accounts with names similar to ANONYMOUS LOGON. Such accounts can be created to evade defenses and monitoring by masquerading as a third-party service. | box.all.win |
| SecOpsWinAttemptToAddCertificateToStore | Detects a user attempting to add a certificate to the store via certutil.exe -addstore. | box.all.win |
| SecOpsWinAuditLogCleared | Detects attempts to clear the Windows Security event log, a known adversary defense-evasion technique. | box.all.win |
| SecOpsWinAuthLocalInteractiveLogin | Detects local logins from disallowed accounts or local logins to disallowed domains. Organizations must populate the permitted local accounts lookup and the permitted domains lookup (case sensitive). | box.all.win |
| SecOpsWinCmstpNetworkConnectionDetected | Detects CMSTP.exe creating external connections. Actors can bypass application control defenses by leveraging CMSTP to download and execute DLLs or scripts from remote servers. | box.all.win |
| SecOpsWinCritServiceStopped | Detects critical services being stopped from the command line via sc.exe or net.exe. | box.all.win |
| SecOpsWinDcShadowDetected | Detects usage of the Mimikatz LSADUMP::DCShadow module. Attackers can temporarily register a computer as a domain controller and push Active Directory updates. | box.all.win |
| SecOpsWinDisableAntispywareRegistry | Detects users enabling the DisableAntiSpyware registry key. Attackers may use this technique for evasion. | box.all.win |
| SecOpsWinDisableUac | Detects users modifying registry keys that control the enforcement of Windows User Account Control (UAC). | box.all.win |
| SecOpsWinDomainTrustActivity | Detects when a user has attempted to gather information on domain trusts. | box.all.win |
| SecOpsWinExcessiveKerberosSPNDowngrade | Detects excessive requests for Kerberos service tickets, which may indicate Kerberoasting activity. Adjust the threshold to organizational needs. | box.all.win |
| SecOpsWinExternalDeviceInstallationDenied | Detects hardware installation failures due to policy. Device installation logging must be configured (see the logging-related reference links). | box.all.win |
| SecOpsWinLockoutsEndpoint | Multiple Windows account lockouts detected on the same endpoint. | box.all.win |
| SecOpsWinLsassKeyModification | Monitors for changes to lsass.exe-related registry keys that are often edited to enable or obfuscate activity related to dumping the process. | box.all.win |
| SecOpsWinLsassMemDump | Detects attempts to dump the memory of the lsass.exe process in order to obtain credentials. | box.all.win |
| SecOpsWinNetworkShareCreated | Detects the creation of a new Windows network share. | box.all.win |
| SecOpsWinPowershellProcessDiscovery | Detects the use of various Get-Process PowerShell commands to discover information about running processes. | box.all.win |
| SecOpsWinRegistryQuery | Identifies queries to the registry. Adversaries often query the registry to gather information about the system, its configuration, and installed software. | box.all.win |
| SecOpsWinRegUtilityHiveExport | Detects the use of reg.exe to access the Windows Registry SAM, SYSTEM, or SECURITY hives, which contain credentials. Adversaries may export these hives for offline credential attacks. | box.all.win |
| SecOpsWinScheduledTaskCreation | Detects when a scheduled task is created in Windows. | box.all.win |
| SecOpsWinSchtasksRemoteSystem | Detects flags passed to schtasks.exe on the command line that indicate a job is being scheduled on a remote system. | box.all.win |
| SecOpsWinSmbAccessTempDirectory | Detects users attempting to remotely access files in the Windows temp directories of other systems. Remote systems do not typically pull files from the temp directories of other systems. | box.all.win |
| SecOpsWinSuspiciousExternalDeviceInstallation | Detects the installation of hardware that was previously denied by policy. Device installation logging must be configured (see the logging-related reference links). | box.all.win |
| SecOpsWinUserAddedPrivlegedSecGroup | Alerts when an unprivileged account is added to a global security group such as Domain Admins. | box.all.win |
| SecOpsWinUserCreationAbnormalNamingConvention | Detects new user accounts that do not match a user-specified naming convention. The `namePattern` selector value should be populated with a regular expression that matches the organization's naming convention. | box.all.win |
| SecOpsWinUserCredentialDumpRegistry | Monitors for use of reg.exe with parameters indicating an attempted export of hashed credentials. | box.all.win |
| SecOpsWinWmiExecVbsScript | Detects suspicious file execution by wscript and cscript. Adversaries can use this mechanism to execute malicious code for persistence or privilege escalation. | box.all.win |
| SecOpsWinWmiProcessCallCreate | Detects usage of WMI to create processes on the local or a remote host. WMI is a native Windows tool and can be used to bypass application whitelisting. | box.all.win |
| SecOpsWinWmiprvseSpawningProcess | Detects child processes spawned by WMIPRVSE. Adversaries can use this to obscure parent-child relationships or launch cmd.exe or PowerShell. | box.all.win |
| SecOpsWinWmiScriptExecution | Detects the WMI standard event consumer launching a script. Validate the running script, as this is a rare occurrence in Windows environments. | box.all.win |
| SecOpsPossiblePortKnocking | Possible port knocking detected from an IP address outside the organization. | netstat.netflow.all |
| SecOpsFWSMBTrafficOutbound | Detects SMB traffic from internal to external sources allowed through the firewall. | firewall.all.traffic |
| SecOpsSuspicionOfPossibleDomainGenerationAlgorithm | Detects a possible domain generation algorithm (DGA), which can be associated with command and control (C&C) communication. | secops.entities.system |
| SecOpsAWSDetectNewUserAWSConsoleLogin | Triggers when a user logs in to the console for the first time in a year. | cloud.aws.cloudtrail |
| SecOpsAWSUserSuccessfulLoginWithoutMFA | Detects a successful AWS console login without MFA. AWS security best practices recommend enabling MFA for console access. | cloud.aws.cloudtrail |
| SecOpsTLDFromDomainNotInMozillaTLD | Detects a domain whose TLD is not in the Mozilla TLD list. | domains.all |
| SecOpsTooLongDNSResponse | Monitors unusually long TXT and ANY responses to detect data infiltration over DNS or possible reflection attacks. | network.dns |
| SecOpsFWExcessFirewallDeniesOutbound | Detects excessive firewall blocks for outbound traffic from a single IP in a short period. This activity may indicate C2 traffic and should be reviewed. | firewall.all.traffic |
| SecOpsDynamicDNSDetected | Dynamic DNS services are often associated with malware and fraud campaigns, and can also be part of a content-filter bypass technique used by internal systems. | proxy.all.access |
| SecOpsPortIntoURL | During normal browsing by a user or system, URLs do not usually include an explicit destination port. Use of an explicit port can be suspicious in combination with other factors. | proxy.all.access |
| SecOpsSeveralError4xx | Client 4xx errors on a web server can indicate an attack in progress, such as authentication bypass or injection attempts. | web.all.access |
| SecOpsAppInitDLLsLoaded | Monitors DLL loads by processes that load user32.dll and looks for DLLs that are not recognized or not normally loaded into a process. | box.all.win |
| SecOpsBypassUserAccountControl | Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. | box.all.win |
| SecOpsDLLWithNonUsualPath | Monitors DLLs loaded into a process and detects DLLs that have the same file name but an abnormal path. | box.all.win |
| SecOpsMaliciousPowerShellCommandletNames | Detects the creation of known PowerShell scripts used for exploitation. | box.all.win |
| SecOpsMaliciousPowerShellPrebuiltCommandlet | Detects PowerShell execution of known PowerShell scripts used for exploitation. | box.all.win |
| SecOpsPassTheHashActivityLoginBehaviour | Detects possible use of pass-the-hash (PtH) for lateral movement between workstations: a successful PtH logon triggers event ID 4624, and a failed logon attempt triggers event ID 4625. Triggered by $ProcessName from $entity_sourceIP. | box.all.win |
| SecOpsRareServiceInstalls | Monitors service creation through changes in the Registry and common utilities using command-line invocation. | box.all.win |
| SecOpsStoneDrillServiceInstall | Monitors service creation through changes in the Registry and common utilities using command-line invocation. | box.all.win |
| SecOpsSuspiciousBehaviorAppInitDLL | Malware can insert the path of its malicious library under the AppInit_DLLs registry key so that other processes load the library. | box.all.win |
| SecOpsSuspiciousWMIExecution | Detects WMI executing suspicious commands. | box.all.win |
| SecOpsTurlaPNGDropperService | Monitors service creation through changes in the Registry and common utilities using command-line invocation. | box.all.win |
| SecOpsTurlaServiceInstall | Monitors service creation through changes in the Registry and common utilities using command-line invocation. | box.all.win |
| SecOpsActivityAnonymousIPAddressesO365 | This policy profiles your environment and triggers alerts when it identifies activity from an IP address that has been identified as an anonymous proxy. These proxies are used by people who want to hide their device's IP address and may be used with malicious intent. | cloud.office365.siem_agent_alert |
| SecOpsAnonymousConnection | Controlling the browsing of users and systems on the network is essential to reduce risk; access to anonymising networks must be monitored. | firewall.all.traffic |
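
The firewall alerts on this page are of two kinds: lookup checks on a single allowed flow (foreign destination, RDP from outside, SMB leaving the network) and a count of denies from one source inside a short window. The block below is an added example, not Devo code or a Devo query, that implements both kinds in Python over constructed firewall.all.traffic-style log lines. The line format, the INTERNAL_NETS definition, the EXPECTED_COUNTRIES lookup (which the page says users must populate themselves), the deny threshold of 5 and the 60-second window are all assumptions to be tuned to your environment, and the sample addresses are documentation ranges standing in for the internet.

```python
"""Added example (not Devo code): threshold- and lookup-based detection logic for
the firewall alerts on this page, run over constructed firewall.all.traffic-style
log lines. The line format, INTERNAL_NETS, EXPECTED_COUNTRIES, DENY_THRESHOLD and
DENY_WINDOW are assumptions to tune per environment."""
from collections import defaultdict, deque
from datetime import datetime, timezone
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_COUNTRIES = {"US", "ES"}    # the home/expected country lookup users must populate
DENY_THRESHOLD, DENY_WINDOW = 5, 60  # denies from one source within DENY_WINDOW seconds
RDP_PORT, SMB_PORT = 3389, 445


def parse_line(line):
    """'2024-01-15T10:00:01Z action=deny src=... dst=... dport=22 [country=XX]' -> dict."""
    stamp, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    ev["dport"] = int(ev.get("dport", 0))
    return ev


def is_internal(ip):
    """Explicit internal ranges rather than ip_address().is_private, which also
    treats the documentation ranges used in the sample as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_firewall(lines):
    """Return (alert name, source IP, detail) tuples; events are processed in time order."""
    findings = []
    deny_times = defaultdict(deque)   # src -> timestamps of denies inside the window
    reported = set()                  # sources already reported for excess denies
    for ev in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        src, dst, action = ev["src"], ev["dst"], ev["action"]
        if action == "deny":
            q = deny_times[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > DENY_WINDOW:
                q.popleft()               # slide the window forward
            if len(q) >= DENY_THRESHOLD and src not in reported:
                reported.add(src)
                findings.append(("SecOpsFWExcessFirewallDenies", src,
                                 f"{len(q)} denies in {DENY_WINDOW}s"))
            continue
        outbound = is_internal(src) and not is_internal(dst)
        inbound = not is_internal(src) and is_internal(dst)
        country = ev.get("country")
        if outbound and country and country not in EXPECTED_COUNTRIES:
            findings.append(("SecOpsFWTrafficForeignDestination", src, f"{dst} ({country})"))
        if outbound and ev["dport"] == SMB_PORT:
            findings.append(("SecOpsFWSMBTrafficOutbound", src, f"{dst}:{SMB_PORT}"))
        if inbound and ev["dport"] == RDP_PORT:
            findings.append(("SecOpsFWRDPExternalAccess", src, f"{dst}:{RDP_PORT}"))
    return findings


SAMPLE_LINES = [  # constructed log lines; 198.51.100.0/24 and 203.0.113.0/24 play the internet
    "2024-01-15T10:00:01Z action=allow src=10.0.0.5 dst=198.51.100.7 dport=443 country=US",
    "2024-01-15T10:00:02Z action=allow src=10.0.0.5 dst=203.0.113.9 dport=443 country=ZZ",
    "2024-01-15T10:00:03Z action=allow src=10.0.0.8 dst=203.0.113.20 dport=445 country=US",
    "2024-01-15T10:00:04Z action=allow src=198.51.100.50 dst=10.0.0.30 dport=3389",
    "2024-01-15T10:00:05Z action=allow src=10.0.0.8 dst=10.0.0.30 dport=3389",
    "2024-01-15T10:30:00Z action=deny src=10.0.0.77 dst=198.51.100.99 dport=80",
] + [f"2024-01-15T10:01:{i:02d}Z action=deny src=10.0.0.77 dst=198.51.100.{i + 1} dport={20 + i}"
     for i in range(6)]


if __name__ == "__main__":
    for alert, src, detail in detect_firewall(SAMPLE_LINES):
        print(f"{alert:35} {src:15} {detail}")
```

The deny counter fires once per source and then stays quiet for that source; the sixth deny in the burst and the lone deny half an hour later produce nothing, because the first is already reported and the second falls outside the window. The internal-versus-external test is deliberately an explicit network list rather than a "private address" heuristic, which is the same decision the page asks users to make when they populate the expected-country lookup.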