Skip to content

[Security Content] Basic EDR Setup Guides - Phase 1 #4492

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

[Security Content] Basic EDR Setup Guides - Phase 1 #4492

wants to merge 4 commits into from

Conversation

w0rk3r
Copy link
Contributor

@w0rk3r w0rk3r commented Feb 24, 2025

Issue

Resolves the "Brief Guides" section of https://github.com/elastic/ia-trade-team/issues/205

Summary

This adds the config guides information for Elastic Defend and 3rd party EDRs. This doesn't include Setup information for Windows Security Logs or Sysmon, I plan to add these in another PR.

Note: This Detection Rule supports multiple datasets, but only one is required. Listed indexes and integrations should be interpreted as an OR condition, meaning any of them are supported.

I'm adding this note because users have frequently reached out via the community or SDHs with misconceptions about this.

Rendered example:

imagem

@w0rk3r
[Security Content] Basic EDR Setup Guides - Phase 1
f3e82b4 
[Security Content] Basic EDR Setup Guides - Phase 1
@w0rk3r w0rk3r self-assigned this Feb 24, 2025
@tradebot-elastic
Copy link

tradebot-elastic commented Feb 24, 2025
edited
Loading

⛔️ Tests failed:

  • ✅ Potential Credential Access via Windows Utilities (eql)
  • ✅ System Shells via Services (eql)
  • ❌ Process Created with an Elevated Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via DuplicateHandle in LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Ransomware Note File Dropped via SMB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ High Number of Process and/or Service Terminations (kuery)
  • ❌ Potential Escalation via Vulnerable MSI Repair (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Microsoft Antimalware Service Executable (eql)
  • ✅ Conhost Spawned By Suspicious Parent Process (eql)
  • ❌ Enumerating Domain Trusts via DSQUERY.EXE (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Evasion via Filter Manager (eql)
  • ✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
  • ❌ Local Account TokenFilter Policy Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Removable Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Termination followed by Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Establish VScode Remote Tunnel (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Peripheral Device Discovery (eql)
  • ✅ Execution of File Written or Modified by Microsoft Office (eql)
  • ❌ MsBuild Making Network Connections (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Third-party Backup Files Deleted via Unexpected Process (eql)
  • ❌ Suspicious Lsass Process Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Exploitation of an Unquoted Service Path Vulnerability (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Cmd Execution via WMI (eql)
  • ✅ Persistence via Scheduled Job Creation (eql)
  • ❌ Potential Ransomware Behavior - High count of Readme files by System (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Office Test Registry Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Time Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution from a Removable Media with Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Download via Desktopimgdownldr Utility (eql)
  • ❌ Component Object Model Hijacking (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Persistence via a Windows Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Renamed Utility Executed with Short Program Name (eql)
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of COM object via Xwizard (eql)
  • ❌ User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Created with a Duplicated Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via WinRM Remote Shell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Download via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Inter-Process Communication via Outlook (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of File Written or Modified by PDF Reader (eql)
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ✅ Suspicious .NET Code Compilation (eql)
  • ✅ Creation or Modification of Root Certificate (eql)
  • ❌ Werfault ReflectDebugger Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mofcomp Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full User-Mode Dumps Enabled System-Wide (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SUNBURST Command and Control Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Lateral Movement via Startup Folder (eql)
  • ❌ Persistence via Update Orchestrator Service Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileges Elevation via Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via PowerShell Remoting (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Discovery Command via SYSTEM Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Windows Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Shell Detection: Script Process Child of Common Web Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Adobe Hijack Persistence (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Windows Defender Exclusions Added via PowerShell (eql)
  • ✅ Suspicious Microsoft Diagnostics Wizard Execution (eql)
  • ❌ Potential Foxmail Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command and Scripting Interpreter via Windows Scripts (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Access via Direct System Call (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Wireless Credential Dumping using Netsh Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Renamed AutoIt Scripts Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a Hidden Local User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Folder Persistence via Unsigned Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Disabled via Registry Modification (eql)
  • ❌ Bypass UAC via Event Viewer (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Program Files Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious MS Outlook Child Process (eql)
  • ❌ Remote File Download via PowerShell (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Port Forwarding Rule Addition (eql)
  • ✅ Unusual Parent-Child Relationship (eql)
  • ✅ Suspicious ImagePath Service Creation (eql)
  • ❌ Downloaded Shortcut Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Outlook VBA (eql)
  • ✅ Potential DNS Tunneling via NsLookup (eql)
  • ❌ Suspicious Module Loaded by LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Parent Process for cmd.exe (eql)
  • ✅ NTDS or SAM Database File Copied (eql)
  • ❌ ScreenConnect Server Spawning Suspicious Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote File Execution via MSIEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via Named Pipe Impersonation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Execution via ForFiles (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Persistence via Services Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Control Panel Process with Unusual Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Persistence by a Suspicious Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Encrypting Files with WinRar or 7z (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Adding Hidden File Attribute via Attrib (eql)
  • ✅ Potential Local NTLM Relay via HTTP (eql)
  • ✅ Microsoft Exchange Server UM Spawning Suspicious Processes (eql)
  • ❌ Remote XSL Script Execution via COM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disable Windows Firewall Rules via Netsh (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Process Execution Path - Alternate Data Stream (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disable Windows Event and Security Logs Using Built-in Tools (eql)
  • ✅ Execution via MSSQL xp_cmdshell Stored Procedure (eql)
  • ❌ Suspicious Script Object Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via TSClient Mountpoint (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Registry Persistence via AppCert DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Service DACL Modification via sc.exe (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming DCOM Lateral Movement with MMC (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Network Connection via RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious PDF Reader Child Process (eql)
  • ❌ Uncommon Registry Persistence Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Network Logon Provider Registry Modification (eql)
  • ❌ PsExec Network Connection (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ DNS Global Query Block List Modified or Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Deleting Backup Catalogs with Wbadmin (eql)
  • ✅ RDP Enabled via Registry (eql)
  • ❌ Potential Lateral Tool Transfer via SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via InstallerFileTakeOver (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Privileged IFileOperation COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Secure File Deletion via SDelete Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious PrintSpooler Service Executable File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Outbound Scheduled Task Activity via PowerShell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via PowerShell profile (eql)
  • ✅ Suspicious Execution via Scheduled Task (eql)
  • ❌ Unsigned DLL loaded by DNS Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Download via a Headless Browser (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Process Network Connection (eql)
  • ❌ Incoming DCOM Lateral Movement via MSHTA (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Registry Hive Access via RegBack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Signed Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Connection to Commonly Abused Web Services (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Image File Execution Options Injection (eql)
  • ✅ Persistence via TelemetryController Scheduled Task Hijack (eql)
  • ❌ Scheduled Task Created by a Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via ICMLuaUtil Elevated COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of Boot Configuration (eql)
  • ✅ Unusual Service Host Child Process - Childless Service (eql)
  • ✅ Exporting Exchange Mailbox via PowerShell (eql)
  • ✅ Microsoft Exchange Server UM Writing Suspicious Files (eql)
  • ❌ First Time Seen Commonly Abused Remote Access Tool Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Error Manager Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via WMI Standard Registry Provider (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Creation - Alternate Data Stream (eql)
  • ✅ Suspicious RDP ActiveX Client Loaded (eql)
  • ❌ Suspicious JetBrains TeamCity Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Modification of Accessibility Binaries (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Privilege Escalation via Rogue Named Pipe Impersonation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Remote Desktop Tunneling Detected (eql)
  • ✅ Enumeration Command Spawned via WMIPrvSE (eql)
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious File Renamed via SMB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Loaded by Svchost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution of a Downloaded Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Certreq (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious LSASS Access via MalSecLogon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Management Console File from Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File with Right-to-Left Override Character (RTLO) Created/Executed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious WMIC XSL Script Execution (eql)
  • ✅ PowerShell Script Block Logging Disabled (eql)
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Remote Credential Access via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious PowerShell Engine ImageLoad (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Administrator Accounts (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious WMI Image Load from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Traffic from Unusual Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Command Prompt Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a Mounted Device (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable File Creation with Multiple Extensions (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enable Host Network Discovery via Netsh (eql)
  • ✅ Unusual Child Process of dns.exe (eql)
  • ❌ Potential SharpRDP Behavior (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential WSUS Abuse for Lateral Movement (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Monitor or Print Processor Registration Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious SolarWinds Child Process (eql)
  • ❌ Encoded Executable Stored in the Registry (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Group Policy Discovery via Microsoft GPResult Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Zoom Child Process (eql)
  • ❌ Startup or Run Key Registry Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Credential Access via LSASS Memory Dump (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Explorer Child Process (eql)
  • ✅ Scheduled Tasks AT Command Enabled (eql)
  • ✅ Persistence via WMI Event Subscription (eql)
  • ❌ Potential Enumeration via Active Directory Web Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Shell Activity Started via RunDLL32 (eql)
  • ✅ Microsoft Build Engine Started by a Script Process (kuery)
  • ✅ Microsoft Build Engine Started by a System Process (eql)
  • ✅ Microsoft Build Engine Using an Alternate Name (eql)
  • ✅ Potential Credential Access via Trusted Developer Utility (eql)
  • ✅ Microsoft Build Engine Started an Unusual Process (kuery)
  • ✅ InstallUtil Process Making Network Connections (eql)
  • ❌ Windows Subsystem for Linux Distribution Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ DNS-over-HTTPS Enabled via Registry (eql)
  • ❌ Execution via local SxS Shared Module (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Registry File Creation in SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious MS Office Child Process (eql)
  • ❌ Suspicious Print Spooler SPL File Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Credential Acquisition via Registry Hive Dumping (eql)
  • ❌ Persistence via Hidden Run Key Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remotely Started Services via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Veeam Backup Library Loaded by Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Execution via File Shares (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WerFault Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Outlook Home Page Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WPS Office Exploitation via DLL Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Command and Control via Internet Explorer (eql)
  • ❌ Suspicious Managed Code Hosting Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Signed Proxy Execution via MS Work Folders (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Communication App Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Microsoft Office Add-Ins (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Local Scheduled Task Creation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Netsh Helper DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Copy via TeamViewer (eql)
  • ❌ Network Connection via Compiled HTML File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Endpoint Security Parent Process (eql)
  • ❌ Code Signing Policy Modification Through Built-in tools (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Console History (eql)
  • ❌ Volume Shadow Copy Deleted or Resized via VssAdmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Interpreter Executing Process via WMI (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Veeam Credential Access Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Service ImagePath Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Creation or Modification of Domain Backup DPAPI private key (eql)
  • ❌ Network Connection via MsXsl (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Kirbi File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface (eql)
  • ❌ SolarWinds Process Disabling Services via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Image Load (taskschd.dll) from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Print Spooler Point and Print DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution via Windows Command Debugging Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Searching for Saved Credentials via VaultCmd (eql)
  • ✅ Suspicious DLL Loaded for Persistence or Privilege Escalation (eql)
  • ❌ Creation or Modification of a new GPO Scheduled Task or Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft IIS Connection Strings Decryption (eql)
  • ❌ Mshta Making Network Connections (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Persistence via BITS Job Notify Cmdline (eql)
  • ✅ Mounting Hidden or WebDav Remote Shares (eql)
  • ✅ Suspicious Print Spooler File Deletion (eql)
  • ✅ Potential Remote Desktop Shadowing Activity (eql)
  • ✅ Installation of Custom Shim Databases (eql)
  • ✅ Microsoft Build Engine Started by an Office Application (eql)
  • ✅ Remote File Download via MpCmdRun (eql)
  • ❌ Unusual Network Connection via DllHost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Modification by dns.exe (eql)
  • ❌ SMB Connections via LOLBin or Untrusted Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Startup Shell Folder Modification (eql)
  • ✅ Disabling Windows Defender Security Settings via PowerShell (eql)
  • ❌ Potential Masquerading as Communication Apps (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Downloaded URL Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ New ActiveSyncAllowedDeviceID Added via PowerShell (eql)
  • ✅ Execution from Unusual Directory - Command Line (eql)
  • ✅ Registry Persistence via AppInit DLL (eql)
  • ❌ Expired or Revoked Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disabling User Account Control via Registry Modification (eql)
  • ✅ Clearing Windows Event Logs (eql)
  • ❌ Privilege Escalation via Windir Environment Variable (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Service Command Lateral Movement (eql)
  • ❌ Modification of WDigest Security Provider (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Command Execution via SolarWinds Process (eql)
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NTDS Dump via Wbadmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Volume Shadow Copy Deletion via PowerShell (eql)
  • ❌ Suspicious Windows Command Shell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Code Signing Policy Modification Through Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network-Level Authentication (NLA) Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Volume Shadow Copy Deletion via WMIC (eql)
  • ❌ Suspicious Execution from INET Cache (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Install Kali Linux via WSL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NullSessionPipe Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Child Process from a System Virtual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Driver Loaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential privilege escalation via CVE-2022-38028 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
  • ✅ Process Activity via Compiled HTML File (eql)
  • ✅ Connection to Commonly Abused Free SSL Certificate Providers (eql)
  • ✅ Execution of Persistent Suspicious Program (eql)
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Session Hijacking via CcmExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Execution via Microsoft Common Console File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Control Spawned via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Installation of Security Support Provider (eql)
  • ❌ Host Files System Changes via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Executable File Creation by a System Critical Process (eql)
  • ❌ Potential LSA Authentication Package Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Mimikatz Memssp Log File Detected (eql)
  • ✅ IIS HTTP Logging Disabled (eql)
  • ❌ Process Execution from an Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WPAD Service Exploit (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ AdFind Command Activity (eql)
  • ❌ ImageLoad via Windows Update Auto Update Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Print Spooler Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Child Processes of RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious HTML File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SIP Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ LSASS Memory Dump Creation (eql)
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote Desktop File Opened from Suspicious Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Office AddIns (eql)
  • ✅ Windows Script Executing PowerShell (eql)
  • ❌ Rare SMB Connection to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Firewall Disabled via PowerShell (eql)
  • ✅ Delete Volume USN Journal with Fsutil (eql)
  • ❌ Persistent Scripts in the Startup Directory (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Microsoft Exchange Worker Spawning Suspicious Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of AmsiEnable Registry Key (eql)
  • ❌ Untrusted DLL Loaded by Azure AD Sync Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Transfer via Windows BITS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Extension Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Copy to a Hidden Share (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Antimalware Scan Interface DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Registration Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Application Shimming via Sdbinst (eql)
  • ✅ Suspicious CertUtil Commands (eql)
  • ❌ Svchost spawning Cmd (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Microsoft Windows Defender Tampering (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Masquerading as Business App Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MS Office Macro Security Registry Modifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Process Access via Windows API (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alternate Data Stream Creation/Execution at Volume Root Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Feb 24, 2025
edited
Loading

⛔️ Tests failed:

  • ✅ Potential Credential Access via Windows Utilities (eql)
  • ✅ System Shells via Services (eql)
  • ❌ Process Created with an Elevated Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via DuplicateHandle in LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Ransomware Note File Dropped via SMB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ High Number of Process and/or Service Terminations (kuery)
  • ❌ Potential Escalation via Vulnerable MSI Repair (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Microsoft Antimalware Service Executable (eql)
  • ✅ Conhost Spawned By Suspicious Parent Process (eql)
  • ❌ Enumerating Domain Trusts via DSQUERY.EXE (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Evasion via Filter Manager (eql)
  • ✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
  • ❌ Local Account TokenFilter Policy Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Removable Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Termination followed by Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Establish VScode Remote Tunnel (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Peripheral Device Discovery (eql)
  • ✅ Execution of File Written or Modified by Microsoft Office (eql)
  • ❌ MsBuild Making Network Connections (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Third-party Backup Files Deleted via Unexpected Process (eql)
  • ❌ Suspicious Lsass Process Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Exploitation of an Unquoted Service Path Vulnerability (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Cmd Execution via WMI (eql)
  • ✅ Persistence via Scheduled Job Creation (eql)
  • ❌ Potential Ransomware Behavior - High count of Readme files by System (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Office Test Registry Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Time Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution from a Removable Media with Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Download via Desktopimgdownldr Utility (eql)
  • ❌ Component Object Model Hijacking (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Persistence via a Windows Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Renamed Utility Executed with Short Program Name (eql)
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of COM object via Xwizard (eql)
  • ❌ User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Created with a Duplicated Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via WinRM Remote Shell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Download via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Inter-Process Communication via Outlook (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of File Written or Modified by PDF Reader (eql)
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ✅ Suspicious .NET Code Compilation (eql)
  • ✅ Creation or Modification of Root Certificate (eql)
  • ❌ Werfault ReflectDebugger Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mofcomp Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full User-Mode Dumps Enabled System-Wide (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SUNBURST Command and Control Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Lateral Movement via Startup Folder (eql)
  • ❌ Persistence via Update Orchestrator Service Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileges Elevation via Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via PowerShell Remoting (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Discovery Command via SYSTEM Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Windows Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Shell Detection: Script Process Child of Common Web Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Adobe Hijack Persistence (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Windows Defender Exclusions Added via PowerShell (eql)
  • ✅ Suspicious Microsoft Diagnostics Wizard Execution (eql)
  • ❌ Potential Foxmail Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command and Scripting Interpreter via Windows Scripts (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Access via Direct System Call (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Wireless Credential Dumping using Netsh Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Renamed AutoIt Scripts Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a Hidden Local User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Folder Persistence via Unsigned Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Disabled via Registry Modification (eql)
  • ❌ Bypass UAC via Event Viewer (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Program Files Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious MS Outlook Child Process (eql)
  • ❌ Remote File Download via PowerShell (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Port Forwarding Rule Addition (eql)
  • ✅ Unusual Parent-Child Relationship (eql)
  • ✅ Suspicious ImagePath Service Creation (eql)
  • ❌ Downloaded Shortcut Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Outlook VBA (eql)
  • ✅ Potential DNS Tunneling via NsLookup (eql)
  • ❌ Suspicious Module Loaded by LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Parent Process for cmd.exe (eql)
  • ✅ NTDS or SAM Database File Copied (eql)
  • ❌ ScreenConnect Server Spawning Suspicious Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote File Execution via MSIEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via Named Pipe Impersonation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Execution via ForFiles (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Persistence via Services Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Control Panel Process with Unusual Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Persistence by a Suspicious Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Encrypting Files with WinRar or 7z (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Adding Hidden File Attribute via Attrib (eql)
  • ✅ Potential Local NTLM Relay via HTTP (eql)
  • ✅ Microsoft Exchange Server UM Spawning Suspicious Processes (eql)
  • ❌ Remote XSL Script Execution via COM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disable Windows Firewall Rules via Netsh (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Process Execution Path - Alternate Data Stream (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disable Windows Event and Security Logs Using Built-in Tools (eql)
  • ✅ Execution via MSSQL xp_cmdshell Stored Procedure (eql)
  • ❌ Suspicious Script Object Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via TSClient Mountpoint (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Registry Persistence via AppCert DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Service DACL Modification via sc.exe (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming DCOM Lateral Movement with MMC (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Network Connection via RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious PDF Reader Child Process (eql)
  • ❌ Uncommon Registry Persistence Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Network Logon Provider Registry Modification (eql)
  • ❌ PsExec Network Connection (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ DNS Global Query Block List Modified or Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Deleting Backup Catalogs with Wbadmin (eql)
  • ✅ RDP Enabled via Registry (eql)
  • ❌ Potential Lateral Tool Transfer via SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via InstallerFileTakeOver (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Privileged IFileOperation COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Secure File Deletion via SDelete Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious PrintSpooler Service Executable File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Outbound Scheduled Task Activity via PowerShell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via PowerShell profile (eql)
  • ✅ Suspicious Execution via Scheduled Task (eql)
  • ❌ Unsigned DLL loaded by DNS Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Download via a Headless Browser (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Process Network Connection (eql)
  • ❌ Incoming DCOM Lateral Movement via MSHTA (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Registry Hive Access via RegBack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Signed Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Connection to Commonly Abused Web Services (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Image File Execution Options Injection (eql)
  • ✅ Persistence via TelemetryController Scheduled Task Hijack (eql)
  • ❌ Scheduled Task Created by a Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via ICMLuaUtil Elevated COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of Boot Configuration (eql)
  • ✅ Unusual Service Host Child Process - Childless Service (eql)
  • ✅ Exporting Exchange Mailbox via PowerShell (eql)
  • ✅ Microsoft Exchange Server UM Writing Suspicious Files (eql)
  • ❌ First Time Seen Commonly Abused Remote Access Tool Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Error Manager Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via WMI Standard Registry Provider (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Creation - Alternate Data Stream (eql)
  • ✅ Suspicious RDP ActiveX Client Loaded (eql)
  • ❌ Suspicious JetBrains TeamCity Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Modification of Accessibility Binaries (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Privilege Escalation via Rogue Named Pipe Impersonation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Remote Desktop Tunneling Detected (eql)
  • ✅ Enumeration Command Spawned via WMIPrvSE (eql)
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious File Renamed via SMB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Loaded by Svchost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution of a Downloaded Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Certreq (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious LSASS Access via MalSecLogon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Management Console File from Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File with Right-to-Left Override Character (RTLO) Created/Executed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious WMIC XSL Script Execution (eql)
  • ✅ PowerShell Script Block Logging Disabled (eql)
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Remote Credential Access via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious PowerShell Engine ImageLoad (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Administrator Accounts (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious WMI Image Load from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Traffic from Unusual Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Command Prompt Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a Mounted Device (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable File Creation with Multiple Extensions (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enable Host Network Discovery via Netsh (eql)
  • ✅ Unusual Child Process of dns.exe (eql)
  • ❌ Potential SharpRDP Behavior (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential WSUS Abuse for Lateral Movement (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Monitor or Print Processor Registration Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious SolarWinds Child Process (eql)
  • ❌ Encoded Executable Stored in the Registry (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Group Policy Discovery via Microsoft GPResult Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Zoom Child Process (eql)
  • ❌ Startup or Run Key Registry Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Credential Access via LSASS Memory Dump (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Explorer Child Process (eql)
  • ✅ Scheduled Tasks AT Command Enabled (eql)
  • ✅ Persistence via WMI Event Subscription (eql)
  • ❌ Potential Enumeration via Active Directory Web Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Shell Activity Started via RunDLL32 (eql)
  • ✅ Microsoft Build Engine Started by a Script Process (kuery)
  • ✅ Microsoft Build Engine Started by a System Process (eql)
  • ✅ Microsoft Build Engine Using an Alternate Name (eql)
  • ✅ Potential Credential Access via Trusted Developer Utility (eql)
  • ✅ Microsoft Build Engine Started an Unusual Process (kuery)
  • ✅ InstallUtil Process Making Network Connections (eql)
  • ❌ Windows Subsystem for Linux Distribution Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ DNS-over-HTTPS Enabled via Registry (eql)
  • ❌ Execution via local SxS Shared Module (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Registry File Creation in SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious MS Office Child Process (eql)
  • ❌ Suspicious Print Spooler SPL File Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Credential Acquisition via Registry Hive Dumping (eql)
  • ❌ Persistence via Hidden Run Key Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remotely Started Services via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Veeam Backup Library Loaded by Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Execution via File Shares (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WerFault Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Outlook Home Page Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WPS Office Exploitation via DLL Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Command and Control via Internet Explorer (eql)
  • ❌ Suspicious Managed Code Hosting Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Signed Proxy Execution via MS Work Folders (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Communication App Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Microsoft Office Add-Ins (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Local Scheduled Task Creation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Netsh Helper DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Copy via TeamViewer (eql)
  • ❌ Network Connection via Compiled HTML File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Endpoint Security Parent Process (eql)
  • ❌ Code Signing Policy Modification Through Built-in tools (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Console History (eql)
  • ❌ Volume Shadow Copy Deleted or Resized via VssAdmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Interpreter Executing Process via WMI (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Veeam Credential Access Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Service ImagePath Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Creation or Modification of Domain Backup DPAPI private key (eql)
  • ❌ Network Connection via MsXsl (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Kirbi File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface (eql)
  • ❌ SolarWinds Process Disabling Services via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Image Load (taskschd.dll) from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Print Spooler Point and Print DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution via Windows Command Debugging Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Searching for Saved Credentials via VaultCmd (eql)
  • ✅ Suspicious DLL Loaded for Persistence or Privilege Escalation (eql)
  • ❌ Creation or Modification of a new GPO Scheduled Task or Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft IIS Connection Strings Decryption (eql)
  • ❌ Mshta Making Network Connections (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Persistence via BITS Job Notify Cmdline (eql)
  • ✅ Mounting Hidden or WebDav Remote Shares (eql)
  • ✅ Suspicious Print Spooler File Deletion (eql)
  • ✅ Potential Remote Desktop Shadowing Activity (eql)
  • ✅ Installation of Custom Shim Databases (eql)
  • ✅ Microsoft Build Engine Started by an Office Application (eql)
  • ✅ Remote File Download via MpCmdRun (eql)
  • ❌ Unusual Network Connection via DllHost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Modification by dns.exe (eql)
  • ❌ SMB Connections via LOLBin or Untrusted Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Startup Shell Folder Modification (eql)
  • ✅ Disabling Windows Defender Security Settings via PowerShell (eql)
  • ❌ Potential Masquerading as Communication Apps (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Downloaded URL Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ New ActiveSyncAllowedDeviceID Added via PowerShell (eql)
  • ✅ Execution from Unusual Directory - Command Line (eql)
  • ✅ Registry Persistence via AppInit DLL (eql)
  • ❌ Expired or Revoked Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disabling User Account Control via Registry Modification (eql)
  • ✅ Clearing Windows Event Logs (eql)
  • ❌ Privilege Escalation via Windir Environment Variable (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Service Command Lateral Movement (eql)
  • ❌ Modification of WDigest Security Provider (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Command Execution via SolarWinds Process (eql)
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NTDS Dump via Wbadmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Volume Shadow Copy Deletion via PowerShell (eql)
  • ❌ Suspicious Windows Command Shell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Code Signing Policy Modification Through Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network-Level Authentication (NLA) Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Volume Shadow Copy Deletion via WMIC (eql)
  • ❌ Suspicious Execution from INET Cache (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Install Kali Linux via WSL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NullSessionPipe Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Child Process from a System Virtual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Driver Loaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential privilege escalation via CVE-2022-38028 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
  • ✅ Process Activity via Compiled HTML File (eql)
  • ✅ Connection to Commonly Abused Free SSL Certificate Providers (eql)
  • ✅ Execution of Persistent Suspicious Program (eql)
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Session Hijacking via CcmExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Execution via Microsoft Common Console File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Control Spawned via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Installation of Security Support Provider (eql)
  • ❌ Host Files System Changes via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Executable File Creation by a System Critical Process (eql)
  • ❌ Potential LSA Authentication Package Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Mimikatz Memssp Log File Detected (eql)
  • ✅ IIS HTTP Logging Disabled (eql)
  • ❌ Process Execution from an Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WPAD Service Exploit (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ AdFind Command Activity (eql)
  • ❌ ImageLoad via Windows Update Auto Update Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Print Spooler Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Child Processes of RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious HTML File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SIP Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ LSASS Memory Dump Creation (eql)
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote Desktop File Opened from Suspicious Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Office AddIns (eql)
  • ✅ Windows Script Executing PowerShell (eql)
  • ❌ Rare SMB Connection to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Firewall Disabled via PowerShell (eql)
  • ✅ Delete Volume USN Journal with Fsutil (eql)
  • ❌ Persistent Scripts in the Startup Directory (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Microsoft Exchange Worker Spawning Suspicious Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of AmsiEnable Registry Key (eql)
  • ❌ Untrusted DLL Loaded by Azure AD Sync Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Transfer via Windows BITS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Extension Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Copy to a Hidden Share (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Antimalware Scan Interface DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Registration Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Application Shimming via Sdbinst (eql)
  • ✅ Suspicious CertUtil Commands (eql)
  • ❌ Svchost spawning Cmd (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Microsoft Windows Defender Tampering (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Masquerading as Business App Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MS Office Macro Security Registry Modifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Process Access via Windows API (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alternate Data Stream Creation/Execution at Volume Root Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Feb 24, 2025
edited
Loading

⛔️ Tests failed:

  • ✅ Potential Credential Access via Windows Utilities (eql)
  • ✅ System Shells via Services (eql)
  • ❌ Process Created with an Elevated Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Credential Access via DuplicateHandle in LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Ransomware Note File Dropped via SMB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ High Number of Process and/or Service Terminations (kuery)
  • ❌ Potential Escalation via Vulnerable MSI Repair (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Microsoft Antimalware Service Executable (eql)
  • ✅ Conhost Spawned By Suspicious Parent Process (eql)
  • ❌ Enumerating Domain Trusts via DSQUERY.EXE (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Evasion via Filter Manager (eql)
  • ✅ Remote Desktop Enabled in Windows Firewall by Netsh (eql)
  • ❌ Local Account TokenFilter Policy Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Removable Device (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Termination followed by Deletion (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Establish VScode Remote Tunnel (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Peripheral Device Discovery (eql)
  • ✅ Execution of File Written or Modified by Microsoft Office (eql)
  • ❌ MsBuild Making Network Connections (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential DLL Side-Loading via Trusted Microsoft Programs (eql)
  • ❌ UAC Bypass via Windows Firewall Snap-In Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Third-party Backup Files Deleted via Unexpected Process (eql)
  • ❌ Suspicious Lsass Process Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Exploitation of an Unquoted Service Path Vulnerability (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Cmd Execution via WMI (eql)
  • ✅ Persistence via Scheduled Job Creation (eql)
  • ❌ Potential Ransomware Behavior - High count of Readme files by System (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Office Test Registry Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Persistence via Time Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution from a Removable Media with Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Download via Desktopimgdownldr Utility (eql)
  • ❌ Component Object Model Hijacking (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Persistence via a Windows Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Renamed Utility Executed with Short Program Name (eql)
  • ❌ Script Execution via Microsoft HTML Application (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of COM object via Xwizard (eql)
  • ❌ User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Created with a Duplicated Token (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via WinRM Remote Shell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Download via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ UAC Bypass via DiskCleanup Scheduled Task Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Inter-Process Communication via Outlook (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Execution of File Written or Modified by PDF Reader (eql)
  • ✅ Unusual Network Activity from a Windows System Binary (eql)
  • ✅ Suspicious .NET Code Compilation (eql)
  • ✅ Creation or Modification of Root Certificate (eql)
  • ❌ Werfault ReflectDebugger Persistence (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Mofcomp Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Full User-Mode Dumps Enabled System-Wide (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SUNBURST Command and Control Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Lateral Movement via Startup Folder (eql)
  • ❌ Persistence via Update Orchestrator Service Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privileges Elevation via Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming Execution via PowerShell Remoting (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Account Discovery Command via SYSTEM Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Windows Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Shell Detection: Script Process Child of Common Web Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Adobe Hijack Persistence (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Windows Defender Exclusions Added via PowerShell (eql)
  • ✅ Suspicious Microsoft Diagnostics Wizard Execution (eql)
  • ❌ Potential Foxmail Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command and Scripting Interpreter via Windows Scripts (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Process Access via Direct System Call (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Wireless Credential Dumping using Netsh Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Curl for Windows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Renamed AutoIt Scripts Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Creation of a Hidden Local User Account (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Folder Persistence via Unsigned Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Defender Disabled via Registry Modification (eql)
  • ❌ Bypass UAC via Event Viewer (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Program Files Directory Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious MS Outlook Child Process (eql)
  • ❌ Remote File Download via PowerShell (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Port Forwarding Rule Addition (eql)
  • ✅ Unusual Parent-Child Relationship (eql)
  • ✅ Suspicious ImagePath Service Creation (eql)
  • ❌ Downloaded Shortcut Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Outlook VBA (eql)
  • ✅ Potential DNS Tunneling via NsLookup (eql)
  • ❌ Suspicious Module Loaded by LSASS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Parent Process for cmd.exe (eql)
  • ✅ NTDS or SAM Database File Copied (eql)
  • ❌ ScreenConnect Server Spawning Suspicious Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Remote File Execution via MSIEXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Privilege Escalation via Named Pipe Impersonation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Command Execution via ForFiles (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Persistence via Services Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Control Panel Process with Unusual Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Startup Persistence by a Suspicious Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Encrypting Files with WinRar or 7z (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Adding Hidden File Attribute via Attrib (eql)
  • ✅ Potential Local NTLM Relay via HTTP (eql)
  • ✅ Microsoft Exchange Server UM Spawning Suspicious Processes (eql)
  • ❌ Remote XSL Script Execution via COM (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Disable Windows Firewall Rules via Netsh (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Process Execution Path - Alternate Data Stream (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disable Windows Event and Security Logs Using Built-in Tools (eql)
  • ✅ Execution via MSSQL xp_cmdshell Stored Procedure (eql)
  • ❌ Suspicious Script Object Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via TSClient Mountpoint (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Registry Persistence via AppCert DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Service DACL Modification via sc.exe (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Incoming DCOM Lateral Movement with MMC (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Network Connection via RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious PDF Reader Child Process (eql)
  • ❌ Uncommon Registry Persistence Change (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Network Logon Provider Registry Modification (eql)
  • ❌ PsExec Network Connection (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ DNS Global Query Block List Modified or Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Deleting Backup Catalogs with Wbadmin (eql)
  • ✅ RDP Enabled via Registry (eql)
  • ❌ Potential Lateral Tool Transfer via SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via InstallerFileTakeOver (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Privileged IFileOperation COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Secure File Deletion via SDelete Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious PrintSpooler Service Executable File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Outbound Scheduled Task Activity via PowerShell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via PowerShell profile (eql)
  • ✅ Suspicious Execution via Scheduled Task (eql)
  • ❌ Unsigned DLL loaded by DNS Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Download via a Headless Browser (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Process Network Connection (eql)
  • ❌ Incoming DCOM Lateral Movement via MSHTA (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Registry Hive Access via RegBack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Signed Binary (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MsiExec Service Child Process With Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Connection to Commonly Abused Web Services (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Image File Execution Options Injection (eql)
  • ✅ Persistence via TelemetryController Scheduled Task Hijack (eql)
  • ❌ Scheduled Task Created by a Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass via ICMLuaUtil Elevated COM Interface (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of Boot Configuration (eql)
  • ✅ Unusual Service Host Child Process - Childless Service (eql)
  • ✅ Exporting Exchange Mailbox via PowerShell (eql)
  • ✅ Microsoft Exchange Server UM Writing Suspicious Files (eql)
  • ❌ First Time Seen Commonly Abused Remote Access Tool Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Error Manager Masquerading (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Persistence via WMI Standard Registry Provider (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Creation - Alternate Data Stream (eql)
  • ✅ Suspicious RDP ActiveX Client Loaded (eql)
  • ❌ Suspicious JetBrains TeamCity Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Modification of Accessibility Binaries (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Privilege Escalation via Rogue Named Pipe Impersonation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Remote Desktop Tunneling Detected (eql)
  • ✅ Enumeration Command Spawned via WMIPrvSE (eql)
  • ❌ Suspicious ScreenConnect Client Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious File Renamed via SMB (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Loaded by Svchost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution of a Downloaded Windows Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential File Transfer via Certreq (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious LSASS Access via MalSecLogon (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Management Console File from Unusual Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File with Right-to-Left Override Character (RTLO) Created/Executed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious WMIC XSL Script Execution (eql)
  • ✅ PowerShell Script Block Logging Disabled (eql)
  • ❌ Suspicious Windows Powershell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumerating Domain Trusts via NLTEST.EXE (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Remote Credential Access via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious PowerShell Engine ImageLoad (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Enumeration of Administrator Accounts (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious WMI Image Load from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kerberos Traffic from Unusual Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Command Prompt Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution from a Mounted Device (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable File Creation with Multiple Extensions (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Enable Host Network Discovery via Netsh (eql)
  • ✅ Unusual Child Process of dns.exe (eql)
  • ❌ Potential SharpRDP Behavior (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential WSUS Abuse for Lateral Movement (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Monitor or Print Processor Registration Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious SolarWinds Child Process (eql)
  • ❌ Encoded Executable Stored in the Registry (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Group Policy Discovery via Microsoft GPResult Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Scheduled Task Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Zoom Child Process (eql)
  • ❌ Startup or Run Key Registry Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Credential Access via LSASS Memory Dump (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Explorer Child Process (eql)
  • ✅ Scheduled Tasks AT Command Enabled (eql)
  • ✅ Persistence via WMI Event Subscription (eql)
  • ❌ Potential Enumeration via Active Directory Web Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Command Shell Activity Started via RunDLL32 (eql)
  • ✅ Microsoft Build Engine Started by a Script Process (kuery)
  • ✅ Microsoft Build Engine Started by a System Process (eql)
  • ✅ Microsoft Build Engine Using an Alternate Name (eql)
  • ✅ Potential Credential Access via Trusted Developer Utility (eql)
  • ✅ Microsoft Build Engine Started an Unusual Process (kuery)
  • ✅ InstallUtil Process Making Network Connections (eql)
  • ❌ Windows Subsystem for Linux Distribution Installed (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ DNS-over-HTTPS Enabled via Registry (eql)
  • ❌ Execution via local SxS Shared Module (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Registry File Creation in SMB Share (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious MS Office Child Process (eql)
  • ❌ Suspicious Print Spooler SPL File Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Credential Acquisition via Registry Hive Dumping (eql)
  • ❌ Persistence via Hidden Run Key Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remotely Started Services via RPC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Veeam Backup Library Loaded by Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote Execution via File Shares (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious WerFault Child Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Outlook Home Page Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WPS Office Exploitation via DLL Hijack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Command and Control via Internet Explorer (eql)
  • ❌ Suspicious Managed Code Hosting Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Signed Proxy Execution via MS Work Folders (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Communication App Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Execution via Microsoft Office Add-Ins (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Local Scheduled Task Creation (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Netsh Helper DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Remote File Copy via TeamViewer (eql)
  • ❌ Network Connection via Compiled HTML File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Endpoint Security Parent Process (eql)
  • ❌ Code Signing Policy Modification Through Built-in tools (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Clearing Windows Console History (eql)
  • ❌ Volume Shadow Copy Deleted or Resized via VssAdmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Script Interpreter Executing Process via WMI (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Veeam Credential Access Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation via Service ImagePath Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Creation or Modification of Domain Backup DPAPI private key (eql)
  • ❌ Network Connection via MsXsl (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Kirbi File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface (eql)
  • ❌ SolarWinds Process Disabling Services via Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Image Load (taskschd.dll) from MS Office (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Print Spooler Point and Print DLL (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Execution via Windows Command Debugging Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Searching for Saved Credentials via VaultCmd (eql)
  • ✅ Suspicious DLL Loaded for Persistence or Privilege Escalation (eql)
  • ❌ Creation or Modification of a new GPO Scheduled Task or Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Microsoft IIS Connection Strings Decryption (eql)
  • ❌ Mshta Making Network Connections (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Persistence via BITS Job Notify Cmdline (eql)
  • ✅ Mounting Hidden or WebDav Remote Shares (eql)
  • ✅ Suspicious Print Spooler File Deletion (eql)
  • ✅ Potential Remote Desktop Shadowing Activity (eql)
  • ✅ Installation of Custom Shim Databases (eql)
  • ✅ Microsoft Build Engine Started by an Office Application (eql)
  • ✅ Remote File Download via MpCmdRun (eql)
  • ❌ Unusual Network Connection via DllHost (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual File Modification by dns.exe (eql)
  • ❌ SMB Connections via LOLBin or Untrusted Process (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Parent Process PID Spoofing (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Startup Shell Folder Modification (eql)
  • ✅ Disabling Windows Defender Security Settings via PowerShell (eql)
  • ❌ Potential Masquerading as Communication Apps (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unsigned DLL Side-Loading from a Suspicious Folder (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Downloaded URL Files (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ New ActiveSyncAllowedDeviceID Added via PowerShell (eql)
  • ✅ Execution from Unusual Directory - Command Line (eql)
  • ✅ Registry Persistence via AppInit DLL (eql)
  • ❌ Expired or Revoked Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Disabling User Account Control via Registry Modification (eql)
  • ✅ Clearing Windows Event Logs (eql)
  • ❌ Privilege Escalation via Windir Environment Variable (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Service Command Lateral Movement (eql)
  • ❌ Modification of WDigest Security Provider (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Command Execution via SolarWinds Process (eql)
  • ❌ Untrusted Driver Loaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NTDS Dump via Wbadmin (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Volume Shadow Copy Deletion via PowerShell (eql)
  • ❌ Suspicious Windows Command Shell Arguments (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Code Signing Policy Modification Through Registry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network-Level Authentication (NLA) Disabled (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Execution via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Volume Shadow Copy Deletion via WMIC (eql)
  • ❌ Suspicious Execution from INET Cache (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Attempt to Install Kali Linux via WSL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NullSessionPipe Registry Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Child Process from a System Virtual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen Driver Loaded (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential privilege escalation via CVE-2022-38028 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Windows Subsystem for Linux Enabled via Dism Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious Process Execution via Renamed PsExec Executable (eql)
  • ✅ Process Activity via Compiled HTML File (eql)
  • ✅ Connection to Commonly Abused Free SSL Certificate Providers (eql)
  • ✅ Execution of Persistent Suspicious Program (eql)
  • ❌ Suspicious WMI Event Subscription Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Windows Session Hijacking via CcmExec (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Execution via Microsoft Common Console File (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Service Control Spawned via Script Interpreter (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Installation of Security Support Provider (eql)
  • ❌ Host Files System Changes via Windows Subsystem for Linux (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Unusual Executable File Creation by a System Critical Process (eql)
  • ❌ Potential LSA Authentication Package Abuse (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Mimikatz Memssp Log File Detected (eql)
  • ✅ IIS HTTP Logging Disabled (eql)
  • ❌ Process Execution from an Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ WPAD Service Exploit (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ AdFind Command Activity (eql)
  • ❌ ImageLoad via Windows Update Auto Update Client (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Print Spooler Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Whoami Process Activity (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Unusual Child Processes of RunDLL32 (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious HTML File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SIP Provider Modification (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ LSASS Memory Dump Creation (eql)
  • ❌ WMI Incoming Lateral Movement (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Remote Desktop File Opened from Suspicious Path (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Persistence via Microsoft Office AddIns (eql)
  • ✅ Windows Script Executing PowerShell (eql)
  • ❌ Rare SMB Connection to the Internet (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Windows Firewall Disabled via PowerShell (eql)
  • ✅ Delete Volume USN Journal with Fsutil (eql)
  • ❌ Persistent Scripts in the Startup Directory (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Microsoft Exchange Worker Spawning Suspicious Processes (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Modification of AmsiEnable Registry Key (eql)
  • ❌ Untrusted DLL Loaded by Azure AD Sync Service (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Transfer via Windows BITS (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Browser Extension Install (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Copy to a Hidden Share (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Suspicious Antimalware Scan Interface DLL (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection via Registration Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Potential Application Shimming via Sdbinst (eql)
  • ✅ Suspicious CertUtil Commands (eql)
  • ❌ Svchost spawning Cmd (kuery)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Microsoft Windows Defender Tampering (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Potential Masquerading as Business App Installer (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ MS Office Macro Security Registry Modifications (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ LSASS Process Access via Windows API (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Alternate Data Stream Creation/Execution at Volume Root Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@w0rk3r w0rk3r marked this pull request as draft March 4, 2025 20:28
@w0rk3r
Copy link
Contributor Author

w0rk3r commented Mar 4, 2025

I am marking this as a Draft until we discuss the rule size issue with D&R

@botelastic
Copy link

botelastic bot commented May 14, 2025

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label May 14, 2025
@botelastic
Copy link

botelastic bot commented May 21, 2025

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

@botelastic botelastic bot closed this May 21, 2025
@Mikaayenson Mikaayenson reopened this May 21, 2025
@botelastic botelastic bot removed the stale 60 days of inactivity label May 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Aegrah Aegrah Aegrah approved these changes

@Mikaayenson Mikaayenson Awaiting requested review from Mikaayenson

@imays11 imays11 Awaiting requested review from imays11

@Samirbous Samirbous Awaiting requested review from Samirbous

@shashank-elastic shashank-elastic Awaiting requested review from shashank-elastic

@terrancedejesus terrancedejesus Awaiting requested review from terrancedejesus

At least 2 approving reviews are required to merge this pull request.

Assignees

@w0rk3r w0rk3r

Labels
backlog backport: auto Domain: Endpoint OS: Windows windows related rules Security Content
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@w0rk3r @tradebot-elastic @Aegrah @Mikaayenson @terrancedejesus