Detection Rules
12 rules found
| Control | ML | Level | Title (ATT&CK tags) | Log Source | FP Rate |
|---|---|---|---|---|---|
| E8-01 | ML2 | high | LOLBAS Proxy Execution Bypassing Application Control (E8-01) (attack.t1218, attack.t1218.005, attack.t1218.010, +1) | windows / process_creation | low |
| E8-01 | ML1 | medium | Executable Launched from User-Writable Path (E8-01 Application Control Bypass) (attack.t1036.005) | windows / process_creation | medium |
| E8-02 | ML1 | high | Browser Spawns Shell Process - Possible Unpatched App Exploitation (E8-02) (attack.t1203) | windows / process_creation | low |
| E8-03 | ML1 | high | Microsoft Office Application Spawns Shell or Script Process (E8-03) (attack.t1566.001, attack.t1059) | windows / process_creation | low |
| E8-03 | ML1 | high | Microsoft Office Writes Executable or Script to Disk (E8-03) (attack.t1566.001, attack.t1105) | windows / file_event | low |
| E8-04 | ML1 | high | WScript or CScript Executes Remote or Suspicious Script (E8-04) (attack.t1059.005, attack.t1059.007) | windows / process_creation | low |
| E8-04 | ML1 | medium | PowerShell Encoded Command Execution (E8-04 User App Hardening) (attack.t1059.001, attack.t1027) | windows / process_creation | medium |
| E8-05 | ML1 | high | New Local Administrator Account Created (E8-05 Restrict Admin Privileges) (attack.t1136.001) | windows / security | low |
| E8-05 | ML2 | medium | Pass-the-Hash NTLM Lateral Movement Indicator (E8-05) (attack.t1550.002) | windows / security | medium |
| E8-06 | ML2 | medium | Suspicious Token Impersonation or SeDebugPrivilege Abuse (E8-06) (attack.t1134, attack.t1134.001) | windows / security | medium |
| E8-07 | ML2 | high | MFA Fatigue Attack - Repeated Authentication Requests Denied (E8-07) (attack.t1621) | azure / signinlogs | low |
| E8-08 | ML1 | critical | Volume Shadow Copy Deletion via VSSAdmin or WMIC (E8-08 Backups) (attack.t1490) | windows / process_creation | low |