Core Threat Detection User Guide – AI Engine Rules
Compromise: Distributed Brute Force
Gaining access to an internal account is often the first step in a malicious actor's efforts to pilfer an organization. Because software frequently uses default logins and many users have inadequate passwords, this is an extraordinarily effective method (change your default passwords!!). This rule detects a successful brute force authentication from an external source -- it first tracks multiple failed authentication attempts from different external hosts against the same host and account, and then connects that with a following successful authentication.
AIE Rule ID: 3
Attack Lifecycle: Initial Compromise
Rule Description
A successful brute force authentication -- multiple failed authentication attempts from different external hosts to the same host using the same origin login, followed by an authentication success.
Common Event: AIE: Compromise: Distributed Brute Force
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 1
Log Sources (minimum)
AD/LDAP
Log Sources (recommended)
AD/LDAP, Host
Actions
This rule fires when the attacker was able to compromise at least one account. In this case, it is vital to quickly contain the compromise by disconnecting infected hosts, disabling the compromised account, and blocking the attacker's access -- organizations should have an incident response plan for a compromise. Also, after stopping the active attack, forensics will need to be conducted to ensure that no implant is hidden in the network, that information wasn't stolen, and that no other accounts were compromised.
Use Case
An attacker knows a login ID to a specific host and repeatedly attempts to authenticate using various passwords from different origin hosts in an attempt to mask the password guessing activity, and eventually successfully authenticates.
Recon: Failed Distributed Account Probe
Gaining access to an internal account is often the first step in a malicious actor's efforts to pilfer an organization. Because software frequently uses default logins and many users have inadequate passwords, this is an extraordinarily effective method (change your default passwords!!). This rule detects an unsuccessful account probe from an external source with the idea that an attacker knows a username and password but not a host that the account has access to -- it first tracks multiple failed authentication attempts from the same account but not the same impacted host. It looks for 5 or more failed authentications against different impacted hosts. If an authentication success is not seen within 15 minutes, the rule will fire.
AIE Rule ID: 9
Attack Lifecycle: Recon
Rule Description
The same external account unsuccessfully attempts to authenticate to multiple hosts within a short period of time.
Common Event: AIE: Recon: Failed Distributed Account Probe
Classification: Reconnaissance
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 1
Log Sources (minimum)
AD/LDAP
Log Sources (recommended)
AD/LDAP, Host
Actions
Responses to 'failure' alarms should include hardening the potential victim host and account and blocking the attacker. It is also useful to determine if the attack is a determined effort to compromise the network or just a passing probe. Perform follow-up investigations for additional logs generated by the attacker and victim. Remember that a failure alarm may mean that the attacker was still successful in other attempts.
Use Case
A malicious individual finds a "sticky note" with a username and password. The attacker then attempts to use these credentials on several different hosts, with no successful authentication observed.
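The two authentication rules above (Distributed Brute Force, AIE Rule ID 3, and Failed Distributed Account Probe, AIE Rule ID 9) are sequence correlations over the same login events, so one added example serves both. This is not LogRhythm's code: the event lines, the pipe-delimited field layout, the RFC 1918 definition of "internal", and rule 3's min_origins/window parameters are constructed assumptions; the 5 hosts and 15 minutes for rule 9 are the values the rule description states.

```python
"""Batch correlation for AIE rules 3 and 9 as described above.

Added example, not LogRhythm's rule engine. Event lines, the field layout
(timestamp|origin_ip|impacted_host|login|result) and the rule-3 thresholds
(min_origins, window) are constructed assumptions; the rule-9 numbers
(5 hosts, 15 minutes) come from the rule description.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events. 203.0.113.0/24 etc. are documentation ranges
# standing in for external attackers; 10.0.0.0/8 is the internal network.
SAMPLE_EVENTS = """\
2024-03-01T10:00:01|203.0.113.10|fileserver01|svc_backup|FAIL
2024-03-01T10:00:04|198.51.100.7|fileserver01|svc_backup|FAIL
2024-03-01T10:00:09|192.0.2.55|fileserver01|svc_backup|FAIL
2024-03-01T10:00:20|203.0.113.10|fileserver01|svc_backup|SUCCESS
2024-03-01T11:00:00|203.0.113.99|web01|jdoe|FAIL
2024-03-01T11:00:10|203.0.113.99|web02|jdoe|FAIL
2024-03-01T11:00:20|203.0.113.99|db01|jdoe|FAIL
2024-03-01T11:00:30|203.0.113.99|app01|jdoe|FAIL
2024-03-01T11:00:40|203.0.113.99|mail01|jdoe|FAIL
2024-03-01T11:05:00|10.0.0.5|web01|alice|FAIL
2024-03-01T11:05:30|10.0.0.5|web01|alice|SUCCESS
"""

# What counts as "internal" is an assumption: the RFC 1918 ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    """Turn the constructed pipe-delimited lines into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        ts, origin, host, login, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "origin": origin,
                       "host": host, "login": login,
                       "success": result == "SUCCESS",
                       "external": is_external(origin)})
    return sorted(events, key=lambda e: e["ts"])


def distributed_brute_force(events, min_origins=3, window=timedelta(minutes=10)):
    """Rule 3: failures from >= min_origins distinct external origins against the
    same (impacted host, login), followed by a success on that same pair."""
    failures = defaultdict(list)          # (host, login) -> [(ts, origin)]
    alerts = []
    for e in events:
        if not e["external"]:
            continue
        key = (e["host"], e["login"])
        if not e["success"]:
            failures[key].append((e["ts"], e["origin"]))
            continue
        recent = {origin for ts, origin in failures[key] if e["ts"] - ts <= window}
        if len(recent) >= min_origins:
            alerts.append({"rule": 3, "host": e["host"], "login": e["login"],
                           "origins": sorted(recent), "success_at": e["ts"]})
            failures[key].clear()         # crude suppression after firing
    return alerts


def failed_distributed_probe(events, min_hosts=5, grace=timedelta(minutes=15)):
    """Rule 9: one external login fails against >= min_hosts distinct impacted
    hosts and no success for that login is seen within `grace` of the last
    failure (batch evaluation; how the 15 minutes are anchored is an assumption)."""
    by_login = defaultdict(lambda: {"fails": [], "successes": []})
    for e in events:
        if e["external"]:
            bucket = by_login[e["login"]]
            bucket["successes" if e["success"] else "fails"].append(e)
    alerts = []
    for login, b in by_login.items():
        hosts = {f["host"] for f in b["fails"]}
        if len(hosts) < min_hosts:
            continue
        first = min(f["ts"] for f in b["fails"])
        last = max(f["ts"] for f in b["fails"])
        if any(first <= s["ts"] <= last + grace for s in b["successes"]):
            continue                      # a success arrived: that is rule 3's territory
        alerts.append({"rule": 9, "login": login, "hosts": sorted(hosts),
                       "first_fail": first, "last_fail": last})
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for alert in distributed_brute_force(evts) + failed_distributed_probe(evts):
        print(alert)
```

On the sample, rule 3 fires for svc_backup on fileserver01 (three external origins, then a success) and rule 9 fires for jdoe (five hosts, no success), while alice's internal failure-then-success is ignored by both because neither rule looks at internal origins.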
Lateral: External Attack then Account Creation
By itself, a single attack event can easily be a false positive or an inconsequential probe, and most large organizations can expect a significant number of these events every day. However, if that attack event is followed by a second, security-related event on the same host, such as a new account being created, it should be a major cause for concern. This is an indicator that the attack was successful and that the malicious actor has begun moving deeper into their attack cycle.
AIE Rule ID: 17
Attack Lifecycle: Lateral Movement
Rule Description
Attack or compromise event from an external source followed by an account creation on the same host.
Common Event: AIE: Lateral: External Attack then Acct Creation
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 1
Log Sources (minimum)
IDS/IPS
Log Sources (recommended)
IDS/IPS
Actions
The cost and recovery time of a compromise grows exponentially with each stage of the attack cycle, so it is imperative to stop the attack as early as possible. These rules indicate that the attacker has moved past the initial stages and is consolidating their beachhead. After the attack is stopped, it is very important to do a full sweep of the network for other signs of continued infection.
Use Case
A savvy hacker successfully attacked a machine to gain access. Once inside the exploited machine, the hacker creates an account for future access and exploitation.
Attainment: Log Cleared
By itself, a single attack event can easily be a false positive or an inconsequential probe, and most large organizations can expect a significant number of these events every day. However, if that attack event is followed by a second, security-related event on the same host, such as a log being erased, it should be a major cause for concern. This is an indicator that the attack was successful and that the malicious actor has begun moving deeper into their attack cycle.
AIE Rule ID: 19
Attack Lifecycle: Target Attainment
Rule Description
A compromise event from an external source followed by the audit log being cleared on the same compromised host. ETD CTD
Common Event: AIE: Attainment: Log Cleared
Classification: Security: Compromise
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 3
Log Sources (minimum)
Host Security Logs/AV/IDS/IPS
Log Sources (recommended)
NextGen Firewall
List
Not applicable
Actions
Run investigations for the impacted host and user that performed the activity. Check what process cleared the audit log and make sure it is legitimate.
Use Case
An attacker compromises a host and clears the audit log to cover their tracks.
Lateral: Privilege Escalation after Attack
By itself, a single attack event can easily be a false positive or an inconsequential probe, and most large organizations can expect a significant number of these events every day. However, if that attack event is followed by a second, security-related event on the same host, such as an account gaining new rights on the target, it should be a major cause for concern. This is an indicator that the attack was successful and that the malicious actor has begun moving deeper into their attack cycle.
AIE Rule ID: 29
Attack Lifecycle: Lateral Movement
Rule Description
A compromised host event is followed by a new account created or an account modified on the same host.
Common Event: AIE: Lateral: Privilege Escalation after Attack
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 2
False Positive Probability: 1
Log Sources (minimum)
IDS/Security/AD/LDAP
Log Sources (recommended)
IDS/Security/AD/LDAP
Actions
The cost and recovery time of a compromise grows exponentially with each stage of the attack cycle, so it is imperative to stop the attack as early as possible. These rules indicate that the attacker has moved past the initial stages and is consolidating their beachhead. After the attack is stopped, it is very important to do a full sweep of the network for other signs of continued infection.
Use Case
An IDS has detected some sort of hacking activity from an external host. Later, the same external host is seen successfully authenticating with an internal host, indicating a successful network penetration.
Lateral: Internal Attack then Account Creation
Attacks that originate from inside the network are particularly troubling -- an attacker has solidified their foothold on an infected machine and is spreading laterally through the organization's network. This rule will track attacks from a malicious actor against other hosts within the network that are followed by a second security event. If a new account is created on a target host, the malicious actor has successfully begun to move laterally throughout the network.
AIE Rule ID: 52
Attack Lifecycle: Lateral Movement
Rule Description
Attack or compromise event from an internal host followed by an account creation on the victim host.
Common Event: AIE: Lateral: Internal Attack then Acct Creation
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 4
Log Sources (minimum)
IDS/Security/AD/LDAP
Log Sources (recommended)
IDS/Security/AD/LDAP
Actions
Because the attack has already progressed to an advanced stage, it is imperative to stem the damage and stop the attack as early as possible. These rules indicate that the attacker has moved past the initial stages, is spreading throughout the network, and likely has already begun to pillage. After the attack is stopped, use the logs from the alarm to help with a full sweep of the network for other signs of continued infection.
Use Case
A system is successfully attacked, and the attacker then creates a new account on the system in order to maintain access.
Compromise: Malware Outbreak
Several malware events emanating from different hosts within the organization may be an indication that malware has begun to spread throughout the network. It may also mean those hosts are falling victim to an external zero-day exploit or other similar, external security event. In any case, an outbreak is more threatening than an isolated infection and should be treated accordingly.
AIE Rule ID: 72
Attack Lifecycle: Initial Compromise
Rule Description
Multiple observed malware detections or failed malware detections within a given period on different impacted hosts - grouped by Common Event and Threat Name. ETD CTD
Common Event: AIE: Compromise: Malware Outbreak
Classification: Compromise
Suppression Period: 2
Environmental Dependence Factor: 1
False Positive Probability: 3
Log Sources (minimum)
AV/IDS/IPS
Log Sources (recommended)
NextGen Firewall
List
N/A
Actions
Not applicable
Use Case
Not applicable
C2: Outbound IRC
IRC ports have been associated with botnet communication channels. If more than three different external hosts communicate with internal ones, this might be a sign of a peer botnet.
AIE Rule ID: 79
Attack Lifecycle: C2
Rule Description
An internal host is seen communicating using IRC ports.
Common Event: AIE: C2: Malware: Outbound IRC
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 7
Log Sources (minimum)
Firewall or Network Flow Data (internal/egress)
Log Sources (recommended)
LogRhythm Network Monitor, Next Gen Firewall (internal/egress)
Actions
Investigate the Origin IP if it is a known host and service; quarantine or remove it from the network if it is unknown. Block the Impacted and Origin IPs inbound and outbound on the perimeter Firewall. Determine whether the Origin IP was compromised and remediate as necessary; otherwise add the Impacted IP to a Watch List to determine whether the attack was successful.
Use Case
An internal host has been compromised and is now part of a botnet, typically controlled via IRC.
Lateral: Internal Recon then Account Creation
A malicious actor with access to an internal host will be in an ideal position for laterally moving to other hosts within the network. This can be detected when an internal host begins to scan other hosts for vulnerable ports. If it was able to create an account on a victim host, the attack was obviously successful.
AIE Rule ID: 86
Attack Lifecycle: Lateral Movement
Rule Description
Internal reconnaissance event followed by an account creation on the same target host, indicating a possible compromise.
Common Event: AIE: Lateral: Internal Recon then Account Creation
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 1
Log Sources (minimum)
IDS/Sec Evt, AD, LDAP
Log Sources (recommended)
Host
Actions
Since an internal host is already compromised, follow incident response procedures. Investigate the attacking host to see if it was able to access any additional hosts. Investigate the created account to see what actions it was able to take.
Use Case
An attacker scans a machine for open ports. The IDS then misses the actual attack, but shortly after the scan is detected a new account is created on the target machine, indicating some sort of attempt to maintain access.
Recon: Excessive HTTP Errors
As an attacker probes web applications for vulnerabilities, the web servers may generate dozens or hundreds of HTTP errors. This rule looks for an origin host logging 20 or more unique HTTP errors in 2 minutes. In addition to preemptively detecting potential attacks, tracking HTTP errors can also find broken links and other problems with web servers affecting normal use.
AIE Rule ID: 89
Attack Lifecycle: Recon
Rule Description
Excessive HTTP Error Codes seen on the same Impacted Host, originating from the same Origin Host, indicating some sort of automated scanning activity.
Common Event: AIE: Recon: Excessive HTTP Errors
Classification: Reconnaissance
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 4
Log Sources (minimum)
Web Server
Log Sources (recommended)
Web Server
Actions
Investigate the Origin IP if it’s a known host, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on the perimeter Firewall and determine what the Attacker was looking for to aid in evaluating if a compromise was successful. Determine if the Impacted IP Host and Application are known and quarantine if a compromise is found or add to the Watch List for further compromise assessment.
Use Case
An attacker has written a script that attempts to access various default phpmyadmin access directories on a given website. The attacker is running the script against a web server.
Recon: Metasploit Activity Observed
Metasploit has a default port for launching attacks. This rule will detect the use of the default port originating from within the organization's network.
AIE Rule ID: 111
Attack Lifecycle: Recon
Rule Description
Observed traffic on port 4444, the default port for most Metasploit attack vectors.
Common Event: AIE: Recon: Metasploit Activity Observed
Classification: Reconnaissance
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5
Log Sources (minimum)
Firewall or Network Flow Data (internal)
Log Sources (recommended)
LogRhythm Network Monitor, Next Gen Firewall (internal)
Actions
Investigate the Origin IP: if it is a known host, it should be added to the Vulnerability Scanner List; quarantine unknown hosts to a Remediation VLAN and block the Origin IP from inbound and outbound on the perimeter Firewall. Determine if the Impacted IP Host and Application are known, and quarantine if a compromise is found or add to the Watch List for further compromise assessment.
Use Case
An attacker is using Metasploit to launch an attack without changing the default port.
Compromise: Inbound RDP/VNC
RDP connections without a VPN are a security risk, and thus it is useful to identify when the protocol is used.
AIE Rule ID: 473
Attack Lifecycle: Initial Compromise
Rule Description
Remote Desktop Protocol (RDP) or VNC connection from an external to internal host.
Common Event: AIE: Compromise: Inbound RDP/VNC
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 3
Log Sources (minimum)
Firewall or Network Flow Data (perimeter)
Log Sources (recommended)
LogRhythm Network Monitor, Next Gen Firewall (perimeter)
Actions
Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, and block the Origin IP from inbound and outbound on the perimeter Firewall. Determine if the Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on the perimeter Firewall if unknown or add to the Watch List for further assessment.
Use Case
Valuable in detecting compromised hosts and network/policy abuse.
C2: Excessive Outbound Firewall Denies
A spike in firewall denies can indicate any number of issues, ranging from malware beaconing from infected machines and users running non-standard services to accidental blocking of updates. This rule alerts security analysts to begin investigating this suspicious behaviour.
AIE Rule ID: 475
Attack Lifecycle: C2
Rule Description
An excessive number (400) of network denied events from an internal host within 5 minutes.
Common Event: AIE: C2: Excessive Outbound Firewall Denies
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5
Log Sources (minimum)
Firewall or Network Flow Data (perimeter)
Log Sources (recommended)
LogRhythm Network Monitor, Next Gen Firewall (perimeter)
Actions
Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, and block the Origin IP from inbound and outbound on the perimeter Firewall. Determine if the Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on the perimeter Firewall if unknown or add to the Watch List for further assessment.
Use Case
An internally compromised host is attempting communication via the blocked protocol.
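Excessive HTTP Errors (AIE Rule ID 89: 20 unique errors in 2 minutes) and Excessive Outbound Firewall Denies (AIE Rule ID 475: 400 denies in 5 minutes; the inbound variant, AIE Rule ID 744, uses the same numbers) are both sliding-window counts keyed on a host, so this added example implements that detector once and applies it to both rules. It is not LogRhythm's code: the combined-format web log lines, the firewall deny line format, the impacted host name and the reading of "unique" as distinct request paths are all constructed assumptions.

```python
"""Sliding-window threshold detector behind AIE rules 89 (Excessive HTTP
Errors), 475 and 744 (Excessive Firewall Denies) as described above.

Added example, not LogRhythm's rule engine. Both log formats and all sample
lines are constructed here; "unique HTTP errors" is interpreted as distinct
request paths returning a status >= 400, which is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def windowed_threshold(events, key, window, threshold, distinct=None):
    """Fire once per key as soon as >= threshold events (optionally distinct
    on distinct(e)) fall inside the sliding window ending at the newest event."""
    buckets = defaultdict(deque)
    fired = set()                       # one alarm per key (suppression)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        k = key(e)
        q = buckets[k]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()                 # drop events that aged out of the window
        if k in fired:
            continue
        seen = {distinct(x) for x in q} if distinct else q
        if len(seen) >= threshold:
            alerts.append({"key": k, "first": q[0]["ts"], "last": e["ts"], "count": len(seen)})
            fired.add(k)
    return alerts


# --- Rule 89: 20 or more unique HTTP errors from one origin in 2 minutes -----
WEB_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
IMPACTED_HOST = "web01"                 # the web server that wrote the log (assumed)


def constructed_web_log():
    base = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = [f'203.0.113.50 - - [{(base + timedelta(seconds=4 * i)).strftime(fmt)}] '
             f'"GET /admin{i}/ HTTP/1.1" 404 162' for i in range(25)]   # scanner
    lines += [f'10.0.0.8 - - [{(base + timedelta(seconds=30 * i)).strftime(fmt)}] '
              f'"GET /page{i} HTTP/1.1" {404 if i == 0 else 200} 512' for i in range(3)]
    return lines


def http_error_alerts(lines=None):
    events = []
    for m in map(WEB_LOG_RE.match, lines or constructed_web_log()):
        if m and int(m["status"]) >= 400:
            events.append({"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                           "origin": m["ip"], "path": m["path"]})
    return windowed_threshold(events, key=lambda e: (IMPACTED_HOST, e["origin"]),
                              window=timedelta(minutes=2), threshold=20,
                              distinct=lambda e: e["path"])


# --- Rules 475/744: 400 denied events from one host in 5 minutes -------------
FW_LOG_RE = re.compile(r'^(?P<ts>\S+) deny src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)')


def constructed_fw_log():
    base = datetime(2024, 3, 1, 10, 0)
    lines = [f"{(base + timedelta(milliseconds=500 * i)).isoformat()} deny src=10.0.0.23 dst=203.0.113.77 dpt=6667"
             for i in range(450)]                                   # beaconing host
    lines += [f"{(base + timedelta(seconds=10 * i)).isoformat()} deny src=10.0.0.9 dst=198.51.100.4 dpt=445"
              for i in range(50)]                                   # noisy, but below threshold
    return lines


def firewall_deny_alerts(lines=None):
    events = [{"ts": datetime.fromisoformat(m["ts"]), "src": m["src"]}
              for m in map(FW_LOG_RE.match, lines or constructed_fw_log()) if m]
    return windowed_threshold(events, key=lambda e: e["src"],
                              window=timedelta(minutes=5), threshold=400)


if __name__ == "__main__":
    print(http_error_alerts())
    print(firewall_deny_alerts())
```

The deque per key is what keeps this cheap on a busy sensor: each event is appended once and evicted once, so memory is bounded by the window rather than by the log volume. The `fired` set stands in for the rule's Suppression Period; a production engine would expire that suppression instead of keeping it for the whole batch.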
Lateral: Password Modified by Admin
Tracking administrator actions is useful for both auditing potential privilege abuse and for security monitoring. This rule will alarm when a user account (defined in your LogRhythm list "Privileged users") changes the password of another user.
AIE Rule ID: 510
Attack Lifecycle: Lateral Movement
Rule Description
Privileged user changes the password of another account.
Common Event: AIE: Lateral: Password Modified by Admin
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 2
False Positive Probability: 8
Log Sources (minimum)
AD/LDAP
Log Sources (recommended)
Host
Actions
Verify the change control procedure has been followed and that this user's password was reset according to standards and guidelines.
Use Case
A privileged user changes the password of another user.
Lateral: Admin Password Modified
Tracking administrator actions is useful for both auditing potential privilege abuse and for security monitoring. This rule will alarm when a user account (defined in your LogRhythm list "Privileged users") has its password modified by another user.
AIE Rule ID: 511
Attack Lifecycle: Lateral Movement
Rule Description
A user changes the password of a privileged account belonging to a different user.
Common Event: AIE: Lateral: Admin Password Modified
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 2
False Positive Probability: 3
Log Sources (minimum)
AD/LDAP
Log Sources (recommended)
Host
List: Privilege Users (-2091)
Actions
Verify the admin was aware of the password change. Also, verify change control procedure has been followed and that this user's password was reset according to standards and guidelines.
Use Case
A user's password has been changed by a privileged user.
Recon: Multiple Lockouts
Account lockouts are a fairly normal occurrence -- a user may forget their password or type it incorrectly several times. However, if the same account is having multiple lockouts per hour, then it may be a sign of brute force authentication attempts.
AIE Rule ID: 546
Attack Lifecycle: Recon
Rule Description
An account is locked out 2 or more times per hour.
Common Event: AIE: Recon: Multiple Lockouts
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5
Log Sources (minimum)
AD/LDAP
Log Sources (recommended)
Host
Actions
Accounts under attack should be temporarily disabled while under investigation. Attack sources should be blocked via a firewall or other security devices.
Use Case
In large companies, it sometimes can be daunting and tedious to sift through the "noise" of potential operational events of interest. This alarm alerts when accounts are locked out 2 or more times in an hour instead of every time an account is locked out.
Compromise: Attack then Outbound Connection
Attack events that are followed by an external connection might be a sign of a malicious implant beaconing back to a control server.
AIE Rule ID: 711
Attack Lifecycle: C2
Rule Description
An observed external attack or compromise followed by data leaving the system and going to the attacker.
Common Event: AIE: C2: Attack then Outbound Connection
Classification: Attack
Suppression Period: 24
Environmental Dependence Factor: 1
False Positive Probability: 5
Log Sources (minimum)
IDS/IPS and Firewall or Network Flow Data
Log Sources (recommended)
LogRhythm Network Monitor, Next-Gen Firewall
Actions
Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, and block the Origin IP from inbound and outbound on the perimeter Firewall. Determine if the Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on the perimeter Firewall if unknown or add to the Watch List for further assessment.
Use Case
An attacker is looking for sensitive financial information. The attacker successfully compromises a host and is able to copy the information to the attacker's host.
Corruption: Audit Disabled by Admin
After achieving privilege escalation, a malicious actor will attempt to hide their tracks. This means removing data from logs, hiding malicious files, and disabling audits. Fortunately, LogRhythm collects logs in real-time, meaning that these events can be tracked.
AIE Rule ID: 713
Attack Lifecycle: Exfiltration, Corruption
Rule Description
Login by an administrator followed by disabling of an audit process.
Common Event: AIE: Corruption: Audit Disabled by Admin
Classification: Compromise
Suppression Period: 8
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
AD/LDAP, Host Logs
Log Sources (recommended)
AD/LDAP, Host Logs
List: Privilege Users (-2091)
Actions
If audits are being disabled, it is highly likely that malicious activity is taking place. Immediately launch LogRhythm investigations on the Log Source where this is occurring.
Use Case
A disgruntled administrator plans on malicious activity and disables auditing beforehand to ensure the activity isn't logged.
Configuration
An include filter where Origin Login = list of privileged user IDs must be entered into RB1.
Lateral: Locally Created and Used
Local accounts can sometimes be used as an effective method for avoiding security restrictions and detection. This rule looks for a user creating a local account followed by the same user logging into that account.
AIE Rule ID: 715
Attack Lifecycle: Lateral Movement
Rule Description
An account is created on a host and then used shortly thereafter on the same host. ETD CTD
Common Event: AIE: Lateral: Locally Created and Used
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5
Log Sources (minimum)
Host Security Logs
Log Sources (recommended)
Single Sign-On Logs
List
N/A
Actions
Not applicable
Use Case
Not applicable
Exfil: Lateral Movement then Exfil
Attacks that originate from inside the network are particularly troubling -- an attacker has solidified their foothold on an infected machine and is spreading laterally through the organization's network. This rule will track attacks from a malicious actor against other hosts within the network that are followed by a second security event. If a large amount of traffic leaves the target host, the malicious actor has successfully begun to exfiltrate data from the target.
AIE Rule ID: 716
Attack Lifecycle: Exfil
Rule Description
Attack or compromise event from an internal host followed by data leaving the victim host. ETD CTD
Common Event: AIE: Exfil: Lateral Movement then Exfil
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5
Log Sources (minimum)
Host Security Logs/AV/IDS/IPS
Log Sources (recommended)
NextGen Firewall
List
N/A
Actions
Not applicable
Use Case
Not applicable
C2: Port Misuse: 53
In order to hide command and control communication among legitimate traffic, malicious implants may use standard protocol ports even if their covert channels don't conform to protocol standards. Because LogRhythm Network Monitor can accurately identify protocols without relying solely on ports, it can detect port misuse by such malware.
AIE Rule ID: 739
Attack Lifecycle: C2
Rule Description
Traffic not using DNS over the common DNS port (53).
Common Event: AIE: C2: Port Misuse: 53
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 2
False Positive Probability: 6
Log Sources (minimum)
LogRhythm Network Monitor
Log Sources (recommended)
LogRhythm Network Monitor
Actions
Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, and block the Origin IP from inbound and outbound on the perimeter Firewall. Determine if the Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on the perimeter Firewall if unknown or add to the Watch List for further assessment.
Use Case
Detection of local hosts tunnelling traffic over port 53. This would typically be a violation of network policy and a security risk.
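As an added illustration of the content-based idea behind Port Misuse: 53 (this is not LogRhythm Network Monitor's classifier, whose internals the page does not describe), the following checks whether a UDP payload carried on port 53 is structurally a DNS message: header fields, label lengths, compression pointers and record lengths must all be consistent. The checks are a heuristic of mine and every sample payload is constructed.

```python
"""Content-based check that a UDP payload seen on port 53 is really DNS, the
idea behind AIE rule 739 (Port Misuse: 53) as described above.

Added example, not LogRhythm Network Monitor's protocol classifier. The
structural checks are a heuristic of my own; sample payloads are constructed.
"""
import struct


def _skip_name(buf, off):
    """Walk an RFC 1035 name; return the offset after it, or None if malformed."""
    end, total, hops = None, 0, 0
    while True:
        if off >= len(buf):
            return None
        n = buf[off]
        if n == 0:                             # root label terminates the name
            off += 1
            break
        if n & 0xC0 == 0xC0:                   # compression pointer
            if off + 1 >= len(buf):
                return None
            target = ((n & 0x3F) << 8) | buf[off + 1]
            if target >= off or hops > 16:     # pointers only go backwards
                return None
            end = end if end is not None else off + 2
            off, hops = target, hops + 1
            continue
        if n > 63 or total + n + 1 > 255:      # label and name length limits
            return None
        total += n + 1
        off += n + 1
    return off if end is None else end


def looks_like_dns(payload):
    """Return (verdict, reason) for a UDP payload claimed to be DNS."""
    if len(payload) < 12:
        return False, "shorter than the 12-byte DNS header"
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 5:
        return False, f"unassigned opcode {opcode}"
    if flags & 0x0040:
        return False, "reserved Z bit set"
    if opcode == 0 and qd != 1:
        return False, f"standard query/response with qdcount={qd}"
    off = 12
    for _ in range(qd):                        # question section
        off = _skip_name(payload, off)
        if off is None or off + 4 > len(payload):
            return False, "malformed question name"
        _qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        if qclass not in (1, 3, 4, 254, 255):  # IN, CH, HS, NONE, ANY
            return False, f"unknown qclass {qclass}"
        off += 4
    for _ in range(an + ns + ar):              # answer, authority, additional
        off = _skip_name(payload, off)
        if off is None or off + 10 > len(payload):
            return False, "malformed resource record"
        rdlen = struct.unpack("!H", payload[off + 8:off + 10])[0]
        off += 10 + rdlen
        if off > len(payload):
            return False, "rdlength runs past end of message"
    if off != len(payload):
        return False, "trailing bytes after last record"
    return True, "well-formed DNS message"


def port_misuse(dport, payload):
    """True when traffic on the DNS port does not parse as DNS."""
    return dport == 53 and not looks_like_dns(payload)[0]


# Constructed payloads. A query for example.com, type A, class IN:
QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
# The matching response, using a compression pointer (0xC00C) for the answer name:
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00"
            + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
# Something that is not DNS at all, pushed over port 53:
HTTP_ON_53 = b"GET / HTTP/1.1\r\nHost: internal\r\n\r\n"
# DNS-shaped header but an impossible 127-byte label:
BAD_LABEL = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + b"\x7f" + b"A" * 127 + b"\x00" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for name, p in [("query", QUERY), ("response", RESPONSE), ("http", HTTP_ON_53), ("bad label", BAD_LABEL)]:
        print(name, looks_like_dns(p))
```

A check like this only tells you the payload is not DNS; well-formed DNS tunnelling (long TXT records, high query volume to one domain) passes it and needs the volume-based rules elsewhere in this guide. The strict "no trailing bytes" rule is the most likely source of false positives against unusual but legitimate resolvers, so it is the first thing to relax when tuning.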
Exfiltration: Large Outbound Transfer
Most hosts in an organization will be data sinks, meaning that they should receive much more data than they send. For the most part, it will be rare for a typical host to upload 1GB of data in a single, 30-minute-long session. If doing so, this might be a sign of data exfiltration.
AIE Rule ID: 742
Attack Lifecycle: Exfiltration
Rule Description
A single host is seen sending a lot of data, within the same 30-minute-long session, out of the network.
Common Event: AIE: Exfiltration: Large Outbound Transfer
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 2
False Positive Probability: 2
Log Sources (minimum)
Firewall or Network Flow Data
Log Sources (recommended)
LogRhythm Network Monitor, Next-Gen Firewall
Actions
Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, and block the Origin IP from inbound and outbound on the perimeter Firewall. Determine if the Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on the perimeter Firewall if unknown or add to the Watch List for further assessment.
Use Case
A disgruntled employee is exfiltrating Intellectual Property out of the network.
Recon: Excessive Inbound Firewall Denies
A spike of inbound firewall denies can indicate any number of issues -- external scans, improper port use, or even malware command and control.
AIE Rule ID: 744
Attack Lifecycle: Recon
Rule Description
For this rule, we look for an excessive number (400) of network denied events from a host within 5 minutes.
Common Event: AIE: Recon: Excessive Inbound Firewall Denies
Classification: Reconnaissance
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 9
Log Sources (minimum)
Firewall or Network Flow Data (perimeter)
Log Sources (recommended)
LogRhythm Network Monitor, Next Gen Firewall (perimeter)
Actions
Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, and block the Origin IP from inbound and outbound on the perimeter Firewall. Determine if the Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on the perimeter Firewall if unknown or add to the Watch List for further assessment.
Use Case
An external compromised host is attempting communication via a blocked protocol.
Compromise: Repeated Attacks Against Host
This AI Engine rule looks for 10 or more attacks, malware, or other security activity logs in a short time span. Such redundancy reduces the chance of being bogged down by one-off false positives. Using the Vendor Message ID field as the Group By value will focus on devices like IDSs that assign signature values.
AIE Rule ID: 770
Attack Lifecycle: Initial Compromise
Rule Description
The same security event is detected on the same host multiple times within a short window.
Common Event: AIE: Compromise: Repeated Attacks Against Host
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5
Log Sources (minimum)
IDS/IPS
Log Sources (recommended)
Next-Gen Firewall
Actions
Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, and block the Origin IP from inbound and outbound on the perimeter Firewall. Determine if the Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on the perimeter Firewall if unknown or add to the Watch List for further assessment.
Use Case
A Snort IDS deployment is firing repeatedly because an infected host is attempting to spread on the network.
C2: External DNS Server Used
For security reasons, an organization might want all DNS requests to go through its own DNS server. If a host is circumventing this system, it might be a sign of malware infection or possibly misconfiguration.
AIE Rule ID: 776
Attack Lifecycle: C2
Rule Description
Internal hosts use an external DNS server.
Common Event: AIE: C2: External DNS Server Used
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 4
Log Sources (minimum)
Firewall or Network Flow Data
Log Sources (recommended)
LogRhythm Network Monitor, Next-Gen Firewall
Actions
Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, and block the Origin IP from inbound and outbound on the perimeter Firewall. Determine if the Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on the perimeter Firewall if unknown or add to the Watch List for further assessment.
Use Case
A network host has been infected with malware and is using a compromised external DNS server.
Compromise: Malware Not Cleaned
In some cases, a malware removal tool will quarantine or delete malware only for it to pop back from memory or another hiding place. This rule will find instances where a malware cleaning event is followed by a malware detection event on the same host.
AIE Rule ID: 783
Attack Lifecycle: Initial Compromise
Rule Description
A malware removal event from a host is followed immediately (within 1 hour) by another malware event. This indicates that the malware was not completely removed. ETD CTD
Common Event: AIE: Compromise: Malware Not Cleaned
Classification: Malware
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5
Log Sources (minimum)
Host Security Logs/Host Application Logs/AV/IDS/IPS
Log Sources (recommended)
NextGen Firewall
List
N/A
Actions
Not applicable
Use Case
Not applicable
Progression: to Initial Compromise
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
AIE Rule ID: 1003
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
Common Event: AIE: Progression: to Initial Compromise
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Command and Control
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same user or host.
AIE Rule ID: 1004
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same user or host.
Common Event: AIE: Progression: to Command and Control
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Lateral Movement
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.
AIE Rule ID: 1005
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.
Common Event: AIE: Progression: to Lateral Movement
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Target Attainment
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Target Attainment with the same user or host.
AIE Rule ID: 1006
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Target Attainment with the same user or host.
Common Event: AIE: Progression: to Target Attainment
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Exfiltration, Corruption, Disruption
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Exfiltration, Corruption, or Disruption with the same user or host.
AIE Rule ID: 1007
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Exfiltration, Corruption, or Disruption with the same user or host.
Common Event: AIE: Progression: to Exfil, Corruption, Disruption
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Initial Compromise
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
AIE Rule ID: 1008
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
Common Event: AIE: Progression: to Initial Compromise
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Command and Control
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same user or host.
AIE Rule ID: 1009
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same user or host.
Common Event: AIE: Progression: to Command and Control
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Lateral Movement
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.
AIE Rule ID: 1010
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.
Common Event: AIE: Progression: to Lateral Movement
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Target Attainment
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Target Attainment with the same user or host.
AIE Rule ID: 1011
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Target Attainment with the same user or host.
Common Event: AIE: Progression: to Target Attainment
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Exfiltration, Corruption, Disruption
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Exfiltration, Corruption, or Disruption with the same user or host.
AIE Rule ID: 1012
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Exfiltration, Corruption, or Disruption with the same user or host.
Common Event: AIE: Progression: to Exfiltration, Corruption, Disruption
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Initial Compromise
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
AIE Rule ID: 1013
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
Common Event: AIE: Progression: to Initial Compromise
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Command and Control
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same user or host.
AIE Rule ID: 1014
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same user or host.
Common Event: AIE: Progression: to Command and Control
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Lateral Movement
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.
AIE Rule ID: 1015
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.
Common Event: AIE: Progression: to Lateral Movement
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Target Attainment
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Target Attainment with the same user or host.
AIE Rule ID: 1016
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Target Attainment with the same user or host.
Common Event: AIE: Progression: to Target Attainment
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
Progression: to Exfiltration, Corruption, Disruption
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Exfiltration, Corruption, or Disruption with the same user or host.
AIE Rule ID: 1017
Attack Lifecycle: Progression
Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Exfiltration, Corruption, or Disruption with the same user or host.
Common Event: AIE: Progression: to Exfil, Corruption, Disruption
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1
Log Sources (minimum)
Not applicable
Log Sources (recommended)
Not applicable
Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Use Case
Not applicable
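All of the Progression rules above share one correlation: an AIE event at a later Attack Lifecycle stage that has a Host (Impacted), Host (Origin) or User (Origin) in common with an earlier-stage event. The following is an added example of that correlation over a stream of feedback events; it is not LogRhythm AI Engine code. The event structure, the 24-hour pairing window, matching entities per field (an Origin host does not match an Impacted host of the same name), and the sample rule names marked "(constructed)" are assumptions; the stage order is the one the rule titles imply.

```python
"""Correlation logic for the Progression rules: fire when an AIE event at a later
Attack Lifecycle stage shares a Host (Impacted), Host (Origin) or User (Origin)
with an earlier-stage event.

Added example, not LogRhythm AI Engine code. The event structure, the 24-hour
pairing window, per-field entity matching and the rule names marked
"(constructed)" are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Attack Lifecycle stages in order; an alarm needs a strictly earlier stage before a later one.
STAGES = ["Reconnaissance and Planning", "Initial Compromise", "Command and Control",
          "Lateral Movement", "Target Attainment", "Exfiltration, Corruption, Disruption"]
RANK = {stage: i for i, stage in enumerate(STAGES)}
ENTITY_FIELDS = ("host_impacted", "host_origin", "user_origin")


def progression_alarms(feedback_events, window=timedelta(hours=24)) -> list:
    """Replay AIE feedback events in time order and return the Progression alarms.

    `seen` indexes prior events by (field, value) so each lookup is per entity rather
    than a scan of all history. An event raises at most one alarm (the first matching
    entity wins) so one later-stage event does not alarm once per shared field."""
    seen = defaultdict(list)  # (field, value) -> [(ts, stage, rule), ...]
    alarms = []
    for ev in sorted(feedback_events, key=lambda e: e["ts"]):
        stage = ev["stage"]
        match = None
        for field in ENTITY_FIELDS:
            value = ev.get(field)
            if not value:
                continue
            for prior_ts, prior_stage, prior_rule in seen[(field, value)]:
                if RANK[prior_stage] < RANK[stage] and ev["ts"] - prior_ts <= window:
                    match = (field, value, prior_stage, prior_rule)
                    break
            if match:
                break
        if match:
            field, value, prior_stage, prior_rule = match
            alarms.append({"alarm": f"Progression: to {stage}", "entity": (field, value),
                           "from_stage": prior_stage, "from_rule": prior_rule, "rule": ev["rule"]})
        for field in ENTITY_FIELDS:  # record this event for later-stage events to match against
            if ev.get(field):
                seen[(field, ev[field])].append((ev["ts"], stage, ev["rule"]))
    return alarms


def t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed feedback events; rule names marked (constructed) are not rules documented here.
SAMPLE_EVENTS = [
    {"ts": t("2024-03-01T09:00:00"), "rule": "Recon: Account Probe (constructed)",
     "stage": "Reconnaissance and Planning", "host_impacted": "srv-db01", "user_origin": "jdoe"},
    {"ts": t("2024-03-01T09:20:00"), "rule": "Compromise: Malware Not Cleaned",
     "stage": "Initial Compromise", "host_impacted": "srv-db01"},             # alarm: to Initial Compromise
    {"ts": t("2024-03-01T10:05:00"), "rule": "C2: External DNS Server Used",
     "stage": "Command and Control", "host_origin": "srv-db01", "host_impacted": "203.0.113.9"},  # no shared field
    {"ts": t("2024-03-01T10:30:00"), "rule": "Lateral: Admin Share Access (constructed)",
     "stage": "Lateral Movement", "host_origin": "srv-db01", "host_impacted": "srv-file02"},      # alarm: to Lateral Movement
    {"ts": t("2024-03-01T11:00:00"), "rule": "Recon: Account Probe (constructed)",
     "stage": "Reconnaissance and Planning", "user_origin": "jdoe"},          # earlier stage after later ones: no alarm
    {"ts": t("2024-03-04T11:00:00"), "rule": "Target: Data Access (constructed)",
     "stage": "Target Attainment", "user_origin": "jdoe"},                     # outside the window: no alarm
]

if __name__ == "__main__":
    for alarm in progression_alarms(SAMPLE_EVENTS):
        print(f"{alarm['alarm']}: {alarm['entity']} seen in {alarm['from_stage']} "
              f"({alarm['from_rule']}) then {alarm['rule']}")
```

The third sample event shows the effect of per-field matching: srv-db01 was the Impacted host in the Initial Compromise event and the Origin host in the C2 event, so no alarm fires between them. Collapsing both host fields into a single key would make that pair alarm too; which behaviour is right depends on how your rules populate the two host fields.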
Compromise: Obsolete SSL/TLS Version
Older SSL/TLS versions (SSLv2, SSLv3, TLS 1.0 and TLS 1.1) have known weaknesses that attackers can exploit, and all four are formally deprecated. Visibility into the devices still negotiating these versions lets an organization identify the systems that need to be reconfigured or upgraded.
AIE Rule ID: 1180
Attack Lifecycle: Initial Compromise
Rule Description
SSL/TLS Vulnerable Versions Detected.
Common Event: AIE: Compromise: Obsolete SSL/TLS Version
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 2
False Positive Probability: 3
Log Sources (minimum)
Firewall or Network Flow Data
Log Sources (recommended)
LogRhythm Network Monitor, Next-Gen Firewall
Actions
Investigate the Origin IP and, if it is known, the Origin Application; quarantine unknown hosts to a Remediation VLAN and block the Origin IP inbound and outbound on the perimeter Firewall. Determine whether the Impacted IP's host, application and reputation are known; if they are not, block the Impacted IP inbound and outbound on the perimeter Firewall, otherwise add it to the Watch List for further assessment. Where both ends are known internal systems, the lasting fix is to disable the obsolete protocol versions on the server and update the client, since blocking alone leaves the weak configuration in place.
Use Case
Older versions of SSL/TLS expose sessions to Man In The Middle (MITM) attacks in which data the endpoints believe is encrypted can be read by an unintended recipient. Many web servers and browsers are still configured to "fall back" to an older, most likely vulnerable version when they cannot negotiate the recommended one, and an attacker positioned on the path can provoke that fallback by interfering with the handshake (a downgrade attack).
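The version check behind this detection is made against the server's handshake message, not the record header. The following is an added example of that check, not LogRhythm Network Monitor code: it parses a TLS record carrying a ServerHello, extracts the negotiated version, and flags the deprecated ones. The ServerHello records it tests against are constructed by build_server_hello(), not captured traffic.

```python
"""Classify the SSL/TLS version negotiated in a ServerHello, the check behind an
Obsolete SSL/TLS Version detection.

Added example, not LogRhythm Network Monitor code. build_server_hello() constructs
test records; they are not captured traffic."""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Deprecated versions: SSLv3 (RFC 7568), TLS 1.0 and 1.1 (RFC 8996). SSLv2 (RFC 6176)
# uses a different record format and never reaches this parser.
OBSOLETE = {0x0300, 0x0301, 0x0302}
SUPPORTED_VERSIONS_EXT = 43


def negotiated_version(record: bytes) -> int:
    """Return the protocol version a server chose, from a handshake record holding its ServerHello.

    The record-layer version bytes are deliberately ignored: stacks commonly put
    0x0301 or 0x0303 there regardless of what is negotiated. TLS 1.3 servers keep
    legacy_version = 0x0303 in the ServerHello and signal 1.3 through the
    supported_versions extension, so that extension wins when present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hs_len]
    (legacy_version,) = struct.unpack("!H", sh[0:2])
    pos = 2 + 32                      # version, 32-byte random
    pos += 1 + sh[pos]                # session id (length-prefixed)
    pos += 2 + 1                      # cipher suite, compression method
    if pos >= len(sh):
        return legacy_version         # no extensions block at all
    (ext_total,) = struct.unpack("!H", sh[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", sh[pos:pos + 4])
        pos += 4
        if ext_type == SUPPORTED_VERSIONS_EXT and ext_len == 2:
            (selected,) = struct.unpack("!H", sh[pos:pos + 2])
            return selected
        pos += ext_len
    return legacy_version


def classify(record: bytes) -> dict:
    version = negotiated_version(record)
    return {"version": VERSION_NAMES.get(version, hex(version)), "obsolete": version in OBSOLETE}


def build_server_hello(legacy_version: int, supported_version=None) -> bytes:
    """Construct a minimal ServerHello record: empty session id, one cipher suite, null compression."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if supported_version is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, supported_version)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", legacy_version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for label, rec in [("SSLv3", build_server_hello(0x0300)),
                       ("TLS 1.0", build_server_hello(0x0301)),
                       ("TLS 1.2", build_server_hello(0x0303)),
                       ("TLS 1.3", build_server_hello(0x0303, 0x0304))]:
        print(label, classify(rec))
```

Two things matter when applying this to real traffic. The TLS 1.3 case is the one that trips naive sensors: keying on the two version bytes of the record header or of legacy_version reports a 1.3 session as 1.2, so a tool that does that will undercount modern servers rather than misflag them, but its inventory will be wrong. And a non-obsolete version negotiated with a weak cipher suite is still a finding; that check is outside this rule's scope.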