MITRE ATT&CK® Ransomware Module User Guide

This guide is meant to be used as a day-to-day reference for the MITRE ATT&CK content. All the content included in this module is listed here along with a detailed explanation, suggested response, and configuration and tuning notes.

Suppression Multiple: The Suppression Multiple in conjunction with the Suppression Period defines how much time must pass before the same AI Engine rule can be triggered again for the same set of criteria.

Environmental Dependence Factor: EDF is a high-level quantification of how much effort is required in configuration and tuning for an AI Engine rule to perform as expected. This setting has no impact on processing.

False Positive Probability: The False Positive Probability is used in Risk-Based Priority (RBP) calculation for AI Engine Rules. It estimates how likely the rule is to generate a false positive response. A value of low indicates the pattern the rule matches is almost always a true positive. However, a value of high indicates the pattern the rule matches is very likely to be a false positive.

Options range from 0 to 9 with:

• 0 indicating the pattern the rule matched is almost always a true positive 
• 9 indicating the pattern the rule matched is very likely to be a false positive
  

T1003:OS Credential Dumping

AIE Rule ID: 1449

MITRE Tactic: Credential Access

Rule Description: T1003:OS Credential Dumping

Common Event: AIE:T1003:OS Credential Dumping

Classification: Security/Suspicious

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Credential Access
Technique: OS Credential Dumping
Rule Created: 2/8/2019
Rule Updated: 1/5/2021

AIE Rule

T1007:System Service Discovery

AIE Rule ID: 1452

MITRE Tactic: Discovery

Rule Description: T1007:System Service Discovery

Common Event: AIE:T1007:System Service Discovery

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Discovery
Technique: System Service Discovery
Rule Created: 2/4/2019
Rule Updated: 1/5/2021

AIE Rule

T1012:Query Registry

AIE Rule ID: 1453

MITRE Tactic: Discovery

Rule Description: T1012:Query Registry

Common Event: AIE:T1012:Query Registry

Classification: Security/Activity

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Discovery
Technique: Query Registry
Rule Created: 2/4/2019
Rule Updated: 1/5/2021

AIE Rule

T1016:System Network Configuration Discovery

AIE Rule ID: 1454

MITRE Tactic: Discovery

Rule Description: T1016:System Network Configuration Discovery

Common Event: AIE:T1016:System Network Configuration Discovery

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Discovery
Technique: System Network Configuration Discovery
Rule Created: 2/7/2019
Rule Updated: 1/5/2021

AIE Rule

T1033:System Owner-User Discovery

AIE Rule ID: 1455

MITRE Tactic: Discovery

Rule Description: T1033:System Owner-User Discovery

Common Event: AIE:T1033:System Owner-User Discovery

Classification: Security/Reconnaissance

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactic: Discovery
Technique: System Owner/User Discovery
Rule Created: 2/8/2019
Rule Updated: 1/5/2021

AIE Rule

T1048:Exfiltration Over Alternative Protocol

AIE Rule ID: 1456

MITRE Tactic: Exfiltration

Rule Description: T1048:Exfiltration Over Alternative Protocol

Common Event: AIE:T1048:Exfiltration Over Alternative Protocol

Classification: Security/Activity

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Exfiltration
Technique: Exfiltration Over Alternative Protocol
Rule Created:2/9/2019
Rule Updated: 1/5/2021

AIE Rule

T1018:Remote System Discovery

AIE Rule ID: 1457

MITRE Tactic: Discovery

Rule Description: T1018:Remote System Discovery

Common Event: AIE:T1018:Remote System Discovery

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Discovery
Technique: Remote System Discovery
Rule Created: 2/27/2019
Rule Updated: 1/5/2021

AIE Rule

T1543.003:Windows Service

AIE Rule ID: 1459

MITRE Tactic: Persistence, Privilege Escalation

Rule Description: T1543.003:Windows Service

Common Event: AIE:T1543.003:Windows Service

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactics: Persistence, Privilege Escalation
Technique: Windows Service
Rule Created: 2/20/2019
Rule Updated: 1/5/2021

AIE Rule

T1547.001:Registry Run Keys/Startup Folder

AIE Rule ID: 1460

MITRE Tactic: Persistence

Rule Description: T1547.001:Registry Run Keys/Startup Folder

Common Event: AIE:T1547.001:Registry Run Keys/Startup Folder

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Persistence
Technique: Registry Run Keys/Startup Folder
Rule Created:2/9/2019
Rule Updated: 1/5/2021

AIE Rule

T1059:Command and Scripting Interpreter

AIE Rule ID: 1461

MITRE Tactic: Execution

Rule Description: T1059:Command and Scripting Interpreter

Common Event: AIE:T1059:Command and Scripting Interpreter

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Execution
Technique: Command and Scripting Interpreter
Rule Created: 2/11/2019
Rule Updated: 1/5/2021

AIE Rule

T1021.002:SMB/Windows Admin Shares

AIE Rule ID: 1462

MITRE Tactic: Lateral Movement

Rule Description: T1021.002:SMB/Windows Admin Shares

Common Event: AIE:T1021.002:SMB/Windows Admin Shares

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Lateral Movement
Technique: SMB/Windows Admin Shares
Rule Created: 2/15/2019
Rule Updated: 1/5/2021

AIE Rule

T1082:System Information Discovery

AIE Rule ID: 1463

MITRE Tactic: Discovery

Rule Description: T1082:System Information Discovery

Common Event: AIE:T1082:System Information Discovery

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Discovery
Technique: System Information Discovery
Rule Created: 2/25/2019
Rule Updated: 1/5/2021

AIE Rule

T1059.001:PowerShell

AIE Rule ID: 1464

MITRE Tactic: Execution

Rule Description: T1059.001:PowerShell

Common Event: AIE:T1059.001:PowerShell

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic(s): Execution
Technique: PowerShell
Rule Created: 2/25/2019
Rule Updated: 2/4/2022

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1059/001/

AIE Rule

T1189:Drive-By Compromise

AIE Rule ID: 1466

MITRE Tactic: Initial Access

Rule Description: T1189:Drive-By Compromise

Common Event: AIE:T1189:Drive-By Compromise

Classification: Security/Activity

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Initial Access
Technique: Drive-by Compromise
Rule Created: 2/14/2019
Rule Updated: 1/5/2021

AIE Rule

T1057:Process Discovery

AIE Rule ID: 1467

MITRE Tactic: Discovery

Rule Description: T1057:Process Discovery

Common Event: AIE:T1057:Process Discovery

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Discovery
Technique: Process Discovery
Rule Created: 3/4/2019
Rule Updated: 1/5/2021

AIE Rule

T1047:Windows Management Instrumentation

AIE Rule ID: 1468

MITRE Tactic: Execution

Rule Description: T1047:Windows Management Instrumentation

Common Event: AIE:T1047:Windows Management Instrumentation

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Execution
Technique: Windows Management Instrumentation
Rule Created: 3/6/2019
Rule Updated: 1/5/2021

AIE Rule

T1070.006:Timestomp

AIE Rule ID: 1469

MITRE Tactic: Defense Evasion

Rule Description: T1070.006:Timestomp

Common Event: AIE:T1070.006:Timestomp

Classification: Security/Activity

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Defense Evasion
Technique: Timestomp
Rule Created: 3/8/2019
Rule Updated: 1/5/2021

AIE Rule

T1069:Permission Groups Discovery

AIE Rule ID: 1477

MITRE Tactic: Discovery

Rule Description: T1069:Permission Groups Discovery

Common Event: AIE:T1069:Permission Groups Discovery

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Discovery
Technique: Permission Groups Discovery
Rule Created: 4/8/2019
Rule Updated: 1/5/2021

AIE Rule

T1087:Account Discovery

AIE Rule ID: 1478

MITRE Tactic: Discovery

Rule Description: T1087:Account Discovery

Common Event: AIE:T1087:Account Discovery

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Discovery
Technique: Account Discovery
Rule Created: 4/12/2019
Rule Updated: 1/5/2021

AIE Rule

T1083:File and Directory Discovery

AIE Rule ID: 1479

MITRE Tactic: Discovery

Rule Description: T1083:File and Directory Discovery

Common Event: AIE:T1083:File and Directory Discovery

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactic(s): Discovery

Technique: File and Directory Discovery

Rule Created: 4/9/2019

Rule Updated: 12/7/2021

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:

https://attack.mitre.org/techniques/T1083/

Notes:

Log Source Types:

MS Windows Event Logging - PowerShell
MS Windows Event Logging XML - PowerShell
MS Windows Event Logging XML - Security (v1 & v2)
MS Windows Event Logging XML - Sysmon (v1 & v2)
MS Windows Event Logging XML - Sysmon 8/9/10

Configuration:

PowerShell Module logging must be enabled
Windows process and common-line auditing must be enabled
Microsoft Sysmon's configuration for Event ID 1: Process creation  must include (or not exclude) cmd.exe and tree.com

Please refer to Logging and Monitoring Configuration section of the MITRE ATT&CK Module Deployment Guide for more information: https://docs.logrhythm.com/docs/kb/threat-detection/mitre-att-ck-module/mitre-att-ck-module-deployment-guide/mitre-att-ck-deployment-guide-import-and-synchronize-the-module#MITREATT&CK%C2%AEDeploymentGuide%E2%80%93ImportandSynchronizetheModule-LoggingandMonitoringConfiguration

Tuning:
Exclude accounts from trusted backup/scanning utilities such as vulnerability scanners or backup software that frequently perform file and directory scanning.

AIE Rule

T1218.011:Rundll32

AIE Rule ID: 1480

MITRE Tactic: Defense Evasion

Rule Description: T1218.011:Rundll32

Common Event: AIE:T1218.011:Rundll32

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Defense Evasion
Technique: Rundll32
Rule Created: 4/15/2019
Rule Updated: 1/5/2021

AIE Rule

T1569.002:Service Execution

AIE Rule ID: 1481

MITRE Tactic: Execution

Rule Description: T1569.002:Service Execution

Common Event: AIE:T1569.002:Service Execution

Classification: Security/Activity

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Execution
Technique: Service Execution
Rule Created: 12/10/2018
Rule Updated: 1/5/2021

AIE Rule

T1090.001:Proxy

AIE Rule ID: 1482

MITRE Tactic: C2

Rule Description: T1090.001:Proxy

Common Event: AIE:T1090.001:Proxy

Classification: Security/Activity

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactics: Command and Control
Technique: Internal Proxy
Rule Created: 4/22/2019
Rule Updated:1/5/2021

AIE Rule

T1105:Ingress Tool Transfer

AIE Rule ID: 1483

MITRE Tactic: Multiple

Rule Description: T1105:Ingress Tool Transfer

Common Event: AIE:T1105:Ingress Tool Transfer

Classification: Security/Activity

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactics: Command and Control
Technique: Ingress Tool Transfer
Rule Created: 4/9/2019
Rule Updated: 1/5/2021

AIE Rule

T1218.010:Regsvr32

AIE Rule ID: 1484

MITRE Tactic: Multiple

Rule Description: T1218.010:Regsvr32

Common Event: AIE:T1218.010:Regsvr32

Classification: Security/Activity

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Defense Evasion
Technique: Regsvr32
Rule Created: 4/18/2019
Rule Updated: 1/5/2021

AIE Rule

T1036.003:Rename System Utilities

AIE Rule ID: 1492

MITRE Tactic: Defense Evasion

Rule Description: T1036.003:Rename System Utilities

Common Event: AIE:T1036.003:Rename System Utilities

Classification: Security/Suspicious

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 2

AIE Rule Additional Details

Tactic: Defense Evasion
Technique: Rename System Utilities
Rule Created: 11/4/2019
Rule Updated: 1/5/2021

AIE Rule

T1566.001:Spearphishing Attachment

AIE Rule ID: 1493

MITRE Tactic: Initial Access

Rule Description: T1566.001:Spearphishing Attachment

Common Event: AIE:T1566.001:Spearphishing Attachment

Classification: Security/Suspicious

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic: Initial Access
Technique: Spearphishing Attachment
Rule Created: 11/19/2019
Rule Updated: 1/5/2021

AIE Rule

T1550.002:Pass the Hash

AIE Rule ID: 1494

MITRE Tactic: Lateral Movement

Rule Description: T1550.002:Pass the Hash

Common Event: AIE:T1550.002:Pass the Hash

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

AIE Rule Additional Details

Tactic: Lateral Movement
Technique: Pass the Hash
Rule Created: 12/24/2019
Rule Updated: 1/5/2021

AIE Rule

T1550.003:Pass the Ticket

AIE Rule ID: 1495

MITRE Tactic: Lateral Movement

Rule Description: T1550.003:Pass the Ticket

Common Event: AIE:T1550.003:Pass the Ticket

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 3

AIE Rule Additional Details

Tactics: Defense Evasion, Lateral Movement
Technique: Pass the Ticket
Rule Created: 1/10/2020
Rule Updated: 1/5/2021

AIE Rule

T1053:Scheduled Task/Job

AIE Rule ID: 1497

MITRE Tactic: Execution, Persistence, Privilege Escalation

Rule Description: T1053:Scheduled Task/Job

Common Event: AIE:T1053:Scheduled Task/Job

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactics: Execution, Persistence, Privilege Escalation
Technique: Scheduled Task/Job
Rule Created: 1/30/2020
Rule Update: 1/5/2021

AIE Rule

T1136.003:Cloud Account

AIE Rule ID: 1499

MITRE Tactic: Persistence

Rule Description: T1136.003:Cloud Account

Common Event: AIE:T1136.003:Cloud Account

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactic: Persistence
Technique: Cloud Account
Rule Created: 4/20/2020
Rule Updated: 1/5/2021

AIE Rule

T1098:Account Manipulation

AIE Rule ID: 1500

MITRE Tactic: Credential Access, Persistence

Rule Description: T1098:Account Manipulation

Common Event: AIE:T1098:Account Manipulation

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactic: Persistence
Technique: Account Manipulation
Rule Created: 4/20/2020
Rule Updated: 1/5/2021

AIE Rule

T1566.002:Spearphishing Link

AIE Rule ID: 1501

MITRE Tactic: Initial Access

Rule Description: T1566.002:Spearphishing Link

Common Event: AIE:T1566.002:Spearphishing Link

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactic: Initial Access
Technique: Phishing: Spearphishing Link
Rule Created: 4/15/2020
Rule Updated: 1/5/2021

AIE Rule

T1534:Internal Spearphishing

AIE Rule ID: 1502

MITRE Tactic: Lateral Movement

Rule Description: T1534:Internal Spearphishing

Common Event: AIE:T1534:Internal Spearphishing

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 1

AIE Rule Additional Details

Tactic: Lateral Movement
Technique: Internal Spearphishing
Rule Created: 4/27/2020
Rule Updated: 3/25/2021

AIE Rule

T1114.003:Email Forwarding Rule

AIE Rule ID: 1503

MITRE Tactic: Collection

Rule Description: T1114.003:Email Forwarding Rule

Common Event: AIE:T1114.003:Email Forwarding Rule

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactic: Collection
Technique: Email Forwarding Rule
Rule Created:4/19/2020
Rule Updated: 8/24/2021

Notes:
The API - Office 365 Management Activity log that triggers this rule can be generated by several different user actions. Search the API - Office 365 Management Activity log for command = set-mailbox, new-inboxrule, updateinboxrule, or set-inboxrule to find the offending rule name and information.

Log Source Types:
API - Office 365 Management Activity

Configuration:
In the Microsoft 365 compliance center, the default policy "Creation of forwarding/redirect rule" must be enabled. For more information, see Managing Alerts in the Alert Policies in Microsoft 365 topic for more information.

AIE Rule

T1566.002:Spearphishing Link:O365

AIE Rule ID: 1504

MITRE Tactic: Initial Access

Rule Description: T1566.002:Spearphishing Link:O365

Common Event: AIE:T1566.002:Spearphishing Link:O365

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 1

AIE Rule Additional Details

Tactic: Initial Access
Technique: Phishing: Spearphishing Link
Rule Created: 4/15/2020
Rule Updated: 1/5/2021

AIE Rule

T1190:Exploit Public-Facing Application:SQL Injection

AIE Rule ID: 1505

MITRE Tactic: Initial Access

Rule Description: T1190:Exploit Public-Facing Application:SQL Injection

Common Event: AIE:T1190:Exploit Public-Facing Application:SQL Injection

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactic(s):  Initial Access
Technique: Exploit Public-Facing Application
Rule Created: 3/31/2021
Rule Updated: N/A

For further guidance on this Tactic:Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1190/

Notes:

Log Source Types:
API - Cisco IDS/IPS
API - Sourcefire eStreamer
Flat File - McAfee Foundstone
Flat File - Snort Fast Alert File
OPSEC LEA - Checkpoint Firewall
OPSEC LEA - Checkpoint Log Server
Syslog - Apcon Network Monitor
Syslog - Cisco FirePOWER
Syslog - Cisco FireSIGHT
Syslog - Citrix Netscaler
Syslog - Dell SecureWorks iSensor IPS
Syslog - Enterasys Dragon IDS
Syslog - F5 BIG-IP ASM v12
Syslog - F5 Big-IP LTM
Syslog - Fortinet FortiAnalyzer
Syslog - Fortinet FortiGate v4.0
Syslog - IBM WebSphere DataPower Integration
Syslog - Imperva Incapsula CEF
Syslog - Imperva SecureSphere
Syslog - Juniper Firewall
Syslog - Juniper IDP
Syslog - Juniper NSM
Syslog - NetScreen Firewall
Syslog - OSSEC Alerts
Syslog - Sguil
Syslog - Snort IDS
Syslog - Sourcefire IDS 3D
Syslog - Symantec Endpoint Server
Syslog - Tipping Point IPS
Syslog - Trend Micro Deep Security CEF
Syslog - Trustwave Web Application Firewall
UDLA - ISS Proventia SiteProtector - IPS

Configuration:
This rule must be tuned before enabling. Configure rule with expected log source types by adding to the Log Source Criteria tab in the rule block. This rule should only evaluate logs associated with web applications, and that are public facing. Log source types that would be applicable to this rule include, and are not limited to those listed above in "Log Source Types".

Tuning:
This rule is specifically looking for logs that would be applicable to the detection of "SQL Injection". If false positives occur, consider tuning the log source logic.

AIE Rule

T1199:Trusted Relationship

AIE Rule ID: 1513

MITRE Tactic: Initial Access

Rule Description: T1199:Trusted Relationship

Common Event: AIE:T1199:Trusted Relationship

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactic(s): Initial Access
Technique: Trusted Relationship
Rule Created: 6/15/2021
Rule Updated: N/A

For further guidance on this Tactic:Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1199/

Notes:

Log Source Types:
LogRhythm AI Engine

Configuration:
This rule must be tuned before enabling. Populate the “MA: Third Party Accounts” list with a list of user or service accounts used by 3rd parties to access your company’s network, applications, services, etc.

Tuning:
This rule is specifically looking for matches between AI Engine (AIE) Events and users or service accounts in the “MA: Third Party Accounts” list. This rule is considered a “Feedback” rule, meaning that another AIE rule evented containing the user listed in “MA: Third Party Accounts” list. The AIE rule that evented causing this feedback rule to event should be the focus area for tuning.

You may also tune this rule by creating an exception. If a number of exceptions are needed involving the same 3rd party company, you may create two additional lists for user, and Host, then adding to the exceptions tab a rule to exclude the user list and the host list you created.

You may also leverage the “CCF: Third Party Accounts” list by adding the list to the include filter.

AIE Rule

T1078.001:Default Accounts

AIE Rule ID: 1522

MITRE Tactic: Defense Evasion, Persistence, Privilege Escalation, Initial Access

Rule Description: T1078.001:Default Accounts

Common Event: AIE:T1078.001:Default Accounts

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 0

AIE Rule Additional Details

Tactic(s): Defense Evasion, Persistence, Privilege Escalation, Initial Access
Technique: Default Accounts
Rule Created: 7/19/2021
Rule Updated: N/A

For further guidance on this Tactic: Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1078/001/

Notes:

Log Source Types:
LogRhythm AI Engine

Configuration:
This rule must be tuned before enabling. Populate the “MA: Default Accounts” list with a list of default accounts applicable to your company’s network, applications, services, etc.

Tuning:
This rule specifically looks for matches between AI Engine (AIE) Events and users or service accounts in the “MA: Default Accounts” list. This rule is considered a “Feedback” rule, meaning that another AIE rule evented containing the user listed in “MA: Default Accounts” list. The AIE rule that evented causing this feedback rule to event should be the focus area for tuning.

You may also tune this rule by creating an exception. If a number of exceptions are needed involving the same account, you may create two additional lists for user and host, then adding to the exceptions tab a rule to exclude the user list and the host list you created.

You may also leverage other similar lists already in your LogRhythm deployment. First, identify if the existing list is a good fit, and if so, add the list to the "MA: Default Accounts" list as a nested list.

AIE Rule

T1078.002:Domain Accounts

AIE Rule ID: 1523

MITRE Tactic: Defense Evasion, Persistence, Privilege Escalation, Initial Access

Rule Description: T1078.002:Domain Accounts

Common Event: AIE:T1078.002:Domain Accounts

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 0

AIE Rule Additional Details

Tactic(s): Defense Evasion, Persistence, Privilege Escalation, Initial Access
Technique: Local Accounts
Rule Created: 7/19/2021
Rule Updated: N/A

For further guidance on this Tactic: Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1078/002/

Notes:

Log Source Types:
LogRhythm AI Engine

Configuration:
This rule must be tuned before enabling. Populate the “MA: Domain Accounts” list with a list of domain accounts applicable to your company’s network, applications, services, etc.

Tuning:
This rule specifically looks for matches between AI Engine (AIE) Events and users or service accounts in the “MA: Domain Accounts” list. This rule is considered a “Feedback” rule, meaning that another AIE rule evented containing the user listed in “MA: Domain Accounts” list. The AIE rule that evented causing this feedback rule to event should be the focus area for tuning.

You may also tune this rule by creating an exception. If a number of exceptions are needed involving the same account, you may create two additional lists for user and host, then adding to the exceptions tab a rule to exclude the user list and the host list you created.

You may also leverage other similar lists already in your LogRhythm deployment. First, identify if the existing list is a good fit, and if so, add the list to the "MA: Domain Accounts" list as a nested list. For example, if you have already populated "CCF: Default Account List", then you may want to add this list as a nested list to the "MA: Default Accounts" by opening the "MA: Default Accounts", clicking on the "List Items" tab, then clicking on "Add List...", and selecting the "CCF: Default Account List".

AIE Rule

T1078.003:Local Accounts

AIE Rule ID: 1524

MITRE Tactic: Defense Evasion, Persistence, Privilege Escalation, Initial Access

Rule Description: T1078.003:Local Accounts

Common Event: AIE:T1078.003:Local Accounts

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 0

AIE Rule Additional Details

Tactic(s): Defense Evasion, Persistence, Privilege Escalation, Initial Access
Technique: Local Accounts
Rule Created: 7/19/2021
Rule Updated: N/A

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1078/003/

Notes:

Log Source Types:
LogRhythm AI Engine

Configuration:
This rule must be tuned before enabling. Populate the “MA: Local Accounts” list with a list of local accounts applicable to your company’s network, applications, services, etc.

Tuning:
This rule specifically looks for matches between AI Engine (AIE) Events and users or service accounts in the “MA: Local Accounts” list. This rule is considered a “Feedback” rule, meaning that another AIE rule evented containing the user listed in “MA: Local Accounts” list. The AIE rule that evented causing this feedback rule to event should be the focus area for tuning.

You may also tune this rule by creating an exception. If a number of exceptions are needed involving the same account, you may create two additional lists for user and host, then adding to the exceptions tab a rule to exclude the user list and the host list you created.

You may also leverage other similar lists already in your LogRhythm deployment. First, identify if the existing list is a good fit, and if so, add the list to the "MA: Local Accounts" list as a nested list. For example, if you have already populated "CCF: Default Account List", then you may want to add this list as a nested list to the "MA: Default Accounts" by opening the "MA: Default Accounts", clicking on the "List Items" tab, then clicking on "Add List...", and selecting the "CCF: Default Account List".

AIE Rule

T1078.004:Cloud Accounts

AIE Rule ID: 1525

MITRE Tactic: Defense Evasion, Persistence, Privilege Escalation, Initial Access

Rule Description: T1078.004:Cloud Accounts

Common Event: AIE:T1078.004:Cloud Accounts

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 0

AIE Rule Additional Details

Tactic(s): Defense Evasion, Persistence, Privilege Escalation, Initial Access
Technique: Cloud Accounts
Rule Created: 7/19/2021
Rule Updated: N/A

For further guidance on this Tactic: Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1078/004/

Notes:

Log Source Types:
LogRhythm AI Engine

Configuration:
This rule must be tuned before enabling. Populate the “MA: Cloud Accounts” list with a list of cloud accounts applicable to your company’s network, applications, services, etc.

Tuning:
This rule specifically looks for matches between AI Engine (AIE) Events and users or service accounts in the “MA: Cloud Accounts” list. This rule is considered a “Feedback” rule, meaning that another AIE rule evented containing the user listed in “MA: Cloud Accounts” list. The AIE rule that evented causing this feedback rule to event should be the focus area for tuning.

You may also tune this rule by creating an exception. If a number of exceptions are needed involving the same account, you may create two additional lists for user and host, then adding to the exceptions tab a rule to exclude the user list and the host list you created.

You may also leverage similar other lists already in your LogRhythm deployment. First, identify if the existing list is a good fit, and if so, add the list to the "MA: Cloud Accounts" list as a nested list. For example, if you have already populated "CCF: Default Account List", then you may want to add this list as a nested list to the "MA: Default Accounts" by opening the "MA: Default Accounts", clicking on the "List Items" tab, then clicking on "Add List...", and selecting the "CCF: Default Account List".

AIE Rule

T1606.002:SAML Tokens:O365 and ADFS

AIE Rule ID: 1526

MITRE Tactic: Credential Access

Rule Description: T1606.002:SAML Tokens:O365 and ADFS

Common Event: AIE:T1606.002:SAML Tokens:O365 and ADFS

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactic(s): Credential Access
Technique: SAML Tokens
Rule Created: 2/24/2021

Rule Updated: N/A

For further guidance on this Tactic: Technique, visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1606/002/

Notes:

Log Source Types:
API - Office 365 Management Activity or Syslog - Open Collector - Azure Event Hub
Microsoft Windows Event Logging XML - Security

Configuration:
LogRhythm TrueIdentity must be configured and the users monitored must have identities defined, including their User Principal Name (user@domain.com) and their AD logon (user).
For more information about LogRhythm TrueIdentity, see TrueIdentity.

ADFS auditing must be enabled: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging

AIE Rule

T1606.002:SAML Tokens:O365 and ADFS

AIE Rule ID: 1527

MITRE Tactic:  Defense Evasion, Privilege Escalation

Rule Description: T1484.002:Domain Trust Modification

Common Event: AIE:T1484.002:Domain Trust Modification

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 2

AIE Rule Additional Details

Tactic(s): Defense Evasion, Privilege Escalation
Technique: Domain Trust Modification
Rule Created: 3/11/2021

For further guidance on this Tactic: Technique, visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1484/002/

Notes:

Log Source Types:
API - Office 365 Management Activity
Syslog - Open Collector - Azure Event Hub
MS Windows Event Logging - PowerShell

Configuration:
PowerShell Module Logging must be enabled in order for the PowerShell criteria to be met: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_group_policy_settings
Collect Azure AD logs either through the API - Office 365 Management Activity log source type (https://docs.logrhythm.com/docs/devices/api-log-sources/api-office-365-management-activity-microsoft) or the Syslog - Open Collector - Azure Event Hub log source type (https://docs.logrhythm.com/docs/OCbeats/azure-event-hubs-beat-6-0-2).

AIE Rule

T1552.004:Private Keys

AIE Rule ID: 1540

MITRE Tactic:  Credential Access

Rule Description: T1552.004:Private Keys

Common Event: AIE:T1552.004:Private Keys

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 3

AIE Rule Additional Details

Tactic(s): Credential Access
Technique: Unsecured Credentials: Private Keys
Rule Created: 03/18/2021

Rule Updated: N/A

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1552/004/

Note: Additional exclusions may need to be made for processes that legitimately use the "\microsoft##wid\tsql\query" named pipe .

AIE Rule

T1489:Service Stop

AIE Rule ID: 1541

MITRE Tactic:  Impact

Rule Description: T1489:Service Stop

Common Event: AIE:T1489:Service Stop

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic(s): Impact
Technique: Service Stop
Rule Created: 09/13/2021

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1489/

AIE Rule

T1059.003:Windows Command Shell

AIE Rule ID: 1542

MITRE Tactic:  Execution

Rule Description: T1059.003:Windows Command Shell

Common Event: AIE:T1059.003:Windows Command Shell

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 7

AIE Rule Additional Details

Tactic(s): Execution
Technique: Windows Command Shell
Rule Created: 08/02/2021

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1059/003/

AIE Rule

T1490:Inhibit System Recovery

AIE Rule ID: 1544

MITRE Tactic:  Impact

Rule Description: T1490:Inhibit System Recovery

Common Event: AIE:T1490:Inhibit System Recovery

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 1

AIE Rule Additional Details

Tactic(s): Impact
Technique: Inhibit System Recovery
Rule Created: 2/4/2019

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1490/

AIE Rule

T1562.001:Disable or Modify Tools:Windows Defender

AIE Rule ID: 1545

MITRE Tactic:  Defense Evasion

Rule Description: T1562.001:Disable or Modify Tools:Windows Defender

Common Event: AIE:T1562.001:Disable or Modify Tools:Windows Defender

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactic(s): Defense Evasion
Technique:Disable or Modify Tools
Rule Created: 11/15/2021
Rule Updated: N/A

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1562/001

Notes: 

Log Source Types:
Microsoft Windows Event Logging XML - Security
Microsoft Windows Event Logging - PowerShell
Microsoft Windows Event Logging XML - Sysmon
Microsoft Windows Event Logging XML - Windows Defender

Configuration:
This rule detects attempts to stop, disable or reconfigure Windows Defender in order to evade detection. 

PowerShell module and script block logging must be enabled. Configuration steps can be found in the Logging and Monitoring Configuration section of the MITRE ATT&CK® Module Deployment Guide at https://docs.logrhythm.com/docs/kb/threat-detection/mitre-att-ck-module/mitre-att-ck-module-deployment-guide/mitre-att-ck-deployment-guide-import-and-synchronize-the-module

Process and command line monitoring logs can be gathered via the Microsoft Windows Event Logging XML - Security or Microsoft Windows Event Logging XML - Sysmon. Configuration steps can be found in the Logging and Monitoring Configuration section of the MITRE ATT&CK® Module Deployment Guide at https://docs.logrhythm.com/docs/kb/threat-detection/mitre-att-ck-module/mitre-att-ck-module-deployment-guide/mitre-att-ck-deployment-guide-import-and-synchronize-the-module

Tuning:
If alarming will be turned on for this rule it is recommended to enable the following AIE Summary Fields in the rule block so that more context is provided with the alarm:
Command
Common Event
Host(Impacted)
Host(Origin)
MPE Rule Name
Reason
Subject
Threat Name
User (Origin)

AIE Rule

T1106:Native API

AIE Rule ID: 1546

MITRE Tactic:  Execution

Rule Description: T1106:Native API

Common Event: AIE:T1106:Native API

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 6

AIE Rule Additional Details

Tactic(s): Execution
Technique: Native API
Rule Created: 12/07/2021
Rule Updated: N/A

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1106/

Notes: 
This rule contains two different observations. One is primarily looking for processes started (Common Event: Process/Service Started) with command line auditing enabled, and an indicator that the process was started by an API call by evidence of the Command field being populated with the process name without quotes, and without arguments. The other is primarily looking for files being accessed (Common Event: Object Accessed) when “Read data/traverse directory” file auditing is enabled and where Kernel32, Kernelbase, or NTDll are involved indicating that an API call was made to the file.

Log Source Types:
MS Windows Event Logging XML - Security
MS Windows Event Logging XML - Sysmon
MS Windows Event Logging XML - Sysmon 8/9/10

Configuration:
Please refer to the configuration guidance section in the “MITRE ATT&CK® Deployment Guide – Import and Synchronize the Module”.

Tuning:
To reduce the frequency of events of known Windows API calls that are part of normal operations, you may do one or more of the following:
•    Common Event: Process/Service Started: Determine if the process involved is “Known good” by verifying the hash against a popular known malware database. If known good, you may wish to exclude the following from the rule: User Origin, Process Name, and Host Impacted.
•    Common Event: Object Accessed: First, determine if the process involved is “Known good” by verifying the hash against a popular known malware database. Next, verify the User Origin involved is “System” (either “System” or computer name ending in “$”). If both are known good, you may wish to exclude the following from the rule: User Origin, Process Name, and Object Name.

AIE Rule

T1027:Obfuscated Files or Information

AIE Rule ID: 1547

MITRE Tactic:  Defense Evasion

Rule Description: T1027:Obfuscated Files or Information

Common Event: AIE:T1027:Obfuscated Files or Information

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactic(s): Defense Evasion
Technique: Obfuscated Files or Information
Rule Created: 1/21/2021
Rule Updated: N/A

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1027/

Notes: 
This rule is primarily evaluating the presence of base64 encoding.

Log Source Types:
MS Windows Event Logging - PowerShell
MS Windows Event Logging XML - Security
MS Windows Event Logging XML - Sysmon
MS Windows Event Logging XML - Sysmon 8/9/10
MS Windows Event Logging XML – System

Configuration:
Please refer to the configuration guidance section in the “MITRE ATT&CK® Deployment Guide – Import and Synchronize the Module”.

Tuning:
To reduce the frequency of events of known obfuscation (base64) that are part of normal operations, you may exclude based on:
•    Common Event: Process/Service Started: Determine if the process involved is “Known good” by verifying the hash against a popular known malware database. If known good, you may wish to exclude the following from the rule: User Origin, Process Name, Parent Process Name, and Host Impacted.

AIE Rule

T1059.001:PowerShell:ProviderLifeCycle

AIE Rule ID: 1548

MITRE Tactic:  Execution

Rule Description: T1059.001:PowerShell:ProviderLifeCycle

Common Event: AIE:T1059.001:PowerShell:ProviderLifeCycle

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details

Tactic(s): Execution
Technique: PowerShell
Rule Created: 1/26/2022

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1059/001/

Log Source Types:
MS Windows Event Logging - PowerShell

Configuration:
PowerShell Audit logging must be enabled and the Windows PowerShell channel in the Windows Event Log must be collected. Please see the section titled "Configure PowerShell Logging" in the MITRE ATT&CK Deployment Guide for more information: https://docs.logrhythm.com/docs/kb/threat-detection/mitre-att-ck-module/mitre-att-ck-module-deployment-guide/mitre-att-ck-deployment-guide-import-and-synchronize-the-module

Tuning:
It is not recommended to set this rule to alarm as it is triggered by the use of PowerShell on an endpoint. Potential tuning approaches include creating an include filter containing a list of endpoints that should rarely, if ever, run PowerShell.

AIE Rule

T1621:MFA Request Generation:Okta Push from Non-Whitelisted Location

AIE Rule ID: 1550

MITRE Tactic:  Credential Access

Rule Description: T1621:MFA Request Generation:Okta Push from Non-Whitelisted Location

Common Event: AIE:T1621:MFARequest:OktaPushBadLocation

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 2

AIE Rule Additional Details:

Tactic(s): Credential Access
Technique: Multi-Factor Authentication Request Generation:Okta Push from Non-Whitelisted Location
Rule Created: 8 Nov 2022

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1621/

Log Source Types:
API - Okta Event. Note that this rule is speciifc to logs from the Okta Classic Engine product. If your deployment includes other Okta MFA products such as Okta Indentity Engine you may need to adjust the criteria accordingly.

Configuration:
This rule depends on the CCF: Whitelisted Regions list included with the Consolidated Compliance Framework (CCF) Module (https://docs.logrhythm.com/docs/kb/compliance/consolidated-compliance-framework-ccf-module). If necessary, enable this module in your LogRhythm deployment and populate the list with approved regions. If it is not desired to use the CCF Module, clone the rule and create a custom list for approved regions.

Tuning:
No tuning required.

T1621:MFA Request Generation:Rapid Okta AD Authentication Success

AIE Rule ID: 1551

MITRE Tactic:  Credential Access

Rule Description: T1621:MFA Request Generation:Rapid Okta AD Authentication Success

Common Event: AIE:T1621:MFARequest:RapidOktaADAuthSuccess

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 2

AIE Rule Additional Details:

Tactic(s): Credential Access
Technique: Multi-Factor Authentication Request Generation:Rapid Okta AD Authentication Success
Rule Created: 8 Nov 2022

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1621/

Log Source Types:
API - Okta Event

Configuration:
Note that threshold adjustments may be overwritten depending on your KB advanced synchronization setting. This rule can be cloned to avoid having the threshold overwritten.

Tuning:
Investigate your environment to determine the normal authentication success rate per-user and adjust the threshold if it exceeds 5 per 10 minutes.

T1621:MFA Request Generation:Repeated OKTA Push Denies

AIE Rule ID: 1552

MITRE Tactic:  Credential Access

Rule Description: T1621:MFA Request Generation:Repeated OKTA Push Denies

Common Event: AIE:T1621:MFARequest:RepeatOKTAPushDeny

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 1

AIE Rule Additional Details:

Tactic(s): Credential Access
Technique: Multi-Factor Authentication Request Generation:Repeated OKTA Push Denies
Rule Created: 8 Nov 2022

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1621/

Log Source Types:
API - Okta Event

Configuration:
Note that threshold adjustments may be overwritten depending on your KB advanced synchronization setting. This rule can be cloned to avoid having the threshold overwritten.

Tuning:
Investigate your environment to determine the normal push deny rate per-user and adjust the threshold if it exceeds 5 per 10 minutes.

T1621:MFA Request Generation:Repeated OKTA Push Denies then Allow

AIE Rule ID: 1553

MITRE Tactic:  Credential Access

Rule Description: T1621:MFA Request Generation:Repeated OKTA Push Denies then Allow

Common Event: AIE:T1621:MFARequest:RepeatOKTAPushDenyAndAllow

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 2

AIE Rule Additional Details:

Tactic(s): Credential Access
Technique: Multi-Factor Authentication Request Generation:Repeated OKTA Push Denies
Rule Created: 8 Nov 2022

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1621/

Log Source Types:
API - Okta Event

Configuration:
Note that threshold adjustments may be overwritten depending on your KB advanced synchronization setting. This rule can be cloned to avoid having the threshold overwritten.

Tuning:
Investigate your environment to determine the normal push deny rate per-user and adjust the threshold if it exceeds 5 per 10 minutes.

T1558.003:Kerberoasting:Invoke-Kerberoast

AIE Rule ID: 1554

MITRE Tactic:  Credential Access

Rule Description: T1558.003:Kerberoasting:Invoke-Kerberoast

Common Event: AIE:T1558.003:Kerberoasting:Invoke-Kerberoast

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 3

AIE Rule Additional Details:

Tactic(s): Credential Access
Technique: Kerberoasting
Rule Created: 20 Nov 2020
Rule Updated: 18 Nov 2022

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1558/003/

Notes: 

Log Source Types:

Microsoft Windows Event Logging XML - Security
Microsoft Windows Event Logging - PowerShell
Microsoft Windows Event Logging XML - Sysmon

Configuration:
PowerShell Module Logging must be enabled in order for the PowerShell criteria to be met: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_group_policy_settings
Process Monitoring must be enabled for the process criteria with Microsoft Windows Event Logging XML - Security and Microsoft Windows Event Logging XML - Sysmon to be met: https://docs.logrhythm.com/docs/kb/threat-detection/mitre-att-ck-module/mitre-att-ck-module-deployment-guide/mitre-att-ck-deployment-guide-import-and-synchronize-the-module

Tuning:

T1558.003:Kerberoasting:TGS Requests for Multiple Services

AIE Rule ID: 1555

MITRE Tactic:  Credential Access

Rule Description: T1558.003:Kerberoasting:TGS Requests for Multiple Services

Common Event: AIE:T1558.003:Kerberoasting:TGSReqMultServices

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 3

AIE Rule Additional Details:

Tactic(s): Credential Access
Technique: Kerberoasting
Rule Created: 20 Nov 2022
Rule Updated: 18 Nov 2022

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1558/003/

Notes: 

Log Source Types:

Microsoft Windows Event Logging XML - Security
Microsoft Windows Event Logging - PowerShell
Microsoft Windows Event Logging XML - Sysmon

Configuration:

Kerberos Service Ticket Operations must be audited in order for Windows Security Logs with Event ID 4769 to be generated:  https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations

Tuning:

T1486: Data Encrypted for Impact: Feedback Source: File Read and Delete

AIE Rule ID: 1556

MITRE Tactic:  Impact

Rule Description: T1486: Data Encrypted for Impact: Feedback Source: File Read and Delete

Common Event: T1486: DataEncrypted:FeedbackSource

Suppression Multiple: 1

Alarm on Event Occurrence: No

Forward AIE Event to Platform Manager: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details:

Tactic(s): Impact
Rule Created:2023 Jan 31
Rule Updated: N/A

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1486

Notes: 

Log Source Types:
MS Windows Event Logging XML - Security

Configuration:

***Use on LogRhythm version 7.9.0 and later***

This rule provides observations for two AIE feeback rules: "T1486: Data Encrypted for Impact: Rate" (Rule ID 1557) and "T1486:Data Encrypted for Impact:Threshold" (Rule ID 1558). Please enable one or both of the feedback rules along with this rule. When this rule triggers it will not produce an event in the LogRhythm Events database and thus will not be searchable or viewable in the LogRhythm Web Console. It is simply used to feed observations into the feedback rules.

File monitoring, especially when file reads are audited, can be an extremely high-volume log source. Before configuring and enabling this rule, consider which directories on your file servers and workstations contain mission-critical data that should be monitored for encryption activity.

Once the in-scope directories have been identified:
1) Enable Windows Object Access auditing in Group Policy under Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access. Enable auditing of Success events for the Audit FileSytem subcategory.
2) Go to the Advanced Security Settings of the in-scope directories, choose the Auditing item and add an Auditing item (for Everyone) which includes the Read and Delete permissions.
3) Add the in-scope directory paths as an Include Filter to this rule. The Include Filter will be for the field Object Name and contain the path(s) you would like to monitor.

For more detailed instructions please search in LogRhythm Community (https://community.logrhythm.com) for the post titled "Configuration and Use of the T1486:Data Encrypted for Impact Rules"

T1486:Data Encrypted for Impact: Rate

AIE Rule ID: 1557

MITRE Tactic:  Impact

Rule Description: T1486:Data Encrypted for Impact: Rate

Common Event: T1486:Data Encrypted for Impact: Rate

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details:

Tactic(s): Impact
Rule Created:2023 Jan 31
Rule Updated: N/A

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1486

Notes: 

Use Case:
Ransomware is encrypting the user directories of a workstation or data-bearing directories on a file server.

Log Source Types:
LogRhythm AI Engine

Configuration:

***Use on LogRhythm version 7.9.0 and later***

The AIE Engine rule "T1486: Data Encrypted for Impact: Feedback Source: File Read and Delete" must be configured and enabled for this rule to function. This rule triggers based on the rate and volume of events generated per-host by the T1486: Data Encrypted for Impact: Feedback Source: File Read and Delete AIE rule.

For more detailed instructions please search in LogRhythm Community (https://community.logrhythm.com) for the post titled "Configuration and Use of the T1486:Data Encrypted for Impact Rules"

Tuning:
The volume and rate of events required to trigger this rule can be adjusted to reflect modern ransomware encryption speeds. It is recommended to test rate assumptions against ransomware simulators.

False Positive Considerations:
Other activities could produce a high volume of file reads and deletes, such as archive backups or a high volume of file moves. Consider tuning the feeder rule (T1486: Data Encrypted for Impact: Feedback Source: File Read and Delete) to exclude known processes that exhibit such behaviors.

T1486:Data Encrypted for Impact:Threshold

AIE Rule ID: 1558

MITRE Tactic:  Impact

Rule Description: T1486:Data Encrypted for Impact:Threshold

Common Event: T1486:Data Encrypted for Impact:Threshold

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details:

Tactic(s): Impact
Rule Created: 25 Jan 2023
Rule Updated: N/A

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1486

Notes: 

Use Case:
Ransomware is encrypting the user directories of a workstation or data-bearing directories on a file server.

Log Source Types:
LogRhythm AI Engine

Configuration:

***Use on LogRhythm version 7.9.0 and later***

The AIE Engine rule "T1486: Data Encrypted for Impact: feedback source:file read and delete" must be configured and enabled for this rule to function. This rule triggers based on the rate and volume of events generated per-host by the T1486: Data Encrypted for Impact: feedback source: file read and delete AIE rule.

For more detailed instructions please search in LogRhythm Community (https://community.logrhythm.com) for the post titled "Configuration and Use of the T1486:Data Encrypted for Impact Rules"

Tuning:
The volume and rate of events required to trigger this rule can be adjusted to reflect modern ransomware encryption speeds. It is recommended to test rate assumptions against ransomware simulators.

False Positive Considerations:
Other activities could produce a high volume of file reads and deletes, such as archive backups or a high volume of file moves. Consider tuning the feeder rule (T1486: Data Encrypted for Impact: file read and delete) to exclude known processes that exhibit such behaviors.

1562.002: Impair Defenses: Disable Windows Event Logging

AIE Rule ID: 1559

MITRE Tactic:  Defense Evasion

Rule Description: 1562.002: Impair Defenses: Disable Windows Event Logging

Common Event: AIE: 1562.002:ImpairDefenses:DisableWinEvtLog

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: None

False Positive Probability: 5

AIE Rule Additional Details:

Tactic(s):Defense Evasion
Technique:  Disable Windows Event Logging
Rule Created:10 Jan 2023
Rule Updated: N/A

For further guidance on this Tactic : Technique, please visit the MITRE ATT&CK website:
https://attack.mitre.org/techniques/T1562/002

Notes: 

Log Source Types:

Microsoft Windows Event Logging XML - Security
Microsoft Windows Event Logging - PowerShell
Microsoft Windows Event Logging XML - Sysmon

Configuration:

Command line logging and PowerShell logging must be enabled. Please see the sections titled "Configure Command Line Parameter Logging" and "Configure PowerShell Logging" in the MITRE ATT&CK Deployment Guide for more information: https://docs.logrhythm.com/docs/kb/threat-detection/mitre-att-ck-module/mitre-att-ck-module-deployment-guide/mitre-att-ck-deployment-guide-import-and-synchronize-the-module

The Microsoft Sysmon configuration for Event ID 13 should include HKLM\System\CurrentControlSet\Control. Please see https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon for more information.

It is recommeded to enable Alarming for this rule and to enable the following AIE Summary Fields in the rule block so that the AIE Event contains more contextual information:
Policy
Process
Command
Object Name
Subject

Tuning: