Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event
Technical Articles ID: KB82925
Last Modified: 2023-02-27 21:38:06 Etc/GMT
Environment
Solution 1:
Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
Threat Intelligence Exchange (TIE) Server 3.x, 2.x
Solution 2:
Threat Intelligence Exchange Module (TIEm) for VirusScan Enterprise (VSE)
TIE Server 3.x, 2.x
VSE 8.x
Summary
This article describes how to perform the following:
- Identify the Rule ID and name for a given ENS ATP event
- View the ATP events
- Change the rule state in ATP
- Change the security posture of a managed client
- Identify the Rule ID and name for a given TIEm for VSE event
- Update the TIE content on the TIEm for a VSE client from ePO
Recent updates to this article
| Date | Update |
| --- | --- |
| June 13, 2022 | Updated the rules for ENS ATP for JTI Rules version 1717. |
| February 17, 2022 | Updated the rules for ENS ATP for JTI Rules version 1672. |
Solution 1
Use this solution for ENS ATP.
How to identify which ATP rule triggers an event in ENS ATP
Workstation
If you have access only to the workstation where the event is generated, follow the steps below:
- Open the AdaptiveThreat_Protection_Debug.log file using Notepad.exe.
NOTE: You can find the log file in the following location: %deflogdir%\
- Find the relevant entry for the detection in the log file.
- Locate the RuleID value in the same record.
Example:
09/04/2018 02:16:35.222 AM mfeatp(4468.10224) Orchestrator.JTI.Debug: Process C:\WINDOWS\SYSTEM32\WSCRIPT.EXE JTI reputation 1 rule 300 threat name JTI/Suspect.327980!4b52c6c614bd , JCM reputation 1, IsFinal 0
09/04/2018 02:20:19.558 AM mfeatp(4468.10220) Orchestrator.JTI.Debug: Process C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE JTI reputation 1 rule 300 threat name JTI/Suspect.327980!ff59ef734601 , JCM reputation 1, IsFinal 0
Interpretation:
The RuleID that triggers the detection for WSCRIPT.EXE is RuleID=300 and the Rule identifier value is 327980. This value corresponds to a detection using DocumentProcessEnvelope_OfficeApps_defaultOn. This detection is described as “Attempts to prevent office applications from being abused to deliver malicious payloads.”
The RuleID that triggers the detection for POWERSHELL.EXE is RuleID=300. This value corresponds to a detection using DocumentProcessEnvelope_OfficeApps_defaultOn, which is described as “Attempts to prevent office applications from being abused to deliver malicious payloads.”
All Rule IDs and descriptions are provided in the table below.
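As an added example (not part of KB82925 or the product code), the following Python script automates the workstation procedure above for AdaptiveThreat_Protection_Debug.log: it parses Orchestrator.JTI.Debug records of the shape shown in the example, extracts the RuleID and the Rule Identifier embedded in the threat name (JTI/Suspect.<identifier>!<hash>), and resolves the RuleID against a small hand-typed subset of the rule table. The record regex, the RULE_NAMES subset and the field names are assumptions; the sample log is constructed from the page's two records plus two lines added here.

```python
"""Parse ENS ATP AdaptiveThreat_Protection_Debug.log JTI records and resolve the rule.

Added example, not vendor code. The record layout is inferred from the two sample
records in KB82925; RULE_NAMES is a hand-typed subset of the rule table on the page
plus rule 300 from the worked interpretation, so unknown IDs must be looked up in ePO.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed record shape (from the page's examples):
# <mm/dd/yyyy hh:mm:ss.mmm AM|PM> mfeatp(<pid>.<tid>) Orchestrator.JTI.Debug: Process <path>
#   JTI reputation <n> rule <id> threat name JTI/Suspect.<identifier>!<hash> , JCM reputation <n>, IsFinal <0|1>
JTI_RECORD = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [AP]M) "
    r"mfeatp\((?P<pid>\d+)\.(?P<tid>\d+)\) Orchestrator\.JTI\.Debug: "
    r"Process (?P<process>.+?) JTI reputation (?P<jti_rep>-?\d+) rule (?P<rule_id>\d+) "
    r"threat name (?P<threat>\S+) , JCM reputation (?P<jcm_rep>-?\d+), IsFinal (?P<is_final>[01])\s*$"
)
# The Rule Identifier (second column of the rule table) rides inside the threat name.
THREAT_NAME = re.compile(r"^JTI/Suspect\.(?P<rule_identifier>\d+)!(?P<sample_hash>[0-9a-fA-F]+)$")

# Subset of Rule ID -> Name, copied from the page's table (300 is from the interpretation text).
RULE_NAMES = {
    239: "Identify suspicious command parameter execution",
    256: "Detect use of long -encodedcommand PowerShell",
    259: "Detect masqueraded files or process launches",
    300: "DocumentProcessEnvelope_OfficeApps_defaultOn",
}


@dataclass
class JtiEvent:
    timestamp: str
    process: str
    jti_reputation: int
    rule_id: int
    rule_identifier: Optional[int]
    sample_hash: Optional[str]
    jcm_reputation: int
    is_final: bool


def parse_jti_record(line: str) -> Optional[JtiEvent]:
    """Return a JtiEvent for a JTI.Debug record, or None for any other log line."""
    m = JTI_RECORD.match(line.strip())
    if not m:
        return None
    t = THREAT_NAME.match(m.group("threat"))
    return JtiEvent(
        timestamp=m.group("timestamp"),
        process=m.group("process"),
        jti_reputation=int(m.group("jti_rep")),
        rule_id=int(m.group("rule_id")),
        rule_identifier=int(t.group("rule_identifier")) if t else None,
        sample_hash=t.group("sample_hash") if t else None,
        jcm_reputation=int(m.group("jcm_rep")),
        is_final=m.group("is_final") == "1",
    )


def parse_log(text: str) -> List[JtiEvent]:
    """Collect every JTI detection record from the log text, skipping unrelated lines."""
    return [ev for ev in (parse_jti_record(ln) for ln in text.splitlines()) if ev is not None]


def rule_name(rule_id: int) -> Optional[str]:
    """Resolve a RuleID against the local subset; None means 'check ePO Server Settings'."""
    return RULE_NAMES.get(rule_id)


def describe(ev: JtiEvent) -> str:
    """One-line summary in the form the Interpretation section of the article uses."""
    name = rule_name(ev.rule_id) or "not in local table; see Server Settings > Adaptive Threat Protection"
    ident = str(ev.rule_identifier) if ev.rule_identifier is not None else "n/a"
    return (f"{ev.timestamp} {ev.process}: RuleID={ev.rule_id} ({name}), "
            f"Rule Identifier={ident}, JTI reputation={ev.jti_reputation}, IsFinal={ev.is_final}")


# Constructed sample: the page's two records, one unrelated line, one constructed rule-256 record.
SAMPLE_LOG = r"""
09/04/2018 02:16:35.222 AM mfeatp(4468.10224) Orchestrator.JTI.Debug: Process C:\WINDOWS\SYSTEM32\WSCRIPT.EXE JTI reputation 1 rule 300 threat name JTI/Suspect.327980!4b52c6c614bd , JCM reputation 1, IsFinal 0
09/04/2018 02:16:35.230 AM mfeatp(4468.10224) Orchestrator.Debug: unrelated record that the parser must skip
09/04/2018 02:20:19.558 AM mfeatp(4468.10220) Orchestrator.JTI.Debug: Process C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE JTI reputation 1 rule 300 threat name JTI/Suspect.327980!ff59ef734601 , JCM reputation 1, IsFinal 0
09/04/2018 02:21:03.101 AM mfeatp(4468.10220) Orchestrator.JTI.Debug: Process C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE JTI reputation 15 rule 256 threat name JTI/Suspect.393472!0123456789ab , JCM reputation 15, IsFinal 1
"""

if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        print(describe(event))
```

Run it against a real %deflogdir%\AdaptiveThreat_Protection_Debug.log by reading the file into parse_log; the regex is the first thing to adjust if your product version writes a different record layout.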
ePolicy Orchestrator (ePO)
If you have access only to the ePO console, follow the steps below:
- Log on to the ePO console.
- Select either the report under Dashboards or click Menu, Reporting.
- Under Reporting, select Adaptive Threat Protection Events.
NOTE: If the RuleID isn’t displayed on the report, perform the following steps:
- In the Select Pivot Point drop-down list, select Pivot by Rule.
- Click the rule name. The Rule ID and other details display.
How to set an ATP rule to Enabled, Disabled, or Observe
- Log on to the ePO console.
- Go to Menu, Configuration, Server Settings.
- Select Adaptive Threat Protection, and select the desired Security Posture (Productivity, Balanced, or Security).
- Click Edit.
- Select the Rule ID option.
- From the Actions drop-down list, select the desired option (Enabled, Disabled, or Observe).
- Click Save.
How to change the security posture of a managed client
- Log on to the ePO console.
- Go to Menu, Systems, System Tree.
- Select a managed client.
- Select the Assigned Policies tab.
- From the Product drop-down list, select Endpoint Security Adaptive Threat Protection.
- Select Options under the Category Column and click My Default.
- From the Rule Assignment drop-down list, select the desired Security Posture (Productivity, Balanced, or Security).
- Click Save.
Rule IDs and corresponding rule names and descriptions
The following table is provided for reference only. The details in the table might become out of date as we release rule updates. To view the latest details, access the ePO console as follows:
- Log on to the ePO console.
- Click Menu, Configuration, Server Settings.
- Select Adaptive Threat Protection.
NOTE: Rule Reputation –1 means that the score value is dynamic.
Rule
ID
Rule Identifier
Rule Version
Repu- tation
Name
Description
Long Description
0
0
0
-1
Not Applicable
No rule affects this reputation.
No rule affects this reputation.
1
589825
9
-1
Use certificate reputation to identify trusted or malicious files
Determines if a file is trusted or malicious based on the GTI or Enterprise reputation of the signing certificate.
This rule determines if a file is trusted or malicious based on the GTI or Enterprise reputation of the signing certificate. The certificate reputation must be Known Malicious, Known Trusted, Most Likely Malicious, or Most Likely Trusted.
2
196610
3
-1
Use Enterprise file reputation to identify trusted or malicious files
Determines if a file is trusted or malicious based on the file’s Enterprise reputation.
This rule determines if a file is trusted or malicious based on the file’s Enterprise reputation. The reputation must be at least Known Malicious, Known Trusted, Most Likely Malicious, or Most Likely Trusted.
3
65539
1
0
Bypass Lookup for files based on selection criteria
Bypass GTI lookup for files based on selection criteria that are likely to be clean or unknown to GTI.
Bypass GTI lookup for files based on selection criteria that are likely to be clean or unknown to GTI.
4
196612
3
-1
Use GTI file reputation to identify trusted or malicious files
Determines if a file is trusted or malicious based on the file’s GTI reputation.
This rule determines if a file is trusted or malicious based on the file’s GTI reputation. The reputation must be at least Known Malicious, Known Trusted, Most Likely Malicious, or Most Likely Trusted.
5
327685
5
-1
Use GTI URL reputation to identify trusted or malicious processes
Mitre-T1204. Determines if a process is trusted or malicious based on the GTI URL reputation.
Tactic: Execution – Technique: T1204. This rule determines if a process is trusted or malicious based on the GTI URL reputation.
10
262154
4
100
Identify that a file is the main component of a trusted installer using the file’s attributes, certificate reputation, and file reputation.
Determines whether a file is a trusted installer based on the file’s attributes, file name, and the GTI or Enterprise certificate and file reputation.
This rule determines if file is a trusted installer based on the file’s GTI or Enterprise reputation. It also looks at the file name, company name, and other similar attributes to determine if it’s an updater or installer component that can be trusted.
12
131084
2
100
Identify that a file is the main component of a trusted installer based on a specific file identified by hash
Determines whether a file is a trusted installer based on the file hash and the GTI or Enterprise reputation.
This rule determines if the file is a trusted installer based on the file’s hash and GTI or Enterprise file reputation to determine if it’s an updater or installer component that can be trusted.
20
131092
2
-1
Identify trusted files with McAfee Privileges
Identifies trusted files using certificates or hashes that are distributed in the AV DAT files.
This rule identifies trusted files using certificates or hashes that are distributed in the AV DAT files and can also have elevated privileges with McAfee processes and drivers.
34
131106
2
1
SFv3 Verification
Identifies a test sample that can be used for SFv3 validation
This rule identifies a test sample by hash that can be used for verification of the SFv3 framework.
35
196643
3
1
Installation Verification
Identifies a test sample that can be used for installation verification.
This rule identifies a test sample that can be used for installation verification.
36
65572
1
1
Installation Verification with no TIE Server
Identifies a test sample that can be used for installation verification in a configuration with no TIE Server.
This rule identifies a test sample that can be used for installation verification in a configuration with no TIE Server.
38
131110
2
1
SFv3 Verification Rule disabled in cloud
A test rule that is disabled in cloud for SFv3 validation
This rule identifies a test sample by hash and is disabled in cloud for verification of the SFv3 framework.
50
65586
1
85
Identify trusted files from a trusted creator
Identifies trusted files that were created by a fully trusted updater.
This rule identifies trusted files that were created by a fully trusted updater and haven’t been modified.
51
131123
2
-1
Identify files marked as trusted installers by the Trust Scanner
Identifies files that are marked as trusted by the Trust scanner which is based off the dat file.
This rule identifies files that are marked as trusted installer files by Trust scanner based on the information available in the dat file and isn’t cloud dependent.
55
131127
2
99
Identify certificates needing reputation correction
Identifies certificates from Tier1 vendors that need a correction to their reputation level.
This rule identifies certificates from Tier1 vendors that need a correction to their reputation level.
57
262201
4
-1
Use GTI file reputation to identify files that Might be Trusted or Might be Malicious
Determines files which Might be Trusted or Might be Malicious based on GTI file reputation.
This rule identifies files which are less conclusive in their GTI reputation such as Might be Trusted and Might be Malicious.
58
196878
3
70
Identify trust for files executed on network shares
This rule identifies trust for files executed on network shares using file attributes and other related information like prevalence.
This rule identifies trust for files executed on network shares using scanner results and file attributes to indicate trust.
60
131132
2
0
Attribute setting rule to aid in identifying interesting files
Identifies items launched by an interesting actor or is an internet facing item.
Identifies files that are launched by an interesting actor or has special characteristics such as self-signed cert.
61
262205
4
0
Identify internet facing applications
Identify popular internet facing applications such as a web browser or email client.
This rule identifies internet facing applications such as a web browser or email client by using identifiable attributes such as file name and certificate.
62
196670
3
0
Identify an application which reads content files
Identifies an application that reads content files such as PDF documents, Microsoft Office documents, and videos.
This rule identifies the main executable file of popular applications which read content such as PDF documents, Microsoft Office documents, and videos.
95
131167
2
85
Identify files that are signed by certificate of known clean reputation and mark them Most Likely Trusted when offline
Identifies files that are signed by certificate of known clean reputation and mark them Most Likely Trusted when offline.
Identifies files that are signed by certificate of known clean reputation and mark them Most Likely Trusted when in No connectivity mode.
96
65632
1
0
Intelligent Prompt
Suppress prompting for library loads for trusted applications other than Internet browsers.
This rule suppresses prompting for library loads for trusted applications other than Internet browsers.
97
262241
4
70
Trust files while offline unless highly suspicious for JTI Scanner versions released after June 2018
Determines that files with no suspicious characteristics are trusted when the system is offline (disconnected from TIE and GTI).
This rule treats files that have no suspicious characteristics as trusted when the system is disconnected from the TIE server and from GTI. This rule uses less rigorous criteria for determining trust to help mitigate issues with large numbers of Unknown files while disconnected from the TIE Server or GTI. This Rule applies to JTI Scanner version 2.1.4.1590 and above, released June 2018.
98
262242
4
70
Trust files while offline unless highly suspicious for JTI Scanner versions released prior to June 2018.
Determines that files with no suspicious characteristics are trusted when the system is offline (disconnected from TIE and GTI).
This rule treats files that have no suspicious characteristics as trusted when the system is disconnected from the TIE server and from GTI. This rule uses less rigorous criteria for determining trust to help mitigate issues with large numbers of Unknown files while disconnected from the TIE Server or GTI. This Rule applies to JTI Scanner versions below 2.1.4.1590, released June 2018.
99
196707
3
50
Trust files based on Low Change Systems security level when offline
Determines that files with no suspicious characteristics are unknown when the system is offline (disconnected from the TIE server and from GTI).
Treats files with no suspicious characteristics as unknown when the system is disconnected from the TIE server and from GTI. This is the last rule to execute.
125
262269
4
85
Identify files marked as Trusted Windows AppStore Applications
Identifies files that are marked as trusted Windows AppStore Applications, which are based off the file and process attributes.
This rule identifies files that are marked as trusted Windows AppStore Applications based on the file attributes, file location, and process attributes.
126
393342
6
85
Identify trusted signed applications
Identifies files that are signed and located in paths commonly used for installing programs. They also can have a Start menu entry.
This rule identifies files that are signed and have a valid non self-signed certificate. File location is considered along with environmental attributes such as Start menu entry.
127
196735
3
85
Identify trusted Help resource libraries
Identifies signed resource libraries that are used by trusted software.
This rule identifies resource libraries that are used by trusted software. The files are signed and don’t have a malicious certificate reputation. They have characteristics indicating it’s a resource library, such as no imports or exports and a few Portable Executable (PE) Sections.
128
196736
3
85
Identify trusted help resource libraries
Identifies signed resource libraries that are used by trusted software. These libraries are generally used as part of Help documentation.
This rule identifies signed resource libraries that are used by trusted software. The libraries are generally used as part of the application Help documentation. They’re signed and don’t have a malicious certificate reputation. They have characteristics indicating it’s a resource library such as no imports or exports and a few Portable Executable (PE) Sections. They’re also located in application installation folders.
129
262273
4
85
Identify trusted signed utility applications
Identifies utility applications that are signed and the certificate isn’t distrusted. These files don’t launch on startup and have characteristics that suggest they’re utility programs.
This rule identifies utility applications that are signed and the certificate isn’t distrusted. These files don’t launch on startup. They’re located in a folder which is indicative of a tool or installed program (example: %programfiles%\subfolder) and import APIs and have other characteristics that are consistent with trusted utility applications.
130
327810
5
85
Identify trusted signed drivers
Identifies device drivers that are signed and installed on the local system.
This rule identifies device drivers that are signed and installed on the local system. They use the native subsystem and are located in the %windir%\system32\drivers or driverstore folders.
131
327811
5
85
Identify trusted signed Digital Rights Management (DRM) libraries
Identifies signed trusted Digital Rights Management libraries used by Windows.
This rule identifies trusted Digital Rights Management libraries that are signed and whose certificate is trusted. These files are in the Windows DRM and DRM cache folders.
132
262276
4
85
Identify trusted signed files
Identifies files that are signed and trusted, and whose certificate reputation is trusted.
This rule identifies files that are signed and trusted, and whose certificate is also trusted.
133
262277
4
70
Identify trusted files on the disk
Identifies files that are present on the disk and aren’t suspicious before installing the TIE module.
This rule identifies files that are on the disk and aren’t suspicious before installing the TIE module. They haven’t been tampered with as identified by the NTFS file journaling.
134
327814
5
85
Identify trusted files on the disk that were prevalent in the enterprise prior to installing the TIE module.
Identifies files that are present on the disk and aren’t suspicious before installing the TIE module and have been seen in the enterprise.
This rule identifies files that are on the disk and aren’t suspicious before installing the TIE module. They haven’t been tampered with as identified by the NTFS file journaling. The files must also have been seen in the enterprise.
136
327816
5
85
Identify unsigned NativeImage Files that Might Be Trusted
Detects NativeImage Files that aren’t signed with a known trusted certificate. These files are often low prevalence and may be unique to a system.
This rule detects precompiled binary files that Might Be Trusted that have been installed into the NativeImages folder and don’t contain suspicious attributes.
137
196745
3
85
Identify unsigned DOTNet assemblies that Might Be Trusted
Detects DOTNet assemblies that aren’t signed with a known trusted certificate. These files are often low prevalence and may be unique to a system.
This rule detects files that Might Be Trusted that have been installed into the global assembly cache folders and don’t contain suspicious attributes. These files are often on few systems in the network and may include pre-compiled DOTNet native image files and similar assemblies.
138
393354
6
85
Identify trusted unsigned Microsoft DOTNet assemblies
Detects Microsoft DOTNet assemblies that aren’t signed with a known trusted certificate. These files may not be present on many machines within the enterprise.
This rule detects Microsoft-provided files that have CLR code (DOTNet), have been installed into the global assembly cache folders, and don’t contain suspicious attributes. The files may or may not be found on multiple machines within the enterprise, which could include just-in-time compiled assemblies.
139
327819
5
85
Identify trusted DOTNet assemblies
Detects DOTNet assemblies that have been installed into the global assembly cache and are present on multiple machines.
This rule detects files that have CLR code (DOTNet) and have been installed into the global assembly cache folders. The files are present on multiple machines within the enterprise, indicating they aren’t just-in-time compiled assemblies.
140
196748
3
85
Identify trusted prevalent files
Detects files that have been present in the enterprise for a long time and are prevalent across multiple machines.
This rule detects files that are trusted because they’re widespread and well known. The files are present on multiple machines within the enterprise and have been known for more than 3 months.
151
196759
3
70
Identify web installers
Identifies web installers that are signed and whose certificate isn’t distrusted. It also identifies the company, product, and version.
This rule identifies web installers that are signed and whose certificate isn’t distrusted. It also identifies the web installer’s company, product, and version.
152
327832
5
70
Identify safe files extracted by Windows Installer
Identifies safe files extracted by Windows Installer installer based on the actor process, certificate, and cloud reputation.
This rule identifies safe files extracted by Windows Installer based on actor process, certificate, and cloud reputation. If anything is suspicious about the installer dropped file, the rule doesn’t yield a clean reputation.
153
131225
2
70
Identify files that ATD doesn’t report as suspicious
Identifies files that Advanced Threat Defense doesn’t report as suspicious.
This rule identifies files that have been assessed by Advanced Threat Defense and aren’t reported as suspicious.
205
262349
4
30
Identify suspicious files that have odd creation dates and are likely not packed
Identifies suspicious files that are likely not packed, have odd creation dates, and are in locations such as the Temp or Downloads folders.
This rule identifies suspicious files in locations such as the Temp or Downloads folders. These files are likely not packed and there’s evidence that the date properties have been tampered.
206
65742
1
30
Identify suspicious files that have odd creation dates and are likely packed
Identifies suspicious files anywhere on the system. The files are likely packed and show evidence that the date has been tampered.
This rule identifies suspicious files located anywhere on the system. These files are identified as packed and there’s evidence that the date properties have been tampered.
207
196815
3
15
Identify suspicious files executing from the Recycle bin
Identifies suspicious files that are executed from the Recycle bin.
This rule identifies suspicious files that reside in and are executed from the Recycle bin.
208
65744
1
15
Identify suspicious files executing from the roaming folder
Identifies suspicious files that are executed or loaded from the user’s roaming folder.
This rule identifies suspicious files that are executed or loaded from the user’s roaming folder (%userprofile%\appdata\roaming) in an incorrect way.
209
196817
3
15
Identify suspicious files that are hidden from the user
Identifies suspicious files that are executed or loaded while hidden from the user.
This rule identifies suspicious files that are executed or loaded, and are hidden from the using a mechanism such as a file attribute. These files appear to be critical operating system files but aren’t.
211
65747
1
15
Identify suspicious files created by an untrusted process
Identifies suspicious files created with a process that has a suspicious or known malicious reputation.
This rule identifies a file that is suspicious because the process that created it has a reputation of Might be Malicious to Known Malicious at the time of creation. The file also hasn’t been modified since its creation.
213
131285
2
30
Identify a file as suspicious based on how it’s packed
Identifies a packed or encrypted file as suspicious and the packer not used by legitimate software.
This rule identifies a file as suspicious when it’s determined to be packed or encrypted, and there are features in the file that aren’t commonly found in legitimate software.
214
65750
1
30
Identify a suspicious keylogger
Identifies a file as suspicious when it has features that aren’t used by legitimate software and looks like a keylogger.
This rule identifies a file as suspicious when it has features that aren’t used by legitimate software. The file has suspicious characteristics such as importing APIs which are used to monitor keystrokes, and has missing version information.
217
131289
2
15
Identify a suspicious password stealer
Identifies files that have been incorrectly installed into the user’s roaming profile and has suspicious characteristics.
This rule identifies a file that has been incorrectly installed into the user’s roaming profile and has suspicious characteristics. The file imports APIs that are used for monitoring keystrokes, capturing screenshots, or checking for active debuggers.
218
65754
1
30
Identify a suspicious file that hides its age
Identifies files that modify the presented age of the file. The files contain suspicious characteristics and don’t look like installed programs.
This rule identifies files that modify the presented age of the file. The files contain suspicious characteristics such as being packed, missing version information, tagged as a system file, or importing suspicious APIs. They aren’t present in a path typically used for installed programs.
219
393435
6
15
Identify a suspicious file that hides in a secure location
Identifies files in secure locations, such as folders reserved for system drivers. These files aren’t consistent with other files in that location and have suspicious characteristics.
This rule identifies files that are in secured locations, such as folders reserved for system drivers. The files don’t use the native subsystem, and have suspicious characteristics such as missing or incorrect version information, or a file type that doesn’t match the extension.
220
196828
2
30
Identify new suspicious files
Identifies files that are new to the system and contain suspicious characteristics such as modified section names or modified code at the entry point of the binary.
This rule identifies files that have a creation date in the last 30 days and contain suspicious characteristics. These include modified section names or modified code at the entry point of the binary.
222
131294
2
15
Identify a suspicious keylogger hiding as an installed program
Detects files that import keylogging APIs and hide in locations used by an installed program. They have suspicious characteristics such as a few imports and being new to the system, while not looking like a legitimate application.
This rule detects files that import keylogging APIs and hide in program file folders or subfolders. The files aren’t registered as a service or in add/remove programs. They have registry keys that launch at startup, and suspicious characteristics such as a few imports or Portable Executable (PE) Sections.
234
65770
1
15
Identify files that ATD reports as suspicious
Identifies files that Advanced Threat Defense reports as suspicious.
This rule identifies files that Advanced Threat Defense reports as suspicious.
235
65771
1
30
Identify suspicious files from the Internet that might be malicious based on GTI reputation
Identifies files that come from the internet which might be malicious based on GTI reputation.
This rule identifies files that came from an untrusted URL. They’re malicious and have suspicious characteristics such as being packed, are less than 15 days old, and appear on less than 10 systems or 1% of the enterprise.
237
196845
3
15
Find suspicious files signed with a revoked certificate
Detects files that have an embedded revoked certificate. They’re newly discovered files and are seen on a few systems.
This rule detects files with an embedded certificate that has been revoked. The files have been in the environment for less than 5 days and are seen on less than 1% of machines.
238
655598
10
-1
Identify abuse of common process’s spawned from non-standard locations in Observe mode.
Mitre-T1036: Files may masquerade as legitimate files by hiding in non-standard locations. This rule detects against the suspicious running of common processes if spawned from non-standard locations in Observe mode.
Tactic: Defense Evasion – Technique: T1036. Identifies the suspicious running of common process’s if spawned from non-standard locations. The rule takes a more aggressive approach to rule ID 267 and is by default observe only. It needs to be manually set to enabled in any rule group assignment you want to use it in.
239
1179887
18
-1
Identify suspicious command parameter execution
Mitre-T1059: Identifies the suspicious execution of an application through command-line parameters.
Tactic: Execution – Technique: T1059. This rule targets suspicious invocations of command and script interpreters.
240
65776
1
30
Identify suspicious files with characteristics that have been predominantly seen in ransomware
Identify suspicious files with characteristics that have been predominantly seen in ransomware and are in uncommonly used locations.
Identify suspicious files with characteristics that have been predominantly seen in ransomware and are in uncommonly used locations.
243
1769715
27
-1
Identify and block suspicious process executions
Mitre-T1059: blocks suspicious use of command and script interpreters. Similar to rule ID 239 but must be manually enabled.
Tactic: Execution – Technique: T1059. This rule takes a more aggressive approach than the default on rule ID 239 so it is in observe by default in all rule group assignments. It needs to be manually enabled if you want to use it.
250
131322
2
-1
Elevate trust of a file which got scanned multiple times without detection
Elevate trust of a file based on local age on disk when the file has been scanned multiple times.
Elevate trust of a file based on local age on disk when the file has been scanned multiple times and has no suspicious characteristics.
251
65787
1
15
Identify files that MWG reports as suspicious
Identifies files that McAfee Web Gateway reports as Known Malicious or Most Likely Malicious and issues a Most Likely Malicious reputation.
This rule identifies files that McAfee Web Gateway reports as Known Malicious or Most Likely Malicious and issues a Most Likely Malicious reputation. This rule doesn’t issue a reputation for files that McAfee Web Gateway determines Might Be Malicious.
252
131324
2
15
Identify files that CTD reports as suspicious
Identifies files that Cloud Threat Detection reports as High or Very High and issues a Most Likely Malicious reputation.
This rule identifies files that Cloud Threat Detection reports with High or Very High trust score and issues a Most Likely Malicious reputation. This rule doesn’t issue a reputation for files that CTD determines with Medium trust score.
253
65789
1
-1
Identify malicious or safe files based on Third-party Reputation Provider scores
Detect or Trust files considering Third-Party Reputation Provider scores.
Detect or Trust files considering Third-Party Reputation Provider scores connected on the DXL.
255
590079
9
-1
Detect potentially obfuscated command-line parameters
Mitre-T1027: Trigger on command-line arguments that are highly obfuscated.
Tactic: Defense Evasion – Technique: T1027. This rule is designed to analyze command-line parameters passed to programs to alert on potentially obfuscated strings that could indicate malicious behavior.
256
393472
6
-1
Detect use of long -encodedcommand PowerShell
Mitre-T1059: Command and Scripting Interpreter. Alerts on the usage of -encodedcommand [base64] in PowerShell.
Tactic: Execution – Technique: T1059. Attempts to look for suspicious usage of the -encodedcommand option in PowerShell. Malware can use this technique to evade static detections of command-line parameters. When this alert is triggered, you should inspect the decoded base64 command to make sure that it’s expected behavior.
257
393473
6
15
Detect potentially malicious usage of WMI
Mitre-T1047: Looks for common usage of wmi to either execute code, move laterally or persist.
Tactic: Execution, Lateral Movement – Technique: T1047. WMI provides a way of discovery, executing code, moving laterally or even persisting in an environment.
258
983298
15
15
Detect most likely masqueraded files which can result in suspicious process launches
Mitre-T1036: Detects files masquerading as legitimate binaries to evade detections.
Tactic: Defense Evasion – Technique: T1036. This rule is similar to the default on masqueraded file rule ID 259 but includes a different set of files that might trigger false positives.
259
590083
9
15
Detect masqueraded files or process launches
Mitre-T1036: Alerts on if a common system file is renamed or dropped in a non-standard location.
Tactic: Defense Evasion – Technique: T1036. This rule looks for scenarios where files have been renamed such as script interpreters.
260
327940
5
15
Detect AMSI bypass techniques
Mitre-T1562: Detect the techniques which are used to bypass Antimalware Scan Interface (AMSI).
Tactic: Defense Evasion – Technique: T1562. This rule is designed to block the various techniques used to bypass the Antimalware Scan Interface (AMSI).
262
262406
4
-1
Identify suspicious command parameter execution for Security rule group assignments
Mitre-T1059: Identifies the suspicious execution of an application through command-line parameters for Security rule group assignments.
Tactic: Execution – Technique: T1059. This rule identifies suspicious execution of an application through execution parameters for Security rule group assignments. It needs to be manually enabled for Productivity and Balanced rule group assignments.
263
917767
14
-1
Detect processes accessing suspicious URLs
Mitre-T1204. Detect processes accessing suspicious URLs which are used to download malicious content.
Tactic: Execution – Technique: T1204. This rule is designed to detect processes that have suspicious URLs in their command-line parameters, which are used to download malicious payloads.
264
393480
6
15
Inspect EncodedCommand PowerShell
Mitre-T1059, T1140: Base64 decode -encodedcommand usage in PowerShell to inspect for suspicious commands.
Tactics: Execution, Defense Evasion – Techniques: T1059, T1140. This rule decodes base64 encoded commands to check for potential download cradles or other malicious PowerShell usage.
265
524553
8
15
Look for executable files with non-standard extensions
Mitre-T1564: Identify files that are executable (PE) but don’t end in a standard extension.
Tactic: Defense Evasion – Technique: T1564. This rule removes any file identified as a PE file whose extension is not one of the standard registered extensions (as listed by running cmd /c assoc).
266
786698
12
30
Identify target process launching nonstandard extensions or launched by non-standard actor
Mitre-T1036, T1059: Attempts to prevent processes trying to launch non-standard extensions or being launched by non-standard actor.
Tactics: Execution, Defense Evasion – Techniques: T1036, T1059. Detects a target process launching a file with a non-standard extension, for example cscript launching a .txt file.
267
262411
4
-1
Protect against abuse of common process’s spawned from non-standard locations in security rule group assignments
Mitre-T1036: Files may masquerade as legitimate files by hiding in non-standard locations. This rule protects against the suspicious running of common processes spawned from non-standard locations in Security rule group assignments.
Tactic: Defense Evasion – Technique: T1036. Protects against the suspicious running of common processes spawned from non-standard locations in the Security rule group assignment. It needs to be changed from observe to enabled in the Balanced and Productivity rule group assignments.
268
262412
4
-1
Protect against abuse of common process’s spawned from non-standard locations
Mitre-T1036: Files may masquerade as legitimate files by hiding in non-standard locations. This rule protects against the suspicious running of common processes spawned from non-standard locations.
Tactic: Defense Evasion – Technique: T1036. Protects against the suspicious running of common processes spawned from non-standard locations.
269
196877
3
15
Detect potentially malicious usage of WMI service to achieve persistence
Mitre-T1047: Looks for common usage of the WMI service to execute code and persist.
Tactic: Execution, Lateral Movement – Technique: T1047. WMI provides a way to perform discovery, execute code, move laterally, or even persist in an environment.
270
262414
4
-1
Identify and block suspicious command parameters which are manipulated to bypass detection
Mitre-T1059: Blocks suspicious use of command and script interpreters, specifically command patterns that are manipulated to bypass detection.
Tactic: Execution – Technique: T1059. This rule targets suspicious invocations of command and script interpreters where commands are manipulated to bypass detection. It needs to be manually enabled if you want to use it.
300
655660
10
-1
Prevent office applications from launching child processes that can execute script commands
Mitre-T1566: Prevent office applications from launching child processes that can execute scripts, such as PowerShell and cscript.
Tactic: Initial Access, Execution, Defense Evasion – Techniques: T1566, T1059. Attempts to prevent office applications from being abused to deliver malicious payloads.
301
590125
9
-1
Blocks cmd.exe from being spawned by office applications
Mitre-T1566: Prevents any office application from launching cmd.exe.
Tactic: Initial Access, Execution, Defense Evasion – Techniques: T1566, T1059. It’s uncommon for cmd.exe to be launched from office documents, so this can be a sign of malicious behavior. It’s recommended that you enable this rule if your workflows allow for it.
303
327983
5
-1
Identify highly suspicious payloads targeting Browser-related applications
Identify highly suspicious payloads targeting Browser-related applications like Firefox, Chrome, Edge, and others.
Identify highly suspicious payloads including unknown binaries targeting Browser applications like Firefox, Chrome, Edge, and others.
304
459056
7
-1
Prevent browsers from launching dual use tools such as script editors and cmd
Prevent browsers from launching dual use tools such as script editors and cmd.
Prevent browsers from launching dual use tools such as script editors and cmd.
306
327986
5
-1
Identify highly suspicious payloads targeting Network related services or applications
Identifies highly suspicious payloads targeting Network-related services or applications and doesn’t allow launch of tools that indicate suspicious behavior.
Identifies highly suspicious payloads targeting Network-related services or applications and doesn’t allow launch of tools that indicate suspicious behavior.
307
590131
9
-1
Prevent wmiprvse.exe and netsh.exe from launching script interpreters or other dual use tools
Prevent wmiprvse.exe and netsh.exe from launching script interpreters or other dual use tools.
When a script interpreter such as PowerShell is invoked via WMI, wmiprvse.exe becomes the parent that spawns it, which makes detection harder. Some legitimate processes may do this, so test this rule for false positives and enable it if possible.
309
590133
9
-1
Block processes trying to launch from office applications. Rule enabled only in high security policies
Mitre-T1566: Prevent office applications from launching suspect processes. Rule is enabled by default only on the Security rule group assignment.
Tactic: Initial Access, Execution, Defense Evasion – Techniques: T1566, T1059. Attempts to prevent office applications from being abused to deliver malicious payloads on systems with high security policies.
310
131382
2
-1
Prevent email applications from launching child processes that can execute script commands
Mitre-T1204. Prevent email programs from launching processes that can execute script commands.
Tactic: Execution – Technique: T1204. Attempts to prevent email applications from being used to further spawn processes that can execute scripts.
311
131383
2
-1
Prevent email applications from launching child processes that can execute script commands in Security rule group assignments only
Mitre-T1204. Prevent email programs from launching processes that can execute script commands only in Security rule group assignments.
Tactic: Execution – Technique: T1204. Attempts to prevent email applications from being used to further spawn processes that can execute scripts.
312
131384
2
-1
Prevent email applications such as Outlook from spawning script editors and dual use tools
Mitre-T1204. Prevent email applications such as Outlook* from spawning script editors and dual use tools.
Tactic: Execution – Technique: T1204. This rule helps prevent applications such as Outlook* from spawning potentially abusable tools. Some environments may do this legitimately, so it’s recommended that you baseline your environment before enabling.
313
262457
4
-1
Prevent several text editors like Notepad and Wordpad from spawning processes that can execute script commands in all rule group assignments
Mitre-T1204: Prevent text editors from spawning new processes that can further be used to execute scripting commands.
Tactic: Execution – Technique: T1204. Prevent text editors from being used to spawn processes like cmd or PowerShell.
314
262458
4
-1
Prevent several text editors like Notepad and Wordpad from spawning processes that can execute script commands in Security rule group assignment
Mitre-T1204: Prevent text editors from spawning new processes that can further be used to execute scripting commands in the Security rule group assignment.
Tactic: Execution – Technique: T1204. Prevent text editors from being used to spawn script interpreters. This rule is only on by default in the Security rule group assignment. It needs to be manually enabled if you’re using Balanced or Productivity rule group assignments.
315
262459
4
-1
Aggressively blocks processes with unknown reputations from being spawned by text editors
Mitre-T1204: Aggressively blocks processes with unknown reputations from being spawned by text editors.
Tactic: Execution – Technique: T1204. Similar to rule ID 313 but takes a more aggressive approach. It’s set to observe only by default and needs to be enabled in the rule group assignment.
316
262460
4
-1
Prevent PDF readers from launching processes that can execute scripts in all rule group assignments
Mitre-T1204: Prevent PDF readers from launching processes that can execute scripts.
Tactic: Execution – Technique: T1204. Prevent PDF readers from launching processes that can execute scripts.
317
262461
4
-1
Prevent PDF readers from launching processes that can execute scripts in Security rule group assignments only
Mitre-T1204: Prevent PDF readers from launching processes that can execute scripts in Security rule group assignments only.
Tactic: Execution – Technique: T1204. Prevent PDF readers from launching processes that can execute scripts in Security rule group assignments only.
318
262462
4
-1
Prevent PDF readers from launching cmd.exe
Mitre-T1204: Prevent PDF readers from launching cmd.exe
Tactic: Execution – Technique: T1204. Prevent PDF readers from launching cmd.exe
319
196927
3
-1
Prevent cmd.exe from launching other script interpreters such as cscript or PowerShell in all rule group assignments
Mitre-T1059: Attempts to keep cmd.exe from launching other script interpreters, which could indicate a malicious payload.
Tactic: Execution – Technique: T1059. Block dual use tools from being launched by cmd.exe that are commonly used in attacks.
320
131392
2
-1
Prevent cmd.exe from launching other script interpreters such as cscript or PowerShell by default only in Security rule group assignments
Mitre-T1059: Identify suspicious payloads invoking command shell in the security rule group assignments.
Tactic: Execution – Technique: T1059. Identify suspicious payloads invoking command shell. This rule is only enabled by default in the Security rule group assignment. It needs to be manually enabled if you’re using any other rule group assignment.
321
459073
7
-1
Prevent cmd.exe from launching script interpreters
Mitre-T1059: Attempts to prevent suspicious process chains by keeping cmd from further spawning script interpreting processes.
Tactic: Execution – Technique: T1059. Attempts to prevent suspicious process chains by keeping cmd from further spawning script interpreting processes.
322
459074
7
-1
Prevent mshta from being launched by any process for all rule group assignments
Mitre-T1218: Prevent mshta from being used as a signed binary to proxy code execution through.
Tactic: Initial Access, Defense Evasion, Execution – Technique: T1218, T1204. mshta.exe is a common tool used to deliver a payload. This rule prevents it from being used.
323
459075
7
-1
Prevent mshta from being launched as a child process
Mitre-T1218: Prevent mshta from being launched by any process for Security rule group assignments only.
Tactic: Initial Access, Defense Evasion, Execution – Technique: T1218, T1204. Prevent mshta.exe from being launched by any process. Only on by default in the Security rule group assignment. It needs to be enabled if using Balanced or Productivity rule group assignments.
324
655684
10
-1
Prevent mshta from launching suspicious process
Mitre-T1218: Prevent mshta from launching suspicious application.
Tactic: Initial Access, Defense Evasion, Execution – Technique: T1218, T1204. This rule takes a more aggressive approach to preventing code executed via mshta.exe and as such is in observe by default in all 3 rule group assignments. It’s possible that it could generate false positives and will need to be enabled manually.
325
196933
3
-1
Identify suspicious payloads invoking Rundll32 process
Mitre-T1218: Identify suspicious payloads proxying code execution through the Rundll32 process.
Tactic: Defense Evasion, Execution – Technique: T1218. Identify suspicious payloads proxying code execution through the Rundll32 process.
326
328006
5
-1
Identify suspicious payloads invoking Rundll32 in high change systems
Mitre-T1218: Identify suspicious payloads proxying code execution through the Rundll32 process.
Tactic: Defense Evasion, Execution – Technique: T1218. Identify suspicious payloads invoking Rundll32. This rule is only on by default in the Security rule group assignment and is set to observe in Balanced and Productivity group assignments.
327
328007
5
-1
Identify most probable suspicious payloads invoking Rundll32 process
Mitre-T1218: Identify most probable suspicious payloads invoking Rundll32 process.
Tactic: Defense Evasion, Execution – Technique: T1218. This rule is by default in observe only in all 3 rule group assignments. It takes a more aggressive approach to blocking code executed with rundll32 and could generate false positives. It needs to be manually enabled in all rule group assignments.
329
393545
6
-1
Identify and block suspicious usage of Scheduled Tasks in high change systems
Mitre-T1053: Looks for any potentially malicious invocation of scheduled tasks and blocks them before they are added, on high change systems.
Tactics: Execution, Persistence, Privilege Escalation – Technique: T1053. Looks for any potentially malicious invocation of scheduled tasks and blocks them before they are added, on high change systems. This attempts to cut off a common malware persistence mechanism.
330
262474
4
-1
Identify and block probably suspicious invoking of system process SvcHost and hence preventing it from abuse
Mitre-T1055: Looks for any potentially malicious invocation of the svchost system process and blocks undesired process injections into it.
Tactic: Defense Evasion – Technique: T1055. Looks for any potentially malicious invocation of the svchost system process and blocks undesired process injections into it from unknown actor processes.
331
196939
3
-1
Identify and block probably suspicious invoking of system process SvcHost for Security rule group assignments
Mitre-T1055: Looks for any potentially malicious invocation of the svchost system process and blocks undesired process injections into it, in the Security rule group assignment.
Tactic: Defense Evasion – Technique: T1055. Looks for any potentially malicious invocation of the svchost system process and blocks undesired process injections into it from unknown actor processes, in the Security rule group assignment.
332
393548
6
-1
Prevent certutil.exe from downloading or decoding files with suspect extensions
Mitre-T1140: Blocks certutil from downloading remote files or decoding files disguised as something else.
Tactics: Defense Evasion – Techniques: T1140, T1218. CertUtil is a binary that can be abused by attackers to fetch or decode payloads. This rule prevents certutil.exe from fetching payloads or decoding staged files. Certutil also belongs to the group of dual-use tools covered by Mitre technique T1218.
333
917837
14
-1
Identify probably suspicious process chains
Mitre-T1574: Identify interesting process chains and block them if behavior is suspicious.
Tactics: Persistence, Privilege Escalation, Defense Evasion – Technique: T1574. Identify interesting process chains and block them if behavior isn’t desirable or suspicious.
334
262478
4
-1
Identify registry modifications to suspect locations
Mitre-T1547: Malware can sometimes maintain persistence by adding or modifying registry keys to instruct a service or binary to launch.
Tactic: Persistence – Technique: T1547. Identifies and blocks registry modifications to suspicious locations.
335
328015
5
-1
Prevent the use of common windows utilities from launching processes in an attempt to bypass UAC
Mitre-T1548: Attempts to prevent common elevation techniques such as UAC bypasses.
Tactics: Privilege Escalation, Defense Evasion – Technique: T1548. This rule tries to mitigate some common UAC bypass techniques in Windows.
336
196944
3
-1
Detect suspicious payloads targeting Network related services or applications
Detect suspicious payloads targeting Network related services or applications in security rule group assignments.
Detect suspicious payloads targeting Network related services or applications via several dual use tools or script interpreters.
337
196945
3
-1
Prevent browsers from launching script interpreters or dual use tools in Security rule group assignments
Detect patterns where browsers try to launch script editors or dual-use tools, in the Security rule group assignment.
Detect patterns where browsers try to launch script editors or dual-use tools. Enabled by default in the Security rule group assignment.
338
196946
3
15
Detects and Blocks process hollowing attempts for processes that were triggered from an unknown actor
Mitre-T1055: Detects and blocks any process hollowing attempt identified using the initial thread state.
Tactics: Defense Evasion, Privilege Escalation – Technique: T1055. Detects and blocks any process hollowing attempt identified using the initial thread state and other relevant process information.
339
131411
2
-1
Prevent .NET utilities to register assemblies from being ran
Mitre-T1218: Prevent Regsvcs.exe and Regasm.exe from registering and running .NET Assemblies.
Tactic: Defense Evasion – Technique: T1218. Prevent Regsvcs.exe and Regasm.exe from registering and running .NET Assemblies which can be used to proxy code execution.
340
131412
2
-1
Identify and block probably suspicious invocations by SearchProtocolHost and hence preventing it from abuse
Mitre-T1055: Looks for any potentially malicious invocation of processes by SearchProtocolHost and prevents undesired process injections.
Tactic: Defense Evasion – Technique: T1055. Looks for any potentially malicious invocation of processes by the SearchProtocolHost system process and prevents undesired process injections.
341
196949
3
-1
Identify and block patterns being used in Ransomware attacks in security rule group assignments.
Looks for any potentially malicious invocation of patterns that are common in ransomware attacks. It takes a more aggressive approach than rule 342 and applies to Security rule group assignments.
Looks for any potentially malicious invocation of patterns that are common in ransomware attacks and blocks the execution. It takes a more aggressive approach than rule 342 and applies to Security rule group assignments.
342
131414
2
-1
Identify and block patterns being used in Ransomware attacks
Looks for any potentially malicious invocation of patterns that are common in ransomware attacks.
Looks for any potentially malicious invocation of patterns that are common in ransomware attacks and blocks the execution.
343
131415
2
-1
Prevent abusable windows binaries from launching cmd.exe as part of a UAC bypass
Mitre-T1548: Attempts to prevent common elevation techniques such as UAC bypasses.
Tactics: Privilege Escalation, Defense Evasion – Technique: T1548. This rule attempts to mitigate some common UAC bypass techniques in Windows.
344
196952
3
-1
Identify suspicious process chains for Security rule group assignments
Mitre-T1574: Identify interesting process chains and block them if behavior is suspicious. The rule applies only for Security rule group assignments.
Tactics: Persistence, Privilege Escalation, Defense Evasion – Technique: T1574. Identify interesting process chains and block them if behavior isn’t desirable or is suspicious. The rule applies only to Security rule group assignments.
345
65881
1
-1
Identify suspicious process execution chains. This is determined by the uncommon occurrence of the process in a specific process chain
Mitre-T1574: Identify interesting process chains and block them if behavior is suspicious.
Tactics: Persistence, Privilege Escalation, Defense Evasion – Technique: T1574. Identify interesting process chains and block them if behavior isn’t desirable or suspicious.
346
196954
3
-1
Prevent certutil.exe from downloading or decoding any file
Mitre-T1140: Blocks certutil from downloading remote files or decoding files. This rule differs from Rule ID 332 in that it provides more general coverage of certutil abusable parameters.
Tactics: Defense Evasion – Techniques: T1140, T1218. CertUtil is a binary that can be abused by attackers to fetch or decode payloads. This rule prevents certutil.exe from fetching payloads or decoding staged files. Certutil also belongs to a group of dual-use tools in the Mitre technique T1218.
347
393563
6
-1
Prevent actor processes from repeatedly trying to run successive commands
Mitre-T1059: Command and Scripting. Prevent unknown processes from repeatedly launching commands to stop services or perform other scripted items in a row.
It is common for recon toolsets and scripts to have one process repeatedly run cmd, PowerShell, wmic, net, and so on to perform quick recon of a system or to stop critical services and processes.
349
65885
1
15
Detect potentially malicious usage of BITSAdmin
Mitre-T1197: Looks for suspicious usage of the BITSAdmin tool to download a file to a non-standard location or from malicious sites.
Tactic: Defense Evasion, Persistence – Technique: T1197. Looks for suspicious usage of the BITSAdmin tool to download a file to a non-standard location or from malicious sites.
350
65886
1
15
Detect suspicious usage of data transfer tools
Mitre-T1537, T1567: Looks for suspicious usage of tools that can be used to transfer data to an external network.
Tactic: Exfiltration – Technique: T1537, T1567. This rule aims to detect data exfiltration by detecting suspicious usage of common data transfer tools. Network traffic related to the tool should be reviewed if the rule triggers.
500
197108
3
15
Block lateral movement from other windows machines in the network
Mitre-T1570: Lateral Tool Transfer. Blocks use of tools that allow for lateral movement of files to this client.
Tactic: Lateral Movement – Technique: T1570. This rule blocks lateral movement from Windows Clients. A network data source that monitors traffic may need to be reviewed to make sure this is expected activity. This rule should only be turned on for systems that are in highly restrictive environments as it may generate many false positives.
501
131573
2
15
Block lateral movement from other Linux machines in the network
Mitre-T1570. Blocks all lateral movement to this client from other Linux machines in the network
Tactic: Lateral Movement – Technique: T1570. This rule blocks lateral movement from Linux Clients. It should only be turned on for systems that are in highly restrictive environments as it may generate many false positives.
502
131574
2
15
Detect new service creation
Mitre-T1543: Prevent new services from being created via sc.exe or powershell.exe.
Tactic: Persistence, Privilege Escalation – Technique: T1543. New service creation, although common, can be a potential indicator of malicious behavior. New services should be monitored and their underlying execution investigated to make sure it’s expected behavior. Services can also be named to masquerade as legitimate services, so the name alone isn’t sufficient to distinguish legitimate from malicious services.
503
131575
2
15
Detect binaries signed with Suspicious Certs
Mitre-T1553: Prevent execution of binaries signed with a suspicious certificate.
Tactic: Defense Evasion – Technique: T1553 (Subvert Trust Controls: Code Signing). This rule blocks execution of binaries signed with untrusted certificates. It should only be turned on for systems that are in highly restrictive environments as it may generate many false positives.
504
131576
2
15
Prevent use of sdbinst.exe to install application shims
Mitre-T1546: Prevent use of sdbinst.exe to install application shims. This can be used to patch existing binaries to help establish persistence or escalate privilege.
Tactic: Privilege Escalation, Persistence – Technique: T1546. Application shimming is a form of event triggered execution and should be carefully monitored for use in your environment. Usage of sdbinst.exe to install an application shim could be an indication of potential malicious behavior.
505
131577
2
15
Detect obfuscated cmd.exe command-line parameters
Mitre-T1027: Detect attempts at obfuscating cmd.exe command-line parameters. Targets tools like Invoke-DOSfuscation.
Tactic: Defense Evasion – Technique: T1027. Attackers can try to bypass command-line detections by obfuscating their payloads. Obfuscated command-line parameters can be an indicator of malicious activity and should be investigated to verify it’s expected usage.
506
197114
3
30
Detect commands for user discovery
Mitre-T1033: Detect commands that allow for system owner/user discovery.
Tactic: Discovery – Technique: T1033. Upon gaining a foothold an attacker may try to use common system administration tools to learn more about the system they have gained access to. This rule can generate false positives due to its generic coverage so it should be enabled with care.
507
197115
3
30
Detect commands used to discover more information about a system
Mitre-T1082: Detect commands commonly used to perform additional recon on a system.
Tactic: Discovery – Technique: T1082. Upon gaining a foothold an attacker may try to use common system administration tools to further discover details such as hotfixes installed and OS version to better understand the box they have gained initial access to. Caution should be taken when enabling this rule as it can generate false positives due to how generic these commands are.
508
197116
3
30
Detect commands used to discover permission information related to users and groups
Mitre-T1069: Permission groups discovery.
Tactic: Discovery – Technique: T1069. During the discovery phase of an attack, an adversary may use common tools to enumerate which users and groups have permissions to different assets in the environment. These commands can generate false positives because they are so generic, but they can serve as a potential indicator of compromise during the discovery phase of an attack.
509
262653
4
30
Detect commands used to discover network-related configurations
Mitre-T1016, T1049: Detect commands used to discover information related to network configuration and connections information.
Tactic: Discovery – Technique: T1016, T1049. During the discovery phase of an attack, an adversary may use common tools to enumerate network configuration and network connections. These commands can generate false positives because they are so generic, but they can serve as a potential indicator of compromise during the discovery phase of an attack.
510
131582
2
15
Detect data encryption attempts for suspicious activities
Mitre-T1022, T1560: Detect attempts at compression and encryption before exfiltration by suspicious actors.
Tactic: Collection – Technique: T1560. Detects encryption by third-party software or custom methods before exfiltration. The rule is meant for highly restrictive environments and could be prone to false positives.
511
197119
3
30
Detect attempts to dump sensitive information via registry or lsass
Mitre-T1003: Detect commands that can be used to dump sensitive OS information related to credentials.
Tactic: Credential Access – Technique: T1003. Attackers commonly leverage custom or native tools to export sensitive data such as a memory dump of LSASS.exe, an export of SAM registry hive or make a shadow copy of ntds.dit to facilitate dumping of hashes/credentials. Some software may do this legitimately, so false positives may be generated using this rule.
512
197120
3
30
Detect commands that allow for indirect execution outside of cmd and PowerShell
Mitre-T1202: Detect commands that can execute commands other than cmd or PowerShell. Indirect command execution can be a way for adversaries to evade some detections.
Tactic: Defense Evasion – Technique: T1202. One way to evade defenses can be to use indirect command execution that may allow for attackers to stay under the radar and bypass detections that may be looking for direct execution via cmd.exe or powershell.exe. Some scripts may legitimately use these commands so false positives may be generated when enabling this rule.
513
197121
3
15
Detect commands used for copying files from a remote system
Mitre-T1105,T1570: Detect commands used to transfer tools or other files from external environment to compromised system.
Tactic: Command and Control – Technique: T1105, T1570. Blocks remote copy operations or lateral tool transfer from an external environment. This rule can generate false positives, so it is meant for highly restrictive environments.
514
262658
4
15
Detect DLL loads that have potentially been hijacked
Mitre-T1574: Detect attempts to hijack execution flow by preventing suspicious DLLs from being loaded.
Tactic: Persistence, Privilege Escalation, Defense Evasion – Technique: T1574. Execution flow hijacking can be done in a number of ways by abusing the order in which legitimate binaries attempt to load their dependencies. This can allow attackers to use trusted binaries to load an untrusted DLL, by taking advantage of a binary that doesn’t specify the absolute path of the dependencies it expects.
515
197123
3
-1
Protect against office apps launching unknown processes from non-standard locations.
This rule protects against the suspicious use of office apps. It looks for suspicious processes launched by office apps in non-standard locations.
Office apps are commonly used to deliver malware, so this rule looks for suspicious processes being launched from office apps. This rule can generate false positives, so it should be enabled with care.
516
131588
2
15
Identify and block processes executing with non-standard command lines
Attempt to block processes which are executing with command lines normally not seen by the process.
Tactic: Defense Evasion. This rule targets common Windows processes that are executing with non-standard command lines. It needs to be manually enabled if you want to use it.
517
131589
2
15
Prevent actor process with unknown reputations from launching processes in common system folders
This rule looks for actors with an unknown process reputation and prevents it from launching child processes with blank command lines from common system directories.
This rule targets processes with an unknown process reputation (or lower) launching binaries from common system folders. It also looks for blank command lines, as is common with some Cobalt Strike spawnto uses.
518
66054
1
15
Prevent unknown actor processes from launching target processes in common system folders
This rule is similar to 517 but looks for any unknown actor launching a target with suspicious command-line parameters.
This rule is similar to 517 but looks for any unknown actor launching a target with suspicious command-line parameters.
519
131591
2
15
Detect use of GetSystem command elevate privileges
Mitre-T1134: Access token manipulation for privilege escalation. This rule looks for named pipe impersonation technique used to get SYSTEM privileges.
Adversaries can use named pipes to connect to and duplicate a token handle to gain SYSTEM privileges. If this rule fires, the source and target should be carefully inspected to look for any potential system abuse.
520
66056
1
15
Detect abuse of File Permission Modification commands to execute malware
Mitre-T1222.001: File and Directory Permission Modification. This rule detects suspicious usages of the file system modification commands to execute malware.
Mitre-T1222.001: File and Directory Permission Modification. This rule detects suspicious usages of the file system modification commands to execute malware.
521
131593
2
15
Detect attempts to hijack a service whose path is unquoted
Mitre-T1574.009: Hijack Execution Flow via path interception.
Tactics: Persistence, Privilege Escalation, Defense Evasion. Service paths that aren’t properly quoted may be hijackable by placing a binary in a folder that is searched before the intended service
522
66058
1
15
Detect attempts to hijack execution flow via search order of the PATH environment variable
Mitre-T1574.007: Hijack Execution Flow via PATH environment variable interception.
Tactics: Persistence, Privilege Escalation, Defense Evasion. The order of the paths in the PATH environment variable can be susceptible to execution hijacking.
523
66059
1
15
Detect services or scheduled tasks launched from a suspect location
Mitre-T1036.004: Masquerade Task or Service
Tactics: Persistence, Privilege Escalation, Defense Evasion. Malware may use a scheduled task or service for persistence or to escalate privileges. To evade detection, they may masquerade the name of the service or task to look legitimate. If this rule triggers scheduled tasks and services should be inspected for legitimacy.
524
66060
1
15
Prevent any execution of cmd.exe from mshta.exe
This rule is designed to prevent execution of cmd.exe from mshta.exe
Prevent execution of cmd.exe spawning from mshta.exe process.
Rule state by security posture. The Mandatory flag is the same in the High, Medium, and Low postures, so the three tables are shown side by side:

| Rule ID | Mandatory | High | Medium | Low |
|---|---|---|---|---|
| 1 | TRUE | enabled | enabled | enabled |
| 2 | TRUE | enabled | enabled | enabled |
| 3 | FALSE | enabled | enabled | enabled |
| 4 | TRUE | enabled | enabled | enabled |
| 5 | FALSE | enabled | enabled | enabled |
| 10 | TRUE | enabled | enabled | enabled |
| 12 | TRUE | enabled | enabled | enabled |
| 20 | TRUE | enabled | enabled | enabled |
| 34 | FALSE | enabled | enabled | enabled |
| 35 | TRUE | enabled | enabled | enabled |
| 36 | TRUE | enabled | enabled | enabled |
| 38 | FALSE | enabled | enabled | enabled |
| 50 | TRUE | enabled | enabled | enabled |
| 51 | TRUE | enabled | enabled | enabled |
| 55 | TRUE | enabled | enabled | enabled |
| 57 | FALSE | enabled | enabled | enabled |
| 58 | FALSE | evaluated | evaluated | evaluated |
| 60 | FALSE | evaluated | evaluated | evaluated |
| 61 | TRUE | enabled | enabled | enabled |
| 62 | TRUE | enabled | enabled | enabled |
| 95 | FALSE | enabled | enabled | enabled |
| 96 | TRUE | enabled | enabled | enabled |
| 97 | FALSE | evaluated | evaluated | evaluated |
| 98 | FALSE | enabled | enabled | enabled |
| 99 | FALSE | enabled | enabled | enabled |
| 125 | FALSE | evaluated | evaluated | evaluated |
| 126 | TRUE | enabled | enabled | enabled |
| 127 | TRUE | enabled | enabled | enabled |
| 128 | TRUE | enabled | enabled | enabled |
| 129 | TRUE | enabled | enabled | enabled |
| 130 | TRUE | enabled | enabled | enabled |
| 131 | TRUE | enabled | enabled | enabled |
| 132 | TRUE | enabled | enabled | enabled |
| 133 | FALSE | enabled | enabled | enabled |
| 134 | FALSE | enabled | enabled | enabled |
| 136 | FALSE | enabled | enabled | enabled |
| 137 | FALSE | enabled | enabled | enabled |
| 138 | FALSE | enabled | enabled | enabled |
| 139 | TRUE | enabled | enabled | enabled |
| 140 | TRUE | enabled | enabled | enabled |
| 151 | TRUE | enabled | enabled | enabled |
| 152 | FALSE | evaluated | evaluated | evaluated |
| 153 | FALSE | evaluated | evaluated | evaluated |
| 205 | FALSE | evaluated | evaluated | evaluated |
| 206 | FALSE | evaluated | evaluated | evaluated |
| 207 | FALSE | enabled | enabled | enabled |
| 208 | FALSE | enabled | enabled | enabled |
| 209 | FALSE | enabled | enabled | enabled |
| 211 | FALSE | evaluated | evaluated | evaluated |
| 213 | FALSE | evaluated | evaluated | evaluated |
| 214 | FALSE | enabled | enabled | enabled |
| 217 | FALSE | enabled | enabled | enabled |
| 218 | FALSE | evaluated | evaluated | evaluated |
| 219 | FALSE | enabled | enabled | enabled |
| 220 | FALSE | evaluated | evaluated | evaluated |
| 222 | FALSE | enabled | enabled | enabled |
| 234 | FALSE | enabled | enabled | enabled |
| 235 | FALSE | evaluated | evaluated | evaluated |
| 237 | FALSE | evaluated | evaluated | evaluated |
| 238 | FALSE | evaluated | evaluated | evaluated |
| 239 | FALSE | enabled | enabled | enabled |
| 240 | FALSE | evaluated | evaluated | evaluated |
| 243 | FALSE | evaluated | evaluated | evaluated |
| 250 | FALSE | enabled | enabled | enabled |
| 251 | FALSE | evaluated | evaluated | evaluated |
| 252 | FALSE | evaluated | evaluated | evaluated |
| 253 | FALSE | evaluated | evaluated | evaluated |
| 255 | FALSE | enabled | evaluated | evaluated |
| 256 | FALSE | evaluated | evaluated | evaluated |
| 257 | FALSE | enabled | enabled | enabled |
| 258 | FALSE | evaluated | evaluated | evaluated |
| 259 | FALSE | enabled | enabled | enabled |
| 260 | FALSE | evaluated | evaluated | evaluated |
| 262 | FALSE | enabled | evaluated | evaluated |
| 263 | FALSE | enabled | enabled | enabled |
| 264 | FALSE | enabled | evaluated | evaluated |
| 265 | FALSE | evaluated | evaluated | evaluated |
| 266 | FALSE | evaluated | evaluated | evaluated |
| 267 | FALSE | enabled | evaluated | evaluated |
| 268 | FALSE | enabled | enabled | enabled |
| 269 | FALSE | evaluated | evaluated | evaluated |
| 270 | FALSE | evaluated | evaluated | evaluated |
| 300 | FALSE | enabled | enabled | enabled |
| 301 | FALSE | evaluated | evaluated | evaluated |
| 303 | FALSE | enabled | enabled | enabled |
| 304 | FALSE | evaluated | evaluated | evaluated |
| 306 | FALSE | enabled | enabled | enabled |
| 307 | FALSE | evaluated | evaluated | evaluated |
| 309 | FALSE | enabled | evaluated | evaluated |
| 310 | FALSE | enabled | enabled | enabled |
| 311 | FALSE | enabled | evaluated | evaluated |
| 312 | FALSE | evaluated | evaluated | evaluated |
| 313 | FALSE | enabled | enabled | enabled |
| 314 | FALSE | enabled | evaluated | evaluated |
| 315 | FALSE | evaluated | evaluated | evaluated |
| 316 | FALSE | enabled | enabled | enabled |
| 317 | FALSE | enabled | evaluated | evaluated |
| 318 | FALSE | evaluated | evaluated | evaluated |
| 319 | FALSE | enabled | enabled | enabled |
| 320 | FALSE | enabled | evaluated | evaluated |
| 321 | FALSE | evaluated | evaluated | evaluated |
| 322 | FALSE | enabled | enabled | enabled |
| 323 | FALSE | enabled | evaluated | evaluated |
| 324 | FALSE | evaluated | evaluated | evaluated |
| 325 | FALSE | enabled | enabled | enabled |
| 326 | FALSE | enabled | evaluated | evaluated |
| 327 | FALSE | evaluated | evaluated | evaluated |
| 329 | FALSE | enabled | evaluated | evaluated |
| 330 | FALSE | evaluated | evaluated | evaluated |
| 331 | FALSE | enabled | evaluated | evaluated |
| 332 | FALSE | enabled | enabled | enabled |
| 333 | FALSE | evaluated | evaluated | evaluated |
| 334 | FALSE | evaluated | evaluated | evaluated |
| 335 | FALSE | enabled | enabled | enabled |
| 336 | FALSE | enabled | evaluated | evaluated |
| 337 | FALSE | enabled | evaluated | evaluated |
| 338 | FALSE | evaluated | evaluated | evaluated |
| 339 | FALSE | evaluated | evaluated | evaluated |
| 340 | FALSE | evaluated | evaluated | evaluated |
| 341 | FALSE | enabled | evaluated | evaluated |
| 342 | FALSE | enabled | enabled | enabled |
| 343 | FALSE | evaluated | evaluated | evaluated |
| 344 | FALSE | enabled | evaluated | evaluated |
| 345 | FALSE | enabled | enabled | enabled |
| 346 | FALSE | evaluated | evaluated | evaluated |
| 347 | FALSE | disabled | disabled | disabled |
| 349 | FALSE | evaluated | evaluated | evaluated |
| 350 | FALSE | evaluated | evaluated | evaluated |
| 500 | FALSE | disabled | disabled | disabled |
| 501 | FALSE | disabled | disabled | disabled |
| 502 | FALSE | disabled | disabled | disabled |
| 503 | FALSE | disabled | disabled | disabled |
| 504 | FALSE | disabled | disabled | disabled |
| 505 | FALSE | disabled | disabled | disabled |
| 506 | FALSE | disabled | disabled | disabled |
| 507 | FALSE | disabled | disabled | disabled |
| 508 | FALSE | disabled | disabled | disabled |
| 509 | FALSE | disabled | disabled | disabled |
| 510 | FALSE | disabled | disabled | disabled |
| 511 | FALSE | disabled | disabled | disabled |
| 512 | FALSE | disabled | disabled | disabled |
| 513 | FALSE | disabled | disabled | disabled |
| 514 | FALSE | disabled | disabled | disabled |
| 515 | FALSE | disabled | disabled | disabled |
| 516 | FALSE | disabled | disabled | disabled |
| 517 | FALSE | disabled | disabled | disabled |
| 518 | FALSE | disabled | disabled | disabled |
| 519 | FALSE | disabled | disabled | disabled |
| 520 | FALSE | disabled | disabled | disabled |
| 521 | FALSE | disabled | disabled | disabled |
| 522 | FALSE | disabled | disabled | disabled |
| 523 | FALSE | disabled | disabled | disabled |
| 524 | FALSE | disabled | disabled | disabled |
Solution 2
Use this solution for TIEm for VSE.
Contents
How to identify which TIE rule triggers an event in the TIEm for VSE
Workstation
If you have access only to the workstation where the event is generated, follow the steps below:
- Open the TIEMDetections.log file using Notepad.exe.
NOTE: You can find the log file in the following location: %PROGRAMDATA%\McAfee\TIEM\
- Find the relevant entry for the detection in the log file.
- Locate the RuleID in the value for convictingRuleID in the same record.
Example:
09/12/14 17:55:26 [I] [0xb34] "!TIEM_DETECTION":["file":"C:\USERS\USER\DESKTOP\SAMPLES\TestDetection1.EXE","user":"user1","reaction":"repair","sha1":"ab3b93171b7c36db16bdd76e194701815ae23b92","md5":"0a43766a03339ea79393d4afe9d745e1","certSha1":"","size":"1024501","reputation":"1","convictingRule":"65540","convictingRuleID":"4","convictingRuleVersion":"1","detectionName":"TIEM/Suspicious.rule4","contentVersion":"1.0.0.268","clientVersion":"1.0.0.972","reputationSource":"tie","evaluationMode":"true","cached":"false","osVersion":"6.1.7600","osArchitecture":"64","agentGuid":"{868b368a-3841-11e4-307b-000c290c89e4}","timestamp":"1410540926","prompted":"false"]
NOTE: The RuleID that triggers the detection for TestDetection1.EXE is RuleID=4. This value corresponds to a detection using GTI File Reputation, as described in the table below.
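A small parser for the record format above, added here as an example and not part of the article or the product: it decodes the convicting rule from a TIEMDetections.log line and cross-checks it against an excerpt of the rule table later in this section. The log record is constructed (placeholder hashes and agent GUID); the relationship Rule Identifier = Rule Version * 65536 + Rule ID is taken from the table rows on this page (for example 196612 = 3 * 65536 + 4).

```python
"""Decode the convicting rule of a TIEMDetections.log record (added example for KB82925)."""
import re

# Excerpt of the TIEm for VSE rule table on this page: rule ID -> (identifier, version, name).
TIEM_RULES = {
    1: (458753, 7, "Use certificate reputation to identify trusted or malicious files"),
    2: (131074, 2, "Use Enterprise file reputation to identify trusted or malicious files"),
    4: (196612, 3, "Use GTI file reputation to identify trusted or malicious files"),
    57: (262201, 4, "Use GTI file reputation to identify files that Might be Trusted or Might be Malicious"),
    211: (65747, 1, "Identify suspicious files created by an untrusted process"),
    235: (65771, 1, "Identify suspicious files from the internet that might be malicious based on GTI reputation"),
}


def split_rule_identifier(identifier: int) -> tuple[int, int]:
    """Split a Rule Identifier into (rule ID, rule version).

    Every row of the article's tables satisfies identifier == version * 65536 + rule ID,
    so the version is the high 16 bits and the rule ID the low 16 bits.
    """
    return identifier & 0xFFFF, identifier >> 16


# "key":"value" pairs as they appear inside the [...] of a !TIEM_DETECTION record.
_PAIR_RE = re.compile(r'"([^"]+)":"([^"]*)"')
_MARKER = '"!TIEM_DETECTION":['


def parse_tiem_detection(line: str) -> dict[str, str]:
    """Return the key/value pairs of one TIEMDetections.log detection record.

    Curly quotes (common in copied records) are normalised to straight quotes first.
    """
    text = (line.replace("\u201c", '"').replace("\u201d", '"')
                .replace("\u2033", '"').replace("\u2032", "'"))
    start = text.find(_MARKER)
    if start < 0:
        raise ValueError("not a !TIEM_DETECTION record")
    body = text[start + len(_MARKER):]
    return dict(_PAIR_RE.findall(body))


def explain_detection(line: str) -> dict:
    """Decode the convicting rule of a record and cross-check it against the table excerpt."""
    rec = parse_tiem_detection(line)
    identifier = int(rec["convictingRule"])
    rule_id, version = split_rule_identifier(identifier)
    # The three rule fields written into the record must agree with each other.
    consistent = (rule_id == int(rec["convictingRuleID"])
                  and version == int(rec["convictingRuleVersion"]))
    table = TIEM_RULES.get(rule_id)
    return {
        "file": rec.get("file", ""),
        "reaction": rec.get("reaction", ""),
        "rule_id": rule_id,
        "rule_version": version,
        "identifier_consistent": consistent,
        "rule_name": table[2] if table else "(not in embedded table excerpt)",
        # The description in the current table may belong to a newer rule version than
        # the one that fired; surface both versions so the analyst checks contentVersion.
        "table_version": table[1] if table else None,
        "rule_version_matches_table": bool(table) and table[1] == version,
    }


# Constructed record in the format shown above (straight quotes, placeholder hashes and GUID).
SAMPLE_RECORD = (
    '09/12/14 17:55:26 [I] [0xb34] "!TIEM_DETECTION":['
    '"file":"C:\\USERS\\USER\\DESKTOP\\SAMPLES\\TestDetection1.EXE","user":"user1",'
    '"reaction":"repair","sha1":"0000000000000000000000000000000000000000",'
    '"md5":"00000000000000000000000000000000","certSha1":"","size":"1024501","reputation":"1",'
    '"convictingRule":"65540","convictingRuleID":"4","convictingRuleVersion":"1",'
    '"detectionName":"TIEM/Suspicious.rule4","contentVersion":"1.0.0.268","clientVersion":"1.0.0.972",'
    '"reputationSource":"tie","evaluationMode":"true","cached":"false","osVersion":"6.1.7600",'
    '"osArchitecture":"64","agentGuid":"{00000000-0000-0000-0000-000000000000}",'
    '"timestamp":"1410540926","prompted":"false"]'
)

if __name__ == "__main__":
    for key, value in explain_detection(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

The same split applies to ENS ATP identifiers (131588 decodes to rule 516, version 2), so the function can be reused on the ATP table.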
ePO
If you have access only to the ePO console, follow these steps:
- Log on to the ePO console.
- Select either the report under Dashboards or click Menu, Reporting.
- Select TIE Module for VSE Events and drill down to the relevant report.
NOTE: If the RuleID isn’t displayed on the report, perform the following steps:
- Click Actions, Choose Columns, and under Threat Intelligence Exchange for VSE Events, select Rule ID.
- Click Save.
- Access the report again.
How to update TIE content on the TIEm for VSE client from ePO
- Download the TIE content package (for example, jcmcontent-xxxx.zip) to the ePO server system desktop.
- Log on to the ePO server.
- Check in the TIE content package to the ePO server. Go to Master Repository, click Check In Package, and upload the ZIP file to the ePO server.
- After uploading the TIE content package, you can see it in the Master Repository as below.
- Create a content update task for the clients.
- Go to System Tree and click the client system for which you want to update the content. Click the Assigned Client Tasks tab and click New Client Task Assignment.
- Select McAfee Agent for the Product and Product Update for the Task Type. Click Create New Task.
- Select the TIE content package and click Save.
- Set the Schedule type to Run immediately and click Save. Now, the client task is created successfully.
- Go to System Tree and click the client system for which you want to update the content. Click the Assigned Client Tasks tab and click New Client Task Assignment.
- Click Systems, select the clients that you want to update, and click Wake Up Agents.
- After some time, verify the TIE module content version on the client system by opening the product user interface. Make sure that the version is the same as what you wanted to update.
Rule IDs and corresponding rule names and descriptions
The following table is provided for reference only. The details in the table might become outdated when we release rule updates. To view the latest details, access the ePO console as follows:
- Log on to the ePO console.
- Click Menu, Configuration, Server Settings.
- Select Threat Intelligence Exchange Module for VSE under Setting Categories.
NOTE: Rule Reputation –1 means that the score value is dynamic.
Rule
ID
Rule Identifier
Rule Version
Repu-
tation
Name
Description
Long Description
0
0
0
–1
N/A
No Rule affects this reputation.
No Rule affects this reputation.
1
458753
7
–1
Use certificate reputation to identify trusted or malicious files
Determines if a file is trusted or malicious based on the GTI or Enterprise reputation of the signing certificate.
This rule determines if a file is trusted or malicious based on the GTI or Enterprise reputation of the signing certificate. The certificate reputation must be Known Malicious, Known Trusted, Most Likely Malicious, or Most Likely Trusted.
2
131074
2
–1
Use Enterprise file reputation to identify trusted or malicious files
Determines if a file is trusted or malicious based on the file’s Enterprise reputation.
This rule determines if a file is trusted or malicious based on the file’s Enterprise reputation. The reputation must be at least Known Malicious, Known Trusted, Most Likely Malicious, or Most Likely Trusted.
4
196612
3
–1
Use GTI file reputation to identify trusted or malicious files
Determines if a file is trusted or malicious based on the file’s GTI reputation.
This rule determines if a file is trusted or malicious based on the file’s GTI reputation. The reputation must be at least Known Malicious, Known Trusted, Most Likely Malicious, or Most Likely Trusted.
10
131082
2
100
Identify that a file is the main component of a trusted installer using the file's attributes, certificate reputation, and file reputation
Determines whether a file is a trusted installer based on the file’s attributes, file name, and the GTI or Enterprise certificate and file reputation.
This rule determines if file is a trusted installer based on the file’s GTI or Enterprise reputation. It also looks at the file name, company name, and other similar attributes to determine if it’s an updater or installer component that can be trusted.
12
131084
2
100
Identify that a file is the main component of a trusted installer based on a specific file identified by hash
Determines whether a file is a trusted installer based on the file hash and the GTI or Enterprise reputation.
This rule determines if the file is a trusted installer based on the file’s hash and GTI or Enterprise file reputation to determine if it’s an updater or installer component that can be trusted.
20
65556
1
–1
Identify trusted files that have Trellix permission
Identifies trusted files using certificates or hashes that are distributed in the AV DAT files.
This rule identifies trusted files using certificates or hashes that are distributed in the AV DAT files and might also have elevated rights with Trellix processes and drivers.
35
196643
3
1
Installation Verification
Identifies a test sample that can be used for installation verification.
This rule identifies a test sample that can be used for installation verification.
36
65572
1
1
Installation Verification with no TIE Server
Identifies a test sample that can be used for installation verification in a configuration with no TIE Server.
This rule identifies a test sample that can be used for installation verification in a configuration with no TIE Server.
50
65586
1
85
Identify trusted files from a trusted creator
Identifies trusted files that a fully trusted updater creates.
This rule identifies trusted files that a fully trusted updater creates and that haven’t been modified.
55
65591
1
99
Identify certificates needing reputation correction
Identifies certificates from Tier1 vendors that need a correction to their reputation level.
This rule identifies certificates from Tier1 vendors that need a correction to their reputation level.
57
262201
4
–1
Use GTI file reputation to identify files that Might be Trusted or Might be Malicious
Determines files that Might be Trusted or Might be Malicious based on the GTI file reputation.
This rule identifies files that are less conclusive in their GTI reputation. These files include Might be Trusted and Might be Malicious.
58
131130
2
70
Identify trust for files executed on network shares
Identifies trust for files executed on network shares using file attributes and other related information like prevalence.
This rule identifies trust for files executed on network shares using scanner results and file attributes to indicate trust.
95
131167
2
85
Identify files that are signed by certificate of known clean reputation and mark them Most Likely Trusted
Identifies files that are signed by a certificate of known clean reputation and mark them as Most Likely Trusted when offline.
Identifies files that are signed by a certificate of known clean reputation and mark them as Most Likely Trusted when in No connectivity mode.
97
262241
4
70
Trust files while offline unless highly suspicious for JTI Scanner versions released after June 2018
Determines that files with no suspicious characteristics are trusted when the system is offline (disconnected from TIE and GTI).
This rule treats files that have no suspicious characteristics as trusted when the system is disconnected from the TIE server and GTI. This rule uses less rigorous criteria for determining trust to help mitigate issues with large numbers of Unknown files while disconnected from the TIE Server or GTI. This Rule applies to JTI Scanner version 2.1.4.1590 and above, released June 2018.
98
262242
4
70
Trust files while offline unless highly suspicious for JTI Scanner versions released before June 2018
Determines that files with no suspicious characteristics are trusted when the system is offline (disconnected from TIE and GTI).
This rule treats files that have no suspicious characteristics as trusted when the system is disconnected from the TIE server and GTI. This rule uses less rigorous criteria for determining trust to help mitigate issues with large numbers of Unknown files while disconnected from the TIE Server or GTI. This Rule applies to JTI Scanner versions below 2.1.4.1590, released June 2018.
99
196707
3
50
Trust files based on Low Change Systems security level when offline
Determines that files with no suspicious characteristics are unknown when the system is offline (disconnected from the TIE server and from GTI).
Treats files with no suspicious characteristics as unknown when the system is disconnected from the TIE server and GTI. This rule is the last rule to execute.
125
131197
2
70
Identify files marked as Trusted Windows AppStore Applications
Identifies files that are marked as trusted Windows AppStore Applications. Identification is based off the file and process attributes.
This rule identifies files that are marked as trusted Windows AppStore Applications based on the file attributes, file location, and process attributes.
126
327806
5
85
Identify trusted signed applications
Identifies files that are signed and located in paths commonly used for installing programs. They also might have a Start menu entry.
This rule identifies files that are signed and have a valid non self-signed certificate. File location is considered with environmental attributes such as Start menu entry.
127
196735
3
85
Identify trusted Help resource libraries
Identifies signed resource libraries that are used by trusted software.
This rule identifies resource libraries that are used by trusted software. The files are signed and don’t have a malicious certificate reputation. They have characteristics indicating that it’s a resource library, such as no imports or exports and fewer PE Sections.
128
196736
3
85
Identify trusted help resource libraries
Identifies signed resource libraries that are used by trusted software. These libraries are used as part of Help documentation.
This rule identifies signed resource libraries that are used by trusted software. The libraries are used as part of the application Help documentation. They’re signed and don’t have a malicious certificate reputation. They have characteristics indicating that it’s a resource library, such as no imports or exports and fewer PE Sections. They’re also located in application installation folders.
129
196737
3
85
Identify trusted signed utility applications
Identifies utility applications that are signed, and the certificate isn’t distrusted. These files don’t start on startup and have characteristics that suggest that they’re utility programs.
This rule identifies utility applications that are signed, and the certificate isn’t distrusted. These files don’t start on startup. They’re located in a folder that’s indicative of a tool or installed program (example: programfilessubfolder) and import APIs, and have other characteristics that are consistent with trusted utility applications.
130
262274
4
85
Identify trusted signed drivers
Identifies device drivers that are signed and installed on the local system.
This rule identifies device drivers that are signed and installed on the local system. They use the native subsystem and are located in the windirsystem32drivers or driverstore folders.
131
262275
4
85
Identify trusted signed DRM libraries
Identifies signed trusted DRM libraries used by Windows.
This rule identifies trusted DRM libraries that are signed and whose certificate is trusted. These files are in the Windows DRM and DRM cache folders.
132
196740
3
85
Identify trusted signed files
Identifies files that are signed and trusted, and whose certificate reputation is trusted.
This rule identifies files that are signed and trusted, and whose certificate is also trusted.
133
262277
4
70
Identify trusted files on the disk
Identifies files that are present on the disk and aren’t suspicious before installing the TIE module.
This rule identifies files that are on the disk and aren’t suspicious before installing the TIE module. They haven’t been tampered with as identified by the NTFS file journaling.
134
327814
5
85
Identify trusted files on the disk that are prevalent in the Enterprise before installing the TIE
Identifies files that are present on the disk and aren’t suspicious before installing the TIE module and have been seen in the Enterprise.
This rule identifies files that are on the disk and aren’t suspicious before installing the TIE module. They haven’t been tampered with as identified by the NTFS file journaling. The files must also have been seen in the Enterprise.
136
262280
4
70
Identify unsigned NativeImage Files that Might Be Trusted
Detects NativeImage Files that aren’t signed with a known trusted certificate. These files are often of low prevalence and can be unique to a system.
This rule detects precompiled binary files that Might Be Trusted and have been installed into the NativeImages folder and don’t contain suspicious attributes.
137
131209
2
70
Identify unsigned DOTNet assemblies that Might Be Trusted
Detects DOTNet assemblies that aren’t signed with a known trusted certificate. These files are often of low prevalence and can be unique to a system.
This rule detects files that Might Be Trusted and have been installed into the global assembly cache folders and don’t contain suspicious attributes. These files are often on few systems in the network and might include pre-compiled DOTNet native image files and similar assemblies.
138
262282
4
85
Identify trusted unsigned Microsoft DOTNet assemblies
Detects Microsoft DOTNet assemblies that aren’t signed with a known trusted certificate. These files might not be present on many systems within the Enterprise.
This rule detects Microsoft-provided files that have CLR code (DOTNet), have been installed into the global assembly cache folders, and don’t contain suspicious attributes. The files might or might not be found on multiple systems within the Enterprise, which can include just-in-time compiled assemblies.
139
262283
4
70
Identify trusted DOTNet assemblies
Detects .NET assemblies that have been installed into the global assembly cache and are present on multiple systems.
This rule detects files that have CLR code (DOTNet) and have been installed into the global assembly cache folders. The files are present on multiple systems within the Enterprise, indicating that they aren’t just-in-time compiled assemblies.
140
196748
3
85
Identify trusted prevalent files
Detects files that have been present in the enterprise for a long time and are prevalent across multiple systems.
This rule detects files that are trusted because they’re widespread and well known. The files are present on multiple systems within the Enterprise and have been known for more than three months.
151
131223
2
70
Identify web installers
Identifies web installers that are signed and whose certificate isn’t distrusted. It also identifies the company, product, and version.
This rule identifies web installers that are signed and whose certificate isn’t distrusted. It also identifies the web installers company, product, and version.
152
262296
4
70
Identify safe files extracted by Windows Installer
Identifies safe files extracted by Windows Installer based on the actor process, certificate, and cloud reputation.
This rule identifies safe files extracted by Windows Installer based on the actor process, certificate, and cloud reputation. If anything is suspicious about the installer dropped file, the rule doesn’t yield a clean reputation.
153
65689
1
70
Identify files that ATD doesn’t report as suspicious
Identifies files that ATD doesn’t report as suspicious.
This rule identifies files that ATD has assessed and aren’t reported as suspicious.
205
196813
3
30
Identify suspicious files that have odd creation dates and are likely not packed
Identifies suspicious files that are likely not packed, have odd creation dates, and are in locations such as the Temp or Downloads folders.
This rule identifies suspicious files in locations such as the Temp or Downloads folders. These files are likely not packed and there’s evidence that the date properties have been tampered with.
206
65742
1
30
Identify suspicious files that have odd creation dates and are likely packed
Identifies suspicious files anywhere on the system. The files are likely packed and show evidence that the date has been tampered with.
This rule identifies suspicious files located anywhere on the system. These files are identified as packed and there’s evidence that the date properties have been tampered with.
207
196815
3
15
Identify suspicious files executing from the Recycle bin
Identifies suspicious files that are executed from the Recycle bin.
This rule identifies suspicious files that reside in and are executed from the Recycle bin.
208
65744
1
15
Identify suspicious files executing from the roaming folder
Identifies suspicious files that are executed or loaded from the user’s roaming folder.
This rule identifies suspicious files that are executed or loaded from the user’s roaming folder (userprofileappdataroaming) in an incorrect way.
209
196817
3
15
Identify suspicious files that are hidden from the user
Identifies suspicious files that are executed or loaded while hidden from the user.
This rule identifies suspicious files that are executed or loaded, and are hidden from using a mechanism such as a file attribute. These files appear to be critical operating system files but aren’t.
211
65747
1
15
Identify suspicious files created by an untrusted process
Identifies suspicious files created by a process that has a suspicious or known malicious reputation.
This rule identifies a file that’s suspicious because the process that creates it has a reputation of Might be Malicious to Known Malicious at the time of creation. Also, the file hasn’t been modified since its creation.
213
65749
1
30
Identify a file as suspicious based on how it’s packed
Identifies a packed or encrypted file as suspicious and the packer isn’t used by legitimate software.
This rule identifies a file as suspicious when it’s determined to be packed or encrypted, and there are features in the file that aren’t commonly found in legitimate software.
214
65750
1
30
Identify a suspicious keylogger
Identifies a file as suspicious when it has features that aren’t used by legitimate software and looks like a keylogger.
This rule identifies a file as suspicious when it has features that aren’t used by legitimate software. The file has suspicious characteristics such as importing APIs, which are used to monitor keystrokes, and has missing version information.
The numeric columns carry no labels in this excerpt. The second value is always (third value × 65536) + Rule ID, for example 131289 = 2 × 65536 + 217, and it is the number that appears in the JTI/Suspect.<n> threat name of an ATP event, which is how you map a threat name back to a rule. The fourth value follows the TIE reputation scale (15 = Most Likely Malicious, 30 = Might Be Malicious); the WG and CTD rows, which state that they issue a Most Likely Malicious reputation, both carry 15, and the one trust-elevating rule carries -1.

| Rule ID | Threat name number | Third value | Reputation | Rule name | Summary | Description |
|---|---|---|---|---|---|---|
| 217 | 131289 | 2 | 15 | Identify a suspicious password stealer | Identifies files that have been incorrectly installed into the user’s roaming profile and have suspicious characteristics. | This rule identifies a file that has been incorrectly installed into the user’s roaming profile and has suspicious characteristics. The file imports APIs that are used for monitoring keystrokes, capturing screenshots, or checking for active debuggers. |
| 218 | 65754 | 1 | 30 | Identify a suspicious file that hides its age | Identifies files that modify their presented age. The files contain suspicious characteristics and don’t look like installed programs. | This rule identifies files that modify their presented age. The files contain suspicious characteristics such as being packed, missing version information, being tagged as a system file, or importing suspicious APIs. They aren’t in a path typically used for installed programs. |
| 219 | 262363 | 4 | 15 | Identify a suspicious file that hides in a secure location | Identifies files in secure locations, such as folders reserved for system drivers, that aren’t consistent with other files in that location and have suspicious characteristics. | This rule identifies files in secured locations, such as folders reserved for system drivers. The files don’t use the native subsystem and have suspicious characteristics such as missing or incorrect version information, or a file type that doesn’t match the extension. |
| 220 | 65756 | 1 | 30 | Identify new suspicious files | Identifies files that are new to the system and contain suspicious characteristics such as modified section names or modified code at the entry point of the binary. | This rule identifies files with a creation date in the last 30 days that contain suspicious characteristics, such as modified section names or modified code at the entry point of the binary. |
| 222 | 131294 | 2 | 15 | Identify a suspicious keylogger hiding as an installed program | Detects files that import keylogging APIs and hide in locations used by installed programs. They have suspicious characteristics such as fewer imports and being new to the system, while not looking like a legitimate application. | This rule detects files that import keylogging APIs and hide in program file folders or their subfolders. The files aren’t registered as a service or in Add or Remove Programs, have registry keys that run them at startup, and have suspicious characteristics such as fewer imports or PE sections. |
| 234 | 65770 | 1 | 15 | Identify files that ATD reports as suspicious | Identifies files that ATD reports as suspicious. | This rule identifies files that ATD reports as suspicious. |
| 235 | 65771 | 1 | 30 | Identify suspicious files from the internet that might be malicious based on GTI reputation | Identifies files that come from the internet and might be malicious based on GTI reputation. | This rule identifies files that came from an untrusted URL, might be malicious based on GTI reputation, and have suspicious characteristics such as being packed, being less than 15 days old, and appearing on fewer than 10 systems or in only one enterprise. |
| 237 | 196845 | 3 | 15 | Find suspicious files signed with a revoked certificate | Detects newly discovered files that have an embedded revoked certificate and are seen on few systems. | This rule detects files with an embedded certificate that has been revoked. The files have been in the environment for less than five days and are seen on few systems. |
| 240 | 65776 | 1 | 30 | Identify suspicious files with characteristics that have been predominantly seen in ransomware | Identifies suspicious files with characteristics that have been predominantly seen in ransomware and are in uncommonly used locations. | This rule identifies suspicious files with characteristics that have been predominantly seen in ransomware and are in uncommonly used locations. |
| 250 | 131322 | 2 | -1 | Elevate trust of a file that’s scanned multiple times without detection | Elevates trust of a file based on its local age on disk when the file is scanned multiple times. | This rule elevates trust of a file based on its local age on disk when the file is scanned multiple times and has no suspicious characteristics. |
| 251 | 65787 | 1 | 15 | Identify files that WG reports as suspicious | Identifies files that WG reports as Known Malicious or Most Likely Malicious and issues a Most Likely Malicious reputation. | This rule identifies files that WG reports as Known Malicious or Most Likely Malicious and issues a Most Likely Malicious reputation. It doesn’t issue a reputation for files that WG determines as Might Be Malicious. |
| 252 | 131324 | 2 | 15 | Identify files that CTD reports as suspicious | Identifies files that CTD reports as High or Very High and issues a Most Likely Malicious reputation. | This rule identifies files that CTD reports with a High or Very High trust score and issues a Most Likely Malicious reputation. It doesn’t issue a reputation for files that CTD determines to have a Medium trust score. |
Security Posture: Medium

| Rule ID | Mandatory | State |
|---|---|---|
| 1 | true | enabled |
| 2 | true | enabled |
| 4 | true | enabled |
| 10 | true | enabled |
| 12 | true | enabled |
| 20 | true | enabled |
| 35 | true | enabled |
| 36 | true | enabled |
| 50 | true | enabled |
| 55 | true | enabled |
| 57 | false | enabled |
| 58 | false | evaluated |
| 95 | false | enabled |
| 97 | false | evaluated |
| 98 | false | enabled |
| 99 | false | enabled |
| 125 | false | evaluated |
| 126 | true | enabled |
| 127 | true | enabled |
| 128 | true | enabled |
| 129 | true | enabled |
| 130 | true | enabled |
| 131 | true | enabled |
| 132 | true | enabled |
| 133 | false | enabled |
| 134 | false | enabled |
| 136 | false | enabled |
| 137 | false | enabled |
| 138 | false | enabled |
| 139 | true | enabled |
| 140 | true | enabled |
| 151 | true | enabled |
| 152 | false | evaluated |
| 153 | false | evaluated |
| 205 | false | evaluated |
| 206 | false | evaluated |
| 207 | false | enabled |
| 208 | false | enabled |
| 209 | false | enabled |
| 211 | false | evaluated |
| 213 | false | evaluated |
| 214 | false | enabled |
| 217 | false | enabled |
| 218 | false | evaluated |
| 219 | false | enabled |
| 220 | false | evaluated |
| 222 | false | enabled |
| 234 | false | enabled |
| 235 | false | evaluated |
| 237 | false | evaluated |
| 240 | false | evaluated |
| 250 | false | enabled |
| 251 | false | evaluated |
| 252 | false | evaluated |
Security Posture: Low

| Rule ID | Mandatory | State |
|---|---|---|
| 1 | true | enabled |
| 2 | true | enabled |
| 4 | true | enabled |
| 10 | true | enabled |
| 12 | true | enabled |
| 20 | true | enabled |
| 35 | true | enabled |
| 36 | true | enabled |
| 50 | true | enabled |
| 55 | true | enabled |
| 57 | false | enabled |
| 58 | false | evaluated |
| 95 | false | enabled |
| 97 | false | evaluated |
| 98 | false | enabled |
| 99 | false | enabled |
| 125 | false | evaluated |
| 126 | true | enabled |
| 127 | true | enabled |
| 128 | true | enabled |
| 129 | true | enabled |
| 130 | true | enabled |
| 131 | true | enabled |
| 132 | true | enabled |
| 133 | false | enabled |
| 134 | false | enabled |
| 136 | false | enabled |
| 137 | false | enabled |
| 138 | false | enabled |
| 139 | true | enabled |
| 140 | true | enabled |
| 151 | true | enabled |
| 152 | false | evaluated |
| 153 | false | evaluated |
| 205 | false | evaluated |
| 206 | false | evaluated |
| 207 | false | enabled |
| 208 | false | enabled |
| 209 | false | enabled |
| 211 | false | evaluated |
| 213 | false | evaluated |
| 214 | false | enabled |
| 217 | false | enabled |
| 218 | false | evaluated |
| 219 | false | enabled |
| 220 | false | evaluated |
| 222 | false | enabled |
| 234 | false | enabled |
| 235 | false | evaluated |
| 237 | false | evaluated |
| 240 | false | evaluated |
| 250 | false | enabled |
| 251 | false | evaluated |
| 252 | false | evaluated |
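Putting the rule catalog and the posture tables to work: the script below is an added example in Python (not McAfee/Trellix code and not part of this article) that takes an Orchestrator.JTI.Debug line, recovers the Rule ID both from the "rule" field and from the JTI/Suspect.<n> threat name, looks up the rule name and issued reputation in a transcribed subset of the catalog above, and reports whether the rule is enforced ("enabled") or observe-only ("evaluated") and whether it is mandatory at the client's security posture. The column labels "threat-name number" and "reputation", and the encoding n = (third value × 65536) + Rule ID, are this example's reading of the article's unlabelled numeric columns; the posture subset is transcribed from the tables above, which as printed are identical for Medium and Low; the log lines are constructed in the AdaptiveThreat_Protection_Debug.log format and are not from a real host.

```python
"""Triage ENS ATP events against the rule catalog and security-posture tables.

Added example, not McAfee/Trellix code. RULE_ROWS and POSTURE_MEDIUM are a
subset transcribed from the article; SAMPLE_LOG is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# (rule_id, threat-name number, third value, reputation, rule name).
# "threat-name number" and "reputation" are this example's labels for the
# article's unlabelled numeric columns.
RULE_ROWS: List[Tuple[int, int, int, int, str]] = [
    (217, 131289, 2, 15, "Identify a suspicious password stealer"),
    (218, 65754, 1, 30, "Identify a suspicious file that hides its age"),
    (219, 262363, 4, 15, "Identify a suspicious file that hides in a secure location"),
    (220, 65756, 1, 30, "Identify new suspicious files"),
    (222, 131294, 2, 15, "Identify a suspicious keylogger hiding as an installed program"),
    (234, 65770, 1, 15, "Identify files that ATD reports as suspicious"),
    (235, 65771, 1, 30, "Identify suspicious files from the internet that might be malicious based on GTI reputation"),
    (237, 196845, 3, 15, "Find suspicious files signed with a revoked certificate"),
    (240, 65776, 1, 30, "Identify suspicious files with characteristics that have been predominantly seen in ransomware"),
    (250, 131322, 2, -1, "Elevate trust of a file that's scanned multiple times without detection"),
    (251, 65787, 1, 15, "Identify files that WG reports as suspicious"),
    (252, 131324, 2, 15, "Identify files that CTD reports as suspicious"),
]
RULES = {row[0]: row for row in RULE_ROWS}

# Security posture tables (subset): rule_id -> (mandatory, state).
# As transcribed in the article, the Low table matches the Medium table row for row.
POSTURE_MEDIUM: Dict[int, Tuple[bool, str]] = {
    1: (True, "enabled"), 57: (False, "enabled"), 58: (False, "evaluated"),
    217: (False, "enabled"), 218: (False, "evaluated"), 219: (False, "enabled"),
    220: (False, "evaluated"), 222: (False, "enabled"), 234: (False, "enabled"),
    235: (False, "evaluated"), 237: (False, "evaluated"), 240: (False, "evaluated"),
    250: (False, "enabled"), 251: (False, "evaluated"), 252: (False, "evaluated"),
}
POSTURE = {"Medium": POSTURE_MEDIUM, "Low": dict(POSTURE_MEDIUM)}

THREAT_RE = re.compile(r"^JTI/Suspect\.(\d+)(?:!([0-9A-Fa-f]+))?$")
EVENT_RE = re.compile(
    r"Process (?P<process>.+?) JTI reputation (?P<jti_rep>-?\d+) rule (?P<rule>\d+) "
    r"threat name (?P<threat>\S+)\s*, JCM reputation (?P<jcm_rep>-?\d+), IsFinal (?P<final>[01])"
)


def decode_threat_name(threat: str) -> Optional[Tuple[int, int]]:
    """Split JTI/Suspect.<n>!<hash> into (rule_id, third value): n = (third << 16) | rule_id."""
    m = THREAT_RE.match(threat)
    if not m:
        return None
    n = int(m.group(1))
    return n & 0xFFFF, n >> 16


def catalog_is_consistent() -> bool:
    """Every transcribed row obeys threat-name number == (third value << 16) | rule_id."""
    return all(num == (third << 16) | rid for rid, num, third, _rep, _name in RULE_ROWS)


def triage(line: str, posture: str) -> Optional[dict]:
    """Map one Orchestrator.JTI.Debug line to rule metadata and posture state."""
    if posture not in POSTURE:
        raise ValueError(f"unknown posture {posture!r}")
    m = EVENT_RE.search(line)
    if not m:
        return None  # not a JTI detection line
    rule_id = int(m.group("rule"))
    decoded = decode_threat_name(m.group("threat"))
    row = RULES.get(rule_id)
    mandatory, state = POSTURE[posture].get(rule_id, (None, None))
    return {
        "process": m.group("process"),
        "rule_id": rule_id,
        "rule_name": row[4] if row else None,  # None: rule not in this excerpt
        "issued_reputation": row[3] if row else None,
        # cross-check: the threat name must encode the same rule as the "rule" field
        "threat_matches_rule": decoded is not None and decoded[0] == rule_id,
        "mandatory": mandatory,
        "state": state,
        "enforced": state == "enabled",  # "evaluated" rules only observe
        "adjustable": mandatory is False,  # non-mandatory rules can be changed
        "is_final": m.group("final") == "1",
    }


def triage_log(lines: List[str], posture: str = "Medium") -> List[dict]:
    """Triage every detection line in a log excerpt; non-detection lines are skipped."""
    return [r for r in (triage(line, posture) for line in lines) if r]


# Constructed sample lines in the debug-log format (not from a real host).
SAMPLE_LOG = [
    r"09/04/2018 02:16:35.222 AM mfeatp(4468.10224) Orchestrator.JTI.Debug: Process C:\WINDOWS\SYSTEM32\WSCRIPT.EXE JTI reputation 15 rule 217 threat name JTI/Suspect.131289!0123456789ab , JCM reputation 1, IsFinal 0",
    r"09/04/2018 02:20:19.558 AM mfeatp(4468.10220) Orchestrator.JTI.Debug: Process C:\USERS\PUBLIC\DROP.EXE JTI reputation 30 rule 235 threat name JTI/Suspect.65771!abcdef012345 , JCM reputation 1, IsFinal 1",
    r"09/04/2018 02:21:02.001 AM mfeatp(4468.10220) Orchestrator.JTI.Debug: Process C:\TEMP\X.EXE JTI reputation 1 rule 300 threat name JTI/Suspect.327980!00112233aabb , JCM reputation 1, IsFinal 0",
    "09/04/2018 02:21:03.000 AM mfeatp(4468.10220) Orchestrator.Unrelated: nothing to see",
]

if __name__ == "__main__":
    for result in triage_log(SAMPLE_LOG, "Medium"):
        print(result)
```

To use it on a real client, replace SAMPLE_LOG with the lines of AdaptiveThreat_Protection_Debug.log from %deflogdir% and pass the posture the client is managed under. A result with state "evaluated" means the rule only observed at that posture, so the event did not come from an enforced rule; "mandatory" is the posture table's Mandatory column; a rule_name of None means the rule is outside the catalog subset transcribed here, and threat_matches_rule being False means the "rule" field and the threat name disagree and the line deserves a second look.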
Use this solution for