Full Analytic List

From Cyber Analytics Repository

Below is a list of all of the analytics in Cyber Analytics Repository.


Each entry gives the analytic ID and title, its hypothesis, its type (Situational Awareness, TTP, Anomaly, or Forensic), and the ATT&CK techniques it covers.
CAR-2013-01-002: Autorun Differences
Hypothesis: The Sysinternals tool Autoruns checks the registry and file system for known persistence mechanisms. It outputs every entry it identifies, including built-in or added-on Microsoft functionality and third-party software. Many of these locations are known by adversaries and used to obtain Persistence. Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool, so this analytic may produce significant noise in a highly dynamic environment. Autoruns is a convenient way to scan for programs using persistence mechanisms, but its scan-based nature does not conform well to streaming analytics. If streaming analytics are desired, this analytic could be replaced with one that draws from sensors that collect registry and file information.
Type: Situational Awareness, TTP
ATT&CK Techniques: Modify Existing Service, New Service, Scheduled Task, Local Port Monitor, Registry Run Keys / Start Folder, Path Interception, Accessibility Features, Modify Registry, Service Registry Permissions Weakness, Windows Management Instrumentation Event Subscription, Service File Permissions Weakness, Change Default File Association, Logon Scripts, Winlogon Helper DLL, AppInit DLLs
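The differencing step of CAR-2013-01-002, as an added worked example in Python (this is not code from the Cyber Analytics Repository). It diffs two Autoruns CSV exports keyed by entry location and entry name, reports additions, removals and in-place changes (a new hash under an unchanged launch string is how a swapped service binary shows up), and ranks additions whose image lives in a user-writable directory first. The two snapshots are constructed, and the column subset is an assumption; real autorunsc -c exports carry more columns, which the reader simply carries along.

```python
import csv
import io

# Constructed excerpts of two Autoruns CSV exports (autorunsc -c): a baseline and a
# later snapshot. The column subset is an assumption; real exports have more columns.
BASELINE = r"""Entry Location,Entry,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,1111
HKLM\System\CurrentControlSet\Services,Spooler,c:\windows\system32\spoolsv.exe,%SystemRoot%\System32\spoolsv.exe,2222
Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,c:\windows\system32\defrag.exe,%windir%\system32\defrag.exe -c -h -o -$,3333
"""

CURRENT = r"""Entry Location,Entry,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,1111
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,c:\users\bob\appdata\local\temp\updater.exe,C:\Users\bob\AppData\Local\Temp\updater.exe,4444
HKLM\System\CurrentControlSet\Services,Spooler,c:\windows\system32\spoolsv.exe,%SystemRoot%\System32\spoolsv.exe,9999
"""

COMPARED_FIELDS = ("Image Path", "Launch String", "SHA-256")
# Directories a persistent entry should rarely point into (assumption: tune per environment).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_snapshot(text):
    """Index an Autoruns export by (entry location, entry name)."""
    return {(row["Entry Location"], row["Entry"]): row
            for row in csv.DictReader(io.StringIO(text))}


def diff_autoruns(baseline_text, current_text):
    """Entries added, removed, or changed between two snapshots."""
    base, cur = parse_snapshot(baseline_text), parse_snapshot(current_text)
    added = sorted(k for k in cur if k not in base)
    removed = sorted(k for k in base if k not in cur)
    changed = []
    for key in sorted(set(base) & set(cur)):
        deltas = {f: (base[key][f], cur[key][f])
                  for f in COMPARED_FIELDS if base[key][f] != cur[key][f]}
        if deltas:
            changed.append((key, deltas))
    return {"added": added, "removed": removed, "changed": changed}


def prioritize(diff, current_text):
    """Rank additions: entries whose image is in a user-writable directory come first."""
    cur = parse_snapshot(current_text)
    ranked = []
    for key in diff["added"]:
        image = cur[key]["Image Path"].lower()
        hot = any(marker in image for marker in USER_WRITABLE)
        ranked.append((0 if hot else 1, key, image))
    return [(key, image) for _, key, image in sorted(ranked)]


if __name__ == "__main__":
    result = diff_autoruns(BASELINE, CURRENT)
    for kind in ("added", "removed", "changed"):
        for item in result[kind]:
            print(kind, item)
    print("review first:", prioritize(result, CURRENT))
```

The key choice is what to diff on: keying on (location, entry) rather than on the hash means a replaced binary under an unchanged entry surfaces as a change instead of disappearing into one removal plus one addition.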
CAR-2013-01-003: SMB Events Monitoring
Hypothesis: Server Message Block (SMB) is used by Windows for file, pipe, and printer sharing over port 445/tcp. It allows a client to enumerate, read from, and write to file shares on a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve Lateral Movement. Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that quickly detects an APT. In some cases it may make more sense to run it in a forensic fashion: looking through and filtering its output after an intrusion has been discovered may help identify the scope of compromise.
Type: Situational Awareness
ATT&CK Techniques: Legitimate Credentials, Data from Network Shared Drive, Windows Admin Shares
CAR-2013-02-003: Processes Spawning cmd.exe
Hypothesis: The Windows Command Prompt (cmd.exe) is a utility that provides a command line interface to Windows operating systems. It can run additional programs, has several built-in commands such as dir, copy, mkdir, and type, and runs batch scripts (.bat).

Typically, when a user runs a command prompt, the parent process is explorer.exe or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning cmd.exe from certain parents is more indicative of malice.

For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.
Type: Situational Awareness
ATT&CK Techniques: Command-Line Interface
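The parent check of CAR-2013-02-003 over process-creation records, as an added example in Python (not code from the Cyber Analytics Repository). It rebuilds the process tree from PID/PPID, flags cmd.exe spawned by a document handler, and goes one step beyond this entry by also flagging cmd.exe spawned by services.exe with /c and naming what that shell launched, which is the pattern CAR-2014-05-002 (Services launching Cmd) describes further down the page. The records and the DOCUMENT_HANDLERS set are constructed; real data should key on a process GUID rather than a bare PID, because PIDs are reused.

```python
import ntpath

# Parents that should not normally spawn a shell: document readers and mail clients
# (assumption: extend with the handlers deployed in your environment).
DOCUMENT_HANDLERS = {"acrord32.exe", "acrobat.exe", "outlook.exe", "winword.exe",
                     "excel.exe", "powerpnt.exe", "msaccess.exe"}

# Constructed process-creation records (Sysmon event 1 style, reduced to what is needed).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": '"cmd.exe"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe", "cmdline": "AcroRd32.exe invoice.pdf"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell -enc SQBFAFgA"},
    {"pid": 300, "ppid": 4,   "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Windows\Temp\svc.exe"},
    {"pid": 302, "ppid": 301, "image": r"C:\Windows\Temp\svc.exe", "cmdline": "svc.exe"},
]


def basename(path):
    return ntpath.basename(path).lower()


def suspicious_cmd_parents(events):
    """(cmd pid, parent image, reason) for cmd.exe spawned by a document handler,
    or by services.exe with /c (a service ImagePath wrapped in a shell)."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        pname = basename(parent["image"])
        if pname in DOCUMENT_HANDLERS:
            findings.append((e["pid"], pname, "cmd.exe spawned by document handler"))
        elif pname == "services.exe" and "/c" in e["cmdline"].lower().split():
            launched = [basename(c["image"]) for c in children.get(e["pid"], [])]
            findings.append((e["pid"], pname,
                             "service wrapped in cmd.exe /c, launched " + ", ".join(launched)))
    return findings


if __name__ == "__main__":
    for finding in suspicious_cmd_parents(EVENTS):
        print(finding)
```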
CAR-2013-02-008: Simultaneous Logins on a Host
Hypothesis: Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.
Type: Situational Awareness
ATT&CK Techniques: Legitimate Credentials

CAR-2013-02-012: User Logged in to Multiple Hosts
Hypothesis: Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of lateral movement.
Type: Situational Awareness
ATT&CK Techniques: Legitimate Credentials
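Both logon analytics above (CAR-2013-02-008 and CAR-2013-02-012) are the same sliding-window count with the key and the counted value swapped. The following Python is an added example (not from the Cyber Analytics Repository) that implements that count once over constructed logon records distilled from event 4624; it considers only interactive, network and RDP logons and drops machine accounts, which otherwise dominate both counts. The records, hosts and users are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, host, user, logon_type, src="-"):
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user.lower(),
            "logon_type": logon_type, "src": src}


# Constructed logon records. Logon types: 2 interactive, 3 network, 10 RDP.
LOGONS = [
    ev("2016-05-02T09:00:00", "ws01", "alice", 2),
    ev("2016-05-02T09:05:00", "fs01", "alice", 3, "10.1.1.20"),
    ev("2016-05-02T09:07:00", "fs02", "alice", 3, "10.1.1.20"),
    ev("2016-05-02T09:09:00", "fs03", "alice", 3, "10.1.1.20"),
    ev("2016-05-02T09:20:00", "ws01", "bob", 10, "10.1.1.99"),
    ev("2016-05-02T09:30:00", "ws02", "carol", 2),
    ev("2016-05-02T09:31:00", "ws02", "WS02$", 3),   # machine account, ignored
    ev("2016-05-02T13:00:00", "ws02", "dave", 2),    # hours later, not simultaneous
]


def _windowed_distinct(records, key, value, window, threshold):
    """Group records by `key`; report keys for which some sliding `window`
    contains at least `threshold` distinct `value`s (union of values reported)."""
    groups = defaultdict(list)
    for r in records:
        if r["logon_type"] not in (2, 3, 10) or r["user"].endswith("$"):
            continue
        groups[r[key]].append(r)
    hits = {}
    for k, evs in groups.items():
        evs.sort(key=lambda r: r["time"])
        start = 0
        for end, r in enumerate(evs):
            while r["time"] - evs[start]["time"] > window:
                start += 1
            distinct = {x[value] for x in evs[start:end + 1]}
            if len(distinct) >= threshold:
                hits[k] = hits.get(k, set()) | distinct
    return hits


def simultaneous_logins(records, window=timedelta(hours=1)):
    """Hosts with two or more distinct users within one hour (CAR-2013-02-008)."""
    return _windowed_distinct(records, "host", "user", window, 2)


def multi_host_users(records, window=timedelta(minutes=30), threshold=3):
    """Users reaching `threshold` or more hosts within the window (CAR-2013-02-012)."""
    return _windowed_distinct(records, "user", "host", window, threshold)


if __name__ == "__main__":
    print("hosts with simultaneous users:", simultaneous_logins(LOGONS))
    print("users on many hosts:", multi_host_users(LOGONS))
```

Thresholds are the tuning knobs: administrators and scanners will show up in the second count, and an allow-list of such accounts belongs in front of it.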
CAR-2013-03-001: Reg.exe called from Command Shell
Hypothesis: Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe, through the corresponding management channels, or by calling the Registry APIs directly.

The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell such as cmd.exe.

When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly.
Type: TTP
ATT&CK Techniques: Query Registry, Modify Registry, Registry Run Keys / Start Folder, Service Registry Permissions Weakness
CAR-2013-04-002: Quick execution of a series of suspicious commands
Hypothesis: Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.
Type: TTP
ATT&CK Techniques: Account Discovery, Credential Dumping, Permission Groups Discovery, Process Discovery, Windows Admin Shares, New Service, Modify Existing Service, Modify Registry, Service Registry Permissions Weakness, Remote System Discovery, Service Execution, Scheduled Task, Scheduled Transfer, System Owner/User Discovery, System Service Discovery, System Information Discovery, Local Network Connections Discovery, Local Network Configuration Discovery, Application Window Discovery, Security Software Discovery, Network Service Scanning, Disabling Security Tools, Credential Manipulation, Indicator Blocking, Command-Line Interface, Query Registry
CAR-2013-05-002: Suspicious Run Locations
Hypothesis: In Windows, files should never execute out of certain directory locations. These locations may exist for a variety of reasons, and executables may be present in them, but should not execute from them. As a result, some defenders make the mistake of ignoring these directories and assuming that a process will never run from one. Known TTPs have taken advantage of this fact to go undetected. Defenders should instead monitor these directories more closely, knowing that they should never contain running processes.
Type: TTP
ATT&CK Techniques: Masquerading
CAR-2013-05-003: SMB Write Request
Hypothesis: As described in CAR-2013-01-003: SMB Events Monitoring, SMB provides a means of remotely managing a file system. Adversaries often use SMB to move laterally to a host, and commonly use it to upload files, either for staging before Exfiltration or as a Lateral Movement technique. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. Focusing on SMB Write activity narrows the field to techniques that actively change remote hosts, instead of passively reading files.
Type: Situational Awareness, TTP
ATT&CK Techniques: Remote File Copy, Windows Admin Shares, Legitimate Credentials

CAR-2013-05-004: Execution with AT
Hypothesis: In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows built-in command AT (at.exe) to schedule a command to be run at a specified time and date, including on a remote host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally. The built-in Windows tool schtasks.exe (CAR-2013-08-001: Execution with schtasks) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users.
Type: TTP
ATT&CK Techniques: Scheduled Task

CAR-2013-05-005: SMB Copy and Execution
Hypothesis: An adversary needs to gain access to other hosts to move throughout an environment. In many cases, this is a twofold process. First, a file is remotely written to a host via an SMB share (detected by CAR-2013-05-003: SMB Write Request). Then, a variety of Execution techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity.
Type: TTP
ATT&CK Techniques: Windows Admin Shares, Legitimate Credentials, Remote File Copy
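The write-then-execute correlation of CAR-2013-05-005, building on the SMB write observations of CAR-2013-05-003, as an added example in Python (not code from the Cyber Analytics Repository). The piece that needs care is translating a share-relative path seen on the wire (ADMIN$\PSEXESVC.exe) into the local path the process sensor will report (c:\windows\psexesvc.exe); the share-to-directory mapping, the one-hour window and the list of executable extensions used to drop document writes are assumptions, and all records are constructed.

```python
from datetime import datetime, timedelta

# Assumed mappings for the default administrative shares.
SHARE_ROOTS = {"ADMIN$": r"C:\Windows", "C$": "C:"}
# Only writes of something that can be executed are correlated (assumption: tune to taste).
EXEC_EXTENSIONS = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def t(s):
    return datetime.fromisoformat(s)


# Constructed SMB write observations (network sensor or Sysmon event 11 on the target).
SMB_WRITES = [
    {"time": t("2016-05-02T10:00:00"), "src": "10.1.1.99", "host": "srv01", "share": "ADMIN$", "path": r"\PSEXESVC.exe"},
    {"time": t("2016-05-02T10:01:00"), "src": "10.1.1.99", "host": "srv01", "share": "C$", "path": r"\Windows\Temp\up.bat"},
    {"time": t("2016-05-02T10:02:00"), "src": "10.1.1.20", "host": "srv02", "share": "C$", "path": r"\Users\Public\report.docx"},
]
# Constructed process-creation records on the same hosts.
PROCESSES = [
    {"time": t("2016-05-02T10:00:03"), "host": "srv01", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"time": t("2016-05-02T10:30:00"), "host": "srv01", "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "C:\Windows\Temp\up.bat"'},
    {"time": t("2016-05-02T10:05:00"), "host": "srv02", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmdline": r'"WINWORD.EXE" C:\Users\Public\report.docx'},
]


def local_path(share, rel):
    """Share-relative path as written over SMB -> lower-cased local path on the target."""
    root = SHARE_ROOTS.get(share.upper())
    return None if root is None else (root + "\\" + rel.lstrip("\\")).lower()


def smb_write_then_exec(writes, procs, window=timedelta(hours=1)):
    """Executable files written over SMB that later run on the target host, either as the
    process image or anywhere in a command line, within `window` of the write."""
    hits = []
    for w in writes:
        target = local_path(w["share"], w["path"])
        if target is None or not target.endswith(EXEC_EXTENSIONS):
            continue
        for p in procs:
            if p["host"] != w["host"]:
                continue
            lag = p["time"] - w["time"]
            if lag < timedelta(0) or lag > window:
                continue
            if p["image"].lower() == target or target in p["cmdline"].lower():
                hits.append({"host": w["host"], "src": w["src"], "file": target,
                             "lag_s": int(lag.total_seconds()), "cmdline": p["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in smb_write_then_exec(SMB_WRITES, PROCESSES):
        print(hit)
```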
CAR-2013-05-009: Running executables with same hash and different names
Hypothesis: Executables are generally not renamed, so a given hash of an executable should only ever have one name. Identifying instances where multiple process names share the same hash may find cases where tools are copied by attackers to different folders or hosts to avoid detection.
ATT&CK Techniques: Masquerading

CAR-2013-07-001: Suspicious Arguments
Hypothesis: Malicious actors may rename built-in commands or external tools, such as those provided by Sysinternals, to better blend in with the environment. In those cases the file path and name are arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters.
Type: TTP
ATT&CK Techniques: Credential Dumping, Masquerading, Remote Services, Remote File Copy
CAR-2013-07-002: RDP Connection Detection
Hypothesis: The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access to the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise.
Type: Situational Awareness, TTP
ATT&CK Techniques: Remote Desktop Protocol

CAR-2013-07-005: Command Line Usage of Archiving Software
Hypothesis: Before exfiltrating data that an adversary has collected, it is very likely that a compressed archive will be created, so that transfer times are minimized and fewer files are transmitted. The tools used to compress data vary, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored.
Type: TTP
ATT&CK Techniques: Data Compressed

CAR-2013-08-001: Execution with schtasks
Hypothesis: The Windows built-in tool schtasks.exe provides the creation, modification, and running of scheduled tasks on a local or remote computer. It is provided as a more flexible alternative to at.exe, described in CAR-2013-05-004: Execution with AT. Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations. The scheduled tasks tool can be used to gain persistence and can be used in combination with a lateral movement technique to remotely gain execution. Additionally, the command has parameters to specify the user and password responsible for creating the task (/u and /p), as well as the user and password combination that the task will run as (/ru and /rp). The /s flag names the remote system on which the task is created, so its presence indicates remote task creation; a task is made to run as the SYSTEM account with /ru SYSTEM (or /ru "NT AUTHORITY\SYSTEM"), which usually indicates privilege escalation.
Type: TTP
ATT&CK Techniques: Scheduled Task
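The command-line inspection behind CAR-2013-05-004 and CAR-2013-08-001, as an added example in Python (not code from the Cyber Analytics Repository). It tokenizes a schtasks or at command line (keeping quoted arguments whole), separates the creating account (/u) from the run-as account (/ru), and reports whether the task targets a remote host (/s, or a leading \\computer for at) and whether it will run as SYSTEM. The accepted spellings of the LocalSystem account are the ones schtasks /ru documents; the sample command lines are constructed.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\S+')
# Values schtasks /ru accepts for the LocalSystem account.
SYSTEM_NAMES = {"", "system", "nt authority\\system"}


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments whole."""
    return [tok.strip('"') for tok in TOKEN.findall(cmdline)]


def parse_schtasks(tokens):
    info = {"tool": "schtasks", "action": None, "remote_host": None,
            "creator": None, "run_as": None, "command": None}
    i = 1
    while i < len(tokens):
        flag = tokens[i].lower()
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if flag in ("/create", "/run", "/change", "/delete", "/query", "/end"):
            info["action"] = flag[1:]
            i += 1
        elif flag == "/s":        # target computer: the task is created on a remote host
            info["remote_host"] = value.lstrip("\\") if value else None
            i += 2
        elif flag == "/u":        # account used to create the task
            info["creator"] = value
            i += 2
        elif flag == "/ru":       # account the task runs as
            info["run_as"] = value
            i += 2
        elif flag == "/tr":       # command the task runs
            info["command"] = value
            i += 2
        else:
            i += 1
    return info


def parse_at(tokens):
    # at [\\computer] time [/interactive] [/every:... | /next:...] command
    info = {"tool": "at", "action": "create", "remote_host": None,
            "creator": None, "run_as": "SYSTEM", "command": None}   # AT jobs run as LocalSystem
    rest = tokens[1:]
    if rest and rest[0].startswith("\\\\"):
        info["remote_host"] = rest[0].lstrip("\\")
        rest = rest[1:]
    command = [t for t in rest[1:]
               if not t.lower().startswith(("/interactive", "/every:", "/next:"))]
    info["command"] = " ".join(command) or None
    return info


def parse_task_command(cmdline):
    """Structured view of a schtasks/at command line, or None for anything else."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    exe = tokens[0].lower().rsplit("\\", 1)[-1]
    if exe in ("schtasks", "schtasks.exe"):
        info = parse_schtasks(tokens)
    elif exe in ("at", "at.exe"):
        info = parse_at(tokens)
    else:
        return None
    info["remote"] = info["remote_host"] is not None
    info["as_system"] = info["run_as"] is not None and info["run_as"].lower() in SYSTEM_NAMES
    return info


if __name__ == "__main__":
    print(parse_task_command(r'schtasks /create /s \\SRV01 /u CORP\admin /p Pass1 /ru SYSTEM '
                             r'/tn update /tr "C:\Windows\Temp\u.exe" /sc once /st 13:00'))
```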
CAR-2013-09-003: SMB Session Setups
Hypothesis: Account usage within SMB can be used to identify compromised credentials, and the hosts accessed with them.
Type: Situational Awareness

CAR-2013-09-005: Service Outlier Executables
Hypothesis: New executables that are started as a service are suspicious. This analytic looks for anomalous service executables.
Type: Anomaly, Situational Awareness
ATT&CK Techniques: Modify Existing Service, New Service

CAR-2013-10-001: User Login Activity Monitoring
Hypothesis: Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.
Type: Situational Awareness
ATT&CK Techniques: Remote Desktop Protocol, Legitimate Credentials
CAR-2013-10-002: DLL Injection via Load Library
Hypothesis: Microsoft Windows allows processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines.

Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls. One of the most common methods of DLL Injection is through the Windows API LoadLibrary.

This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.
Type: TTP
ATT&CK Techniques: DLL Injection, Bypass User Account Control
CAR-2014-02-001: Service Binary Modifications
Hypothesis: Adversaries may modify the binary file for an existing service to achieve Persistence while potentially evading defenses. If a newly created or modified binary runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications.
Type: Situational Awareness, TTP
ATT&CK Techniques: New Service, Modify Existing Service, Service File Permissions Weakness, Service Execution

CAR-2014-03-001: SMB Write Request - NamedPipes
Hypothesis: An SMB write can be an indicator of lateral movement, especially when combined with other information such as execution of the written file. Named pipes are a subset of SMB write requests. Writes to named pipes such as msftewds may not be alarming; writes to others, such as lsarpc, may be.
CAR-2014-03-005: Remotely Launched Executables via Services
Hypothesis: There are several ways to cause code to execute on a remote host. One of the most common methods is via the Windows Service Control Manager (SCM), which allows authorized users to remotely create and modify services. Several tools, such as PsExec, use this functionality.

When a client remotely communicates with the Service Control Manager over RPC, there are two observable behaviors. First, the client connects to the RPC Endpoint Mapper over 135/tcp, which tells the client what port the requested endpoint, in this case the SCM, is listening on. Then the client connects directly to that port on services.exe and authenticates to the service. If the request is to start an existing service with a known command line, the SCM process will run the corresponding command. The SCM interface is also reachable over the SMB named pipe \PIPE\svcctl, which is the path PsExec takes; in that case the inbound connection arrives on 445/tcp rather than on a dynamic RPC port, and a sensor watching only for connections to services.exe will not see it.

This compound behavior can be detected by looking for services.exe receiving a network connection and immediately spawning a child process.
Type: TTP
ATT&CK Techniques: New Service, Modify Existing Service, Service Execution
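The "inbound connection, then child process" correlation of CAR-2014-03-005, as an added example in Python (not code from the Cyber Analytics Repository). The correlator is written generally, taking the listening image and the time window as parameters, so the same function also covers the WMI case described later on this page (CAR-2014-12-001), where the listener is WmiPrvSE.exe; the lead-in says so because that generalization is not stated in this entry. Network records are Sysmon event 3 style and process records Sysmon event 1 style, all constructed; a five-second window is an assumption to tune.

```python
import ntpath
from datetime import datetime, timedelta


def t(s):
    return datetime.fromisoformat(s)


# Constructed inbound network-connection records (what accepted the connection).
NETWORK = [
    {"time": t("2016-05-02T11:00:00"), "host": "srv01", "image": r"C:\Windows\System32\services.exe", "src": "10.1.1.99", "dst_port": 49155},
    {"time": t("2016-05-02T11:30:00"), "host": "srv01", "image": r"C:\Windows\System32\svchost.exe", "src": "10.1.1.50", "dst_port": 135},
    {"time": t("2016-05-02T12:00:00"), "host": "srv02", "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "src": "10.1.1.99", "dst_port": 49160},
]
# Constructed process-creation records.
PROCESSES = [
    {"time": t("2016-05-02T11:00:01"), "host": "srv01", "parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"time": t("2016-05-02T11:45:00"), "host": "srv01", "parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"time": t("2016-05-02T12:00:02"), "host": "srv02", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]


def remotely_launched(network, processes, listener="services.exe", window=timedelta(seconds=5)):
    """Children of `listener` started within `window` after `listener` accepted an inbound
    connection on the same host. listener="services.exe" is the SCM case;
    listener="wmiprvse.exe" is the WMI case."""
    hits = []
    for n in network:
        if ntpath.basename(n["image"]).lower() != listener:
            continue
        for p in processes:
            if p["host"] != n["host"] or ntpath.basename(p["parent_image"]).lower() != listener:
                continue
            lag = p["time"] - n["time"]
            if timedelta(0) <= lag <= window:
                hits.append({"host": n["host"], "src": n["src"],
                             "child": ntpath.basename(p["image"]).lower(),
                             "cmdline": p["cmdline"], "lag_s": lag.total_seconds()})
    return hits


if __name__ == "__main__":
    print("via SCM:", remotely_launched(NETWORK, PROCESSES))
    print("via WMI:", remotely_launched(NETWORK, PROCESSES, listener="wmiprvse.exe"))
```

The svchost.exe child fifteen minutes after the connection is not reported: the window is what separates a remotely triggered start from the SCM's routine service starts, so it should be short and measured from the connection, not from the start of the day.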
CAR-2014-03-006: RunDLL32.exe monitoring
Hypothesis: Adversaries may find it necessary to use Dynamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be "executed" is through the built-in Windows utility RunDLL32, which allows a user to execute code in a DLL by providing the name of the DLL and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful.
Type: TTP
ATT&CK Techniques: Rundll32

CAR-2014-04-003: Powershell Execution
Hypothesis: PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically inspected by antivirus, which makes PowerShell an easy way to circumvent security measures (newer versions add script block logging and AMSI, which give defenders visibility this analytic does not assume). This analytic detects execution of PowerShell scripts.
Type: TTP
ATT&CK Techniques: PowerShell, Scripting
CAR-2014-05-001: RPC Activity
Hypothesis: Microsoft Windows uses its implementation of Distributed Computing Environment / Remote Procedure Call (DCE/RPC), which it calls Microsoft RPC, to call certain APIs remotely.

A Remote Procedure Call is initiated by contacting the RPC Endpoint Mapper, which runs as the Windows service RpcEptMapper and listens on 135/tcp. The endpoint mapper resolves the requested endpoint/interface and responds to the client with the port that the service is listening on. Since RPC endpoints are assigned ports when their services start, these ports are dynamically assigned from 49152 to 65535. The connection to the endpoint mapper then terminates and the client program communicates directly with the requested service.

RPC is legitimate Windows functionality that allows remote interaction with a variety of services, and in a properly configured environment several programs use it to communicate with servers. The background and benign RPC activity may be enormous, but it must be learned, especially peer-to-peer RPC between workstations, which is often indicative of Lateral Movement.

According to ATT&CK, adversaries frequently use RPC connections to remotely

Additional endpoints are detailed at http://www.hsc.fr/ressources/articles/win_net_srv/well_known_named_pipes.html
Type: TTP, Situational Awareness
ATT&CK Techniques: Legitimate Credentials, Remote Services
CAR-2014-05-002: Services launching Cmd
Hypothesis: Windows runs the Service Control Manager (SCM) within the process services.exe. Windows launches services as independent processes or as DLLs loaded within a svchost.exe group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point (ServiceMain) and connect to the SCM. If an application does not, the start times out (the default is 30 seconds) and the process is killed.

To survive the timeout, adversaries and red teams can create services whose binary path points to cmd.exe with the flag /c, followed by the desired command. The /c flag causes the command shell to run the command and immediately exit. As a result, the desired program remains running and the SCM reports an error starting the service. This analytic catches the command prompt instance that is used to launch the actual malicious executable.

Additionally, the children and descendants of services.exe run as the SYSTEM user by default. Thus, services are a convenient way for an adversary to gain Persistence and Privilege Escalation.
Type: TTP
ATT&CK Techniques: New Service
CAR-2014-07-001: Service Search Path Interception
Hypothesis: According to ATT&CK, an adversary may escalate privileges by intercepting the search path for legitimately installed services. As a result, Windows will launch the target executable instead of the desired binary and command line. This can be done when there are spaces in the binary path and the path is unquoted. Search path interception should never happen legitimately and will likely be the result of an adversary abusing a system misconfiguration. With a few regular expressions, it is possible to identify the execution of services with intercepted search paths.
Type: TTP
ATT&CK Techniques: Path Interception
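The interception check of CAR-2014-07-001 made concrete, as an added example in Python (not code from the Cyber Analytics Repository). For an unquoted ImagePath containing spaces, Windows tries the path truncated at each space, with .exe appended, before the intended binary (C:\Program.exe, then C:\Program Files\Vendor.exe, then the real one). The example enumerates those candidates from a service's ImagePath and then checks whether a service start actually ran one of them, which is the execution the analytic looks for; the service entries are constructed.

```python
import re

EXE_END = re.compile(r"\.exe", re.I)


def intercept_candidates(image_path):
    """Paths Windows tries before the intended binary when the ImagePath is unquoted
    and contains spaces, in the order they are tried. Quoted paths yield none."""
    value = image_path.strip()
    if value.startswith('"'):
        return []
    end = EXE_END.search(value)
    if not end:
        return []
    binary = value[:end.end()]          # drop arguments that follow the executable
    return [(binary[:i] + ".exe").lower() for i, ch in enumerate(binary) if ch == " "]


def is_intercepted(image_path, executed_image):
    """True when the image that actually started is one of the interception candidates."""
    return executed_image.lower() in intercept_candidates(image_path)


def audit_services(services):
    """Service name -> candidates, for every service whose ImagePath is interceptable."""
    result = {}
    for name, image_path in services.items():
        candidates = intercept_candidates(image_path)
        if candidates:
            result[name] = candidates
    return result


# Constructed ImagePath values as read from HKLM\SYSTEM\CurrentControlSet\Services\<name>.
SERVICES = {
    "VendorSvc": r"C:\Program Files\Vendor App\svc.exe -run",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "QuotedSvc": r'"C:\Program Files\Other App\other.exe" -service',
}

if __name__ == "__main__":
    print(audit_services(SERVICES))
    print(is_intercepted(SERVICES["VendorSvc"], r"C:\Program.exe"))
```

The registry side (an unquoted path with spaces) is a misconfiguration to fix; the process side (one of the candidates actually executing as a service) is the detection, and it requires the adversary to have already written a file into a directory such as C:\ or C:\Program Files, which is itself worth an alert.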
CAR-2014-11-002: Outlier Parents of Cmd
Hypothesis: Many programs create command prompts as part of their normal operation, including malware used by attackers. This analytic attempts to identify suspicious programs spawning cmd.exe by looking for programs that do not normally create cmd.exe.
Type: Anomaly, TTP
ATT&CK Techniques: Command-Line Interface
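The baseline-and-outlier approach shared by CAR-2014-11-002 (parents of cmd.exe) and CAR-2013-09-005 (service executables), as an added example in Python (not code from the Cyber Analytics Repository). One baseline builder counts a feature over a history window; one outlier function scores current events whose feature value was seen fewer than `min_count` times. The two analytics differ only in the feature extractor, which is why they share the code here. History and current-day events are constructed, and the count threshold is the knob that trades missed rare-but-legitimate parents against noise.

```python
import ntpath
from collections import Counter


def basename(path):
    return ntpath.basename(path).lower()


def proc(parent, image):
    return {"kind": "proc", "parent_image": parent, "image": image}


def svc(image):
    return {"kind": "svc", "image": image}


# Constructed baseline period: process creations and service starts.
HISTORY = (
    [proc(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe")] * 40
    + [proc(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe")] * 6
    + [proc(r"C:\Tools\inventory.exe", r"C:\Windows\System32\cmd.exe")] * 3
    + [svc(r"C:\Windows\System32\spoolsv.exe")] * 20
    + [svc(r"C:\Program Files\Backup\agent.exe")] * 20
)
# Constructed events from the day under review.
TODAY = [
    proc(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
    proc(r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\System32\cmd.exe"),
    proc(r"C:\Tools\inventory.exe", r"C:\Windows\System32\cmd.exe"),
    svc(r"C:\Program Files\Backup\agent.exe"),
    svc(r"C:\Windows\Temp\x.exe"),
]


def cmd_parent(e):
    """Feature for CAR-2014-11-002: the parent image name of each cmd.exe start."""
    if e["kind"] != "proc" or basename(e["image"]) != "cmd.exe":
        return None
    return basename(e["parent_image"])


def service_image(e):
    """Feature for CAR-2013-09-005: the full path of each service executable started."""
    return e["image"].lower() if e["kind"] == "svc" else None


def build_baseline(history, feature):
    return Counter(v for v in map(feature, history) if v is not None)


def outliers(current, history, feature, min_count=2):
    """(value, baseline count) for current events whose feature value was seen
    fewer than min_count times in the baseline."""
    base = build_baseline(history, feature)
    return [(v, base[v]) for v in map(feature, current) if v is not None and base[v] < min_count]


if __name__ == "__main__":
    print("rare cmd.exe parents:", outliers(TODAY, HISTORY, cmd_parent))
    print("rare service binaries:", outliers(TODAY, HISTORY, service_image))
```

The baseline should be rebuilt on a rolling window so that a parent seen once during an incident does not become "normal" forever, and the history should exclude the period under review.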
CAR-2014-11-003: Debuggers for Accessibility Applications
Hypothesis: The Windows Registry location "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" allows parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" value. When a subkey named after an executable carries this value, Windows launches the specified debugger command line instead and passes the original command line to it as an argument.

Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line appearing as an argument to the Debugger.

When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", or "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.
Type: TTP
ATT&CK Techniques: Accessibility Features

CAR-2014-11-004: Remote PowerShell Sessions
Hypothesis: According to ATT&CK, PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.
Type: TTP
ATT&CK Techniques: Windows Remote Management, PowerShell

CAR-2014-11-005: Remote Registry
Hypothesis: An adversary can remotely manipulate the registry of another machine if the RemoteRegistry service is enabled and valid credentials are obtained. While the registry is remotely accessed, it can be used to prepare a lateral movement technique, discover the configuration of a host, achieve persistence, or anything else that aids an adversary in achieving the mission. Like most ATT&CK techniques, this behavior can be used legitimately, and the reliability of an analytic depends on the proper identification of the pre-existing legitimate behaviors. Although this behavior is disabled in many Windows configurations, it is possible to remotely enable the RemoteRegistry service, which can be detected with CAR-2014-03-005: Remotely Launched Executables via Services.
Type: TTP
ATT&CK Techniques: Modify Registry

CAR-2014-11-006: Windows Remote Management (WinRM)
Hypothesis: When a Windows Remote Management connection is opened, the client sends HTTP requests to port 5985 (HTTP) or 5986 (HTTPS) on the target host. Each request is made to the URI "/wsman", with other information carried in the headers. Depending on the operation, the HTTP method may vary (GET, POST, etc.). This analytic would detect Remote PowerShell, as well as other communications that rely on WinRM. Additionally, it outputs the executable on the client host, the connection information, and the hostname of the target host.
Type: Situational Awareness
ATT&CK Techniques: Windows Remote Management

CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC
Hypothesis: As described in ATT&CK, an adversary can use Windows Management Instrumentation (WMI) to view or manipulate objects on a remote host. It can be used to remotely edit configuration, start services, query files, and do anything else that can be done with a WMI class. When remote WMI requests go over RPC (CAR-2014-05-001: RPC Activity), the client connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed either at the network level that can decode RPC traffic, or on the host where the communication can be detected more natively, such as with Event Tracing for Windows. Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected.
Type: TTP
ATT&CK Techniques: Windows Management Instrumentation

CAR-2014-11-008: Command Launched from WinLogon
Hypothesis: An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of cmd.exe or powershell.exe launched directly from the logon process, winlogon.exe. It should be used in tandem with CAR-2014-11-003: Debuggers for Accessibility Applications, which detects the accessibility programs in the command line.
Type: TTP
ATT&CK Techniques: Accessibility Features
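The two halves of the accessibility-feature technique, the registry setting (CAR-2014-11-003) and the resulting launch from the logon screen (CAR-2014-11-008), as one added example in Python (not code from the Cyber Analytics Repository). The first function audits an Image File Execution Options export for Debugger values on the accessibility binaries; the second scans process creations for an accessibility binary name appearing in the arguments but not as the image, and for cmd.exe or powershell.exe parented by winlogon.exe. The registry export and the process records are constructed; a developer's IFEO entry for notepad.exe is included to show that only the accessibility binaries are reported.

```python
import ntpath

ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe"}
IFEO = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed registry export: subkey -> values. Only Debugger matters here.
REGISTRY = {
    IFEO + r"\sethc.exe": {"Debugger": r"C:\Windows\System32\cmd.exe"},
    IFEO + r"\notepad.exe": {"Debugger": r"C:\Tools\windbg.exe"},   # a developer's debugger
    IFEO + r"\iexplore.exe": {"UseFilter": 1},
}
# Constructed process-creation records.
PROCESSES = [
    {"parent_image": r"C:\Windows\System32\winlogon.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe sethc.exe 211"},
    {"parent_image": r"C:\Windows\System32\winlogon.exe", "image": r"C:\Windows\System32\LogonUI.exe",
     "cmdline": "LogonUI.exe /flags:0x0"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\osk.exe",
     "cmdline": "osk.exe"},
]


def ifeo_debuggers(registry):
    """(accessibility binary, debugger command) for every Debugger value set on one."""
    out = []
    for key, values in registry.items():
        exe = ntpath.basename(key).lower()
        if key.lower().startswith(IFEO.lower()) and exe in ACCESSIBILITY and "Debugger" in values:
            out.append((exe, values["Debugger"]))
    return out


def debugger_launches(processes):
    """(image, reasons): an accessibility binary named in the arguments of a different
    image (the Debugger receiving the original command line), or a shell spawned by winlogon.exe."""
    out = []
    for p in processes:
        image = ntpath.basename(p["image"]).lower()
        parent = ntpath.basename(p["parent_image"]).lower()
        args = p["cmdline"].lower().split()[1:]
        reasons = []
        named = sorted(a for a in ACCESSIBILITY if any(a in tok for tok in args))
        if named and image not in ACCESSIBILITY:
            reasons.append("accessibility binary in arguments: " + ",".join(named))
        if parent == "winlogon.exe" and image in {"cmd.exe", "powershell.exe"}:
            reasons.append("launched by winlogon.exe")
        if reasons:
            out.append((image, reasons))
    return out


if __name__ == "__main__":
    print("debuggers set:", ifeo_debuggers(REGISTRY))
    print("launches:", debugger_launches(PROCESSES))
```

The registry audit is the cheaper and earlier signal (it fires when persistence is planted, not when it is used); the process check is what still works when the attacker replaced sethc.exe on disk instead of setting a Debugger, since winlogon.exe spawning a shell happens either way.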
CAR-2014-12-001: Remotely Launched Executables via WMI
Hypothesis: Adversaries can use Windows Management Instrumentation (WMI) to move laterally by launching executables remotely. To do so, they must open a WMI connection to a remote host. This RPC activity is currently detected by CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC. After the WMI connection has been initialized, a process can be remotely launched using the command wmic /node:"<hostname>" process call create "<command line>", which is detected via CAR-2016-03-002: Create Remote Process via WMIC.

This leaves artifacts at both a network (RPC) and process (command line) level. When wmic.exe (or the WMI API directly) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the remote machine.

After RPC authenticates, the RPC endpoint mapper opens a high port connection, through which the WMI (DCOM) call is actually made. With the right packet decoders, or by looking for certain byte streams in raw data, these functions can be identified.

When the command line is executed, it has the parent process C:\windows\system32\wbem\WmiPrvSE.exe. This analytic looks for these two events happening in sequence, so that the network connection and target process are output.
Type: TTP
ATT&CK Techniques: Windows Management Instrumentation
CAR-2015-04-001: Remotely Scheduled Tasks via AT
Hypothesis: When AT.exe is used to remotely schedule tasks, Windows uses named pipes over SMB to communicate with the API on the remote machine. After authentication over SMB, the named pipe "ATSVC" is opened, over which the JobAdd function is called. On the remote host, the job files are created by the Task Scheduler and follow the convention C:\Windows\Tasks\At<job_id>.job (registered alongside the task in C:\Windows\System32\Tasks\At<job_id> on Vista and later). Unlike CAR-2013-05-004: Execution with AT, this analytic specifically focuses on uses of AT that can be detected between hosts, indicating remotely gained execution.
Type: TTP
ATT&CK Techniques: Scheduled Task

CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks
Hypothesis: An adversary can move laterally using the schtasks command to remotely schedule tasks. Although these events can be detected with the command line analytic CAR-2013-08-001: Execution with schtasks, it is possible for an adversary to use the API directly, via the Task Scheduler GUI or with a scripting language such as PowerShell. In these cases, an additional source of data becomes necessary to detect adversarial behavior. When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. Once an RPC connection is established (CAR-2014-05-001: RPC Activity), the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified.
Type: TTP
ATT&CK Techniques: Scheduled Task

CAR-2015-07-001: All Logins Since Last Boot
Hypothesis: Once a credential dumper like mimikatz runs, every user logged on since boot is potentially compromised, because the credentials were accessed via the memory of lsass.exe. When such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons.
Type: Forensic
CAR-2016-03-001: Host Discovery Commands
Hypothesis: When entering a host for the first time, an adversary may try to discover information about the host. There are several built-in Windows commands that can be used to learn about the software configuration, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. The information returned may impact choices an adversary can make when establishing persistence, escalating privileges, or moving laterally. Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider an anomaly detection approach, so that this information can be learned dynamically.
Type: TTP
ATT&CK Techniques: Account Discovery, Permission Groups Discovery, Local Network Configuration Discovery, System Information Discovery, System Owner/User Discovery, Process Discovery, System Service Discovery
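CAR-2016-03-001 names the commands and CAR-2013-04-002 (earlier on this page) names the timing: a burst of them from one user on one host in a few minutes. The following Python is an added example (not code from the Cyber Analytics Repository) that serves both. It maps command lines to the discovery technique they indicate, tunes out parents known to run inventory scripts, and alerts when one (host, user) pair covers several distinct techniques inside a sliding five-minute window. The pattern list, the allowed parent, the window and the threshold are assumptions; the records are constructed.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns -> the discovery technique they indicate (assumption: a starting set).
DISCOVERY = [
    ("Account Discovery", re.compile(r"^net1?\s+user\b", re.I)),
    ("Permission Groups Discovery", re.compile(r"^net1?\s+(localgroup|group)\b", re.I)),
    ("System Owner/User Discovery", re.compile(r"^whoami\b", re.I)),
    ("Local Network Configuration Discovery", re.compile(r"^ipconfig\b", re.I)),
    ("Local Network Connections Discovery", re.compile(r"^netstat\b", re.I)),
    ("Process Discovery", re.compile(r"^tasklist\b", re.I)),
    ("System Information Discovery", re.compile(r"^systeminfo\b", re.I)),
    ("System Service Discovery", re.compile(r"^(sc\s+query|net1?\s+start)\b", re.I)),
    ("Remote System Discovery", re.compile(r"^net1?\s+view\b", re.I)),
]
# Parents whose discovery commands are expected, e.g. an inventory agent (assumption).
ALLOWED_PARENTS = {"inventory.exe"}


def classify(cmdline):
    """Map a command line to a discovery technique, or None. The first token is reduced
    to its bare name so C:\\Windows\\System32\\net1.exe and net1 compare equal."""
    parts = cmdline.strip().split()
    if not parts:
        return None
    head = ntpath.basename(parts[0].strip('"')).lower()
    parts[0] = head[:-4] if head.endswith(".exe") else head
    line = " ".join(parts)
    for technique, pattern in DISCOVERY:
        if pattern.search(line):
            return technique
    return None


def discovery_bursts(events, window=timedelta(minutes=5), min_techniques=3):
    """(host, user) pairs whose commands span min_techniques distinct discovery techniques
    within any sliding window; the value is the union of techniques seen."""
    groups = defaultdict(list)
    for e in events:
        if e["parent"].lower() in ALLOWED_PARENTS:
            continue
        technique = classify(e["cmdline"])
        if technique:
            groups[(e["host"], e["user"])].append((e["time"], technique))
    alerts = {}
    for key, seq in groups.items():
        seq.sort()
        start = 0
        for end, (ts, _) in enumerate(seq):
            while ts - seq[start][0] > window:
                start += 1
            techniques = {tech for _, tech in seq[start:end + 1]}
            if len(techniques) >= min_techniques:
                alerts[key] = sorted(set(alerts.get(key, [])) | techniques)
    return alerts


def ev(ts, host, user, parent, cmdline):
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent, "cmdline": cmdline}


# Constructed process-creation records.
EVENTS = [
    ev("2016-05-02T09:00:00", "ws01", "bob", "cmd.exe", "whoami /all"),
    ev("2016-05-02T09:00:20", "ws01", "bob", "cmd.exe", "net user"),
    ev("2016-05-02T09:00:45", "ws01", "bob", "cmd.exe", "net localgroup administrators"),
    ev("2016-05-02T09:01:10", "ws01", "bob", "cmd.exe", "ipconfig /all"),
    ev("2016-05-02T09:01:30", "ws01", "bob", "cmd.exe", "net view /domain"),
    ev("2016-05-02T10:00:00", "ws02", "carol", "cmd.exe", "ipconfig /all"),
    ev("2016-05-02T14:00:00", "ws02", "carol", "cmd.exe", "tasklist"),
    ev("2016-05-02T09:00:00", "srv01", "SYSTEM", "inventory.exe", "systeminfo"),
    ev("2016-05-02T09:00:01", "srv01", "SYSTEM", "inventory.exe", "tasklist /svc"),
    ev("2016-05-02T09:00:02", "srv01", "SYSTEM", "inventory.exe", "netstat -ano"),
]

if __name__ == "__main__":
    for key, techniques in discovery_bursts(EVENTS).items():
        print(key, techniques)
```

Counting distinct techniques rather than raw commands is deliberate: a user who runs ipconfig five times is troubleshooting, while one who runs whoami, net user, net localgroup and net view in ninety seconds is orienting.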
CAR-2016-03-002: Create Remote Process via WMIC
Hypothesis: Adversaries may use Windows Management Instrumentation (WMI) to move laterally by launching executables remotely.

The analytic CAR-2014-12-001: Remotely Launched Executables via WMI describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility wmic.exe is used on the source host, then it can additionally be detected with a command line analytic.

The command line on the source host is constructed into something like wmic.exe /node:"<hostname>" process call create "<command line>". It is possible to also connect via IP address, in which case the string "<hostname>" would instead be an IP address.
Type: TTP
ATT&CK Techniques: Windows Management Instrumentation
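The source-host command line check of CAR-2016-03-002, as an added example in Python (not code from the Cyber Analytics Repository). It recognises wmic by the first token regardless of path, pulls the target out of /node: whether quoted or not, classifies it as hostname or IP address, captures /user: when alternate credentials are supplied, and extracts the command handed to process call create. Local wmic use and remote queries that do not create a process return None. The sample command lines are constructed.

```python
import ipaddress
import re

NODE = re.compile(r'/node:(?:"([^"]+)"|(\S+))', re.I)
USER = re.compile(r'/user:(?:"([^"]+)"|(\S+))', re.I)
CREATE = re.compile(r'process\s+call\s+create\s+(?:"([^"]*)"|(\S+))', re.I)


def parse_wmic_remote_create(cmdline):
    """Target, credential and launched command for a remote 'wmic /node:... process call
    create ...' line; None for anything that is not a remote process creation via wmic."""
    parts = cmdline.strip().split()
    if not parts:
        return None
    head = parts[0].strip('"').lower().rsplit("\\", 1)[-1]
    if not head.startswith("wmic"):
        return None
    node, create = NODE.search(cmdline), CREATE.search(cmdline)
    if not node or not create:
        return None
    target = (node.group(1) or node.group(2)).strip("\\")
    try:
        ipaddress.ip_address(target)
        kind = "ip"
    except ValueError:
        kind = "hostname"
    user = USER.search(cmdline)
    return {"target": target, "target_kind": kind,
            "user": (user.group(1) or user.group(2)) if user else None,
            "command": create.group(1) or create.group(2)}


def scan(cmdlines):
    """Keep only the lines that create a process on another host."""
    return [r for r in map(parse_wmic_remote_create, cmdlines) if r]


# Constructed command lines as a process sensor would record them.
SAMPLES = [
    r'wmic /node:"SRV01" /user:CORP\admin /password:Pass1 process call create "cmd.exe /c whoami > C:\o.txt"',
    r"C:\Windows\System32\wbem\wmic.exe /node:10.1.1.5 process call create calc.exe",
    "wmic process list brief",
    "wmic /node:srv02 os get caption",
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```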
CAR-2016-04-002: User Activity from Clearing Event Logs
Hypothesis: It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers will try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. Alerting when a "Clear Event Log" event is generated could point to this intruder technique.

Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk.
Type: Anomaly
ATT&CK Techniques: Indicator Blocking

CAR-2016-04-003: User Activity from Stopping Windows Defensive Services
Hypothesis: Spyware and malware remain a serious problem, and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection, and investigate to determine whether it was caused by a crash or by user manipulation.
Type: Situational Awareness
ATT&CK Techniques: Indicator Blocking

CAR-2016-04-004: Successful Local Account Login
Hypothesis: The successful use of Pass the Hash for lateral movement between workstations would trigger event ID 4624, with an event level of Information, in the Security log. This behavior would be a LogonType of 3 using NTLM authentication, where it is not a domain logon and not the ANONYMOUS LOGON account.
Type: Situational Awareness
ATT&CK Techniques: Pass the Hash
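Two analytics on this page are filters over event 4624: the pass-the-hash filter of CAR-2016-04-004 just above, and the forensic "who logged on since boot" query of CAR-2015-07-001. The following Python is an added example (not code from the Cyber Analytics Repository) that applies both to constructed Security log records. For the forensic query it adds one caveat the entry does not state: network logons (type 3) do not leave reusable credentials in LSASS, so they are excluded from the exposed-account list. The domain name CORP, the event field subset and the records are all constructed; 4608 ("Windows is starting up") is used as the boot marker.

```python
from datetime import datetime

AD_DOMAIN = "CORP"   # assumption: the environment's domain NetBIOS name


def ev(ts, event_id, **fields):
    record = {"time": datetime.fromisoformat(ts), "EventID": event_id}
    record.update(fields)
    return record


# Constructed Security log records. Logon types: 2 interactive, 3 network, 10 RDP.
EVENTS = [
    ev("2016-05-02T05:00:00", 4624, LogonType=2, AuthenticationPackageName="Negotiate",
       TargetUserName="carol", TargetDomainName="CORP", IpAddress="-"),
    ev("2016-05-02T06:00:00", 4608),   # Windows is starting up: the last boot
    ev("2016-05-02T06:05:00", 4624, LogonType=3, AuthenticationPackageName="Kerberos",
       TargetUserName="alice", TargetDomainName="CORP", IpAddress="10.1.1.20"),
    ev("2016-05-02T07:00:00", 4624, LogonType=3, AuthenticationPackageName="NTLM",
       TargetUserName="ANONYMOUS LOGON", TargetDomainName="NT AUTHORITY", IpAddress="10.1.1.30"),
    ev("2016-05-02T07:30:00", 4624, LogonType=3, AuthenticationPackageName="NTLM",
       TargetUserName="Administrator", TargetDomainName="WS01", IpAddress="10.1.1.99"),
    ev("2016-05-02T07:45:00", 4624, LogonType=10, AuthenticationPackageName="Negotiate",
       TargetUserName="ops", TargetDomainName="CORP", IpAddress="10.1.1.40"),
    ev("2016-05-02T08:00:00", 4624, LogonType=2, AuthenticationPackageName="Negotiate",
       TargetUserName="bob", TargetDomainName="CORP", IpAddress="-"),
]


def pass_the_hash_candidates(events, domain=AD_DOMAIN):
    """4624, network logon (type 3), NTLM, to an account outside the domain (a local
    account), and not ANONYMOUS LOGON (CAR-2016-04-004)."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["AuthenticationPackageName"].upper() == "NTLM"
            and e["TargetUserName"].upper() != "ANONYMOUS LOGON"
            and e["TargetDomainName"].upper() != domain.upper()]


def logons_since_last_boot(events):
    """All 4624 events at or after the most recent 4608; all of them if no boot is recorded."""
    boots = [e["time"] for e in events if e["EventID"] == 4608]
    since = max(boots) if boots else datetime.min
    return [e for e in events if e["EventID"] == 4624 and e["time"] >= since]


def exposed_accounts(events):
    """DOMAIN\\user for logons since boot that leave credentials in lsass.exe memory:
    everything except network logons (type 3) and ANONYMOUS LOGON (CAR-2015-07-001)."""
    names = {f'{e["TargetDomainName"]}\\{e["TargetUserName"]}'
             for e in logons_since_last_boot(events)
             if e["LogonType"] != 3 and e["TargetUserName"].upper() != "ANONYMOUS LOGON"}
    return sorted(names)


if __name__ == "__main__":
    for e in pass_the_hash_candidates(EVENTS):
        print("PtH candidate:", e["TargetDomainName"], e["TargetUserName"], "from", e["IpAddress"])
    print("accounts exposed since boot:", exposed_accounts(EVENTS))
```

The pass-the-hash filter is a situational-awareness view, not a verdict: NTLM network logons to local accounts also come from workgroup machines, scanners with local credentials and some backup agents, so the source addresses it returns need an allow-list before it becomes an alert.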
CAR-2016-04-005: Remote Desktop Logon
Hypothesis: A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing them to known/approved originating systems can detect lateral movement of an adversary.
Type: Situational Awareness
ATT&CK Techniques: Legitimate Credentials