Endpoint
Use the IBM Security QRadar Endpoint Content Extension to closely monitor the Linux® and Windows endpoints in your deployment.
Endpoint Content Extension includes one or more QRadar Pulse dashboards. For more information about QRadar Pulse dashboards, see QRadar Pulse app.
IBM Security QRadar Endpoint
- IBM Security QRadar Endpoint 2.9.0
- IBM Security QRadar Endpoint 2.8.3
- IBM Security QRadar Endpoint 2.8.2
- IBM Security QRadar Endpoint 2.8.1
- IBM Security QRadar Endpoint 2.8.0
- IBM Security QRadar Endpoint 2.7.2
- IBM Security QRadar Endpoint 2.7.1
- IBM Security QRadar Endpoint 2.7.0
- IBM Security QRadar Endpoint 2.6.0
- IBM Security QRadar Endpoint 2.5.0
- IBM Security QRadar Endpoint 2.4.0
- IBM Security QRadar Endpoint 2.3.0
- IBM Security QRadar Endpoint 2.2.0
- IBM Security QRadar Endpoint 2.1.1
- IBM Security QRadar Endpoint 2.1.0
- IBM Security QRadar Endpoint 2.0.0
- IBM Security QRadar Endpoint 1.0.0
IBM Security QRadar Endpoint 2.9.0
The following table shows the new and updated rules, and building blocks in IBM Security QRadar Endpoint Content Extension 2.9.0.
Type | Name | Description |
---|---|---|
Rule | PowerShell Downgrade Attack | This rule triggers when an adversary might revert PowerShell to engine version 4 or earlier. |
Rule | Executables Started in Suspicious Folder | The rule triggers when a suspicious execution is detected in an uncommon folder. |
Rule | MavInject Process Injection | This rule triggers when process injection by using the MavInject Windows tool through process name, or command-line parameter, is detected. |
Rule | Rubeus Hack Tool Execution | This rule triggers when the execution of the hack tool Rubeus through process name, or command-line parameters, is detected. |
Rule | Malicious Named Pipe | This rule triggers when the creation of, or connection to a named pipe that is used by known malware, is detected. |
Rule | Ping Hex IP | This rule triggers when it is detected that the ping command ran with an IP address in hexadecimal form. |
Rule | New RUN Key Pointing to Suspicious Folder | This rule triggers when a run key is created in the registry for Windows Explorer, pointing to a suspicious folder. |
Rule | Addition of SID History to Active Directory Object | This rule triggers when a SID History attribute is added to an Active Directory Object. |
Rule | Potential LSASS.exe Credential Dumping Activity | This rule triggers when SAM_DOMAIN access by the LSASS.exe file is detected, indicating activities such as credential dumping. |
Rule | Malicious PowerShell Commandlets | This rule triggers when execution of a PowerShell Commandlet from a known PowerShell exploitation framework is detected. |
Rule | PowerShell Called From an Executable Version Mismatch | This rule detects when PowerShell is called from an arbitrary executable file by comparing the Host and Engine versions. |
Rule | Backup Catalog Deleted | This rule triggers when a command is run to delete the backup catalog that is stored on the local computer. |
Rule | Access to Browser Login Data | This rule triggers when the stored login credentials (such as usernames and passwords) by web browsers are viewed or retrieved. The rule might indicate an adversary that acquires credentials from web browsers by reading the files specific to the target browser. |
Rule | Java Running with Remote Debugging | This rule triggers when a Java process is running with remote debugging enabled, allowing connections from sources other than the local host. |
Rule | Potential Reconnaissance for Cached Credentials via Cmdkey.exe | This rule triggers when usage of cmdkey to look for cached credentials on the system is detected. The rule might indicate that an adversary is attempting to access cached domain credentials to enable authentication in case a domain controller is not available. Note: By default, the rule is disabled because cmdkey can be used for legitimate administrative tasks. Enable this rule if you want to identify command-line usage indicative of reconnaissance for cached credentials. |
Rule | DHCP Callout DLL Installation | This rule triggers when the installation of a Callout DLL through CalloutDlls and CalloutEnabled parameter in the Registry is detected. The rule might indicate the usage of CalloutDlls to run code in the context of the DHCP server. |
Rule | Active Directory User Backdoor | This rule detects when a user might control another account without specifying the credentials of the target account. |
Rule | PowerShell Download and run File | This rule triggers when a PowerShell command downloads and runs a remote file. |
Rule | NTDS.dit Domain Hash Retrieval Activity | This rule triggers when a suspicious command might be related to attempts to retrieve hashes from the NTDS.dit file. |
Rule | InvisiMole Wrapper DLL Loaded | This rule triggers when process activity that is associated with the InvisiMole loader is detected. |
Building Block | BB:BehaviorDefinition: Arbitrary Script Execution via Diskshadow.exe or Vshadow.exe | The building block triggers when either the diskshadow.exe or vshadow.exe file is started with a parameter to run an arbitrary script. The building block might indicate a malicious attempt to access sensitive files such as NTDS.dit. |
Building Block | BB:BehaviorDefinition: Network Connection Listing via Get-NetTCPConnection | The Building Block triggers when a query for information over the network generated a list of network connections. |
Building Block | BB:BehaviorDefinition: PowerShell File Download Activity | The Building Block detects when PowerShell is used to download files. |
The following table shows the custom properties in IBM Security QRadar Endpoint Content Extension 2.9.0.
Name | Optimized | Found in |
---|---|---|
SID History | TRUE | Microsoft Windows |
Engine Version | TRUE | Microsoft Windows |
Delegation | FALSE | Microsoft Windows |
Object Class | FALSE | Microsoft Windows |
LDAP Display Name | FALSE | Microsoft Windows |
Host Version | TRUE | Microsoft Windows |
Pipe Name | TRUE | Microsoft Windows |
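The PowerShell Downgrade Attack and PowerShell Called From an Executable Version Mismatch rules both work from the Engine Version and Host Version properties listed above. The following is an added example, not IBM's rule logic and not code from this page: it parses the Details block of a Windows PowerShell event 400 (engine state changed) and applies both comparisons. The payloads are constructed; the custom host name and the version threshold of 4 (taken from the rule description) are assumptions of this example.

```python
"""Version-based PowerShell detections over Windows PowerShell event 400 payloads.

Added example for illustration; it is not the QRadar rule implementation.
Two checks are applied to each payload:
  * downgrade: the engine version is 4 or earlier (threshold from the rule text)
  * mismatch: the host's major.minor version differs from the engine's,
    which is the comparison the "Version Mismatch" rule description names.
"""
import re
from typing import Dict, List, Tuple

DOWNGRADE_MAX_MAJOR = 4  # "engine version 4 or earlier" per the rule description

# One key=value pair per line inside the event's Details block.
_FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z]+)=(?P<value>.*?)\s*$", re.MULTILINE)


def parse_details(payload: str) -> Dict[str, str]:
    """Extract the key=value pairs (HostVersion, EngineVersion, ...) from a payload."""
    return {m.group("key"): m.group("value") for m in _FIELD_RE.finditer(payload)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.1.19041.1023' into (5, 1, 19041, 1023); stop at the first non-numeric part."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def evaluate(payload: str) -> List[str]:
    """Return the findings for one payload; an empty list means nothing suspicious."""
    details = parse_details(payload)
    engine = parse_version(details.get("EngineVersion", ""))
    host = parse_version(details.get("HostVersion", ""))
    if not engine or not host:
        # Surface malformed events instead of silently passing them (tuning aid).
        return ["unparseable-version"]
    findings: List[str] = []
    if engine[0] <= DOWNGRADE_MAX_MAJOR:
        findings.append("powershell-downgrade")
    # Compare major.minor only, so a build-number difference alone does not fire
    # (a tuning choice for this example).
    if engine[:2] != host[:2]:
        findings.append("host-engine-version-mismatch")
    return findings


# Constructed sample payloads; the layout follows the event 400 Details block.
NORMAL = """Engine state is changed from None to Available.

Details:
    NewEngineState=Available
    PreviousEngineState=None
    HostName=ConsoleHost
    HostVersion=5.1.19041.1023
    HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
    EngineVersion=5.1.19041.1023
"""

DOWNGRADE = """Engine state is changed from None to Available.

Details:
    NewEngineState=Available
    PreviousEngineState=None
    HostName=ConsoleHost
    HostVersion=5.1.19041.1023
    HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -version 2
    EngineVersion=2.0
"""

# Hypothetical custom host embedding the engine: host and engine versions differ.
MISMATCH = """Engine state is changed from None to Available.

Details:
    NewEngineState=Available
    PreviousEngineState=None
    HostName=ExampleCustomHost
    HostVersion=1.0.0.0
    HostApplication=C:\\Temp\\examplehost.exe
    EngineVersion=5.1.19041.1023
"""

if __name__ == "__main__":
    for label, payload in (("normal", NORMAL), ("downgrade", DOWNGRADE), ("mismatch", MISMATCH)):
        print(f"{label}: {evaluate(payload) or 'clean'}")
```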
IBM Security QRadar Endpoint 2.8.3
The following table shows the new and updated rules, and building blocks in IBM Security QRadar Endpoint Content Extension 2.8.3.
Type | Name | Description |
---|---|---|
Rule | Multiple Login Failures due to Bad Password | Detects a password spraying attack. |
Rule | Possible Brute Force Attempt | Detects a brute force attack. |
Rule | Remote: VNC Access from the Internet | Triggers when a Virtual Network Computing (VNC) application is detected from the internet to a local host. |
Rule | Remote: Remote Desktop Access from the Internet | Triggers when the Microsoft Remote Desktop Protocol (RDP) is detected from the internet to a local host. |
Rule | Suspicious Valid Accounts Logon | Triggers when a suspicious login from a valid account is detected. |
Rule | Suspicious Parent for a Process | Triggers when a process that is not supposed to have a child starts a process. |
Rule | Critical File Deleted | Triggers when a critical file or a file in a critical directory is deleted. |
Rule | Critical File Modified followed by Suspicious Activity | Triggers when critical files or directories are modified and a suspicious activity occurs. |
Rule | Communication with a Potential Hostile IP Address | Triggers when communication with a potential hostile IP address occurs. The potential hostile IP addresses are either recorded in IBM X-force or in the custom reference set collection. |
Rule | Suspicious PSExec Module Usage Detected | Triggers when usage of the PSExec module is detected. |
Rule | Service Configured to Use PowerShell | Triggers when a service is configured to use PowerShell. |
Rule | Ransomware: Ryuk IOC in Events | Triggers when an IOC (file hash) related to Ryuk ransomware is observed in events. |
Rule | Ransomware: Ryuk IOC in Flows | Triggers when an IOC (file hash) related to Ryuk ransomware is observed in flows. |
Rule | Dump Credentials from Windows Credential Manager With PowerShell | Detects an attempt to search common password storage locations to obtain user credentials. |
Rule | Enumerate Credentials from Windows Credential Manager With PowerShell | Detects consecutive attempts to search common password storage locations to obtain user credentials. |
Rule | Token Impersonation via PowerShell | Detects an attempt to use Windows API functions related to token impersonation or token theft. |
Rule | Regsvr32 Outbound Network Connection | Detects outbound connections that are initiated by the regsvr32.exe file. |
Rule | Dllhost Outbound Network Connection | Detects outbound connections that are initiated by the dllhost.exe file. |
Rule | RunDLL32 Outbound Network Connection | Detects outbound connections that are initiated by the rundll32.exe file. |
Rule | Ransomware: Petya / NotPetya Payload in Flows | Triggers when a Petya payload is observed in flows. |
Rule | Access Token Abuse | Detects token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.) |
Rule | Detection of Turla Registry IOC in events | Triggers when an IOC is recognized as a Turla registry value. |
Rule | Potential StandIn Post-Compromise Traffic | Triggers when behavior potentially belonging to X-Force Red StandIn is detected. |
Building Block | BB:CategoryDefinition: Files with Sensitive Permissions | Triggers when the current working directory (CWD) is detected in the following directories: The following files are under watch: |
Building Block | BB:CategoryDefinition: Sensitive Current Working Directory | Defines sensitive current working directories that trigger alerts for a directory traversal attack. |
Building Block | BB:CategoryDefinition: Sensitive File Accessed | Defines a rule that triggers when the current working directory (CWD) is detected in the following directories: The following files are under watch: |
Building Block | BB:BehaviorDefinition: Directory Discovery (Windows) | Defines when the PowerShell Get-ChildItem command is used to discover directories recursively. This event occurs when the |
Building Block | BB:BehaviorDefinition: Potential StandIn Post-Compromise Traffic | Triggers when a process related to the StandIn tool is observed. StandIn is a penetration-testing tool that is commonly used by red teams. However, malicious actors can use this application for attacks. |
Building Block | BB:BehaviorDefinition: Potential StandIn Post-Compromise Persistence Traffic | Triggers when persistence commands related to the StandIn tool are observed. StandIn is a penetration-testing tool that is commonly used by red teams. However, malicious actors can use this application for attacks. |
Building Block | BB:BehaviorDefinition: Potential StandIn Post-Compromise Defense Evasion Traffic | Triggers when defense evasion commands related to the StandIn tool are observed. StandIn is a penetration-testing tool that is commonly used by red teams. However, malicious actors can use this application for attacks. |
Building Block | BB:BehaviorDefinition: Potential StandIn Post-Compromise Privilege Escalation Traffic | Triggers when privilege escalation commands related to the StandIn tool are observed. StandIn is a penetration-testing tool that is commonly used by red teams. However, malicious actors can use this application for attacks. |
Building Block | BB:BehaviorDefinition: Potential StandIn Post-Compromise Enumeration Traffic | Triggers when enumeration commands related to the StandIn tool are observed. StandIn is a penetration-testing tool that is commonly used by red teams. However, malicious actors can use this application for attacks. |
IBM Security QRadar Endpoint 2.8.2
The following table shows the rules in IBM Security QRadar Endpoint Content Extension 2.8.2.
Type | Name | Description |
---|---|---|
Rule | Service Configured to Use Pipe | Triggers when a service is configured to use a pipe. This could indicate an attacker gaining access to a user's system through privilege escalation by using |
IBM Security QRadar Endpoint 2.8.1
The following table shows the new rules in IBM Security QRadar Endpoint Content Extension 2.8.1.
Type | Name | Description |
---|---|---|
Rule | MOVEit Transfer Vulnerability Exploit Commands | Detects exploitation of the MOVEit Transfer vulnerability via a command-line indicator of compromise. |
Rule | MOVEit Transfer Vulnerability Exploit Filenames | Detects exploitation of the MOVEit Transfer vulnerability via a filename indicator of compromise. |
Rule | MOVEit Transfer Vulnerability Exploit Hashes | Detects exploitation of the MOVEit Transfer vulnerability via a hash indicator of compromise. |
IBM Security QRadar Endpoint 2.8.0
The following table shows the new rules and building blocks in IBM Security QRadar Endpoint Content Extension 2.8.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: Account Tampering - Suspicious Failed Logon Reasons | Detects uncommon error codes on failed logon to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. |
Building Block | BB:BehaviorDefinition: Cloud Account Discovery | Detects cloud account discovery commands. |
Building Block | BB:BehaviorDefinition: Cloud Firewall Modified or Stopped | Detects a cloud firewall that is modified or stopped. |
Building Block | BB:BehaviorDefinition: Create Process with Token | Detects token creation from PowerShell. |
Building Block | BB:BehaviorDefinition: Email Account Discovery from PowerShell | Detects email account discovery from PowerShell. |
Building Block | BB:BehaviorDefinition: Invalid Password at Login | Detects invalid password at login. |
Building Block | BB:BehaviorDefinition: Invalid Password during Kerberos Pre-Authentication | Detects invalid password login during Kerberos pre-authentication. |
Building Block | BB:BehaviorDefinition: Mailbox Permission Added | Detects mailbox permissions that are added. |
Building Block | BB:BehaviorDefinition: Potential Initial Access Tasks | Defines potential initial access tasks. These include activities such as account discovery, stopping a firewall, or changing permissions. |
Building Block | BB:BehaviorDefinition: Rogue Named Pipe Impersonation | Detects a privilege escalation attempt via rogue named pipe impersonation. |
Building Block | BB:BehaviorDefinition: Suspicious Changing of User Agent | Detects a suspicious changing of user agent. Adversaries may communicate using application layer protocols associated with web traffic to avoid detection or network filtering by blending in with existing traffic. |
Building Block | BB:BehaviorDefinition: Suspicious Outbound SMTP Connections | Detects potential exfiltration over SMTP protocol. |
Building Block | BB:BehaviorDefinition: Suspicious Remote Logon with Explicit Credentials | Detects suspicious processes logging on with explicit credentials. |
Building Block | BB:BehaviorDefinition: User Added to Local Administrators | Detects user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity. |
Building Block | BB:BehaviorDefinition: User Agent Changed via Curl | Detects user agent changed via curl. |
Building Block | BB:BehaviorDefinition: User Agent Changed via PowerShell | Detects user agent changed via PowerShell. |
Building Block | BB:BehaviorDefinition: Windows Firewall Stopped | Detects a Windows firewall stopped. |
Rule | Access Token Abuse | Detects token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.) |
Rule | Dllhost Outbound Network Connection | Detects outbound connections initiated by dllhost.exe. |
Rule | Dump Credentials from Windows Credential Manager With PowerShell | Detects adversaries searching for common password storage locations to obtain user credentials. |
Rule | Enumerate Credentials from Windows Credential Manager With PowerShell | Detects adversaries searching for common password storage locations to obtain user credentials. |
Rule | Impair Command History Logging Activity Detected | Detects impair command history logging activity. |
Rule | Multiple Login Failures due to Bad Password | Detects adversary performing password spraying. |
Rule | Multiple Login Failures from Default Accounts | Detects multiple login failures from default accounts. |
Rule | Possible Brute Force Attempt | Detects adversary performing brute force. |
Rule | Potential Exfiltration of Stored Credentials from Browsers | Detects potential exfiltration of credentials stored in browsers. |
Rule | PPID Spoofing Detected | Detects PPID spoofing on the system. |
Rule | Regsvr32 Outbound Network Connection | Detects outbound connections initiated by the regsvr32.exe file. |
Rule | RunDLL32 Outbound Network Connection | Detects outbound connections initiated by the rundll32.exe file. |
Rule | Suspicious Activity Followed by Potential Initial Access Task | Triggers when potential initial access tasks are performed, followed by suspicious activity. Initial access tasks include account discovery, turning off a firewall, and more. |
Rule | Stored Credentials from Windows | Detects stored credentials from Windows. |
Rule | SID History Injection | Detects SID (security identifier) history injection activities. |
Rule | Suspicious Valid Accounts Logon | Triggers when a suspicious login from a valid account is detected. |
Rule | Token Impersonation via PowerShell | Detects adversaries leveraging Windows API functions related to token impersonation or theft. |
The following is a list of new custom properties in the IBM Security QRadar Endpoint 2.8.0 content extension.
Name | Description | Optimized |
---|---|---|
Authentication Package | Default custom extraction of Authentication Package from DSM payload. | Yes |
Attribute New Value | Default custom extraction of Attribute New Value from DSM payload. | No |
Description | Default custom extraction of Description from DSM payload. | No |
Initiated | Default custom extraction of Initiated from DSM payload. | Yes |
Impersonation Level | Default custom extraction of Impersonation Level from DSM payload. | Yes |
Logon Process | Default custom extraction of Logon Process from DSM payload. | Yes |
Target Server Name | Default custom extraction of Target Server Name from DSM payload. | No |
IBM Security QRadar Endpoint 2.7.2
The following table shows the new rules in IBM Security QRadar Endpoint Content Extension 2.7.2.
Type | Name | Description |
---|---|---|
Rule | Detection of Turla Directory and Filename IOC in Events | Triggers when an IOC is recognized as a Turla directory and filename combination. Note: The rules Malware as a Service Hash IOC in Events and Ransomware: Ryuk IOC in Events are excluded from this rule to avoid repetition; their purpose is to have a dedicated rule response. |
Rule | Detection of Turla Filename IOC in Events | Triggers when an IOC is recognized as a Turla-related filename. Note: The rules Malware as a Service Hash IOC in Events and Ransomware: Ryuk IOC in Events are excluded from this rule to avoid repetition; their purpose is to have a dedicated rule response. |
Rule | Detection of Turla Hash IOC in Events | Triggers when an IOC is recognized as a Turla hash. Note: The rules Malware as a Service Hash IOC in Events and Ransomware: Ryuk IOC in Events are excluded from this rule to avoid repetition; their purpose is to have a dedicated rule response. |
Rule | Detection of Turla IP IOC in Events | Triggers when an IOC is recognized as a known Turla IP. Note: The rules Malware as a Service Hash IOC in Events and Ransomware: Ryuk IOC in Events are excluded from this rule to avoid repetition; their purpose is to have a dedicated rule response. |
Rule | Detection of Turla Registry IOC in Events | Triggers when an IOC is recognized as a Turla registry value. Note: The rules Malware as a Service Hash IOC in Events and Ransomware: Ryuk IOC in Events are excluded from this rule to avoid repetition; their purpose is to have a dedicated rule response. |
Rule | Detection of Turla URL Host IOC in Events | Triggers when an IOC is recognized as a known Turla URL host. Note: The rules Malware as a Service Hash IOC in Events and Ransomware: Ryuk IOC in Events are excluded from this rule to avoid repetition; their purpose is to have a dedicated rule response. |
Rule | Detection of Turla URL IOC in Events | Triggers when an IOC is recognized as a known Turla URL. Note: The rules Malware as a Service Hash IOC in Events and Ransomware: Ryuk IOC in Events are excluded from this rule to avoid repetition; their purpose is to have a dedicated rule response. |
- Turla SHA Hashes
- Turla MD5 Hashes
- Known Turla Filenames
- Known Turla URLs
- Known Turla IPs
- Known Turla Hostnames
IBM Security QRadar Endpoint 2.7.1
- BB:BehaviorDefinition: Critical Process Created
- BB:BehaviorDefinition: Critical Process Created by Shortcut (lnk) File
- BB:BehaviorDefinition: New File Created in Temporary Directory
- BB:BehaviorDefinition: New Registry Added to HKLM/HKCU (Windows)
The Malware Clean Failed saved search has been removed.
Reference set link IDs that were incorrect are fixed.
IBM Security QRadar Endpoint 2.7.0
The following table shows the new rules in IBM Security QRadar Endpoint Content Extension 2.7.0.
Type | Name | Description |
---|---|---|
Rule | Microsoft Windows RCE Vulnerability - File Modification | Detects remote code execution vulnerabilities in Microsoft Exchange. Microsoft issued CVE-2022-41040 and CVE-2022-41082 for Exchange Server. |
Rule | Microsoft Windows RCE Vulnerability - Suspicious Download Using Certutil | Detects remote code execution vulnerabilities in Microsoft Exchange. Microsoft issued CVE-2022-41040 and CVE-2022-41082 for Exchange Server. |
Rule | Microsoft Windows RCE Vulnerability - Suspicious Files | Detects remote code execution vulnerabilities in Microsoft Exchange. Microsoft issued CVE-2022-41040 and CVE-2022-41082 for Exchange Server. |
Rule | Microsoft Windows RCE Vulnerability - Suspicious Hashes | Detects known Windows RCE SHA256 hashes. |
Rule | Microsoft Windows RCE Vulnerability - Suspicious Ips | This rule detects known Windows RCE IPs. Note: Tune based on log sources to reduce the number of events that match this rule. |
IBM Security QRadar Endpoint 2.6.0
The following table shows the new building blocks and rules in IBM Security QRadar Endpoint Content Extension 2.6.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: Critical Process Created | Detects new critical processes that are created. Critical processes are ones that can potentially be misused by adversaries to perform malicious activities. Common processes include PowerShell, cmd, and mshta. Note: The rule can be tuned by the Process CommandLine field. Some common Process CommandLine keywords that appear in malware are findstr, tmp, temp, vbs, regsvr32, command, outfile, dll, and http. |
Building Block | BB:BehaviorDefinition: Critical Process Created by Shortcut (lnk) File | Detects new processes that are created from shortcut (lnk) files. Processes typically used by adversaries, such as PowerShell, cmd, and mshta, should be monitored. |
Building Block | BB:BehaviorDefinition: Excessive File Modifications | Detects excessive file modifications within a short duration. |
Building Block | BB:BehaviorDefinition: New File Created in Temporary Directory | Detects new files created under temporary directories. Certain temporary directories may be used by adversaries to drop malicious files. Note: The directories monitored are. |
Building Block | BB:BehaviorDefinition: New Registry Added to HKLM/HKCU (Windows) | Detects a new registry key set under the HKLM or HKCU hives. While this activity alone is legitimate, if potential ransomware behaviors are also detected this may be a persistence method. |
Building Block | BB:BehaviorDefinition: Shortcut (lnk) File Executing a Critical Process (1) | Detects critical processes created from shortcut (lnk) files, in the order expected by QRadar rules. Note: Events may be received in the wrong order; see BB:BehaviorDefinition: Shortcut (lnk) File Executing a Critical Process (2) for the reverse order. |
Building Block | BB:BehaviorDefinition: Shortcut (lnk) File Executing a Critical Process (2) | Detects critical processes created from shortcut (lnk) files, in the order expected by QRadar rules. Note: Events may be received in the wrong order; see BB:BehaviorDefinition: Shortcut (lnk) File Executing a Critical Process (1) for the reverse order. |
Rule | Potential Mailto Ransomware Behavior (Windows) | Triggers when a potential mailto ransomware behavior is detected. A mailto ransomware typically performs the following steps (may have slight changes based on the variant): |
Rule | Potential Windows Exploit via MSDT |
Triggers when a potential Microsoft Support Diagnostic Tool (MSDT) vulnerability exploitation is detected. Microsoft issued CVE-2022-30190 for the vulnerability in MSDT. The adversary may achieve remote code execution by using MSDT to run arbitrary code. |
Rule | Shortcut (lnk) File Executing Commands (Windows) | Triggers when a shortcut (lnk) file has created processes that can execute commands. Several malware families, such as Emotet, use shortcut files that execute malicious commands when opened. |
Additional rules are added in the rule filter for the BB:BehaviorDefinition: Suspicious Endpoint Activities building block.
The rule filter is updated for the Ransomware Encrypted File Extension rule.
IBM Security QRadar Endpoint 2.5.0
The following table shows the new building blocks and rules in IBM Security QRadar Endpoint Content Extension 2.5.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: Communication with a Potential Hostile Host (Reference Sets) | Defines communication with a potential hostile host, categorized by reference sets. The reference sets whose names start with the "XFE ATPF" prefix are automatically managed by the Threat Intelligence app and require a paid subscription. The other reference sets are provided by the Threat Intelligence app and can be used to include third-party threat intelligence feeds. |
Building Block | BB:BehaviorDefinition: Communication with a Potential Hostile Host (X-force Categorization) | Triggers when communication with a potential hostile host is detected. Categorized by X-force. |
Building Block | BB:BehaviorDefinition: Communication with a Potential Hostile IP Address (Reference Sets) | Defines communication with a potential hostile IP address, categorized by reference sets. The reference sets whose names start with the "XFE ATPF" prefix are automatically managed by the Threat Intelligence app and require a paid subscription. The other reference sets are provided by the Threat Intelligence app and can be used to include third-party threat intelligence feeds. |
Building Block | BB:BehaviorDefinition: Communication with a Potential Hostile IP Address (X-force Categorization) | Triggers when communication with a potential hostile IP address is detected. Categorized by X-force. |
Rule | BB:BehaviorDefinition: Critical File Modification | Detects any modification, including creation or deletion, of critical files or directories. |
Rule | Critical File Modified followed by Suspicious Activity | Triggers when a critical file or directory is modified, followed by suspicious activity. This can be indicative of an attacker that is modifying files and dropping executable files to gain access to the host. |
Rule | Excessive Login Failures via RDP Connection | Triggers when multiple failed authentication events on the same machine in RDP from a single source IP address are detected. |
- Critical File Deleted
- Critical File Permission Changed
The following is a list of building blocks and rules that have received an update to their rule notes in IBM Security QRadar Endpoint Content Extension 2.5.0.
- Communication with a Potential Hostile Host
- Communication with a Potential Hostile IP Address
- Excessive Login Failures via Network Connection
The rule filter is updated for the Communication with a Potential Hostile Host and Communication with a Potential Hostile IP Address building blocks.
The following is a list of the new reference sets in IBM Security QRadar Endpoint Content Extension 2.5.0.
- XFE ATPF-anonsvcs_ipv4
- XFE ATPF-anonsvcs_ipv6
- XFE ATPF-anonsvcs_url
- XFE ATPF-bots_ipv4
- XFE ATPF-bots_ipv6
- XFE ATPF-c2server_ipv4
- XFE ATPF-c2server_ipv6
- XFE ATPF-c2server_url
- XFE ATPF-cryptomining_ipv4
- XFE ATPF-cryptomining_ipv6
- XFE ATPF-cryptomining_url
- XFE ATPF-ew_url
- XFE ATPF-mw_ipv4
- XFE ATPF-mw_ipv6
- XFE ATPF-mw_url
- XFE ATPF-phishing_url
- XFE ATPF-scanning_ipv4
- XFE ATPF-scanning_ipv6
The following is a list of reference sets whose element type is updated to "Alphanumeric Ignore Case" in IBM Security QRadar Endpoint Content Extension 2.5.0.
- Petya_File_Hash
- Petya_File_Name
- Shims Allowlist
- WCry_FileHash
- WCry_FileName
- WCry_HostName
IBM Security QRadar Endpoint 2.4.0
The following table shows the custom properties in IBM Security QRadar Endpoint Content Extension 2.4.0.
Name | Optimized | Found in |
---|---|---|
Integrity Level | Yes | Microsoft Windows |
ParentCommandLine | Yes | Microsoft Windows |
Process Id | Yes | Microsoft Windows |
Registry Value Name | Yes | Microsoft Windows |
Signed | Yes | Microsoft Windows |
Expression IDs are fixed in the Encoded Argument, StartAddress, and Terminated Process Name custom properties.
The following table shows the rules and building blocks in IBM Security QRadar Endpoint 2.4.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: Image Loaded from Mock System Directory | Triggers when an executable or DLL is loaded from a directory masquerading as the system directory. |
Building Block | BB:BehaviorDefinition: Suspicious Endpoint Activities | Potential UAC Bypass is added to the list of suspicious activities. |
Building Block | BB:BehaviorDefinition: UAC Bypass - DLL Hijacking (Non-System Directory) | Triggers when specific files are dropped to specific locations where they can be loaded and run without UAC using genuine Windows executables. |
Building Block | BB:BehaviorDefinition: UAC Bypass - DLL Hijacking (System Directory) | Triggers when a privileged process loads an unsigned DLL from the system directory. |
Building Block | BB:BehaviorDefinition: UAC Bypass - Elevated COM Object | Triggers when COM interfaces that can bypass UAC are hosted by the dllhost.exe file and spawn a privileged process. |
Building Block | BB:BehaviorDefinition: UAC Bypass - IE Add-On Installer | Triggers when the Internet Explorer add-on installer spawns a privileged process when started from a COM interface. |
Building Block | BB:BehaviorDefinition: UAC Bypass - Mock System Directory (Image) | Triggers when a privileged process loads an executable or DLL from a directory masquerading as the system directory. |
Building Block | BB:BehaviorDefinition: UAC Bypass - Mock System Directory (Process) | Triggers when a privileged process starts from a directory masquerading as the system directory. |
Building Block | BB:BehaviorDefinition: Unsigned DLL Loaded from System Directory | Triggers when an unsigned DLL is loaded from the system directory. |
Building Block | BB:CategoryDefinition: Elevated Process (Windows) | Identifies elevated processes. |
Building Block | BB:CategoryDefinition: UAC Bypass Registry Key | Identifies registry keys known to facilitate UAC bypassing. |
Rule | Potential UAC Bypass | Triggers when behavior associated with bypassing Windows User Account Control is detected. |
IBM Security QRadar Endpoint 2.3.0
The following table shows the custom properties in IBM Security QRadar Endpoint Content Extension 2.3.0.
Name | Optimized | Found in |
---|---|---|
Encoded Argument | Yes | Microsoft Windows |
The following table shows the rules and building blocks in IBM Security QRadar Endpoint 2.3.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: Remote Desktop Access from a Remote Host | Identifies flows where a remote desktop application is being accessed from a remote host. |
Building Block | BB:BehaviorDefinition: Administrative Share Accessed | Triggers when an administrative share is accessed. |
Building Block | BB:BehaviorDefinition: Cobalt Strike Inbound Traffic | Identifies flows that show a host sending mail to remote hosts. |
Building Block | BB:BehaviorDefinition: Cobalt Strike Inbound Traffic | Triggers when a TLS fingerprint known to be a communication from a Cobalt Strike server is detected. |
Building Block | BB:BehaviorDefinition: Cobalt Strike Outbound Traffic | Triggers when a TLS fingerprint known to be a communication from a Cobalt Strike client is detected. |
Building Block | BB:BehaviorDefinition: Potential Cobalt Strike Traffic | Triggers when a TLS fingerprint known to be related to Cobalt Strike is observed. Cobalt Strike is a penetration-testing tool commonly used by red teams. However, malicious actors often use illegally obtained versions of this application in their own attacks. The rule matches both client and server fingerprints to reduce the risk of false positives. |
Building Block | BB:BehaviorDefinition: Programming Environment Started with a Privileged Account | Triggers when a programming environment has been started with a privileged account. |
Building Block | BB:BehaviorDefinition: Regular Endpoint Administration | Defines regular administration activity such as user management, downloading files from the command line, or execution with elevated privilege. |
Building Block | BB:BehaviorDefinition: Suspicious Endpoint Activities | Defines suspicious endpoint activities. |
Building Block | BB:BehaviorDefinition: VNC Activity from a Remote Host | Identifies flows where a VNC service is being accessed from a remote host. |
Rule | Cobalt Strike Behaviour Detected | Triggers when behavior potentially belonging to Cobalt Strike is detected. Cobalt Strike is a penetration-testing tool commonly used by red teams. However, malicious actors often use illegally obtained versions of this application in their own attacks. |
Rule | Communication with a Potential Hostile Host | Triggers when communication with a potentially hostile host, categorized as such by X-Force or listed in the reference set collection, is detected. |
Rule | Encoded Command Malicious Usage in a Programming Environment | Triggers when an encoded command is used in a programming environment such as cmd or PowerShell. |
Rule | Malware: Potential Dridex Traffic | Triggers when a TLS fingerprint known to be related to the Dridex trojan is observed. The rule matches both client and server fingerprints to reduce the risk of false positives. |
Rule | Malware: Potential Emotet Traffic | Triggers when a JA3 fingerprint known to be related to the Emotet trojan is observed. The rule matches both client and server fingerprints to reduce the risk of false positives. |
Rule | Malware: Potential Empire Traffic | Triggers when a TLS fingerprint known to be related to the Empire downloader is observed. The rule matches both client and server fingerprints to reduce the risk of false positives. |
Rule | Malware: Potential Trickbot Traffic | Triggers when a TLS fingerprint known to be related to the Trickbot trojan is observed. The rule matches both client and server fingerprints to reduce the risk of false positives. |
Rule | Potential Metasploit Traffic | Triggers when a TLS fingerprint known to be related to Metasploit is observed. Metasploit is a penetration-testing tool commonly used by red teams. However, malicious actors often use it in their own attacks. The rule matches both client and server fingerprints to reduce the risk of false positives. |
Rule | Potential Tor Traffic | Triggers when a TLS fingerprint known to be related to the Tor project is observed. Tor is a non-malicious anonymization service that can nevertheless be used to bypass policies and conduct malicious activities. The rule matches both client and server fingerprints to reduce the risk of false positives. |
Rule | Ransomware: Ryuk Potential Traffic | Triggers when a TLS fingerprint known to be related to the Ryuk ransomware is observed. The rule matches both client and server fingerprints to reduce the risk of false positives. |
Rule | Remote: Remote Desktop Access from the Internet | Triggers when the Microsoft Remote Desktop Protocol is detected from the internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should disable this rule. |
Rule | Remote: VNC Access from the Internet | Triggers when VNC (a remote desktop access application) is detected from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, disable this rule. |
Rule | Service Configured to Use PowerShell | Triggers when a service is configured to use PowerShell. |
Rule | Suspicious Parent for a process | Triggers when a service is configured to use PowerShell. |
Rule | Suspicious PSExec Module Usage Detected | Triggers when usage of the PSExec module is detected. |
The following table shows the updated reference sets in IBM Security QRadar Endpoint 2.3.0.
Name | Description |
---|---|
Default Process Name and Process Directories | Lists sensitive processes and their directories. |
A synchronization error was fixed in the Endpoint Overview Pulse dashboard.
IBM Security QRadar Endpoint 2.2.0
The following table shows the custom properties in IBM Security QRadar Endpoint Content Extension 2.2.0.
Name | Optimized | Found in |
---|---|---|
ServiceFileName | Yes | Microsoft Windows |
The following table shows the rules and building blocks in IBM Security QRadar Endpoint 2.2.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: Malware as a Service Path IOC |
Triggers when a file path indicator of compromise (IoC) related to Malware as a Service (MaaS), such as the Emotet Trojan and Trickbot Trojan, is observed. IoCs follow the pattern in these custom directories:
The Malware as a Service_Path reference set is prepopulated. Tune this reference set with relevant IoCs. |
Rule | Potential Memory Code Injection | Triggers when a Cobalt Strike beacon spawns a Windows process. A Cobalt Strike beacon spawns a native Windows binary and manipulates its memory space, which results in the spawned process having no command-line arguments specified. |
Rule | Service Configured to Use a Pipe | Triggers when a service is configured to use a pipe. This could indicate an attacker gaining access to a user's system through privilege escalation by using getsystem. |
IBM Security QRadar Endpoint 2.1.1
Fixed a synchronization error in the Endpoint Overview and Ransomware Pulse dashboards.
IBM Security QRadar Endpoint 2.1.0
The following table shows the custom properties in IBM Security QRadar Endpoint Content Extension 2.1.0.
Name | Optimized | Found in |
---|---|---|
Process Name | Yes | |
Terminated process | Yes | Microsoft Windows |
The following table shows the rules and building blocks in IBM Security QRadar Endpoint 2.1.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: Malware as a Service Path IOC |
Triggers when a file path indicator of compromise (IoC) related to Malware as a Service (MaaS), such as the Emotet Trojan and Trickbot Trojan, is observed. IoCs follow the pattern in these custom directories:
The Malware as a Service_Path reference set is prepopulated. Tune this reference set with relevant IoCs. |
Building Block | BB:DeviceDefinition: Operating System | Defines all operating systems on the system. |
Rule | Detection of Malicious IOC in Events | Triggers when an IoC is categorized as malicious in a reference set collection. The Malware as a Service Hash IOC in Events and Ransomware: Ryuk IOC in Events rules are excluded from this rule to avoid repetition, because each of them has its own dedicated rule response. |
Rule | Detection of Malicious IOC in Flows | Triggers when an IoC is categorized as malicious in a reference set collection. The Malware as a Service Hash IOC in Flows and Ransomware: Ryuk IOC in Flows rules are excluded from this rule to avoid repetition, because each of them has its own dedicated rule response. |
Rule | Excessive Administrative Share Access Failures from the Same Host | Triggers when repeated failures to access administrative shares are seen from the same host. This rule was renamed from Excessive Failed Access to an Administrative Share from the Same Source. |
Rule | Excessive Login Failures via Network Connection | Triggers when multiple failed authentication events on the same machine from a single source IP address are detected. This behavior indicates a potential brute-force attempt to access a machine. This rule was renamed from Excessive Login Failures via RDP. |
Rule | Excessive Login Failures via Network Connection to Multiple Machines | Triggers when multiple failed authentication events on different machines from a single source IP address are detected. This behavior indicates a potential brute-force attempt to access a machine. This rule was renamed from Excessive Login Failures via Network Connection to Multiple Machines. |
Rule | Malicious DLL created by spoolsv | Triggers when a suspicious file has been created by spoolsv.exe. |
Rule | Malware as a Service Behaviour | Triggers when Malware as a Service behavior is observed. This behavior includes the use of a download utility on the endpoint together with a file path that matches an indicator of compromise. |
Rule | Malware as a Service Hash IOC in Events | Triggers when a file hash IoC related to MaaS, such as the Emotet Trojan and Trickbot Trojan, is observed. The Malware as a Service_SHA1, Malware as a Service_SHA256, and Malware as a Service_MD5 reference sets are prepopulated. Tune these reference sets with relevant IoCs. |
Rule | Malware as a Service Hash IOC in Flows | Triggers when a file hash IoC related to MaaS, such as the Emotet Trojan and Trickbot Trojan, is observed. The Malware as a Service_SHA1, Malware as a Service_SHA256, and Malware as a Service_MD5 reference sets are prepopulated. Tune these reference sets with relevant IoCs. |
Rule | Programming Environment Spawned by a Suspicious Process | Triggers when a programming environment is spawned by a suspicious process. This could indicate an attacker trying to execute a malicious script. This rule was updated for Windows vulnerabilities. |
Rule | Ransomware Decryption Instructions Created | Triggers when a decryption instruction file name is found on a machine. It is typical for ransomware to create a decryption instruction file to provide users with instructions on how to pay the ransom to recover their files. This file is often named with common terms such as decrypt, recover, instructions, or how to. This rule was updated for Ryuk ransomware. |
Rule | Ransomware Encrypted File Extension | Triggers when a known ransomware file extension is detected. Ransomware typically encrypts files and appends a specific file extension as part of its process. This rule was updated for Ryuk ransomware. |
Rule | Ransomware IOCs Detected on Multiple Machines | Triggers when a ransomware IoC is detected on five or more different machines. This could indicate that the ransomware is successfully spreading in the network. This rule was updated for all of the new detection rules that were added in this release. |
Rule | Ransomware: Ryuk IOC in Events | Triggers when a file hash IoC related to Ryuk ransomware is observed. The Ryuk_SHA256, Ryuk_SHA1, and Ryuk_MD5 reference sets are prepopulated. Tune these reference sets with relevant IoCs. |
Rule | Ransomware: Ryuk IOC in Flows | Triggers when a file hash IoC related to Ryuk ransomware is observed. The Ryuk_SHA256, Ryuk_SHA1, and Ryuk_MD5 reference sets are prepopulated. Tune these reference sets with relevant IoCs. |
Rule | Ransomware: Ryuk Service or Process Termination | Triggers when Ryuk ransomware terminates running processes after making a copy of itself. The Ryuk Service and Process Termination List reference set is prepopulated. Tune this reference set with relevant services and processes. |
The following table shows the reference sets in IBM Security QRadar Endpoint 2.1.0.
Name | Description |
---|---|
Malware as a Service_MD5 | Lists MD5 file hashes that are indicators for Malware as a Service. |
Malware as a Service_Path | Lists file paths that are indicators for Malware as a Service. |
Malware as a Service_SHA1 | Lists SHA1 file hashes that are indicators for Malware as a Service. |
Malware as a Service_SHA256 | Lists SHA256 file hashes that are indicators for Malware as a Service. |
Pulse_imports | Pulse dashboard. |
Ryuk Service and Process Termination List | Lists possible processes or services terminated by Ryuk ransomware. |
Ryuk_MD5 | Lists MD5 file hashes that are indicators for Ryuk ransomware. |
Ryuk_SHA1 | Lists SHA1 file hashes that are indicators for Ryuk ransomware. |
Ryuk_SHA256 | Lists SHA256 file hashes that are indicators for Ryuk ransomware. |
The Pulse dashboard added in IBM Security QRadar Endpoint Content Extension 2.1.0 contains eight widgets related to ransomware:
- One with statistics about the number of machines affected per rules.
- One with statistics about the number of alerts per machine.
- Six tables which represent the six phases of an attack.
The first two widgets include all rules from each phase:
WHERE (RULENAME(creEventList) IN ('Attempt to Delete Shadow Copies', 'Critical File Deleted (Unix)', 'RDP Hijacking Tool Detected', 'Recovery Disabled in Boot Configuration Data', 'Detection of Malicious File or Process', 'Detection of Malicious IOC', 'File Decode or Download followed by Suspicious Activity', 'Cobalt Strike Behaviour Detected', 'Excessive Failed Access to an Administrative Share from the Same Source', 'Excessive Nslookup Usage', 'Reconnaissance Tool Detected', 'Excessive File Deletion and Creation', 'Suspicious Amount of Files Renamed on the Same Machine (Windows)', 'Suspicious Amount of Files Renamed/Moved on the Same Machine (Unix)', 'Suspicious Amount of Files Deleted on the Same Machine')
OR RULENAME(creEventList) MATCHES '.*(Ransomware|Maze|Bad Rabbit|Petya|REvil|Ryuk|WCry|Malware as a Service Hash IOC).*?')
The following table lists the rules included for each phase.
Phase | Rules |
---|---|
Distribution | |
Staging | |
Infection | |
Reconnaissance | |
Encryption | |
Ransom notification | Ransomware Decryption Instructions Created |
IBM Security QRadar Endpoint 2.0.0
The following table shows the custom properties in IBM Security QRadar Endpoint Content Extension 2.0.0.
Name | Optimized | Found in |
---|---|---|
Logon Type | Yes | Microsoft Windows |
Share Name | Yes | Microsoft Windows |
StartAddress | Yes | Microsoft Windows |
The following table shows the rules and building blocks in IBM Security QRadar Endpoint 2.0.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: Cobalt Strike Inbound Traffic | Triggers when a TLS fingerprint known to be a communication from a Cobalt Strike server is detected. |
Building Block | BB:BehaviorDefinition: Cobalt Strike Outbound Traffic | Triggers when a TLS fingerprint known to be a communication from a Cobalt Strike client is detected. |
Building Block | BB:BehaviorDefinition: Cobalt Strike Port Usage | Triggers when outbound TCP traffic over port 50050 is detected. This is the default port for communication with a Cobalt Strike server. |
Building Block | BB:BehaviorDefinition: Cobalt Strike Process Address | Triggers when a remote thread is created at a start address ending in "0B80". This behavior is indicative of a thread being created by Cobalt Strike. |
Building Block | BB:BehaviorDefinition: Directory Discovery (Unix) | Defines when a Unix command is run that discovers a large number of directories. The commands detected by this rule are: |
Building Block | BB:BehaviorDefinition: Directory Discovery (Windows) | Defines when a PowerShell command is run that discovers directories recursively. This can occur when the Get-ChildItem function is run with the -recurse argument, or is used inside a ForEach loop. |
Building Block | BB:BehaviorDefinition: File Creation and Deletion | Detects file creation and file deletion events in the same directory on a Windows computer, and can be used in rules to detect multiple file modifications across many directories. |
Building Block | BB:BehaviorDefinition: PowerShell File Upload Activity | Triggers when PowerShell is used to upload files. |
Building Block | BB:BehaviorDefinition: Repeated nslookup Usage | Triggers when nslookup is used repeatedly. At this threshold the activity can still be normal administration behavior, so it must be correlated with other events before it is considered abnormal. |
Building Block | BB:CategoryDefinition: Multiple File Deletions on Endpoint System | Triggers when multiple non-temporary files are deleted on endpoint systems. |
Building Block | BB:BehaviorDefinition: Hostname or Network Discovery | Matches when a hostname or network discovery action is performed. |
Building Block | BB:BehaviorDefinition: Regular Endpoint Administration | Defines regular administration activity such as user management, downloading files from the command line, or execution with elevated privilege. |
Building Block | BB:BehaviorDefinition: Suspicious Endpoint Activities | Defines suspicious endpoint activities. |
Rule | Attempt to Delete Shadow Copies | Triggers when a command to delete shadow copies is run. Malicious programs can attempt to use Windows Management Instrumentation or Vssadmin to remove snapshots of files created by Windows. |
Rule | Cobalt Strike Behaviour Detected | Triggers when behavior potentially belonging to Cobalt Strike is detected. Cobalt Strike is a penetration-testing tool that is commonly used by red teams. However, malicious actors often use illegally obtained versions of this application for attacks. |
Rule | Critical File Deleted (Unix) | Detects when a critical file, or a file in a critical directory, is deleted. Swap files are excluded by default, and any other file extensions that you do not want to monitor can be excluded as well. Edit the BB:CategoryDefinition: Files with Sensitive Permissions building block with the files or directories to monitor. These locations should be related to boot, backup, logging, or credentials, which have a higher severity when exploited. |
Rule | Detection Malicious File or Process | Detects when a file name or process name considered to be part of malware execution is observed. This rule monitors for the following file or process names: |
Rule | Excessive Failed Access to an Administrative Share from the Same Source | Triggers after consecutive failed attempts to access an administrative share are observed. |
Rule | Excessive Files Deletion and Creation | Triggers when a large number of files are being created and deleted across multiple directories. This might indicate the presence of ransomware such as WCry or SamSam, which creates an encrypted copy of a file before deleting the original. |
Rule | Excessive Login Failures via RDP | Triggers when multiple failed authentication events on the same machine over RDP from a single source IP address are detected. This behavior indicates a potential brute-force attempt to access a machine. |
Rule | Excessive Login Failures via RDP to Multiple Machines | Triggers when multiple failed authentication events on different machines over RDP from a single source IP address are detected. This behavior indicates a potential brute-force attempt to access multiple machines. |
Rule | Excessive Nslookup Usage | Triggers when the nslookup command is executed an excessive number of times from the same machine. This behavior might indicate a malicious actor attempting to gather information about the network to exfiltrate. |
Rule | Ransomware Decryption Instructions Created | Triggers when a decryption instruction file name is found on a machine. It is typical for ransomware to create a decryption instruction file to provide users with instructions on how to pay ransom to recover their files. This particular file is often named with common terms such as: decrypt, recover, instructions, how to, and so on. |
Rule | Ransomware Encrypted File Extension | Triggers when a known ransomware file extension is detected. Ransomware typically encrypts files and appends a specific file extension as part of its process. The full list of extensions is: aes_ni, 1999, _23-06-2016-20-27-23_$f_tactics@aol.com$.legion, _crypt, $centurion_legion@aol.com$.cbf, 0x0, 34xxx, 3angle@india.com, 73i87a, 8lock8, aaa, abc, acrypt, aes_ni_0day, aes256, alcatraz, arzamass7@163.com, bart.zip, better_call_saul, biz, blackblock, bleep, bloc, bloccato, btc, btc-help-you, btcbtcbtc, btcware, bugsecccc, cazzo, ccc, cerber, chifrator@qq_com, clf, code, coverton, crab, crime, crinf, crjoker, cry, cryp1, crypt, crypted, cryptendblackdc, crypto, cryptobyte, cryptoshield, cryptotorlocker2015!, cryptowall, cryptowin, crysis, ctb2, ctbl, czvxce, darkness, dharma, dll555, don0t0uch7h!$cryptedfile, doomed, duhust, dyatel@qq_com_ryp, ecc, ecovector2@aol.com, ecrypt, enc, encedrsa, enciphered, encrypt, encrypted, encryptedaes, encryptedfile, encryptedrsa, encryptile, enigma, epic, exploit, exx, ezz, flyper, foobar.docx.onyon, frozen, fucked, fun, gdcb, gefickt, globe, good, greg_blood@india.com, gruzin@qq_com, gsupport, gws, ha3, hb15, helpdecrypt@ukr, hnyear, hollycrypt, html, hush, infected, j, johnycryptor@hackermail.com, justbtcwillhelpyou, keybtc@inbox_com, keyh0les, keyz, kimcilware, kimcilware.lechiffre, kkk, korrektor, krab, kraken, kratos, krypted, kyra, lechiffre, lesli, lock, locked, locky, lok, lol!, magic, mecpt, micro, milarepa.lotos@aol.com, mole, monstro, mychemicalromance4ever, nalog@qq_com, no.btc@protonmail.ch, no.btcw@protonmail.ch, no.xop@protonmail.ch, nochance, obfuscated, omg!*, only-we_can-help_you, oor, oplata@qq_com, oshit, p5tkjw, payb, paybtcs, paymds, paymrts, payms, paymst, paymts, payransom, payrms, payrmts, pays, pizda@qq_com, poar2w, porno, pornoransom, purged, pzdc, r16m01d05, r4a, r5a, radamant, raid, razy, rdm, rdmk, relock@qq_com, remind, rmd, rokku, rrk, rscl, saeid, sanction, savepanda@india.com, scl, securecrypted, siri-down@india.com, sport, sql772@aol.com, supercrypt, surprise, systemdown@india.com, szf, theva, tombit@india.com, toxcrypt, troyancoder@qq_com, trun, ttt*, uk-dealer@sigaint.org, unlockit, vault, vegclass@aol.com, versiegelt, vscrypt, vvv, wallet, xdata, xort, xrnt, xrtn, xtbl, xxx, xyz, zendr, zendrz, zepto, zzz, 암호화됨 |
Rule | Ransomware IOCs Detected on Multiple Machines | Triggers when a ransomware IOC is detected on five or more different machines. This might indicate that the ransomware is successfully spreading in the network. |
Rule | Ransomware: BadRabbit IOC in Events | Triggers when an IOC (file name, file hash, hostname, IP address) related to BadRabbit Ransomware is observed. |
Rule | Ransomware: BadRabbit IOC in Flows | Triggers when an IOC (file name, file hash, hostname, IP address) related to BadRabbit Ransomware is observed. |
Rule | Ransomware: Maze IOC in Events | Triggers when an IOC (Filename) related to Maze Ransomware is observed. |
Rule | Ransomware: Maze Suspicious File Transfer | Triggers when a file transfer associated with Maze ransomware data exfiltration is detected. |
Rule | Ransomware: Petya / NotPetya IOC in Events | Triggers when an IOC (file name, file hash, hostname, IP address) related to Petya Ransomware is observed. |
Rule | Ransomware: Petya / NotPetya IOC in Flows | Triggers when an IOC (file name, file hash, hostname, IP address) related to Petya Ransomware is observed. |
Rule | Ransomware: Petya / NotPetya Payload in Flows | Triggers when a Petya payload is observed in flows. |
Rule | Ransomware: REvil IOC in Events | Triggers when an IOC (Filename) related to REvil Ransomware, also known as Sodinokibi and Sodin, is observed. |
Rule | Ransomware: WCry IOC in Events | Triggers when an IOC (file name, file hash, hostname, IP address) related to WCry Ransomware is observed. |
Rule | Ransomware: WCry IOC in Flows | Triggers when an IOC (file name, file hash, hostname, IP address) related to WCry Ransomware is observed. |
Rule | Ransomware: WCry Payload in Flows | Triggers when a WCry payload is observed in flows. |
Rule | RDP Hijacking Tool Detected | Triggers when a process that can bypass RDP security is created. The tools that are monitored are: |
Rule | Reconnaissance Tool Process Detected | Triggers when discovery tools commonly used before deploying ransomware are detected. These tools can also be used by red teams and are not inherently dangerous; however, malicious actors can use them to survey an environment before attacking it. The rule has been prepopulated with the following tools: |
Rule | Recovery Disabled in Boot Configuration Data | Triggers when recovery options are disabled in the boot configuration data. This might indicate a malicious actor attempting to disable the ability to recover files after a ransomware attack. |
Rule | Search for Password Files using findstr (Windows) | Triggers when a search is made for the string password by using the findstr command. This behavior might indicate a malicious actor searching for files that contain passwords. |
Rule | Search for Password Files using grep or find (Unix) | Triggers when a search is made for the string password by using the grep or find commands. This behavior might indicate a malicious actor searching for files that contain passwords on a Unix system. |
Rule | Search for Password Files using Select-String (Windows) | Triggers when a search is made for the string password by using the Select-String PowerShell command. This behavior might indicate a malicious actor searching for files that contain passwords. |
Rule | SharpHound PowerShell Detected | Triggers when a SharpHound PowerShell script is run. The primary function that is used in the script is named invoke-BloodHound. |
Rule | Suspicious Amount of Files Deleted on the Same Machine | Triggers when a suspicious number of files are deleted from a large number of different folders. This might indicate an attempt to disrupt services or hide the traces of an attack. |
Rule | Suspicious Amount of Files Renamed on the Same Machine (Windows) | Triggers when a suspicious number of files are renamed from PowerShell. This might indicate the presence of ransomware, which typically encrypts and renames files as part of its process. |
Rule | Suspicious Amount of Files Renamed/Moved on the Same Machine (Unix) | Triggers when a suspicious number of files are renamed by using the mv command. This might indicate the presence of ransomware, which typically encrypts and renames files as part of its process. |
The following table shows the reference data in IBM Security QRadar Endpoint.
Type | Name | Description |
---|---|---|
Reference Set | BadRabbit_FileHash | Lists file hashes associated with the BadRabbit ransomware. |
Reference Set | BadRabbit_FileName | Lists file names that are associated with the BadRabbit ransomware. |
Reference Set | BadRabbit_Hostname | Lists hostnames associated with the BadRabbit ransomware. |
Reference Set | BadRabbit_IP | Lists IP addresses associated with the BadRabbit ransomware. |
Reference Set | Petya_File_Name | Lists file names that are associated with the Petya/NotPetya ransomware. |
Reference Set | Petya_FileHash | Lists file hashes associated with the Petya/NotPetya ransomware. |
Reference Set | Petya_HostName | Lists hostnames associated with the Petya/NotPetya ransomware. |
Reference Set | Petya_IP | Lists IP addresses associated with the Petya/NotPetya ransomware. |
Reference Set | WCry_FileHash | Lists file hashes associated with the WannaCry ransomware. |
Reference Set | WCry_FileName | Lists file names that are associated with the WannaCry ransomware. |
Reference Set | WCry_HostName | Lists hostnames associated with the WannaCry ransomware. |
Reference Set | WCry_IP | Lists IP addresses associated with the WannaCry ransomware. |
The following table shows the saved searches in IBM Security QRadar Endpoint.
Name | Description |
---|---|
BadRabbit Event "DestinationIP" Last 24 Hours | Displays events with a known BadRabbit destination IP address. |
BadRabbit Event "FileHash" Last 24 Hours | Displays events with a known BadRabbit file hash. |
BadRabbit Event "Hostname" Last 24 Hours | Displays events with a known BadRabbit hostname. |
BadRabbit Event "SourceIP" Last 24 Hours | Displays events with a known BadRabbit source IP address. |
BadRabbit Flows "DestinationIP" Last 24 Hours | Displays flows with a known BadRabbit destination IP address. |
BadRabbit Flows "SourceIP" Last 24 Hours | Displays flows with a known BadRabbit source IP address. |
Outbound UDP Traffic | Displays outbound flows that use UDP. |
Petya/NotPetya Event "DestinationIP" Last 24 Hours | Displays events with a known Petya/NotPetya destination IP address. |
Petya/NotPetya Event "File Hash" Last 24 Hours | Displays events with a known Petya/NotPetya file hash. |
Petya/NotPetya Event "SourceIP" Last 24 Hours | Displays events with a known Petya/NotPetya source IP address. |
Petya/NotPetya Flows "DestinationIP" Last 24 Hours | Displays flows with a known Petya/NotPetya destination IP address. |
Petya/NotPetya Flows "SourceIP" Last 24 Hours | Displays flows with a known Petya/NotPetya source IP address. |
Petya/NotPetya Flows Last 24 Hours | Displays flows that are associated with Petya/NotPetya. |
Potential Ransomware (Suspicious activity, Possible Petya, NotPetya) | Displays flows with suspicious payloads that are associated with Ransomware. |
WannaCry Events "Destination Hostname" Last 24 Hours | Displays events with a known WannaCry destination hostname. |
WannaCry Events "DestinationIP" Last 24 Hours | Displays events with a known WannaCry destination IP address. |
WannaCry Events "File Hash" Last 24 Hours | Displays events with a known WannaCry file hash. |
WannaCry Events "Host Name" Last 24 Hours | Displays events with a known WannaCry hostname. |
WannaCry Events "Source Host Name" Last 24 Hours | Displays events with a known WannaCry source hostname. |
WannaCry Events "SourceIP" Last 24 Hours | Displays events with a known WannaCry source IP address. |
WannaCry Events "URL" Last 24 Hours | Displays events with a known WannaCry URL. |
WannaCry Flows Last 24 Hours | Displays flows that are associated with WannaCry. |
IBM Security QRadar Endpoint 1.0.0
The following table shows the custom properties in IBM Security QRadar Endpoint Content Extension 1.0.0.
Name | Optimized | Found in |
---|---|---|
Application | Yes | Linux |
Architecture | Yes | Linux |
Audit ID | Yes | Linux |
Call Type | Yes | Linux |
Command Arguments | Yes | Linux |
Encoded File Directory | Yes | Linux |
Encoded Filename | Yes | Linux |
File Directory | Yes | |
File Extension | Yes | |
File Permissions | Yes | |
Filename | Yes | |
Group Name | Yes | |
Machine ID | Yes | |
MD5 Hash | No | |
Parent Process Name | Yes | |
Process CommandLine | Yes | |
Process Name | Yes | |
Process Path | Yes | |
Record Number | No | Linux |
Registry Key | Yes | Microsoft Windows |
Registry Value Data | Yes | Microsoft Windows |
Rule Name | Yes | Microsoft Windows |
SHA256 Hash | Yes | |
Target User Name | Yes | |
Token Elevation Type | Yes | Microsoft Windows |
UrlHost | Yes | |
User ID | Yes | |
The following table shows the rules and building blocks in IBM Security QRadar Endpoint 1.0.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: Admin Privileges Added (Unix) | Detects admin privileges added to standard users. An adversary may escalate their privileges to enable further attacks. |
Building Block | BB:BehaviorDefinition: Admin Privileges Added (Windows) | Detects admin privileges added to standard users. An adversary may escalate their privileges to enable further attacks. |
Building Block | BB:BehaviorDefinition: Admin Privileges Removed (Windows) | Detects a permission removed from a superuser group. An adversary may strip administrators of high privileges to prevent them from taking mitigating actions. |
Building Block | BB:BehaviorDefinition: Component Object Model Hijacking | Detects Component Object Model (COM) hijacking activity by monitoring registry entries that can be changed to load a different process. For example, the Command Prompt entry is modified to execute a malicious .exe file instead, followed by a process creation. |
Building Block | BB:BehaviorDefinition: Component Object Model Hijacking Rules | Detects Component Object Model (COM) hijacking activity by monitoring registry modifications on Windows Tooltip handler, keys that contain the application to establish Dynamic Data Exchange (DDE) conversation, and keys that contain the path of a Dynamic Link Library (DLL). |
Building Block | BB:BehaviorDefinition: Critical Security Tool Process Information | Detects when an audit message records information about a Critical Security Tool as a response to its PID being targeted by another signal. |
Building Block | BB:BehaviorDefinition: Download Utilities in Events | Detects when a download utility is being used on an endpoint, such as ftp, sftp, curl, cuteftp, wget, certutil, bits, or nc. |
Building Block | BB:BehaviorDefinition: Group or Account Discovery | Matches when a group or account discovery action is performed. |
Building Block | BB:BehaviorDefinition: Hidden File or Folder Created | Triggers when a hidden file or folder is created. A hidden file or folder can take three forms: |
Building Block | BB:BehaviorDefinition: Password Policy Discovery (Unix) | Detects when a password policy discovery action is performed. By default, this building block watches the following files: |
Building Block | BB:BehaviorDefinition: Password Policy Discovery (Windows) | Detects when a password policy discovery action is performed. |
Building Block | BB:BehaviorDefinition: PowerShell File Download Activity | Detects when PowerShell is used to download files. |
Building Block | BB:BehaviorDefinition: Process Killed | Triggers when a Linux process is killed using the kill system call. |
Building Block | BB:BehaviorDefinition: Regular Endpoint Administration | Defines regular administration activity such as user management, file download from the command line, and execution with elevated privileges. |
Building Block | BB:BehaviorDefinition: Run as Superuser or Another User (Unix) | Detects programs run as root or another user. |
Building Block | BB:BehaviorDefinition: Run as Superuser or Another User (Windows) | Detects programs run as administrator or by another user. |
Building Block | BB:BehaviorDefinition: Suspicious Endpoint Activities | Defines suspicious endpoint activities. |
Building Block | BB:BehaviorDefinition: User Account Added (Unix) | Detects when a user account is created. |
Building Block | BB:BehaviorDefinition: User Account Added (Windows) | Detects when a user or group account is created. |
Building Block | BB:BehaviorDefinition: User Account Deleted (Unix) | Detects when a user account is deleted. |
Building Block | BB:BehaviorDefinition: User Account Deleted (Windows) | Detects when a user or group account is deleted. |
Building Block | BB:CategoryDefinition: File Decode by a Utility | Detects when a utility is used to decode files. |
Building Block | BB:CategoryDefinition: File Permission Changed | Detects when a command has been executed to change the permissions assigned to a file. |
Building Block | BB:CategoryDefinition: Files with Sensitive Permissions | Defines files whose permissions should not be changed. A change to them might reveal an attacker trying to prevent normal functioning. By default, this building block watches the following files: |
Building Block | BB:DeviceDefinition: Operating System | Defines all operating systems on the system. |
Rule | Communication with a Potential Hostile Host | Detects communication with a potentially hostile host, as categorized by X-Force or listed in the reference set collection. |
Rule | Communication with a Potential Hostile IP Address | Detects communication with a potentially hostile IP address, as categorized by X-Force or listed in the reference set collection. |
Rule | Credential Dumping Activities Discovered | Triggers when credential dumping activity is detected in the Windows registry. Adversaries may query the registry for credentials and passwords that were stored for use by other programs or services and exploit those credentials. Credential dumping activities include, but are not limited to: The AQL filter conditions below describe the three credential dumping methods that are implemented in this rule. Each method can be implemented separately by using these AQL filters for tuning purposes. |
Rule | Critical File Permission Changed (Unix) | Triggers when the permissions of critical files or directories are modified. An attacker may modify the permissions of a sensitive file to become the only user able to access it and then proceed to defacement, data destruction, or disabling security tools. Note: Edit the BB:CategoryDefinition: Files with Sensitive Permissions building block with the files or directories to monitor. These locations should be related to boot, backup, logging, or credentials, which have a higher severity when exploited. |
Rule | Critical Security Tool Killed (Unix) | Detects when a critical security process has been killed. An adversary may disable security tools to avoid detection. Note: The building blocks included in this rule use the Critical Security Tool Processes reference set, which has been prepopulated with common security tool process names. Tune the reference set with any tool used by the organization. |
Rule | Critical Security Tool Stopped | Triggers when a critical security tool process is stopped. An adversary may disable security tools to avoid detection. Note: The Critical Security Tool Processes reference set has been prepopulated with common security tool process names. Tune the reference set with any tool used by the organization. |
Rule | Detection of Malicious IOC | Detects when an IOC is categorized as malicious in a reference set collection. |
Rule | File Created with Right to Left Override | Triggers when the Right to Left Override character (U+202E) is found in the name of a created file. In some operating systems, the graphical interface processes this character and reverses the display order of the part of the file name that follows it. |
Rule | File Created with Space After Filename | Triggers when the last character of a file name is a space. This forces the operating system to determine the file's type and execute it accordingly, even if there appears to be a valid file extension. For example, a shell script named info.txt opens as a text file, while one named "info.txt " (note the trailing space) opens with whatever default program handles shell scripts. |
Rule | File Decode or Download followed by Suspicious Activity | Triggers when a utility such as certutil is used to decode a file. This might indicate a malicious user downloading an encoded file and decoding it to evade security controls. |
Rule | Potential Component Object Model (COM) Hijacking | Detects Potential Component Object Model (COM) hijacking activities. An attacker can execute malicious code by hijacking legitimate COM references. |
Rule | Potential DLL Hijacking | Triggers when a dynamic-link library (DLL) file is created or downloaded and then loaded by an application. This can indicate DLL search order hijacking. Note: Exclude known-good processes from monitoring to reduce false positives. |
Rule | Potential Malicious Application Shimming | Detects application shimming activity by monitoring registry modifications. Attackers can use the backward-compatibility (shim) features of Windows to escalate privileges, install backdoors, and so on. Custom databases can be found in the following locations: Note: The Shims Allowlist reference set is populated with the default shims installed by the default Windows installer. Tune this reference set with any custom shim. |
Rule | Process Masquerading (Unix) | Triggers when a process executes from a directory it is not supposed to run from. An attacker can masquerade as a legitimate process to avoid detection and execute malicious commands from the illegitimate copy. Note: Tune this rule to include or exclude any directory. |
Rule | Process Masquerading (Windows) | Triggers when a sensitive process executes from an illegitimate directory. An attacker can masquerade as a legitimate process to avoid detection and execute malicious commands from the illegitimate copy. Note: The Sensitive Process Names reference set is populated with known sensitive processes. Tune this reference set with the processes to watch. The Default Process Name and Process Directories reference map of sets has been prepopulated with sensitive process names and their directories. Tune this reference data with the default location of the sensitive processes. |
Rule | Programming Environment Spawned by a Suspicious Process | Triggers when a programming environment is spawned by a suspicious process. This might indicate an attacker trying to execute a malicious script. |
Rule | Recommended Blocked Process is Running | Detects a process from the recommended block list running on the system. Microsoft publishes recommended block rules for Windows applications that an attacker can potentially exploit, including to bypass Windows Defender Application Control. Note: The Recommended Blocked Processes reference set is prepopulated with the applications Microsoft lists as commonly exploited. Tune the reference set with any endpoint process to fit business needs. |
Rule | Suspicious Activity Followed by Endpoint Administration Task | Detects when normal administration tasks (downloading a file, updating user rights, running as another user, and so on) are performed after suspicious activity was detected on the same machine. |
Rule | User Account Creation followed by Account Deletion | Triggers when a user account is created and deleted within a short period of time. This might indicate an attacker or malware trying to hide or evade detection by rotating through user accounts, or planting a logic bomb on the system. |
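Three of the rules in the table above are masquerading checks: File Created with Right to Left Override and File Created with Space After Filename inspect the created file's name, and Process Masquerading (Windows) compares a sensitive process's directory against the Default Process Name and Process Directories reference map of sets (the Unix variant is the same comparison on POSIX paths). The following Python is an added example of those checks run over constructed events; it is not the content extension's rule logic. The reference-data contents, the event field names, and the sample events are assumptions, since the shipped reference data is not reproduced on this page. It goes slightly beyond the first rule by flagging every Unicode bidirectional control character rather than U+202E alone.

```python
import unicodedata
from pathlib import PureWindowsPath
from typing import Optional

# --- File name checks (Right to Left Override / Space After Filename) ---

# Bidi classes of the Unicode explicit formatting characters. U+202E, the
# Right-to-Left Override named by the rule, has class "RLO"; flagging the
# whole family is a deliberate generalization of the rule.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def analyze_filename(name: str) -> list[str]:
    """Findings for one file name; an empty list means it looks clean."""
    findings = [f"bidi control {unicodedata.name(ch)} at offset {i}"
                for i, ch in enumerate(name)
                if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES]
    if name != name.rstrip(" "):
        findings.append("trailing space after file name")
    return findings


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware GUI shows: text after the first U+202E is mirrored."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name


# --- Process directory check (Process Masquerading (Windows)) ---

# Assumed contents of the Sensitive Process Names reference set and of the
# Default Process Name and Process Directories reference map of sets.
SENSITIVE_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe"}
DEFAULT_PROCESS_DIRECTORIES = {
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "lsass.exe": {r"C:\Windows\System32"},
    "explorer.exe": {r"C:\Windows"},
}


def _normalize(path) -> str:
    """Canonical, case-folded form so C:/windows/system32 and C:\\Windows\\System32 compare equal."""
    return str(PureWindowsPath(path)).lower()


def check_process(process_path: str, process_name: Optional[str] = None) -> Optional[dict]:
    """A finding when a sensitive process runs outside its default directories, else None."""
    path = PureWindowsPath(process_path)
    name = (process_name or path.name).lower()
    if name not in SENSITIVE_PROCESS_NAMES:
        return None  # the rule only applies to sensitive processes
    allowed = {_normalize(d) for d in DEFAULT_PROCESS_DIRECTORIES.get(name, ())}
    if _normalize(path.parent) in allowed:
        return None
    return {"process": name, "directory": str(path.parent), "expected": sorted(allowed)}


# --- Constructed events; "filename", "process_path" and "process_name" are assumed
# field names standing in for the Filename, Process Path and Process Name properties ---
SAMPLE_EVENTS = [
    {"host": "ws-01", "filename": "report.pdf"},
    {"host": "ws-02", "filename": "invoice_\u202efdp.exe"},      # renders as invoice_exe.pdf
    {"host": "ws-03", "filename": "info.txt "},                   # trailing space
    {"host": "ws-04", "process_path": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-05", "process_name": "SVCHOST.EXE", "process_path": r"c:\windows\syswow64\SVCHOST.EXE"},
    {"host": "ws-06", "process_path": r"C:\Users\Public\svchost.exe"},
    {"host": "ws-07", "process_path": "C:/Windows/Temp/lsass.exe"},
    {"host": "ws-08", "process_path": r"C:\Program Files\App\app.exe"},  # not a sensitive process
]


def scan_events(events) -> list[dict]:
    """Run whichever check applies to each event; one alert per matching event."""
    alerts = []
    for ev in events:
        if "filename" in ev:
            findings = analyze_filename(ev["filename"])
            if findings:
                alerts.append({"host": ev["host"], "rule": "filename",
                               "displayed_as": displayed_name(ev["filename"]), "findings": findings})
        elif "process_path" in ev:
            hit = check_process(ev["process_path"], ev.get("process_name"))
            if hit:
                alerts.append({"host": ev["host"], "rule": "process_masquerading", **hit})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Two caveats that the code makes visible. The directory comparison is on the path string the log source reported, so a legitimate process logged under an 8.3 short name (C:\PROGRA~1\...) or through a junction will not match the allowlist and will fire; fix the reporting rather than adding short names to the reference data. And the process check trusts the Process Name field, so a binary named svch0st.exe is simply not sensitive to this rule and needs the file-name checks or a hash-based rule instead. The trailing-space trick is the macOS behavior the rule describes; Win32 path normalization strips trailing spaces, so on Windows such a name normally appears only when created through a non-Win32 path.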
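User Account Creation followed by Account Deletion and Suspicious Activity Followed by Endpoint Administration Task (and, with different tests, Potential DLL Hijacking) are all sequence rules: a first event, then a second event on the same machine within a time window. The following Python is an added example that implements that correlation once and instantiates it for the two account rules over constructed events; it is not the content extension's rule logic. The window lengths, action names, and event fields are assumptions; the shipped rules define their own tests and intervals.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable

Event = dict
Predicate = Callable[[Event], bool]

# Assumed action categories standing in for the Regular Endpoint Administration
# and Suspicious Endpoint Activities building blocks.
ADMIN_ACTIONS = {"user_created", "user_deleted", "rights_updated", "run_as_user", "file_download"}
SUSPICIOUS_ACTIONS = {"certutil_decode", "hidden_file_created", "security_tool_killed"}


def _t(hhmm: str) -> datetime:
    return datetime.strptime(f"2024-01-15 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed events, deliberately out of time order to exercise the sort.
SAMPLE_EVENTS = [
    {"time": _t("10:07"), "host": "host-a", "user": "tmpsvc", "action": "user_deleted"},
    {"time": _t("10:00"), "host": "host-a", "user": "tmpsvc", "action": "user_created"},
    {"time": _t("10:20"), "host": "host-a", "user": "admin", "action": "certutil_decode"},
    {"time": _t("10:25"), "host": "host-a", "user": "admin", "action": "rights_updated"},
    {"time": _t("09:00"), "host": "host-b", "user": "builduser", "action": "user_created"},
    {"time": _t("11:30"), "host": "host-b", "user": "builduser", "action": "user_deleted"},
    {"time": _t("10:05"), "host": "host-c", "user": "tmpsvc", "action": "user_deleted"},
]


def correlate(events, first: Predicate, second: Predicate, key, window: timedelta):
    """Pair each `second` event with earlier `first` events sharing `key` within `window`.

    Matched first events are consumed, so one suspicious activity followed by several
    admin tasks raises one alert rather than one per task. Expired entries are dropped
    lazily, the first time a second event arrives for the same key.
    """
    pending = defaultdict(list)  # key -> first events still waiting for a partner
    matches = []
    for ev in sorted(events, key=lambda e: e["time"]):
        k = key(ev)
        if second(ev):
            live = [f for f in pending[k] if ev["time"] - f["time"] <= window]
            matches.extend((f, ev) for f in live)
            pending[k] = []  # consumed, or expired
        if first(ev):
            pending[k].append(ev)
    return matches


def account_churn(events, window=timedelta(minutes=15)):
    """User Account Creation followed by Account Deletion: same host and user name."""
    return correlate(events,
                     first=lambda e: e["action"] == "user_created",
                     second=lambda e: e["action"] == "user_deleted",
                     key=lambda e: (e["host"], e["user"]),
                     window=window)


def suspicious_then_admin(events, window=timedelta(hours=1)):
    """Suspicious Activity Followed by Endpoint Administration Task: same host, any user."""
    return correlate(events,
                     first=lambda e: e["action"] in SUSPICIOUS_ACTIONS,
                     second=lambda e: e["action"] in ADMIN_ACTIONS,
                     key=lambda e: e["host"],
                     window=window)


if __name__ == "__main__":
    for created, deleted in account_churn(SAMPLE_EVENTS):
        print(f"{created['host']}: {created['user']} created {created['time']:%H:%M}, "
              f"deleted {deleted['time']:%H:%M}")
    for sus, adm in suspicious_then_admin(SAMPLE_EVENTS):
        print(f"{sus['host']}: {sus['action']} at {sus['time']:%H:%M}, "
              f"then {adm['action']} at {adm['time']:%H:%M}")
```

On the sample data only host-a fires for each rule: host-b's account lived for two and a half hours, outside the 15-minute window, and host-c saw a deletion with no matching creation. Widening the churn window to three hours makes host-b fire too, which is the trade-off the rule's interval setting controls. The key function is the part to tune: keying the account rule on host and user name avoids pairing unrelated create and delete events on a busy domain controller, while the administration-task rule keys on host alone because the follow-up task is often performed under a different account.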
The following table shows the reference data in IBM Security QRadar Endpoint 1.0.0.
Type | Name | Description |
---|---|---|
Reference Map of Sets | Default Process Name and Process Directories | This reference map of sets lists sensitive processes and their directories. |
Reference Data | pulse_imports | Part of the Pulse dashboard. |
Reference Set | Anonymizer IPs | Lists identified anonymizer IP addresses. |
Reference Set | Botnet C&C IPs | Lists identified botnet command and control server IP addresses. |
Reference Set | Botnet IPs | Lists identified botnet IP addresses. |
Reference Set | Critical Security Tool Processes | Lists critical security tools. |
Reference Set | Malicious URLs | Lists identified malicious URLs. |
Reference Set | Malware Hashes MD5 | Lists identified MD5 malware hashes. |
Reference Set | Malware Hashes SHA | Lists identified SHA-256 malware hashes. |
Reference Set | Malware IPs | Lists identified malware IP addresses. |
Reference Set | Malware URLs | Lists identified malware URLs. |
Reference Set | Phishing IPs | Lists identified phishing IP addresses. |
Reference Set | Phishing URLs | Lists identified phishing URLs. |
Reference Set | Recommended Blocked Processes | Lists processes that are recommended to be blocked. |
Reference Set | Sensitive Process Names | Lists sensitive processes. |
Reference Set | Shims Allowlist | Lists the default application shim registry entries that are allowed. |