Appendix A: Endpoint Risk Scoring Rules

Endpoint risk scoring requires the following rules:

  • "accesses administrative share using command shell"

  • "activates bits job"

  • "adds files to bits download job"

  • "adds firewall rule"

  • "allocates remote memory"

  • "antivirus disabled"

  • "archiving software reads multiple documents"

  • "autorun debian package mismatch"

  • "autorun file path not part of debian package"

  • "autorun file path not part of rpm"

  • "autorun key contains non-printable characters"

  • "autorun"

  • "autorun rpm mismatch"

  • "autorun unsigned active setup"

  • "autorun unsigned appinit_dlls"

  • "autorun unsigned bho"

  • "autorun unsigned bootexecute registry startup method"

  • "autorun unsigned explorer registry startup method"

  • "autorun unsigned hidden"

  • "autorun unsigned hidden only executable in directory"

  • "autorun unsigned ie toolbar"

  • "autorun unsigned in appdatalocal directory"

  • "autorun unsigned in appdataroaming directory"

  • "autorun unsigned in programdata directory"

  • "autorun unsigned in temp directory"

  • "autorun unsigned logontype registry startup method"

  • "autorun unsigned lsa provider"

  • "autorun unsigned servicedll"

  • "autorun unsigned winlogon helper dll"

  • "autorun unsigned winsock lsp"

  • "bad certificate warning disabled"

  • "blacklisted file"

  • "browser runs command prompt"

  • "browser runs mshta"

  • "browser runs powershell"

  • "builds script incrementally"

  • "clears application event log"

  • "clears event logs using powershell"

  • "clears security event log"

  • "clears setup event log"

  • "clears system event log"

  • "combines binaries using command prompt"

  • "command line usage of archiving software"

  • "command line writes script files"

  • "command prompt obfuscation"

  • "command prompt obfuscation using value extraction"

  • "command shell runs rundll32"

  • "completes bits download job"

  • "configures image hijacking"

  • "configures port redirection"

  • "copies binary over administrative share"

  • "created in last month"

  • "creates browser extension"

  • "creates domain user account"

  • "creates executable in startup directory"

  • "creates local driver service"

  • "creates local service"

  • "creates local task"

  • "creates local user account"

  • "creates password-protected archive"

  • "creates recursive archive"

  • "creates remote process using wmi command-line tool"

  • "creates remote service"

  • "creates remote task"

  • "creates run key"

  • "creates shadow volume for logical drive"

  • "creates suspicious service running command prompt"

  • "debian package hash mismatch in important system directory"

  • "debian package hash mismatch"

  • "deletes backup catalog"

  • "deletes firewall rule"

  • "deletes shadow volume copies"

  • "deletes shadow volume copies using powershell"

  • "deletes usn change journal"

  • "disables event logging service"

  • "disables firewall"

  • "disables safe mode"

  • "disables security service"

  • "disables startup repair"

  • "disables uac"

  • "disables uac remote restrictions"

  • "disables windows audit policy"

  • "disables windows defender using powershell"

  • "downloads binary using certutil"

  • "drops credential dumping tools"

  • "dumps dns cache"

  • "dyld inserted"

  • "enables cleartext credential storage"

  • "enables login bypass"

  • "enables rdp from command-line"

  • "enables safe mode"

  • "enumerates arp table"

  • "enumerates available systems on network"

  • "enumerates domain account policy"

  • "enumerates domain administrators"

  • "enumerates domain computers"

  • "enumerates domain controllers"

  • "enumerates domain groups"

  • "enumerates domain users"

  • "enumerates enterprise administrators"

  • "enumerates exchange domain servers"

  • "enumerates exchange servers"

  • "enumerates ip configuration"

  • "enumerates local account policy"

  • "enumerates local administrators"

  • "enumerates local administrators on domain controller"

  • "enumerates local groups"

  • "enumerates local services"

  • "enumerates local users"

  • "enumerates logical disk"

  • "enumerates mapped resources"

  • "enumerates network connections"

  • "enumerates primary domain controller"

  • "enumerates processes on local system"

  • "enumerates processes on remote system"

  • "enumerates remote netbios name table"

  • "enumerates remote resources"

  • "enumerates route table"

  • "enumerates services hosted in processes"

  • "enumerates system info"

  • "enumerates trusted domains"

  • "evades scanning within windows defender"

  • "evasive powershell used over network"

  • "event viewer executes uncommon binary"

  • "execute dll through rundll32"

  • "exports sensitive registry hive"

  • "extracts password-protected archive"

  • "file encrypted"

  • "file hidden"

  • "file path not part of debian package in important system directory"

  • "file path not part of debian package"

  • "file path not part of rpm in important system directory"

  • "file path not part of rpm"

  • "file vault disabled"

  • "floating module and hooking"

  • "floating module in browser process"

  • "floating module in os process"

  • "floating module"

  • "gatekeeper disabled"

  • "gets current user as system"

  • "gets current username and group information"

  • "gets current username"

  • "gets hostname"

  • "gets remote time"

  • "gina replacement"

  • "graylisted file"

  • "hidden and hooking"

  • "hidden in appdata"

  • "hidden plist and autorun"

  • "hidden running as root"

  • "hooks audio output function"

  • "hooks authentication function"

  • "hooks crypto function"

  • "hooks dnsquery function"

  • "hooks gui function"

  • "hooks network http function"

  • "hooks network io function"

  • "hooks ntldr function"

  • "hooks registry access function"

  • "hooks registry enumeration function"

  • "http daemon runs command prompt"

  • "http daemon runs powershell"

  • "http daemon runs reconnaissance tool"

  • "http daemon writes executable"

  • "ie dep disabled"

  • "ie enhanced security disabled"

  • "in appdata directory"

  • "in hidden directory"

  • "in recycle bin directory"

  • "in root of appdatalocal directory"

  • "in root of appdataroaming directory"

  • "in root of logical drive"

  • "in root of program directory"

  • "in root of users directory"

  • "installs root certificate"

  • "in system volume information directory"

  • "in temporary directory"

  • "in uncommon directory"

  • "invalid signature"

  • "kext signature validation disabled"

  • "lateral movement with credentials using net utility"

  • "ld preload"

  • "library preferences directory"

  • "lists anti-spyware products"

  • "lists antivirus products"

  • "lists firewall products"

  • "login bypass configured"

  • "lua disabled"

  • "mac firewall disabled"

  • "malicious file by reputation service"

  • "maps administrative share"

  • "maps ipc$ share"

  • "misleading file extension"

  • "modifies file associations"

  • "modifies image file execution for persistence"

  • "modifies registry using command-line registry tool"

  • "modifies run key"

  • "modifies shell-open-command file association"

  • "modifies startup folder location"

  • "modifies winlogon dll for persistence"

  • "modifies winlogon registry settings"

  • "mshta runs command prompt"

  • "mshta runs powershell"

  • "mshta runs scripting engine"

  • "mshta writes executable"

  • "network access"

  • "no antivirus notification disabled"

  • "no firewall notification disabled"

  • "non-microsoft modifies bad certificate warning setting"

  • "non-microsoft modifies firewall policy"

  • "non-microsoft modifies internet zone setting"

  • "non-microsoft modifies lua setting"

  • "non-microsoft modifies registry editor setting"

  • "non-microsoft modifies security center config"

  • "non-microsoft modifies services imagepath"

  • "non-microsoft modifies task manager setting"

  • "non-microsoft modifies windows system policy"

  • "non-microsoft modifies zone crossing warning setting"

  • "no uac notification disabled"

  • "no windows update notification disabled"

  • "office application crashed"

  • "office application injects remote process"

  • "office application runs bits"

  • "office application runs command prompt"

  • "office application runs powershell"

  • "office application runs scripted ftp"

  • "office application runs scripting engine"

  • "office application runs task scheduler"

  • "office application runs wmi scripting engine"

  • "office application writes executable"

  • "opens browser process"

  • "opens os process"

  • "opens process"

  • "opswat reported infected"

  • "opswat reported suspicious"

  • "os process runs command shell"

  • "packed and autorun"

  • "packed and network access"

  • "packed"

  • "performs scripted file transfer"

  • "possible login bypass"

  • "possible mimikatz activity"

  • "possible rdp session hijacking"

  • "possibly configures uac bypass"

  • "possibly renamed net.exe detected"

  • "potential abuse of odbcconf"

  • "potential outlook exploit"

  • "powershell command using string manipulation"

  • "powershell injects remote process"

  • "powershell opens lsass process"

  • "powershell runs command prompt"

  • "powershell runs scripting engine"

  • "process authorized in firewall"

  • "process redirects to stdout or stderr"

  • "process with matched yara rule"

  • "process with opswat reported infected"

  • "process with opswat reported suspicious"

  • "psexesvc runs powershell"

  • "psexesvc runs scripting engine"

  • "psexesvc runs shell commands"

  • "pubprn detection"

  • "queries cached kerberos tickets"

  • "queries processes on local system"

  • "queries processes on remote system"

  • "queries registry using command-line registry tool"

  • "queries terminal sessions"

  • "queries users logged on local system"

  • "queries users logged on remote system"

  • "record screen captures using psr tool"

  • "registers always install elevated policy"

  • "registers appcert dll"

  • "registers appinit dll"

  • "registers boot execute"

  • "registers lsa authentication package"

  • "registers lsa notification package"

  • "registers lsa security package"

  • "registers netsh helper dll"

  • "registers port monitor dll"

  • "registers shim database"

  • "registers startup during safe mode boot"

  • "registers time provider dll"

  • "registry tools disabled"

  • "regsvr32 creates windows task"

  • "regsvr32 runs powershell"

  • "regsvr32 runs rundll32"

  • "regsvr32 writes executable"

  • "remote directory traversal"

  • "removes windows defender definitions"

  • "rpm hash mismatch in important system directory"

  • "rpm hash mismatch"

  • "rpm ownership changed"

  • "rpm permissions changed"

  • "rundll32 creates windows task"

  • "rundll32 runs powershell"

  • "runkey persistence"

  • "runs acl management tool"

  • "runs active directory service query tool"

  • "runs binary located in recycle bin directory"

  • "runs binary located in root of logical drive"

  • "runs binary located in root of program directory"

  • "runs binary located in root of users directory"

  • "runs binary located in system volume information directory"

  • "runs blacklisted file"

  • "runs certutil with decode arguments"

  • "runs certutil with encode arguments"

  • "runs certutil with hashfile arguments"

  • "runs chained command shell"

  • "runs chmod"

  • "runs credential dumping tools"

  • "runs curl"

  • "runs ditto"

  • "runs dns lookup tool for txt record"

  • "runs dns lookup tool"

  • "runs file attributes modification tool"

  • "runs file transfer tool"

  • "runs forfiles.exe"

  • "runs graylisted file"

  • "runs ifconfig"

  • "runs kextload"

  • "runs kextstat"

  • "runs launchctl"

  • "runs malicious file by reputation service"

  • "runs mshta with http argument"

  • "runs mshta with script argument"

  • "runs msiexec with http argument"

  • "runs netstat"

  • "runs network configuration tool"

  • "runs network connectivity tool"

  • "runs one letter executable"

  • "runs one letter script"

  • "runs ping"

  • "runs powershell bypassing execution policy"

  • "runs powershell decoding base64 string"

  • "runs powershell defining function"

  • "runs powershell downloading content"

  • "runs powershell invoke-mimikatz function"

  • "runs powershell memory stream function"

  • "runs powershell"

  • "runs powershell shellexecute function"

  • "runs powershell using encoded command"

  • "runs powershell using environment variables"

  • "runs powershell with hidden window"

  • "runs powershell with http argument"

  • "runs powershell with long arguments"

  • "runs psexec on remote system and silently accepts user license"

  • "runs psexec on remote system as system user"

  • "runs ps"

  • "runs registry tool"

  • "runs regsvr32 com scriplets"

  • "runs regsvr32 using one letter dll"

  • "runs regsvr32 with http argument"

  • "runs regsvr32 without arguments"

  • "runs remote execution tool"

  • "runs remote powershell command"

  • "runs robocopy.exe"

  • "runs rundll32 using one letter dll"

  • "runs rundll32 with http argument"

  • "runs rundll32 with javascript argument"

  • "runs rundll32 without arguments"

  • "runs scripting engine in batch mode using execution engine argument"

  • "runs scripting engine"

  • "runs service control tool"

  • "runs shim database installer"

  • "runs sh"

  • "runs suspicious file by reputation service"

  • "runs tar"

  • "runs tasks management tool"

  • "runs unzip"

  • "runs waitfor.exe"

  • "runs wmi command-line tool"

  • "runs wmi scripting engine"

  • "runs xcopy.exe"

  • "safari fraud website warning disabled"

  • "scripting addition in process"

  • "scripting engine injects remote process"

  • "scripting engine runs powershell"

  • "scripting engine runs regsvr32"

  • "scripting engine runs rundll32"

  • "self signed"

  • "services in programdata directory"

  • "services runs command shell"

  • "smartscreen filter disabled"

  • "starts local service"

  • "starts rdp service"

  • "starts remote service"

  • "stops diagtrack service"

  • "stops error reporting service"

  • "stops security service"

  • "stops windows update service"

  • "sudo no password prompt"

  • "suspicious file by reputation service"

  • "suspicious regsvr32.exe task"

  • "system integrity protection disabled"

  • "system restore disabled"

  • "tampers with windows defender registry"

  • "task manager disabled"

  • "tasks in programdata directory"

  • "terminates process"

  • "transfers file using bits"

  • "uac disabled"

  • "unexpected csrss.exe parent"

  • "unexpected explorer.exe destination location"

  • "unexpected explorer.exe parent"

  • "unexpected explorer.exe source location"

  • "unexpected lsass.exe parent"

  • "unexpected lsm.exe parent"

  • "unexpected msdtc.exe parent"

  • "unexpected os process destination location"

  • "unexpected os process source location"

  • "unexpected runtimebroker.exe parent"

  • "unexpected services.exe parent"

  • "unexpected smss.exe parent"

  • "unexpected svchost arguments"

  • "unexpected svchost.exe parent"

  • "unexpected taskhostw.exe parent"

  • "unexpected wininit.exe parent"

  • "unexpected winlogon.exe parent"

  • "unknown segment"

  • "unsigned copies self"

  • "unsigned creates remote thread and file hidden"

  • "unsigned creates remote thread"

  • "unsigned cron job"

  • "unsigned deletes self"

  • "unsigned kext"

  • "unsigned library in suspicious daemon"

  • "unsigned module in signed process"

  • "unsigned reserved name"

  • "unsigned runs python"

  • "unsigned writes executable"

  • "unsigned writes executable to appdatalocal directory"

  • "unsigned writes executable to appdataroaming directory"

  • "unsigned writes executable to library application support directory"

  • "unsigned writes executable to library directory"

  • "unsigned writes executable to library preferences directory"

  • "unsigned writes executable to scripting additions directory"

  • "unsigned writes executable to system directory"

  • "unsigned writes executable to var directory"

  • "unsigned writes executable to windows directory"

  • "unsigned writes to autorun"

  • "uses libnss"

  • "uses libpcap"

  • "uses mach injection"

  • "uses mach override"

  • "warning on post redirect disabled"

  • "windows firewall disabled"

  • "windows task runs powershell"

  • "windows update disabled"

  • "wmic remote node activity"

  • "wmiprvse runs command shell"

  • "wmiprvse runs powershell"

  • "wmiprvse runs scripting engine"

  • "writes blacklisted file"

  • "writes executable to recycle bin directory"

  • "writes executable to root of logical drive"

  • "writes executable to root of program directory"

  • "writes executable to root of users directory"

  • "writes executable to system volume information directory"

  • "writes graylisted file"

  • "writes malicious file by reputation service"

  • "writes suspicious file by reputation service"

  • "yara rule matched"

  • "executable in ads"

  • "explorer public folder dll load"

  • "powershell double base64"

  • "outbound from windows directory"

  • "outbound from unsigned temporary directory"

  • "unsigned opens lsass"

  • "outbound from unsigned appdata directory"

  • "rdp launching loopback address"

  • "autorun invalid signature windows directory"

  • "command shell copy items"
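A practical way to use this appendix is to verify that a deployment actually carries every rule it lists. The script below is an added example and is not part of the original appendix: it parses the appendix's own bullet-and-quote format into a set of rule names, normalizes them (case-insensitive, whitespace collapsed), and reports which required rules are missing from a rule export and which exported rules are not in the list. The appendix excerpt and the export are constructed samples, and the export format (one rule name per line) is an assumption.

```python
"""Check that a risk-scoring deployment carries every rule this appendix
requires. Added example, not part of the original document; the appendix
excerpt and the deployed-rule export below are constructed, and the export
format (one rule name per line) is an assumption."""
import re

# Constructed excerpt of the appendix in its own format: a bullet followed by
# the quoted rule name, one per line, blank lines between entries.
APPENDIX_EXCERPT = """
Endpoint risk scoring requires the following rules:

  • "autorun unsigned lsa provider"

  • "clears security event log"

  • "runs powershell using encoded command"

  • "unsigned opens lsass"
"""

# Constructed sample export from a hypothetical deployment; exports commonly
# title-case the names, so comparison must be case-insensitive.
DEPLOYED_EXPORT = """
Autorun Unsigned LSA Provider
Clears Security Event Log
Runs PowerShell Using Encoded Command
Runs Regsvr32 With HTTP Argument
"""

# Matches an appendix line such as:   • "clears security event log"
_RULE_RE = re.compile(r'^\s*•\s*"(?P<name>[^"]+)"\s*$')


def normalize(name):
    """Collapse internal whitespace and lower-case so that 'Clears  Security
    Event Log' and 'clears security event log' compare equal."""
    return " ".join(name.split()).lower()


def parse_appendix(text):
    """Return the set of normalized rule names quoted in the appendix text."""
    rules = set()
    for line in text.splitlines():
        match = _RULE_RE.match(line)
        if match:
            rules.add(normalize(match.group("name")))
    return rules


def parse_export(text):
    """Return the set of normalized rule names from a one-name-per-line export
    (assumed format); blank lines are ignored."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def check_coverage(required, deployed):
    """Return (missing, unlisted): required rules absent from the deployment,
    and deployed rules that the appendix does not list."""
    return required - deployed, deployed - required


if __name__ == "__main__":
    required = parse_appendix(APPENDIX_EXCERPT)
    deployed = parse_export(DEPLOYED_EXPORT)
    missing, unlisted = check_coverage(required, deployed)
    for name in sorted(missing):
        print(f"MISSING  {name}")
    for name in sorted(unlisted):
        print(f"UNLISTED {name}")
```

To run this against the full appendix, replace APPENDIX_EXCERPT with the text of this page and DEPLOYED_EXPORT with the rule list exported from the deployment; a non-empty MISSING set means risk scoring cannot fire on those behaviours, and UNLISTED entries are worth a look in case a rule was renamed rather than added.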