ATT&CK Technique Quick Reference¶

Coverage reference for high-priority ATT&CK Enterprise techniques. Each entry includes detection guidance, KQL/SPL queries, and defensive recommendations.

How to Use This Reference¶

Find techniques by tactic. Each entry includes the technique ID, description, detection approach, and sample queries.

This reference covers 60 high-priority techniques across all 14 ATT&CK Enterprise tactics, identified through the ATT&CK Gap Analysis and prioritized by real-world prevalence and coverage deficit. Every tactic has at least 3 techniques with full detection guidance.

Defense Evasion (TA0005)¶

Defense Evasion had the lowest coverage at 19% (8 of 42 techniques). The following techniques close the most critical gaps.

T1112 — Modify Registry¶

Tactic: Defense Evasion | Platforms: Windows | Data Sources: Windows Registry, Process, Command

Description: Adversaries modify Windows Registry keys and values to hide configuration data, disable security tools, or establish persistence. Registry modifications are a foundational Windows technique used across nearly every stage of an intrusion. Changes to Run keys, service configurations, and security policy keys are especially high-signal.

Detection Approach:

• Monitor registry value set/create events in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce
• Watch for modifications to security-related keys (Windows Defender, Firewall, UAC)
• Correlate registry changes with the originating process — legitimate installers vs. suspicious binaries

// Detect registry modifications to common persistence and defense evasion keys
DeviceRegistryEvents
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (
    @"CurrentVersion\Run",
    @"CurrentVersion\RunOnce",
    @"Windows Defender\Exclusions",
    @"Policies\Microsoft\Windows Defender",
    @"CurrentVersion\Policies\System"  // UAC settings
)
| where InitiatingProcessFileName !in ("msiexec.exe", "TiWorker.exe", "svchost.exe")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName,
          RegistryValueData, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| sort by Timestamp desc

index=wineventlog sourcetype="WinRegistry" OR sourcetype="sysmon" EventCode=13
(TargetObject="*\\CurrentVersion\\Run*"
 OR TargetObject="*\\Windows Defender\\Exclusions*"
 OR TargetObject="*\\Policies\\Microsoft\\Windows Defender*"
 OR TargetObject="*\\CurrentVersion\\Policies\\System*")
| eval suspicious=if(like(Image, "%\\temp\\%") OR like(Image, "%\\appdata\\%"), "High", "Medium")
| stats count by _time, host, Image, TargetObject, Details, suspicious
| sort -_time

Nexus SecOps Coverage: Chapter 5 — Detection Engineering | Purple Team PT-015

T1564 — Hide Artifacts¶

Tactic: Defense Evasion | Platforms: Windows, Linux, macOS | Data Sources: File, Process, Command, Windows Registry

Description: Adversaries hide files, directories, users, and other artifacts to evade detection. Sub-techniques include hidden files/directories (T1564.001), hidden users (T1564.002), hidden windows (T1564.003), NTFS file attributes / Alternate Data Streams (T1564.004), and hidden file systems (T1564.005). ADS abuse is a classic Windows evasion technique that allows embedding executable payloads inside innocuous files.

Detection Approach:

• Monitor for NTFS Alternate Data Streams creation via Sysmon Event ID 15 or endpoint telemetry
• Detect use of attrib +h or attrib +s +h to hide files
• Watch for hidden user account creation (net user /add with $ suffix)
• On Linux/macOS, watch for creation of dotfiles in non-standard locations

// Detect NTFS Alternate Data Streams creation and hidden file operations
union
(
    // ADS creation via file writes
    DeviceFileEvents
    | where FileName contains ":"
    | where FileName !endswith ":Zone.Identifier"  // Exclude MOTW
    | project Timestamp, DeviceName, FileName, FolderPath,
              InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
    // attrib command hiding files
    DeviceProcessEvents
    | where FileName == "attrib.exe"
    | where ProcessCommandLine has "+h" or ProcessCommandLine has "+s"
    | project Timestamp, DeviceName, FileName, ProcessCommandLine,
              InitiatingProcessFileName
)
| sort by Timestamp desc

index=sysmon (EventCode=15 OR EventCode=1)
| eval ads_detected=if(EventCode=15 AND NOT like(TargetFilename, "%:Zone.Identifier"), 1, 0)
| eval attrib_hidden=if(EventCode=1 AND Image="*\\attrib.exe"
    AND (CommandLine="*+h*" OR CommandLine="*+s*"), 1, 0)
| where ads_detected=1 OR attrib_hidden=1
| stats count by _time, host, Image, TargetFilename, CommandLine
| sort -_time

Nexus SecOps Coverage: Chapter 18 — Malware Analysis | Chapter 27 — Digital Forensics

T1553 — Subvert Trust Controls¶

Tactic: Defense Evasion | Platforms: Windows, Linux, macOS | Data Sources: File, Module, Windows Registry, Process

Description: Adversaries undermine security controls that rely on trust mechanisms such as code signing, certificate validation, and Mark-of-the-Web (MOTW). Sub-techniques include Gatekeeper Bypass (T1553.001), Code Signing (T1553.002), SIP and Trust Provider Hijacking (T1553.003), Install Root Certificate (T1553.004), and Mark-of-the-Web Bypass (T1553.005). MOTW bypass is increasingly used in phishing campaigns that deliver ISO/IMG or container files to avoid SmartScreen prompts.

Detection Approach:

• Monitor for installation of root certificates via certutil -addstore or registry modifications to ROOT certificate store
• Detect MOTW bypass attempts: files delivered via ISO/IMG/VHD mounts that lack Zone.Identifier
• Watch for SIP (Subject Interface Package) DLL hijacking in the registry
• Alert on executables with revoked, expired, or self-signed certificates

// Detect root certificate installation and MOTW bypass techniques
union
(
    // Root certificate installation via certutil
    DeviceProcessEvents
    | where FileName == "certutil.exe"
    | where ProcessCommandLine has_any ("-addstore", "/addstore", "-add", "Root")
    | project Timestamp, DeviceName, ProcessCommandLine,
              InitiatingProcessFileName, AccountName
),
(
    // ISO/IMG/VHD mount followed by execution (MOTW bypass)
    DeviceFileEvents
    | where FileName endswith_cs ".iso" or FileName endswith_cs ".img"
            or FileName endswith_cs ".vhd" or FileName endswith_cs ".vhdx"
    | where ActionType == "FileCreated"
    | project Timestamp, DeviceName, FileName, FolderPath,
              InitiatingProcessFileName
)
| sort by Timestamp desc

index=sysmon EventCode=1
((Image="*\\certutil.exe" AND (CommandLine="*-addstore*" OR CommandLine="*/addstore*"))
 OR (Image="*\\powershell.exe" AND CommandLine="*Import-Certificate*"))
| append [
    search index=sysmon EventCode=11
    (TargetFilename="*.iso" OR TargetFilename="*.img"
     OR TargetFilename="*.vhd" OR TargetFilename="*.vhdx")
]
| stats count by _time, host, Image, CommandLine, TargetFilename
| sort -_time

Nexus SecOps Coverage: Chapter 18 — Malware Analysis | Chapter 5 — Detection Engineering

T1207 — Rogue Domain Controller (DCShadow)¶

Tactic: Defense Evasion | Platforms: Windows | Data Sources: Active Directory, Network Traffic, Windows Event Log

Description: DCShadow allows an adversary to register a rogue domain controller in Active Directory and push malicious replication changes (via DRSUAPI) that modify objects, SPNs, and group memberships. Because the changes originate from what AD considers a legitimate DC, they bypass many detection mechanisms that rely on standard event logs. This is one of the stealthiest AD attack techniques and is frequently paired with DCSync (T1003.006).

Detection Approach:

• Monitor for new nTDSDSA objects being added to the AD schema (rogue DC registration)
• Watch for DRS replication requests from non-DC sources (Event ID 4929)
• Detect new SPN registrations containing "GC/" or "E3514235-4B06-11D1-AB04" (DC replication SPN)
• Correlate with process execution of lsadump::dcshadow or Mimikatz indicators

// Detect DCShadow rogue domain controller indicators
SecurityEvent
| where EventID in (4742, 4929, 5136, 5137)
| where (EventID == 5137 and ObjectClass == "server"
         and OperationType == "%%14674")  // Object created in CN=Servers
    or (EventID == 4742 and ServicePrincipalNames has "GC/")
    or (EventID == 4929)  // Directory replication from new source
| extend AlertSeverity = "High"
| project TimeGenerated, Computer, EventID, Account,
          SubjectUserName, ObjectDN, ServicePrincipalNames
| sort by TimeGenerated desc

index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4742 ServicePrincipalNames="*GC/*")
OR (EventCode=5137 ObjectClass="server")
OR (EventCode=4929)
| eval alert_type=case(
    EventCode=4742, "SPN_Registration",
    EventCode=5137, "New_Server_Object",
    EventCode=4929, "Replication_From_New_Source")
| stats count by _time, host, Account_Name, alert_type, src_ip
| sort -_time

Nexus SecOps Coverage: Chapter 45 — AD Red Teaming | Purple Team PT-025

T1202 — Indirect Command Execution¶

Tactic: Defense Evasion | Platforms: Windows | Data Sources: Process, Command

Description: Adversaries use trusted Windows utilities to indirectly execute commands, bypassing security controls that monitor direct use of cmd.exe or powershell.exe. Utilities such as pcalua.exe, forfiles.exe, bash.exe (WSL), scriptrunner.exe, and SyncAppvPublishingServer.exe can proxy command execution. This technique evades application whitelisting and command-line auditing focused on traditional interpreters.

Detection Approach:

• Monitor process creation events for known proxy execution binaries spawning unexpected child processes
• Watch for forfiles.exe with /c parameter executing scripts or binaries
• Detect pcalua.exe -a used to launch arbitrary executables
• Alert on bash.exe or wsl.exe executing Windows binaries or scripts

// Detect indirect command execution via proxy binaries
DeviceProcessEvents
| where InitiatingProcessFileName in~
    ("forfiles.exe", "pcalua.exe", "bash.exe", "wsl.exe",
     "scriptrunner.exe", "SyncAppvPublishingServer.exe",
     "hh.exe", "control.exe", "cmstp.exe")
| where FileName !in~ ("conhost.exe", "cmd.exe")  // Expected children
| project Timestamp, DeviceName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, FileName,
          ProcessCommandLine, AccountName
| sort by Timestamp desc

index=sysmon EventCode=1
(ParentImage="*\\forfiles.exe"
 OR ParentImage="*\\pcalua.exe"
 OR ParentImage="*\\bash.exe"
 OR ParentImage="*\\wsl.exe"
 OR ParentImage="*\\scriptrunner.exe"
 OR ParentImage="*\\SyncAppvPublishingServer.exe"
 OR ParentImage="*\\hh.exe"
 OR ParentImage="*\\cmstp.exe")
| where NOT (Image="*\\conhost.exe")
| stats count by _time, host, ParentImage, Image, CommandLine
| sort -_time

Nexus SecOps Coverage: Chapter 5 — Detection Engineering | Chapter 18 — Malware Analysis

T1578 — Modify Cloud Compute Infrastructure¶

Tactic: Defense Evasion | Platforms: IaaS (AWS, Azure, GCP) | Data Sources: Cloud API Logs, Instance Metadata

Description: Adversaries modify cloud compute infrastructure to evade defenses. Sub-techniques include Create Snapshot (T1578.001), Create Cloud Instance (T1578.002), Delete Cloud Instance (T1578.003), and Revert Cloud Instance (T1578.004). Attackers may snapshot a VM, launch a copy in a region without monitoring, extract credentials from the disk, and delete the evidence. This technique exploits the ephemeral and API-driven nature of cloud infrastructure.

Detection Approach:

• Monitor for VM snapshots created by unusual principals or at unusual times
• Detect instances launched in unused or unexpected cloud regions
• Alert on rapid create-snapshot-then-delete-instance patterns
• Watch for cross-account snapshot sharing

// Detect suspicious cloud infrastructure modifications (Azure)
AzureActivity
| where OperationNameValue in (
    "MICROSOFT.COMPUTE/SNAPSHOTS/WRITE",
    "MICROSOFT.COMPUTE/DISKS/WRITE",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"
)
| where ActivityStatusValue == "Success"
| summarize Operations=make_set(OperationNameValue),
          Count=count() by Caller, CallerIpAddress,
          bin(TimeGenerated, 1h)
| where Count > 3  // Multiple infra changes in short window
| sort by TimeGenerated desc

index=cloudtrail eventName IN ("CreateSnapshot", "CreateImage",
    "RunInstances", "TerminateInstances", "CopySnapshot",
    "ModifySnapshotAttribute")
| eval suspicious=if(awsRegion!="us-east-1" AND awsRegion!="us-west-2", "Unusual_Region", "Normal")
| stats count dc(eventName) as unique_actions values(eventName) as actions
    by userIdentity.arn, sourceIPAddress, awsRegion, suspicious
| where count > 3 OR suspicious="Unusual_Region"
| sort -count

Nexus SecOps Coverage: Chapter 20 — Cloud Attack & Defense | Chapter 46 — Cloud & Container Red Team

T1197 — BITS Jobs¶

Tactic: Defense Evasion, Persistence | Platforms: Windows | Data Sources: Process, Command, Network, Service

Description: Adversaries abuse the Background Intelligent Transfer Service (BITS) to download payloads, establish persistence, and evade detection. BITS jobs are legitimate Windows mechanisms for asynchronous file transfers and survive reboots. Malware uses bitsadmin.exe or PowerShell Start-BitsTransfer to download payloads from C2 infrastructure. BITS jobs can also execute notification commands upon completion, providing a persistence mechanism.

Detection Approach:

• Monitor bitsadmin.exe executions with /transfer, /create, /addfile, or /SetNotifyCmdLine parameters
• Detect Start-BitsTransfer in PowerShell command lines
• Watch for BITS jobs downloading from external or suspicious URLs
• Alert on BITS notification commands pointing to executables in temp directories

// Detect BITS job abuse for download or persistence
union
(
    DeviceProcessEvents
    | where FileName =~ "bitsadmin.exe"
    | where ProcessCommandLine has_any
        ("/transfer", "/create", "/addfile",
         "/SetNotifyCmdLine", "/resume", "/complete")
    | project Timestamp, DeviceName, ProcessCommandLine,
              InitiatingProcessFileName, AccountName
),
(
    DeviceProcessEvents
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has "Start-BitsTransfer"
    | project Timestamp, DeviceName, ProcessCommandLine,
              InitiatingProcessFileName, AccountName
)
| sort by Timestamp desc

index=sysmon EventCode=1
((Image="*\\bitsadmin.exe"
  AND (CommandLine="*/transfer*" OR CommandLine="*/create*"
       OR CommandLine="*/addfile*" OR CommandLine="*/SetNotifyCmdLine*"))
 OR (Image="*\\powershell.exe" AND CommandLine="*Start-BitsTransfer*"))
| eval risk=case(
    like(CommandLine, "%http://%") OR like(CommandLine, "%https://%"), "High",
    like(CommandLine, "%SetNotifyCmdLine%"), "Critical",
    1=1, "Medium")
| stats count by _time, host, Image, CommandLine, risk
| sort -_time

Nexus SecOps Coverage: Chapter 5 — Detection Engineering | Purple Team PT-034

T1014 — Rootkit¶

Tactic: Defense Evasion | Platforms: Windows, Linux, macOS | Data Sources: Drive, Firmware, File, Process

Description: Rootkits intercept and modify operating system API calls to hide the presence of malware, processes, files, network connections, and registry keys. Kernel-mode rootkits hook system call tables or use filter drivers, while user-mode rootkits intercept API calls in process memory. Modern rootkits include bootkits (T1542.003) that infect the MBR/VBR/UEFI to load before the OS. Detection requires integrity monitoring at the kernel level or comparison of API results against raw disk/memory analysis.

Detection Approach:

• Compare process listing from API calls vs. raw memory analysis (cross-view detection)
• Monitor for unsigned kernel drivers being loaded (Sysmon Event ID 6)
• Watch for DKOM (Direct Kernel Object Manipulation) indicators
• Detect bootkit indicators via Secure Boot violations or UEFI integrity checks

// Detect unsigned or suspicious kernel driver loading
DeviceEvents
| where ActionType == "DriverLoaded"
| where not(FolderPath startswith @"C:\Windows\System32\drivers\")
    or SHA256 == ""  // Unsigned driver
| project Timestamp, DeviceName, FileName, FolderPath,
          SHA256, SHA1, InitiatingProcessFileName
| sort by Timestamp desc
// Cross-reference SHA256 against known-good driver hashes

index=sysmon EventCode=6
(Signed="false" OR SignatureStatus!="Valid")
| eval driver_path=ImageLoaded
| where NOT like(driver_path, "C:\\Windows\\System32\\drivers\\%")
    OR Signed="false"
| stats count by _time, host, ImageLoaded, Signed, Signature, Hashes
| sort -_time

Nexus SecOps Coverage: Chapter 18 — Malware Analysis | Chapter 27 — Digital Forensics

T1220 — XSL Script Processing¶

Tactic: Defense Evasion | Platforms: Windows | Data Sources: Process, Command, Module

Description: Adversaries use Extensible Stylesheet Language (XSL) files to execute arbitrary code via msxsl.exe or the wmic process list /format: command. XSL files can contain embedded JScript or VBScript that runs when the stylesheet is processed. This technique bypasses application whitelisting because wmic.exe is a trusted Windows binary and XSL processing is a legitimate function. The Astaroth campaign notably used XSL script processing for fileless execution.

Detection Approach:

• Monitor for msxsl.exe process execution (not commonly used in enterprise environments)
• Detect wmic.exe with /format: parameter pointing to remote or local XSL files
• Watch for XSL files created in temp directories or downloaded from external sources
• Alert on wmic format parameters referencing HTTP/HTTPS URLs

// Detect XSL script processing abuse
DeviceProcessEvents
| where (FileName =~ "msxsl.exe")
    or (FileName =~ "wmic.exe"
        and ProcessCommandLine has "/format:"
        and ProcessCommandLine has_any (".xsl", "http://", "https://"))
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

index=sysmon EventCode=1
(Image="*\\msxsl.exe"
 OR (Image="*\\wmic.exe" AND CommandLine="*/format:*"
     AND (CommandLine="*.xsl*" OR CommandLine="*http*")))
| stats count by _time, host, Image, CommandLine, ParentImage
| sort -_time

Nexus SecOps Coverage: Chapter 5 — Detection Engineering | Chapter 18 — Malware Analysis

T1221 — Template Injection¶

Tactic: Defense Evasion | Platforms: Windows | Data Sources: Network Traffic, Process, File

Description: Adversaries inject malicious code into document templates that are loaded when a user opens a seemingly benign Office document. The document contains a reference to a remote template URL, and when opened, Office fetches and executes the remote template containing macros or exploits. This technique bypasses email gateway scanning because the initial document is clean — the malicious payload is fetched at runtime. Template injection is heavily used in spear-phishing campaigns.

Detection Approach:

• Monitor Office applications (WINWORD.EXE, EXCEL.EXE) making HTTP/HTTPS connections to non-Microsoft domains
• Inspect Office document XML for external template references (Target= in .rels files)
• Watch for Office processes spawning scripting engines (cmd.exe, powershell.exe, wscript.exe)
• Alert on document template files downloaded from external IPs

// Detect Office template injection — Office app fetching remote template
DeviceNetworkEvents
| where InitiatingProcessFileName in~
    ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
| where RemoteUrl !has "microsoft.com"
    and RemoteUrl !has "office.com"
    and RemoteUrl !has "office365.com"
| where RemoteUrl has_any (".dotm", ".dotx", ".dot", ".xltm", ".xltx")
    or RemotePort == 443 or RemotePort == 80
| project Timestamp, DeviceName, InitiatingProcessFileName,
          RemoteUrl, RemoteIP, RemotePort
| sort by Timestamp desc

index=proxy OR index=sysmon
(EventCode=3 AND (Image="*\\WINWORD.EXE" OR Image="*\\EXCEL.EXE"
 OR Image="*\\POWERPNT.EXE"))
| where NOT (DestinationHostname="*microsoft.com"
    OR DestinationHostname="*office.com")
| stats count by _time, host, Image, DestinationHostname,
    DestinationIp, DestinationPort
| where count > 0
| sort -_time

Nexus SecOps Coverage: Chapter 25 — Social Engineering | Chapter 18 — Malware Analysis

Discovery (TA0007)¶

Discovery had 23% coverage (7 of 31 techniques). These techniques are high-volume but become high-signal when correlated with other suspicious activity.

T1016 — System Network Configuration Discovery¶

Tactic: Discovery | Platforms: Windows, Linux, macOS | Data Sources: Process, Command, Script

Description: Adversaries execute commands like ipconfig, ifconfig, route print, arp -a, and netsh interface show to enumerate network configuration, adapters, IP addresses, DNS servers, and routing tables. This is one of the first commands run during post-exploitation reconnaissance. While individually benign, a burst of network discovery commands from a single process or user within a short window is a strong indicator of hands-on-keyboard activity.

Detection Approach:

• Detect clusters of network enumeration commands from the same process or user within a short time window
• Watch for ipconfig, route, arp, netsh, nslookup executed in rapid succession
• Correlate with other Discovery techniques (T1049, T1057, T1082) for behavioral chaining
• Baseline normal admin behavior to reduce false positives

// Detect network configuration discovery command clusters
DeviceProcessEvents
| where FileName in~ ("ipconfig.exe", "route.exe", "arp.exe",
                      "netsh.exe", "nslookup.exe", "netstat.exe")
| summarize CommandCount=count(),
            Commands=make_set(FileName),
            FirstSeen=min(Timestamp),
            LastSeen=max(Timestamp)
    by DeviceName, AccountName, bin(Timestamp, 5m)
| where CommandCount >= 3  // 3+ discovery commands in 5 minutes
| project FirstSeen, LastSeen, DeviceName, AccountName,
          CommandCount, Commands
| sort by FirstSeen desc

index=sysmon EventCode=1
(Image="*\\ipconfig.exe" OR Image="*\\route.exe" OR Image="*\\arp.exe"
 OR Image="*\\netsh.exe" OR Image="*\\nslookup.exe"
 OR Image="*\\netstat.exe")
| bin _time span=5m
| stats dc(Image) as unique_cmds values(Image) as commands count
    by _time, host, User
| where unique_cmds >= 3
| sort -_time

Nexus SecOps Coverage: Chapter 31 — Network Security Architecture | Chapter 38 — Threat Hunting Advanced

T1049 — System Network Connections Discovery¶

Tactic: Discovery | Platforms: Windows, Linux, macOS | Data Sources: Process, Command

Description: Adversaries use netstat, ss, Get-NetTCPConnection, or WMI queries to enumerate active network connections, listening ports, and established sessions. This allows identification of services running on the host, active remote connections, and potential lateral movement targets. It is commonly observed in post-exploitation and is part of the standard reconnaissance playbook for both APT groups and commodity malware.

Detection Approach:

• Monitor for netstat -ano or netstat -anb execution, especially from non-admin processes
• Detect PowerShell Get-NetTCPConnection or WMI network queries
• Correlate with other discovery activity in the same time window
• On Linux, watch for ss -tulnp or netstat from unexpected users

// Detect network connection enumeration
DeviceProcessEvents
| where (FileName =~ "netstat.exe"
         and ProcessCommandLine has_any ("-a", "-n", "-o", "-b"))
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has "Get-NetTCPConnection")
    or (FileName =~ "cmd.exe"
        and ProcessCommandLine has "netstat")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, AccountName
| sort by Timestamp desc

index=sysmon EventCode=1
((Image="*\\netstat.exe" AND (CommandLine="*-a*" OR CommandLine="*-n*"))
 OR (Image="*\\powershell.exe" AND CommandLine="*Get-NetTCPConnection*"))
| stats count by _time, host, User, Image, CommandLine, ParentImage
| sort -_time

Nexus SecOps Coverage: Chapter 31 — Network Security Architecture | Chapter 43 — Network Pentesting

T1057 — Process Discovery¶

Tactic: Discovery | Platforms: Windows, Linux, macOS | Data Sources: Process, Command

Description: Adversaries use tasklist, Get-Process, ps, or WMI to enumerate running processes. This helps identify security tools (AV, EDR agents), running applications, and potential targets for injection or termination. Process discovery is one of the most frequently observed discovery techniques and is present in nearly every post-exploitation toolkit. Detection must rely on behavioral context rather than individual command execution.

Detection Approach:

• Monitor tasklist.exe and wmic process list commands, especially those filtering for security products
• Detect PowerShell Get-Process combined with filtering for security tool names
• Watch for tasklist /v /fo csv (verbose output piped to file — staging for exfiltration)
• Correlate with other discovery commands in the same session

// Detect process discovery with security tool enumeration
DeviceProcessEvents
| where (FileName =~ "tasklist.exe"
         and (ProcessCommandLine has "/v" or ProcessCommandLine has "/fo"))
    or (FileName =~ "wmic.exe" and ProcessCommandLine has "process list")
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any ("Get-Process", "gwmi Win32_Process"))
| where ProcessCommandLine has_any
    ("defender", "symantec", "mcafee", "kaspersky", "crowdstrike",
     "carbon", "sentinel", "cylance", "sophos", "eset")
    or ProcessCommandLine has "/fo csv"
| project Timestamp, DeviceName, ProcessCommandLine,
          InitiatingProcessFileName, AccountName
| sort by Timestamp desc

index=sysmon EventCode=1
((Image="*\\tasklist.exe" AND (CommandLine="*/v*" OR CommandLine="*/fo*"))
 OR (Image="*\\wmic.exe" AND CommandLine="*process list*"))
| eval sec_enum=if(
    match(CommandLine, "(?i)(defender|crowdstrike|sentinel|carbon|sophos|symantec)"),
    "Security_Tool_Enum", "General")
| stats count by _time, host, User, Image, CommandLine, sec_enum
| sort -_time

Nexus SecOps Coverage: Chapter 5 — Detection Engineering | Chapter 38 — Threat Hunting Advanced

T1033 — System Owner/User Discovery¶

Tactic: Discovery | Platforms: Windows, Linux, macOS | Data Sources: Process, Command

Description: Adversaries use whoami, query user, w, who, or id to identify the current user context, logged-on users, and privilege level. This is typically the first command run after gaining access to determine if privilege escalation is needed. While extremely common in legitimate administration, clustered execution with other discovery commands is a strong post-exploitation indicator.

Detection Approach:

• Monitor whoami.exe execution, particularly with /all, /priv, or /groups flags
• Detect query user or qwinsta execution for session enumeration
• Watch for net user commands querying specific accounts
• Correlate with process creation chains — shells spawning whoami immediately

// Detect user/owner discovery especially from suspicious parents
DeviceProcessEvents
| where FileName in~ ("whoami.exe", "query.exe", "qwinsta.exe")
    or (FileName =~ "net.exe" and ProcessCommandLine has "user")
| where InitiatingProcessFileName !in~
    ("explorer.exe", "services.exe", "taskeng.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine, AccountName
| sort by Timestamp desc

index=sysmon EventCode=1
(Image="*\\whoami.exe"
 OR Image="*\\query.exe"
 OR Image="*\\qwinsta.exe"
 OR (Image="*\\net.exe" AND CommandLine="*user*"))
| where NOT ParentImage IN ("*\\explorer.exe", "*\\services.exe")
| stats count by _time, host, User, Image, CommandLine, ParentImage
| sort -_time

Nexus SecOps Coverage: Chapter 5 — Detection Engineering | Chapter 45 — AD Red Teaming

T1518 — Software Discovery¶

Tactic: Discovery | Platforms: Windows, Linux, macOS | Data Sources: Process, Command, Windows Registry

Description: Adversaries enumerate installed software and versions to identify security tools (T1518.001), vulnerable applications, and potential attack surface. Commands include wmic product list, querying the Uninstall registry key, and Get-WmiObject Win32_Product. Security software discovery (T1518.001) is a priority sub-technique as attackers specifically look for EDR, AV, and monitoring tools to determine what evasion techniques to employ.

Detection Approach:

• Detect wmic product queries and PowerShell Get-WmiObject Win32_Product
• Monitor registry reads of SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
• Watch specifically for queries targeting security product names
• On Linux, detect dpkg -l, rpm -qa, or apt list --installed from unusual contexts

// Detect software and security tool discovery
DeviceProcessEvents
| where (FileName =~ "wmic.exe"
         and ProcessCommandLine has_any ("product list", "product get"))
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any
            ("Win32_Product", "Get-ItemProperty",
             "Uninstall", "Get-WmiObject"))
| project Timestamp, DeviceName, ProcessCommandLine,
          InitiatingProcessFileName, AccountName
| sort by Timestamp desc

index=sysmon EventCode=1
((Image="*\\wmic.exe" AND (CommandLine="*product list*"
  OR CommandLine="*product get*"))
 OR (Image="*\\powershell.exe" AND (CommandLine="*Win32_Product*"
  OR CommandLine="*Uninstall*")))
| stats count by _time, host, User, Image, CommandLine, ParentImage
| sort -_time

Nexus SecOps Coverage: Chapter 5 — Detection Engineering | Chapter 29 — Vulnerability Management

T1007 — System Service Discovery¶

Tactic: Discovery | Platforms: Windows, Linux, macOS | Data Sources: Process, Command

Description: Adversaries use sc query, net start, systemctl list-units, or Get-Service to enumerate running services. This reveals security agents, database services, backup tools, and other targets of interest. Ransomware operators specifically enumerate services to identify which ones to stop (T1489) before encrypting data. Service discovery is also used to find services running as privileged accounts for credential harvesting.

Detection Approach:

• Monitor sc query with type=service state=all or net start enumeration
• Detect PowerShell Get-Service with output to file or piped to filtering
• Watch for service enumeration followed by sc stop or net stop commands
• On Linux, detect systemctl list-units --type=service from non-root or unusual contexts

// Detect system service discovery
DeviceProcessEvents
| where (FileName =~ "sc.exe"
         and ProcessCommandLine has_any ("query", "queryex"))
    or (FileName =~ "net.exe" and ProcessCommandLine has "start")
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has "Get-Service")
| summarize CommandCount=count(),
            Commands=make_set(ProcessCommandLine)
    by DeviceName, AccountName, bin(Timestamp, 10m)
| where CommandCount >= 2
| sort by Timestamp desc

index=sysmon EventCode=1
((Image="*\\sc.exe" AND (CommandLine="*query*" OR CommandLine="*queryex*"))
 OR (Image="*\\net.exe" AND CommandLine="*start*")
 OR (Image="*\\powershell.exe" AND CommandLine="*Get-Service*"))
| bin _time span=10m
| stats count values(CommandLine) as commands by _time, host, User
| where count >= 2
| sort -_time

Nexus SecOps Coverage: Chapter 5 — Detection Engineering | Chapter 23 — Ransomware Deep Dive

Collection (TA0009)¶

Collection had 35% coverage (6 of 17 techniques). The following techniques represent common pre-exfiltration activities.

T1560 — Archive Collected Data¶

Tactic: Collection | Platforms: Windows, Linux, macOS | Data Sources: Process, Command, File

Description: Adversaries compress and/or encrypt collected data before exfiltration using utilities like rar.exe, 7z.exe, zip, tar, or PowerShell Compress-Archive. This is a near-universal pre-exfiltration step that reduces transfer size and may encrypt contents to evade DLP inspection. Sub-techniques include Archive via Utility (T1560.001), Archive via Library (T1560.002), and Archive via Custom Method (T1560.003). Detecting archive creation in staging directories is highly actionable.

Detection Approach:

• Monitor for archive tool execution (rar, 7z, zip) creating files in temp or staging directories
• Detect archive creation of sensitive directories (finance, HR, source code repositories)
• Watch for password-protected archive creation (-p flag in rar/7z — evades DLP)
• Alert on large archive files created by non-standard processes

// Detect suspicious archive creation for data staging
DeviceProcessEvents
| where FileName in~ ("rar.exe", "7z.exe", "7za.exe", "zip.exe",
                      "tar.exe", "WinRAR.exe")
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has "Compress-Archive")
| where ProcessCommandLine has_any
    ("-p", "a ", "Add", "-password", "Compress-Archive")
| extend HasPassword = ProcessCommandLine has_any ("-p", "-password")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          HasPassword, InitiatingProcessFileName, AccountName
| sort by Timestamp desc

index=sysmon EventCode=1
(Image="*\\rar.exe" OR Image="*\\7z.exe" OR Image="*\\7za.exe"
 OR Image="*\\WinRAR.exe"
 OR (Image="*\\powershell.exe" AND CommandLine="*Compress-Archive*"))
| eval password_protected=if(like(CommandLine, "%-p%")
    OR like(CommandLine, "%-password%"), "Yes", "No")
| eval risk=if(password_protected="Yes", "High", "Medium")
| stats count by _time, host, User, Image, CommandLine,
    password_protected, risk
| sort -_time

Nexus SecOps Coverage: Chapter 26 — Insider Threats | Chapter 38 — Threat Hunting Advanced

T1115 — Clipboard Data¶

Tactic: Collection | Platforms: Windows, Linux, macOS | Data Sources: Process, Command

Description: Adversaries access clipboard data to collect sensitive information such as passwords, cryptocurrency wallet addresses, or confidential text that users have copied. Malware can monitor the clipboard continuously using Windows API calls (GetClipboardData, OpenClipboard) or PowerShell Get-Clipboard. Clipboard hijacking malware can also replace clipboard contents (e.g., swapping cryptocurrency addresses). Info stealers commonly include clipboard monitoring modules.

Detection Approach:

• Detect processes calling clipboard APIs at high frequency (process behavior monitoring)
• Monitor PowerShell Get-Clipboard usage, especially in loops or scripts
• Watch for clipboard access from unexpected processes (non-interactive, background services)
• Detect clipboard content replacement patterns (cryptocurrency address swapping)

// Detect clipboard access via PowerShell or suspicious processes
DeviceProcessEvents
| where (FileName in~ ("powershell.exe", "pwsh.exe")
         and ProcessCommandLine has_any
             ("Get-Clipboard", "Set-Clipboard",
              "[System.Windows.Forms.Clipboard]"))
    or (FileName in~ ("cmd.exe")
        and ProcessCommandLine has "clip")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, AccountName
| sort by Timestamp desc

index=sysmon EventCode=1
((Image="*\\powershell.exe" AND (CommandLine="*Get-Clipboard*"
  OR CommandLine="*Set-Clipboard*"
  OR CommandLine="*Windows.Forms.Clipboard*"))
 OR (Image="*\\cmd.exe" AND CommandLine="*clip*"))
| stats count by _time, host, User, Image, CommandLine, ParentImage
| sort -_time

Nexus SecOps Coverage: Chapter 26 — Insider Threats | Chapter 18 — Malware Analysis

T1119 — Automated Collection¶

Tactic: Collection | Platforms: Windows, Linux, macOS | Data Sources: Process, Command, File, Script

Description: Adversaries use scripts or tools to automatically collect data from a target system at regular intervals. This includes PowerShell scripts that enumerate and copy sensitive files, scheduled tasks that harvest data periodically, or malware modules that continuously monitor specific directories for new files. Automated collection differs from manual collection in its systematic, recurring nature and is often a precursor to scheduled exfiltration (T1029).

Detection Approach:

• Monitor for scripts that recursively enumerate and copy files matching sensitive patterns (.docx, .xlsx, .pdf, .pst)
• Detect scheduled tasks or cron jobs that execute data collection scripts
• Watch for PowerShell Get-ChildItem -Recurse combined with Copy-Item to staging directories
• Alert on repeated file access patterns from the same process targeting multiple directories

// Detect automated file collection patterns
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
| where ProcessCommandLine has_any
    ("Get-ChildItem", "dir /s", "forfiles", "robocopy")
| where ProcessCommandLine has_any
    (".docx", ".xlsx", ".pdf", ".pst", ".kdbx",
     ".key", ".pem", ".pfx", ".config")
| project Timestamp, DeviceName, ProcessCommandLine,
          InitiatingProcessFileName, AccountName
| sort by Timestamp desc

index=sysmon EventCode=1
(Image="*\\powershell.exe" OR Image="*\\cmd.exe")
(CommandLine="*Get-ChildItem*" OR CommandLine="*dir /s*"
 OR CommandLine="*robocopy*" OR CommandLine="*forfiles*")
(CommandLine="*.docx*" OR CommandLine="*.xlsx*" OR CommandLine="*.pdf*"
 OR CommandLine="*.pst*" OR CommandLine="*.kdbx*" OR CommandLine="*.pem*")
| stats count by _time, host, User, Image, CommandLine
| sort -_time

Nexus SecOps Coverage: Chapter 26 — Insider Threats | Chapter 38 — Threat Hunting Advanced

T1185 — Browser Session Hijacking¶

Tactic: Collection | Platforms: Windows, Linux, macOS | Data Sources: Process, Logon Session, File

Description: Adversaries exploit browser sessions to access authenticated web applications using the victim's existing session tokens and cookies. This can involve injecting into browser processes, using browser debugging protocols (Chrome DevTools Protocol on port 9222), or stealing session storage data. Browser session hijacking is increasingly relevant as organizations move to SaaS applications where session tokens provide full access without MFA re-prompting. Evilginx and similar AiTM frameworks automate this attack at scale.

Detection Approach:

• Monitor for browser processes launched with remote debugging flags (--remote-debugging-port)
• Detect non-browser processes accessing browser cookie databases and session storage
• Watch for connections to localhost on debugging ports (9222, 9229)
• Alert on browser extension installations from external sources

// Detect browser session hijacking indicators
union
(
    // Chrome remote debugging enabled
    DeviceProcessEvents
    | where FileName in~ ("chrome.exe", "msedge.exe", "firefox.exe")
    | where ProcessCommandLine has "--remote-debugging-port"
    | project Timestamp, DeviceName, FileName, ProcessCommandLine,
              InitiatingProcessFileName
),
(
    // Non-browser process accessing browser data files
    DeviceFileEvents
    | where FolderPath has_any ("\\Google\\Chrome\\User Data",
                                "\\Microsoft\\Edge\\User Data",
                                "\\Mozilla\\Firefox\\Profiles")
    | where FileName has_any ("Cookies", "Login Data",
                              "Web Data", "Local State")
    | where InitiatingProcessFileName !in~
        ("chrome.exe", "msedge.exe", "firefox.exe", "update.exe")
    | project Timestamp, DeviceName, FileName, FolderPath,
              InitiatingProcessFileName
)
| sort by Timestamp desc

index=sysmon
((EventCode=1 AND (Image="*\\chrome.exe" OR Image="*\\msedge.exe")
  AND CommandLine="*--remote-debugging-port*")
 OR (EventCode=11 AND (TargetFilename="*\\Cookies*"
     OR TargetFilename="*\\Login Data*")
     AND NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe"
              OR Image="*\\firefox.exe")))
| stats count by _time, host, Image, CommandLine, TargetFilename
| sort -_time

Nexus SecOps Coverage: Chapter 33 — Identity & Access Security | Chapter 26 — Insider Threats

Lateral Movement (TA0008)¶

T1534 — Internal Spearphishing¶

Tactic: Lateral Movement | Platforms: Windows, Linux, macOS, SaaS | Data Sources: Email, Network, Application Log

Description: After compromising a user's email account, adversaries send spearphishing emails from that trusted internal account to other employees. Because the email originates from a legitimate internal mailbox, it bypasses external email gateway filtering and is more likely to be trusted by recipients. Internal spearphishing was used in the SolarWinds supply chain attack and is a hallmark of sophisticated APT campaigns. It can also be performed via internal messaging platforms (Slack, Teams).

Detection Approach:

• Monitor for email rule changes (forwarding rules, auto-replies) on compromised accounts
• Detect emails with attachments or links sent to unusual recipients from a single mailbox in bulk
• Watch for login anomalies on the sending account (location, device, time) preceding the internal phishing
• Alert on email activity patterns that deviate from the user's baseline

// Detect internal spearphishing indicators in email activity
EmailEvents
| where SenderFromAddress endswith "@contoso.com"  // Internal domain
| where EmailDirection == "Intra-org"
| where AttachmentCount > 0 or UrlCount > 0
| summarize RecipientCount=dcount(RecipientEmailAddress),
            Recipients=make_set(RecipientEmailAddress, 10),
            AttachmentNames=make_set(AttachmentFileName)
    by SenderFromAddress, Subject, bin(Timestamp, 1h)
| where RecipientCount > 10  // Mass internal email with attachments
| sort by Timestamp desc

index=email sourcetype="o365:management:activity"
Operation="Send" AND SenderAddress="*@contoso.com"
| where RecipientAddress="*@contoso.com"
| where AttachmentCount > 0 OR UrlCount > 0
| bin _time span=1h
| stats dc(RecipientAddress) as unique_recipients
    values(RecipientAddress) as recipients count
    by _time, SenderAddress, Subject
| where unique_recipients > 10
| sort -_time

Nexus SecOps Coverage: Chapter 25 — Social Engineering | Chapter 9 — Incident Response Lifecycle

T1563 — Remote Service Session Hijacking¶

Tactic: Lateral Movement | Platforms: Windows, Linux | Data Sources: Process, Command, Logon Session, Network

Description: Adversaries hijack existing remote service sessions (RDP, SSH) to move laterally without needing credentials. On Windows, tscon.exe can be used by a SYSTEM-level process to connect to another user's disconnected RDP session without authentication. On Linux, SSH agent forwarding or screen/tmux session hijacking serves a similar purpose. RDP session hijacking (T1563.002) is particularly dangerous as it inherits all of the target user's active sessions and cached credentials.

Detection Approach:

• Monitor for tscon.exe execution, especially when run as SYSTEM
• Detect service creation used to spawn tscon.exe with elevated privileges
• Watch for query session followed by tscon with a target session ID
• Alert on unexpected RDP session switches or session ID changes

// Detect RDP session hijacking via tscon.exe
DeviceProcessEvents
| where FileName =~ "tscon.exe"
| extend SessionTarget = extract(@"(\d+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, ProcessCommandLine,
          SessionTarget, InitiatingProcessFileName,
          InitiatingProcessCommandLine, AccountName
| sort by Timestamp desc
// Also check for service creation spawning tscon
// | join kind=inner (DeviceProcessEvents
//     | where FileName == "sc.exe" and ProcessCommandLine has "tscon")

index=sysmon EventCode=1 Image="*\\tscon.exe"
| eval hijack_indicator=if(User="NT AUTHORITY\\SYSTEM", "High", "Medium")
| stats count by _time, host, User, CommandLine, ParentImage,
    hijack_indicator
| sort -_time
// Correlate with Event ID 25 (RDP reconnection) in TerminalServices logs

Nexus SecOps Coverage: Chapter 33 — Identity & Access Security | Purple Team PT-042

T1021 — Remote Services¶

Tactic: Lateral Movement | Platforms: Windows, Linux, macOS | Data Sources: Logon Session, Network Traffic, Process

Description: Adversaries use valid accounts with remote services to move laterally within a network. Sub-techniques include Remote Desktop Protocol (T1021.001), SMB/Windows Admin Shares (T1021.002), DCOM (T1021.003), SSH (T1021.004), VNC (T1021.005), and WinRM (T1021.006). RDP and SMB are the most commonly abused protocols for lateral movement. Attackers use stolen credentials or pass-the-hash to authenticate to remote systems and execute payloads. WinRM (winrs.exe, Invoke-Command) is increasingly favored because it is less monitored than RDP or PsExec.

Detection Approach:

• Monitor for lateral RDP connections between workstations (unusual source-destination pairs)
• Detect WinRM usage from non-administrative workstations (winrs.exe, PowerShell remoting)
• Watch for PsExec-like behavior: service installation followed by remote command execution
• Alert on SMB access to admin shares (C$, ADMIN$) from non-server endpoints
• Monitor for SSH connections between Windows endpoints (unusual in Windows environments)

// Detect lateral movement via remote services
union
(
    // WinRM remote command execution
    DeviceProcessEvents
    | where FileName =~ "winrs.exe"
        or (FileName in~ ("powershell.exe", "pwsh.exe")
            and ProcessCommandLine has_any
                ("Invoke-Command", "Enter-PSSession", "New-PSSession",
                 "-ComputerName"))
    | project Timestamp, DeviceName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, AccountName
),
(
    // Admin share access from workstations
    DeviceNetworkEvents
    | where RemotePort == 445
    | where InitiatingProcessFileName in~
        ("net.exe", "net1.exe", "cmd.exe", "powershell.exe")
    | project Timestamp, DeviceName, RemoteIP, RemotePort,
              InitiatingProcessFileName,
              InitiatingProcessCommandLine
)
| sort by Timestamp desc

(index=sysmon EventCode=1
 (Image="*\\winrs.exe"
  OR (Image="*\\powershell.exe"
      AND (CommandLine="*Invoke-Command*"
           OR CommandLine="*Enter-PSSession*"
           OR CommandLine="*-ComputerName*"))))
OR (index=wineventlog EventCode=5140
    ShareName IN ("\\\\*\\C$", "\\\\*\\ADMIN$")
    NOT SubjectUserName="*$")
| eval lateral_type=case(
    like(Image, "%winrs%"), "WinRM",
    like(CommandLine, "%Invoke-Command%"), "PS_Remoting",
    EventCode=5140, "Admin_Share_Access")
| stats count by _time, host, User, lateral_type, Image,
    CommandLine, ShareName
| sort -_time

Nexus SecOps Coverage: Chapter 45 — AD Red Teaming | Chapter 43 — Network Pentesting

T1570 — Lateral Tool Transfer¶

Tactic: Lateral Movement | Platforms: Windows, Linux, macOS | Data Sources: Network Traffic, File, Process

Description: Adversaries transfer tools and files between systems within a compromised network to enable further lateral movement. Unlike Ingress Tool Transfer (T1105) which brings tools from outside, this technique moves tools between internal hosts via SMB, RDP shared drives, scp, or web services. Cobalt Strike's upload command, PsExec's file copy mechanism, and SMB file drops are common examples. Detecting internal tool transfer helps identify lateral movement corridors and staging activities.

Detection Approach:

• Monitor for executable files written to admin shares (C$, ADMIN$) on remote hosts
• Detect copy, xcopy, or robocopy targeting remote UNC paths
• Watch for PsExec-like patterns: service executable copied to remote ADMIN$ then executed
• Alert on internal SCP/SFTP transfers of script or executable files
• Track file creation events on network shares correlated with remote logon events

// Detect lateral tool transfer between internal hosts
union
(
    // File copy to remote shares via command line
    DeviceProcessEvents
    | where FileName in~ ("xcopy.exe", "robocopy.exe", "copy.exe")
    | where ProcessCommandLine has "\\\\"
    | where ProcessCommandLine has_any (".exe", ".dll", ".ps1",
                                        ".bat", ".vbs", ".js")
    | project Timestamp, DeviceName, FileName, ProcessCommandLine,
              AccountName
),
(
    // Executables created on network shares
    DeviceFileEvents
    | where ActionType == "FileCreated"
    | where FolderPath has "\\\\"
    | where FileName endswith_cs ".exe" or FileName endswith_cs ".dll"
            or FileName endswith_cs ".ps1" or FileName endswith_cs ".bat"
    | project Timestamp, DeviceName, FileName, FolderPath,
              InitiatingProcessFileName
)
| sort by Timestamp desc

(index=sysmon EventCode=1
 (Image="*\\xcopy.exe" OR Image="*\\robocopy.exe")
 CommandLine="*\\\\*"
 (CommandLine="*.exe*" OR CommandLine="*.dll*"
  OR CommandLine="*.ps1*" OR CommandLine="*.bat*"))
OR (index=sysmon EventCode=11
    TargetFilename="\\\\*"
    (TargetFilename="*.exe" OR TargetFilename="*.dll"
     OR TargetFilename="*.ps1" OR TargetFilename="*.bat"))
| eval transfer_type=case(
    EventCode=1, "Command_Line_Copy",
    EventCode=11, "Network_File_Write")
| stats count by _time, host, User, transfer_type, Image,
    CommandLine, TargetFilename
| sort -_time

Nexus SecOps Coverage: Chapter 38 — Threat Hunting Advanced | Chapter 43 — Network Pentesting

Persistence (TA0003)¶

T1556 — Modify Authentication Process¶

Tactic: Persistence, Credential Access, Defense Evasion | Platforms: Windows, Linux, Azure AD, SaaS | Data Sources: DLL, File, Logon Session, Windows Registry

Description: Adversaries modify authentication mechanisms to bypass standard authentication and gain persistent access with any credentials. Sub-techniques include Domain Controller Authentication (T1556.001 — Skeleton Key), Password Filter DLL (T1556.002), Pluggable Authentication Modules (T1556.003 on Linux), Network Device Authentication (T1556.004), and Hybrid Identity (T1556.006 — compromising Azure AD Connect). Skeleton Key allows authentication with a master password on all domain accounts while legitimate passwords continue to work, making detection exceptionally difficult.

Detection Approach:

• Monitor for DLL loading into LSASS that does not match known-good baseline
• Detect modifications to PAM configuration files on Linux (/etc/pam.d/)
• Watch for Azure AD Connect configuration changes or credential extraction
• Alert on unexpected password filter DLLs registered in the registry
• Monitor Event ID 4697 (service installed) and 4657 (registry value modified) for LSASS-related changes

// Detect authentication process modification indicators
union
(
    // New DLLs loaded by LSASS
    DeviceImageLoadEvents
    | where InitiatingProcessFileName =~ "lsass.exe"
    | where not(FolderPath startswith @"C:\Windows\System32\")
    | project Timestamp, DeviceName, FileName, FolderPath,
              SHA256, InitiatingProcessFileName
),
(
    // Password filter DLL registration
    DeviceRegistryEvents
    | where RegistryKey has
        @"SYSTEM\CurrentControlSet\Control\Lsa"
    | where RegistryValueName in ("Notification Packages",
                                   "Security Packages",
                                   "Authentication Packages")
    | project Timestamp, DeviceName, RegistryKey,
              RegistryValueName, RegistryValueData
)
| sort by Timestamp desc

(index=sysmon EventCode=7 Image="*\\lsass.exe"
 NOT ImageLoaded="C:\\Windows\\System32\\*")
OR (index=sysmon EventCode=13
    TargetObject="*\\Control\\Lsa\\*"
    (TargetObject="*Notification Packages*"
     OR TargetObject="*Security Packages*"
     OR TargetObject="*Authentication Packages*"))
| eval alert_type=case(
    EventCode=7, "Suspicious_LSASS_DLL",
    EventCode=13, "LSA_Registry_Modified")
| stats count by _time, host, alert_type, ImageLoaded,
    TargetObject, Details
| sort -_time

Nexus SecOps Coverage: Chapter 45 — AD Red Teaming | Chapter 33 — Identity & Access Security

T1037 — Boot or Logon Initialization Scripts¶

Tactic: Persistence | Platforms: Windows, Linux, macOS | Data Sources: Process, Command, File, Windows Registry

Description: Adversaries use logon scripts, startup scripts, and initialization files to execute malicious code when a user logs on or the system boots. On Windows, this includes logon scripts assigned via Group Policy or the user's profile (UserInitMprLogon registry key), startup folder items, and Active Directory logon scripts. On Linux/macOS, this includes .bash_profile, .bashrc, .zshrc, /etc/profile.d/, and rc.local. These mechanisms provide reliable persistence across reboots and user sessions.

Detection Approach:

• Monitor for new or modified files in Windows startup folders and logon script directories
• Detect Group Policy modifications that add logon scripts
• Watch for changes to UserInitMprLogonScript registry value
• On Linux, monitor changes to shell profile files and /etc/profile.d/
• Alert on SYSVOL script modifications in Active Directory

// Detect logon script persistence mechanisms
union
(
    // Registry-based logon scripts
    DeviceRegistryEvents
    | where RegistryKey has "UserInitMprLogonScript"
        or RegistryKey has @"Environment\UserInitMprLogonScript"
    | project Timestamp, DeviceName, RegistryKey,
              RegistryValueData, InitiatingProcessFileName
),
(
    // Startup folder modifications
    DeviceFileEvents
    | where FolderPath has @"Start Menu\Programs\Startup"
    | where ActionType == "FileCreated"
    | project Timestamp, DeviceName, FileName, FolderPath,
              InitiatingProcessFileName
),
(
    // GPO logon script modifications
    DeviceFileEvents
    | where FolderPath has @"SYSVOL" and FolderPath has @"scripts"
    | where ActionType in ("FileCreated", "FileModified")
    | project Timestamp, DeviceName, FileName, FolderPath,
              InitiatingProcessFileName
)
| sort by Timestamp desc

(index=sysmon EventCode=13
 TargetObject="*UserInitMprLogonScript*")
OR (index=sysmon EventCode=11
    (TargetFilename="*\\Start Menu\\Programs\\Startup\\*"
     OR TargetFilename="*\\SYSVOL\\*scripts*"))
| eval persistence_type=case(
    EventCode=13, "Registry_Logon_Script",
    like(TargetFilename, "%Startup%"), "Startup_Folder",
    like(TargetFilename, "%SYSVOL%"), "GPO_Script")
| stats count by _time, host, persistence_type, Image,
    TargetObject, TargetFilename
| sort -_time

Nexus SecOps Coverage: Chapter 5 — Detection Engineering | Chapter 45 — AD Red Teaming

T1137 — Office Application Startup¶

Tactic: Persistence | Platforms: Windows | Data Sources: Process, Command, File, Windows Registry

Description: Adversaries abuse Microsoft Office startup mechanisms to establish persistence. Sub-techniques include Office Template Macros (T1137.001), Office Test (T1137.002), Outlook Forms (T1137.003), Outlook Home Page (T1137.004), Outlook Rules (T1137.005), and Add-ins (T1137.006). The Office Test registry key (HKCU\Software\Microsoft\Office test\Special\Perf) loads a specified DLL every time any Office application starts. Outlook rules and forms can execute commands when triggered by specific email patterns, providing a unique persistence mechanism that is difficult to detect.

Detection Approach:

• Monitor for creation of the Office test\Special\Perf registry key
• Detect new Office add-in files (.xll, .wll, .dll) in Office startup directories
• Watch for Outlook rule creation via PowerShell or VBA that executes applications
• Alert on modifications to Office trusted locations or macro security settings

// Detect Office application startup persistence
union
(
    // Office Test registry key (DLL persistence)
    DeviceRegistryEvents
    | where RegistryKey has @"Office test\Special\Perf"
    | project Timestamp, DeviceName, RegistryKey,
              RegistryValueData, InitiatingProcessFileName
),
(
    // Office add-in file creation
    DeviceFileEvents
    | where (FileName endswith ".xll" or FileName endswith ".wll"
             or FileName endswith ".xlam")
    | where FolderPath has_any ("\\Microsoft\\AddIns",
                                "\\Office\\Startup",
                                "\\XLSTART")
    | project Timestamp, DeviceName, FileName, FolderPath,
              InitiatingProcessFileName
)
| sort by Timestamp desc

(index=sysmon EventCode=13
 TargetObject="*Office test\\Special\\Perf*")
OR (index=sysmon EventCode=11
    (TargetFilename="*.xll" OR TargetFilename="*.wll"
     OR TargetFilename="*.xlam")
    (TargetFilename="*\\AddIns\\*" OR TargetFilename="*\\Startup\\*"
     OR TargetFilename="*\\XLSTART\\*"))
| eval persistence_type=case(
    like(TargetObject, "%Office test%"), "Office_Test_Key",
    1=1, "Office_AddIn")
| stats count by _time, host, persistence_type, Image,
    TargetObject, TargetFilename
| sort -_time

Nexus SecOps Coverage: Chapter 25 — Social Engineering | Chapter 5 — Detection Engineering

Credential Access (TA0006)¶

T1621 — Multi-Factor Authentication Request Generation¶

Tactic: Credential Access | Platforms: Windows, Azure AD, SaaS, IaaS | Data Sources: Logon Session, Application Log, User Account

Description: Adversaries bombard a user with MFA push notifications (MFA fatigue / MFA bombing) hoping the user will approve one to stop the notifications. This technique was used in high-profile breaches at Uber (2022), Cisco (2022), and Microsoft (2023). Once the user approves a push, the attacker gains authenticated access. This is effective against push-based MFA but not against phishing-resistant methods like FIDO2/WebAuthn. Organizations should implement number matching and additional context in MFA prompts.

Detection Approach:

• Monitor for repeated MFA push denials followed by an approval from the same user
• Alert on more than 5 MFA requests within 10 minutes for a single user
• Detect MFA approvals from geographically impossible locations
• Watch for sign-in patterns where the MFA request originates from a different IP than the user's typical location

// Detect MFA fatigue / MFA bombing attempts
SigninLogs
| where ResultType in ("50074", "50076")  // MFA required
    or AuthenticationRequirement == "multiFactorAuthentication"
| summarize
    TotalAttempts=count(),
    Denials=countif(ResultType != "0"),
    Approvals=countif(ResultType == "0"),
    UniqueIPs=dcount(IPAddress),
    IPs=make_set(IPAddress)
    by UserPrincipalName, bin(TimeGenerated, 10m)
| where TotalAttempts > 5
| where Denials > 3
| extend RiskLevel = iff(Approvals > 0 and Denials > 3,
                         "Critical - Likely Compromise", "High - Active Attack")
| sort by TimeGenerated desc

index=azure sourcetype="azure:aad:signin"
(ResultType="50074" OR ResultType="50076"
 OR AuthenticationRequirement="multiFactorAuthentication")
| bin _time span=10m
| stats count as total_attempts
    count(eval(ResultType!="0")) as denials
    count(eval(ResultType="0")) as approvals
    dc(IPAddress) as unique_ips values(IPAddress) as ips
    by _time, UserPrincipalName
| where total_attempts > 5 AND denials > 3
| eval risk=if(approvals > 0 AND denials > 3,
    "CRITICAL_LIKELY_COMPROMISE", "HIGH_ACTIVE_ATTACK")
| sort -_time

Nexus SecOps Coverage: Chapter 33 — Identity & Access Security | Chapter 9 — Incident Response Lifecycle

T1539 — Steal Web Session Cookie¶

Tactic: Credential Access | Platforms: Windows, Linux, macOS, SaaS | Data Sources: File, Process, Logon Session

Description: Adversaries steal web session cookies from browsers to hijack authenticated sessions without needing credentials or MFA tokens. Tools like Evilginx2 (adversary-in-the-middle) intercept session cookies during legitimate authentication flows. Locally, malware can extract cookies from browser SQLite databases (Cookies file in Chrome/Edge profile directories). Stolen session cookies bypass MFA entirely because they represent an already-authenticated session. This technique is central to modern AiTM phishing campaigns and token theft attacks.

Detection Approach:

• Detect non-browser processes reading browser cookie databases
• Monitor for token replay from new/unusual IP addresses or devices
• Watch for impossible travel: same session token used from two geographically distant IPs
• Alert on cookie database access from scripting engines (Python, PowerShell)
• Detect conditional access policy violations (session from non-compliant device)

// Detect session cookie theft and token replay
union
(
    // Non-browser process accessing cookie stores
    DeviceFileEvents
    | where FileName =~ "Cookies" or FileName =~ "Cookies-journal"
    | where FolderPath has_any ("Chrome", "Edge", "Firefox")
    | where InitiatingProcessFileName !in~
        ("chrome.exe", "msedge.exe", "firefox.exe",
         "GoogleUpdate.exe", "MicrosoftEdgeUpdate.exe")
    | project Timestamp, DeviceName, FileName, FolderPath,
              InitiatingProcessFileName
),
(
    // Sign-in with session token from unusual location
    AADSignInEventsBeta
    | where ErrorCode == 0
    | where IsInteractive == false  // Token-based auth
    | where RiskLevelDuringSignIn in ("high", "medium")
    | project Timestamp, AccountUpn, IPAddress, City, Country,
              Application, RiskLevelDuringSignIn
)
| sort by Timestamp desc

(index=sysmon EventCode=1
 (CommandLine="*\\Cookies*" OR CommandLine="*Login Data*")
 NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe"
      OR Image="*\\firefox.exe"))
OR (index=azure sourcetype="azure:aad:signin"
    ResultType=0 IsInteractive="false"
    (RiskLevelDuringSignIn="high" OR RiskLevelDuringSignIn="medium"))
| stats count by _time, host, Image, CommandLine, UserPrincipalName,
    IPAddress
| sort -_time

Nexus SecOps Coverage: Chapter 33 — Identity & Access Security | Chapter 25 — Social Engineering

T1528 — Steal Application Access Token¶

Tactic: Credential Access | Platforms: Azure AD, SaaS, IaaS | Data Sources: Application Log, Web Credential

Description: Adversaries steal OAuth tokens, API keys, and application access tokens to access cloud resources and SaaS applications. Consent phishing (illicit consent grant) tricks users into granting malicious applications permissions to their account. Attackers can also extract tokens from cloud metadata services, environment variables, configuration files, or browser local storage. Stolen application tokens often have broader permissions than user tokens and may not be subject to MFA or conditional access policies.

Detection Approach:

• Monitor for OAuth application consent grants, especially with high-privilege scopes (Mail.Read, Files.ReadWrite.All)
• Detect application registrations with unusual redirect URIs
• Watch for access tokens used from IPs that differ from the original authentication
• Alert on API calls using service principal tokens from non-approved IP ranges
• Monitor for unusual Graph API access patterns (bulk mail or file access)

// Detect illicit OAuth consent grants and token theft
AuditLogs
| where OperationName == "Consent to application"
| extend AppName = tostring(TargetResources[0].displayName)
| extend Permissions = tostring(TargetResources[0].modifiedProperties
    [4].newValue)
| where Permissions has_any ("Mail.Read", "Mail.ReadWrite",
        "Files.ReadWrite.All", "Directory.ReadWrite.All",
        "User.ReadWrite.All")
| project TimeGenerated, InitiatedBy, AppName, Permissions,
          CorrelationId
| sort by TimeGenerated desc

index=azure sourcetype="azure:aad:audit"
Operation="Consent to application"
| spath output=app_name path="TargetResources{}.displayName"
| spath output=permissions path="TargetResources{}.modifiedProperties{}.newValue"
| where match(permissions,
    "(?i)(Mail\\.Read|Files\\.ReadWrite|Directory\\.ReadWrite)")
| stats count by _time, InitiatedBy, app_name, permissions
| sort -_time

Nexus SecOps Coverage: Chapter 33 — Identity & Access Security | Chapter 20 — Cloud Attack & Defense

Command and Control (TA0011)¶

T1105 — Ingress Tool Transfer¶

Tactic: Command and Control | Platforms: Windows, Linux, macOS | Data Sources: Process, Command, Network, File

Description: Adversaries transfer tools and payloads from external systems into the compromised environment. This is present in virtually every intrusion. Common methods include certutil -urlcache, curl, wget, Invoke-WebRequest, bitsadmin /transfer, and PowerShell DownloadString/DownloadFile. Detection of ingress tool transfer is a foundational capability that catches both commodity malware and advanced threats during the tooling phase.

Detection Approach:

• Monitor LOLBins used for downloads: certutil, bitsadmin, curl, wget
• Detect PowerShell download cradles: IEX, DownloadString, DownloadFile, Invoke-WebRequest
• Watch for executables and scripts created in temp directories after network connections
• Alert on large file downloads to unusual directories from non-browser processes

// Detect ingress tool transfer via LOLBins and PowerShell
DeviceProcessEvents
| where (FileName =~ "certutil.exe"
         and ProcessCommandLine has_any
             ("-urlcache", "urlcache", "-split", "http"))
    or (FileName =~ "curl.exe"
        and ProcessCommandLine has_any ("-o", "--output", "-O"))
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any
            ("DownloadString", "DownloadFile", "Invoke-WebRequest",
             "wget", "IWR", "Start-BitsTransfer",
             "Invoke-RestMethod", "IEX", "iex"))
    or (FileName =~ "bitsadmin.exe"
        and ProcessCommandLine has "/transfer")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, AccountName
| sort by Timestamp desc

index=sysmon EventCode=1
((Image="*\\certutil.exe" AND (CommandLine="*-urlcache*"
  OR CommandLine="*http*"))
 OR (Image="*\\curl.exe" AND (CommandLine="*-o *" OR CommandLine="*-O*"))
 OR (Image="*\\powershell.exe"
     AND (CommandLine="*DownloadString*" OR CommandLine="*DownloadFile*"
          OR CommandLine="*Invoke-WebRequest*" OR CommandLine="*IEX*"
          OR CommandLine="*Start-BitsTransfer*"))
 OR (Image="*\\bitsadmin.exe" AND CommandLine="*/transfer*"))
| eval download_tool=case(
    like(Image, "%certutil%"), "CertUtil",
    like(Image, "%curl%"), "Curl",
    like(Image, "%powershell%"), "PowerShell",
    like(Image, "%bitsadmin%"), "BitsAdmin",
    1=1, "Other")
| stats count by _time, host, User, download_tool, Image, CommandLine
| sort -_time

Nexus SecOps Coverage: Chapter 5 — Detection Engineering | Chapter 38 — Threat Hunting Advanced

T1219 — Remote Access Software¶

Tactic: Command and Control | Platforms: Windows, Linux, macOS | Data Sources: Process, Network, File

Description: Adversaries use legitimate remote access tools (RATs) such as AnyDesk, TeamViewer, ConnectWise/ScreenConnect, Splashtop, Atera, and RustDesk as C2 channels. These tools provide encrypted, bidirectional communication that blends with legitimate IT administration traffic. Over 70% of ransomware incidents in 2024-2025 involved abuse of commercial remote access software. Because these are signed, legitimate applications, they bypass application whitelisting and many endpoint detection rules.

Detection Approach:

• Maintain an allowlist of approved remote access tools; alert on any not on the list
• Monitor for remote access tool installation or first-time execution
• Detect remote access tool network connections from endpoints that should not use them
• Watch for portable/standalone versions running from temp or download directories
• Alert on remote access tools running as services or scheduled tasks

// Detect unauthorized remote access tool usage
let ApprovedRATs = dynamic(["yourapprovedtool.exe"]);
DeviceProcessEvents
| where FileName in~
    ("AnyDesk.exe", "TeamViewer.exe", "ScreenConnect.ClientService.exe",
     "ScreenConnect.WindowsClient.exe", "SplashtopStreamer.exe",
     "AteraAgent.exe", "rustdesk.exe", "RemoteDesktopManager.exe",
     "LogMeIn.exe", "GoToAssist.exe", "Bomgar.exe",
     "dwservice.exe", "meshagent.exe")
| where FileName !in (ApprovedRATs)
| project Timestamp, DeviceName, FileName, FolderPath,
          ProcessCommandLine, AccountName
| sort by Timestamp desc

index=sysmon EventCode=1
(Image="*\\AnyDesk.exe" OR Image="*\\TeamViewer.exe"
 OR Image="*\\ScreenConnect*" OR Image="*\\SplashtopStreamer.exe"
 OR Image="*\\AteraAgent.exe" OR Image="*\\rustdesk.exe"
 OR Image="*\\LogMeIn.exe" OR Image="*\\meshagent.exe"
 OR Image="*\\dwservice.exe")
| lookup approved_rats.csv Image OUTPUT approved
| where isnull(approved) OR approved!="true"
| eval risk=if(like(Image, "%\\Temp\\%") OR like(Image, "%\\Downloads\\%"),
    "High", "Medium")
| stats count by _time, host, User, Image, risk
| sort -_time

Nexus SecOps Coverage: Chapter 38 — Threat Hunting Advanced | Chapter 23 — Ransomware Deep Dive

T1568 — Dynamic Resolution¶

Tactic: Command and Control | Platforms: Windows, Linux, macOS | Data Sources: Network Traffic, DNS

Description: Adversaries use dynamic resolution techniques to determine C2 server addresses at runtime rather than hardcoding them. Sub-techniques include Fast Flux DNS (T1568.001), Domain Generation Algorithms (T1568.002), and DNS Calculation (T1568.003). DGAs generate large numbers of pseudo-random domain names, only a few of which are registered by the attacker. This makes blocklisting infeasible and is used by malware families like Emotet, DarkGate, Qakbot, and many botnets. DGA detection is foundational for network-based threat hunting.

Detection Approach:

• Analyze DNS queries for high-entropy domain names (randomness scoring)
• Detect high volumes of NXDOMAIN responses from a single host (DGA domains that are not registered)
• Monitor for DNS queries to domains with unusual TLD distribution
• Watch for rapid cycling through many unique domains from a single process
• Use ML-based DGA classifiers on DNS query logs

// Detect Domain Generation Algorithm (DGA) activity
DnsEvents
| where Name !endswith ".arpa"  // Exclude reverse DNS
| extend DomainParts = split(Name, ".")
| extend SecondLevelDomain = tostring(DomainParts[0])
| extend DomainLength = strlen(SecondLevelDomain)
| where DomainLength > 12  // Long random-looking domains
| where ResultCode == 3  // NXDOMAIN
| summarize NXDomainCount=count(),
            UniqueDomains=dcount(Name),
            SampleDomains=make_set(Name, 10)
    by ClientIP, bin(TimeGenerated, 15m)
| where NXDomainCount > 50  // High NXDOMAIN rate = DGA
| sort by TimeGenerated desc

index=dns sourcetype="stream:dns" reply_code="NXDOMAIN"
| eval domain_parts=split(query, ".")
| eval sld=mvindex(domain_parts, 0)
| eval sld_len=len(sld)
| where sld_len > 12
| bin _time span=15m
| stats count as nxdomain_count dc(query) as unique_domains
    values(query) as sample_domains by _time, src_ip
| where nxdomain_count > 50
| sort -_time

Nexus SecOps Coverage: Chapter 38 — Threat Hunting Advanced | Chapter 31 — Network Security Architecture

T1571 — Non-Standard Port¶

Tactic: Command and Control | Platforms: Windows, Linux, macOS | Data Sources: Network Traffic, Process

Description: Adversaries use non-standard ports for C2 communication to evade firewall rules and network monitoring focused on standard service ports. Examples include HTTP traffic on port 8080, 8443, or 53 (masquerading as DNS); HTTPS on port 4443 or 8888; and custom protocols on high ports. While individual connections on non-standard ports may be legitimate, persistent connections to external IPs on unusual ports from endpoints that typically only use 80/443 are strong C2 indicators.

Detection Approach:

• Baseline normal port usage per endpoint and alert on deviations
• Detect HTTP/HTTPS protocol signatures on non-standard ports
• Monitor for long-duration connections on unusual ports to external IPs
• Watch for beaconing patterns (regular interval connections) on any port
• Alert on encrypted traffic to non-standard ports without valid certificates

// Detect C2 communication on non-standard ports
DeviceNetworkEvents
| where RemotePort !in (80, 443, 53, 22, 25, 110, 143, 993, 995, 587)
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName !in~
    ("svchost.exe", "MicrosoftEdgeUpdate.exe", "OneDrive.exe",
     "Teams.exe", "Outlook.exe", "chrome.exe", "msedge.exe")
| summarize ConnectionCount=count(),
            BytesSent=sum(SentBytes),
            FirstSeen=min(Timestamp),
            LastSeen=max(Timestamp)
    by DeviceName, InitiatingProcessFileName, RemoteIP,
       RemotePort, bin(Timestamp, 1h)
| where ConnectionCount > 5  // Repeated connections
| sort by ConnectionCount desc

index=firewall OR index=proxy
NOT (dest_port IN (80, 443, 53, 22, 25, 110, 143, 993, 995, 587))
action="allowed" direction="outbound"
| where NOT cidrmatch("10.0.0.0/8", dest_ip)
    AND NOT cidrmatch("172.16.0.0/12", dest_ip)
    AND NOT cidrmatch("192.168.0.0/16", dest_ip)
| stats count dc(dest_ip) as unique_dests
    sum(bytes_out) as total_bytes_out
    by src_ip, dest_port, app
| where count > 5
| sort -count

Nexus SecOps Coverage: Chapter 31 — Network Security Architecture | Chapter 38 — Threat Hunting Advanced

Impact (TA0040)¶

T1489 — Service Stop¶

Tactic: Impact | Platforms: Windows, Linux | Data Sources: Process, Command, Service, Windows Event Log

Description: Adversaries stop security services, backup services, and database services to maximize the impact of destructive actions like ransomware encryption. Common targets include SQL Server, Exchange, backup agents (Veeam, Acronis), VSS (Volume Shadow Copy), and security tools (Windows Defender, EDR agents). Ransomware families like LockBit, BlackCat/ALPHV, and Conti systematically stop services before encrypting data. This is one of the most reliable ransomware precursor indicators.

Detection Approach:

• Monitor for bulk service stop commands (sc stop, net stop, Stop-Service)
• Detect batch scripts or PowerShell loops that iterate through service stop lists
• Watch for specific service targets: SQL, Exchange, backup, and security services
• Alert on VSS deletion (vssadmin delete shadows) combined with service stops
• Correlate with process creation from ransomware-associated parent processes

// Detect ransomware precursor: bulk service stop activity
DeviceProcessEvents
| where (FileName =~ "sc.exe" and ProcessCommandLine has "stop")
    or (FileName =~ "net.exe" and ProcessCommandLine has "stop")
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has "Stop-Service")
    or (FileName =~ "taskkill.exe"
        and ProcessCommandLine has_any ("/f", "/im"))
| where ProcessCommandLine has_any
    ("sql", "exchange", "veeam", "backup", "acronis",
     "sophos", "defender", "vss", "mysql", "oracle",
     "postgresql", "tomcat", "apache", "iis")
| summarize StopCount=count(),
            Services=make_set(ProcessCommandLine, 20)
    by DeviceName, AccountName, bin(Timestamp, 5m)
| where StopCount >= 3  // 3+ service stops in 5 minutes
| extend AlertSeverity = iff(StopCount > 5, "Critical", "High")
| sort by Timestamp desc

index=sysmon EventCode=1
((Image="*\\sc.exe" AND CommandLine="*stop*")
 OR (Image="*\\net.exe" AND CommandLine="*stop*")
 OR (Image="*\\powershell.exe" AND CommandLine="*Stop-Service*")
 OR (Image="*\\taskkill.exe" AND CommandLine="*/f*"))
(CommandLine="*sql*" OR CommandLine="*exchange*" OR CommandLine="*veeam*"
 OR CommandLine="*backup*" OR CommandLine="*sophos*"
 OR CommandLine="*defender*" OR CommandLine="*vss*")
| bin _time span=5m
| stats count dc(CommandLine) as unique_commands
    values(CommandLine) as commands by _time, host, User
| where count >= 3
| eval severity=if(count > 5, "CRITICAL", "HIGH")
| sort -_time

Nexus SecOps Coverage: Chapter 23 — Ransomware Deep Dive | Chapter 28 — Advanced Incident Response

T1496 — Resource Hijacking¶

Tactic: Impact | Platforms: Windows, Linux, macOS, IaaS, Containers | Data Sources: Process, Network, Sensor Health, Cloud API Logs

Description: Adversaries hijack compute resources for cryptocurrency mining (cryptojacking), distributed denial-of-service, or other resource-intensive tasks. Cryptojacking is the most common form, deploying miners like XMRig on compromised servers, cloud instances, or Kubernetes clusters. In cloud environments, attackers spin up large GPU instances for mining. Indicators include sustained high CPU usage, connections to mining pool domains/IPs, and Stratum protocol traffic. Cloud cryptojacking can generate significant financial impact through resource consumption.

Detection Approach:

• Monitor for known mining tool processes (xmrig, ccminer, cpuminer, minerd, ethminer)
• Detect connections to known mining pool domains and Stratum protocol ports (3333, 4444, 5555, 8333)
• Watch for sustained high CPU usage (>90%) on servers without corresponding legitimate workload
• In cloud environments, alert on unexpected GPU instance launches or cost anomalies
• Monitor for Kubernetes pods with resource requests inconsistent with their container image

// Detect cryptojacking / resource hijacking indicators
union
(
    // Known mining tool execution
    DeviceProcessEvents
    | where FileName in~ ("xmrig.exe", "xmrig", "ccminer.exe",
                          "cpuminer.exe", "minerd", "ethminer.exe",
                          "minergate.exe", "nicehashminer.exe")
        or ProcessCommandLine has_any
            ("stratum+tcp://", "stratum+ssl://",
             "--algo=", "-a cryptonight", "--donate-level",
             "pool.minexmr", "pool.hashvault", "nanopool.org")
    | project Timestamp, DeviceName, FileName,
              ProcessCommandLine, AccountName
),
(
    // Connections to mining pool ports
    DeviceNetworkEvents
    | where RemotePort in (3333, 4444, 5555, 7777, 8333, 9999, 14433)
    | where RemoteIPType == "Public"
    | project Timestamp, DeviceName, RemoteIP, RemotePort,
              InitiatingProcessFileName
)
| sort by Timestamp desc

(index=sysmon EventCode=1
 (Image="*xmrig*" OR Image="*ccminer*" OR Image="*cpuminer*"
  OR Image="*minerd*" OR Image="*ethminer*"
  OR CommandLine="*stratum+tcp*" OR CommandLine="*stratum+ssl*"
  OR CommandLine="*--algo=*" OR CommandLine="*cryptonight*"
  OR CommandLine="*pool.minexmr*" OR CommandLine="*nanopool*"))
OR (index=sysmon EventCode=3
    DestinationPort IN (3333, 4444, 5555, 7777, 8333, 14433)
    NOT (DestinationIp="10.*" OR DestinationIp="172.16.*"
         OR DestinationIp="192.168.*"))
| stats count by _time, host, Image, CommandLine,
    DestinationIp, DestinationPort
| sort -_time

Nexus SecOps Coverage: Chapter 20 — Cloud Attack & Defense | Cryptojacking Playbook

T1531 — Account Access Removal¶

Tactic: Impact | Platforms: Windows, Linux, Azure AD, SaaS | Data Sources: Active Directory, User Account, Windows Event Log

Description: Adversaries delete accounts, change passwords, or remove credentials to prevent legitimate users and administrators from accessing systems during or after an attack. This is commonly used alongside destructive attacks (wiper malware, ransomware) to slow incident response by locking out defenders. Examples include changing domain admin passwords, disabling accounts, removing MFA registration, and revoking cloud access keys. This technique maximizes dwell time by preventing responders from taking remediation actions.

Detection Approach:

• Monitor for bulk password resets or account disabling in Active Directory
• Detect removal of MFA methods from user accounts
• Watch for deletion of service accounts or privileged accounts
• Alert on mass group membership changes (removing users from admin groups)
• Correlate with other destructive techniques (T1485, T1486, T1489)

// Detect account access removal — bulk password changes or disabling
union
(
    // Bulk password resets in AD
    SecurityEvent
    | where EventID in (4724, 4723)  // Password reset
    | summarize ResetCount=count(),
                TargetAccounts=make_set(TargetUserName, 20)
        by SubjectUserName, bin(TimeGenerated, 15m)
    | where ResetCount > 5  // 5+ resets in 15 minutes
),
(
    // Account disabled events
    SecurityEvent
    | where EventID == 4725  // Account disabled
    | summarize DisabledCount=count(),
                DisabledAccounts=make_set(TargetUserName, 20)
        by SubjectUserName, bin(TimeGenerated, 15m)
    | where DisabledCount > 3
)
| sort by TimeGenerated desc

index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4724 OR EventCode=4723 OR EventCode=4725 OR EventCode=4726)
| eval action_type=case(
    EventCode=4724 OR EventCode=4723, "Password_Reset",
    EventCode=4725, "Account_Disabled",
    EventCode=4726, "Account_Deleted")
| bin _time span=15m
| stats count dc(TargetUserName) as unique_targets
    values(TargetUserName) as targets
    by _time, SubjectUserName, action_type
| where count > 3
| eval severity=if(count > 10, "CRITICAL", "HIGH")
| sort -_time

Nexus SecOps Coverage: Chapter 28 — Advanced Incident Response | Chapter 33 — Identity & Access Security

T1486 — Data Encrypted for Impact¶

Tactic: Impact | Platforms: Windows, Linux, macOS, IaaS | Data Sources: Process, Command, File, Network Share

Description: Adversaries encrypt data on target systems to interrupt availability and hold it for ransom. Ransomware encrypts files using symmetric encryption (AES) with keys protected by asymmetric encryption (RSA), making decryption without the attacker's private key infeasible. Modern ransomware variants (LockBit, BlackCat/ALPHV, Royal, Akira) target both local drives and network shares, rename files with custom extensions, drop ransom notes in every directory, and delete Volume Shadow Copies before encryption begins. Detection of early encryption indicators is critical for stopping ransomware before significant data loss occurs.

Detection Approach:

• Monitor for mass file rename operations with new extensions in a short time window
• Detect Volume Shadow Copy deletion (vssadmin delete shadows, wmic shadowcopy delete)
• Watch for ransom note file creation across multiple directories simultaneously
• Alert on encryption-related process behavior: high file I/O with entropy changes
• Monitor for bcdedit commands disabling recovery mode

// Detect ransomware encryption indicators
union
(
    // Volume Shadow Copy deletion
    DeviceProcessEvents
    | where (FileName =~ "vssadmin.exe"
             and ProcessCommandLine has "delete shadows")
        or (FileName =~ "wmic.exe"
            and ProcessCommandLine has "shadowcopy delete")
        or (FileName =~ "bcdedit.exe"
            and ProcessCommandLine has_any
                ("recoveryenabled no", "bootstatuspolicy ignoreallfailures"))
    | project Timestamp, DeviceName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, AccountName
),
(
    // Mass file rename with suspicious extensions
    DeviceFileEvents
    | where ActionType == "FileRenamed"
    | where FileName endswith_cs ".locked" or FileName endswith_cs ".encrypted"
            or FileName endswith_cs ".enc" or FileName endswith_cs ".cry"
            or FileName endswith_cs ".ransom"
    | summarize RenameCount=count(),
                Extensions=make_set(tostring(split(FileName, ".")[-1]), 5)
        by DeviceName, InitiatingProcessFileName,
           bin(Timestamp, 1m)
    | where RenameCount > 50  // 50+ renames per minute
)
| sort by Timestamp desc