Logo
Sign in
  1. Logpoint Service Desk
  2. Products Hub
  3. Marketplace
default.png

Alert Rules

Alert Rules consist of alert packages, a dashboard package and Knowledge Base (KB) lists for analytics integrated into Logpoint. It provides a compliance and triage dashboard, enabling you to analyze trends and behaviors of entities and users within the organization and perform defensive gap assessment with MITRE ATT&CK. 

Release Details
Version: 5.4.17
Release date: Jan 1, 2025
Supported On: Logpoint 7.4.0 or later
Documentation: Alert Rules guide
SHA 256: ae3aa05b347dace06a17dc6793db7c4eb17c0134f83621fa9d98a35fb0ded965
Download 

 

 

 

 

 

 

 

 

 

Enhancements

Description Issue ID Reference ID

Added the following new Alert Rules:

  • LP_File Creation with RTLO Character for Filename Obfuscation
  • LP_RDP Extension File Dropped in Outlook Folder
  • LP_Suspicious AutoIt Execution
  • LP_Block Network Connections from EDR via WFP

For more details, see MITRE ATT&CK.

SR-171

 

 -

 

 

 

 

Updated query and description of the following Alert Rules:

  • LP_Empire PowerShell Launch Parameters
  • LP_Empire PowerShell UAC Bypass Detected
  • LP_Enabled User Right in AD to Control User Objects
  • LP_Eventlog Cleared Detected
  • LP_Executables Started in Suspicious Folder
  • LP_Execution in Non-Executable Folder Detected
  • LP_Execution in Outlook Temp Folder Detected
  • LP_Execution in Webserver Root Folder Detected
  • LP_Execution of Renamed PaExec Detected
  • LP_External Disk Drive or USB Storage Device Detected
  • LP_Firewall Disabled via Netsh Detected
  • LP_Formbook Process Creation Detected
  • LP_GAC DLL Loaded Via Office Applications Detected
  • LP_Grabbing Sensitive Hives via Reg Utility
  • LP_HH Execution Detected
  • LP_Hiding Files with Attrib Detected
  • LP_IIS Native-Code Module Command Line Installation
  • LP_In-memory PowerShell Detected
  • LP_Java Running with Remote Debugging
  • LP_Koadic Execution Detected
  • LP_LSASS Memory Dump Detected
  • LP_Lsass Memory Dump with MiniDumpWriteDump API Detected
  • LP_Malicious Service Installations Detected
  • LP_Meterpreter or Cobalt Strike Getsystem Service Start Detected
  • LP_PowerShell Encoded FromBase64String Detected
  • LP_Regsvr32 Anomalous Activity Detected
  • LP_Suspicious Binary Execution in User Directory
  • LP_Suspicious Child Process Spawned by Microsoft Office Product

  • LP_Suspicious Driver Loaded

  • LP_Suspicious File Execution via MSHTA
  • LP_Suspicious MSHTA Process Pattern
  • LP_Suspicious Rundll32 Activity Detected

Removed the following generic and redundant Alert Rules:

  • LP_Default Account privilege elevation followed by restoration of previous account state
  • LP_Default Excessive Blocked Connections
  • LP_Default Port Scan Detected
  • LP_Invocation of Active Directory Diagnostic Tool Detected
  • LP_Judgement Panda Exfil Activity
  • LP_Multiple Failed User Login Followed by Successful Login
  • LP_NTDS or SAM Database Copy Operation
  • LP_Suspicious Control Panel DLL Load Detected

Added the following Knowledge Base (KB) lists:

  • EDR_PROCESS 
  • SUSPICIOUS_DRIVER

Past Releases

Alert Rules v5.4.16

Release Date: October 16, 2024

Supported On: Logpoint 7.4.0 or later

SHA 256: c1c7caf7ed4956b62f0817cfc966d4c1b8d0a6f89d190fc1022028c6be900051

Download: Alert_Rules_5.4.16.pak

Enhancements

Description Issue ID Reference ID

Renamed the LP_Supsicious Usage of Csharp or Roslyn Csharp Interactive Console alert rule to LP_Suspicious Usage of Csharp or Roslyn Csharp Interactive Console. 

SR-52

 -

 

 

 

 

Updated query and description of the following Alert Rules:

  • LP_Bypass UAC via CMSTP Detected
  • LP_Capture a Network Trace with netsh
  • LP_Cmdkey Cached Credentials Recon Detected
  • LP_CMSTP Execution Detected
  • LP_CobaltStrike Process Injection Detected
  • LP_Copy from Admin Share Detected
  • LP_CreateMiniDump Hacktool Detected
  • LP_CreateRemoteThread API and LoadLibrary
  • LP_Credential Dump Tools Dropped Files Detected
  • LP_Default PowerSploit and Empire Schtasks Persistence
  • LP_Devtoolslauncher Executes Specified Binary
  • LP_DHCP Server Loaded the CallOut DLL
  • LP_Disable of ETW Trace
  • LP_DLL Load via LSASS Detected
  • LP_DNS ServerLevelPluginDll Install
  • LP_dotNET DLL Loaded Via Office Applications
  • LP_DPAPI Domain Backup Key Extraction Detected
  • LP_DPAPI Domain Master Key Backup Attempt
  • LP_Dridex Process Pattern Detected
  • LP_Network Connection to Suspicious Server
  • LP_Potential Webshell Activity Detected
  • LP_Remote Thread Creation via Cactustorch
  • LP_SecurityXploded Tool Detected
  • LP_Shadow Copy Deletion Using OS Utilities Detected
  • LP_smbexec Service Installation Detected
  • LP_Sticky Key Like Backdoor Usage Detected
  • LP_Successful Overpass the Hash Attempt
  • LP_Suspicious Call by Ordinal Detected
  • LP_Suspicious Certutil Command Detected
  • LP_Suspicious Code Page Switch Detected
  • LP_Suspicious Compression Tool Parameters
  • LP_Suspicious Control Panel DLL Load Detected
  • LP_Suspicious Csc Source File Folder Detected
  • LP_Suspicious Double Extension Detected
  • LP_Suspicious Driver Load from Temp
  • LP_Suspicious Eventlog Clear or Configuration Using Wevtutil Detected
  • LP_Suspicious Execution from Outlook
  • LP_Suspicious File Execution Using Wscript or Cscript
  • LP_Suspicious GUP Usage Detected
  • LP_Suspicious HWP Sub Processes Detected
  • LP_Suspicious Kerberos RC4 Ticket Encryption
  • LP_Suspicious Msiexec Usage Detected
  • LP_Suspicious Outbound Kerberos Connection
  • LP_Suspicious Outbound RDP Connections Detected
  • LP_Suspicious PowerShell Invocation Based on Parent Process
  • LP_Suspicious Process Start Locations Detected
  • LP_Suspicious Program Location with Network Connections
  • LP_Suspicious PsExec Execution Detected
  • LP_Suspicious RDP Redirect Using TSCON Detected
  • LP_Suspicious Remote Thread Created
  • LP_Suspicious RUN Key from Download Detected
  • LP_Suspicious Rundll32 Activity Detected
  • LP_Suspicious Scripting in a WMI Consumer
  • LP_Suspicious Svchost Process Detected
  • LP_Suspicious TSCON Start
  • LP_Suspicious Userinit Child Process
  • LP_Suspicious Windows ANONYMOUS LOGON Local Account Creation
  • LP_SysKey Registry Keys Access
  • LP_System File Execution Location Anomaly Detected
  • LP_Tap Driver Installation Detected
  • LP_Tasks Folder Evasion Detected
  • LP_Terminal Service Process Spawn Detected
  • LP_UAC Bypass via Event Viewer Detected
  • LP_Unsigned Image Loaded Into LSASS Process
  • LP_Usage of Sysinternals Tools Detected
  • LP_WCE wceaux dll Access Detected
  • LP_Wdigest Registry Modification
  • LP_Windows Command Line Execution with Suspicious URL and AppData Strings

Removed the following generic and redundant Alert Rules:

  • LP_Default Inbound Connection with Non-Whitelist Country
  • LP_Default Inbound RDP Connection
  • LP_Default Inbound SMB Connection
  • LP_Default Inbound SMTP Connection
  • LP_Default Inbound SSH Connection
  • LP_Default Outbound Connection with Non-Whitelist Country
  • LP_Default Outbound Traffic from Unusual Source
  • LP_Default Possible Network Performance Degradation Detected
  • LP_Default Possible Spamming Zombie
  • LP_MsiExec Web Install Detected
  • LP_Possible Botnet Connection-IRC Port
  • LP_Possible Botnet Connection-Outbound DDOS
  • LP_Possible Botnet Connection-Outbound Spam
  • LP_Possible GootKit WScript Execution
  • LP_Possible JSP Webshell Detected
  • LP_Remote File Execution via MSIEXEC
  • LP_Suspect Svchost Activity Detected
  • LP_Suspicious In-Memory Module Execution Detected
  • LP_Suspicious MsiExec Directory Detected
  • LP_Suspicious Use of CSharp Interactive Console Detected
  • LP_WScript or CScript Dropper Detected

Alert Rules v5.4.15

Release Date: September 11, 2024

Supported On: Logpoint 7.4.0 or later

SHA 256:  73ac489b3cd4b45299e3ac1a1d23147c083c0019324d1d0c76d3829e58299aa0

Download: Alert_Rules_5.4.15.pak

Enhancements

Description Issue ID Reference ID

Added the following new Alert Rules: 

  • LP_Certify Tool Execution for AD CS Abuse
  • LP_Certipy Tool Execution for AD CS Abuse
  • LP_CVE-2024-38112 Exploitation Detected

For more details, see MITRE ATT&CK.

SR-33

 -

 

 

 

 

Updated query and description of the following Alert Rules:

  • LP_Active Directory DLLs Loaded By Office Applications
  • LP_Active Directory Module Load in PowerShell
  • LP_Activity Related to NTDS Domain Hash Retrieval
  • LP_BCDEdit Safe Mode Command Execution
  • LP_Credential Access via LaZagne
  • LP_DCSync detected
  • LP_Executable Files Created and Executed by Office Applications
  • LP_Impacket PsExec Execution
  • LP_Microsoft Defender AMSI Trigger
  • LP_Microsoft Defender Disabling Attempt via PowerShell
  • LP_Ngrok RDP Tunnel Detected
  • LP_Office Security Settings Changed
  • LP_Possible Access to ADMIN Share
  • LP_Possible Active Directory Enumeration via AD Module
  • LP_Possible GootKit WScript Execution
  • LP_Possible Kerberoasting via Rubeus
  • LP_PowerShell ADRecon Execution
  • LP_Proxy Execution via Explorer
  • LP_RClone Utility Execution
  • LP_RDP Connection Inititated from Domain Controller
  • LP_Remote File Execution via MSIEXEC
  • LP_Stealthy VSTO Persistence
  • LP_Suspect Svchost Memory Access
  • LP_Suspicious CSharp or FSharp Interactive Console Execution
  • LP_Suspicious File Deletion Detected
  • LP_Suspicious InstallUtil Execution
  • LP_Suspicious Microsoft Equation Editor Child Process
  • LP_Suspicious PowerShell Parameter Substring Detected
  • LP_Suspicious Process Execution via Pester Detected
  • LP_Suspicious process spawned by FTP
  • LP_Suspicious Root Certificate installation Detected
  • LP_Suspicious Scheduled Task Creation
  • LP_Suspicious Scheduled Task Creation via Masqueraded XML File
  • LP_Suspicious Shells Spawn by SQL Server
  • LP_Suspicious Sysmon Driver Unload Detected
  • LP_Suspicious VMToolsd Child Process
  • LP_Suspicious WMIC Child Process
  • LP_Suspicious WMIC XSL Script Execution
  • LP_Suspicious WMPRVSE Child Process
  • LP_UAC Bypass via SDCLT
  • LP_UltraVNC Execution via Command Line
  • LP_VBA DLL Loaded by Office
  • LP_Weak Encryption Enabled for User
  • LP_Windows Crash Dump Disabled
  • LP_Windows Error Process Masquerading
  • LP_Windows Logon Reminder Usage as Launcher
  • LP_Windows User Account Created via Command Line
  • LP_WMI DLL Loaded by Office
  • LP_WMI Modules Loaded by Suspicious Process

Removed the following generic and redundant Alert Rules:

  • LP_HermeticWiper Driver Load
  • LP_Microsoft ActiveX Control Code Execution Vulnerability Detected
  • LP_Microsoft DotNET Framework Remote Code Execution Detected

Alert Rules v5.4.14

Release Date: July 17, 2024

Supported On: Logpoint 7.4.0 or later

SHA 256: 45a4e6ddf981b6058f25ba018cf5303e271e390c30e307850d6ba20860887b63 

Download: Alert_Rules_5.4.14.pak

Enhancements

Description Issue ID Reference ID

Added a new Alert Rule - LP_Behavior Related to Named Pipe Impersonation to detect suspicious events such as creating a named pipe or creating a service with a named pipe. 

 

For more details, see MITRE ATT&CK.

KB-25063

 -

 

 

 

 

Updated query and description of the following Alert Rules:

  • LP_Active Directory Enumeration via ADFind
  • LP_Change of Default File Association Detected
  • LP_Clearing of PowerShell Logs Detected
  • LP_Command Obfuscation via Character Insertion
  • LP_Command Obfuscation via Environment Variable Concatenation Reassembly
  • LP_Credential Access via Input Prompt Detected
  • LP_Disabling of UAC Detected
  • LP_Discovery via PowerSploit Recon Module
  • LP_Elevated Command Prompt Activity by Non-Admin User Detected
  • LP_Encoded PowerShell Command Detected
  • LP_Execution via Control Panel Items
  • LP_Execution via HTA using IE JavaScript Engine Detected
  • LP_Execution via Windows Scripting Host Component Detected
  • LP_File Creation by PowerShell Detected
  • LP_High Severity EPP Alert
  • LP_Host Generating Multiple High Severity EPP Alert
  • LP_Host Generating Multiple Medium Severity EPP Alert
  • LP_Local Account Creation on Workstation Detected
  • LP_Macro file Creation Detected
  • LP_Medium Severity EPP Alert 
  • LP_Microsoft Build Engine Loading Credential Libraries
  • LP_MsiExec Web Install Detected
  • LP_MSTSC Shadowing Detected
  • LP_Named Pipe added to Null Session Detected
  • LP_Narrators Feedback-Hub Persistence Detected
  • LP_NetNTLM Downgrade Attack Detected
  • LP_Non Interactive PowerShell Execution
  • LP_NoPowerShell Tool Activity Detected
  • LP_NotPetya Ransomware Activity Detected
  • LP_Password Dumper Activity on LSASS
  • LP_Password Dumper Remote Thread in LSASS
  • LP_Password Spraying Attack Detected
  • LP_Persistence and Execution at Scale via GPO Scheduled Task
  • LP_Possible Applocker Bypass Detected
  • LP_Possible CLR DLL Loaded Via Office Applications
  • LP_Possible Empire Monkey Detected
  • LP_PowerShell Execution Policy Modification Detected
  • LP_PowerShell Profile Modification
  • LP_PowerShell Version Downgrade Detected
  • LP_Process Execution from Suspicious Location
  • LP_Safe DLL Search Mode Disabled
  • LP_Stealthy Scheduled Task Creation via VBA Macro Detected
  • LP_Suspicious Taskkill Activity
  • LP_Sysmon Configuration Modification Detected
  • LP_Sysmon Error Event Detected
  • LP_Unsigned Driver Loading Detected

Renamed and updated query of the following Alert Rules:

Previously Used Alert Rule Name Renamed Alert Rule
LP_BlueMashroom DLL Load Detected LP_BlueMushroom DLL Load Detected

LP_Possible Credential Dump-Tools Named Pipes Detected

 LP_Credential Dumping Tools Named Pipes Detected

LP_Suspicious Typical Malware Back Connect Ports Detected

LP_Potential Suspicious Malware Callback Communication

 

Removed the following generic and redundant Alert Rules:

  • LP_Execution via Squiblydoo Technique Detected
  • LP_Firewall Configuration Modification Detected
  • LP_Kerberoasting via PowerShell Detected
  • LP_Microsoft Office Memory Corruption Vulnerability CVE-2015-1641 Detected
  • LP_Microsoft Office Memory Corruption Vulnerability CVE-2017-0199 Detected
  • LP_Netsh RDP Port Forwarding Detected
  • LP_Suspicious DLL or VBS Files being created in ProgramData
  • LP_Suspicious WMIC Process Creation
  • LP_Windows CryptoAPI Spoofing Vulnerability Detected
  • LP_Windows Login Attempt on Disabled Account
  • LP_Windows Suspicious Creation of User Accounts
  • LP_WMI Spawning Windows Shell
  • LP_WMIExec VBS Script Detected
  • LP_Wmiprvse Spawning Process

Alert Rules v5.4.13

Release Date: May 17, 2024

Supported On: Logpoint 7.4.0 or later

SHA 256: a12721678017b38858ac6720e0b5ef09c63375798f13ec81f9ae8ebdd6e72f87

Download: Alert_Rules_5.4.13.pak

Enhancements

Description Issue ID Reference ID

Added the following new Alert Rules: 

  • LP_Outlook Security Settings Change
  • LP_Chrome Addition of VPN Extension

For more details, see MITRE ATT&CK.

KB-24605, KB-24012, KB-24567, KB-24603, KB-23839, KB-24555

 -

 

 

 

 

Updated query and description of the following Alert Rules:

  • LP_Active Directory Enumeration via ADFind
  • LP_Alternate PowerShell Hosts via Powershell Module
  • LP_Clearing of PowerShell Logs Detected
  • LP_Copying Sensitive Files with Credential Data
  • LP_Direct Autorun Keys Modification Detected
  • LP_Execution via Squiblydoo Technique Detected
  • LP_File or Folder Permissions Modifications
  • LP_Grabbing Sensitive Hives via Reg Utility
  • LP_Impacket PsExec Execution
  • LP_Macro file Creation Detected
  • LP_Malicious PowerShell Commandlets Detected
  • LP_Meterpreter or Cobalt Strike Getsystem Service Start Detected
  • LP_Microsoft Defender Disabling Attempt via PowerShell
  • LP_Password Spraying Attack Detected
  • LP_Possible Modification of Boot Configuration
  • LP_PowerView PowerShell Commandlets
  • LP_PsExec Tool Execution Detected
  • LP_RClone Utility Execution
  • LP_Rubeus Hack Tool Detected
  • LP_Rundll32 Internet Connection Detected
  • LP_Shadow Copy Deletion Using OS Utilities Detected
  • LP_Suspicious Binary Execution in User Directory
  • LP_Suspicious Call by Ordinal Detected
  • LP_Suspicious Certutil Command Detected
  • LP_Suspicious Child Process Spawned by Microsoft Office Product
  • LP_Suspicious Compression Tool Parameters
  • LP_Suspicious Execution of LNK File
  • LP_Suspicious File Execution via MSHTA
  • LP_Suspicious File Extraction via Expand Detected
  • LP_Suspicious MSHTA Process Pattern
  • LP_Suspicious Msiexec Usage Detected
  • LP_Suspicious PowerShell Invocation Based on Parent Process
  • LP_Suspicious PowerShell Parameter Substring Detected
  • LP_Suspicious Rundll32 Activity Detected
  • LP_Suspicious Service Path Modification Detected
  • LP_Suspicious Svchost Process Detected
  • LP_Suspicious Usage of Advanced IP Scanner
  • LP_Suspicious WMI Execution Detected
  • LP_Suspicious WMPRVSE Child Process
  • LP_System File Execution Location Anomaly Detected
  • LP_Transfering Files with Credential Data via Network Shares
  • LP_Usage of Web Request Command
  • LP_Windows Defender Antivirus Definitions Removal Detected
  • LP_Windows User Account Created via Command Line

Renamed and updated query of the following Alert Rules:

Previously Used Alert Rule Name Renamed Alert Rule

LP_Disable of ETW Trace Detected 

 LP_Disable of ETW Trace

LP_Discovery via PowerSploit Recon Module Detected 

 LP_Discovery via PowerSploit Recon Module
LP_Encoded IEX Detected LP_Execution of Base64 Encoded Command Using IEX
LP_Fsutil Suspicious Invocation Detected LP_Suspicious Fsutil Invocation
LP_High Number of Service Stop or Task Kill in Short Span LP_High Number of Process Termination
LP_Malicious Base64 Encoded PowerShell Keywords in Command Lines Detected LP_Suspicious Base64 Encoded PowerShell Command
LP_Ngrok Execution LP_Usage of Ngrok Utility Detected
LP_Possible Bitsadmin Download Detected LP_File Download via Bitsadmin Detected
LP_Possible Reconnaissance Activity LP_Reconnaissance using Windows Binaries Detected
LP_PowerShell Script Run in AppData Detected LP_PowerShell Script Execution from Suspicious Location

 

Removed the following generic and redundant Alert Rules:

  • LP_FromBase64String Command Line Detected
  • LP_Microsoft Build Engine started by Office
  • LP_Suspicious Commandline Escape Detected
  • LP_Suspicious File or Directory Permission Modification
  • LP_Suspicious Msiexec Child Process
  • LP_Svchost DLL Search Order Hijack Detected

Added CHROME_VPN_EXTENSIONS Knowledge Base (KB) list to search for logs associated with the LP_Chrome Addition of VPN Extension alert rule. 

Alert Rules v5.4.12

Release Date: April 25, 2024

Supported On: Logpoint 6.7.0 or later

SHA 256: 52f7b2a75708df2a33d48c4bb1187fa5fef8b659d475f49d3c9613f66a46e16b

Download: Alert_Rules_5.4.12.pak

Enhancements

Description Issue ID Reference ID

Added the following new Alert Rules:

  • LP_Application uninstall via WMIC
  • LP_Installed Software Updates Reconnaissance through WMI
  • LP_Local Users Reconnaissance through WMI
  • LP_Process Created through WMI
  • LP_Process Reconnaissance through WMI
  • LP_Suspicious Certutil Command Detected
  • LP_Suspicious Msiexec Child Process
  • LP_System Service Reconnaissance through WMI
  • LP_Terminal Service Configuration Modified
  • LP_Unsigned DLLs loaded by RunDLL32 or RegSvr32

For more details, see MITRE ATT&CK.

 KB-24224 -

Updated query and description of the following Alert Rules:

  • LP_Autorun Keys Modification Detected 
  • LP_PowerShell Version Downgrade Detected
  • LP_Network Share Discovery
  • LP_Suspicious Rundll32 Activity Detected
  • LP_Suspicious WMI Execution Detected 
  • LP_Windows Defender Exclusion Set Detected

Alert Rules v5.4.11

Release Date: February 05, 2024

Supported On: Logpoint 6.7.0 or later

SHA 256: c3d47edbdf2be48d28e27ac180271ca8d09b24a7adb777d4b610ea4a5d502766

Download: Alert_Rules_5.4.11.pak

Enhancements

Description Issue ID Reference ID

Updated query and description of the following Alert Rules:

  • LP_Active Directory Database Dump Attempt
  • LP_Active Directory Replication User Backdoor
  • LP_AD Object WriteDAC Access Detected
  • LP_AD Privileged Users or Groups Reconnaissance Detected
  • LP_Addition of SID History to Active Directory Object
  • LP_AppCert DLLs Detected
  • LP_AppInit DLLs Detected
  • LP_Application Whitelisting Bypass via Dnx Detected
  • LP_Application Whitelisting Bypass via Dxcap Detected
  • LP_Audio Capture Detected
  • LP_Authentication Package Detected
  • LP_Bloodhound and Sharphound Hack Tool Detected
  • LP_Bypass User Account Control using Registry
  • LP_Clipboard Data Access Detected
  • LP_Control Panel Items - Registry Detected
  • LP_Copying Sensitive Files with Credential Data
  • LP_Credential Access via LaZagne
  • LP_Credential Dump Tools Dropped Files Detected
  • LP_DPAPI Domain Backup Key Extraction Detected
  • LP_DPAPI Domain Master Key Backup Attempt
  • LP_HandleKatz Duplicating LSASS Handle
  • LP_Hidden Files and Directories Detected
  • LP_Install Root Certificate
  • LP_LSASS Access from Non System Account Detected
  • LP_LSASS Memory Dump Detected
  • LP_LSASS Memory Dump File Creation
  • LP_Lsass Memory Dump with MiniDumpWriteDump API Detected
  • LP_Memory Dump via Adplus
  • LP_Mimikatz Command Line Detected
  • LP_Network Share Connection Removed
  • LP_Password Dumper Activity on LSASS
  • LP_Password Dumper Remote Thread in LSASS
  • LP_Possible Impacket SecretDump Remote Activity
  • LP_Possible Modification of Boot Configuration
  • LP_Possible Privilege Escalation via Weak Service Permissions
  • LP_Possible Process Hollowing Image Loading
  • LP_Possible SPN Enumeration Detected
  • LP_Possible SquiblyTwo Detected
  • LP_Possible Taskmgr run as LOCAL_SYSTEM Detected
  • LP_PowerShell Base64 Encoded Shellcode Detected
  • LP_PowerShell Rundll32 Remote Thread Creation Detected
  • LP_PowerShell Script Run in AppData Detected
  • LP_Process Dump via Resource Leak Diagnostic Tool
  • LP_Process Dump via Rundll32 and Comsvcs
  • LP_Process Dump via Sqldumper Detected
  • LP_Protected Storage Service Access Detected
  • LP_RDP Login from Localhost Detected
  • LP_Register new Logon Process by Rubeus
  • LP_Registry Enumeration for credentials Detected
  • LP_Regsvr32 Anomalous Activity Detected
  • LP_Renamed Binary Detected
  • LP_Renamed PsExec Detected
  • LP_Rubeus Hack Tool Detected
  • LP_Run PowerShell Script from ADS Detected
  • LP_Rundll32 Internet Connection Detected
  • LP_SCM Database Handle Failure Detected
  • LP_SCM Database Privileged Operation Detected
  • LP_Security Software Discovery Process Detected
  • LP_Shadow Copy Deletion Using OS Utilities Detected
  • LP_Suspicious Execution of Dump64
  • LP_Suspicious Named Pipes Detected
  • LP_Suspicious Rundll32 Activity Detected
  • LP_System Service Discovery
  • LP_Transfering Files with Credential Data via Network Shares
  • LP_Usage of Procdump Detected
  • LP_Usage of Procdump Detected
  • LP_WCE wceaux dll Access Detected
  • LP_Windows Processes Suspicious Parent Directory Detected
  • LP_Windows Registry Persistence COM Key Linking Detected
  • LP_Windows Shell Spawning Suspicious Program
  • LP_Windows Webshell Creation Detected
  • LP_Winlogon Helper DLL
  • LP_WMI Persistence - Script Event Consumer Detected
  • LP_WMI Persistence - Script Event Consumer File Write
  • LP_Wmiprvse Spawning Process
  • LP_WScript or CScript Dropper Detected
  • LP_XSL Script Processing Detected
  • LP_ZOHO Dctask64 Process Injection Detected
 KB-23597  -

Renamed the LP_Possible Impacket Lateralization Detected alert rule to LP_Possible Impacket Lateral Movement Detected. 

Removed the following generic and redundant Alert Rules:

  • LP_Application Whitelisting Bypass via Bginfo Detected
  • LP_Credential Access via Pypykatz
  • LP_Credential Dumping - Process Access
  • LP_Credential Dumping - Process Creation
  • LP_Credential Dumping - Registry
  • LP_Credential Dumping - Registry Save
  • LP_Credential Dumping Using Procdump Detected
  • LP_Credentials Dumping Tools Accessing LSASS Memory
  • LP_GhostWriter IoC Detected
  • LP_HermeticWiper IoC Hashes Detected
  • LP_IsaacWiper IoC Hashes Detected
  • LP_LSASS Memory Dumping Detected
  • LP_LSASS Process Access by Mimikatz
  • LP_Possible Executable Used by PlugX in Uncommon Location
  • LP_SAM Registry Hive Dump via Reg Utility
  • LP_Signed Binary Proxy Execution - Network Detected
  • LP_Signed Binary Proxy Execution - Process Detected
  • LP_Suspicious Certutil Command Detected
  • LP_Suspicious DLL Added to AppInit DLL Registry
  • LP_WhisperGate IoC Hashes Detected
  • LP_Windows Credential Editor Detected

Removed the following Knowledge Base (KB) lists that are associated with the removed Alert Rules:

  • WHISPERGATE_HASHES
  • ISAAC_WIPER_HASHES
  • GHOSTWRITER_DOMAINS
  • HERMETIC_WIPER_HASHES

Alert Rules v5.4.10

Release Date: December 22, 2023

Supported On: Logpoint 6.7.0 or later

Download: Alert_Rules_5.4.10.pak

SHA256: 0ff96dee2914911154506129146a395217fa7173ae89655218fee7f810d2cb19

Enhancements

Description Issue ID Reference ID

Added the following new generic Alert Rules for endpoint protection platforms like CrowdStrike and Microsoft Defender for Endpoint that generate high or medium severity alerts: 

  • LP_High Severity EPP Alert
  • LP_Medium Severity EPP Alert
  • LP_Host Generating Multiple High Severity EPP Alert
  • LP_Host Generating Multiple Medium Severity EPP Alert

For more details, go to MITRE ATT&CK.

KB-22909

 -

 

 

 

 

Removed the LP_Service Stop Detected alert rule which is no longer relevant.

KB-23165

-

 

Support

If you have any questions or require assistance, create a support ticket.

Comments

Please sign in to leave a comment.

Follow

Related articles

  • Evaluation Process Plugin
  • JSON Parser
  • Cisco
  • NXLog Enterprise
  • CrowdStrike
Privacy policy    EULA    Terms of service   
Copyright © , Logpoint. All rights reserved.

Note: We use cookies that are essential for the smooth functioning of our website.