Correlation Rule Library

This repository contains a comprehensive set of rules designed to enhance your organization's security by detecting various types of suspicious activities and potential threats. Each rule is categorized for ease of navigation and to facilitate a structured approach to threat detection. By leveraging the rules in this library, you can significantly improve your ability to detect and respond to security incidents, ensuring more robust defenses against a wide range of cyberthreats.

Attacker Tool

These rules detect the presence and usage of known attacker tools.

WinPeas Detection MimiKatz Detection SharpShares Detection BadPotato Detection Bloodhound Detection SharpView Detection SafetyKatz Detection SharPersist Detection SharpZeroLogon Detection SharpDump Detection SafetyDump Detection VulnRecon Detection PrintSpoofer Detection SharpHound Detection SharpUp Detection SprayKatz Detection Metasploit Detection Hashcat Detection Petitpotam Detection Rubeus Detection Crackmapexec Detection SweetPotato Detection John The Ripper Kerbrute Detection Hydra Detection

Suspicious Process

These rules identify suspicious processes that may indicate malicious activity.

Spoolsv Spawning Rundll32 Excessive Attempt To Disable Services Excessive Usage Of Taskkill Office Product Spawning MSHTA Windows Masquerading Explorer As Child Process Wsmprovhost LOLBAS Execution Process Spawn Ryuk Wake on LAN Command Add or Set Windows Defender Exclusion Powershell Disable Security Monitoring

Suspicious Parent Process

These rules detect suspicious parent-child process relationships to identify potential attacks.

Suspicious parent spawning autochk Suspicious parent spawning fontdrvhost Suspicious parent spawning dwm Suspicious parent spawning Consent Suspicious parent spawning tiworker Suspicious parent spawning runtimebroker Suspicious parent spawning searchindexer Suspicious parent spawning searchprotocolhost Suspicious parent spawning dllhost Suspicious parent spawning smss Suspicious parent spawning csrss Suspicious parent spawning wininit Suspicious parent spawning winlogon Suspicious parent spawning lsass Suspicious Parent Spawning lsaIso Suspicious parent spawning LogonUI Suspicious parent spawning services Suspicious parent spawning svchost Suspicious parent spawning spoolsv Suspicious parent spawning taskhost

Suspicious Child Process

These rules identify suspicious child processes spawned from specific parent processes to detect potential malware.

SearchProtocolHost Spawning Suspicious Child taskhost Spawning Suspicious Child csrss Spawning Suspicious Child autochk Spawning Suspicious Child smss Spawning Suspicious Child wermgr Spawning Suspicious Child conhost spawning suspicious Child Excel Spawning Windows Script Host Office Product Spawning Windows Script Host

Living Off The Land Attack

These rules detect unusual use of system tools like PowerShell and WMI to identify hidden attacks.

Local privileged account group modification Credential theft using Procdump or comsvcs Suspicious Encoded PowerShell Command Line Suspicious execution of CertOC Suspicious file creation with Colorcpl Suspicious execution of ConfigSecurityPolicy Suspicious Certreq command to Download or Upload Volume Shadow Copy deleted using VSSADMIN or wmic Bypass UAC via CMSTP Bypassing Security controls Suspicious Certutil Command
Home »

Awards & recognition

ManageEngine named in 2024 Gartner MQ for SIEM Gartner Peer Insights Customers' choice for SIEM

Features

Support

Secure your IT infrastructure with a cloud SIEM solution

Solutions by industry

Related solutions

One-stop solution to all Log Management and Active Directory Auditing

Free Trial Get Quote
Email Download Link