Definitions
Behavior Tagging
BAS/CS™ behavior tagging provides broad behavioral groupings to categorize the types of events sensors may generate. This method of event tagging allows for flexibility in sensor capability selection. Vendor proprietary event analytics are mapped to a BAS/CS™ Event (BE) tag, standardizing how correlative analytics can be performed across diverse sensor event data. There are two main BE categories: Host and Network events.
Host Events
Host events focus on the events that would be generated from within a host.
| BE ID | BE Name | BE Description |
|---|---|---|
| ACC01 | Pass the Hash Attempt | NTLM or LM login attempt (a login type exposed to pass-the-hash (PtH) abuse) |
| ACC02 | Remote Login Attempt | Authenticated remote login attempt (RDP, ssh, etc.) |
| ACC03 | Successful Remote Login | Successful remote login (RDP, ssh, etc.) |
| ACC04 | Admin Share Access | Modification of admin share settings |
| ACC05 | New Service | A new service was installed |
| ACC06 | Scheduled Task | A scheduled task was created |
| ACC07 | User Created | A new user account was created |
| ACC08 | User Added to Security Global Group | A member was added to a security-enabled global group |
| ACC09 | User Added to Security Local Group | A member was added to a security-enabled local group |
| ACC10 | Local Group Change | A security-enabled local group was changed |
| ACC11 | Explicit Login Attempt | New login attempt with explicit credentials |
| ACC12 | Failed Login Attempt | Unsuccessful login attempt |
| ACC13 | New Login | New logon session created |
| ACC14 | File Share Write | Suspicious write or append to a common file share (SYSVOL or other) |

| BE ID | BE Name | BE Description |
|---|---|---|
| FIL01 | New File | A new file was detected in a monitored file system |
| FIL02 | File Deletion | A file was deleted from a monitored file system |

| BE ID | BE Name | BE Description |
|---|---|---|
| LOG01 | Significant Timestamp Difference | Significant timestamp difference in log |
| LOG02 | Decrease in Logging | Significant decrease in logging has been observed |

| BE ID | BE Name | BE Description |
|---|---|---|
| PRO01 | Process Change | A process has been created or changed |
| PRO02 | Application Control Policy Block | Application control policies blocked an installer or script from executing (AppLocker or other) |
| PRO03 | New Command/Scripting Interpreter or Exploitation | A new command/scripting interpreter or exploitation was detected |
| PRO04 | Suspicious Use of System Process | Suspicious use of a system process |
| PRO05 | Process | A process was stopped |
| PRO06 | Driver Loaded | New kernel driver loaded |
| PRO07 | Potential | Process injection potentially detected |
| PRO08 | WMI Event Detected | A Windows Management Instrumentation (WMI) event filter or consumer activity has been detected |
| PRO09 | Security Audit Logs Cleared | The security audit logs have been cleared |
| PRO10 | System Logs Cleared | System logs have been cleared |
| PRO11 | Event Logging Stopped | Event logging service has stopped |
| PRO12 | Outgoing Connection from Suspicious Process | Suspicious process connection detected |
| PRO13 | Remote | Suspicious remote process execution was detected |
| PRO14 | Remote Management Executed Suspicious Commands | Suspicious remote process command execution was detected |
| PRO15 | Remote Service Management | Service control was used to create, modify, or start services on a remote host |
| PRO16 | Named Pipe | A named pipe has been created or connected to |

| BE ID | BE Name | BE Description |
|---|---|---|
| USB01 | USB Peripheral Connected | A USB peripheral device has been connected |
| USB02 | USB Peripheral Removed | A USB peripheral device has been removed |
| USB03 | USB Storage Connected | A USB storage device has been connected |
| USB04 | USB Storage Removed | A USB storage device has been removed |
Network Events
Network events focus on events generated from network communications.
| BE ID | BE Name | BE Description |
|---|---|---|
| IDS01 | Network Conversation Anomaly | A change in the normal conversations between nodes was observed |
| IDS02 | New Node | A new network node has been established |
| IDS03 | New Logical Link | A link (communication channel) has been established |
| IDS04 | OT Write Command | A control system protocol write command was observed |
| IDS05 | OT Read Command | A control system protocol read command was observed |
| IDS06 | Function Code Anomaly | An unusual or new function code was observed |
| IDS07 | Protocol Anomaly | Improper or unusual use of a network protocol was observed |
| IDS08 | Configuration Change | A change to firmware, logic, or software program has occurred |
| IDS09 | Hardware Change | Change to serial number, I/O hardware, etc. |
| IDS10 | Network Interface Change | A change to a MAC or IP address has occurred |
| IDS11 | External Conversation | A conversation with a node outside of control system network boundary has occurred |
| IDS12 | Network Scanning | Asset or port scanning was observed |
| IDS13 | System Elements Not Synchronized | A message with an anomalous time stamp was observed |
| IDS14 | Device State Change | A mode change or reboot has occurred |
| IDS15 | Signature Based Alerts | A signature-based alert has been generated |
| IDS16 | Process Variable Anomaly | A process variable outside normal or expected ranges was observed |

| BE ID | BE Name | BE Description |
|---|---|---|
| NET01 | Link Traffic Increase | An unexpected increase in traffic has occurred |
| NET02 | Link Traffic Decrease | An unexpected decrease in traffic has occurred |
| NET03 | Link Loss | A communication link has dropped or been lost |
| NET04 | Stale Node | A node has stopped communicating |
| NET05 | Network Scanning | Asset or port scanning has occurred |
| NET06 | Network Interface Change | A change to a MAC or IP address has occurred |
Correlation Rules
BAS/CS™ Alerts are defined as collections of correlated BEs. Each BAS/CS™ Correlation Rule consists of an alert logic statement that expresses the logical relationship between BEs using AND (&&) and OR (||) operators. Each logical expression is used to query the BE data in a SIEM; if the expression evaluates to TRUE for the given time range and aggregation field (typically the event source hostname), an alert is raised.
| Alert ID | Alert Name | Alert Description | Alert Logic |
|---|---|---|---|
| BAS.2.1 | Unusual Account Activity | A new shell process has been created or AppLocker has warned against the execution of a script or installer (.msi) file. A user may be attempting to execute malicious commands, scripts, or binaries. | PRO02 || PRO03 |
| BAS.2.2 | Unusual Account Activity (Potential Privilege Escalation) | One or more suspicious actions have been identified: installing a new Windows service, creating a scheduled task, creating a new user, adding a member to a security-enabled group, or modifying a security-enabled group. This may indicate a user is attempting to gain elevated privileges. | ACC05 || ACC06 || ACC07 || ACC08 || ACC09 || ACC10 |
| BAS.2.3 | Unusual Account Activity (Potential Privilege Escalation) (Enriched) | One or more suspicious actions have been identified: installing a new Windows service, creating a scheduled task, creating a new user, adding a member to a security-enabled group, or modifying a security-enabled group. Additionally, a user has attempted to log on using explicit credentials. This may indicate a user is attempting to gain elevated privileges and may have scheduled a task or used the "RUNAS" command. | (ACC05 || ACC06 || ACC07 || ACC08 || ACC09 || ACC10) && ACC11 |
| BAS.3 | Unusual Process Detected | A process has been detected that is not within the list of known, expected processes. An adversary may be executing malicious code on the system. | PRO01 |
| BAS.4.1 | Suspicious Process Termination | A process has been terminated that is not within the list of known, expected processes. | PRO05 |
| BAS.4.2 | Suspicious Process Termination with File Deletion | A process has been terminated that is not within the list of expected processes and one or more file deletions have occurred. | PRO05 && FIL02 |
| BAS.5 | Irregular Audit Log Event | One or more audit logs have been cleared or stopped, or contain significant timestamp differences. An attacker may be attempting to evade detection. | LOG01 || PRO09 || PRO10 || PRO11 |
| BAS.6 | Suspicious Kernel Driver Installed | A suspicious kernel driver has been installed. | PRO06 |
| BAS.7 | Network Enumeration Activity | A device is perceived to be communicating with other devices in an attempt to enumerate details about the endpoint devices. | IDS12 || NET05 || ((IDS02 || IDS03) && IDS05) |
| BAS.8.1 | Unexpected OT Command Activity | Unexpected behavior of an HMI, OPC, or control server affecting control equipment. The HMI or OPC is not updating after an operator made changes to instructions, commands, or alarm thresholds, or expected changes are not appearing on control equipment. | (IDS04 || IDS06 || IDS07) && (NET03 || IDS13 || IDS14 || IDS16) |
| BAS.9 | Loss of Communication | One or more devices on your network are no longer communicating. A denial-of-service attack may be affecting devices in order to mask an attacker's activities. | NET03 || NET04 |
| BAS.11 | Unusual Control System Traffic | An unusual Internet protocol (IP) address or an unusual port, protocol, or service (from a known IP address) is attempting to communicate with the control system. | (IDS02 || IDS03 || NET01) && (IDS04 || IDS05 || IDS06 || IDS07) |
| BAS.20 | Remote OT Command Activity | A remote connection has been established to a device on the control system network. This connection is engaging in OT command and control activity, attempting to impact the physical control system. | ACC03 && IDS11 && (IDS04 || IDS06 || IDS07 || IDS08 || IDS10) |
| BAS.24 | Unusually High Network Traffic | The network is experiencing higher-than-usual traffic. This may be due to network scanning or a denial-of-service attack aimed at disrupting operations. | NET01 && (PRO01 || PRO04 || PRO07) |
| BAS.25 | Unusual Decrease in Network Traffic | The normal flow of control traffic appears slower or sluggish, or there is less traffic than normal (for example, polling cycles not executing). | NET02 && (PRO01 || PRO04 || PRO07) |
| BAS.26 | Unexpected Connection to External or Unknown IPs | A control system field controller is communicating with an unknown asset. | (IDS02 && IDS03) || IDS11 |
| BAS.27 | Potential Lateral Movement | Recent remote login attempts or other suspicious network activity have been detected. An unexpected process has also been identified. An attacker may be conducting lateral movement on the network. | (PRO01 || PRO07) && (ACC01 || ACC02 || ACC03 || ACC04 || PRO15 || IDS01) |
| BAS.28.1 | Potentially Malicious Command & Control Activity | File creation, suspicious process, and network events have been identified. This may indicate that an attacker is attempting to establish command and control using a malicious process. | PRO01 && FIL01 && (IDS02 || IDS03 || IDS11) |
| BAS.28.2 | Potentially Malicious Command & Control Activity (Shell Activity) | Signs of shell activity have been detected and changes have been made to your network. An attacker may be attempting to establish a command and control presence. | (PRO03 || PRO04) && (IDS02 || IDS03 || IDS11) |
| BAS.28.3 | Potentially Malicious Command & Control Activity (Process Injection Focused) | Signs of process injection have been detected and changes have been made to your network. An attacker may be attempting to establish a command and control presence. | (PRO07 || PRO16) && (IDS02 || IDS03 || IDS11) |
| BAS.31 | Potentially Malicious Privilege Escalation Activity | A new user has been created and a user has been added to a global security-enabled group. This may indicate a privilege escalation attempt. | ACC07 && ACC09 && (ACC01 || ACC02 || ACC03 || ACC04) |
| BAS.36 | Malicious Network Behavior Signature | A signature-based detection has been triggered from a network intrusion detection system. A signature-based detection is very likely indicating malicious behavior within the network. | IDS15 |
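The following is an added example, not code from the BAS/CS™ project, showing the two mechanisms described above end to end: vendor events are mapped to BE tags, and each Correlation Rule's alert logic (taken verbatim from the table) is parsed and evaluated per hostname over a sliding time window. The vendor-to-BE mapping, the sensor source names, the hostnames, the events and the 10-minute window are all constructed for the example; the Windows event ID pairings are this example's assumption, not a mapping the page provides.

```python
"""Evaluate BAS/CS-style alert logic over BE-tagged events (added example)."""
import re
from datetime import datetime, timedelta

# Assumed vendor-event -> BE tag mapping. Source names are constructed; the
# Windows event ID assignments are this example's assumption, not the page's.
VENDOR_TO_BE = {
    ("winlog", "4698"): "ACC06",            # scheduled task created
    ("winlog", "4720"): "ACC07",            # user account created
    ("winlog", "4648"): "ACC11",            # logon with explicit credentials
    ("edr", "process_create"): "PRO01",     # process created/changed
    ("fim", "file_created"): "FIL01",       # new file in monitored path
    ("ids", "new_node"): "IDS02",           # new network node
    ("ids", "external_conversation"): "IDS11",
}

# Alert logic copied from the Correlation Rules table.
RULES = {
    "BAS.2.3": "(ACC05 || ACC06 || ACC07 || ACC08 || ACC09 || ACC10) && ACC11",
    "BAS.28.1": "PRO01 && FIL01 && (IDS02 || IDS03 || IDS11)",
    "BAS.31": "ACC07 && ACC09 && (ACC01 || ACC02 || ACC03 || ACC04)",
}

TOKEN_RE = re.compile(r"\s*(\(|\)|&&|\|\||[A-Z]{3}\d{2})")


def tokenize(logic):
    """Split an alert logic string into BE IDs, operators and parentheses."""
    logic, pos, tokens = logic.strip(), 0, []
    while pos < len(logic):
        m = TOKEN_RE.match(logic, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos} in {logic!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent: expr := term ('||' term)*, term := factor ('&&' factor)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        t = self.peek()
        self.i += 1
        return t

    def expr(self, present):
        v = self.term(present)
        while self.peek() == "||":
            self.take()
            r = self.term(present)   # always consume the right operand
            v = v or r
        return v

    def term(self, present):
        v = self.factor(present)
        while self.peek() == "&&":
            self.take()
            r = self.factor(present)
            v = v and r
        return v

    def factor(self, present):
        t = self.take()
        if t == "(":
            v = self.expr(present)
            if self.take() != ")":
                raise ValueError("missing ')'")
            return v
        if t is None or t in ("&&", "||", ")"):
            raise ValueError(f"unexpected token {t!r}")
        return t in present       # a BE ID is TRUE if that tag was observed


def evaluate(logic, present):
    """Return True if the alert logic holds for the set of BE tags `present`."""
    p = Parser(tokenize(logic))
    v = p.expr(present)
    if p.peek() is not None:
        raise ValueError(f"trailing tokens in {logic!r}")
    return v


def tag_events(raw_events):
    """Map raw sensor events to (timestamp, host, BE); unmapped events are dropped."""
    tagged = []
    for e in raw_events:
        be = VENDOR_TO_BE.get((e["source"], e["event"]))
        if be:
            tagged.append((datetime.fromisoformat(e["ts"]), e["host"], be))
    return tagged


def correlate(tagged, rules, window=timedelta(minutes=10)):
    """Aggregate by host; a rule fires if its logic is TRUE for the BE tags seen
    in any window that starts at one of that host's events."""
    by_host, alerts = {}, set()
    for ts, host, be in sorted(tagged):
        by_host.setdefault(host, []).append((ts, be))
    for host, evs in by_host.items():
        for i, (start, _) in enumerate(evs):
            present = {be for ts, be in evs[i:] if ts - start <= window}
            for alert_id, logic in rules.items():
                if evaluate(logic, present):
                    alerts.add((host, alert_id))
    return alerts


def run_example():
    # Constructed sample events; network (ids) events carry the asset the
    # sensor attributed them to so they aggregate with that host's events.
    raw = [
        {"ts": "2024-01-01T09:00:00", "host": "hmi-01", "source": "winlog", "event": "4698"},
        {"ts": "2024-01-01T09:03:00", "host": "hmi-01", "source": "winlog", "event": "4648"},
        {"ts": "2024-01-01T09:30:00", "host": "hmi-01", "source": "winlog", "event": "4720"},
        {"ts": "2024-01-01T10:00:00", "host": "eng-ws-02", "source": "edr", "event": "process_create"},
        {"ts": "2024-01-01T10:01:00", "host": "eng-ws-02", "source": "fim", "event": "file_created"},
        {"ts": "2024-01-01T10:04:00", "host": "eng-ws-02", "source": "ids", "event": "external_conversation"},
        {"ts": "2024-01-01T11:00:00", "host": "plc-gw-03", "source": "ids", "event": "new_node"},
    ]
    return correlate(tag_events(raw), RULES)


if __name__ == "__main__":
    for host, alert_id in sorted(run_example()):
        print(f"{alert_id} raised for {host}")
```

BAS.2.3 fires for hmi-01 because ACC06 and ACC11 fall in the same 10-minute window, BAS.28.1 fires for eng-ws-02, and BAS.31 never fires because no ACC09 tag is present. The window is anchored at each event and looks forward only, so the later ACC07 on hmi-01 does not pair with the earlier ACC11; in a SIEM the time range and aggregation field would be the query parameters the correlation rule supplies.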