Rules Contributing to Potentially Malicious Windows Event Alerts

The following rules identify suspicious activity in Windows event logs. "Potentially Malicious Windows Event" is a generic alert name: any one or more of these rules firing will trigger a Potentially Malicious Windows Event alert. Details for each rule can be viewed by clicking the More Details link in the description.
| Title | Description |
|---|---|
| SysKey Registry Keys Access | Detects handle requests and access operations to the specific registry keys used to calculate the SysKey. |
| ETW Logging Disabled In .NET Processes - Registry | Potential adversaries stopping ETW providers from recording loaded .NET assemblies. |
| NetNTLM Downgrade Attack | Detects a NetNTLM downgrade attack. |
| Windows Defender Discarded Signature | A Dynamic Signature Service signature of Windows Defender has been discarded. This may be due to an attacker or a user disabling a security feature, which can leave the computer exposed to malware and other threats. |
| PetitPotam Suspicious Kerberos TGT Request | Detects suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step is to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request generates a 4768 event with some unusual fields, depending on the environment. This analytic requires tuning; we recommend filtering Account_Name to the Domain Controller computer accounts. |
| Potential LSASS Clone Creation via PssCaptureSnapShot | Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access. |
| Register new Logon Process by Rubeus | Detects potential use of Rubeus via the registration of a new trusted logon process. |
| DPAPI Domain Master Key Backup Attempt | Detects any attempt to back up the DPAPI Master Key. This event is generated on the source host, not on the Domain Controller. |
| Scanner PoC for CVE-2019-0708 RDP RCE Vuln | Detects the use of the scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE, aka BlueKeep. |
| Security Event Log Cleared | Checks for event ID 1102, which indicates the Security event log was cleared. |
| Suspicious Scheduled Task Update | Detects scheduled task update events that contain suspicious keywords. |
| Windows Defender Disabled | Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled. |
| ADCS Certificate Template Configuration Vulnerability | Detects certificate creation using a template with risky subject permissions. |
| Network Activity From msxsl | Msxsl allows you to perform command-line Extensible Stylesheet Language (XSL) transformations. If the msxsl utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. |
| Potential Credential Access via LSASS Memory Dump | Identifies suspicious access to an LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access. |
| Addition of Domain Trusts | Addition of domain trusts is rare and should be verified for legitimacy. |
| User Added to Local Administrators | This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation. |
| Sensitive Privilege SeEnableDelegationPrivilege assigned to a User | Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges. |
| Suspicious Computer Account Name Change CVE-2021-42287 | Detects the renaming of an existing computer account to an account name that does not contain a $ symbol, as seen in attacks against CVE-2021-42287. |
| Suspicious Remote Logon with Explicit Credentials | Detects suspicious processes logging on with explicit credentials. |
| The Password Hash of an Account was Accessed | The password hash of an account was accessed. This could be an indication of malicious activity. |
| Processes Accessing the Microphone and Webcam | Potential adversaries accessing the microphone and webcam on an endpoint. |
| Defrag Deactivation - Security | Detects the deactivation and disabling of the scheduled defragmentation task, as performed by the Slingshot APT group. |
| Azure AD Health Service Agents Registry Keys Access | This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys. |
| Password Protected ZIP File Opened (Email Attachment) | Detects the extraction of password-protected ZIP archives. See the filename variable for details on which file was opened. |
| AD Privileged Users or Groups Reconnaissance | Detects reconnaissance of privileged users or groups based on event ID 4661 and the SIDs of known privileged users and groups. |
| Password Protected ZIP File Opened (Suspicious Filenames) | Detects the extraction of password-protected ZIP archives with suspicious file names. See the filename variable for details on which file was opened. |
| Network Activity From MSBuild | MSBuild is a powerful tool used to compile and package code. If the MSBuild utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. Malicious executables can even run inside of MSBuild with little indication that they are doing so. |
| Unexpected Network Activity from Microsoft Tool | A Microsoft tool was executed with suspicious network connection activity. This could be an indication of malicious activity. |
| Potential LSASS Memory Dump via PssCaptureSnapShot | Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access. |
| Azure AD Health Monitoring Agent Registry Keys Access | This detection uses Windows security events to detect suspicious access attempts to the registry key of the Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. |
| Network Activity From mshta | Mshta is the Microsoft HTML Application Host and allows the execution of .hta files. If the mshta utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. |
| Potential Credential Access via DuplicateHandle in LSASS | Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access. |
| Security Eventlog Cleared | One of the Windows event logs has been cleared, e.g. caused by "wevtutil cl" command execution. |
| Operation Wocao Activity - Security | Detects activity mentioned in the Operation Wocao report. |
| Kerberos Manipulation | This method triggers on rare Kerberos failure codes caused by manipulation of Kerberos messages. |
| Windows Login Default Point Of Sale Credentials | Windows has reported a login from a user with the default username used by a Point of Sale system. These usernames are well known and are often the targets of brute-force attacks leading to unauthorized access to the payment infrastructure. |
| SCM Database Privileged Operation | Detects non-system users performing privileged operations on the SCM database. |
| Reconnaissance Activity | Detects activity such as "net user administrator /domain" and "net group domain admins /domain". |
| Kerberos Policy was Changed | The Kerberos policy was changed. This could be an indication of malicious activity. |
| Network Activity From verclsid | Verclsid allows you to validate shell extensions before they are instantiated by the Windows shell or Windows Explorer. If the verclsid utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. |
| Hacking Tool detected by Antivirus | Windows Defender Antivirus has detected a hacking tool on the system. This is an indication that an attacker has access to your system and is trying to install tools to gain persistence, compromise other systems, etc. |
| WCE wceaux.dll Access | Detects access to wceaux.dll during WCE pass-the-hash remote command execution on the source host. |
| Important Scheduled Task Deleted/Disabled | Detects adversaries stopping services or processes by deleting or disabling their respective scheduled tasks in order to conduct data-destructive activities. |
| Account Tampering - Suspicious Failed Logon Reasons | This method uses uncommon error codes on failed logons to identify suspicious activity and tampering with accounts that have been disabled or otherwise restricted. |
| Encrypted Data Recovery Policy was Changed | The Encrypted Data Recovery policy was changed. This could be an indication of malicious activity. |
| Suspicious LSASS Access via MalSecLogon | Identifies suspicious access to an LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle by abusing the Secondary Logon service in preparation for credential access. |
| Secure Deletion with SDelete | Detects the renaming of a file during deletion with the SDelete tool. |
| ADCS Certificate Template Configuration Vulnerability with Risky EKU | Detects certificate creation using a template with risky subject permissions and a risky EKU. |
| KRBTGT Delegation Backdoor | Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence in the domain by having the ability to request tickets for the KRBTGT service. |
| Windows Defender Exclusion Set | Detects a Windows Defender exclusion being added in the registry, which an entity would do to bypass antivirus scanning by Windows Defender. |
| Password Change on Directory Service Restore Mode (DSRM) Account | The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change its password to gain persistence. |
| Hacktool Ruler | Detects events generated when using the hacktool Ruler by SensePost. |
| Suspicious Scheduled Task Creation | Detects suspicious scheduled task creation events, based on attributes such as paths, command-line flags, etc. |
| User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' | The 'LsaRegisterLogonProcess' function verifies that the application making the call is a logon process by checking that it holds the SeTcbPrivilege privilege. A failure possibly indicates Rubeus trying to obtain a handle to LSA. |
| User Account Deleted | A user account has been deleted. This could be an indication of malicious activity. |
| Replay Attack Detected | Detects a possible Kerberos replay attack on the domain controllers, when a "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client. |
| Device Installation Blocked | Detects the installation of a device that is forbidden by system policy. |
| Webshell detected by Antivirus | Windows Defender Antivirus has detected a webshell on the system. This is an indication that an attacker gained access to your server and is trying to deploy a webshell in the web server. |
| OilRig APT Schedule Task Persistence - Security | Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report. |
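To show how rule descriptions such as those in the table map onto concrete Security-log fields, the following PowerShell is added here as an example; it is not the page's own content nor the product's rule logic. It expresses four of the rules above ("Security Event Log Cleared", "Suspicious Computer Account Name Change CVE-2021-42287", "AD Privileged Users or Groups Reconnaissance" and "User Added to Local Administrators") as tests on event fields and runs them over constructed sample events. Assumptions: the field names are the standard EventData names for each event ID, the privileged-SID suffix list is an illustrative subset, and the sample events are constructed rather than captured.

```powershell
# Added example (not from the original page and not the product's own rule
# logic): four of the rules above expressed as tests on Security-log event
# fields, run over constructed sample events.
# Assumption: field names are the standard EventData <Data Name="..."> names
# for each event ID; the privileged-SID list is an illustrative subset.

function ConvertFrom-SecurityEventXml {
    # Parse one Security event's XML into EventId plus a Fields hashtable
    # keyed by each Data element's Name attribute.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $fields = @{}
    foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        EventId = [int]$doc.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
        Fields  = $fields
    }
}

# SID suffixes of well-known privileged principals: Administrator (-500),
# Domain Admins (-512), Enterprise Admins (-519), BUILTIN\Administrators.
$PrivilegedSidSuffixes = @('-500', '-512', '-519', 'S-1-5-32-544')

$Rules = @(
    @{ Title = 'Security Event Log Cleared'
       Test  = { param($e) $e.EventId -eq 1102 } },

    @{ Title = 'Suspicious Computer Account Name Change CVE-2021-42287'
       Test  = { param($e)
                 $e.EventId -eq 4781 -and
                 $e.Fields['OldTargetUserName'] -like '*$' -and
                 $e.Fields['NewTargetUserName'] -notlike '*$' } },

    @{ Title = 'AD Privileged Users or Groups Reconnaissance'
       Test  = { param($e)
                 $e.EventId -eq 4661 -and
                 $e.Fields['ObjectType'] -in @('SAM_USER', 'SAM_GROUP') -and
                 ($PrivilegedSidSuffixes | Where-Object { $e.Fields['ObjectName'] -like "*$_" }) } },

    @{ Title = 'User Added to Local Administrators'
       Test  = { param($e)
                 $e.EventId -eq 4732 -and
                 $e.Fields['TargetSid'] -eq 'S-1-5-32-544' -and
                 $e.Fields['SubjectUserName'] -notlike '*$' } }   # ignore machine accounts
)

function Invoke-Rules {
    # Run every rule over every parsed event; emit one row per match.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if (& $r.Test $e) {
                [pscustomobject]@{ EventId = $e.EventId; Rule = $r.Title }
            }
        }
    }
}

function New-SampleEvent {
    # Builds a constructed (not captured) Security event in the log's XML shape.
    param([Parameter(Mandatory)][int]$Id, [hashtable]$Data = @{})
    $rows = ($Data.GetEnumerator() |
        ForEach-Object { '<Data Name="{0}">{1}</Data>' -f $_.Key, $_.Value }) -join ''
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>$Id</EventID><Channel>Security</Channel></System>
  <EventData>$rows</EventData>
</Event>
"@
}

# Constructed samples: one hit per rule, plus a benign rename and an ordinary logon.
$samples = @(
    (New-SampleEvent -Id 1102),
    (New-SampleEvent -Id 4781 -Data @{ OldTargetUserName = 'WS01$'; NewTargetUserName = 'DC01'; SubjectUserName = 'jdoe' }),
    (New-SampleEvent -Id 4781 -Data @{ OldTargetUserName = 'jsmith'; NewTargetUserName = 'j.smith'; SubjectUserName = 'helpdesk' }),
    (New-SampleEvent -Id 4661 -Data @{ ObjectType = 'SAM_GROUP'; ObjectName = 'S-1-5-21-1111-2222-3333-512'; SubjectUserName = 'jdoe' }),
    (New-SampleEvent -Id 4732 -Data @{ TargetSid = 'S-1-5-32-544'; MemberSid = 'S-1-5-21-1111-2222-3333-1105'; SubjectUserName = 'jdoe' }),
    (New-SampleEvent -Id 4624 -Data @{ TargetUserName = 'jdoe'; LogonType = '2' })
)

$events = $samples | ForEach-Object { ConvertFrom-SecurityEventXml -Xml $_ }
Invoke-Rules -Events $events | Format-Table -AutoSize
```

Run as-is, the 1102 event, the WS01$ to DC01 rename, the 4661 against RID 512 and the 4732 on S-1-5-32-544 each produce one row; the benign user rename and the 4624 logon match nothing. In production the same tests would be fed by `Get-WinEvent -LogName Security` (converting each record with `.ToXml()`) and would need the tuning the rule descriptions mention, for example excluding Domain Controller computer accounts or known administrative tooling.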
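The two Azure AD Health rules in the table state a prerequisite that is easy to miss: the registry keys they watch only produce Security events if a SACL audit entry exists on them, propagated to sub-keys, and if registry object-access auditing is enabled. The following PowerShell, added here as an example and not taken from the page or the product, configures that prerequisite on the AD FS / AD Health server. It assumes that auditing successful read access by Everyone is acceptable, and that it is run in an elevated session (writing a SACL requires SeSecurityPrivilege).

```powershell
# Added example (not from the original page): enable the object-access auditing
# that the "Azure AD Health ... Registry Keys Access" rules depend on.
# Run in an elevated PowerShell on the AD FS / AD Health server.
# Assumption: auditing successful reads by 'Everyone' is acceptable here;
# narrow the identity or the rights to suit your environment.

# 1. A SACL only yields 4656/4663 events when the "Registry" subcategory of
#    Object Access auditing is switched on.
auditpol.exe /set /subcategory:"Registry" /success:enable

# Keys named in the two rule descriptions.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\ADHealthAgent',
    'HKLM:\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'
)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Warning "Key not present on this host, skipping: $key"
        continue
    }

    # -Audit reads the SACL as well as the DACL (needs SeSecurityPrivilege).
    $acl = Get-Acl -Path $key -Audit

    # ContainerInherit makes the entry propagate to existing and future sub-keys,
    # which the first rule's description explicitly asks for.
    $ace = [System.Security.AccessControl.RegistryAuditRule]::new(
        [System.Security.Principal.NTAccount]'Everyone',
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success
    )
    $acl.AddAuditRule($ace)
    Set-Acl -Path $key -AclObject $acl

    # 2. Verify what is now in force on the key.
    (Get-Acl -Path $key -Audit).Audit |
        Select-Object IdentityReference, RegistryRights, InheritanceFlags, AuditFlags
}
```

Expect the legitimate AD Health agent itself to generate matching 4656/4663 events on every read; the rule (or the SIEM query behind it) must filter on the accessing process and account, so after applying the SACL check the event volume before trusting the alert.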