Rules Contributing to Potentially Malicious Windows Event Alerts
The following rules are used to identify suspicious activity in Windows events. "Potentially Malicious Windows Event" is a generic alert name: any one or more of these rules will trigger it. Details for each rule (query, log source, rule source, author) are given in the table below.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
SysKey Registry Keys Access |
Detects handle requests and access operations to specific registry keys to calculate the SysKey More details
Rule IDQuery{'selection': {'EventID': [4656, 4663], 'ObjectType': 'key', 'ObjectName|endswith': ['lsa\\JD', 'lsa\\GBG', 'lsa\\Skew1', 'lsa\\Data']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9a4ff3b8-6187-4fd2-8e8b-e0eae1129495 Author: Roberto Rodriguez @Cyb3rWard0g Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
ETW Logging Disabled In .NET Processes - Registry |
Potential adversaries stopping ETW providers recording loaded .NET assemblies. More details
Rule IDQuery{'selection_etw_enabled': {'EventID': 4657, 'ObjectName|endswith': '\\SOFTWARE\\Microsoft\\.NETFramework', 'ObjectValueName': 'ETWEnabled', 'NewValue': '0'}, 'selection_complus': {'EventID': 4657, 'ObjectName|contains': '\\Environment', 'ObjectValueName': ['COMPlus_ETWEnabled', 'COMPlus_ETWFlags'], 'NewValue': '0'}, 'condition': '1 of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a4c90ea1-2634-4ca0-adbb-35eae169b6fc Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
NetNTLM Downgrade Attack |
Detects NetNTLM downgrade attack More details
Rule IDQuery{'selection': {'EventID': 4657, 'ObjectName|contains|all': ['\\REGISTRY\\MACHINE\\SYSTEM', 'ControlSet', '\\Control\\Lsa'], 'ObjectValueName': ['LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,d3abac66-f11c-4ed0-8acb-50cc29c97eed Author: Florian Roth (Nextron Systems), wagga Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Windows Defender Discarded Signature |
Dynamic Signature Service signature of Windows Defender has been discarded. This may be due to an attacker or a user disabling a security feature that can led the computer exposed to malware and other threats. More details
Rule IDQuery{'selection2': {'EventID': 2013}, 'condition': 'selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
PetitPotam Suspicious Kerberos TGT Request |
Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts. More details
Rule IDQuery{'selection': {'EventID': 4768, 'TargetUserName|endswith': '$', 'CertThumbprint|contains': '*'}, 'filter_local': {'IpAddress': '::1'}, 'filter_thumbprint': {'CertThumbprint': ''}, 'condition': 'selection and not 1 of filter_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,6a53d871-682d-40b6-83e0-b7c1a6c4e3a5 Author: Mauricio Velazco, Michael Haag Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Potential LSASS Clone Creation via PssCaptureSnapShot |
Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access. More details
Rule IDQuery{'selection1': {'EventID': 4688}, 'selection2': {'Image': '?:\\Windows\\System32\\lsass.exe'}, 'selection3': {'ParentImage': '?:\\Windows\\System32\\lsass.exe'}, 'condition': 'selection1 and selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Register new Logon Process by Rubeus |
Detects potential use of Rubeus via registered new trusted logon process More details
Rule IDQuery{'selection': {'EventID': 4611, 'LogonProcessName': 'User32LogonProcesss'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,12e6d621-194f-4f59-90cc-1959e21e69f7 Author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
DPAPI Domain Master Key Backup Attempt |
Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller. More details
Rule IDQuery{'selection': {'EventID': 4692}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,39a94fd1-8c9a-4ff6-bf22-c058762f8014 Author: Roberto Rodriguez @Cyb3rWard0g Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Scanner PoC for CVE-2019-0708 RDP RCE Vuln |
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep More details
Rule IDQuery{'selection': {'EventID': 4625, 'TargetUserName': 'AAAAAAA'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8400629e-79a9-4737-b387-5db940ab2367 Author: Florian Roth (Nextron Systems), Adam Bradbury (idea) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Security Event Log Cleared |
Checks for event id 1102 which indicates the security event log was cleared. More details
Rule IDQuery{'selection': {'EventID': 1102, 'Provider_Name': 'Microsoft-Windows-Eventlog'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a122ac13-daf8-4175-83a2-72c387be339d Author: Saw Winn Naung Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Scheduled Task Update |
Detects update to a scheduled task event that contain suspicious keywords. More details
Rule IDQuery{'selection_eid': {'EventID': 4702}, 'selection_paths': {'TaskContentNew|contains': ['\\AppData\\Local\\Temp\\', '\\AppData\\Roaming\\', '\\Users\\Public\\', '\\WINDOWS\\Temp\\', 'C:\\Temp\\', '\\Desktop\\', '\\Downloads\\', '\\Temporary Internet', 'C:\\ProgramData\\', 'C:\\Perflogs\\']}, 'selection_commands': {'TaskContentNew|contains': ['regsvr32', 'rundll32', 'cmd.exe</Command>', 'cmd</Command>', '<Arguments>/c ', '<Arguments>/k ', '<Arguments>/r ', 'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'certutil', 'bitsadmin', 'bash.exe', 'bash ', 'scrcons', 'wmic ', 'wmic.exe', 'forfiles', 'scriptrunner', 'hh.exe']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,614cf376-6651-47c4-9dcc-6b9527f749f4 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Windows Defender Disabled |
Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled. More details
Rule IDQuery{'selection2': {'EventID': 5001}, 'condition': 'selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
ADCS Certificate Template Configuration Vulnerability |
Detects certificate creation with template allowing risk permission subject More details
Rule IDQuery{'selection1': {'EventID': 4898, 'TemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'selection2': {'EventID': 4899, 'NewTemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'condition': 'selection1 or selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,5ee3a654-372f-11ec-8d3d-0242ac130003 Author: Orlinum , BlueDefenZer Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Network Activity From msxsl |
Msxsl allows you to perform command line Extensible Stylesheet Language (XSL) transformations. If the msxsl utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. More details
Rule IDQuery{'selection2': {'EventID': 3}, 'selection3': {'ProcessName|contains': '\\msxsl.exe'}, 'condition': 'selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Potential Credential Access via LSASS Memory Dump |
Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access. More details
Rule IDQuery{'selection1': {'EventID': 10}, 'selection2': {'TargetImage': '?:\\WINDOWS\\system32\\lsass.exe'}, 'selection3': {'CallTrace': ['*dbghelp*', '*dbgcore*']}, 'selection4': {'Image': ['?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\System32\\WerFaultSecure.exe']}, 'condition': 'selection1 and selection2 and selection3 and (not selection4)'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Addition of Domain Trusts |
Addition of domains is seldom and should be verified for legitimacy. More details
Rule IDQuery{'selection': {'EventID': 4706}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,0255a820-e564-4e40-af2b-6ac61160335c Author: Thomas Patzke Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
User Added to Local Administrators |
This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity More details
Rule IDQuery{'selection': {'EventID': 4732}, 'selection_group1': {'TargetUserName|startswith': 'Administr'}, 'selection_group2': {'TargetSid': 'S-1-5-32-544'}, 'filter': {'SubjectUserName|endswith': '$'}, 'condition': 'selection and (1 of selection_group*) and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c265cf08-3f99-46c1-8d59-328247057d57 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Sensitive Privilege SeEnableDelegationPrivilege assigned to a User |
Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges. More details
Rule IDQuery{'selection1': {'EventID': 4704}, 'selection2': {'PrivilegeList': 'SeEnableDelegationPrivilege'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Computer Account Name Change CVE-2021-42287 |
Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287 More details
Rule IDQuery{'selection': {'EventID': 4781, 'OldTargetUserName|contains': '$'}, 'filter': {'NewTargetUserName|contains': '$'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,45eb2ae2-9aa2-4c3a-99a5-6e5077655466 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Suspicious Remote Logon with Explicit Credentials |
Detects suspicious processes logging on with explicit credentials More details
Rule IDQuery{'selection': {'EventID': 4648, 'ProcessName|endswith': ['\\cmd.exe', '\\powershell.exe', '\\pwsh.exe', '\\winrs.exe', '\\wmic.exe', '\\net.exe', '\\net1.exe', '\\reg.exe']}, 'filter1': {'TargetServerName': 'localhost'}, 'filter2': {'SubjectUserName|endswith': '$', 'TargetUserName|endswith': '$'}, 'condition': 'selection and not 1 of filter*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,941e5c45-cda7-4864-8cea-bbb7458d194a Author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
The Password Hash of an Account was Accessed |
The Password Hash of an Account was Accessed. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4782}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Processes Accessing the Microphone and Webcam |
Potential adversaries accessing the microphone and webcam in an endpoint. More details
Rule IDQuery{'selection': {'EventID': [4657, 4656, 4663], 'ObjectName|contains': ['\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged', '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8cd538a4-62d5-4e83-810b-12d41e428d6e Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Defrag Deactivation - Security |
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group More details
Rule IDQuery{'selection': {'EventID': 4701, 'TaskName': '\\Microsoft\\Windows\\Defrag\\ScheduledDefrag'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c5a178bf-9cfb-4340-b584-e4df39b6a3e7 Author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Azure AD Health Service Agents Registry Keys Access |
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys. More details
Rule IDQuery{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent'}, 'filter': {'ProcessName|contains': ['Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe', 'Microsoft.Identity.Health.Adfs.InsightsService.exe', 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe', 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe', 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe']}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1d2ab8ac-1a01-423b-9c39-001510eae8e8 Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Password Protected ZIP File Opened (Email Attachment) |
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened. More details
Rule IDQuery{'selection': {'EventID': 5379, 'TargetName|contains|all': ['Microsoft_Windows_Shell_ZipFolder:filename', '\\Temporary Internet Files\\Content.Outlook']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,571498c8-908e-40b4-910b-d2369159a3da Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AD Privileged Users or Groups Reconnaissance |
Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs More details
Rule IDQuery{'selection': {'EventID': 4661, 'ObjectType': ['SAM_USER', 'SAM_GROUP']}, 'selection_object': [{'ObjectName|endswith': ['-512', '-502', '-500', '-505', '-519', '-520', '-544', '-551', '-555']}, {'ObjectName|contains': 'admin'}], 'filter': {'SubjectUserName|endswith': '$'}, 'condition': 'selection and selection_object and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,35ba1d85-724d-42a3-889f-2e2362bcaf23 Author: Samir Bousseaden Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Password Protected ZIP File Opened (Suspicious Filenames) |
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened. More details
Rule IDQuery{'selection': {'EventID': 5379, 'TargetName|contains': 'Microsoft_Windows_Shell_ZipFolder:filename'}, 'selection_filename': {'TargetName|contains': ['invoice', 'new order', 'rechnung', 'factura', 'delivery', 'purchase', 'order', 'payment']}, 'condition': 'selection and selection_filename'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,54f0434b-726f-48a1-b2aa-067df14516e4 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Network Activity From MSBuild |
MSBuild is a powerful tool used to compile and package code. If the MSBuild utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. Malicious executables can even run inside of MSBuild with little indication it is doing so. More details
Rule IDQuery{'selection2': {'EventID': 3}, 'selection3': {'ProcessName|contains': '\\MSBuild.exe'}, 'condition': 'selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Unexpected Network Activity from Microsoft Tool |
A Microsoft tool was executed with suspicious network connection activity. This could be an indication of malicious activity. More details
Rule IDQuery{'selection2': {'EventID': 3}, 'selection3': {'ProcessName|re': '\\\\(?:bginfo|rcsi|control|odbcconf)\\.exe'}, 'condition': 'selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Potential LSASS Memory Dump via PssCaptureSnapShot |
Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access. More details
Rule IDQuery{'selection1': {'EventID': 10}, 'selection2': {'TargetImage': 'C:\\Windows\\system32\\lsass.exe'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Azure AD Health Monitoring Agent Registry Keys Access |
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. More details
Rule IDQuery{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent'}, 'filter': {'ProcessName|contains': ['Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe', 'Microsoft.Identity.Health.Adfs.InsightsService.exe', 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe', 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe', 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe']}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ff151c33-45fa-475d-af4f-c2f93571f4fe Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Network Activity From mshta |
Mshta is the Microsoft HTML Application Host and allows the execution of .hta files. If the mshta utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. More details
Rule IDQuery{'selection2': {'EventID': 3}, 'selection3': {'ProcessName|contains': '\\mshta.exe'}, 'condition': 'selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Potential Credential Access via DuplicateHandle in LSASS |
Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access. More details
Rule IDQuery{'selection1': {'EventID': 10}, 'selection2': {'ProcessName': 'lsass.exe'}, 'selection3': {'GrantedAccess': '0x40'}, 'selection4': {'CallTrace': '*UNKNOWN*'}, 'condition': 'selection1 and selection2 and selection3 and selection4'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Security Eventlog Cleared |
One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution More details
Rule IDQuery{'selection_517': {'EventID': 517, 'Provider_Name': 'Security'}, 'selection_1102': {'EventID': 1102, 'Provider_Name': 'Microsoft-Windows-Eventlog'}, 'condition': '1 of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,d99b79d2-0a6f-4f46-ad8b-260b6e17f982 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Operation Wocao Activity - Security |
Detects activity mentioned in Operation Wocao report More details
Rule IDQuery{'selection': {'EventID': 4799, 'TargetUserName|startswith': 'Administr', 'CallerProcessName|endswith': '\\checkadmin.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,74ad4314-482e-4c3e-b237-3f7ed3b9ca8d Author: Florian Roth (Nextron Systems), frack113 Tactics, Techniques, and ProceduresT1012, T1027, T1036.004, T1053.005, T1059.001 References
N/A
Additional Information
|
||||||||
Kerberos Manipulation |
This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages More details
Rule IDQuery{'selection': {'EventID': [675, 4768, 4769, 4771], 'FailureCode': ['0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f7644214-0eb0-4ace-9455-331ec4c09253 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Windows Login Default Point Of Sale Credentials |
Windows has reported a login from a user with the default username used by a Point of Sale system. These are well known and are often used as the targets of brute force attacks leading to unauthorized access of the payment infrastructure. More details
Rule IDQuery{'selection2': {'EventID': 4625}, 'selection3': {'SourceUserName': "'aloha'"}, 'selection4': {'SourceUserName': "'micros'"}, 'selection5': {'SourceUserName': "'posi'"}, 'selection6': {'SourceUserName': "'support'"}, 'selection7': {'SourceUserName': "'ddpos'"}, 'selection8': {'SourceUserName': "'term1'"}, 'selection9': {'SourceUserName': "'pos'"}, 'selection10': {'SourceUserName': "'pos2'"}, 'condition': 'selection2 and (selection3 or selection4 or selection5 or selection6 or selection7 or selection8 or selection9 or selection10)'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
SCM Database Privileged Operation |
Detects non-system users performing privileged operation os the SCM database More details
Rule IDQuery{'selection': {'EventID': 4674, 'ObjectType': 'SC_MANAGER OBJECT', 'ObjectName': 'servicesactive', 'PrivilegeList': 'SeTakeOwnershipPrivilege'}, 'filter': {'SubjectLogonId': '0x3e4', 'ProcessName|endswith': ':\\Windows\\System32\\services.exe'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,dae8171c-5ec6-4396-b210-8466585b53e9 Author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Reconnaissance Activity |
Detects activity as "net user administrator /domain" and "net group domain admins /domain" More details
Rule IDQuery{'selection': {'EventID': 4661, 'AccessMask': '0x2d', 'ObjectType': ['SAM_USER', 'SAM_GROUP'], 'ObjectName|startswith': 'S-1-5-21-', 'ObjectName|endswith': ['-500', '-512']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,968eef52-9cff-4454-8992-1e74b9cbad6c Author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Kerberos Policy was Changed |
The Kerberos policy was changed. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4713}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Network Activity From verclsid |
Verclsid allows you to validate shell extensions before they are instantiated by the Windows shell or Windows Explorer. If the verclsid utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. More details
Rule IDQuery{'selection2': {'EventID': 3}, 'selection3': {'ProcessName|contains': '\\verclsid.exe'}, 'condition': 'selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Hacking Tool detected by Antivirus |
The Windows Defender AntiVirus has detected a hacking tool in the system. This is an indication that an attacker has access to your system and is trying to install tools to gain persistence, compromise other systems, etc. More details
Rule IDQuery{'selection2': {'EventID': 1116}, 'selection3': {'MalwareFamily|re': '(?:hacktool|meterpreter|metasploit|powersploit|cobalt|mimikatz|wpdump|htool|wce)'}, 'selection4': {'FileName': ''}, 'selection5': {'MalwareFamily': ''}, 'condition': 'selection2 and selection3 and not selection4 and not selection5'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
WCE wceaux.dll Access |
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host More details
Rule IDQuery{'selection': {'EventID': [4656, 4658, 4660, 4663], 'ObjectName|endswith': '\\wceaux.dll'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1de68c67-af5c-4097-9c85-fe5578e09e67 Author: Thomas Patzke Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Important Scheduled Task Deleted/Disabled |
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities More details
Rule IDQuery{'selection': {'EventID': [4699, 4701], 'TaskName|contains': ['\\Windows\\SystemRestore\\SR', '\\Windows\\Windows Defender\\', '\\Windows\\BitLocker', '\\Windows\\WindowsBackup\\', '\\Windows\\WindowsUpdate\\', '\\Windows\\UpdateOrchestrator\\Schedule', '\\Windows\\ExploitGuard']}, 'filter_sys_username': {'EventID': 4699, 'SubjectUserName|endswith': '$', 'TaskName|contains': '\\Windows\\Windows Defender\\'}, 'condition': 'selection and not 1 of filter_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7595ba94-cf3b-4471-aa03-4f6baa9e5fad Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Account Tampering - Suspicious Failed Logon Reasons |
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. More details
Rule IDQuery{'selection': {'EventID': [4625, 4776], 'Status': ['0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B']}, 'filter': {'SubjectUserSid': 'S-1-0-0'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9eb99343-d336-4020-a3cd-67f3819e68ee Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Encrypted Data Recovery Policy was Changed
Description: The Encrypted Data Recovery policy was changed. This could be an indication of malicious activity.
Rule ID:
Query: {'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4714}, 'condition': 'selection1 and selection2'}
Log Source: Stellar Cyber Windows Server Sensor configured.
Rule Source: Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures:
References: N/A
Additional Information:

Suspicious LSASS Access via MalSecLogon
Description: Identifies suspicious access to an LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle by abusing the Secondary Logon service in preparation for credential access.
Rule ID:
Query: {'selection1': {'EventID': 10}, 'selection2': {'TargetImage': '?:\\WINDOWS\\system32\\lsass.exe'}, 'selection3': {'CallTrace': '*seclogon.dll*'}, 'selection4': {'ProcessName': 'svchost.exe'}, 'selection5': {'GrantedAccess': '0x14c0'}, 'condition': 'selection1 and selection2 and selection3 and selection4 and selection5'}
Log Source: Stellar Cyber Windows Server Sensor configured.
Rule Source: Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures:
References: N/A
Additional Information:

Secure Deletion with SDelete
Description: Detects the renaming of a file during deletion with the SDelete tool.
Rule ID:
Query: {'selection': {'EventID': [4656, 4663, 4658], 'ObjectName|endswith': ['.AAA', '.ZZZ']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 39a80702-d7ca-4a83-b776-525b1f86a36d
Author: Thomas Patzke
Tactics, Techniques, and Procedures: T1027.005, T1070.004, T1485, T1553.002
References: N/A
Additional Information:

ADCS Certificate Template Configuration Vulnerability with Risky EKU
Description: Detects certificate template creation or modification where the template allows the enrollee to supply the subject and includes a risky EKU.
Rule ID:
Query: {'selection10': {'EventID': 4898, 'TemplateContent|contains': ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0']}, 'selection11': {'TemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'selection20': {'EventID': 4899, 'NewTemplateContent|contains': ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0']}, 'selection21': {'NewTemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'condition': '(selection10 and selection11) or (selection20 and selection21)'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, bfbd3291-de87-4b7c-88a2-d6a5deb28668
Author: Orlinum, BlueDefenZer
Tactics, Techniques, and Procedures:
References: N/A
Additional Information:

KRBTGT Delegation Backdoor
Description: Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence in the domain by having the ability to request tickets for the KRBTGT service.
Rule ID:
Query: {'selection1': {'EventID': 4738}, 'selection2': {'AllowedToDelegateTo': '*krbtgt*'}, 'condition': 'selection1 and selection2'}
Log Source: Stellar Cyber Windows Server Sensor configured.
Rule Source: Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures:
References: N/A
Additional Information:

Windows Defender Exclusion Set
Description: Detects a Windows Defender exclusion being added in the registry, which an entity would do to bypass Windows Defender antivirus scanning.
Rule ID:
Query: {'selection': {'EventID': [4657, 4656, 4660, 4663], 'ObjectName|contains': '\\Microsoft\\Windows Defender\\Exclusions\\'}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
Author: @BarryShooshooga
Tactics, Techniques, and Procedures:
References: N/A
Additional Information:

Password Change on Directory Service Restore Mode (DSRM) Account
Description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
Rule ID:
Query: {'selection': {'EventID': 4794}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
Author: Thomas Patzke
Tactics, Techniques, and Procedures:
References: N/A
Additional Information:

Hacktool Ruler
Description: Detects events that are generated when using the hacktool Ruler by SensePost.
Rule ID:
Query: {'selection1': {'EventID': 4776, 'Workstation': 'RULER'}, 'selection2': {'EventID': [4624, 4625], 'WorkstationName': 'RULER'}, 'condition': '(1 of selection*)'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 24549159-ac1b-479c-8175-d42aea947cae
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures: T1059, T1087, T1114, T1550.002
References: N/A
Additional Information:

Suspicious Scheduled Task Creation
Description: Detects suspicious scheduled task creation events, based on attributes such as paths, command-line flags, etc.
Rule ID:
Query: {'selection_eid': {'EventID': 4698}, 'selection_paths': {'TaskContent|contains': ['\\AppData\\Local\\Temp\\', '\\AppData\\Roaming\\', '\\Users\\Public\\', '\\WINDOWS\\Temp\\', 'C:\\Temp\\', '\\Desktop\\', '\\Downloads\\', '\\Temporary Internet', 'C:\\ProgramData\\', 'C:\\Perflogs\\']}, 'selection_commands': {'TaskContent|contains': ['regsvr32', 'rundll32', 'cmd.exe</Command>', 'cmd</Command>', '<Arguments>/c ', '<Arguments>/k ', '<Arguments>/r ', 'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'certutil', 'bitsadmin', 'bash.exe', 'bash ', 'scrcons', 'wmic ', 'wmic.exe', 'forfiles', 'scriptrunner', 'hh.exe']}, 'condition': 'all of selection_*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 3a734d25-df5c-4b99-8034-af1ddb5883a4
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures:
References: N/A
Additional Information:

User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
Description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. A failure here is possibly Rubeus trying to get a handle to LSA.
Rule ID:
Query: {'selection': {'EventID': 4673, 'Service': 'LsaRegisterLogonProcess()', 'Keywords': '0x8010000000000000'}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
Author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
Tactics, Techniques, and Procedures:
References: N/A
Additional Information:

User Account Deleted
Description: A user account has been deleted. This could be an indication of malicious activity.
Rule ID:
Query: {'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4726}, 'condition': 'selection1 and selection2'}
Log Source: Stellar Cyber Windows Server Sensor configured.
Rule Source: Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures:
References: N/A
Additional Information:

Replay Attack Detected
Description: Detects a possible Kerberos replay attack on the domain controllers when a "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client.
Rule ID:
Query: {'selection': {'EventID': 4649}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 5a44727c-3b85-4713-8c44-4401d5499629
Author: frack113
Tactics, Techniques, and Procedures:
References: N/A
Additional Information:

Device Installation Blocked
Description: Detects an installation of a device that is forbidden by the system policy.
Rule ID:
Query: {'selection': {'EventID': 6423}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, c9eb55c3-b468-40ab-9089-db2862e42137
Author: frack113
Tactics, Techniques, and Procedures:
References: N/A
Additional Information:

Webshell detected by Antivirus
Description: Windows Defender Antivirus has detected a webshell on the system. This is an indication that an attacker has gained access to your server and is trying to deploy a webshell on the web server.
Rule ID:
Query: {'selection1': {'SubCategory': 'Microsoft-Windows-Windows Defender'}, 'selection2': {'EventID': 1116}, 'selection3': {'MalwareFamily|contains': 'webshell'}, 'selection4': {'MalwareFamily|contains': 'chopper'}, 'selection5': {'MalwareFamily|re': '(?:PHP|JSP|ASP) [\\/]Backdoor'}, 'selection6': {'MalwareFamily|re': 'Backdoor[.:](?:PHP|JSP|ASP)'}, 'condition': 'selection1 and selection2 and (selection3 or selection4 or selection5 or selection6)'}
Log Source: Stellar Cyber Windows Server Sensor configured.
Rule Source: Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures:
References: N/A
Additional Information:

OilRig APT Schedule Task Persistence - Security
Description: Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report.
Rule ID:
Query: {'selection_service': {'EventID': 4698, 'TaskName': ['SC Scheduled Scan', 'UpdatMachine']}, 'condition': 'selection_service'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, c0580559-a6bd-4ef6-b9b7-83703d98b561
Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
Tactics, Techniques, and Procedures: T1053.005, T1071.004, T1112, T1543.003
References: N/A
Additional Information: