Rules Contributing to Potentially Malicious Windows Event Alerts

The following rules are used to identify suspicious activity in Windows Events. "Potentially Malicious Windows Event" is a generic alert name: any one or more of these rules will trigger a Potentially Malicious Windows Event alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

SysKey Registry Keys Access

Detects handle requests and access operations to specific registry keys to calculate the SysKey

ETW Logging Disabled In .NET Processes - Registry

Detects potential adversaries disabling, via the registry, the ETW providers that record loaded .NET assemblies.

NetNTLM Downgrade Attack

Detects NetNTLM downgrade attack

Windows Defender Discarded Signature

A Dynamic Signature Service signature of Windows Defender has been discarded. This may be due to an attacker or a user disabling a security feature, which can leave the computer exposed to malware and other threats.

PetitPotam Suspicious Kerberos TGT Request

Detects suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step is to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request generates a 4768 event with some unusual fields, depending on the environment. This analytic requires tuning; we recommend restricting Account_Name to the Domain Controller computer accounts.

Potential LSASS Clone Creation via PssCaptureSnapShot

Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.

Register new Logon Process by Rubeus

Detects potential use of Rubeus via registered new trusted logon process

DPAPI Domain Master Key Backup Attempt

Detects anyone attempting a backup of the DPAPI Master Key. This event is generated at the source host and not on the Domain Controller.

Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Security Event Log Cleared

Checks for event ID 1102, which indicates the security event log was cleared.

Suspicious Scheduled Task Update

Detects scheduled task update events that contain suspicious keywords.

Windows Defender Disabled

Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.

ADCS Certificate Template Configuration Vulnerability

Detects certificate creation with a template that allows a risky subject permission.

Network Activity From msxsl

Msxsl allows you to perform command line Extensible Stylesheet Language (XSL) transformations. If the msxsl utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables.

Potential Credential Access via LSASS Memory Dump

Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.

Addition of Domain Trusts

Addition of domain trusts is rare and should be verified for legitimacy.

User Added to Local Administrators

This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation.

Sensitive Privilege SeEnableDelegationPrivilege assigned to a User

Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.

Suspicious Computer Account Name Change CVE-2021-42287

Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol, as seen in attacks against CVE-2021-42287.

Suspicious Remote Logon with Explicit Credentials

Detects suspicious processes logging on with explicit credentials

The Password Hash of an Account was Accessed

The Password Hash of an Account was Accessed. This could be an indication of malicious activity.

Processes Accessing the Microphone and Webcam

Detects processes accessing the microphone and webcam on an endpoint, which may indicate adversary activity.

Defrag Deactivation - Security

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Azure AD Health Service Agents Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure the SACL is set to propagate to its sub-keys.

Password Protected ZIP File Opened (Email Attachment)

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

AD Privileged Users or Groups Reconnaissance

Detects reconnaissance of privileged users or groups based on event ID 4661 and the SIDs of known privileged users or groups.
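The SID-based matching described above, as an added example that is not part of this rule catalog: it evaluates constructed 4661 (SAM handle request) records against a table of well-known privileged RIDs. The field names are the real 4661 EventData names and the RID values are the documented well-known ones; the choice of object types to include and the exclusion of machine-account subjects are assumptions for this example.

```python
import re

# Added example, not the catalog's own rule: evaluates the "AD Privileged
# Users or Groups Reconnaissance" idea over constructed 4661 records.
# Field names are the real 4661 EventData names; the RID table lists
# well-known privileged RIDs; the filtering choices are assumptions.

# Domain principals appear as S-1-5-21-<domain>-<RID>, BUILTIN aliases
# as S-1-5-32-<RID>.
PRIVILEGED_RIDS = {
    500: "Administrator",
    502: "krbtgt",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
    544: "Administrators",
    548: "Account Operators",
    549: "Server Operators",
    551: "Backup Operators",
}

SID_RE = re.compile(r"^S-1-5-(?:21-\d+-\d+-\d+|32)-(\d+)$")


def privileged_target(object_name):
    """Return a label if ObjectName is a privileged SID or contains 'admin'."""
    m = SID_RE.match(object_name.strip())
    if m:
        return PRIVILEGED_RIDS.get(int(m.group(1)))
    if "admin" in object_name.lower():
        return object_name
    return None


def is_privileged_recon(event):
    if event.get("EventID") != 4661:
        return False
    # SAM_ALIAS covers BUILTIN groups such as S-1-5-32-544 (assumed inclusion).
    if event.get("ObjectType") not in ("SAM_USER", "SAM_GROUP", "SAM_ALIAS"):
        return False
    # Assumed tuning: machine accounts (DCs, member servers) look these
    # objects up routinely, so only user principals are considered.
    if event.get("SubjectUserName", "").endswith("$"):
        return False
    return privileged_target(event.get("ObjectName", "")) is not None


def recon_by_user(events):
    """Map each requesting user to the privileged objects they touched."""
    hits = {}
    for e in events:
        if is_privileged_recon(e):
            hits.setdefault(e["SubjectUserName"], []).append(
                privileged_target(e["ObjectName"]))
    return hits


DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"  # constructed domain SID

# Constructed sample records, not real log data. The SAM is served from
# lsass.exe on the DC, so ProcessName is the same for all of them; the
# subject user is the useful pivot.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": f"{DOMAIN}-512",
     "SubjectUserName": "jdoe", "ProcessName": LSASS},
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": f"{DOMAIN}-500",
     "SubjectUserName": "jdoe", "ProcessName": LSASS},
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": f"{DOMAIN}-1105",
     "SubjectUserName": "jdoe", "ProcessName": LSASS},
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": f"{DOMAIN}-512",
     "SubjectUserName": "DC02$", "ProcessName": LSASS},
    {"EventID": 4661, "ObjectType": "SAM_ALIAS", "ObjectName": "S-1-5-32-544",
     "SubjectUserName": "svc_backup", "ProcessName": LSASS},
]

if __name__ == "__main__":
    for user, objects in recon_by_user(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(objects)}")
```

Matching on the RID suffix rather than the full SID keeps the rule portable across domains; the domain portion of the SID is constructed here and will differ in every environment.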

Password Protected ZIP File Opened (Suspicious Filenames)

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Network Activity From MSBuild

MSBuild is a powerful tool used to compile and package code. If the MSBuild utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. Malicious executables can even run inside of MSBuild with little indication it is doing so.

Unexpected Network Activity from Microsoft Tool

A Microsoft tool was executed with suspicious network connection activity. This could be an indication of malicious activity.

Potential LSASS Memory Dump via PssCaptureSnapShot

Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
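The two-access correlation described above, as an added example that is not part of this rule catalog: a stateful pass over constructed Sysmon Event ID 10 (ProcessAccess) records that alerts when one source process opens two different lsass.exe PIDs in quick succession. Field names (UtcTime, SourceProcessId, SourceImage, TargetProcessId, TargetImage) are the real Sysmon ones; the 5-second window and the sample data are assumptions for this example.

```python
from datetime import datetime, timedelta

# Added example, not the catalog's own rule: implements the correlation
# described for "Potential LSASS Memory Dump via PssCaptureSnapShot"
# over constructed Sysmon Event ID 10 records. Field names are the real
# Sysmon ones; the window and the sample data are assumptions.

WINDOW = timedelta(seconds=5)  # assumed correlation window


def parse_utc(s):
    """Sysmon UtcTime looks like '2021-06-01 10:22:33.123'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_lsass(image):
    return image.lower().endswith("\\lsass.exe")


def find_snapshot_dumps(events, window=WINDOW):
    """Alert when one source process opens two different lsass.exe PIDs
    within `window`. PssCaptureSnapshot produces a clone that is also
    named lsass.exe, so a dumper touches the original and then the clone."""
    last_access = {}   # SourceProcessId -> (time, TargetProcessId)
    alerts = []
    for e in sorted(events, key=lambda e: parse_utc(e["UtcTime"])):
        if e.get("EventID") != 10 or not is_lsass(e.get("TargetImage", "")):
            continue
        src = e["SourceProcessId"]
        tgt = e["TargetProcessId"]
        t = parse_utc(e["UtcTime"])
        prev = last_access.get(src)
        if prev is not None and prev[1] != tgt and t - prev[0] <= window:
            alerts.append({
                "SourceImage": e["SourceImage"],
                "SourceProcessId": src,
                "lsass_pids": (prev[1], tgt),
            })
        last_access[src] = (t, tgt)
    return alerts


LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    # Dumper opens the original LSASS (PID 700) ...
    {"EventID": 10, "UtcTime": "2021-06-01 10:22:33.100", "SourceProcessId": 4444,
     "SourceImage": r"C:\Users\Public\dumper.exe",
     "TargetProcessId": 700, "TargetImage": LSASS},
    # ... and 380 ms later the snapshot clone (PID 5120), also lsass.exe.
    {"EventID": 10, "UtcTime": "2021-06-01 10:22:33.480", "SourceProcessId": 4444,
     "SourceImage": r"C:\Users\Public\dumper.exe",
     "TargetProcessId": 5120, "TargetImage": LSASS},
    # A security agent opening LSASS repeatedly, always the same PID: no alert.
    {"EventID": 10, "UtcTime": "2021-06-01 10:22:34.000", "SourceProcessId": 2000,
     "SourceImage": r"C:\Program Files\Agent\agent.exe",
     "TargetProcessId": 700, "TargetImage": LSASS},
    {"EventID": 10, "UtcTime": "2021-06-01 10:23:04.000", "SourceProcessId": 2000,
     "SourceImage": r"C:\Program Files\Agent\agent.exe",
     "TargetProcessId": 700, "TargetImage": LSASS},
]

if __name__ == "__main__":
    for a in find_snapshot_dumps(SAMPLE_EVENTS):
        print(f"ALERT: {a['SourceImage']} (PID {a['SourceProcessId']}) "
              f"opened two LSASS instances: {a['lsass_pids']}")
```

Keying the state on SourceProcessId rather than on the image path matters here: the technique is defined by one process touching two LSASS instances, and the second instance would pass a per-event rule that only looks for "lsass.exe" as a target.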

Azure AD Health Monitoring Agent Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

Network Activity From mshta

Mshta is the Microsoft HTML Application Host and allows the execution of .hta files. If the mshta utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables.

Potential Credential Access via DuplicateHandle in LSASS

Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.

Security Eventlog Cleared

One of the Windows event logs has been cleared, e.g. by execution of the "wevtutil cl" command.

Operation Wocao Activity - Security

Detects activity mentioned in Operation Wocao report

Kerberos Manipulation

This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages

Windows Login Default Point Of Sale Credentials

Windows has reported a login from a user with the default username used by a Point of Sale system. These are well known and are often used as the targets of brute force attacks leading to unauthorized access of the payment infrastructure.

SCM Database Privileged Operation

Detects non-system users performing privileged operations on the SCM database.

Reconnaissance Activity

Detects activity such as "net user administrator /domain" and "net group domain admins /domain".

Kerberos Policy was Changed

The Kerberos policy was changed. This could be an indication of malicious activity.

Network Activity From verclsid

Verclsid allows you to validate shell extensions before they are instantiated by the Windows shell or Windows Explorer. If the verclsid utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables.

Hacking Tool detected by Antivirus

The Windows Defender AntiVirus has detected a hacking tool in the system. This is an indication that an attacker has access to your system and is trying to install tools to gain persistence, compromise other systems, etc.

WCE wceaux.dll Access

Detects access to wceaux.dll during WCE pass-the-hash remote command execution on the source host.

Important Scheduled Task Deleted/Disabled

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

Account Tampering - Suspicious Failed Logon Reasons

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Encrypted Data Recovery Policy was Changed

The Encrypted Data Recovery policy was changed. This could be an indication of malicious activity.

Suspicious LSASS Access via MalSecLogon

Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.

Secure Deletion with SDelete

Detects the renaming of files during deletion with the SDelete tool.

ADCS Certificate Template Configuration Vulnerability with Risky EKU

Detects certificate creation with a template that allows a risky subject permission and a risky EKU.

KRBTGT Delegation Backdoor

Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.

Windows Defender Exclusion Set

Detects scenarios where a Windows Defender exclusion was added in the registry, which an adversary would do to bypass antivirus scanning by Windows Defender.

Password Change on Directory Service Restore Mode (DSRM) Account

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

Hacktool Ruler

Detects events that are generated when using the hacktool Ruler by SensePost.

Suspicious Scheduled Task Creation

Detects suspicious scheduled task creation events, based on attributes such as paths, command-line flags, etc.

User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'

The 'LsaRegisterLogonProcess' function verifies that the application making the call is a logon process by checking that it holds the SeTcbPrivilege privilege. A failed call may indicate Rubeus trying to get a handle to LSA.

User Account Deleted

A user account has been deleted. This could be an indication of malicious activity.

Replay Attack Detected

Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client

Device Installation Blocked

Detects an installation of a device that is forbidden by the system policy

Webshell detected by Antivirus

The Windows Defender AntiVirus has detected a webshell on the system. This is an indication that an attacker gained access to your server and is trying to deploy a webshell on the web server.

OilRig APT Schedule Task Persistence - Security

Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report.