Rules Contributing to Potentially Malicious Windows Event Alerts

SysKey Registry Keys Access

Detects handle requests and access operations to specific registry keys to calculate the SysKey

Rule ID

windows_security_2

Query

{'selection': {'EventID': [4656, 4663], 'ObjectType': 'key', 'ObjectName|endswith': ['lsa\\JD', 'lsa\\GBG', 'lsa\\Skew1', 'lsa\\Data']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,9a4ff3b8-6187-4fd2-8e8b-e0eae1129495

Author: Roberto Rodriguez @Cyb3rWard0g

Tactics, Techniques, and Procedures

T1012

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/08/12	high	Unknown

ETW Logging Disabled In .NET Processes - Registry

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

More details

Rule ID

windows_security_3

Query

{'selection_etw_enabled': {'EventID': 4657, 'ObjectName|endswith': '\\SOFTWARE\\Microsoft\\.NETFramework', 'ObjectValueName': 'ETWEnabled', 'NewValue': '0'}, 'selection_complus': {'EventID': 4657, 'ObjectName|contains': '\\Environment', 'ObjectValueName': ['COMPlus_ETWEnabled', 'COMPlus_ETWFlags'], 'NewValue': '0'}, 'condition': '1 of selection_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,a4c90ea1-2634-4ca0-adbb-35eae169b6fc

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Tactics, Techniques, and Procedures

T1112, T1562

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/06/05	high	Unknown

NetNTLM Downgrade Attack

Detects NetNTLM downgrade attack

More details

Rule ID

windows_security_4

Query

{'selection': {'EventID': 4657, 'ObjectName|contains|all': ['\\REGISTRY\\MACHINE\\SYSTEM', 'ControlSet', '\\Control\\Lsa'], 'ObjectValueName': ['LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
Requirements: Audit Policy : Object Access > Audit Registry (Success)

Rule Source

SigmaHQ,d3abac66-f11c-4ed0-8acb-50cc29c97eed

Author: Florian Roth (Nextron Systems), wagga

Tactics, Techniques, and Procedures

T1112, T1562.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2018/03/20	high	Unknown

Windows Defender Discarded Signature

Dynamic Signature Service signature of Windows Defender has been discarded. This may be due to an attacker or a user disabling a security feature that can led the computer exposed to malware and other threats.

More details

Rule ID

windows_security_5

Query

{'selection2': {'EventID': 2013}, 'condition': 'selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1562.006

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

PetitPotam Suspicious Kerberos TGT Request

Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.

More details

Rule ID

windows_security_7

Query

{'selection': {'EventID': 4768, 'TargetUserName|endswith': '$', 'CertThumbprint|contains': '*'}, 'filter_local': {'IpAddress': '::1'}, 'filter_thumbprint': {'CertThumbprint': ''}, 'condition': 'selection and not 1 of filter_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The advanced audit policy setting "Account Logon > Kerberos Authentication Service" must be configured for Success/Failure

Rule Source

SigmaHQ,6a53d871-682d-40b6-83e0-b7c1a6c4e3a5

Author: Mauricio Velazco, Michael Haag

Tactics, Techniques, and Procedures

T1187

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/09/02	high	False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.

Potential LSASS Clone Creation via PssCaptureSnapShot

Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.

More details

Rule ID

windows_security_11

Query

{'selection1': {'EventID': 4688}, 'selection2': {'Image': '?:\\Windows\\System32\\lsass.exe'}, 'selection3': {'ParentImage': '?:\\Windows\\System32\\lsass.exe'}, 'condition': 'selection1 and selection2 and selection3'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0006, T1003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2021/11/27	high	N/A

Register new Logon Process by Rubeus

Detects potential use of Rubeus via registered new trusted logon process

More details

Rule ID

windows_security_16

Query

{'selection': {'EventID': 4611, 'LogonProcessName': 'User32LogonProcesss'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,12e6d621-194f-4f59-90cc-1959e21e69f7

Author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community

Tactics, Techniques, and Procedures

T1558.003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/10/24	high	Unknown

DPAPI Domain Master Key Backup Attempt

Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

More details

Rule ID

windows_security_18

Query

{'selection': {'EventID': 4692}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,39a94fd1-8c9a-4ff6-bf22-c058762f8014

Author: Roberto Rodriguez @Cyb3rWard0g

Tactics, Techniques, and Procedures

T1003.004

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/08/10	medium	If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event.

Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

More details

Rule ID

windows_security_21

Query

{'selection': {'EventID': 4625, 'TargetUserName': 'AAAAAAA'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,8400629e-79a9-4737-b387-5db940ab2367

Author: Florian Roth (Nextron Systems), Adam Bradbury (idea)

Tactics, Techniques, and Procedures

T1210

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/06/02	high	Unlikely

Security Event Log Cleared

Checks for event id 1102 which indicates the security event log was cleared.

More details

Rule ID

windows_security_22

Query

{'selection': {'EventID': 1102, 'Provider_Name': 'Microsoft-Windows-Eventlog'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,a122ac13-daf8-4175-83a2-72c387be339d

Author: Saw Winn Naung

Tactics, Techniques, and Procedures

T1070.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/08/15	medium	Legitimate administrative activity

Suspicious Scheduled Task Update

Detects update to a scheduled task event that contain suspicious keywords.

More details

Rule ID

windows_security_23

Query

{'selection_eid': {'EventID': 4702}, 'selection_paths': {'TaskContentNew|contains': ['\\AppData\\Local\\Temp\\', '\\AppData\\Roaming\\', '\\Users\\Public\\', '\\WINDOWS\\Temp\\', 'C:\\Temp\\', '\\Desktop\\', '\\Downloads\\', '\\Temporary Internet', 'C:\\ProgramData\\', 'C:\\Perflogs\\']}, 'selection_commands': {'TaskContentNew|contains': ['regsvr32', 'rundll32', 'cmd.exe</Command>', 'cmd</Command>', '<Arguments>/c ', '<Arguments>/k ', '<Arguments>/r ', 'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'certutil', 'bitsadmin', 'bash.exe', 'bash ', 'scrcons', 'wmic ', 'wmic.exe', 'forfiles', 'scriptrunner', 'hh.exe']}, 'condition': 'all of selection_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.

Rule Source

SigmaHQ,614cf376-6651-47c4-9dcc-6b9527f749f4

Author: Nasreddine Bencherchali (Nextron Systems)

Tactics, Techniques, and Procedures

T1053.005

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/12/05	high	Unknown

Windows Defender Disabled

Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.

More details

Rule ID

windows_security_28

Query

{'selection2': {'EventID': 5001}, 'condition': 'selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1562

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

ADCS Certificate Template Configuration Vulnerability

Detects certificate creation with template allowing risk permission subject

More details

Rule ID

windows_security_29

Query

{'selection1': {'EventID': 4898, 'TemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'selection2': {'EventID': 4899, 'NewTemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'condition': 'selection1 or selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag.

Rule Source

SigmaHQ,5ee3a654-372f-11ec-8d3d-0242ac130003

Author: Orlinum , BlueDefenZer

Tactics, Techniques, and Procedures

T1068

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/11/17	low	Administrator activity Proxy SSL certificate with subject modification Smart card enrollement

Network Activity From msxsl

Msxsl allows you to perform command line Extensible Stylesheet Language (XSL) transformations. If the msxsl utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables.

More details

Rule ID

windows_security_30

Query

{'selection2': {'EventID': 3}, 'selection3': {'ProcessName|contains': '\\msxsl.exe'}, 'condition': 'selection2 and selection3'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1218

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

Potential Credential Access via LSASS Memory Dump

Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.

More details

Rule ID

windows_security_36

Query

{'selection1': {'EventID': 10}, 'selection2': {'TargetImage': '?:\\WINDOWS\\system32\\lsass.exe'}, 'selection3': {'CallTrace': ['*dbghelp*', '*dbgcore*']}, 'selection4': {'Image': ['?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\System32\\WerFaultSecure.exe']}, 'condition': 'selection1 and selection2 and selection3 and (not selection4)'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0006, T1003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2021/10/07	high	N/A

Addition of Domain Trusts

Addition of domains is seldom and should be verified for legitimacy.

More details

Rule ID

windows_security_38

Query

{'selection': {'EventID': 4706}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,0255a820-e564-4e40-af2b-6ac61160335c

Author: Thomas Patzke

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
stable	2019/12/03	medium	Legitimate extension of domain structure

User Added to Local Administrators

This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity

More details

Rule ID

windows_security_40

Query

{'selection': {'EventID': 4732}, 'selection_group1': {'TargetUserName|startswith': 'Administr'}, 'selection_group2': {'TargetSid': 'S-1-5-32-544'}, 'filter': {'SubjectUserName|endswith': '$'}, 'condition': 'selection and (1 of selection_group*) and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,c265cf08-3f99-46c1-8d59-328247057d57

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1078, T1098

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
stable	2017/03/14	medium	Legitimate administrative activity

Sensitive Privilege SeEnableDelegationPrivilege assigned to a User

Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.

More details

Rule ID

windows_security_41

Query

{'selection1': {'EventID': 4704}, 'selection2': {'PrivilegeList': 'SeEnableDelegationPrivilege'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1212

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2022/01/27	high	N/A

Suspicious Computer Account Name Change CVE-2021-42287

Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

More details

Rule ID

windows_security_44

Query

{'selection': {'EventID': 4781, 'OldTargetUserName|contains': '$'}, 'filter': {'NewTargetUserName|contains': '$'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,45eb2ae2-9aa2-4c3a-99a5-6e5077655466

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1078

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/12/22	high	Unknown

Suspicious Remote Logon with Explicit Credentials

Detects suspicious processes logging on with explicit credentials

More details

Rule ID

windows_security_45

Query

{'selection': {'EventID': 4648, 'ProcessName|endswith': ['\\cmd.exe', '\\powershell.exe', '\\pwsh.exe', '\\winrs.exe', '\\wmic.exe', '\\net.exe', '\\net1.exe', '\\reg.exe']}, 'filter1': {'TargetServerName': 'localhost'}, 'filter2': {'SubjectUserName|endswith': '$', 'TargetUserName|endswith': '$'}, 'condition': 'selection and not 1 of filter*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,941e5c45-cda7-4864-8cea-bbb7458d194a

Author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton

Tactics, Techniques, and Procedures

T1078

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2020/10/05	medium	Administrators that use the RunAS command or scheduled tasks

The Password Hash of an Account was Accessed

The Password Hash of an Account was Accessed. This could be an indication of malicious activity.

More details

Rule ID

windows_security_46

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4782}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

Processes Accessing the Microphone and Webcam

Potential adversaries accessing the microphone and webcam in an endpoint.

More details

Rule ID

windows_security_48

Query

{'selection': {'EventID': [4657, 4656, 4663], 'ObjectName|contains': ['\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged', '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,8cd538a4-62d5-4e83-810b-12d41e428d6e

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Tactics, Techniques, and Procedures

T1123

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/06/07	medium	Unknown

Defrag Deactivation - Security

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

More details

Rule ID

windows_security_49

Query

{'selection': {'EventID': 4701, 'TaskName': '\\Microsoft\\Windows\\Defrag\\ScheduledDefrag'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
Requirements: Audit Policy : Audit Other Object Access Events > Success

Rule Source

SigmaHQ,c5a178bf-9cfb-4340-b584-e4df39b6a3e7

Author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)

Tactics, Techniques, and Procedures

T1053

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/03/04	medium	Unknown

Azure AD Health Service Agents Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.

More details

Rule ID

windows_security_54

Query

{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent'}, 'filter': {'ProcessName|contains': ['Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe', 'Microsoft.Identity.Health.Adfs.InsightsService.exe', 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe', 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe', 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe']}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,1d2ab8ac-1a01-423b-9c39-001510eae8e8

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC

Tactics, Techniques, and Procedures

T1012

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/08/26	medium	Unknown

Password Protected ZIP File Opened (Email Attachment)

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

More details

Rule ID

windows_security_59

Query

{'selection': {'EventID': 5379, 'TargetName|contains|all': ['Microsoft_Windows_Shell_ZipFolder:filename', '\\Temporary Internet Files\\Content.Outlook']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,571498c8-908e-40b4-910b-d2369159a3da

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1212

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/05/09	high	Legitimate used of encrypted ZIP files

AD Privileged Users or Groups Reconnaissance

Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs

More details

Rule ID

windows_security_62

Query

{'selection': {'EventID': 4661, 'ObjectType': ['SAM_USER', 'SAM_GROUP']}, 'selection_object': [{'ObjectName|endswith': ['-512', '-502', '-500', '-505', '-519', '-520', '-544', '-551', '-555']}, {'ObjectName|contains': 'admin'}], 'filter': {'SubjectUserName|endswith': '$'}, 'condition': 'selection and selection_object and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
Requirements: enable Object Access SAM on your Domain Controllers

Rule Source

SigmaHQ,35ba1d85-724d-42a3-889f-2e2362bcaf23

Author: Samir Bousseaden

Tactics, Techniques, and Procedures

T1087.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2019/04/03	high	If source account name is not an admin then its super suspicious

Password Protected ZIP File Opened (Suspicious Filenames)

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

More details

Rule ID

windows_security_63

Query

{'selection': {'EventID': 5379, 'TargetName|contains': 'Microsoft_Windows_Shell_ZipFolder:filename'}, 'selection_filename': {'TargetName|contains': ['invoice', 'new order', 'rechnung', 'factura', 'delivery', 'purchase', 'order', 'payment']}, 'condition': 'selection and selection_filename'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,54f0434b-726f-48a1-b2aa-067df14516e4

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1212

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/05/09	high	Legitimate used of encrypted ZIP files

Network Activity From MSBuild

MSBuild is a powerful tool used to compile and package code. If the MSBuild utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. Malicious executables can even run inside of MSBuild with little indication it is doing so.

More details

Rule ID

windows_security_64

Query

{'selection2': {'EventID': 3}, 'selection3': {'ProcessName|contains': '\\MSBuild.exe'}, 'condition': 'selection2 and selection3'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1127

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

Unexpected Network Activity from Microsoft Tool

A Microsoft tool was executed with suspicious network connection activity. This could be an indication of malicious activity.

More details

Rule ID

windows_security_66

Query

{'selection2': {'EventID': 3}, 'selection3': {'ProcessName|re': '\\\\(?:bginfo|rcsi|control|odbcconf)\\.exe'}, 'condition': 'selection2 and selection3'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1218

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

Potential LSASS Memory Dump via PssCaptureSnapShot

Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.

More details

Rule ID

windows_security_68

Query

{'selection1': {'EventID': 10}, 'selection2': {'TargetImage': 'C:\\Windows\\system32\\lsass.exe'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0006, T1003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2021/10/14	high	N/A

Azure AD Health Monitoring Agent Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

More details

Rule ID

windows_security_70

Query

{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent'}, 'filter': {'ProcessName|contains': ['Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe', 'Microsoft.Identity.Health.Adfs.InsightsService.exe', 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe', 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe', 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe']}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,ff151c33-45fa-475d-af4f-c2f93571f4fe

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC

Tactics, Techniques, and Procedures

T1012

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/08/26	medium	Unknown

Network Activity From mshta

Mshta is the Microsoft HTML Application Host and allows the execution of .hta files. If the mshta utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables.

More details

Rule ID

windows_security_75

Query

{'selection2': {'EventID': 3}, 'selection3': {'ProcessName|contains': '\\mshta.exe'}, 'condition': 'selection2 and selection3'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1218.005

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

Potential Credential Access via DuplicateHandle in LSASS

Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.

More details

Rule ID

windows_security_78

Query

{'selection1': {'EventID': 10}, 'selection2': {'ProcessName': 'lsass.exe'}, 'selection3': {'GrantedAccess': '0x40'}, 'selection4': {'CallTrace': '*UNKNOWN*'}, 'condition': 'selection1 and selection2 and selection3 and selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0006, T1003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2021/09/27	medium	N/A

Security Eventlog Cleared

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

More details

Rule ID

windows_security_82

Query

{'selection_517': {'EventID': 517, 'Provider_Name': 'Security'}, 'selection_1102': {'EventID': 1102, 'Provider_Name': 'Microsoft-Windows-Eventlog'}, 'condition': '1 of selection_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,d99b79d2-0a6f-4f46-ad8b-260b6e17f982

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1070.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2017/01/10	high	Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) System provisioning (system reset before the golden image creation)

Operation Wocao Activity - Security

Detects activity mentioned in Operation Wocao report

More details

Rule ID

windows_security_83

Query

{'selection': {'EventID': 4799, 'TargetUserName|startswith': 'Administr', 'CallerProcessName|endswith': '\\checkadmin.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,74ad4314-482e-4c3e-b237-3f7ed3b9ca8d

Author: Florian Roth (Nextron Systems), frack113

Tactics, Techniques, and Procedures

T1012, T1027, T1036.004, T1053.005, T1059.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/12/20	high	Administrators that use checkadmin.exe tool to enumerate local administrators

Kerberos Manipulation

This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages

More details

Rule ID

windows_security_84

Query

{'selection': {'EventID': [675, 4768, 4769, 4771], 'FailureCode': ['0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,f7644214-0eb0-4ace-9455-331ec4c09253

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1212

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2017/02/10	high	Faulty legacy applications

Windows Login Default Point Of Sale Credentials

Windows has reported a login from a user with the default username used by a Point of Sale system. These are well known and are often used as the targets of brute force attacks leading to unauthorized access of the payment infrastructure.

More details

Rule ID

windows_security_85

Query

{'selection2': {'EventID': 4625}, 'selection3': {'SourceUserName': "'aloha'"}, 'selection4': {'SourceUserName': "'micros'"}, 'selection5': {'SourceUserName': "'posi'"}, 'selection6': {'SourceUserName': "'support'"}, 'selection7': {'SourceUserName': "'ddpos'"}, 'selection8': {'SourceUserName': "'term1'"}, 'selection9': {'SourceUserName': "'pos'"}, 'selection10': {'SourceUserName': "'pos2'"}, 'condition': 'selection2 and (selection3 or selection4 or selection5 or selection6 or selection7 or selection8 or selection9 or selection10)'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1110

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

SCM Database Privileged Operation

Detects non-system users performing privileged operation os the SCM database

More details

Rule ID

windows_security_86

Query

{'selection': {'EventID': 4674, 'ObjectType': 'SC_MANAGER OBJECT', 'ObjectName': 'servicesactive', 'PrivilegeList': 'SeTakeOwnershipPrivilege'}, 'filter': {'SubjectLogonId': '0x3e4', 'ProcessName|endswith': ':\\Windows\\System32\\services.exe'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,dae8171c-5ec6-4396-b210-8466585b53e9

Author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton

Tactics, Techniques, and Procedures

T1548

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/08/15	medium	Unknown

Reconnaissance Activity

Detects activity as "net user administrator /domain" and "net group domain admins /domain"

More details

Rule ID

windows_security_88

Query

{'selection': {'EventID': 4661, 'AccessMask': '0x2d', 'ObjectType': ['SAM_USER', 'SAM_GROUP'], 'ObjectName|startswith': 'S-1-5-21-', 'ObjectName|endswith': ['-500', '-512']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems

Rule Source

SigmaHQ,968eef52-9cff-4454-8992-1e74b9cbad6c

Author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community

Tactics, Techniques, and Procedures

T1069.002, T1087.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2017/03/07	high	Administrator activity

Kerberos Policy was Changed

The Kerberos policy was changed. This could be an indication of malicious activity.

More details

Rule ID

windows_security_89

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4713}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

Network Activity From verclsid

Verclsid allows you to validate shell extensions before they are instantiated by the Windows shell or Windows Explorer. If the verclsid utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables.

More details

Rule ID

windows_security_91

Query

{'selection2': {'EventID': 3}, 'selection3': {'ProcessName|contains': '\\verclsid.exe'}, 'condition': 'selection2 and selection3'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Monitoring process creation

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1218

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

Hacking Tool detected by Antivirus

The Windows Defender AntiVirus has detected a hacking tool in the system. This is an indication that an attacker has access to your system and is trying to install tools to gain persistence, compromise other systems, etc.

More details

Rule ID

windows_security_92

Query

{'selection2': {'EventID': 1116}, 'selection3': {'MalwareFamily|re': '(?:hacktool|meterpreter|metasploit|powersploit|cobalt|mimikatz|wpdump|htool|wce)'}, 'selection4': {'FileName': ''}, 'selection5': {'MalwareFamily': ''}, 'condition': 'selection2 and selection3 and not selection4 and not selection5'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1518

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

WCE wceaux.dll Access

Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host

More details

Rule ID

windows_security_93

Query

{'selection': {'EventID': [4656, 4658, 4660, 4663], 'ObjectName|endswith': '\\wceaux.dll'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,1de68c67-af5c-4097-9c85-fe5578e09e67

Author: Thomas Patzke

Tactics, Techniques, and Procedures

T1003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2017/06/14	critical	Unknown

Important Scheduled Task Deleted/Disabled

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

More details

Rule ID

windows_security_95

Query

{'selection': {'EventID': [4699, 4701], 'TaskName|contains': ['\\Windows\\SystemRestore\\SR', '\\Windows\\Windows Defender\\', '\\Windows\\BitLocker', '\\Windows\\WindowsBackup\\', '\\Windows\\WindowsUpdate\\', '\\Windows\\UpdateOrchestrator\\Schedule', '\\Windows\\ExploitGuard']}, 'filter_sys_username': {'EventID': 4699, 'SubjectUserName|endswith': '$', 'TaskName|contains': '\\Windows\\Windows Defender\\'}, 'condition': 'selection and not 1 of filter_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.

Rule Source

SigmaHQ,7595ba94-cf3b-4471-aa03-4f6baa9e5fad

Author: Nasreddine Bencherchali (Nextron Systems)

Tactics, Techniques, and Procedures

T1053.005

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/12/05	high	Unknown

Account Tampering - Suspicious Failed Logon Reasons

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

More details

Rule ID

windows_security_97

Query

{'selection': {'EventID': [4625, 4776], 'Status': ['0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B']}, 'filter': {'SubjectUserSid': 'S-1-0-0'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,9eb99343-d336-4020-a3cd-67f3819e68ee

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1078

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2017/02/19	medium	User using a disabled account

Encrypted Data Recovery Policy was Changed

The Encrypted Data policy was changed. This could be an indication of malicious activity.

More details

Rule ID

windows_security_99

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4714}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

Suspicious LSASS Access via MalSecLogon

Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.

More details

Rule ID

windows_security_100

Query

{'selection1': {'EventID': 10}, 'selection2': {'TargetImage': '?:\\WINDOWS\\system32\\lsass.exe'}, 'selection3': {'CallTrace': '*seclogon.dll*'}, 'selection4': {'ProcessName': 'svchost.exe'}, 'selection5': {'GrantedAccess': '0x14c0'}, 'condition': 'selection1 and selection2 and selection3 and selection4 and selection5'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0006, T1003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2022/06/29	high	N/A

Secure Deletion with SDelete

Detects renaming of file while deletion with SDelete tool.

More details

Rule ID

windows_security_101

Query

{'selection': {'EventID': [4656, 4663, 4658], 'ObjectName|endswith': ['.AAA', '.ZZZ']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,39a80702-d7ca-4a83-b776-525b1f86a36d

Author: Thomas Patzke

Tactics, Techniques, and Procedures

T1027.005, T1070.004, T1485, T1553.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2017/06/14	medium	Legitimate usage of SDelete

ADCS Certificate Template Configuration Vulnerability with Risky EKU

Detects certificate creation with template allowing risk permission subject and risky EKU

More details

Rule ID

windows_security_104

Query

{'selection10': {'EventID': 4898, 'TemplateContent|contains': ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0']}, 'selection11': {'TemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'selection20': {'EventID': 4899, 'NewTemplateContent|contains': ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0']}, 'selection21': {'NewTemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'condition': '(selection10 and selection11) or (selection20 and selection21)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag with risky EKU.

Rule Source

SigmaHQ,bfbd3291-de87-4b7c-88a2-d6a5deb28668

Author: Orlinum , BlueDefenZer

Tactics, Techniques, and Procedures

T1068

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/11/17	high	Administrator activity Proxy SSL certificate with subject modification Smart card enrollement

KRBTGT Delegation Backdoor

Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.

More details

Rule ID

windows_security_109

Query

{'selection1': {'EventID': 4738}, 'selection2': {'AllowedToDelegateTo': '*krbtgt*'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, TA0006, T1098, T1558

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2022/01/27	high	N/A

Windows Defender Exclusion Set

Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender

More details

Rule ID

windows_security_111

Query

{'selection': {'EventID': [4657, 4656, 4660, 4663], 'ObjectName|contains': '\\Microsoft\\Windows Defender\\Exclusions\\'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User

Rule Source

SigmaHQ,e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d

Author: @BarryShooshooga

Tactics, Techniques, and Procedures

T1562.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/10/26	high	Intended inclusions by administrator

Password Change on Directory Service Restore Mode (DSRM) Account

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

More details

Rule ID

windows_security_112

Query

{'selection': {'EventID': 4794}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,53ad8e36-f573-46bf-97e4-15ba5bf4bb51

Author: Thomas Patzke

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
stable	2017/02/19	high	Initial installation of a domain controller

Hacktool Ruler

This events that are generated when using the hacktool Ruler by Sensepost

More details

Rule ID

windows_security_113

Query

{'selection1': {'EventID': 4776, 'Workstation': 'RULER'}, 'selection2': {'EventID': [4624, 4625], 'WorkstationName': 'RULER'}, 'condition': '(1 of selection*)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,24549159-ac1b-479c-8175-d42aea947cae

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1059, T1087, T1114, T1550.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2017/05/31	high	Go utilities that use staaldraad awesome NTLM library

Suspicious Scheduled Task Creation

Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.

More details

Rule ID

windows_security_115

Query

{'selection_eid': {'EventID': 4698}, 'selection_paths': {'TaskContent|contains': ['\\AppData\\Local\\Temp\\', '\\AppData\\Roaming\\', '\\Users\\Public\\', '\\WINDOWS\\Temp\\', 'C:\\Temp\\', '\\Desktop\\', '\\Downloads\\', '\\Temporary Internet', 'C:\\ProgramData\\', 'C:\\Perflogs\\']}, 'selection_commands': {'TaskContent|contains': ['regsvr32', 'rundll32', 'cmd.exe</Command>', 'cmd</Command>', '<Arguments>/c ', '<Arguments>/k ', '<Arguments>/r ', 'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'certutil', 'bitsadmin', 'bash.exe', 'bash ', 'scrcons', 'wmic ', 'wmic.exe', 'forfiles', 'scriptrunner', 'hh.exe']}, 'condition': 'all of selection_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.

Rule Source

SigmaHQ,3a734d25-df5c-4b99-8034-af1ddb5883a4

Author: Nasreddine Bencherchali (Nextron Systems)

Tactics, Techniques, and Procedures

T1053.005

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/12/05	high	Unknown

User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'

The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.

More details

Rule ID

windows_security_116

Query

{'selection': {'EventID': 4673, 'Service': 'LsaRegisterLogonProcess()', 'Keywords': '0x8010000000000000'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,6daac7fc-77d1-449a-a71a-e6b4d59a0e54

Author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community

Tactics, Techniques, and Procedures

T1558.003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/10/24	high	Unknown

User Account Deleted

A user account has been deleted. This could be an indication of malicious activity.

More details

Rule ID

windows_security_118

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4726}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

Replay Attack Detected

Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client

More details

Rule ID

windows_security_124

Query

{'selection': {'EventID': 4649}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,5a44727c-3b85-4713-8c44-4401d5499629

Author: frack113

Tactics, Techniques, and Procedures

T1550

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/10/14	high	Unknown

Device Installation Blocked

Detects an installation of a device that is forbidden by the system policy

More details

Rule ID

windows_security_130

Query

{'selection': {'EventID': 6423}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,c9eb55c3-b468-40ab-9089-db2862e42137

Author: frack113

Tactics, Techniques, and Procedures

T1200

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/10/14	medium	Unknown

Webshell detected by Antivirus

The Windows Defender AntiVirus has detected a webshell in the system. This is an indication that an attacker gained access to your server and he is trying to deploy a webshell in the webserver.

More details

Rule ID

windows_security_131

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Windows Defender'}, 'selection2': {'EventID': 1116}, 'selection3': {'MalwareFamily|contains': 'webshell'}, 'selection4': {'MalwareFamily|contains': 'chopper'}, 'selection5': {'MalwareFamily|re': '(?:PHP|JSP|ASP) [\\/]Backdoor'}, 'selection6': {'MalwareFamily|re': 'Backdoor[.:](?:PHP|JSP|ASP)'}, 'condition': 'selection1 and selection2 and (selection3 or selection4 or selection5 or selection6)'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1505.003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2022/05/01	medium	N/A

OilRig APT Schedule Task Persistence - Security

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

More details

Rule ID

windows_security_132

Query

{'selection_service': {'EventID': 4698, 'TaskName': ['SC Scheduled Scan', 'UpdatMachine']}, 'condition': 'selection_service'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,c0580559-a6bd-4ef6-b9b7-83703d98b561

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Tactics, Techniques, and Procedures

T1053.005, T1071.004, T1112, T1543.003

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2018/03/23	critical	Unlikely