Rules Contributing to Suspicious Access Attempt to Windows Object Alerts

The following rules are used to identify suspicious access attempts to Windows objects. Any one or more of them will trigger a Suspicious Access Attempt to Windows Object alert. Details for each rule can be viewed by clicking the More Details link in its description. Because these rules consume Windows Security object-access audit events, they can only fire on hosts where the relevant Audit Object Access subcategories (for example File System and Registry) are enabled and a SACL covers the object in question; without that auditing configuration no event is written and the rule stays silent.

Title: Sysmon Channel Reference Deletion
Description: Potential threat actor tampering with the Sysmon manifest, eventually disabling it.

Title: Suspicious Teams Application Related ObjectAccess Event
Description: Detects access to the authentication tokens and accounts of the Microsoft Teams desktop application.
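The two rule descriptions above say what is detected but not how a detection over object-access events looks in practice. The following is an added illustration, not the vendor's or SigmaHQ's rule logic: it sketches both rule ideas as predicates over constructed Windows Security event 4663 records ("An attempt was made to access an object"). The field names (EventID, ObjectType, ObjectName, AccessMask, ProcessName) follow the 4663 event schema; the Sysmon channel registry path, the Teams token storage paths and the Teams.exe exclusion are assumptions chosen for the example, and the sample events are hand-written, not real log data.

```python
"""Illustrative detection over Windows Security object-access events.

Added example: this is not the vendor's or SigmaHQ's rule logic, only a
sketch of the two rule ideas evaluated against constructed 4663 records.
"""

# Object-name fragments assumed for illustration (not taken from the page).
SYSMON_CHANNEL_KEY = r"\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational"
TEAMS_TOKEN_PATHS = (
    r"\Microsoft\Teams\Cookies",
    r"\Microsoft\Teams\Local Storage\leveldb",
)
# Access-right bits from the Windows ACCESS_MASK (winnt.h).
DELETE = 0x00010000
FILE_READ_DATA = 0x00000001


def _access_mask(event):
    """4663 carries AccessMask as a hex string such as '0x10000'."""
    return int(event.get("AccessMask", "0x0"), 16)


def sysmon_channel_tamper(event):
    """Delete access requested on the registry key that registers the
    Sysmon event channel: removing it leaves Sysmon events undeliverable."""
    return (
        event.get("EventID") == 4663
        and event.get("ObjectType") == "Key"
        and SYSMON_CHANNEL_KEY.lower() in event.get("ObjectName", "").lower()
        and _access_mask(event) & DELETE != 0
    )


def teams_token_access(event):
    """Read access to Teams token/cookie storage by a process other than
    Teams itself (Teams.exe reading its own store is expected behaviour)."""
    name = event.get("ObjectName", "").lower()
    proc = event.get("ProcessName", "").lower()
    return (
        event.get("EventID") == 4663
        and event.get("ObjectType") == "File"
        and any(p.lower() in name for p in TEAMS_TOKEN_PATHS)
        and _access_mask(event) & FILE_READ_DATA != 0
        and not proc.endswith(r"\teams.exe")
    )


RULES = {
    "Sysmon Channel Reference Deletion": sysmon_channel_tamper,
    "Suspicious Teams Application Related ObjectAccess Event": teams_token_access,
}


def evaluate(events):
    """Return (rule title, RecordId) for every event that matches a rule."""
    return [
        (title, ev["RecordId"])
        for ev in events
        for title, match in RULES.items()
        if match(ev)
    ]


# Constructed sample events (hand-written, not real log data).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4663, "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                   r"\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational",
     "AccessMask": "0x10000", "ProcessName": r"C:\Windows\System32\reg.exe"},
    {"RecordId": 2, "EventID": 4663, "ObjectType": "File",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies",
     "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"RecordId": 3, "EventID": 4663, "ObjectType": "File",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies",
     "AccessMask": "0x1",
     "ProcessName": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    {"RecordId": 4, "EventID": 4663, "ObjectType": "File",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt",
     "AccessMask": "0x1", "ProcessName": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for title, record in evaluate(SAMPLE_EVENTS):
        print(f"{title}: RecordId {record}")
```

Running the script reports record 1 (reg.exe requesting DELETE on the Sysmon channel key) and record 2 (PowerShell reading the Teams cookie store); record 3 is the same file read by Teams.exe and is excluded, and record 4 is an unrelated file read. In a real pipeline the exclusion for Teams.exe would be tightened to a signed, expected install path, since any process can be renamed to match.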