Rules Contributing to Suspicious Access Attempt to Windows Object Alerts
The following rules are used to identify suspicious access attempts to Windows objects. Any one or more of them will trigger a Suspicious Access Attempt to Windows Object alert. The details for each rule are listed below the summary table.

| Title | Description |
|---|---|
| Sysmon Channel Reference Deletion | Potential threat actor tampering with the Sysmon manifest, eventually disabling it |
| Suspicious Teams Application Related Object Access Event | Detects access to the authentication tokens and accounts of the Microsoft Teams desktop application |

Sysmon Channel Reference Deletion

Rule ID: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc

Query:

```yaml
detection:
  selection1:
    EventID: 4657
    ObjectName|contains:
      - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
      - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
    ObjectValueName: 'Enabled'
    NewValue: '0'
  selection2:
    EventID: 4663
    ObjectName|contains:
      - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
      - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
    AccessMask: '0x10000'
  condition: 1 of selection*
```

Log Source: Stellar Cyber Windows Server Sensor configured for:

Rule Source: SigmaHQ

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Tactics, Techniques, and Procedures: (none listed)

References: N/A

Additional Information: (none listed)

Suspicious Teams Application Related Object Access Event

Rule ID: 25cde13e-8e20-4c29-b949-4e795b76f16f

Query:

```yaml
detection:
  selection:
    EventID: 4663
    ObjectName|contains:
      - '\Microsoft\Teams\Cookies'
      - '\Microsoft\Teams\Local Storage\leveldb'
  filter:
    ProcessName|contains: '\Microsoft\Teams\current\Teams.exe'
  condition: selection and not filter
```

Log Source: Stellar Cyber Windows Server Sensor configured for:

Rule Source: SigmaHQ

Author: @SerkinValery

Tactics, Techniques, and Procedures: (none listed)

References: N/A

Additional Information: (none listed)
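As an added example (not Stellar Cyber's or SigmaHQ's code), the two detections above evaluated over constructed Security-log events: it implements only the `|contains` modifier and the two condition forms these rules use, with case-insensitive matching as Sigma specifies, and shows the Teams rule's filter suppressing the Teams.exe process's own access while flagging another process reading the same files. The event field values, user name and paths are constructed.

```python
# Added example (not Stellar Cyber's or SigmaHQ's code): a minimal evaluator for the two
# Sigma detections on this page, run over constructed Windows Security event records.
SYSMON_PROVIDER = "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"   # Sysmon ETW provider GUID, from the rule
SYSMON_OBJECTS = ["WINEVT\\Publishers\\" + SYSMON_PROVIDER,
                  "WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational"]
SYSMON_CHANNEL_REFERENCE_DELETION = {                          # SigmaHQ 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
    "selection1": {"EventID": 4657, "ObjectName|contains": SYSMON_OBJECTS,
                   "ObjectValueName": "Enabled", "NewValue": "0"},
    "selection2": {"EventID": 4663, "ObjectName|contains": SYSMON_OBJECTS, "AccessMask": "0x10000"},
    "condition": "1 of selection*",
}
TEAMS_OBJECT_ACCESS = {                                        # SigmaHQ 25cde13e-8e20-4c29-b949-4e795b76f16f
    "selection": {"EventID": 4663, "ObjectName|contains": ["\\Microsoft\\Teams\\Cookies",
                                                           "\\Microsoft\\Teams\\Local Storage\\leveldb"]},
    "filter": {"ProcessName|contains": "\\Microsoft\\Teams\\current\\Teams.exe"},
    "condition": "selection and not filter",
}

def _field_matches(event, key, expected):
    """One Sigma field test: plain equality or the '|contains' modifier, case-insensitive as in Sigma."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    wanted = [str(w).lower() for w in (expected if isinstance(expected, list) else [expected])]
    return any(w in value for w in wanted) if modifier == "contains" else value in wanted

def _selection_matches(event, selection):
    return all(_field_matches(event, k, v) for k, v in selection.items())

def evaluate(rule, event):
    """True when the event satisfies the rule; supports the two condition forms used on this page."""
    hits = {n: _selection_matches(event, s) for n, s in rule.items() if n != "condition"}
    if rule["condition"] == "1 of selection*":
        return any(v for n, v in hits.items() if n.startswith("selection"))
    if rule["condition"] == "selection and not filter":
        return hits["selection"] and not hits["filter"]
    raise ValueError("unsupported condition: " + rule["condition"])

# Constructed sample events (not real telemetry); field names follow Security log events 4657/4663.
EVENTS = [
    {"EventID": 4657, "ObjectValueName": "Enabled", "NewValue": "0",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                   "\\WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational"},
    {"EventID": 4663, "ObjectName": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Cookies",
     "ProcessName": "C:\\Windows\\System32\\notepad.exe"},                                    # should fire
    {"EventID": 4663, "ObjectName": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Cookies",
     "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"},  # filtered out
]

def run(events=EVENTS):
    """Return, for each event in order, the names of the rules that fire on it."""
    rules = {"Sysmon Channel Reference Deletion": SYSMON_CHANNEL_REFERENCE_DELETION,
             "Suspicious Teams Application Related Object Access Event": TEAMS_OBJECT_ACCESS}
    return [[name for name, r in rules.items() if evaluate(r, e)] for e in events]
```

Calling `run()` on the constructed events yields one Sysmon hit, one Teams hit, and no alert for the filtered Teams.exe access.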