Rules Contributing to Suspicious Handle Request to Sensitive Object Alerts
The following rules are used to identify suspicious activity with Handle Requests to Sensitive Objects. Any one or more of these will trigger a Suspicious Handle Request to Sensitive Object Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title | Description | Rule ID | Query | Log Source | Rule Source | Author | Tactics, Techniques, and Procedures | References | Additional Information
---|---|---|---|---|---|---|---|---|---
Password Dumper Activity on LSASS | Detects a process handle request on the LSASS process with a specific access mask and object type SAM_DOMAIN | | `{'selection': {'EventID': 4656, 'ProcessName\|endswith': '\\lsass.exe', 'AccessMask': '0x705', 'ObjectType': 'SAM_DOMAIN'}, 'condition': 'selection'}` | Stellar Cyber Windows Server Sensor configured for: | SigmaHQ, aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c | sigma | | N/A |
SAM Registry Hive Handle Request | Detects handles requested to the SAM registry hive | | `{'selection': {'EventID': 4656, 'ObjectType': 'Key', 'ObjectName\|endswith': '\\SAM'}, 'condition': 'selection'}` | Stellar Cyber Windows Server Sensor configured for: | SigmaHQ, f8748f2c-89dc-4d95-afb0-5a2dfdbad332 | Roberto Rodriguez @Cyb3rWard0g | | N/A |
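As an added illustration (not Stellar Cyber's or SigmaHQ's code), the following Python evaluates the two selections above against constructed Windows Security event 4656 records, implementing the plain-equality and `|endswith` matching the rules rely on. The sample events, field names and the `run_rules` helper are assumptions made for the demo; note that a handle to a subkey below `\SAM` does not match an `endswith` test for `\SAM`.

```python
"""Evaluate the two Sigma-style selections from this page against constructed
event 4656 records (added example; not Stellar Cyber's or SigmaHQ's code)."""

# Selections exactly as given on the page.
LSASS_SAM_DOMAIN = {'EventID': 4656, 'ProcessName|endswith': '\\lsass.exe',
                    'AccessMask': '0x705', 'ObjectType': 'SAM_DOMAIN'}
SAM_HIVE = {'EventID': 4656, 'ObjectType': 'Key', 'ObjectName|endswith': '\\SAM'}

RULES = {'Password Dumper Activity on LSASS': LSASS_SAM_DOMAIN,
         'SAM Registry Hive Handle Request': SAM_HIVE}


def field_matches(event, key, expected):
    """Apply one selection entry: plain equality or the Sigma '|endswith'
    modifier. Sigma string matching is case-insensitive, so compare lower-cased."""
    field, _, modifier = key.partition('|')
    value = event.get(field)
    if value is None:
        return False
    if modifier == '':
        return str(value).lower() == str(expected).lower()
    if modifier == 'endswith':
        return str(value).lower().endswith(str(expected).lower())
    raise ValueError(f'unsupported modifier: {modifier}')


def selection_matches(event, selection):
    # A Sigma selection map is an AND of all its entries.
    return all(field_matches(event, k, v) for k, v in selection.items())


def run_rules(events):
    """Return, per event, the list of rule titles whose selection matches."""
    return [[title for title, sel in RULES.items() if selection_matches(e, sel)]
            for e in events]


# Constructed sample events (not real telemetry); assumed field names.
EVENTS = [
    {'EventID': 4656, 'ProcessName': 'C:\\Windows\\System32\\lsass.exe',
     'AccessMask': '0x705', 'ObjectType': 'SAM_DOMAIN', 'ObjectName': 'CORP'},
    {'EventID': 4656, 'ObjectType': 'Key', 'ObjectName': '\\REGISTRY\\MACHINE\\SAM',
     'ProcessName': 'C:\\Windows\\System32\\reg.exe', 'AccessMask': '0x20019'},
    {'EventID': 4656, 'ObjectType': 'Key', 'AccessMask': '0x1',  # subkey: no match
     'ObjectName': '\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains'},
    {'EventID': 4663, 'ProcessName': 'C:\\Windows\\System32\\lsass.exe',  # wrong ID
     'AccessMask': '0x705', 'ObjectType': 'SAM_DOMAIN'},
]

if __name__ == '__main__':
    for ev, hits in zip(EVENTS, run_rules(EVENTS)):
        print(ev['EventID'], ev.get('ObjectType'), '->', hits or 'no match')
```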