Rules Contributing to Suspicious Handle Request to Sensitive Object Alerts

The following rules are used to identify suspicious activity with Handle Requests to Sensitive Objects. Any one or more of these will trigger a Suspicious Handle Request to Sensitive Object Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Password Dumper Activity on LSASS

Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN

More details

Rule ID

windows_security_146

Query

{'selection': {'EventID': 4656, 'ProcessName|endswith': '\\lsass.exe', 'AccessMask': '0x705', 'ObjectType': 'SAM_DOMAIN'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c

Author: sigma

Tactics, Techniques, and Procedures

T1003.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2017/02/12	high	Unknown

SAM Registry Hive Handle Request

Detects handles requested to SAM registry hive

More details

Rule ID

windows_security_147

Query

{'selection': {'EventID': 4656, 'ObjectType': 'Key', 'ObjectName|endswith': '\\SAM'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events

Rule Source

SigmaHQ,f8748f2c-89dc-4d95-afb0-5a2dfdbad332

Author: Roberto Rodriguez @Cyb3rWard0g

Tactics, Techniques, and Procedures

T1012, T1552.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/08/12	high	Unknown