Rules Contributing to Suspicious Windows Logon Event Alerts
The following rules are used to identify suspicious Windows logon activity. Any one or more of them will trigger a Suspicious Windows Logon alert. The query, log source, rule source, author and references for each rule are listed with it in the table below.
Title | Description | Query | Log Source | Rule Source | Author | References
---|---|---|---|---|---|---
Remote WMI ActiveScriptEventConsumers | Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network. | `{'selection': {'EventID': 4624, 'LogonType': '3', 'ProcessName\|endswith': 'scrcons.exe'}, 'filter': {'TargetLogonId': '0x3e7'}, 'condition': 'selection and not filter'}` | Stellar Cyber Windows Server Sensor configured for: | SigmaHQ, 9599c180-e3a8-4743-8f92-7fb96d3be648 | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | N/A
RottenPotato Like Attack Pattern | Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like. | `{'selection': {'EventID': 4624, 'LogonType': '3', 'TargetUserName': 'ANONYMOUS LOGON', 'WorkstationName': '-', 'IpAddress': ['127.0.0.1', '::1']}, 'condition': 'selection'}` | Stellar Cyber Windows Server Sensor configured for: | SigmaHQ, 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f | @SBousseaden, Florian Roth | N/A
Successful Overpass the Hash Attempt | Detects a successful logon with logon type 9 (NewCredentials), which matches the Overpass the Hash behavior of e.g. Mimikatz's sekurlsa::pth module. | `{'selection': {'EventID': 4624, 'LogonType': '9', 'LogonProcessName': 'seclogo', 'AuthenticationPackageName': 'Negotiate'}, 'condition': 'selection'}` | Stellar Cyber Windows Server Sensor configured for: | SigmaHQ, 192a0330-c20b-4356-90b6-7b7049ae0b87 | Roberto Rodriguez (source), Dominik Schaudel (rule) | N/A
RottenPotato Logon | RottenPotato is an exploitation tool used to gain elevated privileges on Windows machines. A new Windows logon event that matches the attack vector used by RottenPotato is an indicator of compromise. | `{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4624}, 'selection3': {'UserName\|re': '(?:ANONYMOUS(_\| )LOGON)$'}, 'selection4': {'WorkstationName': '-'}, 'selection5': {'WorkstationName': ''}, 'selection6': {'SourceIp': '127.0.0.1'}, 'condition': 'selection1 and selection2 and selection3 and (selection4 or selection5) and selection6'}` | Stellar Cyber Windows Server Sensor configured. | Developed internally by Stellar Cyber | | N/A
DiagTrackEoP Default Login Username | Detects the default "UserName" used by the DiagTrackEoP PoC. | `{'selection': {'EventID': 4624, 'LogonType': '9', 'TargetOutboundUserName': 'thisisnotvaliduser'}, 'condition': 'selection'}` | Stellar Cyber Windows Server Sensor configured for: | SigmaHQ, 2111118f-7e46-4fc8-974a-59fd8ec95196 | Nasreddine Bencherchali (Nextron Systems) | N/A
Access Token Abuse | This rule tries to detect token impersonation and theft (for example DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag). | `{'selection': {'EventID': 4624, 'LogonType': '9', 'LogonProcessName': 'Advapi', 'AuthenticationPackageName': 'Negotiate', 'ImpersonationLevel': '%%1833'}, 'condition': 'selection'}` | Stellar Cyber Windows Server Sensor configured for: | SigmaHQ, 02f7c9c1-1ae8-4c6a-8add-04693807f92f | Michaela Adams, Zach Mathis | N/A
KrbRelayUp Attack Pattern | Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like. | `{'selection': {'EventID': 4624, 'LogonType': '3', 'AuthenticationPackageName': 'Kerberos', 'IpAddress': '127.0.0.1', 'TargetUserSid\|startswith': 'S-1-5-21-', 'TargetUserSid\|endswith': '-500'}, 'condition': 'selection'}` | Stellar Cyber Windows Server Sensor configured for: | SigmaHQ, 749c9f5e-b353-4b90-a9c1-05243357ca4b | @SBousseaden, Florian Roth | N/A
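To show how the selection/condition queries above actually evaluate against Event ID 4624 records, here is an added Python example (not Stellar Cyber's or SigmaHQ's code). It implements a minimal matcher for the subset of Sigma syntax the seven rules use (exact values, `startswith`, `endswith`, `re`, value lists as OR, and boolean condition strings with `and`/`or`/`not`/parentheses) and runs every rule over a handful of constructed logon events. The rule dictionaries are copied from the table; the event records, their values and the helper names (`match_rules`, `run_samples`) are assumptions made for this example.

```python
import ast
import re

# The seven rules from the table above, copied as written (selection dicts plus condition).
RULES = {
    "Remote WMI ActiveScriptEventConsumers": {
        'selection': {'EventID': 4624, 'LogonType': '3', 'ProcessName|endswith': 'scrcons.exe'},
        'filter': {'TargetLogonId': '0x3e7'}, 'condition': 'selection and not filter'},
    "RottenPotato Like Attack Pattern": {
        'selection': {'EventID': 4624, 'LogonType': '3', 'TargetUserName': 'ANONYMOUS LOGON',
                      'WorkstationName': '-', 'IpAddress': ['127.0.0.1', '::1']}, 'condition': 'selection'},
    "Successful Overpass the Hash Attempt": {
        'selection': {'EventID': 4624, 'LogonType': '9', 'LogonProcessName': 'seclogo',
                      'AuthenticationPackageName': 'Negotiate'}, 'condition': 'selection'},
    "RottenPotato Logon": {
        'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4624},
        'selection3': {'UserName|re': '(?:ANONYMOUS(_| )LOGON)$'}, 'selection4': {'WorkstationName': '-'},
        'selection5': {'WorkstationName': ''}, 'selection6': {'SourceIp': '127.0.0.1'},
        'condition': 'selection1 and selection2 and selection3 and (selection4 or selection5) and selection6'},
    "DiagTrackEoP Default Login Username": {
        'selection': {'EventID': 4624, 'LogonType': '9', 'TargetOutboundUserName': 'thisisnotvaliduser'},
        'condition': 'selection'},
    "Access Token Abuse": {
        'selection': {'EventID': 4624, 'LogonType': '9', 'LogonProcessName': 'Advapi',
                      'AuthenticationPackageName': 'Negotiate', 'ImpersonationLevel': '%%1833'},
        'condition': 'selection'},
    "KrbRelayUp Attack Pattern": {
        'selection': {'EventID': 4624, 'LogonType': '3', 'AuthenticationPackageName': 'Kerberos',
                      'IpAddress': '127.0.0.1', 'TargetUserSid|startswith': 'S-1-5-21-',
                      'TargetUserSid|endswith': '-500'}, 'condition': 'selection'},
}


def _field_matches(event, key, expected):
    """True if the event field satisfies one 'Field|modifier': value entry.
    Plain, startswith and endswith matches are case-insensitive as in Sigma; 're' is a raw regex."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:                       # field absent from the record: cannot match
        return False
    actual = str(actual)
    candidates = expected if isinstance(expected, list) else [expected]   # a list means OR
    for value in map(str, candidates):
        if modifier == "" and actual.lower() == value.lower():
            return True
        if modifier == "startswith" and actual.lower().startswith(value.lower()):
            return True
        if modifier == "endswith" and actual.lower().endswith(value.lower()):
            return True
        if modifier == "re" and re.search(value, actual):
            return True
        if modifier not in ("", "startswith", "endswith", "re"):
            raise ValueError(f"unsupported modifier: {modifier}")
    return False


def _eval_condition(condition, results):
    """Evaluate a condition string (and/or/not/parentheses over selection names) by walking
    its parsed AST; no eval(), so rule text can never execute code."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.BoolOp):
            values = [walk(v) for v in node.values]
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            return results[node.id]
        raise ValueError(f"unsupported condition syntax: {condition}")
    return walk(ast.parse(condition, mode="eval"))


def match_rules(event):
    """Names of all rules whose condition holds for this event, in table order."""
    hits = []
    for name, rule in RULES.items():
        # every key inside one selection must match (AND); the condition combines selections
        results = {sel: all(_field_matches(event, k, v) for k, v in spec.items())
                   for sel, spec in rule.items() if sel != "condition"}
        if _eval_condition(rule["condition"], results):
            hits.append(name)
    return hits


# Constructed 4624 records (not real log data). Field names follow the queries; the internal
# RottenPotato rule uses SubCategory/UserName/SourceIp, so the anonymous-logon event carries both spellings.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "127.0.0.1",
     "TargetUserName": "Administrator", "TargetUserSid": "S-1-5-21-1111-2222-3333-500"},    # loopback Kerberos, RID 500
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.25",
     "TargetUserName": "jdoe", "TargetUserSid": "S-1-5-21-1111-2222-3333-1105",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},                                   # ordinary network logon
    {"EventID": 4624, "LogonType": "3", "ProcessName": "C:\\Windows\\System32\\wbem\\scrcons.exe",
     "TargetLogonId": "0x5a3c2"},                                                           # scrcons.exe, non-SYSTEM
    {"EventID": 4624, "LogonType": "3", "ProcessName": "C:\\Windows\\System32\\wbem\\scrcons.exe",
     "TargetLogonId": "0x3e7"},                                                             # scrcons.exe, SYSTEM: filtered
    {"EventID": 4624, "LogonType": "3", "TargetUserName": "ANONYMOUS LOGON", "UserName": "ANONYMOUS LOGON",
     "WorkstationName": "-", "IpAddress": "127.0.0.1", "SourceIp": "127.0.0.1",
     "SubCategory": "Microsoft-Windows-Security-Auditing"},                                 # loopback anonymous logon
    {"EventID": 4624, "LogonType": "9", "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate"},                                             # NewCredentials via seclogo
]


def run_samples():
    """Rule hits per sample event, in SAMPLE_EVENTS order."""
    return [match_rules(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(event.get("TargetUserName", event.get("ProcessName", "?")), "->", hits or "no match")
```

Two points worth noting from the run: the `filter` selection is what keeps the Remote WMI rule quiet when the target logon is the SYSTEM session (`0x3e7`), and the two RottenPotato rules key on differently named fields (`TargetUserName`/`IpAddress` versus `UserName`/`SourceIp`), so a sensor that does not normalise both spellings will fire only one of them for the same event.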