Rules Contributing to Suspicious Windows Logon Event Alerts

The following rules are used to identify suspicious Windows logon activities. Any one or more of these will trigger Suspicious Windows Logon Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Hacktool Ruler

This events that are generated when using the hacktool Ruler by Sensepost

Rule ID

windows_security_113

Query

{'selection1': {'EventID': 4776, 'Workstation': 'RULER'}, 'selection2': {'EventID': [4624, 4625], 'WorkstationName': 'RULER'}, 'condition': '(1 of selection*)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

Rule Source

SigmaHQ,24549159-ac1b-479c-8175-d42aea947cae

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1059, T1087, T1114, T1550.002

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2017/05/31 high

  • Go utilities that use staaldraad awesome NTLM library

Remote WMI ActiveScriptEventConsumers

Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network

Rule ID

windows_security_134

Query

{'selection': {'EventID': 4624, 'LogonType': '3', 'ProcessName|endswith': 'scrcons.exe'}, 'filter': {'TargetLogonId': '0x3e7'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

Rule Source

SigmaHQ,9599c180-e3a8-4743-8f92-7fb96d3be648

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Tactics, Techniques, and Procedures

T1546.003

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2020/09/02 high

  • SCCM

RottenPotato Like Attack Pattern

Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like

Rule ID

windows_security_136

Query

{'selection': {'EventID': 4624, 'LogonType': '3', 'TargetUserName|re': '(?:ANONYMOUS(_| )LOGON)$', 'WorkstationName': ['-', ''], 'IpAddress': ['127.0.0.1', '::1']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

Rule Source

SigmaHQ,16f5d8ca-44bd-47c8-acbe-6fc95a16c12f

Author: @SBousseaden, Florian Roth

Tactics, Techniques, and Procedures

T1068

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2019/11/15 high

  • Unknown

Successful Overpass the Hash Attempt

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.

Rule ID

windows_security_138

Query

{'selection': {'EventID': 4624, 'LogonType': '9', 'LogonProcessName': 'seclogo', 'AuthenticationPackageName': 'Negotiate'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

Rule Source

SigmaHQ,192a0330-c20b-4356-90b6-7b7049ae0b87

Author: Roberto Rodriguez (source), Dominik Schaudel (rule)

Tactics, Techniques, and Procedures

T1550.002

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2018/02/12 high

  • Runas command-line tool using /netonly parameter

DiagTrackEoP Default Login Username

Detects the default "UserName" used by the DiagTrackEoP POC

Rule ID

windows_security_140

Query

{'selection': {'EventID': 4624, 'LogonType': '9', 'TargetOutboundUserName': 'thisisnotvaliduser'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

Rule Source

SigmaHQ,2111118f-7e46-4fc8-974a-59fd8ec95196

Author: Nasreddine Bencherchali (Nextron Systems)

Tactics, Techniques, and Procedures

T1078

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/08/03 critical

  • Unlikely

Access Token Abuse

This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)

Rule ID

windows_security_142

Query

{'selection': {'EventID': 4624, 'LogonType': '9', 'LogonProcessName': 'Advapi', 'AuthenticationPackageName': 'Negotiate', 'ImpersonationLevel': '%%1833'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

Rule Source

SigmaHQ,02f7c9c1-1ae8-4c6a-8add-04693807f92f

Author: Michaela Adams, Zach Mathis

Tactics, Techniques, and Procedures

T1134.001

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/11/06 medium

  • Anti-Virus

KrbRelayUp Attack Pattern

Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like

Rule ID

windows_security_143

Query

{'selection1': {'EventID': 4624, 'LogonType': '3', 'AuthenticationPackageName': 'Kerberos', 'TargetUserSid|startswith': 'S-1-5-21-', 'TargetUserSid|endswith': '-500'}, 'selection2': {'IpAddress': ['::1', '127.0.0.1']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

Rule Source

SigmaHQ,749c9f5e-b353-4b90-a9c1-05243357ca4b

Author: @SBousseaden, Florian Roth

Tactics, Techniques, and Procedures

T1550

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/04/27 high

  • Unknown