Rules Contributing to Suspicious Access Attempt to Windows Object Alerts

The following rules are used to identify suspicious activity with access attempt to Windows objects. Any one or more of these will trigger Suspicious Access Attempt to Windows Object Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

SysKey Registry Keys Access

Detects handle requests and access operations to specific registry keys to calculate the SysKey

Sysmon Channel Reference Deletion

Potential threat actor tampering with Sysmon manifest and eventually disabling it

Suspicious Teams Application Related ObjectAcess Event

Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.

Processes Accessing the Microphone and Webcam

Potential adversaries accessing the microphone and webcam in an endpoint.

Microsoft Entra Health Service Agents Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.

Microsoft Entra Health Monitoring Agent Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

WCE wceaux.dll Access

Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host

Secure Deletion with SDelete

Detects renaming of file while deletion with SDelete tool.

Windows Defender Exclusion Set

Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender