Rules Contributing to Potentially Malicious Windows Event Alerts

The following rules are used to identify suspicious activity with Windows events. This is a generic rule name. Any one or more of these will trigger Potentially Malicious Windows Event Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

ETW Logging Disabled In .NET Processes - Registry

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

NetNTLM Downgrade Attack

Detects NetNTLM downgrade attack

Windows Defender Discarded Signature

Dynamic Signature Service signature of Windows Defender has been discarded. This may be due to an attacker or a user disabling a security feature that can led the computer exposed to malware and other threats.

PetitPotam Suspicious Kerberos TGT Request

Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.

DPAPI Domain Master Key Backup Attempt

Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Suspicious Scheduled Task Update

Detects update to a scheduled task event that contain suspicious keywords.

Windows Defender Disabled

Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.

ADCS Certificate Template Configuration Vulnerability

Detects certificate creation with template allowing risk permission subject

Addition of Domain Trusts

Addition of domains is seldom and should be verified for legitimacy.

User Added to Local Administrators

This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity

Sensitive Privilege SeEnableDelegationPrivilege assigned to a User

Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.

Suspicious Computer Account Name Change CVE-2021-42287

Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

Suspicious Remote Logon with Explicit Credentials

Detects suspicious processes logging on with explicit credentials

The Password Hash of an Account was Accessed

The Password Hash of an Account was Accessed. This could be an indication of malicious activity.

Processes Accessing the Microphone and Webcam

Potential adversaries accessing the microphone and webcam in an endpoint.

Defrag Deactivation - Security

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Password Protected ZIP File Opened (Email Attachment)

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

AD Privileged Users or Groups Reconnaissance

Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs

Password Protected ZIP File Opened (Suspicious Filenames)

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Operation Wocao Activity - Security

Detects activity mentioned in Operation Wocao report

Kerberos Manipulation

This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages

Windows Login Default Point Of Sale Credentials

Windows has reported a login from a user with the default username used by a Point of Sale system. These are well known and are often used as the targets of brute force attacks leading to unauthorized access of the payment infrastructure.

SCM Database Privileged Operation

Detects non-system users performing privileged operation os the SCM database

Reconnaissance Activity

Detects activity as "net user administrator /domain" and "net group domain admins /domain"

Kerberos Policy was Changed

The Kerberos policy was changed. This could be an indication of malicious activity.

Hacking Tool detected by Antivirus

The Windows Defender AntiVirus has detected a hacking tool in the system. This is an indication that an attacker has access to your system and is trying to install tools to gain persistence, compromise other systems, etc.

WCE wceaux.dll Access

Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host

Important Scheduled Task Deleted/Disabled

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

Account Tampering - Suspicious Failed Logon Reasons

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Encrypted Data Recovery Policy was Changed

The Encrypted Data policy was changed. This could be an indication of malicious activity.

Secure Deletion with SDelete

Detects renaming of file while deletion with SDelete tool.

ADCS Certificate Template Configuration Vulnerability with Risky EKU

Detects certificate creation with template allowing risk permission subject and risky EKU

KRBTGT Delegation Backdoor

Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.

Windows Defender Exclusion Set

Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender

Password Change on Directory Service Restore Mode (DSRM) Account

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

Hacktool Ruler

This events that are generated when using the hacktool Ruler by Sensepost

Suspicious Scheduled Task Creation

Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.

User Account Deleted

A user account has been deleted. This could be an indication of malicious activity.

Replay Attack Detected

Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client

Device Installation Blocked

Detects an installation of a device that is forbidden by the system policy

Webshell detected by Antivirus

The Windows Defender AntiVirus has detected a webshell in the system. This is an indication that an attacker gained access to your server and he is trying to deploy a webshell in the webserver.

OilRig APT Schedule Task Persistence - Security

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Windows Privilege Escalation through Security Group Modification

This rule detects request for privilege escalation by modifying windows security group