Rules Contributing to Suspicious Handle Request to Sensitive Object Alerts
The following rules identify suspicious handle requests to sensitive Windows objects. Any one or more of them firing will raise a Suspicious Handle Request to Sensitive Object alert. The details of each rule (source, author, severity and detection query) are listed below.
All rules use the Stellar Cyber Windows Server Sensor as their log source.

Title | Description | Rule source | Author | Tactics, techniques and procedures | Severity
---|---|---|---|---|---
SysKey Registry Keys Access | Detects handle requests and access operations to the specific registry keys used to calculate the SysKey. | SigmaHQ, 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495 | Roberto Rodriguez (@Cyb3rWard0g) | | 75
Processes Accessing the Microphone and Webcam | Detects potential adversary access to the microphone and webcam on an endpoint. | SigmaHQ, 8cd538a4-62d5-4e83-810b-12d41e428d6e | Roberto Rodriguez (@Cyb3rWard0g), OTR (Open Threat Research) | | 50
Microsoft Entra Health Service Agents Registry Keys Access | Uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra Health service agents (e.g. AD FS). Information from AD Health service agents can be used to abuse some of the features those services provide in the cloud (e.g. federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the securable object HKLM:\SOFTWARE\Microsoft\ADHealthAgent; set the SACL to propagate to its sub-keys. | SigmaHQ, 1d2ab8ac-1a01-423b-9c39-001510eae8e8 | Roberto Rodriguez (@Cyb3rWard0g), OTR (Open Threat Research), MSTIC | | 50
Microsoft Entra Health Monitoring Agent Registry Keys Access | Uses Windows security events to detect suspicious access attempts to the registry key of the Microsoft Entra Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. | SigmaHQ, ff151c33-45fa-475d-af4f-c2f93571f4fe | Roberto Rodriguez (@Cyb3rWard0g), OTR (Open Threat Research), MSTIC | | 50
WCE wceaux.dll Access | Detects access to wceaux.dll during WCE pass-the-hash remote command execution on the source host. | SigmaHQ, 1de68c67-af5c-4097-9c85-fe5578e09e67 | Thomas Patzke | | 90
Secure Deletion with SDelete | Detects the renaming of a file during deletion with the SDelete tool. | SigmaHQ, 39a80702-d7ca-4a83-b776-525b1f86a36d | Thomas Patzke | T1027.005, T1070.004, T1485, T1553.002 | 50
Windows Defender Exclusion Set | Detects a Windows Defender exclusion being added in the registry, which an adversary would do to bypass Windows Defender antivirus scanning. | SigmaHQ, e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d | @BarryShooshooga, Nasreddine Bencherchali (Nextron Systems) | | 75
Password Dumper Activity on LSASS | Detects a process handle on the LSASS process with access mask 0x705 and object type SAM_DOMAIN. | SigmaHQ, aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c | sigma | | 75
SAM Registry Hive Handle Request | Detects handle requests to the SAM registry hive. | SigmaHQ, f8748f2c-89dc-4d95-afb0-5a2dfdbad332 | Roberto Rodriguez (@Cyb3rWard0g) | | 75

Detection queries for each rule (Sigma selection and condition, as shipped):

SysKey Registry Keys Access

```
{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName|endswith': ['\\Lsa\\JD', '\\Lsa\\GBG', '\\Lsa\\Skew1', '\\Lsa\\Data']}, 'condition': 'selection'}
```

Processes Accessing the Microphone and Webcam

```
{'selection': {'EventID': [4657, 4656, 4663], 'ObjectName|contains': ['\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged', '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged']}, 'condition': 'selection'}
```

Microsoft Entra Health Service Agents Registry Keys Access

```
{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent'}, 'filter': {'ProcessName|contains': ['Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe', 'Microsoft.Identity.Health.Adfs.InsightsService.exe', 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe', 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe', 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe']}, 'condition': 'selection and not filter'}
```

Microsoft Entra Health Monitoring Agent Registry Keys Access

```
{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent'}, 'filter': {'ProcessName|contains': ['Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe', 'Microsoft.Identity.Health.Adfs.InsightsService.exe', 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe', 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe', 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe']}, 'condition': 'selection and not filter'}
```

WCE wceaux.dll Access

```
{'selection': {'EventID': [4656, 4658, 4660, 4663], 'ObjectName|endswith': '\\wceaux.dll'}, 'condition': 'selection'}
```

Secure Deletion with SDelete

```
{'selection': {'EventID': [4656, 4663, 4658], 'ObjectName|endswith': ['.AAA', '.ZZZ']}, 'condition': 'selection'}
```

Windows Defender Exclusion Set

```
{'selection': {'EventID': [4657, 4656, 4660, 4663], 'ObjectName|contains': '\\Microsoft\\Windows Defender\\Exclusions\\'}, 'condition': 'selection'}
```

Password Dumper Activity on LSASS

```
{'selection': {'EventID': 4656, 'ProcessName|endswith': '\\lsass.exe', 'AccessMask': '0x705', 'ObjectType': 'SAM_DOMAIN'}, 'condition': 'selection'}
```

SAM Registry Hive Handle Request

```
{'selection': {'EventID': 4656, 'ObjectType': 'Key', 'ObjectName|endswith': '\\SAM'}, 'condition': 'selection'}
```
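To show how the selections above are evaluated against Windows Security events, here is an added example (not Stellar Cyber's or SigmaHQ's code) of a minimal Sigma-style matcher covering the modifiers and conditions these rules use, run over constructed 4656/4663 events; it demonstrates why a legitimate Entra Health agent binary is suppressed by the filter block while the same key access by another process alerts.

```python
# Added example (not Stellar Cyber's or SigmaHQ's code): a minimal evaluator for
# the Sigma-style selections listed on this page. It handles the modifiers the
# rules use (plain equality, |endswith, |contains), list values (match any) and
# the conditions "selection" and "selection and not filter"; Sigma matching is
# case-insensitive. Queries are copied from the page; the events are constructed.
RULES = {
    "SysKey Registry Keys Access": {
        "selection": {"EventID": [4656, 4663], "ObjectType": "Key",
                      "ObjectName|endswith": ["\\Lsa\\JD", "\\Lsa\\GBG",
                                              "\\Lsa\\Skew1", "\\Lsa\\Data"]},
        "condition": "selection"},
    "Microsoft Entra Health Service Agents Registry Keys Access": {
        "selection": {"EventID": [4656, 4663], "ObjectType": "Key",
                      "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent"},
        # The page's filter lists five legitimate agent binaries; two are shown here.
        "filter": {"ProcessName|contains": [
            "Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe",
            "Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe"]},
        "condition": "selection and not filter"},
}

def field_matches(spec, expected, event):
    """Evaluate one 'Field|modifier': value(s) pair; a list matches on any value."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()  # missing field never matches
    for value in (expected if isinstance(expected, list) else [expected]):
        value = str(value).lower()
        if ((modifier == "" and actual == value)
                or (modifier == "endswith" and actual.endswith(value))
                or (modifier == "contains" and value in actual)):
            return True
    return False

def rule_matches(rule, event):
    hit = all(field_matches(k, v, event) for k, v in rule["selection"].items())
    if rule["condition"] == "selection and not filter":
        return hit and not all(field_matches(k, v, event) for k, v in rule["filter"].items())
    return hit  # condition is plain "selection"

def matching_rules(event):
    return [name for name, rule in RULES.items() if rule_matches(rule, event)]

# Constructed sample events: SysKey read by reg.exe, the ADHealthAgent key read
# by a legitimate agent (filtered out) and by PowerShell (alerts).
EVENTS = [
    {"EventID": 4656, "ObjectType": "Key", "ProcessName": "C:\\Windows\\System32\\reg.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\JD"},
    {"EventID": 4663, "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent",
     "ProcessName": "C:\\Agent\\Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe"},
    {"EventID": 4663, "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent",
     "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]
```

Running `matching_rules` over `EVENTS` returns the SysKey rule for the first event, nothing for the second, and the Entra Health rule for the third.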