Rules Contributing to Suspicious Handle Request to Sensitive Object Alerts

The following rules identify suspicious activity involving handle requests to sensitive Windows objects (registry keys, hives and processes). Any one or more of them firing will raise a Suspicious Handle Request to Sensitive Object alert. Details for each rule can be viewed by clicking the More Details link in its description.

Title: SysKey Registry Keys Access
Description: Detects handle requests and access operations to the specific registry keys used to calculate the SysKey (the boot key that protects the SAM database). Reading these keys is a prerequisite for offline credential extraction.

Title: Processes Accessing the Microphone and Webcam
Description: Detects processes accessing the microphone and webcam on an endpoint, which may indicate an adversary collecting audio or video.

Title: Microsoft Entra Health Service Agents Registry Keys Access
Description: This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra Health service agents (e.g., AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g., Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys; without the audit ACE no 4656/4663 events are generated and the rule cannot fire.

Title: Microsoft Entra Health Monitoring Agent Registry Keys Access
Description: This detection uses Windows security events to detect suspicious access attempts to the registry key of the Microsoft Entra Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

Title: WCE wceaux.dll Access
Description: Detects access to wceaux.dll on the source host during WCE (Windows Credentials Editor) pass-the-hash remote command execution.

Title: Secure Deletion with SDelete
Description: Detects the file renaming that the SDelete tool performs while securely deleting a file.

Title: Windows Defender Exclusion Set
Description: Detects a Windows Defender exclusion being added in the registry, which an adversary may use to exempt a path, process or extension from Windows Defender antivirus scanning.

Title: Password Dumper Activity on LSASS
Description: Detects a process handle to the LSASS process with a specific access mask and the object type SAM_DOMAIN, a pattern characteristic of password-dumping tools.

Title: SAM Registry Hive Handle Request
Description: Detects handle requests to the SAM registry hive.
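The two Microsoft Entra Health rules above only work if the registry keys they watch carry an audit ACE in their SACL and object-access auditing for the registry is turned on. The following PowerShell, added here as an example and not part of the original page or of any Microsoft product, applies such an audit ACE to both keys (propagating to sub-keys) and then lists the resulting 4656/4663 events so you can confirm the telemetry is flowing. The choice of the "Everyone" principal, Success-only auditing and ReadKey rights are assumptions; adjust them to your own audit policy. Run it from an elevated session.

```powershell
# Added example (not from the original page): enable the SACL auditing that the
# Microsoft Entra Health registry detections require, then verify events appear.
# Assumptions: audit principal "Everyone", Success auditing, ReadKey rights.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\ADHealthAgent',
    'HKLM:\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'
)

# 1. A SACL entry produces nothing unless the "Registry" object-access
#    audit subcategory is enabled.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Warning "Key not present, skipping: $key"
        continue
    }

    # Read the existing SACL so the new entry is added, not substituted.
    $acl = Get-Acl -Path $key -Audit

    # ContainerInherit + PropagationFlags None = the ACE applies to this key
    # and is inherited by every sub-key, which the rule description requires.
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success
    )
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
    Write-Host "Audit ACE added on $key (inherited by sub-keys)"
}

# 2. Verify: show handle-request (4656) and access (4663) events for these keys
#    from the last hour. In both events' EventData, ObjectName is the 7th
#    property (index 6) and ProcessName is the last string property.
$filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -match 'ADHealthAgent|MonitoringAgent' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Object';  e = { $_.Properties[6].Value } },
        @{ n = 'Process'; e = { ($_.Properties | Where-Object { $_.Value -like '*.exe' } | Select-Object -Last 1).Value } } |
    Format-Table -AutoSize
```

If the final table stays empty after you open the key in regedit, check `auditpol.exe /get /subcategory:"Registry"` first: a correctly placed ACE with the subcategory disabled is the most common reason these two rules never fire.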