Rules Contributing to Suspicious Access Attempt to Windows Object Alerts
The following rules are used to identify suspicious activity with access attempt to Windows objects. Any one or more of these will trigger Suspicious Access Attempt to Windows Object Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
SysKey Registry Keys Access |
Detects handle requests and access operations to specific registry keys to calculate the SysKey More details
Rule IDQuery{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName|endswith': ['\\Lsa\\JD', '\\Lsa\\GBG', '\\Lsa\\Skew1', '\\Lsa\\Data']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9a4ff3b8-6187-4fd2-8e8b-e0eae1129495 Author: Roberto Rodriguez @Cyb3rWard0g Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Sysmon Channel Reference Deletion |
Potential threat actor tampering with Sysmon manifest and eventually disabling it More details
Rule IDQuery{'selection1': {'EventID': 4657, 'ObjectName|contains': ['WINEVT\\Publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}', 'WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational'], 'ObjectValueName': 'Enabled', 'NewValue': '0'}, 'selection2': {'EventID': 4663, 'ObjectName|contains': ['WINEVT\\Publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}', 'WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational'], 'AccessMask': '0x10000'}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Teams Application Related ObjectAcess Event |
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. More details
Rule IDQuery{'selection': {'EventID': 4663, 'ObjectName|contains': ['\\Microsoft\\Teams\\Cookies', '\\Microsoft\\Teams\\Local Storage\\leveldb']}, 'filter': {'ProcessName|contains': '\\Microsoft\\Teams\\current\\Teams.exe'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,25cde13e-8e20-4c29-b949-4e795b76f16f Author: @SerkinValery Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Processes Accessing the Microphone and Webcam |
Potential adversaries accessing the microphone and webcam in an endpoint. More details
Rule IDQuery{'selection': {'EventID': [4657, 4656, 4663], 'ObjectName|contains': ['\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged', '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8cd538a4-62d5-4e83-810b-12d41e428d6e Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
Microsoft Entra Health Service Agents Registry Keys Access |
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys. More details
Rule IDQuery{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent'}, 'filter': {'ProcessName|contains': ['Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe', 'Microsoft.Identity.Health.Adfs.InsightsService.exe', 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe', 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe', 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe']}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1d2ab8ac-1a01-423b-9c39-001510eae8e8 Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
Microsoft Entra Health Monitoring Agent Registry Keys Access |
This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. More details
Rule IDQuery{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent'}, 'filter': {'ProcessName|contains': ['Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe', 'Microsoft.Identity.Health.Adfs.InsightsService.exe', 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe', 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe', 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe']}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ff151c33-45fa-475d-af4f-c2f93571f4fe Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
WCE wceaux.dll Access |
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host More details
Rule IDQuery{'selection': {'EventID': [4656, 4658, 4660, 4663], 'ObjectName|endswith': '\\wceaux.dll'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1de68c67-af5c-4097-9c85-fe5578e09e67 Author: Thomas Patzke Tactics, Techniques, and ProceduresReferencesSeverity90 Suppression Logic Based On
Additional Information
|
||||||||
Secure Deletion with SDelete |
Detects renaming of file while deletion with SDelete tool. More details
Rule IDQuery{'selection': {'EventID': [4656, 4663, 4658], 'ObjectName|endswith': ['.AAA', '.ZZZ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,39a80702-d7ca-4a83-b776-525b1f86a36d Author: Thomas Patzke Tactics, Techniques, and ProceduresTA0005, T1070.004, T1027.005, T1553.002, TA0040, T1485 ReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
Windows Defender Exclusion Set |
Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender More details
Rule IDQuery{'selection': {'EventID': [4657, 4656, 4660, 4663], 'ObjectName|contains': '\\Microsoft\\Windows Defender\\Exclusions\\'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d Author: @BarryShooshooga, Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|