Rules Contributing to Potentially Malicious Windows Event Alerts

The following rules are used to identify suspicious activity with Windows Events. This is a generic rule name. Any one or more of these will trigger Potentially Malicious Windows Event Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

ETW Logging Disabled In .NET Processes - Registry

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Rule ID

windows_security_3

Query

{'selection_etw_enabled': {'EventID': 4657, 'ObjectName|endswith': '\\SOFTWARE\\Microsoft\\.NETFramework', 'ObjectValueName': 'ETWEnabled', 'NewValue': '0'}, 'selection_complus': {'EventID': 4657, 'ObjectName|contains': '\\Environment', 'ObjectValueName': ['COMPlus_ETWEnabled', 'COMPlus_ETWFlags'], 'NewValue': '0'}, 'condition': '1 of selection_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,a4c90ea1-2634-4ca0-adbb-35eae169b6fc

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Tactics, Techniques, and Procedures

T1112, T1562

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2020/06/05 high

  • Unknown

NetNTLM Downgrade Attack

Detects NetNTLM downgrade attack

Rule ID

windows_security_4

Query

{'selection': {'EventID': 4657, 'ObjectName|contains|all': ['\\REGISTRY\\MACHINE\\SYSTEM', 'ControlSet', '\\Control\\Lsa'], 'ObjectValueName': ['LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

  • Requirements: Audit Policy : Object Access > Audit Registry (Success)

Rule Source

SigmaHQ,d3abac66-f11c-4ed0-8acb-50cc29c97eed

Author: Florian Roth (Nextron Systems), wagga

Tactics, Techniques, and Procedures

T1112, T1562.001

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2018/03/20 high

  • Unknown

Windows Defender Discarded Signature

Dynamic Signature Service signature of Windows Defender has been discarded. This may be due to an attacker or a user disabling a security feature that can led the computer exposed to malware and other threats.

Rule ID

windows_security_5

Query

{'selection2': {'EventID': 2013}, 'condition': 'selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1562.006

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

PetitPotam Suspicious Kerberos TGT Request

Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.

Rule ID

windows_security_7

Query

{'selection': {'EventID': 4768, 'TargetUserName|endswith': '$', 'CertThumbprint|contains': '*'}, 'filter_local': {'IpAddress': '::1'}, 'filter_thumbprint': {'CertThumbprint': ''}, 'condition': 'selection and not 1 of filter_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

  • The advanced audit policy setting "Account Logon > Kerberos Authentication Service" must be configured for Success/Failure

Rule Source

SigmaHQ,6a53d871-682d-40b6-83e0-b7c1a6c4e3a5

Author: Mauricio Velazco, Michael Haag

Tactics, Techniques, and Procedures

T1187

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2021/09/02 high

  • False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.

DPAPI Domain Master Key Backup Attempt

Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

Rule ID

windows_security_18

Query

{'selection': {'EventID': 4692}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,39a94fd1-8c9a-4ff6-bf22-c058762f8014

Author: Roberto Rodriguez @Cyb3rWard0g

Tactics, Techniques, and Procedures

T1003.004

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2019/08/10 medium

  • If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event.

Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Rule ID

windows_security_21

Query

{'selection': {'EventID': 4625, 'TargetUserName': 'AAAAAAA'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,8400629e-79a9-4737-b387-5db940ab2367

Author: Florian Roth (Nextron Systems), Adam Bradbury (idea)

Tactics, Techniques, and Procedures

T1210

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2019/06/02 high

  • Unlikely

Suspicious Scheduled Task Update

Detects update to a scheduled task event that contain suspicious keywords.

Rule ID

windows_security_23

Query

{'selection_eid': {'EventID': 4702}, 'selection_paths': {'TaskContentNew|contains': ['\\AppData\\Local\\Temp\\', '\\AppData\\Roaming\\', '\\Users\\Public\\', '\\WINDOWS\\Temp\\', 'C:\\Temp\\', '\\Desktop\\', '\\Downloads\\', '\\Temporary Internet', 'C:\\ProgramData\\', 'C:\\Perflogs\\']}, 'selection_commands': {'TaskContentNew|contains': ['regsvr32', 'rundll32', 'cmd.exe</Command>', 'cmd</Command>', '<Arguments>/c ', '<Arguments>/k ', '<Arguments>/r ', 'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'certutil', 'bitsadmin', 'bash.exe', 'bash ', 'scrcons', 'wmic ', 'wmic.exe', 'forfiles', 'scriptrunner', 'hh.exe']}, 'condition': 'all of selection_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

  • The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.

Rule Source

SigmaHQ,614cf376-6651-47c4-9dcc-6b9527f749f4

Author: Nasreddine Bencherchali (Nextron Systems)

Tactics, Techniques, and Procedures

T1053.005

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/12/05 high

  • Unknown

Windows Defender Disabled

Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.

Rule ID

windows_security_28

Query

{'selection2': {'EventID': 5001}, 'condition': 'selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1562

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

ADCS Certificate Template Configuration Vulnerability

Detects certificate creation with template allowing risk permission subject

Rule ID

windows_security_29

Query

{'selection1': {'EventID': 4898, 'TemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'selection2': {'EventID': 4899, 'NewTemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'condition': 'selection1 or selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

  • Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag.

Rule Source

SigmaHQ,5ee3a654-372f-11ec-8d3d-0242ac130003

Author: Orlinum , BlueDefenZer

Tactics, Techniques, and Procedures

T1068

References

N/A

Severity

25

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2021/11/17 low

  • Administrator activity

  • Proxy SSL certificate with subject modification

  • Smart card enrollement

Addition of Domain Trusts

Addition of domains is seldom and should be verified for legitimacy.

Rule ID

windows_security_38

Query

{'selection': {'EventID': 4706}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,0255a820-e564-4e40-af2b-6ac61160335c

Author: Thomas Patzke

Tactics, Techniques, and Procedures

T1098

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
stable 2019/12/03 medium

  • Legitimate extension of domain structure

User Added to Local Administrators

This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity

Rule ID

windows_security_40

Query

{'selection': {'EventID': 4732}, 'selection_group1': {'TargetUserName|startswith': 'Administr'}, 'selection_group2': {'TargetSid': 'S-1-5-32-544'}, 'filter': {'SubjectUserName|endswith': '$'}, 'condition': 'selection and (1 of selection_group*) and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,c265cf08-3f99-46c1-8d59-328247057d57

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1078, T1098

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
stable 2017/03/14 medium

  • Legitimate administrative activity

Sensitive Privilege SeEnableDelegationPrivilege assigned to a User

Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.

Rule ID

windows_security_41

Query

{'selection1': {'EventID': 4704}, 'selection2': {'PrivilegeList': 'SeEnableDelegationPrivilege'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1212

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022/01/27 high N/A

Suspicious Computer Account Name Change CVE-2021-42287

Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

Rule ID

windows_security_44

Query

{'selection': {'EventID': 4781, 'OldTargetUserName|contains': '$'}, 'filter': {'NewTargetUserName|contains': '$'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,45eb2ae2-9aa2-4c3a-99a5-6e5077655466

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1078

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2021/12/22 high

  • Unknown

Suspicious Remote Logon with Explicit Credentials

Detects suspicious processes logging on with explicit credentials

Rule ID

windows_security_45

Query

{'selection': {'EventID': 4648, 'ProcessName|endswith': ['\\cmd.exe', '\\powershell.exe', '\\pwsh.exe', '\\winrs.exe', '\\wmic.exe', '\\net.exe', '\\net1.exe', '\\reg.exe']}, 'filter1': {'TargetServerName': 'localhost'}, 'filter2': {'SubjectUserName|endswith': '$', 'TargetUserName|endswith': '$'}, 'condition': 'selection and not 1 of filter*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,941e5c45-cda7-4864-8cea-bbb7458d194a

Author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton

Tactics, Techniques, and Procedures

T1078

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2020/10/05 medium

  • Administrators that use the RunAS command or scheduled tasks

The Password Hash of an Account was Accessed

The Password Hash of an Account was Accessed. This could be an indication of malicious activity.

Rule ID

windows_security_46

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4782}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1003

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Processes Accessing the Microphone and Webcam

Potential adversaries accessing the microphone and webcam in an endpoint.

Rule ID

windows_security_48

Query

{'selection': {'EventID': [4657, 4656, 4663], 'ObjectName|contains': ['\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged', '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,8cd538a4-62d5-4e83-810b-12d41e428d6e

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Tactics, Techniques, and Procedures

T1123

References

N/A

Severity

50

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2020/06/07 medium

  • Unknown

Defrag Deactivation - Security

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Rule ID

windows_security_49

Query

{'selection': {'EventID': 4701, 'TaskName': '\\Microsoft\\Windows\\Defrag\\ScheduledDefrag'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

  • Requirements: Audit Policy : Audit Other Object Access Events > Success

Rule Source

SigmaHQ,c5a178bf-9cfb-4340-b584-e4df39b6a3e7

Author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)

Tactics, Techniques, and Procedures

T1053

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2019/03/04 medium

  • Unknown

Password Protected ZIP File Opened (Email Attachment)

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Rule ID

windows_security_59

Query

{'selection': {'EventID': 5379, 'TargetName|contains|all': ['Microsoft_Windows_Shell_ZipFolder:filename', '\\Temporary Internet Files\\Content.Outlook']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,571498c8-908e-40b4-910b-d2369159a3da

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1212

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/05/09 high

  • Legitimate used of encrypted ZIP files

AD Privileged Users or Groups Reconnaissance

Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs

Rule ID

windows_security_62

Query

{'selection': {'EventID': 4661, 'ObjectType': ['SAM_USER', 'SAM_GROUP']}, 'selection_object': [{'ObjectName|endswith': ['-512', '-502', '-500', '-505', '-519', '-520', '-544', '-551', '-555']}, {'ObjectName|contains': 'admin'}], 'filter': {'SubjectUserName|endswith': '$'}, 'condition': 'selection and selection_object and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

  • Requirements: enable Object Access SAM on your Domain Controllers

Rule Source

SigmaHQ,35ba1d85-724d-42a3-889f-2e2362bcaf23

Author: Samir Bousseaden

Tactics, Techniques, and Procedures

T1087.002

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2019/04/03 high

  • If source account name is not an admin then its super suspicious

Password Protected ZIP File Opened (Suspicious Filenames)

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Rule ID

windows_security_63

Query

{'selection': {'EventID': 5379, 'TargetName|contains': 'Microsoft_Windows_Shell_ZipFolder:filename'}, 'selection_filename': {'TargetName|contains': ['invoice', 'new order', 'rechnung', 'factura', 'delivery', 'purchase', 'order', 'payment']}, 'condition': 'selection and selection_filename'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,54f0434b-726f-48a1-b2aa-067df14516e4

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1212

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/05/09 high

  • Legitimate used of encrypted ZIP files

Operation Wocao Activity - Security

Detects activity mentioned in Operation Wocao report

Rule ID

windows_security_83

Query

{'selection': {'EventID': 4799, 'TargetUserName|startswith': 'Administr', 'CallerProcessName|endswith': '\\checkadmin.exe'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,74ad4314-482e-4c3e-b237-3f7ed3b9ca8d

Author: Florian Roth (Nextron Systems), frack113

Tactics, Techniques, and Procedures

T1012, T1027, T1036.004, T1053.005, T1059.001

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2019/12/20 high

  • Administrators that use checkadmin.exe tool to enumerate local administrators

Kerberos Manipulation

This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages

Rule ID

windows_security_84

Query

{'selection': {'EventID': [675, 4768, 4769, 4771], 'FailureCode': ['0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,f7644214-0eb0-4ace-9455-331ec4c09253

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1212

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2017/02/10 high

  • Faulty legacy applications

Windows Login Default Point Of Sale Credentials

Windows has reported a login from a user with the default username used by a Point of Sale system. These are well known and are often used as the targets of brute force attacks leading to unauthorized access of the payment infrastructure.

Rule ID

windows_security_85

Query

{'selection2': {'EventID': 4625}, 'selection3': {'SourceUserName': "'aloha'"}, 'selection4': {'SourceUserName': "'micros'"}, 'selection5': {'SourceUserName': "'posi'"}, 'selection6': {'SourceUserName': "'support'"}, 'selection7': {'SourceUserName': "'ddpos'"}, 'selection8': {'SourceUserName': "'term1'"}, 'selection9': {'SourceUserName': "'pos'"}, 'selection10': {'SourceUserName': "'pos2'"}, 'condition': 'selection2 and (selection3 or selection4 or selection5 or selection6 or selection7 or selection8 or selection9 or selection10)'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1110

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

SCM Database Privileged Operation

Detects non-system users performing privileged operation os the SCM database

Rule ID

windows_security_86

Query

{'selection': {'EventID': 4674, 'ObjectType': 'SC_MANAGER OBJECT', 'ObjectName': 'servicesactive', 'PrivilegeList': 'SeTakeOwnershipPrivilege'}, 'filter': {'SubjectLogonId': '0x3e4', 'ProcessName|endswith': ':\\Windows\\System32\\services.exe'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,dae8171c-5ec6-4396-b210-8466585b53e9

Author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton

Tactics, Techniques, and Procedures

T1548

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2019/08/15 medium

  • Unknown

Reconnaissance Activity

Detects activity as "net user administrator /domain" and "net group domain admins /domain"

Rule ID

windows_security_88

Query

{'selection': {'EventID': 4661, 'AccessMask': '0x2d', 'ObjectType': ['SAM_USER', 'SAM_GROUP'], 'ObjectName|startswith': 'S-1-5-21-', 'ObjectName|endswith': ['-500', '-512']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

  • The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems

Rule Source

SigmaHQ,968eef52-9cff-4454-8992-1e74b9cbad6c

Author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community

Tactics, Techniques, and Procedures

T1069.002, T1087.002

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2017/03/07 high

  • Administrator activity

Kerberos Policy was Changed

The Kerberos policy was changed. This could be an indication of malicious activity.

Rule ID

windows_security_89

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4713}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Hacking Tool detected by Antivirus

The Windows Defender AntiVirus has detected a hacking tool in the system. This is an indication that an attacker has access to your system and is trying to install tools to gain persistence, compromise other systems, etc.

Rule ID

windows_security_92

Query

{'selection2': {'EventID': 1116}, 'selection3': {'MalwareFamily|re': '(?:hacktool|meterpreter|metasploit|powersploit|cobalt|mimikatz|wpdump|htool|wce)'}, 'selection4': {'FileName': ''}, 'selection5': {'MalwareFamily': ''}, 'condition': 'selection2 and selection3 and not selection4 and not selection5'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1518

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

WCE wceaux.dll Access

Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host

Rule ID

windows_security_93

Query

{'selection': {'EventID': [4656, 4658, 4660, 4663], 'ObjectName|endswith': '\\wceaux.dll'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,1de68c67-af5c-4097-9c85-fe5578e09e67

Author: Thomas Patzke

Tactics, Techniques, and Procedures

T1003

References

N/A

Severity

90

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2017/06/14 critical

  • Unknown

Important Scheduled Task Deleted/Disabled

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

Rule ID

windows_security_95

Query

{'selection': {'EventID': [4699, 4701], 'TaskName|contains': ['\\Windows\\SystemRestore\\SR', '\\Windows\\Windows Defender\\', '\\Windows\\BitLocker', '\\Windows\\WindowsBackup\\', '\\Windows\\WindowsUpdate\\', '\\Windows\\UpdateOrchestrator\\Schedule', '\\Windows\\ExploitGuard']}, 'filter_sys_username': {'EventID': 4699, 'SubjectUserName|endswith': '$', 'TaskName|contains': '\\Windows\\Windows Defender\\'}, 'condition': 'selection and not 1 of filter_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

  • The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.

Rule Source

SigmaHQ,7595ba94-cf3b-4471-aa03-4f6baa9e5fad

Author: Nasreddine Bencherchali (Nextron Systems)

Tactics, Techniques, and Procedures

T1053.005

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/12/05 high

  • Unknown

Account Tampering - Suspicious Failed Logon Reasons

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Rule ID

windows_security_97

Query

{'selection': {'EventID': [4625, 4776], 'Status': ['0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B']}, 'filter': {'SubjectUserSid': 'S-1-0-0'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,9eb99343-d336-4020-a3cd-67f3819e68ee

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1078

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2017/02/19 medium

  • User using a disabled account

Encrypted Data Recovery Policy was Changed

The Encrypted Data policy was changed. This could be an indication of malicious activity.

Rule ID

windows_security_99

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4714}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Secure Deletion with SDelete

Detects renaming of file while deletion with SDelete tool.

Rule ID

windows_security_101

Query

{'selection': {'EventID': [4656, 4663, 4658], 'ObjectName|endswith': ['.AAA', '.ZZZ']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,39a80702-d7ca-4a83-b776-525b1f86a36d

Author: Thomas Patzke

Tactics, Techniques, and Procedures

T1027.005, T1070.004, T1485, T1553.002

References

N/A

Severity

50

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2017/06/14 medium

  • Legitimate usage of SDelete

ADCS Certificate Template Configuration Vulnerability with Risky EKU

Detects certificate creation with template allowing risk permission subject and risky EKU

Rule ID

windows_security_104

Query

{'selection10': {'EventID': 4898, 'TemplateContent|contains': ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0']}, 'selection11': {'TemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'selection20': {'EventID': 4899, 'NewTemplateContent|contains': ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0']}, 'selection21': {'NewTemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'condition': '(selection10 and selection11) or (selection20 and selection21)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

  • Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag with risky EKU.

Rule Source

SigmaHQ,bfbd3291-de87-4b7c-88a2-d6a5deb28668

Author: Orlinum , BlueDefenZer

Tactics, Techniques, and Procedures

T1068

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2021/11/17 high

  • Administrator activity

  • Proxy SSL certificate with subject modification

  • Smart card enrollement

KRBTGT Delegation Backdoor

Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.

Rule ID

windows_security_109

Query

{'selection1': {'EventID': 4738}, 'selection2': {'AllowedToDelegateTo': '*krbtgt*'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, TA0006, T1098, T1558

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022/01/27 high N/A

Windows Defender Exclusion Set

Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender

Rule ID

windows_security_111

Query

{'selection': {'EventID': [4657, 4656, 4660, 4663], 'ObjectName|contains': '\\Microsoft\\Windows Defender\\Exclusions\\'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

  • Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User

Rule Source

SigmaHQ,e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d

Author: @BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)

Tactics, Techniques, and Procedures

T1562.001

References

N/A

Severity

75

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2019/10/26 high

  • Intended inclusions by administrator

Password Change on Directory Service Restore Mode (DSRM) Account

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

Rule ID

windows_security_112

Query

{'selection': {'EventID': 4794}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,53ad8e36-f573-46bf-97e4-15ba5bf4bb51

Author: Thomas Patzke

Tactics, Techniques, and Procedures

T1098

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
stable 2017/02/19 high

  • Initial installation of a domain controller

Hacktool Ruler

This events that are generated when using the hacktool Ruler by Sensepost

Rule ID

windows_security_113

Query

{'selection1': {'EventID': 4776, 'Workstation': 'RULER'}, 'selection2': {'EventID': [4624, 4625], 'WorkstationName': 'RULER'}, 'condition': '(1 of selection*)'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,24549159-ac1b-479c-8175-d42aea947cae

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1059, T1087, T1114, T1550.002

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2017/05/31 high

  • Go utilities that use staaldraad awesome NTLM library

Suspicious Scheduled Task Creation

Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.

Rule ID

windows_security_115

Query

{'selection_eid': {'EventID': 4698}, 'selection_paths': {'TaskContent|contains': ['\\AppData\\Local\\Temp\\', '\\AppData\\Roaming\\', '\\Users\\Public\\', '\\WINDOWS\\Temp\\', 'C:\\Temp\\', '\\Desktop\\', '\\Downloads\\', '\\Temporary Internet', 'C:\\ProgramData\\', 'C:\\Perflogs\\']}, 'selection_commands': {'TaskContent|contains': ['regsvr32', 'rundll32', 'cmd.exe</Command>', 'cmd</Command>', '<Arguments>/c ', '<Arguments>/k ', '<Arguments>/r ', 'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'certutil', 'bitsadmin', 'bash.exe', 'bash ', 'scrcons', 'wmic ', 'wmic.exe', 'forfiles', 'scriptrunner', 'hh.exe']}, 'condition': 'all of selection_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

  • The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.

Rule Source

SigmaHQ,3a734d25-df5c-4b99-8034-af1ddb5883a4

Author: Nasreddine Bencherchali (Nextron Systems)

Tactics, Techniques, and Procedures

T1053.005

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/12/05 high

  • Unknown

User Account Deleted

A user account has been deleted. This could be an indication of malicious activity.

Rule ID

windows_security_118

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4726}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Replay Attack Detected

Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client

Rule ID

windows_security_124

Query

{'selection': {'EventID': 4649}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,5a44727c-3b85-4713-8c44-4401d5499629

Author: frack113

Tactics, Techniques, and Procedures

T1550

References

N/A

Severity

75

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/10/14 high

  • Unknown

Device Installation Blocked

Detects an installation of a device that is forbidden by the system policy

Rule ID

windows_security_130

Query

{'selection': {'EventID': 6423}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,c9eb55c3-b468-40ab-9089-db2862e42137

Author: frack113

Tactics, Techniques, and Procedures

T1200

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/10/14 medium

  • Unknown

Webshell detected by Antivirus

The Windows Defender AntiVirus has detected a webshell in the system. This is an indication that an attacker gained access to your server and he is trying to deploy a webshell in the webserver.

Rule ID

windows_security_131

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Windows Defender'}, 'selection2': {'EventID': 1116}, 'selection3': {'MalwareFamily|contains': 'webshell'}, 'selection4': {'MalwareFamily|contains': 'chopper'}, 'selection5': {'MalwareFamily|re': '(?:PHP|JSP|ASP) [\\/]Backdoor'}, 'selection6': {'MalwareFamily|re': 'Backdoor[.:](?:PHP|JSP|ASP)'}, 'condition': 'selection1 and selection2 and (selection3 or selection4 or selection5 or selection6)'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1505.003

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

OilRig APT Schedule Task Persistence - Security

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Rule ID

windows_security_132

Query

{'selection_service': {'EventID': 4698, 'TaskName': ['SC Scheduled Scan', 'UpdatMachine']}, 'condition': 'selection_service'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,c0580559-a6bd-4ef6-b9b7-83703d98b561

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Tactics, Techniques, and Procedures

T1053.005, T1071.004, T1112, T1543.003

References

N/A

Severity

90

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2018/03/23 critical

  • Unlikely

Windows Privilege Escalation through Security Group Modification

This rule detects request for privilege escalation by modifying windows security group

Rule ID

windows_security_201

Query

{'selection1': {'EventID': [632, 4728, 636, 4732, 660, 4756]}, 'selection2': {'TargetUserName': ['Group Policy Creator Owners', 'Administrators', 'DHCP Administrators', 'DNS Admins', 'Domain Admins', 'Enterprise Admins', 'Enterprise Key Admins', 'Hyper-V Administrators', 'Key Admins', 'Schema Admins', 'Storage Replica Administrators']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1078, T1098

References

N/A

Severity

50

Suppression Logic Based On

  • event_id
  • hostip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2023/06/22 high

  • Legitimate administrative activity