Rules Contributing to Suspicious Access Attempt to Windows Object Alerts

The following rules are used to identify suspicious activity with Access Attempt to Windows Objects. Any one or more of these will trigger Suspicious Access Attempt to Windows Object Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

SysKey Registry Keys Access

Detects handle requests and access operations to specific registry keys to calculate the SysKey

Rule ID

windows_security_2

Query

{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName|endswith': ['\\Lsa\\JD', '\\Lsa\\GBG', '\\Lsa\\Skew1', '\\Lsa\\Data']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,9a4ff3b8-6187-4fd2-8e8b-e0eae1129495

Author: Roberto Rodriguez @Cyb3rWard0g

Tactics, Techniques, and Procedures

T1012

References

N/A

Severity

75

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2019/08/12 high

  • Unknown

Sysmon Channel Reference Deletion

Potential threat actor tampering with Sysmon manifest and eventually disabling it

Rule ID

windows_security_19

Query

{'selection1': {'EventID': 4657, 'ObjectName|contains': ['WINEVT\\Publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}', 'WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational'], 'ObjectValueName': 'Enabled', 'NewValue': '0'}, 'selection2': {'EventID': 4663, 'ObjectName|contains': ['WINEVT\\Publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}', 'WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational'], 'AccessMask': '0x10000'}, 'condition': '1 of selection*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Tactics, Techniques, and Procedures

T1112

References

N/A

Severity

75

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2020/07/14 high

  • Unknown

Suspicious Teams Application Related ObjectAcess Event

Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.

Rule ID

windows_security_24

Query

{'selection': {'EventID': 4663, 'ObjectName|contains': ['\\Microsoft\\Teams\\Cookies', '\\Microsoft\\Teams\\Local Storage\\leveldb']}, 'filter': {'ProcessName|contains': '\\Microsoft\\Teams\\current\\Teams.exe'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,25cde13e-8e20-4c29-b949-4e795b76f16f

Author: @SerkinValery

Tactics, Techniques, and Procedures

T1528

References

N/A

Severity

75

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/09/16 high

  • Unknown

Processes Accessing the Microphone and Webcam

Potential adversaries accessing the microphone and webcam in an endpoint.

Rule ID

windows_security_48

Query

{'selection': {'EventID': [4657, 4656, 4663], 'ObjectName|contains': ['\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged', '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,8cd538a4-62d5-4e83-810b-12d41e428d6e

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Tactics, Techniques, and Procedures

T1123

References

N/A

Severity

50

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2020/06/07 medium

  • Unknown

Azure AD Health Service Agents Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.

Rule ID

windows_security_54

Query

{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent'}, 'filter': {'ProcessName|contains': ['Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe', 'Microsoft.Identity.Health.Adfs.InsightsService.exe', 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe', 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe', 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe']}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,1d2ab8ac-1a01-423b-9c39-001510eae8e8

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC

Tactics, Techniques, and Procedures

T1012

References

N/A

Severity

50

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2021/08/26 medium

  • Unknown

Azure AD Health Monitoring Agent Registry Keys Access

This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

Rule ID

windows_security_70

Query

{'selection': {'EventID': [4656, 4663], 'ObjectType': 'Key', 'ObjectName': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent'}, 'filter': {'ProcessName|contains': ['Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe', 'Microsoft.Identity.Health.Adfs.InsightsService.exe', 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe', 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe', 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe']}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,ff151c33-45fa-475d-af4f-c2f93571f4fe

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC

Tactics, Techniques, and Procedures

T1012

References

N/A

Severity

50

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2021/08/26 medium

  • Unknown

WCE wceaux.dll Access

Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host

Rule ID

windows_security_93

Query

{'selection': {'EventID': [4656, 4658, 4660, 4663], 'ObjectName|endswith': '\\wceaux.dll'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,1de68c67-af5c-4097-9c85-fe5578e09e67

Author: Thomas Patzke

Tactics, Techniques, and Procedures

T1003

References

N/A

Severity

90

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2017/06/14 critical

  • Unknown

Secure Deletion with SDelete

Detects renaming of file while deletion with SDelete tool.

Rule ID

windows_security_101

Query

{'selection': {'EventID': [4656, 4663, 4658], 'ObjectName|endswith': ['.AAA', '.ZZZ']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

Rule Source

SigmaHQ,39a80702-d7ca-4a83-b776-525b1f86a36d

Author: Thomas Patzke

Tactics, Techniques, and Procedures

T1027.005, T1070.004, T1485, T1553.002

References

N/A

Severity

50

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2017/06/14 medium

  • Legitimate usage of SDelete

Windows Defender Exclusion Set

Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender

Rule ID

windows_security_111

Query

{'selection': {'EventID': [4657, 4656, 4660, 4663], 'ObjectName|contains': '\\Microsoft\\Windows Defender\\Exclusions\\'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows security events

  • Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User

Rule Source

SigmaHQ,e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d

Author: @BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)

Tactics, Techniques, and Procedures

T1562.001

References

N/A

Severity

75

Suppression Logic Based On

  • hostip
  • event_data.ObjectName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2019/10/26 high

  • Intended inclusions by administrator