Rules Contributing to Potentially Malicious Windows Event Alerts
The following rules are used to identify suspicious activity with Windows events. This is a generic rule name. Any one or more of these will trigger Potentially Malicious Windows Event Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
ETW Logging Disabled In .NET Processes - Registry |
Potential adversaries stopping ETW providers recording loaded .NET assemblies. More details
Rule IDQuery{'selection_etw_enabled': {'EventID': 4657, 'ObjectName|endswith': '\\SOFTWARE\\Microsoft\\.NETFramework', 'ObjectValueName': 'ETWEnabled', 'NewValue': '0'}, 'selection_complus': {'EventID': 4657, 'ObjectName|contains': '\\Environment', 'ObjectValueName': ['COMPlus_ETWEnabled', 'COMPlus_ETWFlags'], 'NewValue': '0'}, 'condition': '1 of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a4c90ea1-2634-4ca0-adbb-35eae169b6fc Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
NetNTLM Downgrade Attack |
Detects NetNTLM downgrade attack More details
Rule IDQuery{'selection': {'EventID': 4657, 'ObjectName|contains|all': ['\\REGISTRY\\MACHINE\\SYSTEM', 'ControlSet', '\\Control\\Lsa'], 'ObjectValueName': ['LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,d3abac66-f11c-4ed0-8acb-50cc29c97eed Author: Florian Roth (Nextron Systems), wagga Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Windows Defender Discarded Signature |
Dynamic Signature Service signature of Windows Defender has been discarded. This may be due to an attacker or a user disabling a security feature that can led the computer exposed to malware and other threats. More details
Rule IDQuery{'selection2': {'EventID': 2013}, 'condition': 'selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
PetitPotam Suspicious Kerberos TGT Request |
Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts. More details
Rule IDQuery{'selection': {'EventID': 4768, 'TargetUserName|endswith': '$', 'CertThumbprint|contains': '*'}, 'filter_local': {'IpAddress': '::1'}, 'filter_thumbprint': {'CertThumbprint': ''}, 'condition': 'selection and not 1 of filter_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,6a53d871-682d-40b6-83e0-b7c1a6c4e3a5 Author: Mauricio Velazco, Michael Haag Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
DPAPI Domain Master Key Backup Attempt |
Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller. More details
Rule IDQuery{'selection': {'EventID': 4692}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,39a94fd1-8c9a-4ff6-bf22-c058762f8014 Author: Roberto Rodriguez @Cyb3rWard0g Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
Scanner PoC for CVE-2019-0708 RDP RCE Vuln |
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep More details
Rule IDQuery{'selection': {'EventID': 4625, 'TargetUserName': 'AAAAAAA'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8400629e-79a9-4737-b387-5db940ab2367 Author: Florian Roth (Nextron Systems), Adam Bradbury (idea) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Scheduled Task Update |
Detects update to a scheduled task event that contain suspicious keywords. More details
Rule IDQuery{'selection_eid': {'EventID': 4702}, 'selection_paths': {'TaskContentNew|contains': ['\\AppData\\Local\\Temp\\', '\\AppData\\Roaming\\', '\\Users\\Public\\', '\\WINDOWS\\Temp\\', 'C:\\Temp\\', '\\Desktop\\', '\\Downloads\\', '\\Temporary Internet', 'C:\\ProgramData\\', 'C:\\Perflogs\\']}, 'selection_commands': {'TaskContentNew|contains': ['regsvr32', 'rundll32', 'cmd.exe</Command>', 'cmd</Command>', '<Arguments>/c ', '<Arguments>/k ', '<Arguments>/r ', 'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'certutil', 'bitsadmin', 'bash.exe', 'bash ', 'scrcons', 'wmic ', 'wmic.exe', 'forfiles', 'scriptrunner', 'hh.exe']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,614cf376-6651-47c4-9dcc-6b9527f749f4 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Windows Defender Disabled |
Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled. More details
Rule IDQuery{'selection2': {'EventID': 5001}, 'condition': 'selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
ADCS Certificate Template Configuration Vulnerability |
Detects certificate creation with template allowing risk permission subject More details
Rule IDQuery{'selection1': {'EventID': 4898, 'TemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'selection2': {'EventID': 4899, 'NewTemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'condition': 'selection1 or selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,5ee3a654-372f-11ec-8d3d-0242ac130003 Author: Orlinum , BlueDefenZer Tactics, Techniques, and ProceduresReferencesSeverity25 Suppression Logic Based On
Additional Information
|
||||||||
Addition of Domain Trusts |
Addition of domains is seldom and should be verified for legitimacy. More details
Rule IDQuery{'selection': {'EventID': 4706}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,0255a820-e564-4e40-af2b-6ac61160335c Author: Thomas Patzke Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
User Added to Local Administrators |
This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity More details
Rule IDQuery{'selection': {'EventID': 4732}, 'selection_group1': {'TargetUserName|startswith': 'Administr'}, 'selection_group2': {'TargetSid': 'S-1-5-32-544'}, 'filter': {'SubjectUserName|endswith': '$'}, 'condition': 'selection and (1 of selection_group*) and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c265cf08-3f99-46c1-8d59-328247057d57 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Sensitive Privilege SeEnableDelegationPrivilege assigned to a User |
Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges. More details
Rule IDQuery{'selection1': {'EventID': 4704}, 'selection2': {'PrivilegeList': 'SeEnableDelegationPrivilege'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Computer Account Name Change CVE-2021-42287 |
Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287 More details
Rule IDQuery{'selection': {'EventID': 4781, 'OldTargetUserName|contains': '$'}, 'filter': {'NewTargetUserName|contains': '$'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,45eb2ae2-9aa2-4c3a-99a5-6e5077655466 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Remote Logon with Explicit Credentials |
Detects suspicious processes logging on with explicit credentials More details
Rule IDQuery{'selection': {'EventID': 4648, 'ProcessName|endswith': ['\\cmd.exe', '\\powershell.exe', '\\pwsh.exe', '\\winrs.exe', '\\wmic.exe', '\\net.exe', '\\net1.exe', '\\reg.exe']}, 'filter1': {'TargetServerName': 'localhost'}, 'filter2': {'SubjectUserName|endswith': '$', 'TargetUserName|endswith': '$'}, 'condition': 'selection and not 1 of filter*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,941e5c45-cda7-4864-8cea-bbb7458d194a Author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
The Password Hash of an Account was Accessed |
The Password Hash of an Account was Accessed. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4782}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Processes Accessing the Microphone and Webcam |
Potential adversaries accessing the microphone and webcam in an endpoint. More details
Rule IDQuery{'selection': {'EventID': [4657, 4656, 4663], 'ObjectName|contains': ['\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged', '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8cd538a4-62d5-4e83-810b-12d41e428d6e Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
Defrag Deactivation - Security |
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group More details
Rule IDQuery{'selection': {'EventID': 4701, 'TaskName': '\\Microsoft\\Windows\\Defrag\\ScheduledDefrag'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c5a178bf-9cfb-4340-b584-e4df39b6a3e7 Author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
Password Protected ZIP File Opened (Email Attachment) |
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened. More details
Rule IDQuery{'selection': {'EventID': 5379, 'TargetName|contains|all': ['Microsoft_Windows_Shell_ZipFolder:filename', '\\Temporary Internet Files\\Content.Outlook']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,571498c8-908e-40b4-910b-d2369159a3da Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
AD Privileged Users or Groups Reconnaissance |
Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs More details
Rule IDQuery{'selection': {'EventID': 4661, 'ObjectType': ['SAM_USER', 'SAM_GROUP']}, 'selection_object': [{'ObjectName|endswith': ['-512', '-502', '-500', '-505', '-519', '-520', '-544', '-551', '-555']}, {'ObjectName|contains': 'admin'}], 'filter': {'SubjectUserName|endswith': '$'}, 'condition': 'selection and selection_object and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,35ba1d85-724d-42a3-889f-2e2362bcaf23 Author: Samir Bousseaden Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|
||||||||
Password Protected ZIP File Opened (Suspicious Filenames) |
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened. More details
Rule IDQuery{'selection': {'EventID': 5379, 'TargetName|contains': 'Microsoft_Windows_Shell_ZipFolder:filename'}, 'selection_filename': {'TargetName|contains': ['invoice', 'new order', 'rechnung', 'factura', 'delivery', 'purchase', 'order', 'payment']}, 'condition': 'selection and selection_filename'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,54f0434b-726f-48a1-b2aa-067df14516e4 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Operation Wocao Activity - Security |
Detects activity mentioned in Operation Wocao report More details
Rule IDQuery{'selection': {'EventID': 4799, 'TargetUserName|startswith': 'Administr', 'CallerProcessName|endswith': '\\checkadmin.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,74ad4314-482e-4c3e-b237-3f7ed3b9ca8d Author: Florian Roth (Nextron Systems), frack113 Tactics, Techniques, and ProceduresT1012, T1027, T1036.004, T1053.005, T1059.001 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Kerberos Manipulation |
This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages More details
Rule IDQuery{'selection': {'EventID': [675, 4768, 4769, 4771], 'FailureCode': ['0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f7644214-0eb0-4ace-9455-331ec4c09253 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|
||||||||
Windows Login Default Point Of Sale Credentials |
Windows has reported a login from a user with the default username used by a Point of Sale system. These are well known and are often used as the targets of brute force attacks leading to unauthorized access of the payment infrastructure. More details
Rule IDQuery{'selection2': {'EventID': 4625}, 'selection3': {'SourceUserName': "'aloha'"}, 'selection4': {'SourceUserName': "'micros'"}, 'selection5': {'SourceUserName': "'posi'"}, 'selection6': {'SourceUserName': "'support'"}, 'selection7': {'SourceUserName': "'ddpos'"}, 'selection8': {'SourceUserName': "'term1'"}, 'selection9': {'SourceUserName': "'pos'"}, 'selection10': {'SourceUserName': "'pos2'"}, 'condition': 'selection2 and (selection3 or selection4 or selection5 or selection6 or selection7 or selection8 or selection9 or selection10)'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
SCM Database Privileged Operation |
Detects non-system users performing privileged operation os the SCM database More details
Rule IDQuery{'selection': {'EventID': 4674, 'ObjectType': 'SC_MANAGER OBJECT', 'ObjectName': 'servicesactive', 'PrivilegeList': 'SeTakeOwnershipPrivilege'}, 'filter': {'SubjectLogonId': '0x3e4', 'ProcessName|endswith': ':\\Windows\\System32\\services.exe'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,dae8171c-5ec6-4396-b210-8466585b53e9 Author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
Reconnaissance Activity |
Detects activity as "net user administrator /domain" and "net group domain admins /domain" More details
Rule IDQuery{'selection': {'EventID': 4661, 'AccessMask': '0x2d', 'ObjectType': ['SAM_USER', 'SAM_GROUP'], 'ObjectName|startswith': 'S-1-5-21-', 'ObjectName|endswith': ['-500', '-512']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,968eef52-9cff-4454-8992-1e74b9cbad6c Author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Kerberos Policy was Changed |
The Kerberos policy was changed. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4713}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Hacking Tool detected by Antivirus |
The Windows Defender AntiVirus has detected a hacking tool in the system. This is an indication that an attacker has access to your system and is trying to install tools to gain persistence, compromise other systems, etc. More details
Rule IDQuery{'selection2': {'EventID': 1116}, 'selection3': {'MalwareFamily|re': '(?:hacktool|meterpreter|metasploit|powersploit|cobalt|mimikatz|wpdump|htool|wce)'}, 'selection4': {'FileName': ''}, 'selection5': {'MalwareFamily': ''}, 'condition': 'selection2 and selection3 and not selection4 and not selection5'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
WCE wceaux.dll Access |
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host More details
Rule IDQuery{'selection': {'EventID': [4656, 4658, 4660, 4663], 'ObjectName|endswith': '\\wceaux.dll'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1de68c67-af5c-4097-9c85-fe5578e09e67 Author: Thomas Patzke Tactics, Techniques, and ProceduresReferencesSeverity90 Suppression Logic Based On
Additional Information
|
||||||||
Important Scheduled Task Deleted/Disabled |
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities More details
Rule IDQuery{'selection': {'EventID': [4699, 4701], 'TaskName|contains': ['\\Windows\\SystemRestore\\SR', '\\Windows\\Windows Defender\\', '\\Windows\\BitLocker', '\\Windows\\WindowsBackup\\', '\\Windows\\WindowsUpdate\\', '\\Windows\\UpdateOrchestrator\\Schedule', '\\Windows\\ExploitGuard']}, 'filter_sys_username': {'EventID': 4699, 'SubjectUserName|endswith': '$', 'TaskName|contains': '\\Windows\\Windows Defender\\'}, 'condition': 'selection and not 1 of filter_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7595ba94-cf3b-4471-aa03-4f6baa9e5fad Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Account Tampering - Suspicious Failed Logon Reasons |
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. More details
Rule IDQuery{'selection': {'EventID': [4625, 4776], 'Status': ['0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B']}, 'filter': {'SubjectUserSid': 'S-1-0-0'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9eb99343-d336-4020-a3cd-67f3819e68ee Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
Encrypted Data Recovery Policy was Changed |
The Encrypted Data policy was changed. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4714}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Secure Deletion with SDelete |
Detects renaming of file while deletion with SDelete tool. More details
Rule IDQuery{'selection': {'EventID': [4656, 4663, 4658], 'ObjectName|endswith': ['.AAA', '.ZZZ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,39a80702-d7ca-4a83-b776-525b1f86a36d Author: Thomas Patzke Tactics, Techniques, and ProceduresT1027.005, T1070.004, T1485, T1553.002 ReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
ADCS Certificate Template Configuration Vulnerability with Risky EKU |
Detects certificate creation with template allowing risk permission subject and risky EKU More details
Rule IDQuery{'selection10': {'EventID': 4898, 'TemplateContent|contains': ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0']}, 'selection11': {'TemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'selection20': {'EventID': 4899, 'NewTemplateContent|contains': ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0']}, 'selection21': {'NewTemplateContent|contains': 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'}, 'condition': '(selection10 and selection11) or (selection20 and selection21)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,bfbd3291-de87-4b7c-88a2-d6a5deb28668 Author: Orlinum , BlueDefenZer Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
KRBTGT Delegation Backdoor |
Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service. More details
Rule IDQuery{'selection1': {'EventID': 4738}, 'selection2': {'AllowedToDelegateTo': '*krbtgt*'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|
||||||||
Windows Defender Exclusion Set |
Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender More details
Rule IDQuery{'selection': {'EventID': [4657, 4656, 4660, 4663], 'ObjectName|contains': '\\Microsoft\\Windows Defender\\Exclusions\\'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d Author: @BarryShooshooga, Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Password Change on Directory Service Restore Mode (DSRM) Account |
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence. More details
Rule IDQuery{'selection': {'EventID': 4794}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,53ad8e36-f573-46bf-97e4-15ba5bf4bb51 Author: Thomas Patzke Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Hacktool Ruler |
This events that are generated when using the hacktool Ruler by Sensepost More details
Rule IDQuery{'selection1': {'EventID': 4776, 'Workstation': 'RULER'}, 'selection2': {'EventID': [4624, 4625], 'WorkstationName': 'RULER'}, 'condition': '(1 of selection*)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,24549159-ac1b-479c-8175-d42aea947cae Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresT1059, T1087, T1114, T1550.002 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Scheduled Task Creation |
Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc. More details
Rule IDQuery{'selection_eid': {'EventID': 4698}, 'selection_paths': {'TaskContent|contains': ['\\AppData\\Local\\Temp\\', '\\AppData\\Roaming\\', '\\Users\\Public\\', '\\WINDOWS\\Temp\\', 'C:\\Temp\\', '\\Desktop\\', '\\Downloads\\', '\\Temporary Internet', 'C:\\ProgramData\\', 'C:\\Perflogs\\']}, 'selection_commands': {'TaskContent|contains': ['regsvr32', 'rundll32', 'cmd.exe</Command>', 'cmd</Command>', '<Arguments>/c ', '<Arguments>/k ', '<Arguments>/r ', 'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'certutil', 'bitsadmin', 'bash.exe', 'bash ', 'scrcons', 'wmic ', 'wmic.exe', 'forfiles', 'scriptrunner', 'hh.exe']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,3a734d25-df5c-4b99-8034-af1ddb5883a4 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
User Account Deleted |
A user account has been deleted. This could be an indication of malicious activity. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4726}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Replay Attack Detected |
Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client More details
Rule IDQuery{'selection': {'EventID': 4649}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,5a44727c-3b85-4713-8c44-4401d5499629 Author: frack113 Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Device Installation Blocked |
Detects an installation of a device that is forbidden by the system policy More details
Rule IDQuery{'selection': {'EventID': 6423}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c9eb55c3-b468-40ab-9089-db2862e42137 Author: frack113 Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
Webshell detected by Antivirus |
The Windows Defender AntiVirus has detected a webshell in the system. This is an indication that an attacker gained access to your server and he is trying to deploy a webshell in the webserver. More details
Rule IDQuery{'selection1': {'SubCategory': 'Microsoft-Windows-Windows Defender'}, 'selection2': {'EventID': 1116}, 'selection3': {'MalwareFamily|contains': 'webshell'}, 'selection4': {'MalwareFamily|contains': 'chopper'}, 'selection5': {'MalwareFamily|re': '(?:PHP|JSP|ASP) [\\/]Backdoor'}, 'selection6': {'MalwareFamily|re': 'Backdoor[.:](?:PHP|JSP|ASP)'}, 'condition': 'selection1 and selection2 and (selection3 or selection4 or selection5 or selection6)'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
OilRig APT Schedule Task Persistence - Security |
Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report More details
Rule IDQuery{'selection_service': {'EventID': 4698, 'TaskName': ['SC Scheduled Scan', 'UpdatMachine']}, 'condition': 'selection_service'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c0580559-a6bd-4ef6-b9b7-83703d98b561 Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Tactics, Techniques, and ProceduresT1053.005, T1071.004, T1112, T1543.003 ReferencesSeverity90 Suppression Logic Based On
Additional Information
|
||||||||
Windows Privilege Escalation through Security Group Modification |
This rule detects request for privilege escalation by modifying windows security group More details
Rule IDQuery{'selection1': {'EventID': [632, 4728, 636, 4732, 660, 4756]}, 'selection2': {'TargetUserName': ['Group Policy Creator Owners', 'Administrators', 'DHCP Administrators', 'DNS Admins', 'Domain Admins', 'Enterprise Admins', 'Enterprise Key Admins', 'Hyper-V Administrators', 'Key Admins', 'Schema Admins', 'Storage Replica Administrators']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|