Rules Contributing to Suspicious Windows Logon Event Alerts
The following rules are used to identify suspicious Windows logon activities. Any one or more of these will trigger Suspicious Windows Logon Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
Hacktool Ruler |
This events that are generated when using the hacktool Ruler by Sensepost More details
Rule IDQuery{'selection1': {'EventID': 4776, 'Workstation': 'RULER'}, 'selection2': {'EventID': [4624, 4625], 'WorkstationName': 'RULER'}, 'condition': '(1 of selection*)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,24549159-ac1b-479c-8175-d42aea947cae Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresT1059, T1087, T1114, T1550.002 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Remote WMI ActiveScriptEventConsumers |
Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network More details
Rule IDQuery{'selection': {'EventID': 4624, 'LogonType': '3', 'ProcessName|endswith': 'scrcons.exe'}, 'filter': {'TargetLogonId': '0x3e7'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9599c180-e3a8-4743-8f92-7fb96d3be648 Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
RottenPotato Like Attack Pattern |
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like More details
Rule IDQuery{'selection': {'EventID': 4624, 'LogonType': '3', 'TargetUserName|re': '(?:ANONYMOUS(_| )LOGON)$', 'WorkstationName': ['-', ''], 'IpAddress': ['127.0.0.1', '::1']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,16f5d8ca-44bd-47c8-acbe-6fc95a16c12f Author: @SBousseaden, Florian Roth Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Successful Overpass the Hash Attempt |
Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module. More details
Rule IDQuery{'selection': {'EventID': 4624, 'LogonType': '9', 'LogonProcessName': 'seclogo', 'AuthenticationPackageName': 'Negotiate'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,192a0330-c20b-4356-90b6-7b7049ae0b87 Author: Roberto Rodriguez (source), Dominik Schaudel (rule) Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|
||||||||
DiagTrackEoP Default Login Username |
Detects the default "UserName" used by the DiagTrackEoP POC More details
Rule IDQuery{'selection': {'EventID': 4624, 'LogonType': '9', 'TargetOutboundUserName': 'thisisnotvaliduser'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,2111118f-7e46-4fc8-974a-59fd8ec95196 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity90 Suppression Logic Based On
Additional Information
|
||||||||
Access Token Abuse |
This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.) More details
Rule IDQuery{'selection': {'EventID': 4624, 'LogonType': '9', 'LogonProcessName': 'Advapi', 'AuthenticationPackageName': 'Negotiate', 'ImpersonationLevel': '%%1833'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,02f7c9c1-1ae8-4c6a-8add-04693807f92f Author: Michaela Adams, Zach Mathis Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
KrbRelayUp Attack Pattern |
Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like More details
Rule IDQuery{'selection1': {'EventID': 4624, 'LogonType': '3', 'AuthenticationPackageName': 'Kerberos', 'TargetUserSid|startswith': 'S-1-5-21-', 'TargetUserSid|endswith': '-500'}, 'selection2': {'IpAddress': ['::1', '127.0.0.1']}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,749c9f5e-b353-4b90-a9c1-05243357ca4b Author: @SBousseaden, Florian Roth Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|