diff --git a/.github/workflows/create-rule-meta.yml b/.github/workflows/create-rule-meta.yml
index 31211f94..3c049578 100644
--- a/.github/workflows/create-rule-meta.yml
+++ b/.github/workflows/create-rule-meta.yml
@@ -18,7 +18,7 @@ jobs:
 path: hayabusa-rules
 - name: Run
- run: cd wela-extractor && cargo run --release -- ../hayabusa-rules ../config/eid_subcategory_mapping.csv ../config/hayabusa_rules_meta.json
+ run: cd wela-extractor && cargo run --release -- ../hayabusa-rules ../config/eid_subcategory_mapping.csv ../config/security_rules.json
 - name: Push changes
 env:
diff --git a/config/hayabusa_rules_meta.json b/config/hayabusa_rules_meta.json
deleted file mode 100644
index 2d82b7d2..00000000
--- a/config/hayabusa_rules_meta.json
+++ /dev/null
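Review bot: The step whose output path changes on the `+ run:` line is still named just `Run`, which says nothing about what it generates or where; now that the target moves from `hayabusa_rules_meta.json` to `security_rules.json`, naming it `- name: Generate config/security_rules.json` would make the artefact visible in the job log and in future diffs. The same commit deletes `config/hayabusa_rules_meta.json`, but this chunk does not show `config/security_rules.json` being added or any other reference to the old path being updated, so anything else that reads the old file name (the `Push changes` step, documentation, other workflows) presumably needs the same change — worth confirming. The job definition begins before this hunk and the `Push changes` step continues after it.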
@@ -1,3245 +0,0 @@ -[ - { - "description": "Displays the dialog box message that popped up in Office Activated App for the user.", - "event_ids": [ - "300" - ], - "id": "8cab5688-ca77-483d-a295-56dd6c1db944", - "level": "informational", - "subcategory_guids": [], - "title": "Office App PopUp" - }, - { - "description": "The Windows Filtering Platform has allowed a connection.", - "event_ids": [ - "5156" - ], - "id": "d0a61a11-57c9-4afc-b940-3f19b60db08e", - "level": "informational", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Net Conn" - }, - { - "description": "The Windows Filtering Platform has blocked a connection.", - "event_ids": [ - "5157" - ], - "id": "b793a8e6-28a4-4fb8-816e-17a99e4e7b40", - "level": "informational", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Net Conn Blocked" - }, - { - "description": "", - "event_ids": [ - "5145" - ], - "id": "8c6ec2b2-8dad-4996-9aba-d659afc1b919", - "level": "informational", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "NetShare File Access" - }, - { - "description": "", - "event_ids": [ - "5140" - ], - "id": "15d042c1-07c6-4e16-ae7d-e0e556ccd9a8", - "level": "informational", - "subcategory_guids": [ - "0CCE9224-69AE-11D9-BED3-505054503030" - ], - "title": "NetShare Access" - }, - { - "description": "Scheduled task created. 
Malware often persists with tasks but also used legitimately often as well.", - "event_ids": [ - "4698" - ], - "id": "60d768ca-33e8-4f34-b967-14fd7aa18a22", - "level": "informational", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "title": "Task Created" - }, - { - "description": "Scheduled task was deleted.", - "event_ids": [ - "4699" - ], - "id": "de5ed02e-e7b5-47a0-a35c-06a907c988e4", - "level": "informational", - "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Task Deleted" - }, - { - "description": "Detects when hashes are not correct or a file does not meet Windows' security requirements.", - "event_ids": [ - "6410" - ], - "id": "c2eb9d20-ef9d-4b2d-bffe-d0a5d9616f30", - "level": "low", - "subcategory_guids": [ - "0CCE9212-69AE-11D9-BED3-505054503030" - ], - "title": "Code Integrity Proble (Possible Modification)" - }, - { - "description": "Detects when hashes are not correct or a file does not meet Windows' security requirements.", - "event_ids": [ - "6281" - ], - "id": "d4757f63-cc0e-448e-8b5b-6cb02aeb918a", - "level": "low", - "subcategory_guids": [ - "0CCE9212-69AE-11D9-BED3-505054503030" - ], - "title": "Code Integrity Error (Invalid Image Page Hash)" - }, - { - "description": "Detects when hashes are not correct or a file does not meet Windows' security requirements.", - "event_ids": [ - "5038" - ], - "id": "0c871345-668e-4b71-bdad-61e42ecc31e3", - "level": "low", - "subcategory_guids": [ - "0CCE9212-69AE-11D9-BED3-505054503030" - ], - "title": "Code Integrity Error (Invalid Image Hash)" - }, - { - "description": "A logon process has registered with the Local Security Authority (LSA). Logon requests will now be accepted from this source. Technically, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. 
If it is a trusted logon process, the event generates. A logon process is a trusted part of the OS that handles logon methods (network, interactive, etc.)", - "event_ids": [ - "4611" - ], - "id": "41ca6049-dd12-462c-a772-7bba78d8e2f0", - "level": "informational", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Abnormal Logon Proc Registered With LSA" - }, - { - "description": "A logon process has registered with the Local Security Authority (LSA). Logon requests will now be accepted from this source. Technically, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates. A logon process is a trusted part of the OS that handles logon methods (network, interactive, etc.)", - "event_ids": [ - "4611" - ], - "id": "614c150b-905d-4071-9b8e-0425e370c493", - "level": "informational", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Logon Proc Registered With LSA" - }, - { - "description": "A new service was installed. (Possibly malware.)", - "event_ids": [ - "4697" - ], - "id": "95fe88c9-5b9d-4454-97b4-957918b84208", - "level": "informational", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Svc Installed" - }, - { - "description": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.", - "event_ids": [ - "4825" - ], - "id": "f97a152e-753c-4975-9375-19087fb66f8c", - "level": "informational", - "subcategory_guids": [], - "title": "RDP Denied" - }, - { - "description": "Logged when NTLM authentication is used usually for local accounts but NTLM can also be used with domain accounts. The original event title says it is only generated on domain controllers but that is not true. 
This also gets logged on clients.", - "event_ids": [ - "4776" - ], - "id": "4fbe94b0-577a-4f77-9b13-250e27d440fa", - "level": "informational", - "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "title": "NTLM Auth" - }, - { - "description": "Prints logon information.", - "event_ids": [ - "4769" - ], - "id": "da6257f3-cf49-464a-96fc-c84a7ce20636", - "level": "informational", - "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030" - ], - "title": "Kerberos Service Ticket Requested" - }, - { - "description": "Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.", - "event_ids": [ - "4769" - ], - "id": "f19849e7-b5ba-404b-a731-9b624d7f6d19", - "level": "medium", - "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030" - ], - "title": "Possible Kerberoasting (RC4 Kerberos Ticket Req)" - }, - { - "description": "For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.", - "event_ids": [ - "4768" - ], - "id": "dee2a01e-5d7c-45b4-aec3-ad9722f2165a", - "level": "medium", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "title": "Possible AS-REP Roasting (RC4 Kerberos Ticket Req)" - }, - { - "description": "Prints logon information.", - "event_ids": [ - "4768" - ], - "id": "d9f336ea-bb16-4a35-8a9c-183216b8d59c", - "level": "informational", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "title": "Kerberos TGT Requested" - }, - { - "description": "Directory Service Object Modified. 
Log written only to domain controllers (2008+)", - "event_ids": [ - "5136" - ], - "id": "22ee9fb7-64ca-4eed-92de-d1dbef1170b8", - "level": "informational", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "title": "Dir Svc Obj Modified" - }, - { - "description": "Detects when there is a RDP session disconnect.", - "event_ids": [ - "4779" - ], - "id": "f3532729-5536-42b4-ad74-d061b61a3891", - "level": "informational", - "subcategory_guids": [ - "0CCE921C-69AE-11D9-BED3-505054503030" - ], - "title": "RDP Session Disconnect" - }, - { - "description": "Detects when there is a RDP session reconnect.", - "event_ids": [ - "4778" - ], - "id": "db23f704-61c8-4c95-a5b7-4db61c89f41d", - "level": "informational", - "subcategory_guids": [ - "0CCE921C-69AE-11D9-BED3-505054503030" - ], - "title": "RDP Session Reconnect" - }, - { - "description": "Originally \"Special privileges assigned to new logon\". This will create a seperate LID that is used when special admin-level privileges are used.", - "event_ids": [ - "4672" - ], - "id": "fdd0b325-8b89-469c-8b0c-e5ddfe39b62e", - "level": "informational", - "subcategory_guids": [ - "0CCE921B-69AE-11D9-BED3-505054503030" - ], - "title": "Admin Logon" - }, - { - "description": "Prints logon information.", - "event_ids": [ - "4647" - ], - "id": "6bad16f1-02c4-4075-b414-3cd16944bc65", - "level": "informational", - "subcategory_guids": [ - "0CCE9216-69AE-11D9-BED3-505054503030" - ], - "title": "Logoff (User Initiated)" - }, - { - "description": "Prints logon information.", - "event_ids": [ - "4634" - ], - "id": "84288799-8b61-4d98-bad0-4043c40cf992", - "level": "informational", - "subcategory_guids": [ - "0CCE9216-69AE-11D9-BED3-505054503030" - ], - "title": "Logoff (Noisy)" - }, - { - "description": "Prints logon information.", - "event_ids": [ - "4634" - ], - "id": "7309e070-56b9-408b-a2f4-f1840f8f1ebf", - "level": "informational", - "subcategory_guids": [ - "0CCE9216-69AE-11D9-BED3-505054503030" - ], - "title": 
"Logoff" - }, - { - "description": "Type 9 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.", - "event_ids": [ - "4624" - ], - "id": "d80facaa-ca97-47bb-aed2-66362416eb49", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (NewCredentials) *Creds in memory*" - }, - { - "description": "Type 12 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.", - "event_ids": [ - "4624" - ], - "id": "f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (CachedRemoteInteractive) *Creds in memory*" - }, - { - "description": "System Noise", - "event_ids": [ - "4624" - ], - "id": "84e5ff02-5f8f-48c4-a7e9-88aa1fb888f7", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Service) (Noisy)" - }, - { - "description": "(From ultimatewindowsecurity.com)\nThis log is generated when\n1. A user connects to a server or runs a program locally using alternate credentials.\n For instance a user maps a drive to a server but specifies a different user's credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut,\n selecting Run as..., and then filling in a different user's credentials in the dialog box that appears. Or a user logs on to a web site using new specific credentials.\n2. When a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.\n3. With User Account Control enabled, an end user runs a program requiring admin authority. You will get this event where the process information is consent.exe.\n Unfortunately the Subject does not identify the end user.\n4. 
Logging on interactively to a server with a domain account. (Two 4624 events will also be generated.)\nThis logon event is unique in that it is logged on the source computer and not the target computer like most other logon events.\nAlso, it will be logged regardless of the logon being successful or not so consider it an attempt and not necessarily an actual successful logon.\n", - "event_ids": [ - "4648" - ], - "id": "8c1899fe-493d-4faf-aae1-0853a33a3278", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Explicit Logon Attempt" - }, - { - "description": "(From ultimatewindowsecurity.com)\nThis log is generated when\n1. A user connects to a server or runs a program locally using alternate credentials.\n For instance a user maps a drive to a server but specifies a different user's credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut,\n selecting Run as..., and then filling in a different user's credentials in the dialog box that appears. Or a user logs on to a web site using new specific credentials.\n2. When a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.\n3. With User Account Control enabled, an end user runs a program requiring admin authority. You will get this event where the process information is consent.exe.\n Unfortunately the Subject does not identify the end user.\n4. Logging on interactively to a server with a domain account. 
(Two 4624 events will also be generated.)\nThis logon event is unique in that it is logged on the source computer and not the target computer like most other logon events.\nAlso, it will be logged regardless of the logon being successful or not so consider it an attempt and not necessarily an actual successful logon.\n", - "event_ids": [ - "4648" - ], - "id": "a5b3ebf0-141a-4264-b2ff-400c0d515fca", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Explicit Logon Attempt (Noisy)" - }, - { - "description": "Detects explicit credential logons with suspicous processes like powershell and wmic which are often abused by malware like Cobalt Strike or Mimikatz for user impersonation.", - "event_ids": [ - "4648" - ], - "id": "7616e857-8e41-4976-bc21-811d122b9fc9", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Explicit Logon Attempt (Susp Proc) - Possible Mimikatz PrivEsc" - }, - { - "description": "Type 13 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.", - "event_ids": [ - "4624" - ], - "id": "e50e3952-06d9-44a8-ab07-7a41c9801d78", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (CachedUnlock) *Creds in memory*" - }, - { - "description": "Search for many 4625 failed logon attempts due to wrong usernames in a short period of time.", - "event_ids": [ - "4625" - ], - "id": "4574194d-e7ca-4356-a95c-21b753a1787e", - "level": "medium", - "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "User Guessing" - }, - { - "description": "Detects a failed logon event due to an incorrect username", - "event_ids": [ - "4625" - ], - "id": "b2c74582-0d44-49fe-8faa-014dcdafee62", - "level": "medium", - "subcategory_guids": [ - 
"0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Failed Logon - Non-Existent User" - }, - { - "description": "Type 11 Interactive logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.", - "event_ids": [ - "4624" - ], - "id": "fbbe9d3f-ed1f-49a9-9446-726e349f5fba", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (CachedInteractive) *Creds in memory*" - }, - { - "description": "Tries to detect token impersonation by tools like Cobalt Strike.", - "event_ids": [ - "4624" - ], - "id": "46614e82-7926-41f9-85aa-006b98c5c2a3", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Possible Token Impersonation" - }, - { - "description": "Prints logon type 5 service logons.", - "event_ids": [ - "4624" - ], - "id": "408e1304-51d7-4d3e-ab31-afd07192400b", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Service)" - }, - { - "description": "Prints logon information.", - "event_ids": [ - "4625" - ], - "id": "a85096da-be85-48d7-8ad5-2f957cd74daa", - "level": "low", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Logon Failure (Unknown Reason)" - }, - { - "description": "Prints logon information. Despite the naming NetworkCleartext, the password is not sent over the network in cleartext. 
It is usually for IIS Basic Authentication.", - "event_ids": [ - "4624" - ], - "id": "7ff51227-6a10-49e6-a58b-b9f4ac32b138", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (NetworkCleartext)" - }, - { - "description": "This is filtered by default as it is usually system noise.", - "event_ids": [ - "4624" - ], - "id": "b1782e40-d247-4de1-86d1-37392cb62e3b", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Interactive) (Noisy)" - }, - { - "description": "Detects a failed logon event due to a wrong password", - "event_ids": [ - "4648" - ], - "id": "ab1accc0-b6e2-4841-8dfb-5902581392c3", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Failed Logon - Incorrect Password" - }, - { - "description": "The logon event happens when the computer boots up.", - "event_ids": [ - "4624" - ], - "id": "9fa273cc-bcb2-4789-85e3-14ca253ac7f4", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (System) - Bootup" - }, - { - "description": "Detects a failed logon event due to a wrong password", - "event_ids": [ - "4625" - ], - "id": "5b0b75dc-9190-4047-b9a8-14164cee8a31", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Failed Logon - Incorrect Password" - }, - { - "description": "Prints logon information", - "event_ids": [ - "4624" - ], - "id": "b61bfa39-48ec-4bdf-9d4e-e7205f49acd2", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Unlock)" - }, - { - "description": "Prints failed logons", - "event_ids": [ - "4625" - ], - "id": "8afa97ce-a217-4f7c-aced-3e320a57756d", - "level": "low", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - 
"0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Logon Failure (User Does Not Exist)" - }, - { - "description": "Prints logon information", - "event_ids": [ - "4624" - ], - "id": "c7b22878-e5d8-4c30-b245-e51fd354359e", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Network)" - }, - { - "description": "Tries to detect token impersonation by tools like Cobalt Strike.", - "event_ids": [ - "4624" - ], - "id": "9e8b6cdb-9991-488b-a7b3-2eec7aa64679", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "NewInteractive Logon (Suspicious Process)" - }, - { - "description": "Type 2 Interactive logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.", - "event_ids": [ - "4624" - ], - "id": "7beb4832-f357-47a4-afd8-803d69a5c85c", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Interactive) *Creds in memory*" - }, - { - "description": "Prints logon information.", - "event_ids": [ - "4625" - ], - "id": "e87bd730-df45-4ae9-85de-6c75369c5d29", - "level": "low", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Logon Failure (Wrong Password)" - }, - { - "description": "Outputs system noise", - "event_ids": [ - "4624" - ], - "id": "0266af4f-8825-495e-959c-bff801094349", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Network) (Noisy)" - }, - { - "description": "Search for many 4625 wrong password failed logon attempts in a short period of time.", - "event_ids": [ - "4625" - ], - "id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e", - "level": "medium", - "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - 
"0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "PW Guessing" - }, - { - "description": "Prints logon information", - "event_ids": [ - "4624" - ], - "id": "8ad8b25f-6052-4cfd-9a50-717cb514af13", - "level": "informational", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Logon (Batch)" - }, - { - "description": "Search for many 4648 explicit credential logon attempts in a short period of time.", - "event_ids": [ - "4648" - ], - "id": "ffd622af-d049-449f-af5a-0492fdcc3a58", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "PW Spray" - }, - { - "description": "A process has enumerated credential information in Credential Manager. There will be many false positives so check if the Process ID (PID) is that of known malware on the system.", - "event_ids": [ - "5379" - ], - "id": "d8e3afc5-fa0a-4063-a4af-55e014eb1936", - "level": "low", - "subcategory_guids": [], - "title": "Credential Manager Enumerated" - }, - { - "description": "A process has read credentials in the Credential Manager. 
There will be many false positives so check if the Process ID (PID) is that of known malware on the system.", - "event_ids": [ - "5379" - ], - "id": "d478c070-8f84-4e65-9f45-cc432a000e93", - "level": "low", - "subcategory_guids": [], - "title": "Credential Manager Accessed" - }, - { - "description": "A user has cleared the Security event log.", - "event_ids": [ - "1102" - ], - "id": "c2f690ac-53f8-4745-8cfe-7127dda28c74", - "level": "high", - "subcategory_guids": [], - "title": "Log Cleared" - }, - { - "description": "", - "event_ids": [ - "4688" - ], - "id": "6c34b782-a5b5-4298-80f3-1918caf1f558", - "level": "low", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Possible LOLBIN" - }, - { - "description": "Detects a suspicious RDP session redirect using tscon.exe", - "event_ids": [ - "4688" - ], - "id": "6be7f3fc-8917-11ec-a8a3-0242ac120002", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Possible RDP Hijacking" - }, - { - "description": "Process execution.", - "event_ids": [ - "4688" - ], - "id": "ac933178-c222-430d-8dcf-17b4f3a2fed8", - "level": "informational", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Proc Exec" - }, - { - "description": "", - "event_ids": [ - "4688" - ], - "id": "75744b7f-7e4a-47fe-afbe-1ee74ec2448e", - "level": "medium", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "title": "Susp CmdLine (Possible Meterpreter getsystem)" - }, - { - "description": "User Added To Non-Admin Global Security Group. 
Only logged on DCs.", - "event_ids": [ - "4728" - ], - "id": "2f04e44e-1c79-4343-b4ab-ba670ee10aa0", - "level": "low", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "User Added To Non-Admin Global Grp" - }, - { - "description": "A user was added to the local Domain Admins group.", - "event_ids": [ - "4732" - ], - "id": "bc58e432-959f-464d-812e-d60ce5d46fa1", - "level": "high", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "User Added To Local Domain Admins Grp" - }, - { - "description": "A user was added to the Domain Admins group. Only logged on DCs.", - "event_ids": [ - "4728" - ], - "id": "4bb89c86-a138-42a0-baaf-fc2f777a4506", - "level": "high", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "User Added To Global Domain Admins Grp" - }, - { - "description": "A user was added to the local Administrators group. Unfortunately the user name does not get recorded in the log, only the SID, so you need to look up the username via the SID.", - "event_ids": [ - "4732" - ], - "id": "611e2e76-a28f-4255-812c-eb8836b2f5bb", - "level": "high", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "User Added To Local Admin Grp" - }, - { - "description": "A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subject user is the user that performed the action. 
Only logged on DCs.", - "event_ids": [ - "4728" - ], - "id": "0db443ba-561c-4a04-b349-d74ce1c5fc8b", - "level": "medium", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "User Added To Global Security Grp" - }, - { - "description": "A computer account was created.", - "event_ids": [ - "4741" - ], - "id": "42a0a842-2b82-4b2d-8e44-5580fb6c38db", - "level": "informational", - "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030" - ], - "title": "Computer Account Created" - }, - { - "description": "A user accounts password was changed by another account. The current password is not required to reset the password. An adversary might change the password of another account to lock out legitimate users or gain access to the account. This could be done if the account controlled by the attacker has permission to change the password, or as a step in attacks like Pass the Cert.", - "event_ids": [ - "4724" - ], - "id": "0b78aca4-35f0-4bec-acce-c5743ff26614", - "level": "medium", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Password Reset By Admin" - }, - { - "description": "A local user account was created.", - "event_ids": [ - "4720" - ], - "id": "13edce80-2b02-4469-8de4-a3e37271dcdb", - "level": "low", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Local User Account Created" - }, - { - "description": "A user account changed it's own password. Adversaries might change the password to lockout legitimate user or set the password to a known clear text passwort via Pass the Hash if only the password hash is known. 
This will allow an adversary to access services where Pass the Hash is not an option.", - "event_ids": [ - "4723" - ], - "id": "3b3046f3-a51c-4378-b059-c716aaa865b4", - "level": "medium", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "User Password Changed" - }, - { - "description": "A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.", - "event_ids": [ - "4720" - ], - "id": "70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a", - "level": "high", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Hidden User Account Created" - }, - { - "description": "Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk. \nFor example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.) \nDisk wipers like bcwipe will also generate this.\nMore legitimate filepaths may have to be added to the filter.\nThis is marked as a medium alert as there is a high possibility for false positives.\n", - "event_ids": [ - "4673" - ], - "id": "5b6e58ee-c231-4a54-9eee-af2577802e08", - "level": "medium", - "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030", - "0CCE9228-69AE-11D9-BED3-505054503030" - ], - "title": "Process Ran With High Privilege" - }, - { - "description": "User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.", - "event_ids": [ - "4674" - ], - "id": "15db3cc7-30bd-47a0-bd75-66208ce8e3fe", - "level": "medium", - "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030" - ], - "title": "Possible Hidden Service Created" - }, - { - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "event_ids": [ - "4701" - ], - "id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a", - "level": "medium", - "subcategory_guids": [ - 
"0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "title": "Defrag Deactivation - Security" - }, - { - "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report", - "event_ids": [ - "4698" - ], - "id": "798c8f65-068a-0a31-009f-12739f547a2d", - "level": "critical", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "title": "OilRig APT Schedule Task Persistence - Security" - }, - { - "description": "This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.\nThis will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.\nThis requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.\n", - "event_ids": [ - "4663" - ], - "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", - "level": "medium", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "ScreenConnect User Database Modification - Security" - }, - { - "description": "This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. 
This occurs during exploitation of CVE-2024-1708.\nThis requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.\n", - "event_ids": [ - "4663" - ], - "id": "74d067bc-3f42-3855-c13d-771d589cf11c", - "level": "critical", - "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" - ], - "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" - }, - { - "description": "Detects any creation or modification to a windows domain group with the name \"ESX Admins\".\nThis could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n", - "event_ids": [ - "4737", - "4727", - "4755", - "4731", - "4754", - "4728", - "4756" - ], - "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", - "level": "high", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity" - }, - { - "description": "Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.", - "event_ids": [ - "4698" - ], - "id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2", - "level": "high", - "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Kapeka Backdoor Scheduled Task Creation" - }, - { - "description": "Detects the installation of a service named \"javamtsup\" on the system.\nThe CosmicDuke info stealer uses Windows services typically named \"javamtsup\" for persistence.\n", - "event_ids": [ - 
"4697" - ], - "id": "8428d90d-a928-f70a-c46e-f08457d6b01f", - "level": "critical", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "CosmicDuke Service Installation" - }, - { - "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.", - "event_ids": [ - "4663", - "4656" - ], - "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43", - "level": "critical", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" - ], - "title": "CVE-2023-23397 Exploitation Attempt" - }, - { - "description": "Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884", - "event_ids": [ - "5140" - ], - "id": "5a3b13ed-8700-5d72-5592-4dbeacbeeb64", - "level": "high", - "subcategory_guids": [ - "0CCE9224-69AE-11D9-BED3-505054503030" - ], - "title": "Potential CVE-2023-36884 Exploitation - Share Access" - }, - { - "description": "Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability\n", - "event_ids": [ - "4698" - ], - "id": "05731ce3-cfda-dbba-3792-c17794a22cf7", - "level": "critical", - "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Diamond Sleet APT Scheduled Task Creation" - }, - { - "description": "Hunts for known SVR-specific scheduled task names", - "event_ids": [ - "4699", - "4702", - "4698" - ], - "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", - "level": "high", - "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor" - }, - { - "description": "Detects remote printer driver load from Detailed File 
Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", - "event_ids": [ - "5145" - ], - "id": "52b5923e-1ef2-aaad-5513-3c830f3c5850", - "level": "critical", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access" - }, - { - "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", - "event_ids": [ - "4781" - ], - "id": "17662114-5bee-2566-359c-68d830193830", - "level": "high", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Computer Account Name Change CVE-2021-42287" - }, - { - "description": "Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.", - "event_ids": [ - "4656", - "5145", - "4663" - ], - "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", - "level": "high", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" - ], - "title": "BlueSky Ransomware Artefacts" - }, - { - "description": "Detects activity mentioned in Operation Wocao report", - "event_ids": [ - "4799" - ], - "id": "c9b5cb6f-906f-3a15-b77e-1b634b1d4e55", - "level": "high", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "Operation Wocao Activity - Security" - }, - { - "description": "Remote registry management using REG utility from non-admin workstation", - "event_ids": [ - "5145" - ], - "id": "e9f405d3-e7ea-9adf-2f31-9ab2a7a90f5a", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Registry Management Using Reg 
Utility" - }, - { - "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", - "event_ids": [ - "4624", - "4625" - ], - "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Pass the Hash Activity" - }, - { - "description": "Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)", - "event_ids": [ - "4742" - ], - "id": "7d4b25c3-0cef-1638-1d47-bb18acda0e6c", - "level": "high", - "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Zerologon (CVE-2020-1472) Exploitation" - }, - { - "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", - "event_ids": [ - "4672", - "4964" - ], - "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1", - "level": "low", - "subcategory_guids": [ - "0CCE921B-69AE-11D9-BED3-505054503030" - ], - "title": "User with Privileges Logon" - }, - { - "description": "Detects interactive console logons to Server Systems", - "event_ids": [ - "529", - "528", - "4625", - "4624" - ], - "id": "7298c707-7564-3229-7c76-ec514847d8c2", - "level": "medium", - "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Interactive Logon to Server Systems" - }, - { - "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.\nThis event is best correlated and used as an enrichment to determine the potential lateral movement activity.\n", - "event_ids": [ - "4624" - ], - "id": "910ec16d-6957-01b7-39a8-5e676e459cac", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Remote WMI ActiveScriptEventConsumers Activity" - }, - { 
- "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME", - "event_ids": [ - "4699" - ], - "id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3", - "level": "low", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "title": "Scheduled Task Deletion" - }, - { - "description": "Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.\n", - "event_ids": [ - "4663" - ], - "id": "7619b716-8052-6323-d9c7-87923ef591e6", - "level": "low", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "Access To Browser Credential Files By Uncommon Applications - Security" - }, - { - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "event_ids": [ - "4697" - ], - "id": "8ec23dfa-00a7-2b09-1756-678e941d69b2", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Via Use Clip - Security" - }, - { - "description": "Detects external disk drives or plugged-in USB devices.", - "event_ids": [ - "6416" - ], - "id": "eab514f7-3f9b-a705-4d1d-8fee3d81c4b5", - "level": "low", - "subcategory_guids": [ - "0CCE9248-69AE-11D9-BED3-505054503030" - ], - "title": "External Disk Drive Or USB Storage Device Was Recognized By The System" - }, - { - "description": "Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.\n", - "event_ids": [ - "5156" - ], - "id": "1ee90f6c-2d09-5bcf-b8fd-06fe14f86746", - "level": "medium", - 
"subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Uncommon Outbound Kerberos Connection - Security" - }, - { - "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", - "event_ids": [ - "4662" - ], - "id": "5c8e2537-5c7f-56d8-de80-1f0746b61067", - "level": "critical", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "Active Directory Replication from Non Machine Account" - }, - { - "description": "Detects the mount of an ISO image on an endpoint", - "event_ids": [ - "4663" - ], - "id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf", - "level": "medium", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "ISO Image Mounted" - }, - { - "description": "Detects suspicious scheduled task creation events. 
Based on attributes such as paths, commands line flags, etc.", - "event_ids": [ - "4698" - ], - "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba", - "level": "high", - "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Scheduled Task Creation" - }, - { - "description": "Detects service ticket requests using RC4 encryption type", - "event_ids": [ - "4769" - ], - "id": "2d20edf4-6141-35c5-e54f-3c578082d1d3", - "level": "medium", - "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Kerberos RC4 Ticket Encryption" - }, - { - "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", - "event_ids": [ - "4616" - ], - "id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0", - "level": "low", - "subcategory_guids": [ - "0CCE9210-69AE-11D9-BED3-505054503030", - "69979849-797A-11D9-BED3-505054503030" - ], - "title": "Unauthorized System Time Modification" - }, - { - "description": "An attacker can use the SID history attribute to gain additional privileges.", - "event_ids": [ - "4738", - "4765", - "4766" - ], - "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad", - "level": "medium", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Addition of SID History to Active Directory Object" - }, - { - "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", - "event_ids": [ - "4692" - ], - "id": "725b729a-b3ea-fb14-9cad-a4e944af8b5d", - "level": "medium", - "subcategory_guids": [ - "0CCE922D-69AE-11D9-BED3-505054503030" - ], - "title": "DPAPI Domain Master Key Backup Attempt" - }, - { - "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. 
This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n", - "event_ids": [ - "4673" - ], - "id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7", - "level": "medium", - "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030", - "0CCE9228-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" - }, - { - "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", - "event_ids": [ - "5379" - ], - "id": "586bcb8e-f698-f372-54cf-ff08727352e7", - "level": "high", - "subcategory_guids": [], - "title": "Password Protected ZIP File Opened (Suspicious Filenames)" - }, - { - "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", - "event_ids": [ - "5145" - ], - "id": "73d3720b-e4f3-d7e1-2a3f-8ca0a5e1fc1b", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Transferring Files with Credential Data via Network Shares" - }, - { - "description": "Detects failed Kerberos TGT issue operation. 
This can be a sign of manipulations of TGT messages by an attacker.", - "event_ids": [ - "4769", - "4771", - "675", - "4768" - ], - "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b", - "level": "high", - "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030", - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "title": "Kerberos Manipulation" - }, - { - "description": "Detects locked workstation session events that occur automatically after a standard period of inactivity.", - "event_ids": [ - "4800" - ], - "id": "c4d03743-7286-15e4-d317-c86d1b5fdc09", - "level": "informational", - "subcategory_guids": [ - "0CCE921C-69AE-11D9-BED3-505054503030" - ], - "title": "Locked Workstation" - }, - { - "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.\n", - "event_ids": [ - "6281", - "5038" - ], - "id": "4f738466-2a14-5842-1eb3-481614770a49", - "level": "informational", - "subcategory_guids": [ - "0CCE9212-69AE-11D9-BED3-505054503030" - ], - "title": "Failed Code Integrity Checks" - }, - { - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "event_ids": [ - "4697" - ], - "id": "eb15263a-80e1-a789-18a9-ec45f9a6edfc", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" - }, - { - "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", - "event_ids": [ - "4720" - ], - "id": "23013005-3d59-4dbe-dabd-d17a54e6c6cf", - "level": "high", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Hidden Local User Creation" - }, - { - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "event_ids": [ - "4697" - ], - "id": "89d88072-7a24-8218-a044-0c071bf36bf6", - "level": "high", - "subcategory_guids": [ - 
"0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Via Use Rundll32 - Security" - }, - { - "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", - "event_ids": [ - "4661" - ], - "id": "93c95eee-748a-e1db-18a5-f40035167086", - "level": "high", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030", - "0CCE9220-69AE-11D9-BED3-505054503030" - ], - "title": "AD Privileged Users or Groups Reconnaissance" - }, - { - "description": "Detects scenarios where system auditing for important events such as \"Process Creation\" or \"Logon\" events is disabled.", - "event_ids": [ - "4719" - ], - "id": "5fa54162-0bc4-710e-5dec-7ccc99ee4d52", - "level": "high", - "subcategory_guids": [ - "0CCE922F-69AE-11D9-BED3-505054503030" - ], - "title": "Important Windows Event Auditing Disabled" - }, - { - "description": "Detects known sensitive file extensions accessed on a network share", - "event_ids": [ - "5145" - ], - "id": "4af39497-9655-9586-817d-94f0df38913f", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Access to Sensitive File Extensions" - }, - { - "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", - "event_ids": [ - "4697" - ], - "id": "1b037a84-214e-b58a-53ae-949542063f1f", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" - }, - { - "description": "Detects DCShadow via create new SPN", - "event_ids": [ - "5136", - "4742" - ], - "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433", - "level": "medium", - "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030", - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "title": "Possible DC Shadow Attack" - }, - { - "description": "Detects process handle on LSASS 
process with certain access mask", - "event_ids": [ - "4656", - "4663" - ], - "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", - "level": "medium", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "Potentially Suspicious AccessMask Requested From LSASS" - }, - { - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "event_ids": [ - "4697" - ], - "id": "df47c51b-2738-8866-a1d7-86b96fb5b5ca", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Service Installed By Unusual Client - Security" - }, - { - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", - "event_ids": [ - "4656", - "4663" - ], - "id": "321196fe-fb10-6b13-c611-3dfe40baa1af", - "level": "medium", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "Azure AD Health Monitoring Agent Registry Keys Access" - }, - { - "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", - "event_ids": [ - "5145" - ], - "id": "85e72fe3-83af-8ed9-39d3-2883e46059f1", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security" - }, - { - "description": "Detects basic 
PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", - "event_ids": [ - "5156" - ], - "id": "cc1d9970-7c17-d738-f5cb-8fb12f02d0fd", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Remote PowerShell Sessions Network Connections (WinRM)" - }, - { - "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", - "event_ids": [ - "4697" - ], - "id": "85e291ec-b85b-2553-1aba-03c9ad116b61", - "level": "medium", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Access Tool Services Have Been Installed - Security" - }, - { - "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", - "event_ids": [ - "5136", - "5145" - ], - "id": "01628b51-85e1-4088-9432-a11cba9f3ebd", - "level": "high", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Persistence and Execution at Scale via GPO Scheduled Task" - }, - { - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "event_ids": [ - "4697" - ], - "id": "fbc9679a-a1f8-33c7-5a85-c6e7a3c2363f", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation VAR+ Launcher - Security" - }, - { - "description": "Detects read access to a domain user from a non-machine account", - "event_ids": [ - "4662" - ], - "id": "fe814c5a-505f-a313-7d8c-030187c24e8e", - "level": "medium", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "Potential AD User Enumeration From Non-Machine Account" - }, - { - "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", - "event_ids": [ - "5379" - ], - "id": "7e1daab0-3263-403e-ec26-de48e3bf22c3", - "level": "medium", - "subcategory_guids": [], - "title": "Password Protected ZIP File Opened" - }, - { - "description": "Detects powershell script installed as a Service", - "event_ids": [ - "4697" - ], - "id": "8c3523c1-357b-5653-335a-9db3ecfcbc2a", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "PowerShell Scripts Installed as Services - Security" - }, - { - "description": "Detects WRITE_DAC access to a domain object", - "event_ids": [ - "4662" - ], - "id": "09c08048-5eab-303f-dfe3-706a6052b6f9", - "level": "critical", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "AD Object WriteDAC Access" - }, - { - "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", - "event_ids": [ - "4738" - ], - "id": "2ea71437-cb4d-5a41-2431-1773fce76de8", - "level": "high", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Weak Encryption Enabled and Kerberoast" - }, - { - "description": "Addition of domains is seldom and should be verified for legitimacy.", - "event_ids": [ - "4706" - ], - "id": "5a3e5a2f-bdf8-d6d0-f439-5543b54d5ba5", - "level": "medium", - "subcategory_guids": [ - "0CCE9230-69AE-11D9-BED3-505054503030" - ], - "title": "A New Trust Was Created To A Domain" - }, - { - "description": "Detects access to ADMIN$ network share", - "event_ids": [ - "5140" - ], - "id": "37b219bc-37bb-1261-f179-64307c1a1829", - "level": "low", - "subcategory_guids": [ - "0CCE9224-69AE-11D9-BED3-505054503030" - ], - "title": "Access To ADMIN$ Network Share" - }, - { - "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow 
restricted.", - "event_ids": [ - "4625", - "4776" - ], - "id": "655eb351-553b-501f-186e-aa9af13ecf43", - "level": "medium", - "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Account Tampering - Suspicious Failed Logon Reasons" - }, - { - "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", - "event_ids": [ - "4663", - "4657" - ], - "id": "249d836c-8857-1b98-5d7b-050c2d34e275", - "level": "high", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "Sysmon Channel Reference Deletion" - }, - { - "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", - "event_ids": [ - "4663", - "4657", - "4656" - ], - "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67", - "level": "medium", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Processes Accessing the Microphone and Webcam" - }, - { - "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", - "event_ids": [ - "4663", - "4656" - ], - "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505", - "level": "high", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "SysKey Registry Keys Access" - }, - { - "description": "Detects potential token impersonation and theft. 
Example, when using \"DuplicateToken(Ex)\" and \"ImpersonateLoggedOnUser\" with the \"LOGON32_LOGON_NEW_CREDENTIALS flag\".", - "event_ids": [ - "4624" - ], - "id": "e8c130a4-cf04-543d-919b-76947bde76b8", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Access Token Abuse" - }, - { - "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", - "event_ids": [ - "4624" - ], - "id": "dd648614-9dd8-fab8-92d6-be7dfa1b393c", - "level": "critical", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "DiagTrackEoP Default Login Username" - }, - { - "description": "Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.", - "event_ids": [ - "4625" - ], - "id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Failed Logon From Public IP" - }, - { - "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", - "event_ids": [ - "4625" - ], - "id": "232ecd79-c09d-1323-8e7e-14322b766855", - "level": "high", - "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" - }, - { - "description": "Detect remote login by Administrator user (depending on internal pattern).", - "event_ids": [ - "4624" - ], - "id": "de5d0dd7-b73e-7f18-02b0-6b1acb7e9f52", - "level": "low", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Admin User Remote Logon" - }, - { - "description": "Detects activity when a member is removed from a security-enabled global group", - "event_ids": [ - "4729", - "633" - ], - "id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c", - "level": 
"low", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "A Member Was Removed From a Security-Enabled Global Group" - }, - { - "description": "Detects successful logon attempts performed with WMI", - "event_ids": [ - "4624" - ], - "id": "c310cab1-252e-1d98-6b6f-e6e60c88a374", - "level": "low", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Successful Account Login Via WMI" - }, - { - "description": "Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.", - "event_ids": [ - "4624" - ], - "id": "56a1bb6f-e039-3f65-3ea0-de425cefa8a7", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "External Remote RDP Logon from Public IP" - }, - { - "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", - "event_ids": [ - "4624" - ], - "id": "a1f9fad3-d563-5f3f-de09-e4ca03b97522", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "RottenPotato Like Attack Pattern" - }, - { - "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", - "event_ids": [ - "4624" - ], - "id": "059e7255-411c-1666-a2e5-2e99e294e614", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Pass the Hash Activity 2" - }, - { - "description": "Detects logon events that specify new credentials", - "event_ids": [ - "4624" - ], - "id": "897e25ba-f935-3fd3-c6d5-f9abf379e831", - "level": "low", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Outgoing Logon with New Credentials" - }, - { - "description": "RDP login with localhost source address may be a tunnelled login", - "event_ids": [ - "4624" - ], - "id": "b3f33f69-1331-d3d0-eb62-81f477abad86", - "level": "high", - 
"subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "RDP Login from Localhost" - }, - { - "description": "Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.\nThis may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.\n", - "event_ids": [ - "4624" - ], - "id": "96896e3a-28de-da11-c7fd-0040868e3a2f", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Privilege Escalation via Local Kerberos Relay over LDAP" - }, - { - "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", - "event_ids": [ - "4624" - ], - "id": "20f4e87b-c272-42da-9a1f-ad54206e3622", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Successful Overpass the Hash Attempt" - }, - { - "description": "Detects activity when a security-enabled global group is deleted", - "event_ids": [ - "634", - "4730" - ], - "id": "ae7d8d1c-f75b-d952-e84e-a7981b861590", - "level": "low", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "A Security-Enabled Global Group Was Deleted" - }, - { - "description": "Detects activity when a member is added to a security-enabled global group", - "event_ids": [ - "4728", - "632" - ], - "id": "26767093-828c-2f39-bdd8-d0439e87307c", - "level": "low", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "A Member Was Added to a Security-Enabled Global Group" - }, - { - "description": "Detects successful logon from public IP address via SMB. 
This can indicate a publicly-exposed SMB port.", - "event_ids": [ - "4624" - ], - "id": "5c67a566-7829-eb05-4a1f-0eb292ef993f", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "External Remote SMB Logon from Public IP" - }, - { - "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", - "event_ids": [ - "4663", - "4656" - ], - "id": "de10da38-ee60-f6a4-7d70-4d308558158b", - "level": "critical", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "title": "WCE wceaux.dll Access" - }, - { - "description": "Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity", - "event_ids": [ - "4732" - ], - "id": "6695d6a2-9365-ee87-ccdd-966b0e1cdbd4", - "level": "medium", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "User Added to Local Administrator Group" - }, - { - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "event_ids": [ - "4663" - ], - "id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Teams Application Related ObjectAcess Event" - }, - { - "description": "Detects suspicious processes logging on with explicit credentials", - "event_ids": [ - "4648" - ], - "id": "250cf413-1d30-38fd-4b41-ae5a92452700", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Remote Logon with Explicit Credentials" - }, - { - "description": "Detects update to 
a scheduled task event that contain suspicious keywords.", - "event_ids": [ - "4702" - ], - "id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Scheduled Task Update" - }, - { - "description": "Detect PetitPotam coerced authentication activity.", - "event_ids": [ - "5145" - ], - "id": "bcc12e55-1578-5174-2a47-98a6211a1c6c", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Possible PetitPotam Coerce Authentication Attempt" - }, - { - "description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations", - "event_ids": [ - "4647", - "4634" - ], - "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b", - "level": "informational", - "subcategory_guids": [ - "0CCE9216-69AE-11D9-BED3-505054503030" - ], - "title": "User Logoff Event" - }, - { - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", - "event_ids": [ - "5145" - ], - "id": "f252afa3-fe83-562c-01c0-1334f55af84c", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "T1047 Wmiprvse Wbemcomn DLL Hijack" - }, - { - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "event_ids": [ - "4697" - ], - "id": "3ae69c7e-e865-c0e2-05b7-553ab8979ac0", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation STDIN+ Launcher - Security" - }, - { - "description": "Detects non-system users performing privileged operation os the SCM database", - "event_ids": [ - "4674" - ], - "id": "ec9c7ea2-54d7-3a55-caa8-4741f099505a", - "level": "medium", - "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030" - ], - "title": "SCM 
Database Privileged Operation" - }, - { - "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", - "event_ids": [ - "4662" - ], - "id": "c42c534d-16ae-877f-0722-6d6914090855", - "level": "high", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "DPAPI Domain Backup Key Extraction" - }, - { - "description": "Detects an installation of a device that is forbidden by the system policy", - "event_ids": [ - "6423" - ], - "id": "53f7ff98-38dd-f02c-0658-1debbf8deddc", - "level": "medium", - "subcategory_guids": [ - "0CCE9248-69AE-11D9-BED3-505054503030" - ], - "title": "Device Installation Blocked" - }, - { - "description": "Detects potential use of Rubeus via registered new trusted logon process", - "event_ids": [ - "4611" - ], - "id": "a5498e1f-e40d-d8b1-bceb-5931f5169dbd", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Register new Logon Process by Rubeus" - }, - { - "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", - "event_ids": [ - "4704" - ], - "id": "eaafcd7e-3303-38d1-9cff-fcfbae177f4d", - "level": "high", - "subcategory_guids": [ - "0CCE9231-69AE-11D9-BED3-505054503030" - ], - "title": "Enabled User Right in AD to Control User Objects" - }, - { - "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", - "event_ids": [ - "5379" - ], - "id": "77366099-d04a-214d-365c-c62c537df3ba", - "level": "high", - "subcategory_guids": [], - "title": "Password Protected ZIP File Opened (Email Attachment)" - }, - { - "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", - "event_ids": [ - "5145" - ], - "id": "426009da-814c-c1c0-cf41-6631c9ff6a8e", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious PsExec Execution" - }, - { - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "event_ids": [ - "4697" - ], - "id": "3d2e9eef-8851-f3ed-49e1-53e350e277cb", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "CobaltStrike Service Installations - Security" - }, - { - "description": "Detects NetNTLM downgrade attack", - "event_ids": [ - "4657" - ], - "id": "68f0908b-8434-9199-f0a3-350c27ac97c4", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "NetNTLM Downgrade Attack" - }, - { - "description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.", - "event_ids": [ - "4656", - "4658", - "4663" - ], - "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", - "level": "medium", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9223-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Potential Secure Deletion with SDelete" - }, - { - "description": "This detection excludes known namped pipes accessible remotely 
and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", - "event_ids": [ - "5145" - ], - "id": "308a3356-4624-7c95-24df-cf5a02e5eb56", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "First Time Seen Remote Named Pipe" - }, - { - "description": "Detects well-known credential dumping tools execution via service execution events", - "event_ids": [ - "4697" - ], - "id": "633bd649-4b18-b5bd-d923-07caeccd1ee0", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Credential Dumping Tools Service Execution - Security" - }, - { - "description": "Detects handles requested to SAM registry hive", - "event_ids": [ - "4656" - ], - "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39", - "level": "high", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "SAM Registry Hive Handle Request" - }, - { - "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.\n", - "event_ids": [ - "5136", - "5145" - ], - "id": "bc613d09-5a80-cad3-6f65-c5020f960511", - "level": "medium", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Startup/Logon Script Added to Group Policy Object" - }, - { - "description": "Detects certificate creation with template allowing risk permission subject", - "event_ids": [ - "4899", - "4898" - ], - "id": "3a655a7c-a830-77ad-fc8b-f054fb713304", - "level": "low", - "subcategory_guids": [ - "0CCE9221-69AE-11D9-BED3-505054503030" - ], - "title": "ADCS Certificate Template Configuration Vulnerability" - }, - { - "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", - 
"event_ids": [ - "4661" - ], - "id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef", - "level": "high", - "subcategory_guids": [ - "0CCE9220-69AE-11D9-BED3-505054503030", - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "Reconnaissance Activity" - }, - { - "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", - "event_ids": [ - "4768" - ], - "id": "cd01c787-aad1-bbed-5842-aa8e58410aad", - "level": "high", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "title": "PetitPotam Suspicious Kerberos TGT Request" - }, - { - "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", - "event_ids": [ - "4697" - ], - "id": "566fa294-85f7-af27-80c7-753d9941729b", - "level": "medium", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Pcap Drivers" - }, - { - "description": "Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.\n", - "event_ids": [ - "5441", - "5447" - ], - "id": "4d56e133-40b5-5b28-07b5-bab0913fc338", - "level": "high", - "subcategory_guids": [ - "0CCE9234-69AE-11D9-BED3-505054503030", - "0CCE9233-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - EDRSilencer Execution - Filter Added" - }, - { - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "event_ids": [ - "4697" - ], - "id": 
"b073cf4b-ed38-0a6f-38d3-50997892d7e7", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Via Stdin - Security" - }, - { - "description": "Detects when the password policy is enumerated.", - "event_ids": [ - "4661" - ], - "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4", - "level": "medium", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030", - "0CCE9220-69AE-11D9-BED3-505054503030" - ], - "title": "Password Policy Enumerated" - }, - { - "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", - "event_ids": [ - "5136" - ], - "id": "925d441a-37b4-0afa-1d98-809b5df5fd06", - "level": "high", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious LDAP-Attributes Used" - }, - { - "description": "Detects execution of Impacket's psexec.py.", - "event_ids": [ - "5145" - ], - "id": "24e370e0-b9f0-5851-0261-f984742ff2a1", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Impacket PsExec Execution" - }, - { - "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", - "event_ids": [ - "5145" - ], - "id": "7695295d-281f-23ce-d52e-8336ebd47532", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Protected Storage Service Access" - }, - { - "description": "Detects possible addition of shadow credentials to an active directory object.", - "event_ids": [ - "5136" - ], - "id": "8bcf1772-4335-28e1-e320-5ce48b15ae9f", - "level": "high", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "title": "Possible Shadow Credentials Added" - }, - { - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "event_ids": [ - "4657" - ], - "id": "107a403c-5a05-2568-95a7-a7329d714440", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "ETW Logging Disabled In .NET Processes - Registry" - }, - { - "description": "Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. 
Apply this Sigma Use Case on your Windows server logs and not on your DC logs.\n", - "event_ids": [ - "4720" - ], - "id": "5ecd226b-563f-4723-7a1e-d637d81f0a1f", - "level": "low", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Local User Creation" - }, - { - "description": "Detects potential attempts made to set the Directory Services Restore Mode administrator password.\nThe Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.\nAttackers may change the password in order to obtain persistence.\n", - "event_ids": [ - "4794" - ], - "id": "4592ea29-1b0e-0cc3-7735-b7f264c0a5b8", - "level": "high", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Password Change on Directory Service Restore Mode (DSRM) Account" - }, - { - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "event_ids": [ - "4697" - ], - "id": "e2755f38-e817-94c0-afef-acff29676b43", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" - }, - { - "description": "This rule will collect the data needed to start looking into possible kerberoasting activity.\nFurther analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.\nYou can then set a threshold for the number of requests and time between the requests to turn this into an alert.\n", - "event_ids": [ - "4769" - ], - "id": "4386b4e0-f268-42a6-b91d-e3bb768976d6", - "level": "medium", - "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030" - ], - "title": "Kerberoasting Activity - Initial Query" - }, - { - "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response 
is sent to the client", - "event_ids": [ - "4649" - ], - "id": "167784ae-8d7f-ca00-e9d9-586a4c8469e8", - "level": "high", - "subcategory_guids": [ - "0CCE921C-69AE-11D9-BED3-505054503030" - ], - "title": "Replay Attack Detected" - }, - { - "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", - "event_ids": [ - "4720" - ], - "id": "e5c627ea-fa27-df99-0573-e47092dc4a98", - "level": "high", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created" - }, - { - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "event_ids": [ - "4697" - ], - "id": "d0c8e98d-0746-a43c-9170-c04e7f7a3867", - "level": "medium", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security" - }, - { - "description": "Alerts on Metasploit host's authentications on the domain.", - "event_ids": [ - "4776", - "4625", - "4624" - ], - "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71", - "level": "high", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "title": "Metasploit SMB Authentication" - }, - { - "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", - "event_ids": [ - "4662" - ], - "id": "ec2275df-3a0a-933f-0573-490938cc47ef", - "level": "medium", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "WMI Persistence - Security" - }, - { - "description": "Detects modifications to the Windows Defender exclusion registry key. 
This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.\n", - "event_ids": [ - "4657" - ], - "id": "8948f034-2d45-47bc-c04b-14ab124247f3", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Defender Exclusion List Modified" - }, - { - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "event_ids": [ - "4697" - ], - "id": "3dc2d411-4f0e-6564-d243-8351afd3d375", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Via Use MSHTA - Security" - }, - { - "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", - "event_ids": [ - "5145" - ], - "id": "37f5d188-182d-7a53-dca7-4bebbb6ce43e", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "SMB Create Remote File Admin Share" - }, - { - "description": "Detects the installation of a well-known TAP driver service. 
This could be a sign of potential preparation for data exfiltration using tunnelling techniques.\n", - "event_ids": [ - "4697" - ], - "id": "15284efb-90de-5675-59c5-433d34675e8e", - "level": "low", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Tap Driver Installation - Security" - }, - { - "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", - "event_ids": [ - "5145" - ], - "id": "93fd0f77-62da-26fb-3e96-71cde45a9680", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Task Creation via ATSVC Named Pipe" - }, - { - "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", - "event_ids": [ - "4663", - "4656" - ], - "id": "06b8bcc0-326b-518a-3868-fe0721488fb8", - "level": "medium", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "title": "LSASS Access From Non System Account" - }, - { - "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", - "event_ids": [ - "4825" - ], - "id": "c0c9db9a-0a47-c9fd-13fd-965eadb10a6f", - "level": "medium", - "subcategory_guids": [], - "title": "Denied Access To Remote Desktop" - }, - { - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "event_ids": [ - "4697" - ], - "id": "9ab29a5b-d66d-a41e-bdaf-8c718011875c", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation Obfuscated IEX Invocation - 
Security" - }, - { - "description": "Detects non-system users failing to get a handle of the SCM database.", - "event_ids": [ - "4656" - ], - "id": "474caaa9-3115-c838-1509-59ffb6caecfc", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "SCM Database Handle Failure" - }, - { - "description": "Detect AD credential dumping using impacket secretdump HKTL", - "event_ids": [ - "5145" - ], - "id": "677980bc-7dcc-1f9a-e161-a7f310ec9652", - "level": "high", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Possible Impacket SecretDump Remote Activity" - }, - { - "description": "Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.\nAdversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.\n", - "event_ids": [ - "5157" - ], - "id": "764518e5-4160-b679-1946-cbd0e76705da", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Filtering Platform Blocked Connection From EDR Agent Binary" - }, - { - "description": "Rule to detect the Hybrid Connection Manager service installation.", - "event_ids": [ - "4697" - ], - "id": "54f9b4d2-3f4a-675f-58d6-9995ae58f988", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "HybridConnectionManager Service Installation" - }, - { - "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", - "event_ids": [ - "5145" - ], - "id": "192d9d70-11ad-70e5-9d6c-d32a1ec74857", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Network Access Suspicious desktop.ini Action" - }, - { - "description": "Detects \"read access\" requests on the services registry key.\nAdversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.\n", - "event_ids": [ - "4663" - ], - "id": "d1909400-93d7-de3c-ba13-153c64499c7c", - "level": "low", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" - ], - "title": "Service Registry Key Read Access Request" - }, - { - "description": "Detects write access requests to the Windows Defender exclusions registry keys. 
This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.\n", - "event_ids": [ - "4656", - "4663" - ], - "id": "777523b0-14f8-1ca2-12c9-d668153661ff", - "level": "medium", - "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Defender Exclusion Registry Key - Write Access Requested" - }, - { - "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", - "event_ids": [ - "4898", - "4899" - ], - "id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b", - "level": "high", - "subcategory_guids": [ - "0CCE9221-69AE-11D9-BED3-505054503030" - ], - "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU" - }, - { - "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", - "event_ids": [ - "1102", - "517" - ], - "id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9", - "level": "high", - "subcategory_guids": [], - "title": "Security Eventlog Cleared" - }, - { - "description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n", - "event_ids": [ - "5447", - "5449" - ], - "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6", - "level": "high", - "subcategory_guids": [ - "0CCE9233-69AE-11D9-BED3-505054503030", - "0CCE9234-69AE-11D9-BED3-505054503030" - ], - "title": "HackTool - NoFilter Execution" - }, - { - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", - "event_ids": [ - "5156" - ], - "id": "810804a5-98c3-7e56-e8ed-8a95d72ad829", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "RDP over Reverse SSH Tunnel WFP" - }, - { - "description": "The 
'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.", - "event_ids": [ - "4673" - ], - "id": "cd93b6ed-961d-ed36-92db-bd44bccda695", - "level": "high", - "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030", - "0CCE9228-69AE-11D9-BED3-505054503030" - ], - "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" - }, - { - "description": "This events that are generated when using the hacktool Ruler by Sensepost", - "event_ids": [ - "4625", - "4624", - "4776" - ], - "id": "8b40829b-4556-9bec-a8ad-905688497639", - "level": "high", - "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Hacktool Ruler" - }, - { - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "event_ids": [ - "4697" - ], - "id": "826feb8b-536b-0302-0b4e-bd34cc5c4923", - "level": "medium", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" - }, - { - "description": "Detects Mimikatz DC sync security events", - "event_ids": [ - "4662" - ], - "id": "daad2203-665f-294c-6d2f-f9272c3214f2", - "level": "high", - "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030" - ], - "title": "Mimikatz DC Sync" - }, - { - "description": "Detects the creation of a user with the \"$\" character. 
This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.\n", - "event_ids": [ - "4781", - "4720" - ], - "id": "ec77919c-1169-6640-23e7-91c6f27ddc91", - "level": "medium", - "subcategory_guids": [ - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "New or Renamed User Account with '$' Character" - }, - { - "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", - "event_ids": [ - "4656" - ], - "id": "d81faa44-ff28-8f61-097b-92727b8af44b", - "level": "high", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" - ], - "title": "Password Dumper Activity on LSASS" - }, - { - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", - "event_ids": [ - "4701", - "4699" - ], - "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", - "level": "high", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "title": "Important Scheduled Task Deleted/Disabled" - }, - { - "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.\n", - "event_ids": [ - "5136" - ], - "id": "6e3066ef-54e1-9d1b-5bc6-9ae6947ae271", - "level": "medium", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "title": "Group Policy Abuse for Privilege Addition" - }, - { - "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", - "event_ids": [ - "4738", - "5136" - ], - "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", - "level": "high", - "subcategory_guids": [ - 
"0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9235-69AE-11D9-BED3-505054503030" - ], - "title": "Active Directory User Backdoors" - }, - { - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", - "event_ids": [ - "4656", - "4663" - ], - "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73", - "level": "medium", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "title": "Azure AD Health Service Agents Registry Keys Access" - }, - { - "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", - "event_ids": [], - "id": "2875c85a-58eb-ca3b-80a3-4cdd8ffa41a8", - "level": "critical", - "subcategory_guids": [], - "title": "Win Susp Computer Name Containing Samtheadmin" - }, - { - "description": "Detects remote service activity via remote access to the svcctl named pipe", - "event_ids": [ - "5145" - ], - "id": "9a0e08fc-d50e-2539-9da0-f2b04439c414", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Service Activity via SVCCTL Named Pipe" - }, - { - "description": "Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.\nAlso, it is recommended 
to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.\n", - "event_ids": [ - "4719" - ], - "id": "83d7b3c2-220e-60e8-4aad-98e206e841ba", - "level": "low", - "subcategory_guids": [ - "0CCE922F-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Event Auditing Disabled" - }, - { - "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", - "event_ids": [ - "5145" - ], - "id": "d415c82b-814d-5cdc-c2f2-a138115b878e", - "level": "medium", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "title": "DCERPC SMB Spoolss Named Pipe" - }, - { - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "event_ids": [ - "4697" - ], - "id": "660a0229-700e-8e43-40c7-fafe60c29491", - "level": "high", - "subcategory_guids": [ - "0CCE9211-69AE-11D9-BED3-505054503030" - ], - "title": "Invoke-Obfuscation CLIP+ Launcher - Security" - }, - { - "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", - "event_ids": [ - "5136" - ], - "id": "e92d7fea-4127-4b6c-a889-3f0b89f7b567", - "level": "high", - "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030" - ], - "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" - }, - { - "description": "Detects the creation or removal of a computer. 
Can be used to detect attacks such as DCShadow via the creation of a new SPN.", - "event_ids": [ - "4741", - "4743" - ], - "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d", - "level": "low", - "subcategory_guids": [ - "0CCE9236-69AE-11D9-BED3-505054503030" - ], - "title": "Add or Remove Computer from DC" - }, - { - "description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.", - "event_ids": [ - "4905", - "4904" - ], - "id": "00f253a0-1035-e450-7f6e-e2291dee27ec", - "level": "informational", - "subcategory_guids": [ - "0CCE922F-69AE-11D9-BED3-505054503030" - ], - "title": "VSSAudit Security Event Source Registration" - }, - { - "description": "Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions\n", - "event_ids": [ - "4660" - ], - "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f", - "level": "medium", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" - ], - "title": "Windows Defender Exclusion Deleted" - }, - { - "description": "The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.", - "event_ids": [ - "4689" - ], - "id": "83c2f19e-f588-1826-fc7d-cf7f4db7031a", - "level": "high", - "subcategory_guids": [ - "0CCE922C-69AE-11D9-BED3-505054503030" - ], - "title": "Correct Execution of Nltest.exe" - }, - { - "description": "This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. 
This event should to be correlated with 4624 and 4688 for further intrusion context.", - "event_ids": [ - "4674" - ], - "id": "6683ccd7-da7a-b988-1683-7f7a1bf72bf6", - "level": "low", - "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030" - ], - "title": "Lateral Movement Indicator ConDrv" - }, - { - "description": "Checks for event id 1102 which indicates the security event log was cleared.", - "event_ids": [ - "1102" - ], - "id": "23f0b75b-66c0-4895-ae63-4243fa898109", - "level": "medium", - "subcategory_guids": [], - "title": "Security Event Log Cleared" - }, - { - "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \"Member is added to a Security Group\".\nEvent ID 4729 indicates a \"Member is removed from a Security enabled-group\".\nEvent ID 4730 indicates a \"Security Group is deleted\".\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", - "event_ids": [ - "634", - "4728", - "4730", - "632", - "4729", - "633" - ], - "id": "506379d9-8545-c010-e9a3-693119ab9261", - "level": "low", - "subcategory_guids": [ - "0CCE9237-69AE-11D9-BED3-505054503030" - ], - "title": "Group Modification Logging" - }, - { - "description": "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.", - "event_ids": [ - "4771" - ], - "id": "32ce2d24-3d1c-2f81-cddb-d64b33fe9247", - "level": "medium", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "title": "Valid Users Failing to Authenticate From Single Source Using Kerberos" - }, - { - "description": "Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.", - "event_ids": [ - "4768" - ], - 
"id": "c6c2c3e3-44ee-516c-9e48-63b304511787", - "level": "medium", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "title": "Disabled Users Failing To Authenticate From Source Using Kerberos" - }, - { - "description": "Detects remote execution via scheduled task creation or update on the destination host", - "event_ids": [ - "4624", - "4698", - "4702" - ], - "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Remote Schtasks Creation" - }, - { - "description": "Detects failed logins with multiple accounts from a single process on the system.", - "event_ids": [ - "4625" - ], - "id": "84202b5b-54c1-473b-4568-e10da23b3eb8", - "level": "medium", - "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Multiple Users Failing to Authenticate from Single Process" - }, - { - "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", - "event_ids": [ - "4698" - ], - "id": "89ed0fbe-11b8-ce3c-e025-59925225ee99", - "level": "low", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" - ], - "title": "Rare Schtasks Creations" - }, - { - "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.", - "event_ids": [ - "4768" - ], - "id": "74eaa0ee-05a7-86a5-a7a8-076952aa764d", - "level": "medium", - "subcategory_guids": [ - "0CCE9242-69AE-11D9-BED3-505054503030" - ], - "title": "Invalid Users Failing To Authenticate From Source Using Kerberos" - }, - { - "description": "Detects enumeration of the global catalog (that can be performed using BloodHound or 
others AD reconnaissance tools). Adjust Threshold according to domain width.", - "event_ids": [ - "5156" - ], - "id": "ffaf246b-f54a-05ba-d9b0-fba6626c7822", - "level": "medium", - "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030" - ], - "title": "Enumeration via the Global Catalog" - }, - { - "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.", - "event_ids": [ - "4776" - ], - "id": "bbd02091-a432-94b3-8041-9f776b681fc2", - "level": "medium", - "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "title": "Invalid Users Failing To Authenticate From Single Source Using NTLM" - }, - { - "description": "Search for accessing of fake files with stored credentials", - "event_ids": [ - "4663" - ], - "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", - "level": "high", - "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" - ], - "title": "Stored Credentials in Fake Files" - }, - { - "description": "Detects a source system failing to authenticate against a remote host with multiple users.", - "event_ids": [ - "4625" - ], - "id": "30e70d43-6368-123c-a3c8-d23309a3ff97", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Multiple Users Remotely Failing To Authenticate From Single Source" - }, - { - "description": "Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.", - "event_ids": [ - "4776" - ], - "id": "ddbbe639-21f9-7b39-ae7d-821e490d6130", - "level": "medium", - "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "title": "Valid Users Failing to Authenticate from Single Source Using NTLM" - }, - { - "description": "Detects suspicious failed logins with different 
user accounts from a single source system", - "event_ids": [ - "529", - "4625" - ], - "id": "428d3964-3241-1ceb-8f93-b31d8490c822", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "title": "Failed Logins with Different Accounts from Single Source System" - }, - { - "description": "Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).", - "event_ids": [ - "4663" - ], - "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995", - "level": "medium", - "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" - ], - "title": "Suspicious Multiple File Rename Or Delete Occurred" - }, - { - "description": "Detects suspicious failed logins with different user accounts from a single source system", - "event_ids": [ - "4776" - ], - "id": "203aaec0-5613-4fdc-42b3-a021d6f853dc", - "level": "medium", - "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030" - ], - "title": "Failed NTLM Logins with Different Accounts from Single Source System" - }, - { - "description": "Detects a single user failing to authenticate to multiple users using explicit credentials.", - "event_ids": [ - "4648" - ], - "id": "27124590-ab3f-79b8-7dfa-b82820dbb1cc", - "level": "medium", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030" - ], - "title": "Password Spraying via Explicit Credentials" - } -] \ No newline at end of file