WELA/config/security_rules.json
github-actions[bot] 5f2b5156fd Automated update
2025-03-12 09:09:23 +00:00


[
{
"description": "Displays the dialog box message that popped up in Office Activated App for the user.",
"event_ids": [
"300"
],
"id": "8cab5688-ca77-483d-a295-56dd6c1db944",
"level": "informational",
"subcategory_guids": [],
"title": "Office App PopUp"
},
{
"description": "Windows defender malware detection",
"event_ids": [
"1116"
],
"id": "810bfd3a-9fb3-44e0-9016-8cdf785fddbf",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Defender Alert (Severe)"
},
{
"description": "Windows defender malware detection",
"event_ids": [
"1116"
],
"id": "1e11c0f0-aecd-45d8-9229-da679c0265ea",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Defender Alert (High)"
},
{
"description": "Windows defender malware detection",
"event_ids": [
"1116"
],
"id": "3f5005fc-e354-4b0b-b1a1-3eec1d336023",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Defender Alert (Moderate)"
},
{
"description": "Windows defender malware detection",
"event_ids": [
"1116"
],
"id": "61056ed8-7be5-46e4-9015-c5f6bc8b93a1",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Defender Alert (Low)"
},
{
"description": "Somebody cleared an important event log.",
"event_ids": [
"104"
],
"id": "f481a1f3-969e-4187-b3a5-b47c272bfebd",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Important Log File Cleared"
},
{
"description": "",
"event_ids": [
"7045"
],
"id": "76355548-fa5a-4310-9610-0de4b11f4688",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Possible Metasploit Svc Installed"
},
{
"description": "Malware will often create services for persistence and use BASE64 encoded strings to execute malicious code or abuse legitimate binaries like cmd.exe, powershell, etc... inside the path to execute. Normally, services will not run built-in binaries, run from user or temp folders or contain encoded data.",
"event_ids": [
"7045"
],
"id": "dbbfd9f3-9508-478b-887e-03ddb9236909",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious Service Path"
},
{
"description": "PSExec is a MS SysInternals tool often abused for lateral movement.",
"event_ids": [
"7045"
],
"id": "0694c340-3a46-40ac-acfc-c3444ae6572c",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "PSExec Lateral Movement"
},
{
"description": "Tries to look for random-looking service names that are often used by malware for persistence.",
"event_ids": [
"7045"
],
"id": "cc429813-21db-4019-b520-2f19648e1ef1",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious Service Name"
},
{
"description": "The shutdown operation is initiated automatically by a program that uses the InitiateSystemShutdownEx function with the force flag.",
"event_ids": [
"6008"
],
"id": "517c0b15-d2bf-48a3-926c-f7b4a96dcec3",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Unexpected Shutdown"
},
{
"description": "",
"event_ids": [
"7040"
],
"id": "ab3507cf-5231-4af6-ab1d-5d3b3ad467b5",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Event Log Service Startup Type Changed To Disabled"
},
{
"description": "",
"event_ids": [
"7031"
],
"id": "d869bf31-92b3-4e21-a447-708f10156e7c",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Service Crashed"
},
{
"description": "A new service was installed. (Possibly malware.)",
"event_ids": [
"7045"
],
"id": "64c5d39d-10a7-44f4-b5d6-fd0d93d0a69f",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Svc Installed"
},
{
"description": "Somebody cleared an important event log.",
"event_ids": [
"104"
],
"id": "ed90ed4f-0d93-4f1a-99a2-4b9003b750a7",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Log File Cleared"
},
{
"description": "",
"event_ids": [
"7034"
],
"id": "f5dc6a6d-fdf1-441a-a10c-aa10e2908aa4",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Service Crashed"
},
{
"description": "On Powershell v5+, Windows will automatically log suspicious powershell execution and mark the Level as Warning.",
"event_ids": [
"4104"
],
"id": "73be1519-4648-4ed7-b305-605504afc242",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Potentially Malicious PwSh"
},
{
"description": "Powershell Module Logging. Displays powershell execution.",
"event_ids": [
"4103"
],
"id": "d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "PwSh Pipeline Exec"
},
{
"description": "Powershell Scriptblock Logging. Windows 10+ will flag suspicious PwSh as level 3 (warning) so \nI am filtering out these events as they are being created with the \"Potentially Malicious PwSh\" rule.\n",
"event_ids": [
"4104"
],
"id": "0f3b1343-65a5-4879-b512-9d61b0e4e3ba",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "PwSh Scriptblock"
},
{
"description": "An attacker may have started Powershell 2.0 to evade detection.",
"event_ids": [
"400"
],
"id": "bc082394-73e6-4d00-a9af-e7b524ef5085",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "PwSh 2.0 Downgrade Attack"
},
{
"description": "Engine state is changed from None to Available.",
"event_ids": [
"400"
],
"id": "ac2ae63b-83e6-4d06-aeaf-07409bda92c9",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "PwSh Engine Started"
},
{
"description": "The Windows Filtering Platform has allowed a connection.",
"event_ids": [
"5156"
],
"id": "d0a61a11-57c9-4afc-b940-3f19b60db08e",
"level": "informational",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Net Conn"
},
{
"description": "The Windows Filtering Platform has blocked a connection.",
"event_ids": [
"5157"
],
"id": "b793a8e6-28a4-4fb8-816e-17a99e4e7b40",
"level": "informational",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Net Conn Blocked"
},
{
"description": "",
"event_ids": [
"5145"
],
"id": "8c6ec2b2-8dad-4996-9aba-d659afc1b919",
"level": "informational",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "NetShare File Access"
},
{
"description": "",
"event_ids": [
"5140"
],
"id": "15d042c1-07c6-4e16-ae7d-e0e556ccd9a8",
"level": "informational",
"subcategory_guids": [
"0CCE9224-69AE-11D9-BED3-505054503030"
],
"title": "NetShare Access"
},
{
"description": "Scheduled task created. Malware often persists via scheduled tasks, but tasks are also frequently used legitimately.",
"event_ids": [
"4698"
],
"id": "60d768ca-33e8-4f34-b967-14fd7aa18a22",
"level": "informational",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Task Created"
},
{
"description": "Scheduled task was deleted.",
"event_ids": [
"4699"
],
"id": "de5ed02e-e7b5-47a0-a35c-06a907c988e4",
"level": "informational",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Task Deleted"
},
{
"description": "Detects when hashes are not correct or a file does not meet Windows' security requirements.",
"event_ids": [
"6410"
],
"id": "c2eb9d20-ef9d-4b2d-bffe-d0a5d9616f30",
"level": "low",
"subcategory_guids": [
"0CCE9212-69AE-11D9-BED3-505054503030"
],
"title": "Code Integrity Proble (Possible Modification)"
},
{
"description": "Detects when hashes are not correct or a file does not meet Windows' security requirements.",
"event_ids": [
"6281"
],
"id": "d4757f63-cc0e-448e-8b5b-6cb02aeb918a",
"level": "low",
"subcategory_guids": [
"0CCE9212-69AE-11D9-BED3-505054503030"
],
"title": "Code Integrity Error (Invalid Image Page Hash)"
},
{
"description": "Detects when hashes are not correct or a file does not meet Windows' security requirements.",
"event_ids": [
"5038"
],
"id": "0c871345-668e-4b71-bdad-61e42ecc31e3",
"level": "low",
"subcategory_guids": [
"0CCE9212-69AE-11D9-BED3-505054503030"
],
"title": "Code Integrity Error (Invalid Image Hash)"
},
{
"description": "A logon process has registered with the Local Security Authority (LSA). Logon requests will now be accepted from this source. Technically, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event is generated. A logon process is a trusted part of the OS that handles logon methods (network, interactive, etc.)",
"event_ids": [
"4611"
],
"id": "41ca6049-dd12-462c-a772-7bba78d8e2f0",
"level": "informational",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Abnormal Logon Proc Registered With LSA"
},
{
"description": "A logon process has registered with the Local Security Authority (LSA). Logon requests will now be accepted from this source. Technically, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event is generated. A logon process is a trusted part of the OS that handles logon methods (network, interactive, etc.)",
"event_ids": [
"4611"
],
"id": "614c150b-905d-4071-9b8e-0425e370c493",
"level": "informational",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Logon Proc Registered With LSA"
},
{
"description": "A new service was installed. (Possibly malware.)",
"event_ids": [
"4697"
],
"id": "95fe88c9-5b9d-4454-97b4-957918b84208",
"level": "informational",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Svc Installed"
},
{
"description": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.",
"event_ids": [
"4825"
],
"id": "f97a152e-753c-4975-9375-19087fb66f8c",
"level": "informational",
"subcategory_guids": [],
"title": "RDP Denied"
},
{
"description": "Logged when NTLM authentication is used usually for local accounts but NTLM can also be used with domain accounts. The original event title says it is only generated on domain controllers but that is not true. This also gets logged on clients.",
"event_ids": [
"4776"
],
"id": "4fbe94b0-577a-4f77-9b13-250e27d440fa",
"level": "informational",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "NTLM Auth"
},
{
"description": "Prints logon information.",
"event_ids": [
"4769"
],
"id": "da6257f3-cf49-464a-96fc-c84a7ce20636",
"level": "informational",
"subcategory_guids": [
"0CCE9240-69AE-11D9-BED3-505054503030"
],
"title": "Kerberos Service Ticket Requested"
},
{
"description": "Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.",
"event_ids": [
"4769"
],
"id": "f19849e7-b5ba-404b-a731-9b624d7f6d19",
"level": "medium",
"subcategory_guids": [
"0CCE9240-69AE-11D9-BED3-505054503030"
],
"title": "Possible Kerberoasting (RC4 Kerberos Ticket Req)"
},
{
"description": "For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.",
"event_ids": [
"4768"
],
"id": "dee2a01e-5d7c-45b4-aec3-ad9722f2165a",
"level": "medium",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "Possible AS-REP Roasting (RC4 Kerberos Ticket Req)"
},
{
"description": "Prints logon information.",
"event_ids": [
"4768"
],
"id": "d9f336ea-bb16-4a35-8a9c-183216b8d59c",
"level": "informational",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "Kerberos TGT Requested"
},
{
"description": "Directory Service Object Modified. Log written only to domain controllers (2008+)",
"event_ids": [
"5136"
],
"id": "22ee9fb7-64ca-4eed-92de-d1dbef1170b8",
"level": "informational",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Dir Svc Obj Modified"
},
{
"description": "Detects when there is an RDP session disconnect.",
"event_ids": [
"4779"
],
"id": "f3532729-5536-42b4-ad74-d061b61a3891",
"level": "informational",
"subcategory_guids": [
"0CCE921C-69AE-11D9-BED3-505054503030"
],
"title": "RDP Session Disconnect"
},
{
"description": "Detects when there is an RDP session reconnect.",
"event_ids": [
"4778"
],
"id": "db23f704-61c8-4c95-a5b7-4db61c89f41d",
"level": "informational",
"subcategory_guids": [
"0CCE921C-69AE-11D9-BED3-505054503030"
],
"title": "RDP Session Reconnect"
},
{
"description": "Originally \"Special privileges assigned to new logon\". This will create a separate LID that is used when special admin-level privileges are used.",
"event_ids": [
"4672"
],
"id": "fdd0b325-8b89-469c-8b0c-e5ddfe39b62e",
"level": "informational",
"subcategory_guids": [
"0CCE921B-69AE-11D9-BED3-505054503030"
],
"title": "Admin Logon"
},
{
"description": "Prints logon information.",
"event_ids": [
"4647"
],
"id": "6bad16f1-02c4-4075-b414-3cd16944bc65",
"level": "informational",
"subcategory_guids": [
"0CCE9216-69AE-11D9-BED3-505054503030"
],
"title": "Logoff (User Initiated)"
},
{
"description": "Prints logon information.",
"event_ids": [
"4634"
],
"id": "84288799-8b61-4d98-bad0-4043c40cf992",
"level": "informational",
"subcategory_guids": [
"0CCE9216-69AE-11D9-BED3-505054503030"
],
"title": "Logoff (Noisy)"
},
{
"description": "Prints logon information.",
"event_ids": [
"4634"
],
"id": "7309e070-56b9-408b-a2f4-f1840f8f1ebf",
"level": "informational",
"subcategory_guids": [
"0CCE9216-69AE-11D9-BED3-505054503030"
],
"title": "Logoff"
},
{
"description": "Type 9 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.",
"event_ids": [
"4624"
],
"id": "d80facaa-ca97-47bb-aed2-66362416eb49",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (NewCredentials) *Creds in memory*"
},
{
"description": "Type 12 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.",
"event_ids": [
"4624"
],
"id": "f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (CachedRemoteInteractive) *Creds in memory*"
},
{
"description": "System Noise",
"event_ids": [
"4624"
],
"id": "84e5ff02-5f8f-48c4-a7e9-88aa1fb888f7",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Service) (Noisy)"
},
{
"description": "(From ultimatewindowsecurity.com)\nThis log is generated when\n1. A user connects to a server or runs a program locally using alternate credentials.\n For instance a user maps a drive to a server but specifies a different user's credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut,\n selecting Run as..., and then filling in a different user's credentials in the dialog box that appears. Or a user logs on to a web site using new specific credentials.\n2. When a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.\n3. With User Account Control enabled, an end user runs a program requiring admin authority. You will get this event where the process information is consent.exe.\n Unfortunately the Subject does not identify the end user.\n4. Logging on interactively to a server with a domain account. (Two 4624 events will also be generated.)\nThis logon event is unique in that it is logged on the source computer and not the target computer like most other logon events.\nAlso, it will be logged regardless of the logon being successful or not so consider it an attempt and not necessarily an actual successful logon.\n",
"event_ids": [
"4648"
],
"id": "8c1899fe-493d-4faf-aae1-0853a33a3278",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Explicit Logon Attempt"
},
{
"description": "(From ultimatewindowsecurity.com)\nThis log is generated when\n1. A user connects to a server or runs a program locally using alternate credentials.\n For instance a user maps a drive to a server but specifies a different user's credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut,\n selecting Run as..., and then filling in a different user's credentials in the dialog box that appears. Or a user logs on to a web site using new specific credentials.\n2. When a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.\n3. With User Account Control enabled, an end user runs a program requiring admin authority. You will get this event where the process information is consent.exe.\n Unfortunately the Subject does not identify the end user.\n4. Logging on interactively to a server with a domain account. (Two 4624 events will also be generated.)\nThis logon event is unique in that it is logged on the source computer and not the target computer like most other logon events.\nAlso, it will be logged regardless of the logon being successful or not so consider it an attempt and not necessarily an actual successful logon.\n",
"event_ids": [
"4648"
],
"id": "a5b3ebf0-141a-4264-b2ff-400c0d515fca",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Explicit Logon Attempt (Noisy)"
},
{
"description": "Detects explicit credential logons with suspicious processes like powershell and wmic, which are often abused by malware like Cobalt Strike or Mimikatz for user impersonation.",
"event_ids": [
"4648"
],
"id": "7616e857-8e41-4976-bc21-811d122b9fc9",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Explicit Logon Attempt (Susp Proc) - Possible Mimikatz PrivEsc"
},
{
"description": "Type 13 logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.",
"event_ids": [
"4624"
],
"id": "e50e3952-06d9-44a8-ab07-7a41c9801d78",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (CachedUnlock) *Creds in memory*"
},
{
"description": "Search for many 4625 failed logon attempts due to wrong usernames in a short period of time.",
"event_ids": [
"4625"
],
"id": "4574194d-e7ca-4356-a95c-21b753a1787e",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "User Guessing"
},
{
"description": "Detects a failed logon event due to an incorrect username",
"event_ids": [
"4625"
],
"id": "b2c74582-0d44-49fe-8faa-014dcdafee62",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon - Non-Existent User"
},
{
"description": "Type 11 Interactive logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.",
"event_ids": [
"4624"
],
"id": "fbbe9d3f-ed1f-49a9-9446-726e349f5fba",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (CachedInteractive) *Creds in memory*"
},
{
"description": "Tries to detect token impersonation by tools like Cobalt Strike.",
"event_ids": [
"4624"
],
"id": "46614e82-7926-41f9-85aa-006b98c5c2a3",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Possible Token Impersonation"
},
{
"description": "Prints logon type 5 service logons.",
"event_ids": [
"4624"
],
"id": "408e1304-51d7-4d3e-ab31-afd07192400b",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Service)"
},
{
"description": "Prints logon information.",
"event_ids": [
"4625"
],
"id": "a85096da-be85-48d7-8ad5-2f957cd74daa",
"level": "low",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (Unknown Reason)"
},
{
"description": "Prints logon information. Despite the naming NetworkCleartext, the password is not sent over the network in cleartext. It is usually for IIS Basic Authentication.",
"event_ids": [
"4624"
],
"id": "7ff51227-6a10-49e6-a58b-b9f4ac32b138",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (NetworkCleartext)"
},
{
"description": "This is filtered by default as it is usually system noise.",
"event_ids": [
"4624"
],
"id": "b1782e40-d247-4de1-86d1-37392cb62e3b",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Interactive) (Noisy)"
},
{
"description": "Detects a failed logon event due to a wrong password",
"event_ids": [
"4648"
],
"id": "ab1accc0-b6e2-4841-8dfb-5902581392c3",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon - Incorrect Password"
},
{
"description": "The logon event happens when the computer boots up.",
"event_ids": [
"4624"
],
"id": "9fa273cc-bcb2-4789-85e3-14ca253ac7f4",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (System) - Bootup"
},
{
"description": "Detects a failed logon event due to a wrong password",
"event_ids": [
"4625"
],
"id": "5b0b75dc-9190-4047-b9a8-14164cee8a31",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon - Incorrect Password"
},
{
"description": "Prints logon information",
"event_ids": [
"4624"
],
"id": "b61bfa39-48ec-4bdf-9d4e-e7205f49acd2",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Unlock)"
},
{
"description": "Prints failed logons",
"event_ids": [
"4625"
],
"id": "8afa97ce-a217-4f7c-aced-3e320a57756d",
"level": "low",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (User Does Not Exist)"
},
{
"description": "Prints logon information",
"event_ids": [
"4624"
],
"id": "c7b22878-e5d8-4c30-b245-e51fd354359e",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Network)"
},
{
"description": "Tries to detect token impersonation by tools like Cobalt Strike.",
"event_ids": [
"4624"
],
"id": "9e8b6cdb-9991-488b-a7b3-2eec7aa64679",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "NewInteractive Logon (Suspicious Process)"
},
{
"description": "Type 2 Interactive logons can be dangerous as the credentials (plaintext or hashed passwords) are stored in memory (lsass process) and can be stolen by tools like mimikatz.",
"event_ids": [
"4624"
],
"id": "7beb4832-f357-47a4-afd8-803d69a5c85c",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Interactive) *Creds in memory*"
},
{
"description": "Prints logon information.",
"event_ids": [
"4625"
],
"id": "e87bd730-df45-4ae9-85de-6c75369c5d29",
"level": "low",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (Wrong Password)"
},
{
"description": "Outputs system noise",
"event_ids": [
"4624"
],
"id": "0266af4f-8825-495e-959c-bff801094349",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Network) (Noisy)"
},
{
"description": "Search for many 4625 wrong password failed logon attempts in a short period of time.",
"event_ids": [
"4625"
],
"id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "PW Guessing"
},
{
"description": "Prints logon information",
"event_ids": [
"4624"
],
"id": "8ad8b25f-6052-4cfd-9a50-717cb514af13",
"level": "informational",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Logon (Batch)"
},
{
"description": "Search for many 4648 explicit credential logon attempts in a short period of time.",
"event_ids": [
"4648"
],
"id": "ffd622af-d049-449f-af5a-0492fdcc3a58",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "PW Spray"
},
{
"description": "A process has enumerated credential information in Credential Manager. There will be many false positives so check if the Process ID (PID) is that of known malware on the system.",
"event_ids": [
"5379"
],
"id": "d8e3afc5-fa0a-4063-a4af-55e014eb1936",
"level": "low",
"subcategory_guids": [],
"title": "Credential Manager Enumerated"
},
{
"description": "A process has read credentials in the Credential Manager. There will be many false positives so check if the Process ID (PID) is that of known malware on the system.",
"event_ids": [
"5379"
],
"id": "d478c070-8f84-4e65-9f45-cc432a000e93",
"level": "low",
"subcategory_guids": [],
"title": "Credential Manager Accessed"
},
{
"description": "A user has cleared the Security event log.",
"event_ids": [
"1102"
],
"id": "c2f690ac-53f8-4745-8cfe-7127dda28c74",
"level": "high",
"subcategory_guids": [],
"title": "Log Cleared"
},
{
"description": "",
"event_ids": [
"4688"
],
"id": "6c34b782-a5b5-4298-80f3-1918caf1f558",
"level": "low",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Possible LOLBIN"
},
{
"description": "Detects a suspicious RDP session redirect using tscon.exe",
"event_ids": [
"4688"
],
"id": "6be7f3fc-8917-11ec-a8a3-0242ac120002",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Possible RDP Hijacking"
},
{
"description": "Process execution.",
"event_ids": [
"4688"
],
"id": "ac933178-c222-430d-8dcf-17b4f3a2fed8",
"level": "informational",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Proc Exec"
},
{
"description": "",
"event_ids": [
"4688"
],
"id": "75744b7f-7e4a-47fe-afbe-1ee74ec2448e",
"level": "medium",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"title": "Susp CmdLine (Possible Meterpreter getsystem)"
},
{
"description": "User Added To Non-Admin Global Security Group. Only logged on DCs.",
"event_ids": [
"4728"
],
"id": "2f04e44e-1c79-4343-b4ab-ba670ee10aa0",
"level": "low",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "User Added To Non-Admin Global Grp"
},
{
"description": "A user was added to the local Domain Admins group.",
"event_ids": [
"4732"
],
"id": "bc58e432-959f-464d-812e-d60ce5d46fa1",
"level": "high",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "User Added To Local Domain Admins Grp"
},
{
"description": "A user was added to the Domain Admins group. Only logged on DCs.",
"event_ids": [
"4728"
],
"id": "4bb89c86-a138-42a0-baaf-fc2f777a4506",
"level": "high",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "User Added To Global Domain Admins Grp"
},
{
"description": "A user was added to the local Administrators group. Unfortunately the user name does not get recorded in the log, only the SID, so you need to look up the username via the SID.",
"event_ids": [
"4732"
],
"id": "611e2e76-a28f-4255-812c-eb8836b2f5bb",
"level": "high",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "User Added To Local Admin Grp"
},
{
"description": "A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subject user is the user that performed the action. Only logged on DCs.",
"event_ids": [
"4728"
],
"id": "0db443ba-561c-4a04-b349-d74ce1c5fc8b",
"level": "medium",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "User Added To Global Security Grp"
},
{
"description": "A computer account was created.",
"event_ids": [
"4741"
],
"id": "42a0a842-2b82-4b2d-8e44-5580fb6c38db",
"level": "informational",
"subcategory_guids": [
"0CCE9236-69AE-11D9-BED3-505054503030"
],
"title": "Computer Account Created"
},
{
"description": "A user account's password was changed by another account. The current password is not required to reset the password. An adversary might change the password of another account to lock out legitimate users or gain access to the account. This could be done if the account controlled by the attacker has permission to change the password, or as a step in attacks like Pass the Cert.",
"event_ids": [
"4724"
],
"id": "0b78aca4-35f0-4bec-acce-c5743ff26614",
"level": "medium",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Password Reset By Admin"
},
{
"description": "A local user account was created.",
"event_ids": [
"4720"
],
"id": "13edce80-2b02-4469-8de4-a3e37271dcdb",
"level": "low",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Local User Account Created"
},
{
"description": "A user account changed its own password. Adversaries might change the password to lock out the legitimate user, or set the password to a known clear text password via Pass the Hash if only the password hash is known. This will allow an adversary to access services where Pass the Hash is not an option.",
"event_ids": [
"4723"
],
"id": "3b3046f3-a51c-4378-b059-c716aaa865b4",
"level": "medium",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "User Password Changed"
},
{
"description": "A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.",
"event_ids": [
"4720"
],
"id": "70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a",
"level": "high",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Hidden User Account Created"
},
{
"description": "Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk. \nFor example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.) \nDisk wipers like bcwipe will also generate this.\nMore legitimate filepaths may have to be added to the filter.\nThis is marked as a medium alert as there is a high possibility for false positives.\n",
"event_ids": [
"4673"
],
"id": "5b6e58ee-c231-4a54-9eee-af2577802e08",
"level": "medium",
"subcategory_guids": [
"0CCE9228-69AE-11D9-BED3-505054503030",
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "Process Ran With High Privilege"
},
{
"description": "User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.",
"event_ids": [
"4674"
],
"id": "15db3cc7-30bd-47a0-bd75-66208ce8e3fe",
"level": "medium",
"subcategory_guids": [
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "Possible Hidden Service Created"
},
{
"description": "",
"event_ids": [
"5860"
],
"id": "d96164c4-9e15-4d48-964f-153ac0dab6e9",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Temporary WMI Event Consumer"
},
{
"description": "Records the time wmiprvse was executed and the path to the provider DLL. Attackers may sometimes install malicious WMI provider DLLs.",
"event_ids": [
"5857"
],
"id": "547aec97-2635-474a-a36c-7a3a46b07fde",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "WMI Provider Started"
},
{
"description": "Detects when powershell or cmd is used in WMI. (For persistence, lateral movement, etc...)",
"event_ids": [
"5861"
],
"id": "ab4852ca-3e27-4dbb-af6b-5f8458d5717a",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "WMI Filter To Consumer Binding_Command Execution"
},
{
"description": "Created when an EventFilterToConsumerBinding event happens.",
"event_ids": [
"5861"
],
"id": "ac9f0a2a-e9c5-4d19-b69e-e3d518ca6797",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Permanent WMI Event Consumer"
},
{
"description": "",
"event_ids": [
"106"
],
"id": "33599dfb-f3e4-4298-8d3f-59407f65f4e7",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Task Created"
},
{
"description": "",
"event_ids": [
"141"
],
"id": "ff6ada24-c7f0-4ae5-a7a6-f20ddb7b591f",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Task Deleted"
},
{
"description": "",
"event_ids": [
"200"
],
"id": "d1923809-955b-47c4-b3e5-37c0e461919c",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Task Executed"
},
{
"description": "",
"event_ids": [
"140"
],
"id": "aba04101-e439-4e2f-b051-4be561993c31",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Task Updated"
},
{
"description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.",
"event_ids": [
"59"
],
"id": "18e6fa4a-353d-42b6-975c-bb05dbf4a004",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Bits Job Created"
},
{
"description": "Detects the deactivation and disabling of the scheduled defragmentation task, as seen used by the Slingshot APT group",
"event_ids": [
"4701"
],
"id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Defrag Deactivation - Security"
},
{
"description": "Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report",
"event_ids": [
"7045"
],
"id": "afa88090-3c0b-17fc-7061-2259abc82d2b",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "OilRig APT Schedule Task Persistence - System"
},
{
"description": "Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report",
"event_ids": [
"4698"
],
"id": "798c8f65-068a-0a31-009f-12739f547a2d",
"level": "critical",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "OilRig APT Schedule Task Persistence - Security"
},
{
"description": "Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on \"Application Error\" log where the faulting application is \"lsass.exe\" and the faulting module is \"WLDAP32.dll\".\n",
"event_ids": [
"1000"
],
"id": "1117f6c7-1c68-9c6e-c3e8-191e9d687387",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CVE-2024-49113 Exploitation Attempt - LDAP Nightmare"
},
{
"description": "This detects file modifications to the temporary XML user database file, indicating local user modification in the ScreenConnect server.\nThis will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.\nThis requires an Advanced Auditing policy that logs successful Windows Event ID 4663 events, with a SACL set on the directory.\n",
"event_ids": [
"4663"
],
"id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "ScreenConnect User Database Modification - Security"
},
{
"description": "This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.\nThis requires an Advanced Auditing policy that logs successful Windows Event ID 4663 events, with a SACL set on the directory.\n",
"event_ids": [
"4663"
],
"id": "74d067bc-3f42-3855-c13d-771d589cf11c",
"level": "critical",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security"
},
{
"description": "Detects any creation or modification of a Windows domain group with the name \"ESX Admins\".\nThis could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.\nVMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\n",
"event_ids": [
"4728",
"4737",
"4727",
"4754",
"4755",
"4756",
"4731"
],
"id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a",
"level": "high",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity"
},
{
"description": "Detects Kapeka backdoor scheduled task creation based on attributes such as paths, command line flags, etc.",
"event_ids": [
"4698"
],
"id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Kapeka Backdoor Scheduled Task Creation"
},
{
"description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET",
"event_ids": [
"7045"
],
"id": "665e3be1-3ec1-2e79-bd0f-dca344762794",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Turla Service Install"
},
{
"description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018",
"event_ids": [
"7045"
],
"id": "75a0da35-0e7f-e313-f974-d812b44295a4",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Turla PNG Dropper Service"
},
{
"description": "Detects the installation of a service named \"javamtsup\" on the system.\nThe CosmicDuke info stealer uses Windows services typically named \"javamtsup\" for persistence.\n",
"event_ids": [
"4697"
],
"id": "8428d90d-a928-f70a-c46e-f08457d6b01f",
"level": "critical",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "CosmicDuke Service Installation"
},
{
"description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky",
"event_ids": [
"7045"
],
"id": "c1362f8e-594e-72a7-d9a9-6fe6c74334ef",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "StoneDrill Service Install"
},
{
"description": "Detects the exploitation of the Microsoft Exchange vulnerability described in CVE-2020-0688",
"event_ids": [
"4"
],
"id": "b1a2ae27-889c-aa26-1bd3-21f277008048",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CVE-2020-0688 Exploitation via Eventlog"
},
{
"description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.",
"event_ids": [
"257"
],
"id": "c8e0edae-2335-591c-7057-1ac58f03e06c",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "GALLIUM Artefacts - Builtin"
},
{
"description": "Detects Outlook initiating a connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.",
"event_ids": [
"4663",
"4656"
],
"id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2023-23397 Exploitation Attempt"
},
{
"description": "Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.",
"event_ids": [
"30803",
"30804",
"30806"
],
"id": "de290ecb-3279-dd5b-2f6c-7d3f22a752d8",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Potential CVE-2023-23397 Exploitation Attempt - SMB"
},
{
"description": "Detects a crash of \"WinRAR.exe\" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477",
"event_ids": [
"1000"
],
"id": "f33feae7-db95-01a2-c35f-a6361e690ebb",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CVE-2023-40477 Potential Exploitation - WinRAR Application Crash"
},
{
"description": "Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884",
"event_ids": [
"5140"
],
"id": "5a3b13ed-8700-5d72-5592-4dbeacbeeb64",
"level": "high",
"subcategory_guids": [
"0CCE9224-69AE-11D9-BED3-505054503030"
],
"title": "Potential CVE-2023-36884 Exploitation - Share Access"
},
{
"description": "Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation",
"event_ids": [
"2027"
],
"id": "0bcc2c11-231f-f491-7985-3571fee7f2c5",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "MSMQ Corrupted Packet Encountered"
},
{
"description": "Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability\n",
"event_ids": [
"4698"
],
"id": "05731ce3-cfda-dbba-3792-c17794a22cf7",
"level": "critical",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Diamond Sleet APT Scheduled Task Creation"
},
{
"description": "Hunts for known SVR-specific scheduled task names",
"event_ids": [
"129",
"140",
"141"
],
"id": "51850e92-9de2-230e-98f6-5775d63df091",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler"
},
{
"description": "Hunts for known SVR-specific scheduled task names",
"event_ids": [
"4699",
"4698",
"4702"
],
"id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef",
"level": "high",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor"
},
{
"description": "Detects the creation of new services potentially related to COLDSTEEL RAT",
"event_ids": [
"7045"
],
"id": "d8f1ace1-c01b-3f95-34ed-993d29f876f5",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "COLDSTEEL Persistence Service Creation"
},
{
"description": "Detects the creation of a service named \"WerFaultSvc\" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report",
"event_ids": [
"7045"
],
"id": "abdb2e55-7d24-7f3d-6091-2b42abca2e67",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "SNAKE Malware Service Persistence"
},
{
"description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n",
"event_ids": [
"35",
"37",
"38",
"36"
],
"id": "8a194220-2afd-d5a9-0644-0a2d76019999",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Potential CVE-2021-42278 Exploitation Attempt"
},
{
"description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527",
"event_ids": [
"5145"
],
"id": "52b5923e-1ef2-aaad-5513-3c830f3c5850",
"level": "critical",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2021-1675 Print Spooler Exploitation IPC Access"
},
{
"description": "Detects the suspicious file that is created by PoC code against the Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare) and CVE-2021-1675.",
"event_ids": [
"1007",
"1019",
"1009",
"1008",
"1010",
"1006",
"1116",
"1115",
"1012",
"1018",
"1017",
"1011"
],
"id": "aef0711e-c055-e870-92bc-ea130059eed1",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection"
},
{
"description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675",
"event_ids": [
"316"
],
"id": "ae207e8e-3dfd-bd05-1161-e0472778f2be",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CVE-2021-1675 Print Spooler Exploitation"
},
{
"description": "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675",
"event_ids": [
"808"
],
"id": "5c10c39e-b9f6-d321-3598-62095b34b663",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Possible CVE-2021-1675 Print Spooler Exploitation"
},
{
"description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321",
"event_ids": [
"8",
"6"
],
"id": "429ee035-2f74-8a92-ad19-a448e450bb5e",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Possible Exploitation of Exchange RCE CVE-2021-42321"
},
{
"description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379",
"event_ids": [
"1033"
],
"id": "8e38887f-8e20-477d-26c1-0862951ae91b",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "LPE InstallerFileTakeOver PoC CVE-2021-41379"
},
{
"description": "Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol, as seen in attacks against CVE-2021-42287",
"event_ids": [
"4781"
],
"id": "17662114-5bee-2566-359c-68d830193830",
"level": "high",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Computer Account Name Change CVE-2021-42287"
},
{
"description": "Detects service creation persistence used by the Goofy Guineapig backdoor",
"event_ids": [
"7045"
],
"id": "0375abd6-f86e-a665-27a0-501b2a1621a8",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Goofy Guineapig Backdoor Service Creation"
},
{
"description": "Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.",
"event_ids": [
"4656",
"5145",
"4663"
],
"id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222",
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "BlueSky Ransomware Artefacts"
},
{
"description": "This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL Server",
"event_ids": [
"8128"
],
"id": "e177969a-73cc-a32c-b948-cb580287057a",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "MSSQL Extended Stored Procedure Backdoor Maggie"
},
{
"description": "Detects activity mentioned in Operation Wocao report",
"event_ids": [
"4799"
],
"id": "c9b5cb6f-906f-3a15-b77e-1b634b1d4e55",
"level": "high",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "Operation Wocao Activity - Security"
},
{
"description": "Detects requests denied by Active Directory Certificate Services.\nExamples of reasons for these denials include issues with permissions on the certificate template or invalid signatures.\n",
"event_ids": [
"53"
],
"id": "817138f1-cfd3-c653-7392-a3c61051a8d3",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Active Directory Certificate Services Denied Certificate Enrollment Request"
},
{
"description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode",
"event_ids": [
"10001"
],
"id": "cd12f5c0-9798-3928-58bf-34b2816ea898",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Local Privilege Escalation Indicator TabTip"
},
{
"description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n",
"event_ids": [
"16990",
"16991"
],
"id": "7ef3c84f-fc5f-e0e6-b94d-07dbb0c946eb",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Potential CVE-2021-42287 Exploitation Attempt"
},
{
"description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.",
"event_ids": [
"5829"
],
"id": "a82f6b3b-324f-7234-9092-289117234d31",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Vulnerable Netlogon Secure Channel Connection Allowed"
},
{
"description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.",
"event_ids": [
"5805",
"5723"
],
"id": "4d943318-24e9-7318-6951-fdf8cb235652",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Zerologon Exploitation Using Well-known Tools"
},
{
"description": "Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)\nThis could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.\nEvents where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.\n",
"event_ids": [
"39",
"41"
],
"id": "470e08fc-0b52-8769-10d3-5b5c1920327e",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Certificate Use With No Strong Mapping"
},
{
"description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation",
"event_ids": [
"42"
],
"id": "87515290-bf9f-09a4-af0e-bac22cb017f6",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "KDC RC4-HMAC Downgrade CVE-2022-37966"
},
{
"description": "Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.\nThis issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.\n",
"event_ids": [
"16",
"27"
],
"id": "e10c99fe-7559-5ae3-9c5c-9fd0a70bd4a6",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "No Suitable Encryption Key Found For Generating Kerberos Ticket"
},
{
"description": "Detects suspicious service installation commands",
"event_ids": [
"7045"
],
"id": "ebfad3e2-5025-b233-20ef-71fc2ada8fe7",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious Service Installation"
},
{
"description": "Detects Obfuscated Powershell via VAR++ LAUNCHER",
"event_ids": [
"7045"
],
"id": "f5581097-47d5-fd2b-1a94-37dd36318706",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System"
},
{
"description": "Detects the use of smbexec.py tool by detecting a specific service installation",
"event_ids": [
"7045"
],
"id": "384155f0-8906-ff64-5188-211c9a98274e",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "smbexec.py Service Installation"
},
{
"description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques",
"event_ids": [
"7045"
],
"id": "6cda0359-f921-911b-a724-cc2f00d661f8",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Tap Driver Installation"
},
{
"description": "Detects service installation with suspicious folder patterns",
"event_ids": [
"7045"
],
"id": "1702910b-83b9-ce95-4ae8-2405c2e9faf7",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Service Installation with Suspicious Folder Pattern"
},
{
"description": "Detects Obfuscated use of Clip.exe to execute PowerShell",
"event_ids": [
"7045"
],
"id": "414e0fbd-67a8-17e4-371e-4f9f6a8799d0",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Invoke-Obfuscation CLIP+ Launcher - System"
},
{
"description": "Detects well-known credential dumping tools execution via service execution events",
"event_ids": [
"7045"
],
"id": "81562732-3278-cd48-1db2-581bc7158b6e",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Credential Dumping Tools Service Execution - System"
},
{
"description": "Detects CSExec service installation and execution events",
"event_ids": [
"7045"
],
"id": "efef064b-d350-a96b-fe1e-ef4cfe657066",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CSExec Service Installation"
},
{
"description": "Detects when the \"Windows Defender Threat Protection\" service is disabled.",
"event_ids": [
"7036"
],
"id": "07c5c883-1da4-d066-f69b-6caadbd1d6f9",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Threat Detection Service Disabled"
},
{
"description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION",
"event_ids": [
"7045"
],
"id": "6623b0c3-f904-2d2e-9c24-4cbb81bf55aa",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System"
},
{
"description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references",
"event_ids": [
"7045"
],
"id": "af2b45c1-ed61-0866-791a-13ae39ff80c3",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Invoke-Obfuscation Obfuscated IEX Invocation - System"
},
{
"description": "Detects service installation of various remote access tool software. These tools are often abused by threat actors.",
"event_ids": [
"7036",
"7045"
],
"id": "cd1c0081-d0c8-369f-2ed1-dcc058b08b9c",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Remote Access Tool Services Have Been Installed - System"
},
{
"description": "Detects known malicious service installations that appear in cases in which a Sliver implant executes PsExec commands",
"event_ids": [
"7045"
],
"id": "e38955da-ce8e-7137-94e5-7890c0bab131",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Sliver C2 Default Service Installation"
},
{
"description": "Detects service creation by the KrbRelayUp tool, used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting)",
"event_ids": [
"7045"
],
"id": "8623dcbf-e828-afb3-eb29-42cade82b39a",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "KrbRelayUp Service Installation"
},
{
"description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n",
"event_ids": [
"7045"
],
"id": "8682ea60-89d6-e616-7cdd-410a05ed1611",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "New PDQDeploy Service - Server Side"
},
{
"description": "Detects powershell script installed as a Service",
"event_ids": [
"7045"
],
"id": "be1b026a-db82-4f10-0739-68c60f1261c9",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "PowerShell Scripts Installed as Services"
},
{
"description": "Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.",
"event_ids": [
"7045"
],
"id": "a36af175-0d96-acc8-c2f7-f5bb57c974fe",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "TacticalRMM Service Installation"
},
{
"description": "Detects important or interesting Windows services that got terminated for whatever reason",
"event_ids": [
"7023"
],
"id": "bf2272c8-bc92-d925-4fb6-aeb1fe9283aa",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Important Windows Service Terminated With Error"
},
{
"description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n",
"event_ids": [
"7045"
],
"id": "c5b232f5-bd0a-c0ea-585f-c54fbe370580",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "New PDQDeploy Service - Client Side"
},
{
"description": "Detects Obfuscated use of stdin to execute PowerShell",
"event_ids": [
"7045"
],
"id": "9d5e9ea9-180b-0d92-6e5a-645275e94267",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Invoke-Obfuscation STDIN+ Launcher - System"
},
{
"description": "Detects NetSupport Manager service installation on the target system.",
"event_ids": [
"7045"
],
"id": "ee415dc3-b7c0-9568-e6dd-878777ff237a",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "NetSupport Manager Service Install"
},
{
"description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement",
"event_ids": [
"7045"
],
"id": "51ba8477-86a4-6ff0-35fa-7b7f1b1e3f83",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CobaltStrike Service Installations - System"
},
{
"description": "Detects important or interesting Windows services that got terminated unexpectedly.",
"event_ids": [
"7034"
],
"id": "d3c329c7-54bd-4896-cc7d-e04077eba081",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Important Windows Service Terminated Unexpectedly"
},
{
"description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers",
"event_ids": [
"7045"
],
"id": "cd204548-409b-e025-4fde-4a8fb1fe5332",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Mesh Agent Service Installation"
},
{
"description": "Detects Windows services that got terminated for whatever reason",
"event_ids": [
"7023"
],
"id": "c002ec31-f147-d591-b2f2-253774fd4248",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Service Terminated With Error"
},
{
"description": "Detects RemCom service installation and execution events",
"event_ids": [
"7045"
],
"id": "1ae1cb63-2c82-d95d-a200-533f229715b2",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "RemCom Service Installation"
},
{
"description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER",
"event_ids": [
"7045"
],
"id": "686d9481-474f-2b85-7c51-e69967c1afcc",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Invoke-Obfuscation RUNDLL LAUNCHER - System"
},
{
"description": "Detects Remote Utilities Host service installation on the target system.",
"event_ids": [
"7045"
],
"id": "97bd461f-b35e-a243-c697-06cc0539d7e3",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Remote Utilities Host Service Install"
},
{
"description": "Detects PAExec service installation",
"event_ids": [
"7045"
],
"id": "19b4e2a1-4499-8c65-e93a-5f675df202d8",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "PAExec Service Installation"
},
{
"description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0",
"event_ids": [
"7045"
],
"id": "97b97d4d-e03c-ace5-3215-fa2f51ec5fd5",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Service Installed By Unusual Client - System"
},
{
"description": "Detects suspicious service installation scripts",
"event_ids": [
"7045"
],
"id": "778c7f2b-32f5-e591-5c4a-01e47388475c",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious Service Installation Script"
},
{
"description": "Detects the installation of the AnyDesk software service. This could be an indication of AnyDesk abuse if the software isn't already in use.",
"event_ids": [
"7045"
],
"id": "87d5cdc0-24c5-8411-1230-d717dd6a47e8",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Anydesk Remote Access Software Service Installation"
},
{
"description": "Detects installation or execution of services",
"event_ids": [
"7045",
"7036"
],
"id": "fde28f27-a4fa-d3a4-a714-0ef2dfacb36c",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "HackTool Service Registration or Execution"
},
{
"description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation",
"event_ids": [
"7045"
],
"id": "4639745f-a91a-d296-8935-4c694a97f938",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System"
},
{
"description": "Detects Obfuscated Powershell via Stdin in Scripts",
"event_ids": [
"7045"
],
"id": "8aef41c8-fc2b-f490-5a9b-a683fe107829",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Invoke-Obfuscation Via Stdin - System"
},
{
"description": "Detects PsExec service installation and execution events",
"event_ids": [
"7045"
],
"id": "cb7a40d5-f1de-9dd4-465d-eada7e316d8f",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "PsExec Service Installation"
},
{
"description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
"event_ids": [
"7045"
],
"id": "7ca6e518-decb-de46-861e-5673c026b257",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Moriya Rootkit - System"
},
{
"description": "Detects Obfuscated Powershell via use Clip.exe in Scripts",
"event_ids": [
"7045"
],
"id": "e92121bb-a1c1-5d5a-6abb-3a25fe37fb41",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Invoke-Obfuscation Via Use Clip - System"
},
{
"description": "Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.\n",
"event_ids": [
"7045"
],
"id": "4de4ea24-8c0c-75ed-78c3-bf620ec06fd5",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Uncommon Service Installation Image Path"
},
{
"description": "Detects Obfuscated Powershell via use Rundll32 in Scripts",
"event_ids": [
"7045"
],
"id": "f1988b01-7f12-1851-58b5-8a4d63743183",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Invoke-Obfuscation Via Use Rundll32 - System"
},
{
"description": "Detects Obfuscated use of Environment Variables to execute PowerShell",
"event_ids": [
"7045"
],
"id": "19adbb05-25d8-44fe-3721-1590be735426",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Invoke-Obfuscation VAR+ Launcher - System"
},
{
"description": "Detects service installation in suspicious folder appdata",
"event_ids": [
"7045"
],
"id": "60ddd708-71a3-e524-27b1-4cdeda02ce46",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Service Installation in Suspicious Folder"
},
{
"description": "Detects the installation of the RTCore service, which could be an indication of abuse of the vulnerable Micro-Star MSI Afterburner driver.",
"event_ids": [
"7045"
],
"id": "6218888e-3b1f-f6be-b9f8-9fd758caa380",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "RTCore Suspicious Service Installation"
},
{
"description": "Detects Obfuscated Powershell via use MSHTA in Scripts",
"event_ids": [
"7045"
],
"id": "e0aa759a-fa97-fb3b-1b02-82aa44f8c068",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Invoke-Obfuscation Via Use MSHTA - System"
},
{
"description": "Detects a ProcessHacker tool that elevated privileges to a very high level",
"event_ids": [
"7045"
],
"id": "9e870183-fbbc-e736-c380-d20bd74d7dbe",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "ProcessHacker Privilege Elevation"
},
{
"description": "Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset.\nThis occurs when an application tries to access a hive that has not been recognized within the last 7 days (by default).\nRegistry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.\n",
"event_ids": [
"16"
],
"id": "625954f8-9cc1-bc90-d5bd-4d1d82849d37",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Critical Hive In Suspicious Location Access Bits Cleared"
},
{
"description": "Detects suspicious errors in the RDP protocol that may indicate an exploitation attempt of CVE-2019-0708 (BlueKeep).",
"event_ids": [
"56",
"50"
],
"id": "19979e7a-7d1e-a8e3-2a9e-9b3ac0059fa7",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Potential RDP Exploit CVE-2019-0708"
},
{
"description": "During exploitation of CVE-2021-34484 or CVE-2022-21919, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (possibly many false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP may be created during the exploitation. Observed on Windows Server 2008.",
"event_ids": [
"1511"
],
"id": "17e91768-3a0f-6d5f-bc0d-7f2d22391909",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919"
},
{
"description": "Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.",
"event_ids": [
"6039",
"6038"
],
"id": "cb063566-b04b-c7e4-316b-c69075ed08f5",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "NTLMv1 Logon Between Client and Server"
},
{
"description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded",
"event_ids": [
"1032",
"1034",
"1031"
],
"id": "a6878a7f-9fcd-9b29-ba67-ca05b11dc4aa",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "DHCP Server Error Failed Loading the CallOut DLL"
},
{
"description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded",
"event_ids": [
"1033"
],
"id": "87ade82b-7e03-f378-c163-59adb06640ae",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "DHCP Server Loaded the CallOut DLL"
},
{
"description": "Detects the exploitation of an NTFS vulnerability, as reported without many details via Twitter.",
"event_ids": [
"55"
],
"id": "73b6342c-c17a-d447-2fd3-119ed3cf61ca",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "NTFS Vulnerability Exploitation"
},
{
"description": "Detects volume shadow copy mount via Windows event log",
"event_ids": [
"98"
],
"id": "15b42b84-becb-a48c-8971-28895065fbd3",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Volume Shadow Copy Mount"
},
{
"description": "Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.\n",
"event_ids": [
"217",
"24",
"16",
"213",
"20"
],
"id": "8f9f7490-f99e-ff64-4b60-ac3f06a2262b",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Update Error"
},
{
"description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution",
"event_ids": [
"104"
],
"id": "30966a3a-2224-0e1a-d28d-c0f7e84cfed3",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Important Windows Eventlog Cleared"
},
{
"description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution",
"event_ids": [
"104"
],
"id": "8617b59c-812e-c88e-0bd4-5267e0e825f0",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Eventlog Cleared"
},
{
"description": "Detects application popup reporting a failure of the Sysmon service",
"event_ids": [
"26"
],
"id": "e064a7a6-e709-1464-34e4-626106c91d98",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Sysmon Application Crashed"
},
{
"description": "Remote registry management using REG utility from non-admin workstation",
"event_ids": [
"5145"
],
"id": "e9f405d3-e7ea-9adf-2f31-9ab2a7a90f5a",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Remote Registry Management Using Reg Utility"
},
{
"description": "Detects the attack technique pass the hash which is used to move laterally inside the network",
"event_ids": [
"4625",
"4624"
],
"id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Potential Pass the Hash Activity"
},
{
"description": "Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)",
"event_ids": [
"4742"
],
"id": "7d4b25c3-0cef-1638-1d47-bb18acda0e6c",
"level": "high",
"subcategory_guids": [
"0CCE9236-69AE-11D9-BED3-505054503030"
],
"title": "Potential Zerologon (CVE-2020-1472) Exploitation"
},
{
"description": "Detects logons with \"Special groups\" and \"Special Privileges\", which can be thought of as administrator-level groups or privileges.",
"event_ids": [
"4964",
"4672"
],
"id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1",
"level": "low",
"subcategory_guids": [
"0CCE921B-69AE-11D9-BED3-505054503030"
],
"title": "User with Privileges Logon"
},
{
"description": "Detects interactive console logons to Server Systems",
"event_ids": [
"4625",
"528",
"529",
"4624"
],
"id": "7298c707-7564-3229-7c76-ec514847d8c2",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Interactive Logon to Server Systems"
},
{
"description": "Detects execution of AppX packages with known suspicious or malicious signature",
"event_ids": [
"157"
],
"id": "e6dd8206-87ca-b6e9-3c8f-9e097bfc4e31",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious Digital Signature Of AppX Package"
},
{
"description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name.\nThis event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.\n",
"event_ids": [
"1007",
"1116",
"1009",
"1011",
"1019",
"1115",
"1010",
"1012",
"1017",
"1008",
"1018",
"1006"
],
"id": "a1be9170-2ada-e8bb-285c-3e1ff336189e",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Antivirus Relevant File Paths Alerts"
},
{
"description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.\nThis event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.\n",
"event_ids": [
"1018",
"1012",
"1115",
"1006",
"1008",
"1009",
"1116",
"1007",
"1010",
"1019",
"1017",
"1011"
],
"id": "f3d20838-65fe-0575-52a9-fd41ce2a5fdd",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Antivirus Hacktool Detection"
},
{
"description": "Detects a highly relevant Antivirus alert that reports an exploitation framework.\nThis event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.\n",
"event_ids": [
"1009",
"1115",
"1010",
"1116",
"1007",
"1018",
"1006",
"1011",
"1012",
"1017",
"1019",
"1008"
],
"id": "1868a1c5-30e8-dffd-a373-90c72ea4921a",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Antivirus Exploitation Framework Detection"
},
{
"description": "Detects a highly relevant Antivirus alert that reports a password dumper.\nThis event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.\n",
"event_ids": [
"1019",
"1012",
"1008",
"1010",
"1011",
"1017",
"1116",
"1018",
"1115",
"1007",
"1006",
"1009"
],
"id": "46fc2e9f-df4e-8628-05d5-39bc97b56bab",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Antivirus Password Dumper Detection"
},
{
"description": "Detects a highly relevant Antivirus alert that reports ransomware.\nThis event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.\n",
"event_ids": [
"1007",
"1017",
"1009",
"1115",
"1008",
"1011",
"1018",
"1019",
"1012",
"1116",
"1006",
"1010"
],
"id": "22f82564-4b51-e901-bf00-ea94ff39b468",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Antivirus Ransomware Detection"
},
{
"description": "Detects a highly relevant Antivirus alert that reports a web shell.\nIt is highly recommended to tune this rule to the specific strings used by your antivirus solution, e.g. by downloading a large web shell repository from GitHub and checking which detection names it produces.\nThis event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.\n",
"event_ids": [
"1008",
"1017",
"1007",
"1006",
"1018",
"1019",
"1012",
"1010",
"1011",
"1116",
"1115",
"1009"
],
"id": "207b56b3-b44d-dcee-c171-c8f3f4eb3cf6",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Antivirus Web Shell Detection"
},
{
"description": "Detects DNS queries for subdomains related to \"Put.io\" sharing website.",
"event_ids": [
"3008"
],
"id": "9b3ffe56-a479-9b35-d590-9b94c2f7fa35",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "DNS Query To Put.io - DNS Client"
},
{
"description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons",
"event_ids": [
"3008"
],
"id": "f0b3a5e9-e4ee-ed23-3b27-4dd30c5974c8",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client"
},
{
"description": "Detects DNS resolution of an .onion address related to Tor routing networks",
"event_ids": [
"3008"
],
"id": "e1b0fd63-1017-1597-ec08-3f9e1021e564",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Query Tor Onion Address - DNS Client"
},
{
"description": "Detects DNS queries for subdomains related to MEGA sharing website",
"event_ids": [
"3008"
],
"id": "14b17417-8ae7-ff8e-fe36-28aaa337ccd5",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "DNS Query To MEGA Hosting Website - DNS Client"
},
{
"description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes",
"event_ids": [
"3008"
],
"id": "2abf05fa-98f2-d00b-6a6a-12d07e55233e",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "DNS Query for Anonfiles.com Domain - DNS Client"
},
{
"description": "Detects DNS queries to \"ufile.io\", which was seen abused by malware and threat actors as a method for data exfiltration",
"event_ids": [
"3008"
],
"id": "ec3b018a-d4dd-2d51-4a63-50d078f737dd",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "DNS Query To Ufile.io - DNS Client"
},
{
"description": "Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.",
"event_ids": [
"4"
],
"id": "12800c31-cb60-9d63-bcc2-9ad342585c3a",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "OpenSSH Server Listening On Socket"
},
{
"description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.",
"event_ids": [
"5861",
"5859"
],
"id": "efac5da1-1be2-d8d6-863e-d61125c1cbbd",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "WMI Persistence"
},
{
"description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.\nThis event is best correlated and used as an enrichment to determine the potential lateral movement activity.\n",
"event_ids": [
"4624"
],
"id": "910ec16d-6957-01b7-39a8-5e676e459cac",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Potential Remote WMI ActiveScriptEventConsumers Activity"
},
{
"description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME",
"event_ids": [
"4699"
],
"id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3",
"level": "low",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Task Deletion"
},
{
"description": "Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential credential-stealing attempt. This rule requires heavy baselining before usage.\n",
"event_ids": [
"4663"
],
"id": "7619b716-8052-6323-d9c7-87923ef591e6",
"level": "low",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Access To Browser Credential Files By Uncommon Applications - Security"
},
{
"description": "Detects when a rule has been modified in the Windows firewall exception list",
"event_ids": [
"2073",
"2005"
],
"id": "5d551ac6-b825-b536-7ec6-75339fc57a25",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Firewall Rule Modified In The Windows Firewall Exception List"
},
{
"description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability",
"event_ids": [
"101"
],
"id": "b0e8486c-73f6-e1ba-9684-acba841c2719",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Loading Diagcab Package From Remote Path"
},
{
"description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache",
"event_ids": [
"28115"
],
"id": "487f5b43-6155-d21c-7189-1a6108974f1b",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious Application Installed"
},
{
"description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.",
"event_ids": [],
"id": "aedc0f64-b9e7-36d1-fd92-838fdf33eac3",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious Non PowerShell WSMAN COM Provider"
},
{
"description": "Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\n",
"event_ids": [],
"id": "ee9681d0-6ba5-5eaf-9c8b-fe39afe542b9",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell"
},
{
"description": "Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.",
"event_ids": [],
"id": "29a3935d-0428-4f39-d39e-ec43c598b272",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Potential RemoteFXvGPUDisablement.EXE Abuse"
},
{
"description": "Detects Obfuscated Powershell via use Clip.exe in Scripts",
"event_ids": [
"4697"
],
"id": "8ec23dfa-00a7-2b09-1756-678e941d69b2",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Via Use Clip - Security"
},
{
"description": "Detects external disk drives or plugged-in USB devices.",
"event_ids": [
"6416"
],
"id": "eab514f7-3f9b-a705-4d1d-8fee3d81c4b5",
"level": "low",
"subcategory_guids": [
"0CCE9248-69AE-11D9-BED3-505054503030"
],
"title": "External Disk Drive Or USB Storage Device Was Recognized By The System"
},
{
"description": "Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.\n",
"event_ids": [
"5156"
],
"id": "1ee90f6c-2d09-5bcf-b8fd-06fe14f86746",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Uncommon Outbound Kerberos Connection - Security"
},
{
"description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.",
"event_ids": [
"4662"
],
"id": "5c8e2537-5c7f-56d8-de80-1f0746b61067",
"level": "critical",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "Active Directory Replication from Non Machine Account"
},
{
"description": "Detects the mount of an ISO image on an endpoint",
"event_ids": [
"4663"
],
"id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "ISO Image Mounted"
},
{
"description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.",
"event_ids": [
"4698"
],
"id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Creation"
},
{
"description": "Detects service ticket requests using RC4 encryption type",
"event_ids": [
"4769"
],
"id": "2d20edf4-6141-35c5-e54f-3c578082d1d3",
"level": "medium",
"subcategory_guids": [
"0CCE9240-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Kerberos RC4 Ticket Encryption"
},
{
"description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.",
"event_ids": [
"4616"
],
"id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0",
"level": "low",
"subcategory_guids": [
"0CCE9210-69AE-11D9-BED3-505054503030",
"69979849-797A-11D9-BED3-505054503030"
],
"title": "Unauthorized System Time Modification"
},
{
"description": "An attacker can use the SID history attribute to gain additional privileges.",
"event_ids": [
"4766",
"4738",
"4765"
],
"id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad",
"level": "medium",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Addition of SID History to Active Directory Object"
},
{
"description": "Detects anyone attempting a backup of the DPAPI Master Key. This event gets generated on the source host and not on the Domain Controller.",
"event_ids": [
"4692"
],
"id": "725b729a-b3ea-fb14-9cad-a4e944af8b5d",
"level": "medium",
"subcategory_guids": [
"0CCE922D-69AE-11D9-BED3-505054503030"
],
"title": "DPAPI Domain Master Key Backup Attempt"
},
{
"description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code into kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes that are allowed to do so, you may be left with malicious programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools, so you have to work with an allowlist to find the bad activity.\n",
"event_ids": [
"4673"
],
"id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7",
"level": "medium",
"subcategory_guids": [
"0CCE9228-69AE-11D9-BED3-505054503030",
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege"
},
{
"description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.",
"event_ids": [
"5379"
],
"id": "586bcb8e-f698-f372-54cf-ff08727352e7",
"level": "high",
"subcategory_guids": [],
"title": "Password Protected ZIP File Opened (Suspicious Filenames)"
},
{
"description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares",
"event_ids": [
"5145"
],
"id": "73d3720b-e4f3-d7e1-2a3f-8ca0a5e1fc1b",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Transferring Files with Credential Data via Network Shares"
},
{
"description": "Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.",
"event_ids": [
"4771",
"4769",
"675",
"4768"
],
"id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b",
"level": "high",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030",
"0CCE9240-69AE-11D9-BED3-505054503030"
],
"title": "Kerberos Manipulation"
},
{
"description": "Detects locked workstation session events that occur automatically after a standard period of inactivity.",
"event_ids": [
"4800"
],
"id": "c4d03743-7286-15e4-d317-c86d1b5fdc09",
"level": "informational",
"subcategory_guids": [
"0CCE921C-69AE-11D9-BED3-505054503030"
],
"title": "Locked Workstation"
},
{
"description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.\n",
"event_ids": [
"5038",
"6281"
],
"id": "4f738466-2a14-5842-1eb3-481614770a49",
"level": "informational",
"subcategory_guids": [
"0CCE9212-69AE-11D9-BED3-505054503030"
],
"title": "Failed Code Integrity Checks"
},
{
"description": "Detects Obfuscated Powershell via VAR++ LAUNCHER",
"event_ids": [
"4697"
],
"id": "eb15263a-80e1-a789-18a9-ec45f9a6edfc",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security"
},
{
"description": "Detects the creation of a local hidden user account, which should not normally be seen in event ID 4720.",
"event_ids": [
"4720"
],
"id": "23013005-3d59-4dbe-dabd-d17a54e6c6cf",
"level": "high",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Hidden Local User Creation"
},
{
"description": "Detects Obfuscated Powershell via use Rundll32 in Scripts",
"event_ids": [
"4697"
],
"id": "89d88072-7a24-8218-a044-0c071bf36bf6",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Via Use Rundll32 - Security"
},
{
"description": "Detects reconnaissance of privileged users or groups based on event ID 4661 and the SIDs of known privileged users or groups.",
"event_ids": [
"4661"
],
"id": "93c95eee-748a-e1db-18a5-f40035167086",
"level": "high",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030",
"0CCE9220-69AE-11D9-BED3-505054503030"
],
"title": "AD Privileged Users or Groups Reconnaissance"
},
{
"description": "Detects scenarios where system auditing for important events such as \"Process Creation\" or \"Logon\" events is disabled.",
"event_ids": [
"4719"
],
"id": "5fa54162-0bc4-710e-5dec-7ccc99ee4d52",
"level": "high",
"subcategory_guids": [
"0CCE922F-69AE-11D9-BED3-505054503030"
],
"title": "Important Windows Event Auditing Disabled"
},
{
"description": "Detects known sensitive file extensions accessed on a network share",
"event_ids": [
"5145"
],
"id": "4af39497-9655-9586-817d-94f0df38913f",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Access to Sensitive File Extensions"
},
{
"description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation",
"event_ids": [
"4697"
],
"id": "1b037a84-214e-b58a-53ae-949542063f1f",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
},
{
"description": "Detects DCShadow via create new SPN",
"event_ids": [
"4742",
"5136"
],
"id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433",
"level": "medium",
"subcategory_guids": [
"0CCE9236-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Possible DC Shadow Attack"
},
{
"description": "Detects process handle on LSASS process with certain access mask",
"event_ids": [
"4663",
"4656"
],
"id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious AccessMask Requested From LSASS"
},
{
"description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0",
"event_ids": [
"4697"
],
"id": "df47c51b-2738-8866-a1d7-86b96fb5b5ca",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Service Installed By Unusual Client - Security"
},
{
"description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n",
"event_ids": [
"4656",
"4663"
],
"id": "321196fe-fb10-6b13-c611-3dfe40baa1af",
"level": "medium",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Monitoring Agent Registry Keys Access"
},
{
"description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.",
"event_ids": [
"5145"
],
"id": "85e72fe3-83af-8ed9-39d3-2883e46059f1",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security"
},
{
"description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986",
"event_ids": [
"5156"
],
"id": "cc1d9970-7c17-d738-f5cb-8fb12f02d0fd",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Remote PowerShell Sessions Network Connections (WinRM)"
},
{
"description": "Detects service installation of various remote access tool software. Such software is often abused by threat actors.",
"event_ids": [
"4697"
],
"id": "85e291ec-b85b-2553-1aba-03c9ad116b61",
"level": "medium",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Remote Access Tool Services Have Been Installed - Security"
},
{
"description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale",
"event_ids": [
"5145",
"5136"
],
"id": "01628b51-85e1-4088-9432-a11cba9f3ebd",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Persistence and Execution at Scale via GPO Scheduled Task"
},
{
"description": "Detects Obfuscated use of Environment Variables to execute PowerShell",
"event_ids": [
"4697"
],
"id": "fbc9679a-a1f8-33c7-5a85-c6e7a3c2363f",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation VAR+ Launcher - Security"
},
{
"description": "Detects read access to a domain user from a non-machine account",
"event_ids": [
"4662"
],
"id": "fe814c5a-505f-a313-7d8c-030187c24e8e",
"level": "medium",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "Potential AD User Enumeration From Non-Machine Account"
},
{
"description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.",
"event_ids": [
"5379"
],
"id": "7e1daab0-3263-403e-ec26-de48e3bf22c3",
"level": "medium",
"subcategory_guids": [],
"title": "Password Protected ZIP File Opened"
},
{
"description": "Detects powershell script installed as a Service",
"event_ids": [
"4697"
],
"id": "8c3523c1-357b-5653-335a-9db3ecfcbc2a",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "PowerShell Scripts Installed as Services - Security"
},
{
"description": "Detects WRITE_DAC access to a domain object",
"event_ids": [
"4662"
],
"id": "09c08048-5eab-303f-dfe3-706a6052b6f9",
"level": "critical",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "AD Object WriteDAC Access"
},
{
"description": "Detects a scenario where weak encryption is enabled for a user account, which could be used for hash/password cracking.",
"event_ids": [
"4738"
],
"id": "2ea71437-cb4d-5a41-2431-1773fce76de8",
"level": "high",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Weak Encryption Enabled and Kerberoast"
},
{
"description": "Addition of domains is rare and should be verified for legitimacy.",
"event_ids": [
"4706"
],
"id": "5a3e5a2f-bdf8-d6d0-f439-5543b54d5ba5",
"level": "medium",
"subcategory_guids": [
"0CCE9230-69AE-11D9-BED3-505054503030"
],
"title": "A New Trust Was Created To A Domain"
},
{
"description": "Detects access to ADMIN$ network share",
"event_ids": [
"5140"
],
"id": "37b219bc-37bb-1261-f179-64307c1a1829",
"level": "low",
"subcategory_guids": [
"0CCE9224-69AE-11D9-BED3-505054503030"
],
"title": "Access To ADMIN$ Network Share"
},
{
"description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.",
"event_ids": [
"4625",
"4776"
],
"id": "655eb351-553b-501f-186e-aa9af13ecf43",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Account Tampering - Suspicious Failed Logon Reasons"
},
{
"description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it",
"event_ids": [
"4663",
"4657"
],
"id": "249d836c-8857-1b98-5d7b-050c2d34e275",
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Sysmon Channel Reference Deletion"
},
{
"description": "Potential adversaries accessing the microphone and webcam in an endpoint.",
"event_ids": [
"4656",
"4663",
"4657"
],
"id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Processes Accessing the Microphone and Webcam"
},
{
"description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey",
"event_ids": [
"4663",
"4656"
],
"id": "63308dbe-54a4-9c70-cc90-6d15e10f3505",
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "SysKey Registry Keys Access"
},
{
"description": "Detects potential token impersonation and theft. Example, when using \"DuplicateToken(Ex)\" and \"ImpersonateLoggedOnUser\" with the \"LOGON32_LOGON_NEW_CREDENTIALS flag\".",
"event_ids": [
"4624"
],
"id": "e8c130a4-cf04-543d-919b-76947bde76b8",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Potential Access Token Abuse"
},
{
"description": "Detects the default \"UserName\" used by the DiagTrackEoP POC",
"event_ids": [
"4624"
],
"id": "dd648614-9dd8-fab8-92d6-be7dfa1b393c",
"level": "critical",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "DiagTrackEoP Default Login Username"
},
{
"description": "Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.",
"event_ids": [
"4625"
],
"id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon From Public IP"
},
{
"description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep",
"event_ids": [
"4625"
],
"id": "232ecd79-c09d-1323-8e7e-14322b766855",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
},
{
"description": "Detect remote login by Administrator user (depending on internal pattern).",
"event_ids": [
"4624"
],
"id": "de5d0dd7-b73e-7f18-02b0-6b1acb7e9f52",
"level": "low",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Admin User Remote Logon"
},
{
"description": "Detects activity when a member is removed from a security-enabled global group",
"event_ids": [
"633",
"4729"
],
"id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c",
"level": "low",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "A Member Was Removed From a Security-Enabled Global Group"
},
{
"description": "Detects successful logon attempts performed with WMI",
"event_ids": [
"4624"
],
"id": "c310cab1-252e-1d98-6b6f-e6e60c88a374",
"level": "low",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Successful Account Login Via WMI"
},
{
"description": "Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.",
"event_ids": [
"4624"
],
"id": "56a1bb6f-e039-3f65-3ea0-de425cefa8a7",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "External Remote RDP Logon from Public IP"
},
{
"description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like",
"event_ids": [
"4624"
],
"id": "a1f9fad3-d563-5f3f-de09-e4ca03b97522",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "RottenPotato Like Attack Pattern"
},
{
"description": "Detects the attack technique pass the hash which is used to move laterally inside the network",
"event_ids": [
"4624"
],
"id": "059e7255-411c-1666-a2e5-2e99e294e614",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Pass the Hash Activity 2"
},
{
"description": "Detects logon events that specify new credentials",
"event_ids": [
"4624"
],
"id": "897e25ba-f935-3fd3-c6d5-f9abf379e831",
"level": "low",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Outgoing Logon with New Credentials"
},
{
"description": "RDP login with localhost source address may be a tunnelled login",
"event_ids": [
"4624"
],
"id": "b3f33f69-1331-d3d0-eb62-81f477abad86",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "RDP Login from Localhost"
},
{
"description": "Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.\nThis may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.\n",
"event_ids": [
"4624"
],
"id": "96896e3a-28de-da11-c7fd-0040868e3a2f",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Potential Privilege Escalation via Local Kerberos Relay over LDAP"
},
{
"description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g. Mimikatz's sekurlsa::pth module.",
"event_ids": [
"4624"
],
"id": "20f4e87b-c272-42da-9a1f-ad54206e3622",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Successful Overpass the Hash Attempt"
},
{
"description": "Detects activity when a security-enabled global group is deleted",
"event_ids": [
"634",
"4730"
],
"id": "ae7d8d1c-f75b-d952-e84e-a7981b861590",
"level": "low",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "A Security-Enabled Global Group Was Deleted"
},
{
"description": "Detects activity when a member is added to a security-enabled global group",
"event_ids": [
"4728",
"632"
],
"id": "26767093-828c-2f39-bdd8-d0439e87307c",
"level": "low",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "A Member Was Added to a Security-Enabled Global Group"
},
{
"description": "Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.",
"event_ids": [
"4624"
],
"id": "5c67a566-7829-eb05-4a1f-0eb292ef993f",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "External Remote SMB Logon from Public IP"
},
{
"description": "Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host",
"event_ids": [
"4656",
"4663"
],
"id": "de10da38-ee60-f6a4-7d70-4d308558158b",
"level": "critical",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "WCE wceaux.dll Access"
},
{
"description": "Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity",
"event_ids": [
"4732"
],
"id": "6695d6a2-9365-ee87-ccdd-966b0e1cdbd4",
"level": "medium",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "User Added to Local Administrator Group"
},
{
"description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.",
"event_ids": [
"4663"
],
"id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Teams Application Related ObjectAcess Event"
},
{
"description": "Detects suspicious processes logging on with explicit credentials",
"event_ids": [
"4648"
],
"id": "250cf413-1d30-38fd-4b41-ae5a92452700",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Remote Logon with Explicit Credentials"
},
{
"description": "Detects scheduled task update events that contain suspicious keywords.",
"event_ids": [
"4702"
],
"id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Update"
},
{
"description": "Detect PetitPotam coerced authentication activity.",
"event_ids": [
"5145"
],
"id": "bcc12e55-1578-5174-2a47-98a6211a1c6c",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Possible PetitPotam Coerce Authentication Attempt"
},
{
"description": "Detects user log-off activity. Can be used, for example, to correlate information during forensic investigations.",
"event_ids": [
"4647",
"4634"
],
"id": "73f64ce7-a76d-0208-ea75-dd26a09d719b",
"level": "informational",
"subcategory_guids": [
"0CCE9216-69AE-11D9-BED3-505054503030"
],
"title": "User Logoff Event"
},
{
"description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.",
"event_ids": [
"5145"
],
"id": "f252afa3-fe83-562c-01c0-1334f55af84c",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "T1047 Wmiprvse Wbemcomn DLL Hijack"
},
{
"description": "Detects Obfuscated use of stdin to execute PowerShell",
"event_ids": [
"4697"
],
"id": "3ae69c7e-e865-c0e2-05b7-553ab8979ac0",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation STDIN+ Launcher - Security"
},
{
"description": "Detects non-system users performing privileged operations on the SCM database",
"event_ids": [
"4674"
],
"id": "ec9c7ea2-54d7-3a55-caa8-4741f099505a",
"level": "medium",
"subcategory_guids": [
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "SCM Database Privileged Operation"
},
{
"description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers",
"event_ids": [
"4662"
],
"id": "c42c534d-16ae-877f-0722-6d6914090855",
"level": "high",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "DPAPI Domain Backup Key Extraction"
},
{
"description": "Detects an installation of a device that is forbidden by the system policy",
"event_ids": [
"6423"
],
"id": "53f7ff98-38dd-f02c-0658-1debbf8deddc",
"level": "medium",
"subcategory_guids": [
"0CCE9248-69AE-11D9-BED3-505054503030"
],
"title": "Device Installation Blocked"
},
{
"description": "Detects potential use of Rubeus via registered new trusted logon process",
"event_ids": [
"4611"
],
"id": "a5498e1f-e40d-d8b1-bceb-5931f5169dbd",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Register new Logon Process by Rubeus"
},
{
"description": "Detects a user being assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects.",
"event_ids": [
"4704"
],
"id": "eaafcd7e-3303-38d1-9cff-fcfbae177f4d",
"level": "high",
"subcategory_guids": [
"0CCE9231-69AE-11D9-BED3-505054503030"
],
"title": "Enabled User Right in AD to Control User Objects"
},
{
"description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.",
"event_ids": [
"5379"
],
"id": "77366099-d04a-214d-365c-c62c537df3ba",
"level": "high",
"subcategory_guids": [],
"title": "Password Protected ZIP File Opened (Email Attachment)"
},
{
"description": "Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes or if an attacker uses a PsExec client other than the Sysinternals one.",
"event_ids": [
"5145"
],
"id": "426009da-814c-c1c0-cf41-6631c9ff6a8e",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious PsExec Execution"
},
{
"description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement",
"event_ids": [
"4697"
],
"id": "3d2e9eef-8851-f3ed-49e1-53e350e277cb",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "CobaltStrike Service Installations - Security"
},
{
"description": "Detects NetNTLM downgrade attack",
"event_ids": [
"4657"
],
"id": "68f0908b-8434-9199-f0a3-350c27ac97c4",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "NetNTLM Downgrade Attack"
},
{
"description": "Detects files that have extensions commonly seen while SDelete is used to wipe files.",
"event_ids": [
"4663",
"4656",
"4658"
],
"id": "70c3269a-a7f2-49bd-1e28-a0921f353db7",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9223-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Potential Secure Deletion with SDelete"
},
{
"description": "This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes",
"event_ids": [
"5145"
],
"id": "308a3356-4624-7c95-24df-cf5a02e5eb56",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "First Time Seen Remote Named Pipe"
},
{
"description": "Detects well-known credential dumping tools execution via service execution events",
"event_ids": [
"4697"
],
"id": "633bd649-4b18-b5bd-d923-07caeccd1ee0",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Credential Dumping Tools Service Execution - Security"
},
{
"description": "Detects handles requested to SAM registry hive",
"event_ids": [
"4656"
],
"id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
"level": "high",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "SAM Registry Hive Handle Request"
},
{
"description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.\n",
"event_ids": [
"5136",
"5145"
],
"id": "bc613d09-5a80-cad3-6f65-c5020f960511",
"level": "medium",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Startup/Logon Script Added to Group Policy Object"
},
{
"description": "Detects certificate creation with a template allowing a risky permission subject",
"event_ids": [
"4899",
"4898"
],
"id": "3a655a7c-a830-77ad-fc8b-f054fb713304",
"level": "low",
"subcategory_guids": [
"0CCE9221-69AE-11D9-BED3-505054503030"
],
"title": "ADCS Certificate Template Configuration Vulnerability"
},
{
"description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"",
"event_ids": [
"4661"
],
"id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef",
"level": "high",
"subcategory_guids": [
"0CCE9220-69AE-11D9-BED3-505054503030",
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "Reconnaissance Activity"
},
{
"description": "Detects suspicious Kerberos TGT requests.\nOnce an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.\n",
"event_ids": [
"4768"
],
"id": "cd01c787-aad1-bbed-5842-aa8e58410aad",
"level": "high",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "PetitPotam Suspicious Kerberos TGT Request"
},
{
"description": "Detects Windows Pcap driver installation based on a list of associated .sys files.",
"event_ids": [
"4697"
],
"id": "566fa294-85f7-af27-80c7-753d9941729b",
"level": "medium",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Windows Pcap Drivers"
},
{
"description": "Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.\n",
"event_ids": [
"5441",
"5447"
],
"id": "4d56e133-40b5-5b28-07b5-bab0913fc338",
"level": "high",
"subcategory_guids": [
"0CCE9233-69AE-11D9-BED3-505054503030",
"0CCE9234-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - EDRSilencer Execution - Filter Added"
},
{
"description": "Detects Obfuscated Powershell via Stdin in Scripts",
"event_ids": [
"4697"
],
"id": "b073cf4b-ed38-0a6f-38d3-50997892d7e7",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Via Stdin - Security"
},
{
"description": "Detects when the password policy is enumerated.",
"event_ids": [
"4661"
],
"id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4",
"level": "medium",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030",
"0CCE9220-69AE-11D9-BED3-505054503030"
],
"title": "Password Policy Enumerated"
},
{
"description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.",
"event_ids": [
"5136"
],
"id": "925d441a-37b4-0afa-1d98-809b5df5fd06",
"level": "high",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious LDAP-Attributes Used"
},
{
"description": "Detects execution of Impacket's psexec.py.",
"event_ids": [
"5145"
],
"id": "24e370e0-b9f0-5851-0261-f984742ff2a1",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Impacket PsExec Execution"
},
{
"description": "Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers",
"event_ids": [
"5145"
],
"id": "7695295d-281f-23ce-d52e-8336ebd47532",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Protected Storage Service Access"
},
{
"description": "Detects possible addition of shadow credentials to an active directory object.",
"event_ids": [
"5136"
],
"id": "8bcf1772-4335-28e1-e320-5ce48b15ae9f",
"level": "high",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Possible Shadow Credentials Added"
},
{
"description": "Potential adversary activity stopping the ETW providers that record loaded .NET assemblies.",
"event_ids": [
"4657"
],
"id": "107a403c-5a05-2568-95a7-a7329d714440",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "ETW Logging Disabled In .NET Processes - Registry"
},
{
"description": "Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.\n",
"event_ids": [
"4720"
],
"id": "5ecd226b-563f-4723-7a1e-d637d81f0a1f",
"level": "low",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Local User Creation"
},
{
"description": "Detects potential attempts made to set the Directory Services Restore Mode administrator password.\nThe Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.\nAttackers may change the password in order to obtain persistence.\n",
"event_ids": [
"4794"
],
"id": "4592ea29-1b0e-0cc3-7735-b7f264c0a5b8",
"level": "high",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Password Change on Directory Service Restore Mode (DSRM) Account"
},
{
"description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation",
"event_ids": [
"4697"
],
"id": "e2755f38-e817-94c0-afef-acff29676b43",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security"
},
{
"description": "This rule will collect the data needed to start looking into possible kerberoasting activity.\nFurther analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.\nYou can then set a threshold for the number of requests and time between the requests to turn this into an alert.\n",
"event_ids": [
"4769"
],
"id": "4386b4e0-f268-42a6-b91d-e3bb768976d6",
"level": "medium",
"subcategory_guids": [
"0CCE9240-69AE-11D9-BED3-505054503030"
],
"title": "Kerberoasting Activity - Initial Query"
},
{
"description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client",
"event_ids": [
"4649"
],
"id": "167784ae-8d7f-ca00-e9d9-586a4c8469e8",
"level": "high",
"subcategory_guids": [
"0CCE921C-69AE-11D9-BED3-505054503030"
],
"title": "Replay Attack Detected"
},
{
"description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.",
"event_ids": [
"4720"
],
"id": "e5c627ea-fa27-df99-0573-e47092dc4a98",
"level": "high",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Windows ANONYMOUS LOGON Local Account Created"
},
{
"description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION",
"event_ids": [
"4697"
],
"id": "d0c8e98d-0746-a43c-9170-c04e7f7a3867",
"level": "medium",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security"
},
{
"description": "Alerts on Metasploit host's authentications on the domain.",
"event_ids": [
"4776",
"4624",
"4625"
],
"id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
"level": "high",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Metasploit SMB Authentication"
},
{
"description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.",
"event_ids": [
"4662"
],
"id": "ec2275df-3a0a-933f-0573-490938cc47ef",
"level": "medium",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "WMI Persistence - Security"
},
{
"description": "Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.\n",
"event_ids": [
"4657"
],
"id": "8948f034-2d45-47bc-c04b-14ab124247f3",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion List Modified"
},
{
"description": "Detects Obfuscated Powershell via use MSHTA in Scripts",
"event_ids": [
"4697"
],
"id": "3dc2d411-4f0e-6564-d243-8351afd3d375",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Via Use MSHTA - Security"
},
{
"description": "Looks for non-system accounts accessing a file over SMB with a write (0x2) access mask via an administrative share (e.g. C$).",
"event_ids": [
"5145"
],
"id": "37f5d188-182d-7a53-dca7-4bebbb6ce43e",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "SMB Create Remote File Admin Share"
},
{
"description": "Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.\n",
"event_ids": [
"4697"
],
"id": "15284efb-90de-5675-59c5-433d34675e8e",
"level": "low",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Tap Driver Installation - Security"
},
{
"description": "Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe",
"event_ids": [
"5145"
],
"id": "93fd0f77-62da-26fb-3e96-71cde45a9680",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Remote Task Creation via ATSVC Named Pipe"
},
{
"description": "Detects potential mimikatz-like tools accessing LSASS from non system account",
"event_ids": [
"4663",
"4656"
],
"id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "LSASS Access From Non System Account"
},
{
"description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available Windows servers in the network.\n",
"event_ids": [
"4825"
],
"id": "c0c9db9a-0a47-c9fd-13fd-965eadb10a6f",
"level": "medium",
"subcategory_guids": [],
"title": "Denied Access To Remote Desktop"
},
{
"description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references",
"event_ids": [
"4697"
],
"id": "9ab29a5b-d66d-a41e-bdaf-8c718011875c",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security"
},
{
"description": "Detects non-system users failing to get a handle of the SCM database.",
"event_ids": [
"4656"
],
"id": "474caaa9-3115-c838-1509-59ffb6caecfc",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "SCM Database Handle Failure"
},
{
"description": "Detects AD credential dumping using the Impacket secretdump hacktool (HKTL)",
"event_ids": [
"5145"
],
"id": "677980bc-7dcc-1f9a-e161-a7f310ec9652",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Possible Impacket SecretDump Remote Activity"
},
{
"description": "Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.\nAdversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.\n",
"event_ids": [
"5157"
],
"id": "764518e5-4160-b679-1946-cbd0e76705da",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Windows Filtering Platform Blocked Connection From EDR Agent Binary"
},
{
"description": "Rule to detect the Hybrid Connection Manager service installation.",
"event_ids": [
"4697"
],
"id": "54f9b4d2-3f4a-675f-58d6-9995ae58f988",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "HybridConnectionManager Service Installation"
},
{
"description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.",
"event_ids": [
"5145"
],
"id": "192d9d70-11ad-70e5-9d6c-d32a1ec74857",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Windows Network Access Suspicious desktop.ini Action"
},
{
"description": "Detects \"read access\" requests on the services registry key.\nAdversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.\n",
"event_ids": [
"4663"
],
"id": "d1909400-93d7-de3c-ba13-153c64499c7c",
"level": "low",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Service Registry Key Read Access Request"
},
{
"description": "Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.\n",
"event_ids": [
"4663",
"4656"
],
"id": "777523b0-14f8-1ca2-12c9-d668153661ff",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion Registry Key - Write Access Requested"
},
{
"description": "Detects certificate creation with a template allowing a risky permission subject and a risky EKU",
"event_ids": [
"4899",
"4898"
],
"id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b",
"level": "high",
"subcategory_guids": [
"0CCE9221-69AE-11D9-BED3-505054503030"
],
"title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU"
},
{
"description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution",
"event_ids": [
"517",
"1102"
],
"id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9",
"level": "high",
"subcategory_guids": [],
"title": "Security Eventlog Cleared"
},
{
"description": "Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\n",
"event_ids": [
"5447",
"5449"
],
"id": "22d4af9f-97d9-4827-7209-c451ff7f43c6",
"level": "high",
"subcategory_guids": [
"0CCE9233-69AE-11D9-BED3-505054503030",
"0CCE9234-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - NoFilter Execution"
},
{
"description": "Detects svchost hosting RDP termsvcs communicating with the loopback address",
"event_ids": [
"5156"
],
"id": "810804a5-98c3-7e56-e8ed-8a95d72ad829",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "RDP over Reverse SSH Tunnel WFP"
},
{
"description": "The 'LsaRegisterLogonProcess' function verifies that the calling application is a logon process by checking that it holds SeTcbPrivilege. A failed privileged service call (event 4673) for this function may indicate Rubeus or a similar tool trying to obtain a handle to LSA.",
"event_ids": [
"4673"
],
"id": "cd93b6ed-961d-ed36-92db-bd44bccda695",
"level": "high",
"subcategory_guids": [
"0CCE9229-69AE-11D9-BED3-505054503030",
"0CCE9228-69AE-11D9-BED3-505054503030"
],
"title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'"
},
{
"description": "Detects the authentication events (4624/4625/4776) generated when the Ruler hacktool by SensePost is used.",
"event_ids": [
"4625",
"4776",
"4624"
],
"id": "8b40829b-4556-9bec-a8ad-905688497639",
"level": "high",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Hacktool Ruler"
},
{
"description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER",
"event_ids": [
"4697"
],
"id": "826feb8b-536b-0302-0b4e-bd34cc5c4923",
"level": "medium",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security"
},
{
"description": "Detects Mimikatz DC sync security events",
"event_ids": [
"4662"
],
"id": "daad2203-665f-294c-6d2f-f9272c3214f2",
"level": "high",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "Mimikatz DC Sync"
},
{
"description": "Detects the creation (4720) or renaming (4781) of a user account whose name contains the \"$\" character. Attackers use this to make a user account resemble a computer account, hiding it from casual review and from detection logic that does not parse the suffix.\n",
"event_ids": [
"4720",
"4781"
],
"id": "ec77919c-1169-6640-23e7-91c6f27ddc91",
"level": "medium",
"subcategory_guids": [
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "New or Renamed User Account with '$' Character"
},
{
"description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN",
"event_ids": [
"4656"
],
"id": "d81faa44-ff28-8f61-097b-92727b8af44b",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Password Dumper Activity on LSASS"
},
{
"description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities",
"event_ids": [
"4701",
"4699"
],
"id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Important Scheduled Task Deleted/Disabled"
},
{
"description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.\n",
"event_ids": [
"5136"
],
"id": "6e3066ef-54e1-9d1b-5bc6-9ae6947ae271",
"level": "medium",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Group Policy Abuse for Privilege Addition"
},
{
"description": "Detects scenarios where one account can be used to control another user's or computer's account without knowing its credentials (attribute changes recorded by events 4738 and 5136).",
"event_ids": [
"4738",
"5136"
],
"id": "c9123898-04d5-2d3b-5e2b-7c0c92111480",
"level": "high",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9235-69AE-11D9-BED3-505054503030"
],
"title": "Active Directory User Backdoors"
},
{
"description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n",
"event_ids": [
"4663",
"4656"
],
"id": "763d50d7-9452-0146-18a1-9ca65e3a2f73",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Service Agents Registry Keys Access"
},
{
"description": "Detects the suspicious computer account name pattern samtheadmin-{1..100}$ generated by the sam-the-admin hacktool.",
"event_ids": [],
"id": "2875c85a-58eb-ca3b-80a3-4cdd8ffa41a8",
"level": "critical",
"subcategory_guids": [],
"title": "Win Susp Computer Name Containing Samtheadmin"
},
{
"description": "Detects remote service activity via remote access to the svcctl named pipe",
"event_ids": [
"5145"
],
"id": "9a0e08fc-d50e-2539-9da0-f2b04439c414",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Remote Service Activity via SVCCTL Named Pipe"
},
{
"description": "Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.\n",
"event_ids": [
"4719"
],
"id": "83d7b3c2-220e-60e8-4aad-98e206e841ba",
"level": "low",
"subcategory_guids": [
"0CCE922F-69AE-11D9-BED3-505054503030"
],
"title": "Windows Event Auditing Disabled"
},
{
"description": "Detects use of the spoolss named pipe over SMB. The Print Spooler RPC interface can be used to coerce any machine with the Print Spooler service enabled into authenticating via NTLM to an attacker-controlled host.",
"event_ids": [
"5145"
],
"id": "d415c82b-814d-5cdc-c2f2-a138115b878e",
"level": "medium",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "DCERPC SMB Spoolss Named Pipe"
},
{
"description": "Detects Obfuscated use of Clip.exe to execute PowerShell",
"event_ids": [
"4697"
],
"id": "660a0229-700e-8e43-40c7-fafe60c29491",
"level": "high",
"subcategory_guids": [
"0CCE9211-69AE-11D9-BED3-505054503030"
],
"title": "Invoke-Obfuscation CLIP+ Launcher - Security"
},
{
"description": "Detects a domain object being backdoored to grant the extended rights associated with DCSync to a regular user or machine account, e.g. via the PowerView Add-DomainObjectAcl cmdlet. Once granted, the principal can replicate (re-obtain) the password hashes of any user or computer at will.",
"event_ids": [
"5136"
],
"id": "e92d7fea-4127-4b6c-a889-3f0b89f7b567",
"level": "high",
"subcategory_guids": [
"0CCE923C-69AE-11D9-BED3-505054503030"
],
"title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right"
},
{
"description": "Detects the creation (4741) or removal (4743) of a computer account. Can be used to detect attacks such as DCShadow, which relies on registering a new SPN for a rogue domain controller.",
"event_ids": [
"4743",
"4741"
],
"id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d",
"level": "low",
"subcategory_guids": [
"0CCE9236-69AE-11D9-BED3-505054503030"
],
"title": "Add or Remove Computer from DC"
},
{
"description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.",
"event_ids": [
"4905",
"4904"
],
"id": "00f253a0-1035-e450-7f6e-e2291dee27ec",
"level": "informational",
"subcategory_guids": [
"0CCE922F-69AE-11D9-BED3-505054503030"
],
"title": "VSSAudit Security Event Source Registration"
},
{
"description": "Detects a rejected insecure SMB guest logon (SMBClient event 31017) from a remote IP. This was originally observed during PrintNightmare (CVE-2021-1675) remote code execution attempts against the Windows Print Spooler service, but any unexpected guest logon attempt is worth reviewing.",
"event_ids": [
"31017"
],
"id": "610c6a10-ca67-69c5-0f6d-761487fb3b37",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious Rejected SMB Guest Logon From IP"
},
{
"description": "Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.",
"event_ids": [
"2004",
"2071",
"2097"
],
"id": "bf17c34a-7b9d-65a8-a143-afa9c13e1fe4",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application"
},
{
"description": "Detects when a rule has been added to the Windows Firewall exception list",
"event_ids": [
"2004",
"2071",
"2097"
],
"id": "a1dbd390-a4c5-755a-1b1f-a76aabbecbbc",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Uncommon New Firewall Rule Added In Windows Firewall Exception List"
},
{
"description": "Detects when all the rules have been deleted from the Windows Defender Firewall configuration",
"event_ids": [
"2033",
"2059"
],
"id": "3623c339-f1c5-67f2-a5a2-ddb078d75f69",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "All Rules Have Been Deleted From The Windows Firewall Configuration"
},
{
"description": "Detects activity when Windows Defender Firewall has been reset to its default configuration",
"event_ids": [
"2032",
"2060"
],
"id": "e2592615-38d5-5099-c59f-83ab34a11d9a",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Firewall Has Been Reset To Its Default Configuration"
},
{
"description": "Detects activity when the settings of the Windows firewall have been changed",
"event_ids": [
"2002",
"2082",
"2083",
"2003",
"2008"
],
"id": "a0062bfc-2eba-05df-e231-f4a44b1317ab",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Firewall Settings Have Been Changed"
},
{
"description": "Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall",
"event_ids": [
"2052",
"2006"
],
"id": "55827aab-4062-032f-35e7-2406dc57c35e",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "A Rule Has Been Deleted From The Windows Firewall Exception List"
},
{
"description": "Detects activity when the Windows Defender Firewall service failed to load Group Policy, which may leave the host running with only its locally defined firewall settings",
"event_ids": [
"2009"
],
"id": "33a69619-460b-90f5-19b1-2f34036caf0a",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "The Windows Defender Firewall Service Failed To Load Group Policy"
},
{
"description": "Detects the addition of a new \"Allow\" firewall rule by the WMI process (WmiPrvSE.EXE).\nThis can occur if an attacker leverages PowerShell cmdlets such as \"New-NetFirewallRule\", or directly uses WMI CIM classes such as \"MSFT_NetFirewallRule\".\n",
"event_ids": [
"2004",
"2097",
"2071"
],
"id": "ac6e5dab-06d1-5064-a91c-0eb6246d22bd",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE"
},
{
"description": "Detects a service installation that uses a suspicious double ampersand used in the image path value",
"event_ids": [
"7045"
],
"id": "22b90bac-a283-6153-761c-7b6059f8f250",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "New Service Uses Double Ampersand in Path"
},
{
"description": "Detects when a Windows Defender exclusion has been deleted (event 4660, object deleted). This could indicate an attacker covering their tracks by removing exclusions they added earlier. A SACL must be set on the Defender exclusions registry key for the event to be generated.\n",
"event_ids": [
"4660"
],
"id": "7bd85790-c82a-56af-7127-f257e5ef6c6f",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion Deleted"
},
{
"description": "Detects suspicious PowerShell download command",
"event_ids": [],
"id": "12f93a4e-cd0e-18d7-6969-b345ecc8d40a",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious PowerShell Download"
},
{
"description": "An attacker might use the LOLBAS nltest.exe for discovery of domain controllers, domain trusts, the parent domain and the current user's permissions.",
"event_ids": [
"4689"
],
"id": "83c2f19e-f588-1826-fc7d-cf7f4db7031a",
"level": "high",
"subcategory_guids": [
"0CCE922C-69AE-11D9-BED3-505054503030"
],
"title": "Correct Execution of Nltest.exe"
},
{
"description": "This event was observed on the target host during lateral movement. The process name within the event is the process spawned post-compromise, and the Account Name is the compromised user account. Correlate this event with 4624 and 4688 for further intrusion context.",
"event_ids": [
"4674"
],
"id": "6683ccd7-da7a-b988-1683-7f7a1bf72bf6",
"level": "low",
"subcategory_guids": [
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "Lateral Movement Indicator ConDrv"
},
{
"description": "Checks for event id 1102 which indicates the security event log was cleared.",
"event_ids": [
"1102"
],
"id": "23f0b75b-66c0-4895-ae63-4243fa898109",
"level": "medium",
"subcategory_guids": [],
"title": "Security Event Log Cleared"
},
{
"description": "Detects suspicious PowerShell invocation command parameters",
"event_ids": [],
"id": "391b98f2-3f42-0d06-a295-18a2aa29d39a",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious PowerShell Invocations - Generic"
},
{
"description": "Detects SyncAppvPublishingServer process execution, which adversaries commonly use to bypass PowerShell execution restrictions.",
"event_ids": [],
"id": "349e3bb4-b72b-193d-810e-7d9c145b863e",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
},
{
"description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \"Member is added to a Security Group\".\nEvent ID 4729 indicates a \"Member is removed from a Security enabled-group\".\nEvent ID 4730 indicates a \"Security Group is deleted\".\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n",
"event_ids": [
"4730",
"4729",
"4728",
"632",
"633",
"634"
],
"id": "506379d9-8545-c010-e9a3-693119ab9261",
"level": "low",
"subcategory_guids": [
"0CCE9237-69AE-11D9-BED3-505054503030"
],
"title": "Group Modification Logging"
},
{
"description": "Detects suspicious PowerShell invocation command parameters",
"event_ids": [],
"id": "3db961f4-6217-4957-b717-e5955c82d6e5",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious PowerShell Invocations - Specific"
},
{
"description": "Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers",
"event_ids": [
"16"
],
"id": "f224a2b6-2db1-a1a2-42d4-25df0c460915",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "SAM Dump to AppData"
},
{
"description": "Detects disabling Windows Defender threat protection",
"event_ids": [
"5010",
"5101",
"5012",
"5001"
],
"id": "7424bd72-6b38-f5a1-7f25-4665452ec72b",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Threat Detection Disabled"
},
{
"description": "Detects cases in which ngrok, a reverse proxy tool, forwards connections to the local RDP port, which could be a sign of malicious behaviour",
"event_ids": [
"21"
],
"id": "cfba8e23-d224-ff3b-7cb7-dbc6085172a0",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Ngrok Usage with Remote Desktop Service"
},
{
"description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL",
"event_ids": [
"12",
"11"
],
"id": "838d17f1-63ba-03c4-f8ae-2bdfd74a6a08",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Microsoft Defender Blocked from Loading Unsigned DLL"
},
{
"description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations",
"event_ids": [
"11",
"12"
],
"id": "15277aa1-7b5b-9e3b-cca8-52c21a36d06c",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Unsigned Binary Loaded From Suspicious Location"
},
{
"description": "Detects repeated failed (outgoing) attempts to mount a hidden share",
"event_ids": [
"31010"
],
"id": "624e39e1-5bc5-13fe-0b2d-5d988a416f24",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Failed Mounting of Hidden Share"
},
{
"description": "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.",
"event_ids": [
"4771"
],
"id": "32ce2d24-3d1c-2f81-cddb-d64b33fe9247",
"level": "medium",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "Valid Users Failing to Authenticate From Single Source Using Kerberos"
},
{
"description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation",
"event_ids": [
"7045"
],
"id": "c953a767-8b94-df03-dd53-611baad380fd",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
},
{
"description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.",
"event_ids": [
"106"
],
"id": "696cf23d-d3f2-0a4d-6aff-b162d692a778",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Rare Scheduled Task Creations"
},
{
"description": "Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.",
"event_ids": [
"4768"
],
"id": "c6c2c3e3-44ee-516c-9e48-63b304511787",
"level": "medium",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "Disabled Users Failing To Authenticate From Source Using Kerberos"
},
{
"description": "Detects remote execution via scheduled task creation or update on the destination host",
"event_ids": [
"4698",
"4624",
"4702"
],
"id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc",
"level": "medium",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Remote Schtasks Creation"
},
{
"description": "Detects failed logins with multiple accounts from a single process on the system.",
"event_ids": [
"4625"
],
"id": "84202b5b-54c1-473b-4568-e10da23b3eb8",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Multiple Users Failing to Authenticate from Single Process"
},
{
"description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code",
"event_ids": [
"4698"
],
"id": "89ed0fbe-11b8-ce3c-e025-59925225ee99",
"level": "low",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Rare Schtasks Creations"
},
{
"description": "Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.",
"event_ids": [
"4768"
],
"id": "74eaa0ee-05a7-86a5-a7a8-076952aa764d",
"level": "medium",
"subcategory_guids": [
"0CCE9242-69AE-11D9-BED3-505054503030"
],
"title": "Invalid Users Failing To Authenticate From Source Using Kerberos"
},
{
"description": "Detects enumeration of the global catalog, as performed by BloodHound and other AD reconnaissance tools. Adjust the threshold according to the size of the domain.",
"event_ids": [
"5156"
],
"id": "ffaf246b-f54a-05ba-d9b0-fba6626c7822",
"level": "medium",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Enumeration via the Global Catalog"
},
{
"description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services",
"event_ids": [
"7045"
],
"id": "e9acc9e9-8b91-7859-2d0c-446a2c40b937",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Rare Service Installations"
},
{
"description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.",
"event_ids": [
"7045"
],
"id": "a5f841a8-5dcb-5ee4-73ea-5331859bf763",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Malicious Service Installations"
},
{
"description": "Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.",
"event_ids": [
"4776"
],
"id": "bbd02091-a432-94b3-8041-9f776b681fc2",
"level": "medium",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Invalid Users Failing To Authenticate From Single Source Using NTLM"
},
{
"description": "Detects access to decoy files that appear to contain stored credentials. A SACL must be set on the decoy files so that event 4663 is generated.",
"event_ids": [
"4663"
],
"id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be",
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Stored Credentials in Fake Files"
},
{
"description": "Detects a source system failing to authenticate against a remote host with multiple users.",
"event_ids": [
"4625"
],
"id": "30e70d43-6368-123c-a3c8-d23309a3ff97",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Multiple Users Remotely Failing To Authenticate From Single Source"
},
{
"description": "Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.",
"event_ids": [
"4776"
],
"id": "ddbbe639-21f9-7b39-ae7d-821e490d6130",
"level": "medium",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Valid Users Failing to Authenticate from Single Source Using NTLM"
},
{
"description": "Detects suspicious failed logins with different user accounts from a single source system",
"event_ids": [
"529",
"4625"
],
"id": "428d3964-3241-1ceb-8f93-b31d8490c822",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logins with Different Accounts from Single Source System"
},
{
"description": "Detects multiple file rename or delete events within a specified period of time by the same user; this pattern may indicate ransomware activity.",
"event_ids": [
"4663"
],
"id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995",
"level": "medium",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Multiple File Rename Or Delete Occurred"
},
{
"description": "Detects suspicious failed logins with different user accounts from a single source system",
"event_ids": [
"4776"
],
"id": "203aaec0-5613-4fdc-42b3-a021d6f853dc",
"level": "medium",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Failed NTLM Logins with Different Accounts from Single Source System"
},
{
"description": "Detects a single user failing to authenticate to multiple users using explicit credentials.",
"event_ids": [
"4648"
],
"id": "27124590-ab3f-79b8-7dfa-b82820dbb1cc",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Password Spraying via Explicit Credentials"
},
{
"description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine",
"event_ids": [
"1001"
],
"id": "ea429061-e3b4-fabd-8bd6-cb98772aeeba",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Microsoft Malware Protection Engine Crash - WER"
},
{
"description": "Detects plugged/unplugged USB devices",
"event_ids": [
"2100",
"2102",
"2003"
],
"id": "12717514-9380-dabc-12b9-113f524ec3ac",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "USB Device Plugged"
},
{
"description": "Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. AppLocker must be configured and its event log collected for these events to be available.",
"event_ids": [
"8022",
"8025",
"8004",
"8007"
],
"id": "da0e47f5-493f-9da4-b041-8eb762761118",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "File Was Not Allowed To Run"
},
{
"description": "Detects an appx package added to the pipeline of \"to be processed\" packages which is located in an uncommon location",
"event_ids": [
"854"
],
"id": "a3dbb89a-aebc-03c7-295b-ad18d5c7924b",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Uncommon AppX Package Locations"
},
{
"description": "Detects an appx package added to the pipeline of the \"to be processed\" packages which was downloaded from a suspicious domain.\n",
"event_ids": [
"854"
],
"id": "7de9c1d0-7b8e-8196-8137-8dcc13c6e960",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious Remote AppX Package Locations"
},
{
"description": "Detects potential installation or installation attempts of known malicious appx packages",
"event_ids": [
"400",
"401"
],
"id": "8f46b318-b8a3-d268-911f-318d0b43c0f9",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Potential Malicious AppX Package Installation Attempts"
},
{
"description": "Detects an appx package added to the pipeline of \"to be processed\" packages which is located in a suspicious location",
"event_ids": [
"854"
],
"id": "5bb0ef8b-3b9d-8a3c-30c2-0a787e54184a",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious AppX Package Locations"
},
{
"description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious",
"event_ids": [
"401"
],
"id": "5cfde458-a9e1-f4b7-92cd-959ead47bdd3",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Suspicious AppX Package Installation Attempt"
},
{
"description": "Detects an appx package deployment that was blocked by the local computer policy",
"event_ids": [
"453",
"441",
"442",
"454"
],
"id": "c01e61dd-7cb7-acd0-c6e5-bda4c93b330c",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Deployment Of The AppX Package Was Blocked By The Policy"
},
{
"description": "Detects an appx package deployment that was blocked by AppLocker policy",
"event_ids": [
"412"
],
"id": "a902397c-6118-0a8f-7fab-3f8142297d80",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Deployment AppX Package Was Blocked By AppLocker"
},
{
"description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit",
"event_ids": [],
"id": "47e67dfc-354a-0989-f6b1-f3f888a31278",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Remove Exported Mailbox from Exchange Webserver"
},
{
"description": "Detects a failed installation of an Exchange Transport Agent",
"event_ids": [
"6"
],
"id": "29ec9279-2899-b0a0-0b41-6bf40cdda885",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Failed MSExchange Transport Agent Installation"
},
{
"description": "Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory",
"event_ids": [],
"id": "469804e4-bb11-7cb1-96ce-f7687daa98a0",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "ProxyLogon MSExchange OabVirtualDirectory"
},
{
"description": "Detects the installation of an Exchange Transport Agent",
"event_ids": [],
"id": "31aa27f1-7ac6-a316-2786-b13400c130f5",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "MSExchange Transport Agent Installation - Builtin"
},
{
"description": "Detects a write of an Exchange certificate signing request (CSR) to an atypical directory or with an .aspx name suffix, which can be used to place a webshell",
"event_ids": [],
"id": "9c8f1614-f386-ea28-e870-75e3daf99adc",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Certificate Request Export to Exchange Webserver"
},
{
"description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log",
"event_ids": [],
"id": "30eb1897-ab7e-5cc9-6f83-cd5abd8ee0dc",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Exchange Set OabVirtualDirectory ExternalUrl Property"
},
{
"description": "Detects a successful export of an Exchange mailbox to an atypical directory or with an .aspx name suffix, which can be used to place a webshell, or the role assignment needed to perform such an export",
"event_ids": [],
"id": "684f5f59-5de0-7d7a-e983-1e2758d383d6",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Mailbox Export to Exchange Webserver"
},
{
"description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities\n",
"event_ids": [
"141"
],
"id": "0c0e2be2-30d2-c713-0c9c-63cd9752a940",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Important Scheduled Task Deleted"
},
{
"description": "Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task",
"event_ids": [
"129"
],
"id": "d5a3d13e-7db3-bcf5-824a-789488ab40fd",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Scheduled Task Executed Uncommon LOLBIN"
},
{
"description": "Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or is an unusual program to be run from a Scheduled Task",
"event_ids": [
"129"
],
"id": "c1fd9ca2-a3f8-1adc-0f1d-1d6099f5d827",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Scheduled Task Executed From A Suspicious Location"
},
{
"description": "Detects when an application acquires a certificate private key",
"event_ids": [
"70"
],
"id": "dadaca47-d760-88a9-fd35-cbe8a6237499",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Certificate Private Key Acquired"
},
{
"description": "Detects logons by standard users who are members of highly privileged groups such as the Administrators group",
"event_ids": [
"300"
],
"id": "7536b3d3-6765-4433-9269-2d460cb10adf",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Standard User In High Privileged Group"
},
{
"description": "Detects the installation of a remote MSI file from the web.",
"event_ids": [
"1040",
"1042"
],
"id": "1af7877b-8512-f49c-c11e-a048888c68fa",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "MSI Installation From Web"
},
{
"description": "Detects MSI package installation from suspicious locations",
"event_ids": [
"1040",
"1042"
],
"id": "96acd930-342e-66ca-9855-1285ba8a40ed",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "MSI Installation From Suspicious Locations"
},
{
"description": "Detects the successful installation of the Atera Remote Monitoring & Management (RMM) agent, which was recently found to be used by Conti operators",
"event_ids": [
"1033"
],
"id": "655bf214-78ac-5d4f-27ac-4e0ede9b68a5",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Atera Agent Installation"
},
{
"description": "An application has been removed. Check if it is critical.",
"event_ids": [
"1034",
"11724"
],
"id": "33c276a1-2475-2f1f-aa3d-ec5d61dbe94c",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Application Uninstalled"
},
{
"description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy",
"event_ids": [
"865",
"868",
"866",
"882",
"867"
],
"id": "2ebb1619-89c0-1a11-2b58-53ef8c2cb863",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Restricted Software Access By SRP"
},
{
"description": "Detects events generated by user-mode applications when they call the CveEventWrite API because an attempt is being made to exploit a known vulnerability.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability).\nUnfortunately, that is about the only instance of CVEs being written to this log.\n",
"event_ids": [
"1"
],
"id": "f1c99d55-8f38-1ae5-19b6-71d4124f4c46",
"level": "critical",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Audit CVE Event"
},
{
"description": "Detects a Windows Error Reporting event where the process that crashed is lsass. This could be the result of an intentional crash caused by techniques such as Lsass-Shtinkering to dump credentials",
"event_ids": [
"1000"
],
"id": "fcc29ed2-c7fa-1b44-6db4-de352c7cf1b8",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Potential Credential Dumping Via WER - Application"
},
{
"description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine",
"event_ids": [
"1000"
],
"id": "24cdd840-5da1-6c12-5b58-4da49cc4b11a",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Microsoft Malware Protection Engine Crash"
},
{
"description": "Detects command execution via ScreenConnect RMM",
"event_ids": [
"200"
],
"id": "8df2af03-bf29-1ee2-5e6e-476326c561d7",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Remote Access Tool - ScreenConnect Command Execution"
},
{
"description": "Detects files being transferred via ScreenConnect RMM",
"event_ids": [
"201"
],
"id": "98bb59e9-ce78-f18f-8355-8a6750afb314",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Remote Access Tool - ScreenConnect File Transfer"
},
{
"description": "Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.\n",
"event_ids": [],
"id": "b0f698cd-af36-2a37-ce9f-2ab614a8b808",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Relevant Anti-Virus Signature Keywords In Application Log"
},
{
"description": "Detects backup catalog deletions",
"event_ids": [
"524"
],
"id": "9abb29b7-6fca-9563-2f87-11926d64e17d",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Backup Catalog Deleted"
},
{
"description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location",
"event_ids": [
"325"
],
"id": "a050e701-373d-fc52-c345-8fbf933e1b82",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Dump Ntds.dit To Suspicious Location"
},
{
"description": "Detects potential abuse of ntdsutil to dump ntds.dit database",
"event_ids": [
"216",
"326",
"327",
"325"
],
"id": "b8d0d560-906d-670f-cd10-32ed9179f21a",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Ntdsutil Abuse"
},
{
"description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands",
"event_ids": [
"33205"
],
"id": "bc1445fe-1749-b913-f147-64575e1d9ac1",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "MSSQL XPCmdshell Suspicious Execution"
},
{
"description": "Detects when a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started",
"event_ids": [
"33205"
],
"id": "824a7eb7-81e3-6b27-2ede-6fd2d58348b4",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "MSSQL SPProcoption Set"
},
{
"description": "Detects failed logon attempts from clients to MSSQL server.",
"event_ids": [
"18456"
],
"id": "03e217c6-de25-3afa-3833-6c534a6576f0",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "MSSQL Server Failed Logon"
},
{
"description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role",
"event_ids": [
"33205"
],
"id": "d17d99ad-18e9-67e1-6163-054f210fee16",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "MSSQL Add Account To Sysadmin Role"
},
{
"description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed.\n",
"event_ids": [
"15457"
],
"id": "11635209-eef1-b93a-98bf-33b80e5065a1",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "MSSQL XPCmdshell Option Change"
},
{
"description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server",
"event_ids": [
"33205"
],
"id": "e485c12e-8840-1b24-61f7-697e480d63b1",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "MSSQL Disable Audit Settings"
},
{
"description": "Detects failed logon attempts from clients with an external network IP to an MSSQL server. This can be a sign of a brute-force attack.",
"event_ids": [
"18456"
],
"id": "2aec0e1c-e7f6-3837-d7f2-ee1c5cac7032",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "MSSQL Server Failed Logon From External Network"
},
{
"description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.",
"event_ids": [
"3077"
],
"id": "a4736e84-f507-2e6b-bc7a-573328447cbf",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CodeIntegrity - Blocked Image/Driver Load For Policy Violation"
},
{
"description": "Detects block events for files that are disallowed by code integrity for protected processes",
"event_ids": [
"3104"
],
"id": "c2644e00-b2a8-1e98-7dfc-bbef3a929767",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked"
},
{
"description": "Detects an unsigned image loaded on the system",
"event_ids": [
"3037"
],
"id": "d6ea0e4a-9918-a082-1c5d-bd5d2a4f0b76",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CodeIntegrity - Unsigned Image Loaded"
},
{
"description": "Detects image load events for images with revoked certificates, as reported by code integrity.",
"event_ids": [
"3035",
"3032"
],
"id": "4d4c3fb7-504c-7089-2bb3-26781191b7eb",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CodeIntegrity - Revoked Image Loaded"
},
{
"description": "Detects the presence of a loaded unsigned kernel module on the system.",
"event_ids": [
"3001"
],
"id": "23f17a2b-73ca-e465-e823-bb1d47543f6d",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CodeIntegrity - Unsigned Kernel Module Loaded"
},
{
"description": "Detects loaded kernel modules that did not meet the WHQL signing requirements.",
"event_ids": [
"3083",
"3082"
],
"id": "b1f60092-6ced-8775-b5dd-ac15a042e292",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module"
},
{
"description": "Detects blocked image load events for images with revoked certificates, as reported by code integrity.",
"event_ids": [
"3036"
],
"id": "6f9f7b5c-f44b-fe0a-bcb2-ff4a09bd4ccf",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CodeIntegrity - Blocked Image Load With Revoked Certificate"
},
{
"description": "Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.\nThis event is best correlated with EID 3089 to determine the error of the validation.\n",
"event_ids": [
"3034",
"3033"
],
"id": "f45ca591-7575-818e-9a07-7493461a33c3",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CodeIntegrity - Unmet Signing Level Requirements By File Under Validation"
},
{
"description": "Detects the load of a revoked kernel driver",
"event_ids": [
"3021",
"3022"
],
"id": "4764bb53-3383-ae11-5351-b67f0001d2a5",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CodeIntegrity - Revoked Kernel Driver Loaded"
},
{
"description": "Detects blocked load attempts of revoked drivers",
"event_ids": [
"3023"
],
"id": "3838c754-9c4c-f500-6c7d-4c73b29717a9",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "CodeIntegrity - Blocked Driver Load With Revoked Certificate"
},
{
"description": "Detects a DNS server error in which a specified plugin DLL (configured in the registry) could not be loaded",
"event_ids": [
"771",
"150",
"770"
],
"id": "40077f9e-f597-1087-0c4f-8901d1a07af4",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "DNS Server Error Failed Loading the ServerLevelPluginDLL"
},
{
"description": "Detects when a DNS zone transfer failed.",
"event_ids": [
"6004"
],
"id": "04768e11-3acf-895f-9193-daae77c4678f",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Failed DNS Zone Transfer"
},
{
"description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.",
"event_ids": [
"40300",
"40301",
"40302"
],
"id": "871bc844-4977-a864-457b-46cfba6ddb65",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "HybridConnectionManager Service Running"
},
{
"description": "Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.",
"event_ids": [
"1007"
],
"id": "aec05047-d4cd-8eed-6c67-40b018f64c6e",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Certificate Exported From Local Certificate Store"
},
{
"description": "Detects access to the LSASS process",
"event_ids": [
"1121"
],
"id": "db45bac6-e4cf-df15-bb73-abdc2bb5b466",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "LSASS Access Detected via Attack Surface Reduction"
},
{
"description": "Detects when applications or folders are added to or removed from the Exploit Guard \"ProtectedFolders\" or \"AllowedApplications\" lists\n",
"event_ids": [
"5007"
],
"id": "2b57cd91-079d-5f13-07f4-82d7435acd38",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Exploit Guard Tamper"
},
{
"description": "Detects disabling of the \"Automatic Sample Submission\" feature of Windows Defender.",
"event_ids": [
"5007"
],
"id": "f8be1673-da49-5b78-517b-16094864fab7",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Submit Sample Feature Disabled"
},
{
"description": "Detects the setting of Windows Defender exclusions",
"event_ids": [
"5007"
],
"id": "13020ca6-8f32-26e1-25d6-1f727e58de89",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Exclusions Added"
},
{
"description": "Detects suspicious changes to the Windows Defender configuration",
"event_ids": [
"5007"
],
"id": "36d5c11e-504a-a3a6-2704-4d6f5f35be41",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Configuration Changes"
},
{
"description": "Detects triggering of AMSI by Windows Defender.",
"event_ids": [
"1116"
],
"id": "4947e388-9eb4-8e77-4de7-17accc04246e",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender AMSI Trigger Detected"
},
{
"description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"",
"event_ids": [
"5013"
],
"id": "f0a75367-1237-98a3-79c3-c4e7e4f5bacc",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Microsoft Defender Tamper Protection Trigger"
},
{
"description": "Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.\n",
"event_ids": [
"5101"
],
"id": "5a62f5a9-71eb-a0e2-496d-e062350225df",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Grace Period Expired"
},
{
"description": "Detects issues with Windows Defender Real-Time Protection features",
"event_ids": [
"3007",
"3002"
],
"id": "73176728-033d-ef77-a174-554a0bf61f94",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Real-Time Protection Failure/Restart"
},
{
"description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain much information on who initiated the action, you might want to reduce it to a \"medium\" level if it occurs too often in your environment\n",
"event_ids": [
"5001"
],
"id": "e6c2628d-e4dc-0b32-e087-1c205385af72",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Real-time Protection Disabled"
},
{
"description": "Detects the restoration of files from the defender quarantine",
"event_ids": [
"1009"
],
"id": "77f49adb-372a-8c7c-0bee-7e361b09b30e",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Win Defender Restored Quarantine File"
},
{
"description": "Detects actions taken by Windows Defender malware detection engines",
"event_ids": [
"1006",
"1117",
"1015",
"1116"
],
"id": "c70d7033-8146-fe73-8430-90b23c296f9d",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Threat Detected"
},
{
"description": "Detects blocking of process creations originating from PSExec and WMI commands",
"event_ids": [
"1121"
],
"id": "c73d596d-c719-ab68-1753-6aa80ff340d7",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "PSExec and WMI Process Creations Block"
},
{
"description": "Detects disabling of the Windows Defender virus scanning feature",
"event_ids": [
"5012"
],
"id": "a325b024-9641-6ee4-56c1-20eb9fc4324a",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Virus Scanning Feature Disabled"
},
{
"description": "Detects the Windows Defender event logged when the history of detected infections is deleted.",
"event_ids": [
"1013"
],
"id": "e9310b5d-113f-86dc-a3e0-3ed5cefa6088",
"level": "informational",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Malware Detection History Deletion"
},
{
"description": "Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software",
"event_ids": [
"5010"
],
"id": "ac622fde-5d5a-e064-bfd2-55cbb5f1eacb",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Windows Defender Malware And PUA Scanning Disabled"
},
{
"description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location",
"event_ids": [
"16403"
],
"id": "26844668-ef48-7a97-5687-9533e59288b7",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "BITS Transfer Job Download To Potential Suspicious Folder"
},
{
"description": "Detects the creation of a new bits job by PowerShell",
"event_ids": [
"3"
],
"id": "23d76ee6-e5fc-fb90-961a-4b412b97cc94",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "New BITS Job Created Via PowerShell"
},
{
"description": "Detects new BITS transfer job saving local files with potential suspicious extensions",
"event_ids": [
"16403"
],
"id": "b37c7d8f-22b8-a92d-1d1c-593de0fa759e",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "BITS Transfer Job Downloading File Potential Suspicious Extension"
},
{
"description": "Detects BITS transfer job downloading files from a file sharing domain.",
"event_ids": [
"16403"
],
"id": "4f9e9e60-c580-dd4e-4f06-42a016217d0e",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "BITS Transfer Job Download From File Sharing Domains"
},
{
"description": "Detects the creation of a new bits job by Bitsadmin",
"event_ids": [
"3"
],
"id": "f72c1543-44f6-f836-c0da-9bab33600dac",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "New BITS Job Created Via Bitsadmin"
},
{
"description": "Detects a BITS transfer job downloading file(s) from a direct IP address.",
"event_ids": [
"16403"
],
"id": "5e8a986a-7579-0482-f86e-ad63f6341cd1",
"level": "high",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "BITS Transfer Job Download From Direct IP"
},
{
"description": "Detects a suspicious download using the BITS client from an unusual FQDN. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.",
"event_ids": [
"16403"
],
"id": "8a389ad3-d0c7-ef8c-1fb3-5bb7e31bcf7f",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD"
},
{
"description": "Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as PsExec and ProcDump while avoiding detection based on system paths",
"event_ids": [
"201"
],
"id": "a3ffcde3-a83d-3d16-0b83-72f4758207cd",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Sysinternals Tools AppX Versions Execution"
},
{
"description": "Detects common NTLM brute force device names",
"event_ids": [
"8004"
],
"id": "b7a0fd59-bab8-fec2-28ad-548b2635d87f",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "NTLM Brute Force"
},
{
"description": "Detects logons using NTLM to hosts that are potentially not part of the domain.",
"event_ids": [
"8001"
],
"id": "b416a5b9-a282-2826-bc58-8b8481d865f6",
"level": "medium",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "Potential Remote Desktop Connection to Non-Domain Host"
},
{
"description": "Detects logons using NTLM, which could originate from a legacy source or from attackers",
"event_ids": [
"8002"
],
"id": "c043d322-c767-faa8-92d4-381dcc35cab3",
"level": "low",
"subcategory_guids": [
"00000000-0000-0000-0000-000000000000"
],
"title": "NTLM Logon"
}
]