Read More

Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions

Read More

Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.

Read More

Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.

Read More

Detects the mount of an ISO image on an endpoint

Read More

Detects read access to a domain user from a non-machine account

Read More

Detects a service installed by a client which has PID 0 or whose parent has PID 0

Read More

Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool

Read More

Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.

Read More

Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Read More

Detects possible addition of shadow credentials to an active directory object.

Read More

Detects non-system users failing to get a handle of the SCM database.

Read More

Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Read More

The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.

Read More

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Read More

Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.

Read More

Detects an installation of a device that is forbidden by the system policy

Read More

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

Read More

Detects potential mimikatz-like tools accessing LSASS from non system account

Read More

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Read More

Detects Mimikatz DC sync security events

Read More

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Read More

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Read More

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Read More

Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.

Read More

Detects DCShadow via create new SPN

Read More

Detect AD credential dumping using impacket secretdump HKTL

Read More

Detect PetitPotam coerced authentication activity.

Read More

Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer

Read More

Detects svchost hosting RDP termsvcs communicating with the loopback address

Read More

Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client

Read More

Detects service ticket requests using RC4 encryption type

Read More

Detects suspicious processes logging on with explicit credentials

Read More

Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.

Read More

Detects update to a scheduled task event that contain suspicious keywords.

Read More

Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.

Read More

Detects a user log-off activity. Could be used for example to correlate information during forensic investigations

Read More

Detects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.

Read More

Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.

Read More

Detects process handle on LSASS process with certain access mask

Read More

Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.

Read More

Detects well-known credential dumping tools execution via service execution events

Read More

Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

Read More

Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.

Read More

Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.

Read More

Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).

Read More

Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.

Read More

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Read More

Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later

Read More

Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.

Read More

Detects when the password policy is enumerated.

Read More

Detects the creation of a local hidden user account which should not happen for event ID 4720.

Read More

Detects Windows Pcap driver installation based on a list of associated .sys files.

Read More

Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

Read More

This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes

Read More

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

Read More

Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

Read More

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Read More

This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity

Read More

Detects WRITE_DAC access to a domain object

Read More

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Read More

Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers

Read More

Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers

Read More

Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986

Read More

Detects handles requested to SAM registry hive

Read More

Detects non-system users performing privileged operation os the SCM database

Read More

Detects handle requests and access operations to specific registry keys to calculate the SysKey

Read More

Detects access to $ADMIN share

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

This events that are generated when using the hacktool Ruler by Sensepost

Read More

This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages

Read More

Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

Read More

Detects NetNTLM downgrade attack

Read More

Detects activity as "net user administrator /domain" and "net group domain admins /domain"

Read More

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Read More

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Read More

Detects known sensitive file extensions accessed on a network share

Read More

Detects certificate creation with template allowing risk permission subject

Read More

Detects certificate creation with template allowing risk permission subject and risky EKU

Read More

Checks for event id 1102 which indicates the security event log was cleared.

Read More

Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.

Read More

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More

Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.

Read More

Detects powershell script installed as a Service

Read More

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

Read More

Detects possible bypass EDR and SIEM via abnormal user account name.

Read More

Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.

Read More

This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.

Read More

Rule to detect the Hybrid Connection Manager service installation.

Read More

Detects execution of Impacket's psexec.py.

Read More

Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale

Read More

Potential adversaries accessing the microphone and webcam in an endpoint.

Read More

Detects remote service activity via remote access to the svcctl named pipe

Read More

Detects remote task creation via at.exe or API interacting with ATSVC namedpipe

Read More

Detects renaming of file while deletion with SDelete tool.

Read More

Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.

Read More

detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one

Read More

Potential threat actor tampering with Sysmon manifest and eventually disabling it

Read More

Detect scenarios where a potentially unauthorized application or user is modifying the system time.

Read More

Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host

Read More

Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.

Read More

Addition of domains is seldom and should be verified for legitimacy.

Read More

An attacker can use the SID history attribute to gain additional privileges.

Read More

This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

Read More

This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.

Read More

Alerts on Metasploit host's authentications on the domain.

Read More

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

Read More

Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN

Read More

Detects potential use of Rubeus via registered new trusted logon process

Read More

Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.

Read More