Register new Logon Process by Rubeus
Detects potential use of Rubeus via registered new trusted logon process
Sigma rule (View on GitHub)
1title: Register new Logon Process by Rubeus
2id: 12e6d621-194f-4f59-90cc-1959e21e69f7
3status: test
4description: Detects potential use of Rubeus via registered new trusted logon process
5references:
6 - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
7author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
8date: 2019/10/24
9modified: 2022/10/09
10tags:
11 - attack.lateral_movement
12 - attack.privilege_escalation
13 - attack.t1558.003
14logsource:
15 product: windows
16 service: security
17detection:
18 selection:
19 EventID: 4611
20 LogonProcessName: 'User32LogonProcesss'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
-
During DerbyCon 2018 this past October, my teammates @tifkin_, @enigma0x3 and @harmj0y gave an awesome presentation titled “The Unintended…
Read More
Related rules
- Addition of SID History to Active Directory Object
- SMB Spoolss Name Piped Usage
- Abuse of the Windows Server Update Services (WSUS) for lateral movement.
- Linux Doas Tool Execution
- KrbRelayUp local privilege escalation.