Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API, which is invoked when exploitation of a known vulnerability is attempted. Microsoft started using this log in January 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
Suspicious NTLM Authentication on the Printer Spooler Service
Mar 2, 2023 · attack.privilege_escalation attack.credential_access attack.t1212
Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service.
Guacamole Two Users Sharing Session Anomaly
Feb 1, 2023 · attack.credential_access attack.t1212
Detects a suspicious session with two users present.
Kerberos Manipulation
Feb 1, 2023 · attack.credential_access attack.t1212
This rule triggers on rare Kerberos failure codes caused by manipulation of Kerberos messages.