Description
This is a collection of Elastic SIEM detection rules for Windows in Elastic Security, based on the Sigma project.
The built-in detection rules rely on the Windows events that Windows creates by default. Every rule checks for a specific misbehaviour in these Windows event logs.
The Windows event logs can be collected with Winlogbeat or the Elastic Agent.
Elastic SIEM detection rules
AD Privileged Users or Groups Reconnaissance
Detects privileged user or group reconnaissance based on event ID 4661 and the SIDs of known privileged users or groups
Admin User Remote Logon
Detects a remote logon by the Administrator user, based on an internal pattern
Active Directory Replication from Non Machine Account
Detects potential abuse of the Active Directory Replication Service (ADRS) from a non-machine account to request credentials.
AD User Enumeration
Detects access to a domain user from a non-machine account
Enabled User Right in AD to Control User Objects
Detects a user being assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects.
Active Directory User Backdoors
Detects scenarios where one can control another user's or computer's account without having to use its credentials.
LSASS Access Detected via Attack Surface Reduction
Detects access to the LSASS process
Mimikatz Use
This method detects Mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions, which are however still used by different threat groups)
Hacktool Ruler
Detects events that are generated when using the hacktool Ruler by SensePost
Turla Service Install
This method detects a service install of malicious services mentioned in the Carbon Paper – Turla report by ESET
StoneDrill Service Install
This method detects a service install of the malicious "Microsoft Network Realtime Inspection Service" service described in the StoneDrill report by Kaspersky
Turla PNG Dropper Service
This method detects malicious services mentioned in the Turla PNG Dropper report by NCC Group from November 2018
Remote Task Creation via ATSVC Named Pipe
Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe
Audit CVE Event
Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
Relevant Anti-Virus Event
This detection method points out highly relevant antivirus events
Mimikatz DC Sync
Detects Mimikatz DCSync security events
DPAPI Domain Backup Key Extraction
Detects tools extracting the LSA secret DPAPI domain backup key from Domain Controllers
DPAPI Domain Master Key Backup Attempt
Detects anyone attempting a backup of the DPAPI Master Key. This event is generated at the source and not on the Domain Controller.
External Disk Drive or USB Storage Device
Detects external disk drives or plugged-in USB devices
smbexec.py Service Installation
Detects the use of the smbexec.py tool by its specific service installation
Possible Impacket SecretDump Remote Activity
Detects AD credential dumping using the Impacket secretdump hacktool (HKTL)
LSASS Access from Non System Account
Detects potential Mimikatz-like tools accessing LSASS from a non-system account
WCE wceaux.dll Access
Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host
NTFS Vulnerability Exploitation
Detects the exploitation of an NTFS vulnerability, as reported without many details via Twitter
Pass the Hash Activity
Detects the pass-the-hash attack technique, which is used to move laterally inside the network
Pass the Hash Activity 2
Detects the pass-the-hash attack technique, which is used to move laterally inside the network
Possible DC Shadow
Detects DCShadow via creation of a new SPN
QuarksPwDump Clearing Access History
Detects QuarksPwDump clearing the access history in the hive
Scanner PoC for CVE-2019-0708 RDP RCE Vuln
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 (RDP RCE, aka BlueKeep)
RDP Login from Localhost
An RDP login with a localhost source address may be a tunnelled login
RDP over Reverse SSH Tunnel WFP
Detects svchost hosting the RDP termsvcs service communicating with the loopback address
Register new Logon Process by Rubeus
Detects potential use of Rubeus via registration of a new trusted logon process
Remote PowerShell Sessions
Detects basic PowerShell Remoting by monitoring for inbound network connections to ports 5985 or 5986
Remote Registry Management Using Reg Utility
Detects remote registry management using the REG utility from a non-admin workstation
SAM Registry Hive Handle Request
Detects handle requests to the SAM registry hive
SCM Database Handle Failure
Detects non-system users failing to get a handle to the SCM database.
SCM Database Privileged Operation
Detects non-system users performing privileged operations on the SCM database
Set OabVirtualDirectory ExternalUrl Property
Detects an adversary setting the OabVirtualDirectory ExternalUrl property to a script
Suspicious Outbound Kerberos Connection
Detects suspicious outbound network activity via the Kerberos default port, indicating possible lateral movement or first-stage PrivEsc via delegation.
Addition of Domain Trusts
Addition of domain trusts is rare and should be verified for legitimacy.
Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
Backup Catalog Deleted
Detects backup catalog deletions
Failed Code Integrity Checks
Code integrity failures may indicate tampered executables.
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server loading a Callout DLL specified in the registry
DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a Callout DLL specified in the registry could not be loaded
DNS Server Error Failed Loading the ServerLevelPluginDLL
This rule detects a DNS server error in which a plugin DLL specified in the registry could not be loaded
Password Change on Directory Service Restore Mode (DSRM) Account
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
Account Tampering – Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Failed Logon From Public IP
A login from a public IP can indicate a misconfigured firewall or network boundary.
Interactive Logon to Server Systems
Detects interactive console logons to Server Systems
Kerberos Manipulation
This method triggers on rare Kerberos failure codes caused by manipulation of Kerberos messages
Generic Password Dumper Activity on LSASS
Detects a process handle on the LSASS process with a certain access mask
MSHTA Suspicious Execution 01
Detects suspicious mshta.exe execution patterns, sometimes involving file polyglotism
Microsoft Malware Protection Engine Crash
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.
Suspicious Access to Sensitive File Extensions
Detects known sensitive file extensions accessed on a network share
Suspicious Kerberos RC4 Ticket Encryption
Detects service ticket requests using RC4 encryption type
RottenPotato Like Attack Pattern
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
SAM Dump to AppData
Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers
Secure Deletion with SDelete
Detects renaming of a file during deletion with the SDelete tool
Unauthorized System Time Modification
Detects scenarios where a potentially unauthorized application or user is modifying the system time.
Login with WMI
Detects logins performed with WMI
Remote Service Activity via SVCCTL Named Pipe
Detects remote service activity via remote access to the svcctl named pipe
SysKey Registry Keys Access
Detects handle requests and access operations to specific registry keys to calculate the SysKey
Transferring Files with Credential Data via Network Shares
Detects the transfer of files with well-known filenames (sensitive files with credential data) via network shares
USB Device Plugged
Detects plugged USB devices
CVE-2020-0688 Exploitation via Eventlog
Detects the exploitation of the Microsoft Exchange vulnerability described in CVE-2020-0688
Source
These rules are made by the Sigma project. This is a collection of rules covering several different attack tactics. The rules are created by the Sigma community and translated into the format of the Elastic Security detection engine.
The translation was made with SIEGMA.
Tested versions: 7.12
ECS compliant