Elastic security
This is a collection of Elastic SIEM detection rules for Elastic Security on Windows, based on the Sigma project.

The built-in detection rules are based on the Windows events that Windows creates by default. Every rule checks these Windows event logs for a specific misbehaviour.

The Windows event logs can be collected with Winlogbeat or the Elastic Agent.

Elastic SIEM detection rules

AD Privileged Users or Groups Reconnaissance
Detects privileged user or group reconnaissance based on event ID 4661 and the SIDs of known privileged users or groups

Admin User Remote Logon
Detects remote logon by the Administrator user, based on an internal naming pattern

Active Directory Replication from Non Machine Account
Detects potential abuse of the Active Directory Replication Service (ADRS) from a non-machine account to request credentials.

AD User Enumeration
Detects access to a domain user from a non-machine account

Enabled User Right in AD to Control User Objects
Detects the scenario where a user is assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects.

Active Directory User Backdoors
Detects scenarios where one can control another user's or computer's account without having to use their credentials.

LSASS Access Detected via Attack Surface Reduction
Detects access to the LSASS process

Mimikatz Use
This method detects Mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions, which are however still used by different threat groups)

Hacktool Ruler
Detects the events that are generated when using the hacktool Ruler by SensePost

Turla Service Install
This method detects a service install of the malicious services mentioned in the Carbon Paper – Turla report by ESET

StoneDrill Service Install
This method detects a service install of the malicious "Microsoft Network Realtime Inspection Service" described in the StoneDrill report by Kaspersky

Turla PNG Dropper Service
This method detects the malicious services mentioned in the Turla PNG dropper report by NCC Group from November 2018

Remote Task Creation via ATSVC Named Pipe
Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe

Audit CVE Event
Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)

Relevant Anti-Virus Event
This detection method points out highly relevant antivirus events

Mimikatz DC Sync
Detects Mimikatz DCSync security events

DPAPI Domain Backup Key Extraction
Detects tools extracting the LSA secret DPAPI domain backup key from Domain Controllers

DPAPI Domain Master Key Backup Attempt
Detects anyone attempting a backup of the DPAPI Master Key. This event is generated at the source host and not on the Domain Controller.

External Disk Drive or USB Storage Device
Detects external disk drives or plugged-in USB devices

smbexec.py Service Installation
Detects the use of the smbexec.py tool by detecting a specific service installation

Possible Impacket SecretDump Remote Activity
Detects AD credential dumping using the Impacket secretdump hacktool

LSASS Access from Non System Account
Detects potential Mimikatz-like tools accessing LSASS from a non-system account

WCE wceaux.dll Access
Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host

NTFS Vulnerability Exploitation
Detects the exploitation of an NTFS vulnerability, as reported without many details via Twitter

Pass the Hash Activity
Detects the pass-the-hash attack technique, which is used to move laterally inside the network

Pass the Hash Activity 2
Detects the pass-the-hash attack technique, which is used to move laterally inside the network

Possible DC Shadow
Detects DCShadow via the creation of a new SPN

QuarksPwDump Clearing Access History
Detects QuarksPwDump clearing the access history in the hive

Scanner PoC for CVE-2019-0708 RDP RCE Vuln
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

RDP Login from Localhost
An RDP logon with a localhost source address may be a tunnelled logon

RDP over Reverse SSH Tunnel WFP
Detects svchost hosting the RDP termsvcs service communicating with the loopback address

Register new Logon Process by Rubeus
Detects potential use of Rubeus via a newly registered trusted logon process

Remote PowerShell Sessions
Detects basic PowerShell Remoting by monitoring for inbound network connections to ports 5985 or 5986

Remote Registry Management Using Reg Utility
Detects remote registry management using the REG utility from a non-admin workstation

SAM Registry Hive Handle Request
Detects handles requested to the SAM registry hive

SCM Database Handle Failure
Detects non-system users failing to get a handle to the SCM database.

SCM Database Privileged Operation
Detects non-system users performing privileged operations on the SCM database

Set OabVirtualDirectory ExternalUrl Property
Detects an adversary setting the OabVirtualDirectory ExternalUrl property to a script

Suspicious Outbound Kerberos Connection
Detects suspicious outbound network activity via the Kerberos default port, indicating possible lateral movement or first-stage privilege escalation via delegation.

Addition of Domain Trusts
The addition of domains is rare and should be verified for legitimacy.

Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.

Backup Catalog Deleted
Detects backup catalog deletions

Failed Code Integrity Checks
Code integrity failures may indicate tampered executables.

DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server loading a Callout DLL specified in the registry

DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a Callout DLL specified in the registry could not be loaded

DNS Server Error Failed Loading the ServerLevelPluginDLL
This rule detects a DNS server error in which a plugin DLL specified in the registry could not be loaded

Password Change on Directory Service Restore Mode (DSRM) Account
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

Account Tampering – Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to identify suspicious activity and tampering with accounts that have been disabled or otherwise restricted.

Failed Logon From Public IP
A logon from a public IP address can indicate a misconfigured firewall or network boundary.

Interactive Logon to Server Systems
Detects interactive console logons to server systems

Kerberos Manipulation
This method triggers on rare Kerberos failure codes caused by manipulation of Kerberos messages

Generic Password Dumper Activity on LSASS
Detects a process handle on the LSASS process with a certain access mask

MSHTA Suspicious Execution 01
Detects suspicious mshta.exe execution patterns, sometimes involving file polyglotism

Microsoft Malware Protection Engine Crash
This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.

Suspicious Access to Sensitive File Extensions
Detects known sensitive file extensions accessed on a network share

Suspicious Kerberos RC4 Ticket Encryption
Detects service ticket requests using the RC4 encryption type

RottenPotato Like Attack Pattern
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like

SAM Dump to AppData
Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers

Secure Deletion with SDelete
Detects the renaming of a file during deletion with the SDelete tool

Unauthorized System Time Modification
Detects scenarios where a potentially unauthorized application or user is modifying the system time.

Login with WMI
Detects logons performed with WMI

Remote Service Activity via SVCCTL Named Pipe
Detects remote service activity via remote access to the svcctl named pipe

SysKey Registry Keys Access
Detects handle requests and access operations to specific registry keys to calculate the SysKey

Transferring Files with Credential Data via Network Shares
Detects the transfer of files with well-known filenames (sensitive files containing credential data) over network shares

USB Device Plugged
Detects plugged USB devices

CVE-2020-0688 Exploitation via Eventlog
Detects the exploitation of the Microsoft Exchange vulnerability described in CVE-2020-0688


These rules are made by the Sigma project. The collection covers several different attack tactics. The rules are created by the Sigma community and translated into the format of the Elastic Security detection engine.

The translation was made with SIEGMA.

Tested versions 7.12
ECS compliant