Elastic Detection Rules Reference

30 events across 5 providers with Elastic detection rules, 89 rule mappings total.

Microsoft-Windows-PowerShell (1 event, 12 rules)

Operational - Event ID 4104 - Creating Scriptblock text (MessageNumber of MessageTotal).
  • Potential PowerShell Obfuscation via Invalid Escape Sequences medium - Detects PowerShell scripts with repeated invalid backtick escapes between word characters (letters, digits, underscore, or dash), splitting tokens while preserving execution. Attackers use this obfuscation to fragment keywords and evade pattern-based detection and AMSI.
  • Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion high - Detects PowerShell scripts that use backtick-escaped characters inside `${}` variable expansion (multiple backticks between word characters) to reconstruct strings at runtime. Attackers use variable-expansion obfuscation to split keywords, hide commands, and evade static analysis and AMSI.
  • Potential PowerShell Obfuscation via Character Array Reconstruction high - Detects PowerShell scripts that reconstruct strings from char[] arrays, index lookups, or repeated ([char]NN)+ concatenation/join logic. Attackers use character-array reconstruction to hide commands, URLs, or payloads and evade static analysis and AMSI.
  • Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation high - Detects PowerShell scripts that build commands from concatenated string literals inside dynamic invocation constructs like &() or .(). Attackers use concatenated dynamic invocation to obscure execution intent, bypass keyword-based detections, and evade AMSI.
  • Potential PowerShell Obfuscation via High Numeric Character Proportion low - Detects long PowerShell script block content with unusually high numeric character density (high digit-to-length ratio), often produced by byte arrays, character-code reconstruction, or embedded encoded blobs. Attackers use numeric-heavy obfuscation to conceal payloads and rebuild them at runtime to avoid static inspection.
  • Potential Dynamic IEX Reconstruction via Environment Variables medium - Detects PowerShell scripts that reconstruct IEX (Invoke-Expression) by indexing environment variable strings (for example, $env:VAR[1,2,3]) or related `.name[...]` slices and joining characters at runtime. Attackers use environment-variable slicing to hide dynamic execution and evade keyword-based detections and AMSI.
  • Dynamic IEX Reconstruction via Method String Access low - Detects PowerShell scripts that rebuild IEX by converting method references to strings (for example, ''.IndexOf.ToString()) and extracting multiple indexed characters (for example, [n,n,n]). Attackers use method-string reconstruction to conceal dynamic execution and bypass static detections and AMSI.
  • PowerShell Obfuscation via Negative Index String Reversal low - Detects PowerShell scripts that use negative index ranges (for example, $var[-1..0]) to reverse strings or arrays and rebuild content at runtime. Attackers use index reversal to reconstruct hidden commands or payloads and evade static analysis and AMSI.
  • Potential PowerShell Obfuscation via Reverse Keywords low - Detects PowerShell scripts containing reversed keyword strings associated with execution or network activity (for example, ekovni, noisserpxe, daolnwod, tcejbo-wen, tcejboimw, etc.). Attackers reverse keywords and reconstruct them at runtime to hide intent and evade static detection and AMSI.
  • Potential PowerShell Obfuscation via String Concatenation high - Detects PowerShell scripts that repeatedly concatenate multiple quoted string literals with + to assemble commands or tokens at runtime. Attackers use string concatenation to fragment keywords or URLs and evade static analysis and AMSI.
  • Potential PowerShell Obfuscation via String Reordering medium - Detects PowerShell scripts that use format placeholders like "{0}{1}" with the -f operator or ::Format to reorder strings at runtime. Attackers use format-based reconstruction to hide commands or payload strings and evade static analysis and AMSI.
  • Potential PowerShell Obfuscation via Special Character Overuse medium - Detects PowerShell scripts dominated by whitespace and special characters with low symbol diversity, a profile often produced by formatting or encoding obfuscation. Attackers use symbol-heavy encoding or formatting (for example, SecureString-style blobs or character-level transforms) to hide payloads and evade static analysis and AMSI.

Microsoft-Windows-Security-Auditing (20 events, 55 rules)

Security - Event ID 4624 - An account was successfully logged on.
  • Potential Computer Account NTLM Relay Activity medium - Identifies potential relay activities against a Computer account by identifying authentication events using the computer account coming from hosts other than the server that owns the account. Attackers may relay the computer account hash after capturing it using forced authentication.
    ↳ also fires on: Security-Auditing EID 4625
  • Potential Kerberos Relay Attack against a Computer Account high - Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.
    ↳ also fires on: Security-Auditing EID 4625, Security-Auditing EID 5145
  • Potential NTLM Relay Attack against a Computer Account high - Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.
    ↳ also fires on: Security-Auditing EID 4625, Security-Auditing EID 5145
  • Potential Account Takeover - Mixed Logon Types medium - Identifies a user account (often a service account) that normally logs in with high volume using one logon type suddenly showing successful logons using a different logon type with low count. This pattern may indicate account takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service was expected).
  • Service Creation via Local Kerberos Authentication high - Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a service creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.
  • Potential Account Takeover - Logon from New Source IP medium - Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location.
Security - Event ID 4625 - An account failed to log on.
  • Potential Computer Account NTLM Relay Activity medium - Identifies potential relay activities against a Computer account by identifying authentication events using the computer account coming from hosts other than the server that owns the account. Attackers may relay the computer account hash after capturing it using forced authentication.
    ↳ also fires on: Security-Auditing EID 4624
  • Potential Kerberos Relay Attack against a Computer Account high - Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.
    ↳ also fires on: Security-Auditing EID 4624, Security-Auditing EID 5145
  • Potential NTLM Relay Attack against a Computer Account high - Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.
    ↳ also fires on: Security-Auditing EID 4624, Security-Auditing EID 5145
Security - Event ID 4656 - A handle to an object was requested.
  • LSASS Memory Dump Handle Access medium - Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.
Security - Event ID 4662 - An operation was performed on an object.
Also fires on: Security-Auditing EID 5137
  • FirstTime Seen Account Performing DCSync high - This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.
  • Potential Credential Access via DCSync medium - This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.
  • Potential Kerberos Coercion via DNS-Based SPN Spoofing high - Identifies the creation of a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity). This enables reflective Kerberos relay attacks, potentially resulting in privileged access such as NT AUTHORITY\SYSTEM, without relying on NTLM fallback.
  • Access to a Sensitive LDAP Attribute medium - Identifies access to sensitive Active Directory object attributes that contain credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
  • Suspicious Access to LDAP Attributes low - Identifies read access to a high number of Active Directory object attributes. Knowledge of object properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
Security - Event ID 4674 - An operation was attempted on a privileged object.
  • Suspicious SeIncreaseBasePriorityPrivilege Use high - Identifies attempts to use the SeIncreaseBasePriorityPrivilege privilege by an unusual process. This could be related to hijacking the execution flow of a process via thread priority manipulation.
Security - Event ID 4688 - A new process has been created.
  • Potential LSASS Clone Creation via PssCaptureSnapShot high - Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Security - Event ID 4697 - A service was installed in the system.
Also fires on: Security-Auditing EID 7045, Service-Control-Manager EID 7045
  • Suspicious Service was Installed in the System medium - Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.
  • Remote Windows Service Installed medium - Identifies a network logon followed by Windows service creation with the same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.
  • Windows Service Installed via an Unusual Client high - Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.
Security - Event ID 4702 - A scheduled task was updated.
  • Unusual Scheduled Task Update low - Identifies first-time modifications to scheduled tasks by user accounts, excluding system activity and machine accounts.
Security - Event ID 4703 - A user right was adjusted.
  • SeDebugPrivilege Enabled by a Suspicious Process medium - Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may enable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate privileges and bypass access controls.
Security - Event ID 4704 - A user right was assigned.
  • Sensitive Privilege SeEnableDelegationPrivilege assigned to a User high - Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.
Security - Event ID 4719 - System audit policy was changed.
  • Sensitive Audit Policy Sub-Category Disabled medium - Identifies attempts to disable auditing for some security sensitive audit policy sub-categories. This is often done by attackers in an attempt to evade detection and forensics on a system.
Security - Event ID 4728 - A member was added to a security-enabled global group.
  • Active Directory Group Modification by SYSTEM medium - Identifies a user being added to an Active Directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges on a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.
Security - Event ID 4738 - A user account was changed.
Also fires on: Security-Auditing EID 5136
  • Kerberos Pre-authentication Disabled for User medium - Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.
  • Account Configured with Never-Expiring Password medium - Detects the creation and modification of an account with the "Don't Expire Password" option enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.
  • KRBTGT Delegation Backdoor high - Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
Security - Event ID 4768 - A Kerberos authentication ticket (TGT) was requested.
  • Suspicious Kerberos Authentication Ticket Request high - Correlates network connections to the standard Kerberos port by an unusual process from the source machine with a Kerberos authentication ticket request from the target domain controller.
Security - Event ID 4769 - A Kerberos service ticket was requested.
  • Suspicious Kerberos Authentication Ticket Request high - Correlates network connections to the standard Kerberos port by an unusual process from the source machine with a Kerberos authentication ticket request from the target domain controller.
Security - Event ID 4781 - The name of an account was changed.
  • Potential Privileged Escalation via SamAccountName Spoofing high - Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
Security - Event ID 5136 - A directory service object was modified.
  • Potential Active Directory Replication Account Backdoor medium - Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.
  • Potential Shadow Credentials added to AD Object high - Identifies the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object to create a key pair, append the raw public key to the attribute, and obtain persistent and stealthy access to the target user or computer object.
  • User account exposed to Kerberoasting medium - Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principal Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.
  • AdminSDHolder Backdoor high - Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.
  • Account Configured with Never-Expiring Password medium - Detects the creation and modification of an account with the "Don't Expire Password" option enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.
    ↳ also fires on: Security-Auditing EID 4738
  • AdminSDHolder SDProp Exclusion Added high - Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.
  • Delegated Managed Service Account Modification by an Unusual User high - Detects modifications in the msDS-ManagedAccountPrecededByLink attribute of a delegated managed service account by an unusual subject account. Attackers can abuse this attribute to take over a target account and inherit its permissions, allowing them to further elevate privileges.
  • Modification of the msPKIAccountCredentials medium - Identifies the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.
  • Startup/Logon Script added to Group Policy Object medium - Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
    ↳ also fires on: Security-Auditing EID 5145
  • Group Policy Abuse for Privilege Addition high - Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
  • Scheduled Task Execution at Scale via GPO medium - Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.
    ↳ also fires on: Security-Auditing EID 5145
Security - Event ID 5137 - A directory service object was created.
Also fires on: Security-Auditing EID 4662
  • Potential ADIDNS Poisoning via Wildcard Record Creation high - Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.
  • Potential WPAD Spoofing via DNS Record Creation medium - Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a "wpad" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.
  • Creation of a DNS-Named Record low - Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. They can also create specific records to target specific services, such as wpad, for spoofing attacks.
  • Potential Kerberos Coercion via DNS-Based SPN Spoofing high - Identifies the creation of a DNS record containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity). This enables reflective Kerberos relay attacks, potentially resulting in privileged access such as NT AUTHORITY\SYSTEM, without relying on NTLM fallback.
  • dMSA Account Creation by an Unusual User high - Detects the creation of a delegated Managed Service Account by an unusual subject account. Attackers can abuse the dMSA account migration feature to elevate privileges by abusing weak permissions that grant users child-object rights or msDS-DelegatedManagedServiceAccount rights.
Security - Event ID 5145 - A network share object was checked to see whether client can be granted desired access.
  • Potential Kerberos Relay Attack against a Computer Account high - Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.
    ↳ also fires on: Security-Auditing EID 4624, Security-Auditing EID 4625
  • Potential NTLM Relay Attack against a Computer Account high - Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.
    ↳ also fires on: Security-Auditing EID 4624, Security-Auditing EID 4625
  • Potential Machine Account Relay Attack via SMB high - Identifies potential relay attacks against a machine account by identifying network share access events coming from a remote source.ip but using the target server computer account. This may indicate a successful SMB relay attack.
  • Suspicious Remote Registry Access via SeBackupPrivilege medium - Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.
  • Startup/Logon Script added to Group Policy Object medium - Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
    ↳ also fires on: Security-Auditing EID 5136
  • Scheduled Task Execution at Scale via GPO medium - Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.
    ↳ also fires on: Security-Auditing EID 5136
  • Active Directory Forced Authentication from Linux Host - SMB Named Pipes medium - Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.
Security - Event ID 5382 - Vault credentials were read.
  • Multiple Vault Web Credentials Read medium - Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.

Microsoft-Windows-Sysmon (7 events, 20 rules)

Operational - Event ID 1 - Process creation
Also fires on: Sysmon EID 10
  • Suspicious Process Creation CallTrace medium - Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.
  • Potential File Transfer via Curl for Windows low - Identifies Curl for Windows making an HTTP request. Adversaries could abuse Curl to download files or upload data to a remote URL.
  • Account Discovery Command via SYSTEM Account low - Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.
  • Whoami Process Activity low - Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.
  • Network Connection via Registration Utility low - Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
  • WMI Incoming Lateral Movement medium - Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
  • Local Scheduled Task Creation low - Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
  • Unusual Print Spooler Child Process medium - Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.
Operational - Event ID 2 - A process changed a file creation time
  • Potential Timestomp in Executable Files medium - Identifies the modification of a file creation time for executable files in sensitive system directories. Adversaries may modify file time attributes to blend malicious executables with legitimate system files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.
Operational - Event ID 7 - Image loaded
  • Potential Credential Access via Renamed COM+ Services DLL high - Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.
Operational - Event ID 8 - CreateRemoteThread
  • Process Injection by the Microsoft Build Engine low - An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.
Operational - Event ID 10 - ProcessAccess
Also fires on: Sysmon EID 1
  • Suspicious LSASS Access via MalSecLogon high - Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.
  • Potential Credential Access via DuplicateHandle in LSASS medium - Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
  • Suspicious Lsass Process Access medium - Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.
  • Potential Credential Access via LSASS Memory Dump high - Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.
  • Potential LSASS Memory Dump via PssCaptureSnapShot high - Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
  • Suspicious Process Access via Direct System Call high - Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.
  • Suspicious Process Creation CallTrace medium - Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.
Operational - Event ID 17 - PipeEvent (Pipe Created)
  • Privilege Escalation via Rogue Named Pipe Impersonation high - Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.
Operational - Event ID 21 - WmiEvent (WmiEventConsumerToFilter activity detected)
  • Suspicious WMI Event Subscription Created medium - Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.

Microsoft-Windows-WMI-Activity (1 event, 1 rule)

Trace - Event ID 21 - WMI Events were bound.
  • Suspicious WMI Event Subscription Created medium - Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.

Service-Control-Manager (1 event, 1 rule)

System - Event ID 7045 - A service was installed in the system.
  • Suspicious Service was Installed in the System medium - Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.