Chronicle Rule Coverage

28 events across 5 providers with Chronicle/YARA-L detection rules, 186 rule mappings total.

Microsoft-Windows-Security-Auditing (11 events, 91 rules)

Security-Auditing - Event ID 4624 - An account was successfully logged on.
Security-Auditing - Event ID 4625 - An account failed to log on.
Security-Auditing - Event ID 4648 - A logon was attempted using explicit credentials.
Security-Auditing - Event ID 4656 - A handle to an object was requested.
MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report [low]: Detects port forwarding being enabled via the netsh command, and registry settings created or modified in support of portproxy v4tov4.
Security-Auditing - Event ID 4657 - A registry value was modified.
Security-Auditing - Event ID 4662 - An operation was performed on an object.
ADFS DKM Key Access [high]: Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value.
Security-Auditing - Event ID 4688 - A new process has been created.
Security-Auditing - Event ID 4697 - A service was installed in the system.
Suspicious Windows Service Installation Detected [medium]: This detection rule identifies the creation of a Windows service with a suspicious or known malicious name, as logged by Windows Event ID 7045 (`A service was installed in the system`). Threat actors, including those associated with ransomware and other advanced persistent threats (APTs), often create services to achieve persistence, lateral movement, remote execution, or privilege escalation...
Security-Auditing - Event ID 4720 - A user account was created.
Windows Short Term Account Use [medium]: Detects the creation, login, and deletion of a user account within a predefined timeframe.
Security-Auditing - Event ID 4726 - A user account was deleted.
Windows Short Term Account Use [medium]: Detects the creation, login, and deletion of a user account within a predefined timeframe.
Security-Auditing - Event ID 5156 - The Windows Filtering Platform has permitted a connection.
Potential Remote PowerShell Session Initiated [high]: Detects a process that initiated a network connection over port 5985 or 5986 from a non-network service account. This could indicate a remote PowerShell connection.

Microsoft-Windows-Sysmon (11 events, 89 rules)

Sysmon - Event ID 1 - Process creation
Sysmon - Event ID 2 - A process changed a file creation time
Suspicious Unusual Location LNK File [low]: Detects creation and movement of .lnk files into specific folders.
Sysmon - Event ID 3 - Network connection
Potential Remote PowerShell Session Initiated [high]: Detects a process that initiated a network connection over port 5985 or 5986 from a non-network service account. This could indicate a remote PowerShell connection.
Sysmon - Event ID 10 - ProcessAccess
Sysmon - Event ID 11 - FileCreate
Sysmon - Event ID 12 - RegistryEvent (Object create and delete)
MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report [low]: Detects port forwarding being enabled via the netsh command, and registry settings created or modified in support of portproxy v4tov4.
Sysmon - Event ID 13 - RegistryEvent (Value Set)
Sysmon - Event ID 17 - PipeEvent (Pipe Created)
ADFS DB Suspicious Named Pipe Connection [medium]: A connection to ADFS over named pipes from a process other than the expected Windows ADFS processes may indicate a user attempting to access ADFS for suspicious purposes.
Sysmon - Event ID 18 - PipeEvent (Pipe Connected)
ADFS DB Suspicious Named Pipe Connection [medium]: A connection to ADFS over named pipes from a process other than the expected Windows ADFS processes may indicate a user attempting to access ADFS for suspicious purposes.
Sysmon - Event ID 22 - DNSEvent (DNS query)
Recon Environment Enumeration Network CISA Report [low]: Detects network enumeration commands as identified in the CISA Living off the Land PDF. Alone they may be normal, but in concert they may be worth looking into.
Sysmon - Event ID 23 - FileDelete (File Delete archived)
Suspicious Unusual Location LNK File [low]: Detects creation and movement of .lnk files into specific folders.

ESENT (4 events, 4 rules)

ESENT - Event ID 216
MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report [high]: Detects extraction of the ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic, as identified in the CISA Living off the Land PDF.
ESENT - Event ID 325
MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report [high]: Detects extraction of the ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic, as identified in the CISA Living off the Land PDF.
ESENT - Event ID 326
MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report [high]: Detects extraction of the ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic, as identified in the CISA Living off the Land PDF.
ESENT - Event ID 327
MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report [high]: Detects extraction of the ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic, as identified in the CISA Living off the Land PDF.

Microsoft-Windows-Eventlog (1 event, 1 rule)

Eventlog - Event ID 1102 - The audit log was cleared.
Windows Event Log Cleared [medium]: Detects the clearing of event logs within the Windows Event Viewer.

Service-Control-Manager (1 event, 1 rule)

Service-Control-Manager - Event ID 7045 - A service was installed in the system.
Suspicious Windows Service Installation Detected [medium]: This detection rule identifies the creation of a Windows service with a suspicious or known malicious name, as logged by Windows Event ID 7045 (`A service was installed in the system`). Threat actors, including those associated with ransomware and other advanced persistent threats (APTs), often create services to achieve persistence, lateral movement, remote execution, or privilege escalation...