Sigma Rule Coverage

222 events across 47 providers with Sigma detection rules, 3700 rule mappings total.

Application-Error (1 event, 2 rules)

Application - Event ID 1000 - Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.

Application-Popup (1 event, 1 rule)

System - Event ID 26 - Application popup: Caption : Message.
Sysmon Application Crashed - Detects an application popup reporting a failure of the Sysmon service

ESENT (4 events, 5 rules)

Application - Event ID 216
Ntdsutil Abuse - Detects potential abuse of ntdsutil to dump the ntds.dit database
Application - Event ID 325
Also fires on: ESENT EID 216, ESENT EID 326, ESENT EID 327
Application - Event ID 326
Ntdsutil Abuse - Detects potential abuse of ntdsutil to dump the ntds.dit database
Application - Event ID 327
Ntdsutil Abuse - Detects potential abuse of ntdsutil to dump the ntds.dit database

LsaSrv (3 events, 3 rules)

Operational - Event ID 300 - Groups assigned to a new logon.
Standard User In High Privileged Group - Detects logons by standard users that are members of highly privileged groups such as the Administrators group
System - Event ID 6038 - Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server.
NTLMv1 Logon Between Client and Server - Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure because the underlying encryption algorithms can be brute-forced by modern hardware.
System - Event ID 6039 - Microsoft Windows Server has detected that NTLM authentication is being used between clients and this server.
NTLMv1 Logon Between Client and Server - Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure because the underlying encryption algorithms can be brute-forced by modern hardware.

Microsoft-Windows-AppLocker (4 events, 4 rules)

EXE and DLL - Event ID 8004 - FilePathBuffer was prevented from running.
AppLocker Prevented Application or Script from Running - Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App.
MSI and Script - Event ID 8007 - FilePathBuffer was prevented from running.
AppLocker Prevented Application or Script from Running - Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App.
Packaged app-Execution - Event ID 8022 - PackageBuffer was prevented from running.
AppLocker Prevented Application or Script from Running - Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App.
Packaged app-Deployment - Event ID 8025 - PackageBuffer was prevented from running.
AppLocker Prevented Application or Script from Running - Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App.

Microsoft-Windows-AppModel-Runtime (1 event, 1 rule)

Admin - Event ID 201 - Created process ProcessID for application ApplicationName in package PackageName.
Sysinternals Tools AppX Versions Execution - Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump and avoid detections based on system paths.

Microsoft-Windows-AppXDeployment-Server (9 events, 13 rules)

Operational - Event ID 400 - Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path finished successfully.
Also fires on: AppXDeployment-Server EID 401
Operational - Event ID 401 - Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path failed with error ErrorCode.
Also fires on: AppXDeployment-Server EID 400
Operational - Event ID 412 - error ErrorCode: Deployment of package PackageFullName was blocked by AppLocker.
Deployment AppX Package Was Blocked By AppLocker - Detects an appx package deployment that was blocked by AppLocker policy.
Operational - Event ID 441 - The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy.
Deployment Of The AppX Package Was Blocked By The Policy - Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy: Event ID 441 (the package deployment operation is blocked by the "Allow deployment operations in special profiles" policy); Event ID 442 (deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy); Event ID 453 (package blocked by a platform policy); Event ID 454 (package blocked by a platform policy).
Operational - Event ID 442 - Deployment of package PackageFullName to volume MountPoint failed because deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps...
Deployment Of The AppX Package Was Blocked By The Policy - Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy: Event ID 441 (the package deployment operation is blocked by the "Allow deployment operations in special profiles" policy); Event ID 442 (deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy); Event ID 453 (package blocked by a platform policy); Event ID 454 (package blocked by a platform policy).
Operational - Event ID 453 - Package PackageFullName is blocked by a platform policy: PolicyReason.
Deployment Of The AppX Package Was Blocked By The Policy - Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy: Event ID 441 (the package deployment operation is blocked by the "Allow deployment operations in special profiles" policy); Event ID 442 (deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy); Event ID 453 (package blocked by a platform policy); Event ID 454 (package blocked by a platform policy).
Operational - Event ID 454 - Package PackageFullName is blocked by a platform policy: PolicyReason.
Deployment Of The AppX Package Was Blocked By The Policy - Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy: Event ID 441 (the package deployment operation is blocked by the "Allow deployment operations in special profiles" policy); Event ID 442 (deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy); Event ID 453 (package blocked by a platform policy); Event ID 454 (package blocked by a platform policy).
Operational - Event ID 603 - Started deployment DeploymentOperation operation on a package with main parameter Path and Options Flags and FlagsHigh.
Windows AppX Deployment Unsigned Package Installation - Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
Operational - Event ID 854 - Successfully added the following uri(s) to be processed: Path.

Microsoft-Windows-AppxPackagingOM (1 event, 1 rule)

Operational - Event ID 157 - The app package signature was validated for core content of the app package published by subjectName.
Suspicious Digital Signature Of AppX Package - Detects execution of AppX packages with a known suspicious or malicious signature

Microsoft-Windows-Audit-CVE (1 event, 1 rule)

Application - Event ID 1 - Possible detection of CVE: PossibleDetectionOfCVE.
Audit CVE Event - Detects events generated by user-mode applications when they call the CveEventWrite API because a known vulnerability is being exploited. Microsoft started using this log in January 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.

Microsoft-Windows-Backup (1 event, 1 rule)

Application - Event ID 524 - The system catalog has been deleted.
Backup Catalog Deleted - Detects backup catalog deletions

Microsoft-Windows-Bits-Client (2 events, 7 rules)

Operational - Event ID 3 - The BITS service created a new job: jobTitle, with owner jobId.
Operational - Event ID 16403

Microsoft-Windows-CAPI2 (1 event, 1 rule)

Operational - Event ID 70 - For more details for this event, please refer to the "Details" section
Certificate Private Key Acquired - Detects when an application acquires a certificate private key

Microsoft-Windows-CertificateServicesClient-Lifecycle-System (1 event, 1 rule)

Operational - Event ID 1007 - A certificate has been exported.
Certificate Exported From Local Certificate Store - Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

Microsoft-Windows-CertificationAuthority (1 event, 1 rule)

Operational - Event ID 53
Active Directory Certificate Services Denied Certificate Enrollment Request - Detects requests denied by Active Directory Certificate Services. Examples of such denials include permission issues on the certificate template or invalid signatures.

Microsoft-Windows-CodeIntegrity (14 events, 14 rules)

Operational - Event ID 3001 - Code Integrity determined an unsigned kernel module FileNameBuffer is loaded into the system.
CodeIntegrity - Unsigned Kernel Module Loaded - Detects the presence of a loaded unsigned kernel module on the system.
Operational - Event ID 3021 - Code Integrity determined a revoked kernel module FileNameBuffer is loaded into the system.
CodeIntegrity - Revoked Kernel Driver Loaded - Detects the load of a revoked kernel driver
Operational - Event ID 3022 - Code Integrity determined a revoked kernel module FileNameBuffer is loaded into the system.
CodeIntegrity - Revoked Kernel Driver Loaded - Detects the load of a revoked kernel driver
Operational - Event ID 3023 - The driver FileNameBuffer is blocked from loading as the driver has been revoked by Microsoft.
CodeIntegrity - Blocked Driver Load With Revoked Certificate - Detects blocked load attempts of revoked drivers
Operational - Event ID 3032 - Code Integrity determined a revoked image FileNameBuffer is loaded into the system.
CodeIntegrity - Revoked Image Loaded - Detects image load events with revoked certificates by code integrity.
Operational - Event ID 3033 - Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements.
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.
Operational - Event ID 3034 - Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity p...
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.
Operational - Event ID 3035 - Code Integrity determined a revoked image FileNameBuffer is loaded into the system.
CodeIntegrity - Revoked Image Loaded - Detects image load events with revoked certificates by code integrity.
Operational - Event ID 3036 - Windows is unable to verify the integrity of the file FileNameBuffer because the signing certificate has been revoked.
CodeIntegrity - Blocked Image Load With Revoked Certificate - Detects blocked image load events with revoked certificates by code integrity.
Operational - Event ID 3037 - Code Integrity determined an unsigned image FileNameBuffer is loaded into the system.
CodeIntegrity - Unsigned Image Loaded - Detects a loaded unsigned image on the system
Operational - Event ID 3077 - Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p...
CodeIntegrity - Blocked Image/Driver Load For Policy Violation - Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
Operational - Event ID 3082 - Code Integrity determined kernel module FileNameBuffer that did not meet the WHQL requirements is loaded into the system.
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module - Detects loaded kernel modules that did not meet the WHQL signing requirements.
Operational - Event ID 3083 - Code Integrity determined kernel module FileNameBuffer that did not meet the WHQL requirements is loaded into the system.
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module - Detects loaded kernel modules that did not meet the WHQL signing requirements.
Operational - Event ID 3104 - Windows blocked file FileNameBuffer which has been disallowed for protected processes.
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked - Detects block events for files that are disallowed by code integrity for protected processes

Microsoft-Windows-DHCP-Server (4 events, 4 rules)

Operational - Event ID 1031 - [EVENT_SERVER_CALLOUT_UNHANDLED_EXCEPTION] The installed server callout .dll file has caused an exception.
DHCP Server Error Failed Loading the CallOut DLL - This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
Operational - Event ID 1032 - [EVENT_SERVER_CALLOUT_LOAD_EXCEPTION] The installed server callout .dll file has caused an exception. The .dll file couldn't be loaded.
DHCP Server Error Failed Loading the CallOut DLL - This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
Operational - Event ID 1033 - [EVENT_SERVER_CALLOUT_LOAD_SUCCESS] The DHCP service has successfully loaded one or more callout DLLs.
DHCP Server Loaded the CallOut DLL - This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
Operational - Event ID 1034 - [EVENT_SERVER_READ_ONLY_GROUP_ERROR] The DHCP service has failed to load one or more callout DLLs.
DHCP Server Error Failed Loading the CallOut DLL - This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded

Microsoft-Windows-Diagnosis-Scripted (1 event, 1 rule)

Operational - Event ID 101 - The scripted diagnostic engine started initializing a diagnostic package located at PackagePath.
Loading Diagcab Package From Remote Path - Detects loading of diagcab packages from a remote path, as seen in the DogWalk vulnerability

Microsoft-Windows-DistributedCOM (1 event, 1 rule)

Operational - Event ID 10001 - Unable to start a DCOM Server: param3 as param4/param5.
Local Privilege Escalation Indicator TabTip - Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode

Microsoft-Windows-DNS-Client (1 event, 6 rules)

Operational - Event ID 3008 - DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults.

Microsoft-Windows-DNS-Server-Service (4 events, 4 rules)

DNS Server - Event ID 150 - The DNS server could not load or initialize the plug-in DLL Name.
DNS Server Error Failed Loading the ServerLevelPluginDLL - Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
DNS Server - Event ID 770 - A DNS server plugin DLL has been loaded from location param1 on server param2.
DNS Server Error Failed Loading the ServerLevelPluginDLL - Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
DNS Server - Event ID 771 - The V1 plugin interface has been implemented in server level plugin DLL.
DNS Server Error Failed Loading the ServerLevelPluginDLL - Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
DNS Server - Event ID 6004 - The DNS server received a zone transfer request from param1 for a non-existent or non-authoritative zone param2.
Failed DNS Zone Transfer - Detects when a DNS zone transfer failed.

Microsoft-Windows-DriverFrameworks-UserMode (3 events, 3 rules)

Operational - Event ID 2003 - The UMDF Host Process (UMDFHostDeviceArrivalBegin.LifetimeId) has been asked to load drivers for device UMDFHostDeviceArrivalBegin.InstanceId.
USB Device Plugged - Detects plugged/unplugged USB devices
Operational - Event ID 2100 - Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId.
USB Device Plugged - Detects plugged/unplugged USB devices
Operational - Event ID 2102 - Forwarded a finished Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) to the lower driver for device UMDFHostDeviceRequest.InstanceId with status UMDFHostDeviceRequest.Status.
USB Device Plugged - Detects plugged/unplugged USB devices

Microsoft-Windows-Eventlog (1 event, 2 rules)

System - Event ID 104 - The LogFileCleared.Channel log file was cleared.

Microsoft-Windows-IIS-Configuration (1 event, 4 rules)

Operational - Event ID 29

Microsoft-Windows-Iphlpsvc (1 event, 1 rule)

System - Event ID 4100 - ISATAP router address IsatapRouter was set with status ErrorCode.
ISATAP Router Address Was Set - Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.

Microsoft-Windows-Kernel-General (1 event, 1 rule)

System - Event ID 16 - The access history in hive HiveName was cleared updating KeysUpdated keys and creating DirtyPages modified pages.
Critical Hive In Suspicious Location Access Bits Cleared - Detects events from the Kernel-General ETW provider indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive that has not been recognized in the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.

Microsoft-Windows-LDAP-Client (1 event, 1 rule)

Debug - Event ID 30
Potential Active Directory Reconnaissance/Enumeration Via LDAP - Detects potential Active Directory enumeration via LDAP

Microsoft-Windows-Ntfs (1 event, 1 rule)

System - Event ID 98 - Volume DriveName (DeviceName) CorruptionActionState.
Volume Shadow Copy Mount - Detects a volume shadow copy mount via the Windows event log

Microsoft-Windows-NTLM (2 events, 2 rules)

Operational - Event ID 8001 - NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.
Potential Remote Desktop Connection to Non-Domain Host - Detects logons using NTLM to hosts that are potentially not part of the domain.
Operational - Event ID 8002 - NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked.
NTLM Logon - Detects logons using NTLM, which could be caused by a legacy source or by attackers

Microsoft-Windows-PowerShell (2 events, 193 rules)

Operational - Event ID 4103 - Payload Context: ContextInfo User Data: UserData.
Operational - Event ID 4104 - Creating Scriptblock text (MessageNumber of MessageTotal). 160 rules

Microsoft-Windows-Security-Auditing (63 events, 1346 rules) #

Security - Event ID 4611 - A trusted logon process has been registered with the Local Security Authority. #
Register new Logon Process by Rubeus(source) - Detects potential use of Rubeus via registered new trusted logon process
Security - Event ID 4616 - The system time was changed. #
Unauthorized System Time Modification(source) - Detect scenarios where a potentially unauthorized application or user is modifying the system time.
Security - Event ID 4624 - An account was successfully logged on. #
Also fires on: Security-Auditing EID 4625, Security-Auditing EID 4776
Security - Event ID 4625 - An account failed to log on. #
Security - Event ID 4634 - An account was logged off. #
User Logoff Event(source) - Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
Security - Event ID 4647 - User initiated logoff. #
User Logoff Event(source) - Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
Security - Event ID 4648 - A logon was attempted using explicit credentials. #
Suspicious Remote Logon with Explicit Credentials(source) - Detects suspicious processes logging on with explicit credentials
Security - Event ID 4649 - A replay attack was detected. #
Replay Attack Detected(source) - Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
Security - Event ID 4656 - A handle to an object was requested. #
Security - Event ID 4657 - A registry value was modified. #
Security - Event ID 4658 - The handle to an object was closed. #
Potential Secure Deletion with SDelete(source) - Detects files that have extensions commonly seen while SDelete is used to wipe files.
Security - Event ID 4661 - A handle to an object was requested. #
Security - Event ID 4662 - An operation was performed on an object. #
Also fires on: Security-Auditing EID 5136, Security-Auditing EID 5137
Security - Event ID 4663 - An attempt was made to access an object. #
  • Azure AD Health Monitoring Agent Registry Keys Access (source) - This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.↳ also fires on: Security-Auditing EID 4656
  • Azure AD Health Service Agents Registry Keys Access (source) - This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.↳ also fires on: Security-Auditing EID 4656
  • Processes Accessing the Microphone and Webcam (source) - Potential adversaries accessing the microphone and webcam in an endpoint.↳ also fires on: Security-Auditing EID 4656, Security-Auditing EID 4657
  • ISO Image Mounted (source) - Detects the mount of an ISO image on an endpoint
  • LSASS Access From Non System Account (source) - Detects potential mimikatz-like tools accessing LSASS from non system account↳ also fires on: Security-Auditing EID 4656
  • WCE wceaux.dll Access (source) - Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host↳ also fires on: Security-Auditing EID 4656
  • Service Registry Key Read Access Request (source) - Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
  • Potential Secure Deletion with SDelete (source) - Detects files that have extensions commonly seen while SDelete is used to wipe files.↳ also fires on: Security-Auditing EID 4656, Security-Auditing EID 4658
  • File Access Of Signal Desktop Sensitive Data (source) - Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data. Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials. Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
  • Potentially Suspicious AccessMask Requested From LSASS (source) - Detects process handle on LSASS process with certain access mask↳ also fires on: Security-Auditing EID 4656
  • SysKey Registry Keys Access (source) - Detects handle requests and access operations to specific registry keys to calculate the SysKey↳ also fires on: Security-Auditing EID 4656
  • Sysmon Channel Reference Deletion (source) - Potential threat actor tampering with Sysmon manifest and eventually disabling it↳ also fires on: Security-Auditing EID 4657
  • Suspicious Teams Application Related ObjectAcess Event (source) - Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
  • Windows Defender Exclusion Registry Key - Write Access Requested (source) - Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.↳ also fires on: Security-Auditing EID 4656
Security - Event ID 4673 - A privileged service was called. #
  • User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' (source) - The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
  • Potential Privileged System Service Operation - SeLoadDriverPrivilege (source) - Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
Security - Event ID 4674 - An operation was attempted on a privileged object. #
SCM Database Privileged Operation(source) - Detects non-system users performing privileged operation os the SCM database
Security - Event ID 4688 - A new process has been created. 1167 rules#
Also fires on: Sysmon EID 1
Show 1167 rules
Security - Event ID 4692 - Backup of data protection master key was attempted. #
DPAPI Domain Master Key Backup Attempt(source) - Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
Security - Event ID 4697 - A service was installed in the system. #
Security - Event ID 4698 - A scheduled task was created. #
Suspicious Scheduled Task Creation(source) - Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
Security - Event ID 4699 - A scheduled task was deleted. #
Important Scheduled Task Deleted/Disabled(source) - Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Security - Event ID 4701 - A scheduled task was disabled. #
Important Scheduled Task Deleted/Disabled(source) - Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Security - Event ID 4702 - A scheduled task was updated. #
Suspicious Scheduled Task Update(source) - Detects update to a scheduled task event that contain suspicious keywords.
Security - Event ID 4704 - A user right was assigned. #
Enabled User Right in AD to Control User Objects(source) - Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
Security - Event ID 4706 - A new trust was created to a domain. #
A New Trust Was Created To A Domain(source) - Addition of domains is seldom and should be verified for legitimacy.
Security - Event ID 4719 - System audit policy was changed. #
  • Windows Event Auditing Disabled (source) - Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
  • Important Windows Event Auditing Disabled (source) - Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
Security - Event ID 4720 - A user account was created. #
Also fires on: Security-Auditing EID 4781
Security - Event ID 4728 - A member was added to a security-enabled global group. #
A Member Was Added to a Security-Enabled Global Group(source) - Detects activity when a member is added to a security-enabled global group
Security - Event ID 4729 - A member was removed from a security-enabled global group. #
A Member Was Removed From a Security-Enabled Global Group(source) - Detects activity when a member is removed from a security-enabled global group
Security - Event ID 4730 - A security-enabled global group was deleted. #
A Security-Enabled Global Group Was Deleted(source) - Detects activity when a security-enabled global group is deleted
Security - Event ID 4732 - A member was added to a security-enabled local group. #
User Added to Local Administrator Group(source) - Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
Security - Event ID 4738 - A user account was changed. #
Security - Event ID 4741 - A computer account was created. #
Add or Remove Computer from DC(source) - Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
Security - Event ID 4742 - A computer account was changed. #
Possible DC Shadow Attack(source) - Detects DCShadow via the creation of a new SPN
Security - Event ID 4743 - A computer account was deleted. #
Add or Remove Computer from DC(source) - Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
Security - Event ID 4765 - SID History was added to an account. #
Addition of SID History to Active Directory Object(source) - An attacker can use the SID history attribute to gain additional privileges.
Security - Event ID 4766 - An attempt to add SID History to an account failed. #
Addition of SID History to Active Directory Object(source) - An attacker can use the SID history attribute to gain additional privileges.
Security - Event ID 4768 - A Kerberos authentication ticket (TGT) was requested. #
Also fires on: Security-Auditing EID 675, Security-Auditing EID 4769, Security-Auditing EID 4771
  • Potential AS-REP Roasting via Kerberos TGT Requests (source) - Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17), i.e., RC4-HMAC. This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
  • PetitPotam Suspicious Kerberos TGT Request (source) - Detect suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.
  • Kerberos Manipulation (source) - Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
Security - Event ID 4769 - A Kerberos service ticket was requested. #
Also fires on: Security-Auditing EID 675, Security-Auditing EID 4768, Security-Auditing EID 4771
  • Kerberoasting Activity - Initial Query (source) - This rule will collect the data needed to start looking into possible Kerberoasting activity. Further analysis or computation within the query is needed, focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
  • Kerberos Manipulation (source) - Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
  • Suspicious Kerberos RC4 Ticket Encryption (source) - Detects service ticket requests using RC4 encryption type
Security - Event ID 4771 - Kerberos pre-authentication failed. #
Kerberos Manipulation(source) - Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
Security - Event ID 4776 - The domain controller attempted to validate the credentials for an account. #
Security - Event ID 4781 - The name of an account was changed. #
New or Renamed User Account with '$' Character(source) - Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
Security - Event ID 4794 - An attempt was made to set the Directory Services Restore Mode administrator password. #
Password Change on Directory Service Restore Mode (DSRM) Account(source) - Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
Security - Event ID 4800 - The workstation was locked. #
Locked Workstation(source) - Detects locked workstation session events that occur automatically after a standard period of inactivity.
Security - Event ID 4825 - A user was denied the access to Remote Desktop. #
Denied Access To Remote Desktop(source) - This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available Windows servers in the network.
Security - Event ID 4898 - Certificate Services loaded a template. #
Also fires on: Security-Auditing EID 4899
Security - Event ID 4899 - A Certificate Services template was updated. #
Also fires on: Security-Auditing EID 4898
Security - Event ID 4904 - An attempt was made to register a security event source. #
VSSAudit Security Event Source Registration(source) - Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
Security - Event ID 4905 - An attempt was made to unregister a security event source. #
VSSAudit Security Event Source Registration(source) - Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
Security - Event ID 5038 - Code integrity determined that the image hash of a file is not valid. #
Failed Code Integrity Checks(source) - Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.
Security - Event ID 5136 - A directory service object was modified. #
Security - Event ID 5137 - A directory service object was created. #
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation(source) - Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
Security - Event ID 5140 - A network share object was accessed. #
Access To ADMIN$ Network Share(source) - Detects access to ADMIN$ network share
Security - Event ID 5145 - A network share object was checked to see whether client can be granted desired access. #
Also fires on: Security-Auditing EID 5136
Security - Event ID 5156 - The Windows Filtering Platform has permitted a connection. #
Security - Event ID 5157 - The Windows Filtering Platform has blocked a connection. #
Windows Filtering Platform Blocked Connection From EDR Agent Binary(source) - Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
Security - Event ID 5379 - Credential Manager credentials were read. #
Security - Event ID 5441 - The following filter was present when the Windows Filtering Platform Base Filtering Engine started. #
HackTool - EDRSilencer Execution - Filter Added(source) - Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
Security - Event ID 5447 - A Windows Filtering Platform filter has been changed. #
Security - Event ID 5449 - A Windows Filtering Platform provider context has been changed. #
HackTool - NoFilter Execution(source) - Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
Security - Event ID 6281 - Code Integrity determined that the page hashes of an image file are not valid. #
Failed Code Integrity Checks(source) - Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.
Security - Event ID 6416 - A new external device was recognized by the system. #
External Disk Drive Or USB Storage Device Was Recognized By The System(source) - Detects external disk drives or plugged-in USB devices.
Security - Event ID 6423 - The installation of this device is forbidden by system policy. #
Device Installation Blocked(source) - Detects an installation of a device that is forbidden by the system policy

Microsoft-Windows-Security-Kerberos (1 event, 1 rule) #

Operational - Event ID 16#
No Suitable Encryption Key Found For Generating Kerberos Ticket(source) - Detects errors when a target server doesn't have suitable keys for generating Kerberos tickets. This issue can occur, for example, when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7, which has DES encryption for Kerberos authentication disabled.

Microsoft-Windows-Security-Mitigations (2 events, 4 rules) #

KernelMode - Event ID 11 - Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the non-Microsoft-signed binary 'ImageName'. #
Also fires on: Security-Mitigations EID 12
KernelMode - Event ID 12 - Process 'ProcessPath' (PID ProcessId) was blocked from loading the non-Microsoft-signed binary 'ImageName'. #
Also fires on: Security-Mitigations EID 11

Microsoft-Windows-Shell-Core (1 event, 1 rule) #

Operational - Event ID 28115 - Shortcut for application Name with ID AppID and flags Flags is added to app resolver cache. #
Suspicious Application Installed(source) - Detects suspicious application installed by looking at the added shortcut to the app resolver cache

Microsoft-Windows-SMBServer (1 event, 1 rule) #

Operational - Event ID 4000#
Unsigned or Unencrypted SMB Connection to Share Established(source) - Detects SMB server connections to shares without signing or encryption enabled. This could indicate potential lateral movement activity using unsecured SMB shares.

Microsoft-Windows-SoftwareRestrictionPolicies (5 events, 5 rules) #

Application - Event ID 865 - Access to AttemptedPath has been restricted by your Administrator by the default software restriction policy level. #
Restricted Software Access By SRP(source) - Detects restricted access to applications by the Software Restriction Policies (SRP) policy
Application - Event ID 866 - Access to AttemptedPath has been restricted by your Administrator by location with policy rule SrpRuleGuid placed on path RulePath. #
Restricted Software Access By SRP(source) - Detects restricted access to applications by the Software Restriction Policies (SRP) policy
Application - Event ID 867 - Access to AttemptedPath has been restricted by your Administrator by software publisher policy. #
Restricted Software Access By SRP(source) - Detects restricted access to applications by the Software Restriction Policies (SRP) policy
Application - Event ID 868 - Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid. #
Restricted Software Access By SRP(source) - Detects restricted access to applications by the Software Restriction Policies (SRP) policy
Application - Event ID 882 - Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid. #
Restricted Software Access By SRP(source) - Detects restricted access to applications by the Software Restriction Policies (SRP) policy

Microsoft-Windows-Sysmon (28 events, 1946 rules) #

Operational - Event ID 1 - Process creation (1167 rules) #
Also fires on: Security-Auditing EID 4688
Operational - Event ID 2 - A process changed a file creation time #
Unusual File Modification by dns.exe(source) - Detects an unexpected file being modified by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Operational - Event ID 3 - Network connection #
Operational - Event ID 4 - Sysmon service state changed #
Sysmon Configuration Modification(source) - Detects when an attacker tries to hide from Sysmon by disabling or stopping it
Operational - Event ID 6 - Driver loaded #
Operational - Event ID 7 - Image loaded (99 rules) #
Operational - Event ID 8 - CreateRemoteThread #
Operational - Event ID 9 - RawAccessRead #
Potential Defense Evasion Via Raw Disk Access By Uncommon Tools(source) - Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
Operational - Event ID 10 - ProcessAccess #
Operational - Event ID 11 - FileCreate (165 rules) #
Operational - Event ID 12 - RegistryEvent (Object create and delete) #
Also fires on: Sysmon EID 13, Sysmon EID 14
Operational - Event ID 13 - RegistryEvent (Value Set) (236 rules) #
Also fires on: Sysmon EID 12, Sysmon EID 14
Operational - Event ID 14 - RegistryEvent (Key and Value Rename) #
Also fires on: Sysmon EID 12, Sysmon EID 13
Operational - Event ID 15 - FileCreateStreamHash #
Operational - Event ID 16 - ServiceConfigurationChange #
Also fires on: Sysmon EID 4
Operational - Event ID 17 - PipeEvent (Pipe Created) #
Also fires on: Sysmon EID 18
Operational - Event ID 18 - PipeEvent (Pipe Connected) #
Also fires on: Sysmon EID 17
Operational - Event ID 19 - WmiEvent (WmiEventFilter activity detected) #
Also fires on: Sysmon EID 20, Sysmon EID 21
Operational - Event ID 20 - WmiEvent (WmiEventConsumer activity detected) #
Also fires on: Sysmon EID 19, Sysmon EID 21
Operational - Event ID 21 - WmiEvent (WmiEventConsumerToFilter activity detected) #
Also fires on: Sysmon EID 19, Sysmon EID 20
Operational - Event ID 22 - DNSEvent (DNS query) #
Operational - Event ID 23 - FileDelete (File Delete archived) #
Also fires on: Sysmon EID 26
Operational - Event ID 25 - ProcessTampering (Process image change) #
Potential Process Hollowing Activity(source) - Detects when a memory process image does not match the disk image, indicative of process hollowing.
Operational - Event ID 26 - FileDeleteDetected (File Delete logged) #
Also fires on: Sysmon EID 23
Operational - Event ID 27 - FileBlockExecutable #
Sysmon Blocked Executable(source) - Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
Operational - Event ID 28 - FileBlockShredding #
Sysmon Blocked File Shredding(source) - Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
Operational - Event ID 29 - FileExecutableDetected #
  • Potentially Suspicious Self Extraction Directive File Created (source) - Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self-extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.
  • Sysmon File Executable Creation Detected (source) - Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
Operational - Event ID 255 - Error report: UtcTime: UtcTime ID: ID Description: Description. #
Sysmon Configuration Error(source) - Detects when an adversary is trying to hide its actions from Sysmon logging, based on error messages

Microsoft-Windows-TaskScheduler (2 events, 3 rules) #

Operational - Event ID 129 - Task Scheduler launch task "Name" , instance "TaskName" with process ID Path. #
Operational - Event ID 141 - User "TaskName" deleted Task Scheduler task "Name". #
Important Scheduled Task Deleted(source) - Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

Microsoft-Windows-TerminalServices-LocalSessionManager (1 event, 1 rule) #

Operational - Event ID 21 - Remote Desktop Services: Session logon succeeded. #
Ngrok Usage with Remote Desktop Service(source) - Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

Microsoft-Windows-Windows-Defender (14 events, 19 rules) #

Operational - Event ID 1006 - ProductName has detected malware or other potentially unwanted software. #
Windows Defender Threat Detected(source) - Detects actions taken by Windows Defender malware detection engines
Operational - Event ID 1009 - ProductName has restored an item from quarantine. #
Win Defender Restored Quarantine File(source) - Detects the restoration of files from the defender quarantine
Operational - Event ID 1013 - Product Name has removed history of malware and other potentially unwanted software. #
Windows Defender Malware Detection History Deletion(source) - Windows Defender logs when the history of detected infections is deleted.
Operational - Event ID 1015 - ProductName has detected a suspicious behavior. #
Windows Defender Threat Detected(source) - Detects actions taken by Windows Defender malware detection engines
Operational - Event ID 1116 - Product Name has detected malware or other potentially unwanted software. #
Also fires on: Windows-Defender EID 1006, Windows-Defender EID 1015, Windows-Defender EID 1117
Operational - Event ID 1117 - Product Name has taken action to protect this machine from malware or other potentially unwanted software. #
Windows Defender Threat Detected(source) - Detects actions taken by Windows Defender malware detection engines
Operational - Event ID 1121 - Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. #
Operational - Event ID 3002 - ProductName Real-Time Protection feature has encountered an error and failed. #
Windows Defender Real-Time Protection Failure/Restart(source) - Detects issues with Windows Defender Real-Time Protection features
Operational - Event ID 3007 - ProductName Real-time Protection feature has restarted. #
Windows Defender Real-Time Protection Failure/Restart(source) - Detects issues with Windows Defender Real-Time Protection features
Operational - Event ID 5001 - Product Name Real-time Protection scanning for malware and other potentially unwanted software was disabled. #
Windows Defender Real-time Protection Disabled(source) - Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
Operational - Event ID 5007 - Product Name Configuration has changed. #
Operational - Event ID 5010 - ProductName scanning for spyware and other potentially unwanted software is disabled. #
Windows Defender Malware And PUA Scanning Disabled(source) - Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
Operational - Event ID 5012 - ProductName scanning for viruses is disabled. #
Windows Defender Virus Scanning Feature Disabled(source) - Detects disabling of the Windows Defender virus scanning feature
Operational - Event ID 5013 - Tamper Protection Changed Type a change to Product Name. #
Microsoft Defender Tamper Protection Trigger(source) - Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"

Microsoft-Windows-Windows-Firewall-With-Advanced-Security (15 events, 21 rules) #

Firewall - Event ID 2002 - A Windows Defender Firewall setting has changed. #
Windows Firewall Settings Have Been Changed(source) - Detects activity when the settings of the Windows firewall have been changed
Firewall - Event ID 2003 - A Windows Defender Firewall setting in the Profiles profile has changed. #
Windows Firewall Settings Have Been Changed(source) - Detects activity when the settings of the Windows firewall have been changed
Firewall - Event ID 2004 - A rule has been added to the Windows Defender Firewall exception list. #
Also fires on: Windows-Firewall-With-Advanced-Security EID 2071, Windows-Firewall-With-Advanced-Security EID 2097
Firewall - Event ID 2006 - A rule has been deleted in the Windows Defender Firewall exception list. #
A Rule Has Been Deleted From The Windows Firewall Exception List(source) - Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall
Firewall - Event ID 2008 - Windows Defender Firewall Group Policy settings have changed. #
Windows Firewall Settings Have Been Changed(source) - Detects activity when the settings of the Windows firewall have been changed
Firewall - Event ID 2009 - The Windows Defender Firewall service failed to load Group Policy. #
The Windows Defender Firewall Service Failed To Load Group Policy(source) - Detects activity when the Windows Defender Firewall service fails to load Group Policy
Firewall - Event ID 2032 - Windows Defender Firewall has been reset to its default configuration. #
Windows Defender Firewall Has Been Reset To Its Default Configuration(source) - Detects activity when Windows Defender Firewall has been reset to its default configuration
Firewall - Event ID 2033 - All rules have been deleted from the Windows Defender Firewall configuration on this computer. #
All Rules Have Been Deleted From The Windows Firewall Configuration(source) - Detects when all the rules have been deleted from the Windows Defender Firewall configuration
Operational - Event ID 2052#
A Rule Has Been Deleted From The Windows Firewall Exception List(source) - Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall
Operational - Event ID 2059#
All Rules Have Been Deleted From The Windows Firewall Configuration(source) - Detects when all the rules have been deleted from the Windows Defender Firewall configuration
Operational - Event ID 2060#
Windows Defender Firewall Has Been Reset To Its Default Configuration(source) - Detects activity when Windows Defender Firewall has been reset to its default configuration
Operational - Event ID 2071#
Also fires on: Windows-Firewall-With-Advanced-Security EID 2004, Windows-Firewall-With-Advanced-Security EID 2097
Operational - Event ID 2082#
Windows Firewall Settings Have Been Changed(source) - Detects activity when the settings of the Windows firewall have been changed
Operational - Event ID 2083#
Windows Firewall Settings Have Been Changed(source) - Detects activity when the settings of the Windows firewall have been changed
Operational - Event ID 2097#
Also fires on: Windows-Firewall-With-Advanced-Security EID 2004, Windows-Firewall-With-Advanced-Security EID 2071

Microsoft-Windows-WindowsUpdateClient (5 events, 5 rules) #

System - Event ID 16 - Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the... #
Windows Update Error(source) - Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
System - Event ID 20 - Installation Failure: Windows failed to install the following update with error errorCode: updateTitle. #
Windows Update Error(source) - Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
System - Event ID 24 - Uninstallation Failure: Windows failed to uninstall the following update with error errorCode: updatelist. #
Windows Update Error(source) - Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
System - Event ID 213 - Revert Failure: Windows failed to revert the following update with error errorCode: updatelist. #
Windows Update Error(source) - Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
System - Event ID 217 - Commit Failure: Windows failed to commit the following update with error errorCode: updatelist. #
Windows Update Error(source) - Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.

Microsoft-Windows-WMI-Activity (2 events, 2 rules) #

Operational - Event ID 5859 - Namespace = Operation_EssStarted.NamespaceName; NotificationQuery = Operation_EssStarted.Query; OwnerName = Operation_EssStarted.User; HostProcessID = Operation_EssStarted.Processid; Provider= Operation_EssStarted.Provider, queryID = Operation_EssStarted.queryid; PossibleCause = Operation_EssStarted.PossibleCause. #
WMI Persistence(source) - Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Operational - Event ID 5861 - Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; PossibleCause = Operation_ESStoConsumerBinding.PossibleCause. #
WMI Persistence(source) - Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

MsiInstaller (5 events, 7 rules) #

Application - Event ID 1033 - Windows Installer installed the product. #
Atera Agent Installation(source) - Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
Application - Event ID 1034 - Product: Data_0. #
Application Uninstalled(source) - An application has been removed. Check if it is critical.
Application - Event ID 1040 - Beginning a Windows Installer transaction: C:\ProgramData\Package Cache\{5DF0B8D8-4E7F-43EB-AD16-30FFA931A905}v3. #
Also fires on: MsiInstaller EID 1042
Application - Event ID 1042 - Ending a Windows Installer transaction: C:\ProgramData\Package Cache\{0A9B38A7-D393-44A5-A94E-9FEC927DC39C}v3. #
Also fires on: MsiInstaller EID 1040
Application - Event ID 11724#
Application Uninstalled(source) - An application has been removed. Check if it is critical.

OpenSSH (1 event, 1 rule) #

Operational - Event ID 4 - process: payload. #
OpenSSH Server Listening On Socket(source) - Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.

PowerShell (2 events, 10 rules) #

Windows PowerShell - Event ID 400#
Windows PowerShell - Event ID 600#
Tamper Windows Defender - PSClassic(source) - Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Service-Control-Manager (4 events, 45 rules) #

Important Windows Service Terminated Unexpectedly(source) - Detects important or interesting Windows services that got terminated unexpectedly.
System - Event ID 7036 - The Microsoft Software Shadow Copy Provider service entered the stopped state. #
Also fires on: Service-Control-Manager EID 7045
System - Event ID 7045 - A service was installed in the system. #
Also fires on: Service-Control-Manager EID 7036

Windows-Error-Reporting (1 event, 2 rules) #

Application - Event ID 1001 - Fault bucket , type. #