Detection rules › By event

Microsoft-Windows-Security-Auditing event 4656

13 detection rules reference this event. View event page.

Sigma (12)

Azure AD Health Monitoring Agent Registry Keys Access severity medium T1012
Azure AD Health Service Agents Registry Keys Access severity medium T1012
LSASS Access From Non System Account severity medium T1003.001
Password Dumper Activity on LSASS severity high T1003.001
Potential Secure Deletion with SDelete severity medium T1027.005, T1070.004, T1485, T1553.002
Potentially Suspicious AccessMask Requested From LSASS severity medium T1003.001
Processes Accessing the Microphone and Webcam severity medium T1123
SAM Registry Hive Handle Request severity high T1012, T1552.002
SCM Database Handle Failure severity medium T1010
SysKey Registry Keys Access severity high T1012
WCE wceaux.dll Access severity critical T1003
Windows Defender Exclusion Registry Key - Write Access Requested severity medium T1562.001

Elastic (1)

LSASS Memory Dump Handle Access T1003, T1003.001