Microsoft-Windows-Security-Auditing event 5145
Sigma (17)
- DCERPC SMB Spoolss Named Pipe
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
- First Time Seen Remote Named Pipe
- Impacket PsExec Execution
- Persistence and Execution at Scale via GPO Scheduled Task
- Possible Impacket SecretDump Remote Activity
- Possible PetitPotam Coerce Authentication Attempt
- Protected Storage Service Access
- Remote Service Activity via SVCCTL Named Pipe
- Remote Task Creation via ATSVC Named Pipe
- SMB Create Remote File Admin Share
- Startup/Logon Script Added to Group Policy Object
- Suspicious Access to Sensitive File Extensions
- Suspicious PsExec Execution
- T1047 Wmiprvse Wbemcomn DLL Hijack
- Transferring Files with Credential Data via Network Shares
- Windows Network Access Suspicious desktop.ini Action
Elastic (6)
- Potential Kerberos Relay Attack against a Computer Account
- Potential Machine Account Relay Attack via SMB
- Potential NTLM Relay Attack against a Computer Account
- Scheduled Task Execution at Scale via GPO
- Startup/Logon Script added to Group Policy Object
- Suspicious Remote Registry Access via SeBackupPrivilege