Detection rules › Sigma
Register new Logon Process by Rubeus
Detects potential use of Rubeus via registered new trusted logon process
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4611 | A trusted logon process has been registered with the Local Security Authority. |
Stages and Predicates
Stage 1: selection
LogonProcessName: User32LogonProcesss
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
LogonProcessName | eq |
|