detection.wiki

Detection rules › Splunk

Windows Defender ASR Rules Stacking

Author
Michael Haag, Splunk
Source
upstream

The following analytic identifies security events from Microsoft Defender, focusing on Exploit Guard and Attack Surface Reduction (ASR) features. It detects Event IDs 1121, 1126, 1131, and 1133 for blocked operations, and Event IDs 1122, 1125, 1132, and 1134 for audit logs. Event ID 1129 indicates user overrides, while Event ID 5007 signals configuration changes. This detection uses a lookup to correlate ASR rule GUIDs with descriptive names. Monitoring these events is crucial for identifying unauthorized operations, potential security breaches, and policy enforcement issues. If confirmed malicious, attackers could bypass security measures, execute unauthorized actions, or alter system configurations.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1566.001 Phishing: Spearphishing Attachment, T1566.002 Phishing: Spearphishing Link
ExecutionT1059 Command and Scripting Interpreter

Event coverage

ProviderEvent IDTitle
Windows-Defender1121
Windows-Defender1122
Windows-Defender1125
Windows-Defender1126
Windows-Defender1129
Windows-Defender1131
Windows-Defender1132
Windows-Defender1133
Windows-Defender1134
Windows-Defender5007

Stages and Predicates

Stage 1: search

search EventCode IN (1121, 1122, 1125, 1126, 1129, 1131, 1132, 1133, 1134, 5007)

Stage 2: stats

stats BY host, Parent_Commandline, Process_Name, Path, ID, EventCode

Stage 3: lookup

lookup <lookup> ASR_Rule, ID

Stage 4: fillnull

fillnull

Stage 5: search

search

Stage 6: search

search

Stage 7: rename

rename

Stage 8: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodein
  • 1121 corpus 2 (splunk 2)
  • 1122 corpus 2 (splunk 2)
  • 1125 corpus 2 (splunk 2)
  • 1126 corpus 3 (splunk 3)
  • 1129 corpus 2 (splunk 2)
  • 1131 corpus 2 (splunk 2)
  • 1132 corpus 2 (splunk 2)
  • 1133 corpus 2 (splunk 2)
  • 1134 corpus 2 (splunk 2)
  • 5007 corpus 3 (splunk 3)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.