Windows detections

Windows is a popular endpoint operating system, with over 70% of desktop and laptop computers having Windows installed. With Windows' popularity comes a large attack surface and many different types of threats. Below is a list of signature-based detections the Devo Threat Research Team has created to help our customers protect their Windows endpoints from well-known threats.

Detects attempts to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).

Source table → box.all.win

Detects the use of reg.exe to access the Windows Registry SAM, SYSTEM, or SECURITY hives, which contain credential material. Adversaries may use this technique to export registry hives for offline credential-access attacks.

Source table → box.all.win

Detects the use of nbtstat.exe or arp.exe, which may be used to obtain a listing of other systems on the network by IP address, hostname, or other logical identifier. Such a listing may then be used for lateral movement from the current system.

Source table → box.all.win

Detects the WMI standard event consumer launching a script. Validate the running script, as this is a rare occurrence in Windows environments.

Source table → box.all.win

Multiple Windows account lockouts were detected on the same endpoint.

Detects multiple accounts locked out on a single Windows endpoint within a short period. This may indicate an attacker has limited knowledge of valid accounts and is attempting password spraying.

Source table → box.all.win

Detects the creation of suspicious user accounts with names similar to ANONYMOUS LOGON. Such accounts can be created to evade defenses and monitoring by masquerading as a third-party service.

Source table → box.all.win

Detects users enabling the DisableAntiSpyware registry key. Attackers may use this technique for evasion.

DisableAntiSpyware is intended to be used by OEMs and IT Pros to disable Microsoft Defender Antivirus and deploy another antivirus product during deployment, but attackers may leverage the same setting to disable endpoint protection and evade detection.

Source table → box.all.win

Detects child processes spawned by WMIPRVSE (the WMI Provider Host). Adversaries can use this to obscure parent-child process relationships or to launch cmd.exe or PowerShell.

Source table → box.all.win

Detects when a user performs a significant number of Windows interactive logins to multiple destination hosts in a 24-hour period.

This behavior can be expected for some accounts, such as administrators, in a Windows environment. Tuning this rule to filter out such usernames where applicable is highly recommended.

Source table → box.all.win

Detects a local system executing whoami.exe from the command prompt. Adversaries often run this command to determine the privileges of the current account. Investigate the parent process and user account for other related, suspicious activity.

Source table → box.all.win

Monitors for changes to lsass.exe-related registry keys, which are often edited to enable or obfuscate activity related to dumping the process's memory.

Source table → box.all.win

Identifies queries to the registry. Adversaries often query the registry to gather information about the system, configuration, and installed software.

Source table → box.all.win

Detects when a scheduled task is created in Windows.

Adversaries are known to use scheduled tasks for persistence within a Windows environment. The rule is disabled by default due to the volume of events it can produce. Users should filter out or exclude allowed scheduled tasks according to their environment before enabling the rule. Look in particular for tasks that run from temporary folders. The scheduled task name is logged in the "commandLine" field.

Source table → box.all.win

Detects usage of WMI to create processes on local or remote hosts. WMI is a native Windows tool and can be used to bypass application whitelisting.

Source table → box.all.win

Detects WMI creating a child process of cmd.exe or PowerShell. An attacker can use WMI to launch a shell on a local or remote host, bypassing application whitelisting because WMI is a native Windows management tool.

Source table → box.all.win

Detects suspicious usage of wbadmin.exe (Windows Backup Administrator Tool) to delete backup files.

Source table → box.all.win

Attackers may attempt to escalate the privileges of a user account by adding it to a local security-enabled group. This could indicate privilege abuse or potential malicious activity.

Note that the `memberName` key will often have a value of "-". Per the Windows documentation: Account Name [Type = UnicodeString]: distinguished name of the account that was added to the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For local groups this field typically has the value "-", even if the new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-".

Source table → box.all.win

Detects suspicious file execution by wscript.exe and cscript.exe. Adversaries can use these script hosts to execute malicious code for persistence or privilege escalation.

Source table → box.all.win