Detection rules for Windows data sources. Each rule includes its MITRE ATT&CK mapping, impact rating, and a description of what it detects.

This category contains 34 detection rules.

Rule | Category | Technique | Impact (C/I/A)
--- | --- | --- | ---
ADFS Authentication Anomalies | Defense Evasion, Persistence, Privilege Escalation, Initial Access | T1078 - Valid Accounts | C:3 / I:2 / A:2
AS-REP Roasting Attack Detection | Credential Access | T1558.004 - Steal or Forge Kerberos Tickets: AS-REP Roasting | C:3 / I:2 / A:1
AdminSDHolder Abuse Detection | Persistence, Privilege Escalation | T1098 - Account Manipulation | C:3 / I:3 / A:2
Certificate Services Abuse Detection | Credential Access | T1558 - Steal or Forge Kerberos Tickets | C:3 / I:3 / A:1
Golden Ticket Attack Detection | Credential Access | T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket | C:3 / I:3 / A:3
Kerberoasting Attack Detection | Credential Access | T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting | C:3 / I:2 / A:1
NTDS.dit Extraction Attempt | Credential Access | T1003.003 - OS Credential Dumping: NTDS | C:3 / I:3 / A:1
NTLM Authentication Downgrade Attack | Defense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools | C:3 / I:3 / A:1
Pass-the-Hash Attack Detection | Lateral Movement | T1550.002 - Use Alternate Authentication Material: Pass the Hash | C:3 / I:3 / A:2
PowerShell Empire Detection | Execution | T1059.001 - Command and Scripting Interpreter: PowerShell | C:3 / I:3 / A:2
Process Masquerading Detection | Defense Evasion | T1036.005 - Masquerading: Match Legitimate Name or Location | C:2 / I:3 / A:2
RDP Brute Force Attack | Credential Access | T1110.001 - Brute Force: Password Guessing | C:3 / I:2 / A:2
SAM Database Access Attempt | Credential Access | T1003.002 - OS Credential Dumping: Security Account Manager | C:3 / I:3 / A:1
SID History Injection Attempt | Defense Evasion, Privilege Escalation | T1134.005 - Access Token Manipulation: SID-History Injection | C:3 / I:3 / A:1
SMBv1 Usage Detection | Lateral Movement | T1210 - Exploitation of Remote Services | C:3 / I:2 / A:2
Silver Ticket Attack Detection | Credential Access | T1558.002 - Steal or Forge Kerberos Tickets: Silver Ticket | C:3 / I:3 / A:2
Windows Remote Management (WinRM) Abuse | Lateral Movement | T1021.006 - Remote Services: Windows Remote Management | C:3 / I:3 / A:2
Windows audit log was cleared | Defense Evasion | T1070.001 - Indicator Removal: Clear Windows Event Logs | C:1 / I:2 / A:3
Windows: LSASS Memory Dump Handle Access | Credential Access | T1003.001 - OS Credential Dumping: LSASS Memory | C:2 / I:3 / A:3
Windows: Multiple Logon Failure Followed by Logon Success | Credential Access | T1110 - Brute Force | C:2 / I:2 / A:3
Windows: New Windows Service Created to start from windows root path. Suspicious event as the binary may have been dropped using Windows Admin Shares | Execution | T1021.002 - Remote Services: SMB/Windows Admin Shares | C:1 / I:2 / A:3
Windows: Persistence via PowerShell profile | Persistence | T1546.013 - Event Triggered Execution: PowerShell Profile | C:2 / I:3 / A:1
Windows: Possible Brute Force Attack | Credential Access | T1110 - Brute Force | C:2 / I:2 / A:3
Windows: Possible ransomware attack detected. Multiple File Deletion. | Impact | T1486 - Data Encrypted for Impact | C:1 / I:3 / A:2
Windows: Possible ransomware attack detected. Ransomware Note Creation. | Impact | T1486 - Data Encrypted for Impact | C:3 / I:3 / A:2
Windows: Possible ransomware attack detected. Unusual File Extensions. | Impact | T1486 - Data Encrypted for Impact | C:3 / I:3 / A:3
Windows: Printer driver failed to load, possible remote code execution using PrinterNightmare exploit: CVE-2021-34527 | Lateral Movement | T1210 - Exploitation of Remote Services | C:3 / I:2 / A:1
Windows: Remote File Download via Desktopimgdownldr Utility | Command and Control | T1105 - Ingress Tool Transfer | C:2 / I:3 / A:1
Windows: Suspicious Print Spooler SPL File Created | Privilege Escalation | T1068 - Exploitation for Privilege Escalation | C:1 / I:3 / A:2
Windows: Suspicious PrintSpooler Service Executable File Creation | Privilege Escalation | T1068 - Exploitation for Privilege Escalation | C:2 / I:3 / A:1
Windows: UAC Bypass Attempt via Privileged IFileOperation COM Interface | Privilege Escalation | T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control | C:1 / I:3 / A:2
Windows: Unusual File Modification by dns.exe | Lateral Movement | T1210 - Exploitation of Remote Services | C:1 / I:3 / A:2
Windows: Unusual Process Network Connection | Defense Evasion | Trusted Developer Utilities Proxy Execution | C:3 / I:3 / A:2
Windows: User logged using Remote Desktop Connection from loopback address, possible exploit over reverse tunneling using stolen credentials | Credential Access | T1021.001 - Remote Services: Remote Desktop Protocol | C:3 / I:2 / A:1

Rule Example

Below is an example rule definition, ADFS Authentication Anomalies:

# Rule version v1.0.0

dataTypes:
  - wineventlog
name: ADFS Authentication Anomalies
impact:
  confidentiality: 3
  integrity: 2
  availability: 2
category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
technique: "T1078 - Valid Accounts"
adversary: origin
references:
  - https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging
  - https://attack.mitre.org/techniques/T1078/
description: |
  Detects anomalous authentication attempts against Active Directory Federation Services (ADFS) including multiple failed attempts that could indicate password spraying or brute force attacks. This rule monitors for authentication failures, token validation failures, and other ADFS security events that may indicate malicious activity.

  Next Steps:
  1. Review the source IP address and determine if it's from a known/trusted location
  2. Check for patterns of failed authentication attempts across multiple users
  3. Examine ADFS audit logs for additional context around the authentication failures
  4. Verify if the targeted user accounts are valid and active
  5. Consider implementing IP-based blocking if malicious activity is confirmed
  6. Review ADFS configuration for security hardening opportunities
  7. Correlate with other authentication events across the domain
where: equals("log.providerName", "AD FS") && (equals("log.eventId", "411") || equals("log.eventId", "342") || equals("log.eventId", "516")) && contains("log.message", "token validation failed")
afterEvents:
  - indexPattern: v11-log-wineventlog-*
    with:
      - field: origin.ip.keyword
        operator: filter_term
        value: '{{.origin.ip}}'
    within: now-10m
    count: 10
groupBy:
  - origin.ip
  - target.user
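To make the rule semantics concrete, the following is an added example (not UTMStack code or the rule file itself) that re-implements the three parts of the definition above in Python and runs them over constructed AD FS events: the where clause, the afterEvents window (10 matching events from the same origin.ip within 10 minutes) and the groupBy. Field names mirror the rule; the timestamps, IP addresses and user names are made up, and the exact semantics of UTMStack's contains() (assumed case-insensitive here) and filter_term are approximated. The same trailing-window count is what the RDP Brute Force Attack rule later on this page applies to Event ID 4625 (10 failures in 15 minutes).

```python
"""Re-implementation of the ADFS Authentication Anomalies rule logic (where clause,
afterEvents window/count, groupBy) so it can be run over sample events offline.
Added example, not UTMStack code; field names mirror the rule definition."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 15, 9, 0, 0)   # arbitrary constructed base time

# Constructed sample events (not real AD FS logs).
# - 203.0.113.7 fails against 12 different users within six minutes (password spray)
# - 198.51.100.4 fails three times against one user
# - one Security-log event from the spraying IP that the where clause must ignore
SAMPLE_EVENTS = (
    [{"@timestamp": BASE + timedelta(seconds=30 * i), "log.providerName": "AD FS",
      "log.eventId": "411",
      "log.message": "Token validation failed. See inner exception for more details.",
      "origin.ip": "203.0.113.7", "target.user": f"user{i:02d}@corp.example"}
     for i in range(12)]
    + [{"@timestamp": BASE + timedelta(minutes=20 + i), "log.providerName": "AD FS",
        "log.eventId": "411", "log.message": "Token validation failed.",
        "origin.ip": "198.51.100.4", "target.user": "alice@corp.example"}
       for i in range(3)]
    + [{"@timestamp": BASE + timedelta(minutes=5),
        "log.providerName": "Microsoft-Windows-Security-Auditing",
        "log.eventId": "4624", "log.message": "An account was successfully logged on.",
        "origin.ip": "203.0.113.7", "target.user": "user01@corp.example"}]
)

WHERE_EVENT_IDS = {"411", "342", "516"}


def matches_where(ev):
    """The rule's where clause. contains() is assumed to be case-insensitive (assumption)."""
    return (ev.get("log.providerName") == "AD FS"
            and ev.get("log.eventId") in WHERE_EVENT_IDS
            and "token validation failed" in ev.get("log.message", "").lower())


def correlate(events, window=timedelta(minutes=10), threshold=10,
              group_by=("origin.ip", "target.user")):
    """afterEvents: for each matching event, count matching events from the same
    origin.ip inside the trailing window and fire once the count reaches threshold.
    Returns {group_key: highest count seen}, i.e. the alerts after groupBy."""
    recent = defaultdict(deque)    # origin.ip -> timestamps of matching events still in window
    groups = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_where(ev):
            continue
        q = recent[ev["origin.ip"]]
        q.append(ev["@timestamp"])
        while ev["@timestamp"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            key = tuple(ev[f] for f in group_by)
            groups[key] = max(groups.get(key, 0), len(q))
    return groups


if __name__ == "__main__":
    # With the rule's groupBy (origin.ip + target.user) the spray surfaces as three
    # per-user alerts; grouping by origin.ip alone yields one alert with count 12.
    print(correlate(SAMPLE_EVENTS))
    print(correlate(SAMPLE_EVENTS, group_by=("origin.ip",)))
```

Two things the run makes visible. The where clause requires the literal phrase "token validation failed" in addition to the event IDs, so events 342 and 516 only match if their message text also contains that phrase; check the message format in your own AD FS audit logs before relying on those IDs. And because the count is taken per origin.ip but the alert is grouped by origin.ip plus target.user, a spray that touches many users is split into one alert per user hit after the threshold is reached; if you want a single alert per spraying source, group on origin.ip alone.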

Rule Details

ADFS Authentication Anomalies

Detects anomalous authentication attempts against Active Directory Federation Services (ADFS) including multiple failed attempts that could indicate password spraying or brute force attacks. This rule monitors for authentication failures, token validation failures, and other ADFS security events that may indicate malicious activity.

AS-REP Roasting Attack Detection

Detects AS-REP Roasting attacks targeting accounts with Kerberos pre-authentication disabled.
Attackers request AS-REP messages encrypted with RC4 (0x17) for accounts that do not require
pre-authentication, enabling offline password cracking. This is a companion technique to Kerberoasting
and targets a different set of vulnerable accounts.

AdminSDHolder Abuse Detection

Detects modifications to the AdminSDHolder object which can be used for persistence by granting elevated privileges. The SDProp process propagates these permissions to protected groups every 60 minutes, making this a critical security event.

Certificate Services Abuse Detection

Detects suspicious certificate requests and issuance that could indicate Golden Certificate attacks or unauthorized certificate generation for persistence. This rule monitors Windows Certificate Services events for potentially malicious certificate operations, particularly those involving machine accounts or anonymous logons that could be leveraged for persistence and privilege escalation.

Golden Ticket Attack Detection

Detects Golden Ticket attacks where adversaries forge Kerberos TGTs using the KRBTGT account
hash, granting unlimited domain access. The rule detects anomalous TGT usage patterns including
TGS requests with unusual encryption types, tickets with abnormally long lifetimes, and Kerberos
authentication from non-domain-controller sources for the KRBTGT service.

Kerberoasting Attack Detection

Detects Kerberoasting attacks where adversaries request Kerberos TGS tickets encrypted with RC4 (0x17) for
service accounts in order to crack them offline and obtain plaintext credentials. This is one of the most common
Active Directory credential theft techniques seen in real-world compromises. The rule monitors Event ID 4769
(Kerberos Service Ticket Operations) for RC4 encryption requests while excluding machine accounts (ending in $)
and legitimate system services. Service accounts that still negotiate RC4 because they have no AES keys
configured will produce benign matches and should be tuned per environment.
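The AS-REP Roasting and Kerberoasting descriptions above share one signal, an RC4 (0x17) ticket where a stronger type was available. The block below is an added example, not UTMStack's rule, that classifies constructed 4768 and 4769 events using their real EventData field names (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, Status, IpAddress), applies the exclusions the Kerberoasting description lists, and summarizes per source address. The min_services threshold and all sample values are assumptions.

```python
"""Kerberoasting (4769) and AS-REP roasting (4768) detection over sample events.
Added example, not UTMStack code. Field names are the EventData fields of the
two Security-log events; IpAddress uses Windows' IPv4-mapped form."""
from collections import defaultdict

RC4_HMAC = "0x17"          # TicketEncryptionType for RC4-HMAC; AES128 is 0x11, AES256 is 0x12


def _account(name):
    """Strip a trailing @REALM so machine-account checks work on 'WS01$@CORP.EXAMPLE'."""
    return name.split("@", 1)[0]


def classify(ev):
    """Return 'kerberoasting', 'asrep_roasting' or None for one 4768/4769 event."""
    if ev.get("Status", "0x0").lower() != "0x0":          # only successful ticket issuance
        return None
    if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return None
    svc = _account(ev.get("ServiceName", ""))
    user = _account(ev.get("TargetUserName", ""))
    if ev.get("EventID") == 4769:
        # Machine accounts (trailing $) and the krbtgt service are excluded, as the rule describes.
        if svc.endswith("$") or svc.lower() == "krbtgt" or user.endswith("$"):
            return None
        return "kerberoasting"
    if ev.get("EventID") == 4768 and ev.get("PreAuthType") == "0":
        # PreAuthType 0 = logon without pre-authentication: the AS-REP is crackable offline.
        return "asrep_roasting"
    return None


def summarize(events):
    """Per source IP: distinct RC4 service tickets requested and AS-REP-roastable users hit."""
    per_ip = defaultdict(lambda: {"kerberoasting": set(), "asrep_roasting": set()})
    for ev in events:
        kind = classify(ev)
        if kind == "kerberoasting":
            per_ip[ev["IpAddress"]][kind].add(_account(ev["ServiceName"]))
        elif kind == "asrep_roasting":
            per_ip[ev["IpAddress"]][kind].add(_account(ev["TargetUserName"]))
    return {ip: {k: sorted(v) for k, v in d.items()} for ip, d in per_ip.items()}


def suspicious_sources(events, min_services=3):
    """A source is suspicious if it pulled RC4 tickets for >= min_services distinct
    services (bulk Kerberoasting) or any AS-REP without pre-authentication.
    min_services is an assumed threshold, not one stated by the rule."""
    return sorted(ip for ip, d in summarize(events).items()
                  if len(d["kerberoasting"]) >= min_services or d["asrep_roasting"])


def _ev(eid, user, svc, etype, ip, status="0x0", preauth=None):
    ev = {"EventID": eid, "TargetUserName": user, "ServiceName": svc,
          "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}
    if preauth is not None:
        ev["PreAuthType"] = preauth
    return ev


# Constructed sample events, not real domain controller telemetry.
SAMPLE_EVENTS = [
    _ev(4769, "jdoe@CORP.EXAMPLE", "svc_sql", "0x17", "::ffff:10.0.0.50"),
    _ev(4769, "jdoe@CORP.EXAMPLE", "svc_http", "0x17", "::ffff:10.0.0.50"),
    _ev(4769, "jdoe@CORP.EXAMPLE", "svc_backup", "0x17", "::ffff:10.0.0.50"),
    _ev(4769, "jdoe@CORP.EXAMPLE", "WS01$", "0x17", "::ffff:10.0.0.50"),        # machine account: excluded
    _ev(4769, "WS02$@CORP.EXAMPLE", "svc_sql", "0x17", "::ffff:10.0.0.60"),     # machine requester: excluded
    _ev(4769, "asmith@CORP.EXAMPLE", "svc_sql", "0x12", "::ffff:10.0.0.60"),    # AES256: normal
    _ev(4769, "asmith@CORP.EXAMPLE", "svc_http", "0x17", "::ffff:10.0.0.60", status="0xd"),  # failed request
    _ev(4768, "legacy.app", "krbtgt", "0x17", "::ffff:10.0.0.50", preauth="0"),  # AS-REP roastable
    _ev(4768, "asmith", "krbtgt", "0x17", "::ffff:10.0.0.60", preauth="2"),      # PA-ENC-TIMESTAMP: normal
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print(suspicious_sources(SAMPLE_EVENTS))
```

Counting distinct services per source, rather than alerting on every single RC4 ticket, is what separates a bulk Kerberoast (one host requesting tickets for every SPN in the domain) from a legacy application that legitimately still uses RC4 for one service.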

NTDS.dit Extraction Attempt

Detects attempts to access or copy the Active Directory domain database (NTDS.dit) which contains password hashes for all domain users. This is a critical indicator of credential theft attempts and potential domain compromise.

NTLM Authentication Downgrade Attack

Detects NTLM authentication downgrade attacks via registry modifications to LMCompatibilityLevel,
NtlmMinClientSec, and NtlmMinServerSec. Attackers modify these registry values to weaken NTLM
authentication security, enabling credential interception, relay attacks, and offline cracking
of captured NTLM hashes. Downgrading to LM or NTLMv1 authentication makes credential theft
significantly easier.
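The three registry values named above have well-defined weak and hardened settings, so the downgrade can be judged from the new value alone. The following is an added example (not the UTMStack rule) that evaluates constructed Security event 4657 records (registry value modified) for the Lsa and MSV1_0 keys: LmCompatibilityLevel below 3 allows LM/NTLMv1 responses, and NtlmMinClientSec/NtlmMinServerSec are weakened whenever the "Require NTLMv2 session security" (0x00080000) or "Require 128-bit encryption" (0x20000000) bits are cleared. Note that 4657 only exists when object access auditing is enabled and the key carries a SACL (Sysmon event 13 is the usual alternative), and the example assumes NewValue arrives as a decimal or 0x-prefixed string.

```python
"""Flags registry changes that weaken NTLM, driven by Security event 4657 (registry value
modified). Added example, not UTMStack code. 4657 is only produced when object access
auditing is on and the key carries a SACL; NewValue is assumed to be logged as a decimal
or 0x-hex string."""

# 4657 reports the kernel path; CurrentControlSet is a link to ControlSet00N, so match on the tail.
LSA_KEY_SUFFIX = r"\control\lsa"
MSV1_0_KEY_SUFFIX = r"\control\lsa\msv1_0"

# NtlmMinClientSec / NtlmMinServerSec flag bits
REQUIRE_NTLMV2_SESSION_SECURITY = 0x00080000
REQUIRE_128BIT_ENCRYPTION = 0x20000000
HARDENED_MIN_SEC = REQUIRE_NTLMV2_SESSION_SECURITY | REQUIRE_128BIT_ENCRYPTION   # 0x20080000 = 537395200


def assess(value_name, new_value):
    """Return a finding describing the downgrade, or None if the new value is not weaker."""
    v = int(str(new_value), 0)          # accepts "3", "537395200" or "0x20080000" (assumption)
    name = value_name.lower()
    if name == "lmcompatibilitylevel":
        # 0-2: client sends LM/NTLMv1 responses; 3-4: client sends NTLMv2 only but a DC still
        # accepts LM (3) or NTLMv1 (4); 5: NTLMv2 only in both directions.
        if v < 3:
            return f"LmCompatibilityLevel={v}: client will send LM/NTLMv1 responses"
        if v < 5:
            return f"LmCompatibilityLevel={v}: server still accepts LM/NTLMv1 responses"
        return None
    if name in ("ntlmminclientsec", "ntlmminserversec"):
        missing = HARDENED_MIN_SEC & ~v
        if not missing:
            return None
        dropped = [label for label, bit in (("NTLMv2 session security", REQUIRE_NTLMV2_SESSION_SECURITY),
                                            ("128-bit encryption", REQUIRE_128BIT_ENCRYPTION))
                   if missing & bit]
        return f"{value_name}=0x{v:08x}: no longer requires {', '.join(dropped)}"
    return None


def detect(events):
    """Run assess() over 4657 events for the Lsa / MSV1_0 keys; returns (who, process, finding)."""
    findings = []
    for ev in events:
        key = ev.get("ObjectName", "").lower()
        if ev.get("EventID") != 4657 or not key.endswith((LSA_KEY_SUFFIX, MSV1_0_KEY_SUFFIX)):
            continue
        finding = assess(ev["ObjectValueName"], ev["NewValue"])
        if finding:
            findings.append((ev["SubjectUserName"], ev["ProcessName"], finding))
    return findings


def _ev(key, value_name, old, new):
    return {"EventID": 4657, "ObjectName": key, "ObjectValueName": value_name, "OldValue": old,
            "NewValue": new, "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\regedit.exe"}


LSA = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa"
MSV = LSA + r"\MSV1_0"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    _ev(LSA, "LmCompatibilityLevel", "5", "1"),              # back to LM/NTLMv1
    _ev(MSV, "NtlmMinClientSec", "537395200", "0"),          # drops both requirements
    _ev(MSV, "NtlmMinServerSec", "537395200", "536870912"),  # keeps 128-bit, drops NTLMv2 session security
    _ev(LSA, "LmCompatibilityLevel", "3", "5"),              # hardening, not a downgrade
    _ev(LSA, "RestrictAnonymous", "0", "1"),                 # unrelated Lsa value
]

if __name__ == "__main__":
    for who, proc, finding in detect(SAMPLE_EVENTS):
        print(f"{who} via {proc}: {finding}")
```

Evaluating the bits rather than comparing against a single "known good" number matters for the MinSec values: a change from 0x20080000 to 0x20000000 still looks like a large, non-zero DWORD but has silently dropped the NTLMv2 session security requirement.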

Pass-the-Hash Attack Detection

Detects Pass-the-Hash attacks by monitoring for NTLM authentication (Event ID 4624) with
LogonType 9 (NewCredentials) or LogonType 3 (Network) from unusual sources, combined with
seclogon (Secondary Logon) as the logon process. A type 9 logon through seclogon is the
signature of a runas /netonly-style logon, which is how Mimikatz sekurlsa::pth injects a hash
into a new logon session. Attackers use stolen NTLM hashes to authenticate without
knowing the plaintext password, commonly through tools like Mimikatz sekurlsa::pth,
Impacket, or CrackMapExec.

PowerShell Empire Detection

Detects potential PowerShell Empire framework usage based on characteristic command patterns, obfuscation techniques, and encoded payloads commonly used by this post-exploitation framework. PowerShell Empire is a post-exploitation framework that uses PowerShell and Python agents to maintain persistence and execute commands on compromised systems.

Process Masquerading Detection

Detects executables masquerading as legitimate Windows system processes but running from
incorrect locations. For example, svchost.exe should only run from C:\Windows\System32
(or C:\Windows\SysWOW64 on 64-bit hosts), and explorer.exe should only run from C:\Windows.
Malware commonly uses legitimate process names to avoid detection by analysts and automated tools.
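An added example, not UTMStack's rule, of the location check described above, run over constructed process-creation image paths (the NewProcessName field of 4688 or the Image field of Sysmon event 1). The expected-directory table is an assumption for illustration; it deliberately lists both System32 and SysWOW64 for svchost.exe, and the path is normalized first so that forward slashes, mixed case and ".." segments cannot be used to slip a binary past a plain string comparison.

```python
"""Location-based process masquerading check (T1036.005). Added example, not UTMStack code.
Paths are normalized with ntpath so the check works on non-Windows hosts too."""
import ntpath

# Expected parent directories (lower-case) for commonly impersonated Windows binaries.
# This table is an assumption for the example; extend it per environment.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def normalize(image):
    """Lower-case, use backslashes and collapse '..' so C:\\Windows\\System32\\..\\Temp\\x.exe
    is judged by the directory it really lives in."""
    return ntpath.normpath(image.replace("/", "\\")).lower()


def is_masquerading(image):
    """True if the file name is a tracked system binary running outside its expected directory."""
    path = normalize(image)
    expected = EXPECTED_DIRS.get(ntpath.basename(path))
    if expected is None:
        return False                      # not a name we track
    return ntpath.dirname(path) not in expected


def flag(images):
    """Return the subset of image paths that fail the location check."""
    return [img for img in images if is_masquerading(img)]


# Constructed sample image paths, not real telemetry.
SAMPLE_IMAGES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\SysWOW64\svchost.exe",          # legitimate 32-bit host on 64-bit Windows
    r"C:\Users\Public\svchost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\Temp\explorer.exe",
    r"C:\Windows\System32\..\Temp\lsass.exe",    # resolves to C:\Windows\Temp
    "C:/Windows/System32/lsass.exe",             # forward slashes, still System32
    r"C:\Windows\System32\notepad.exe",          # not a tracked name
]

if __name__ == "__main__":
    for img in flag(SAMPLE_IMAGES):
        print("masquerading:", img)
```

This only covers the "match legitimate name or location" variant: a lookalike such as svch0st.exe, or a real svchost.exe started by an unexpected parent process, needs a separate name-similarity or parent-child check.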

RDP Brute Force Attack

Detects multiple failed RDP login attempts from the same source IP address, indicating a potential brute force attack. This rule monitors Windows Event ID 4625 (failed logon) with focus on network logon type 3, which is what RDP connections produce when Network Level Authentication (NLA) is enabled; without NLA, failed RDP logons are recorded as logon type 10 instead. The rule triggers when 10 or more failed attempts occur from the same IP within 15 minutes.

SAM Database Access Attempt

Detects attempts to access the Security Account Manager (SAM) database, which contains local user account hashes. This activity may indicate credential dumping attempts by attackers trying to extract password hashes for offline cracking or lateral movement.

SID History Injection Attempt

Detects attempts to add SID History to an account, which can be used for privilege escalation. SID History injection allows attackers to inherit permissions from privileged accounts without being members of privileged groups. Both successful (4765) and failed (4766) attempts are monitored.

SMBv1 Usage Detection

Detects usage of the deprecated and vulnerable SMBv1 protocol which could be exploited for lateral movement or ransomware propagation. SMBv1 is susceptible to numerous security vulnerabilities including EternalBlue and should be disabled in favor of SMBv2/SMBv3.

Silver Ticket Attack Detection

Detects Silver Ticket attacks where adversaries forge Kerberos TGS tickets using a service
account's NTLM hash, bypassing the KDC entirely. Unlike Golden Tickets, Silver Tickets target
specific services. The rule detects TGS tickets presented without corresponding TGT requests,
and service access events with anomalous Kerberos authentication patterns.

Windows Remote Management (WinRM) Abuse

Detects potential abuse of Windows Remote Management (WinRM) for lateral movement. Monitors for successful logon events (4624) with network logon type 3, combined with special-privilege assignment to that logon session (4672) and WinRM-related process activity (remote commands run under wsmprovhost.exe), indicating remote command execution via WinRM.

Windows audit log was cleared

Detects when the Windows audit log (Security event log) has been cleared, which Windows records as Event ID 1102 in the Security log itself. Adversaries may clear event logs to remove evidence of an intrusion.

Windows: LSASS Memory Dump Handle Access

Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.

Windows: Multiple Logon Failure Followed by Logon Success

This rule is triggered when a sequence of multiple failed login attempts followed immediately by a successful login from the same IP address or source is detected. This unusual sequence of events may indicate a possible unauthorized access attempt using a brute force or password guessing technique. The purpose of this rule is to identify suspicious patterns of login activity and alert you to potential unauthorized access attempts.
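The ordering is what distinguishes this rule from the plain brute force rules: a success only counts if it follows a burst of failures from the same source. The block below is an added example, not UTMStack's rule, that implements that sequence over constructed 4625/4624 events. The threshold (5 failures) and window (5 minutes) are assumptions, since the page does not state the rule's values.

```python
"""Failures-then-success sequence detection over Security events 4625 and 4624.
Added example, not UTMStack code; threshold and window are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 3, 2, 14, 0, 0)   # arbitrary constructed base time


def _ev(eid, ip, user, offset_s, logon_type=3):
    return {"EventID": eid, "IpAddress": ip, "TargetUserName": user,
            "LogonType": logon_type, "time": BASE + timedelta(seconds=offset_s)}


# Constructed Security-log events (4625 = failed logon, 4624 = successful logon); not real telemetry.
SAMPLE_EVENTS = (
    [_ev(4625, "203.0.113.9", "administrator", 10 * i) for i in range(8)]   # 8 failures in 70 s
    + [_ev(4624, "203.0.113.9", "administrator", 85)]                       # then success
    + [_ev(4625, "198.51.100.20", "bob", 0), _ev(4625, "198.51.100.20", "bob", 15),
       _ev(4624, "198.51.100.20", "bob", 30)]                               # two typos then success
    + [_ev(4625, "10.0.0.5", "svc_backup", 10 * i) for i in range(6)]
    + [_ev(4624, "10.0.0.5", "svc_backup", 600)]                            # success outside the window
    + [_ev(4625, "192.0.2.33", "guest", 5 * i) for i in range(20)]          # failures only
)


def detect_failure_then_success(events, min_failures=5, window=timedelta(minutes=5)):
    """For each source IP keep the 4625 timestamps not yet followed by a 4624. On a 4624 from
    that IP, alert if at least min_failures of them fall inside the trailing window, then
    reset so one burst yields one alert."""
    failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ip, t = ev["IpAddress"], ev["time"]
        if ev["EventID"] == 4625:
            failures[ip].append(t)
            continue
        if ev["EventID"] != 4624:
            continue
        q = failures[ip]
        while q and t - q[0] > window:      # forget failures older than the window
            q.popleft()
        if len(q) >= min_failures:
            alerts.append({"ip": ip, "user": ev["TargetUserName"],
                           "failures": len(q), "success_at": t})
        q.clear()                           # a success ends the sequence
    return alerts


if __name__ == "__main__":
    for a in detect_failure_then_success(SAMPLE_EVENTS):
        print(a)
```

The source with failures but no success (192.0.2.33) is intentionally not reported here; that pattern belongs to the Possible Brute Force Attack rule, and keeping the two separate lets the sequence alert carry a higher confidence that the guessing actually worked.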

Windows: New Windows Service Created to start from windows root path. Suspicious event as the binary may have been dropped using Windows Admin Shares

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

Windows: Persistence via PowerShell profile

Identifies the creation or modification of a PowerShell profile. A PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which attackers can abuse to persist in an environment where PowerShell is common.

Windows: Possible Brute Force Attack

This rule is triggered when a pattern of repeated and rapid login attempts from the same IP address or source is detected. These login attempts may target specific user accounts or services in an attempt to crack passwords through automated brute force. The purpose of this rule is to identify possible unauthorized access attempts early enough for the source to be blocked before a brute force attack succeeds.

Windows: Possible ransomware attack detected. Multiple File Deletion.

Detects potential ransomware activity by monitoring multiple file write/modification events (Event ID 4663) with write access masks in user directories within a short timeframe. Modern ransomware typically encrypts files in-place rather than deleting them, making write access monitoring more effective than deletion monitoring alone.

Windows: Possible ransomware attack detected. Ransomware Note Creation.

Ransomware is a type of malware that prevents users from accessing their system or personal files and demands payment of a ransom to restore access. This rule identifies ransomware attempts: a known ransomware note file has been detected, potentially indicating an active ransomware infection.

Windows: Possible ransomware attack detected. Unusual File Extensions.

Ransomware is a type of malware that prevents users from accessing their system or personal files and demands payment of a ransom to restore access. This rule identifies ransomware attempts: files with unusual file extensions have been detected, potentially indicating encrypted files created by ransomware.

Windows: Printer driver failed to load, possible remote code execution using PrinterNightmare exploit: CVE-2021-34527

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

Windows: Remote File Download via Desktopimgdownldr Utility

Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.

Windows: Suspicious Print Spooler SPL File Created

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.

Windows: Suspicious PrintSpooler Service Executable File Creation

Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVEs: CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300, and verify that the impacted system is patched.

Windows: UAC Bypass Attempt via Privileged IFileOperation COM Interface

Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. The privileged IFileOperation COM interface lets a medium-integrity process copy a DLL into a protected directory such as System32 without a consent prompt; an auto-elevating binary then side-loads that DLL. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.

Windows: Unusual File Modification by dns.exe

Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.

Windows: Unusual Process Network Connection

Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.

Windows: User logged using Remote Desktop Connection from loopback address, possible exploit over reverse tunneling using stolen credentials

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.