Windows Alerts

Deleted Windows Important Scheduled Task.


Category: Taskscheduler

This alert detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data-destructive activities.

Severity: Critical

Alert Rule


title: Deleted Windows Important Scheduled Task
author: Admin
description: Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data-destructive activities.
detection:
    condition: selection and not filter
    filter:
        UserName|contains:
            - AUTHORI
            - AUTORI
    selection:
        EventID: 141
        TaskName|contains:
            - \Windows\SystemRestore\SR
            - \Windows\Windows Defender\
            - \Windows\BitLocker
            - \Windows\WindowsBackup\
            - \Windows\WindowsUpdate\
            - \Windows\UpdateOrchestrator\
            - \Windows\ExploitGuard
level: Critical
logsource:
    product: windows
    service: taskscheduler
logtype: windows

Alert Data


agent.type : wineventlog
event.action : Task registration deleted
event.channel : taskscheduler
event.code : 141
event.dataset : taskscheduler
event.module : windows
event.provider : Microsoft-Windows-TaskScheduler
host.name : BHC000112
log.type : windows
observer.product : windows
observer.vendor : microsoft
related.domains : NT AUTHORITY
user.name : SYSTEM
winlog.computer_name : BHC000112.test.LOCAL
winlog.event_data.taskname : \Microsoft\Windows\UpdateOrchestrator\AC Power Install
winlog.event_id : 141
winlog.process.pid : 1356
winlog.provider_name : Microsoft-Windows-TaskScheduler
winlog.task : Task registration deleted
winlog.user.domain : NT AUTHORITY


A User Cleared Security Eventlog.


Category: Security

This alert indicates that one of the Windows event logs has been cleared.

Severity: High

Alert Rule


title: Security Eventlog Cleared
author: Admin
description: One of the Windows Eventlogs has been cleared.
detection:
    condition: 1 of selection_*
    selection_1102:
        EventID: 1102
        Provider_Name: Microsoft-Windows-Eventlog
    selection_517:
        EventID: 517
        Provider_Name: Security
level: high
logsource:
    product: windows
    service: security
logtype: windows

Alert Data


agent.type : wineventlog
event.action : audit-log-cleared
event.channel : security
event.code : 1102
event.dataset : security
event.outcome : success
event.provider : Microsoft-Windows-Eventlog
event.type : admin
host.name : D-Robin
log.type : windows
observer.product : windows
observer.vendor : microsoft
user.domain : D-Robin
user.name : Hoobo
winlog.channel : Security
winlog.computer_name : D-Robin.Hoobo.com
winlog.event_id : 1102
winlog.logon.id : 0xff4a5
winlog.process.pid : 1560
winlog.provider_name : Microsoft-Windows-Eventlog
winlog.task : Log clear


New or Renamed User Account with $ in Attribute SamAccountName.


Category: Security

This alert detects a possible EDR and SIEM bypass via an abnormal user account name.

Severity: Medium

Alert Rule


title: New or Renamed User Account with '$' in Attribute 'SamAccountName'
author: Admin
description: Detects a possible EDR and SIEM bypass via an abnormal user account name.
detection:
    condition: 1 of selection*
    selection1:
        EventID: 4720
        SamAccountName|contains: $
    selection2:
        EventID: 4781
        NewTargetUserName|contains: $
level: Medium
logsource:
    product: windows
    service: security
logtype: windows
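The matching logic of the three alert rules on this page, as an added example that is not the product's own detection engine: a small Python evaluator that supports plain and '|contains' field matches and the two condition forms the rules use ('selection and not filter' and '1 of selection*'), run over constructed sample events. The rule dictionaries transcribe the rules as written; the events, task names and user names are constructed for the example and are not a real log export.

```python
import re

# Rules transcribed from this page's three alert rules (Sigma-style). Backslashes
# are written as Python string escapes; matching is case-insensitive, as in Sigma.
RULES = {
    "Deleted Windows Important Scheduled Task": {
        "condition": "selection and not filter",
        "selection": {
            "EventID": 141,
            "TaskName|contains": [
                "\\Windows\\SystemRestore\\SR",
                "\\Windows\\Windows Defender\\",
                "\\Windows\\BitLocker",
                "\\Windows\\WindowsBackup\\",
                "\\Windows\\WindowsUpdate\\",
                "\\Windows\\UpdateOrchestrator\\",
                "\\Windows\\ExploitGuard",
            ],
        },
        # Suppress deletions by the built-in NT AUTHORITY accounts (and localized spellings).
        "filter": {"UserName|contains": ["AUTHORI", "AUTORI"]},
    },
    "Security Eventlog Cleared": {
        "condition": "1 of selection_*",
        "selection_1102": {"EventID": 1102, "Provider_Name": "Microsoft-Windows-Eventlog"},
        "selection_517": {"EventID": 517, "Provider_Name": "Security"},
    },
    "New or Renamed User Account with '$' in 'SamAccountName'": {
        "condition": "1 of selection*",
        "selection1": {"EventID": 4720, "SamAccountName|contains": "$"},
        "selection2": {"EventID": 4781, "NewTargetUserName|contains": "$"},
    },
}


def field_matches(event, key, wanted):
    """Match one rule field ('Name' or 'Name|contains') against an event field."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    actual = str(event[name]).lower()
    candidates = wanted if isinstance(wanted, list) else [wanted]
    if modifier == "contains":
        return any(str(c).lower() in actual for c in candidates)
    if modifier == "":
        return any(str(c).lower() == actual for c in candidates)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """A selection is an AND of all its fields."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Evaluate the two condition shapes used by the rules above."""
    condition = rule["condition"]
    selections = {k: v for k, v in rule.items() if k != "condition"}
    if condition == "selection and not filter":
        return (selection_matches(event, selections["selection"])
                and not selection_matches(event, selections["filter"]))
    m = re.fullmatch(r"1 of (\w+)\*", condition)  # "1 of selection_*", "1 of selection*"
    if m:
        return any(selection_matches(event, sel)
                   for name, sel in selections.items() if name.startswith(m.group(1)))
    raise ValueError(f"unsupported condition: {condition}")


def run_rules(events, rules=RULES):
    """Return {rule title: [indexes of matching events]} for a batch of events."""
    return {title: [i for i, ev in enumerate(events) if evaluate(rule, ev)]
            for title, rule in rules.items()}


# Constructed sample events (field names follow the rules, not a real log export).
SAMPLE_EVENTS = [
    {"EventID": 141, "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\AC Power Install",
     "UserName": "BHC\\operator"},                       # 0: important task, interactive user -> alert
    {"EventID": 141, "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan",
     "UserName": "NT AUTHORITY\\SYSTEM"},                # 1: same kind of task, suppressed by the NT AUTHORITY filter
    {"EventID": 141, "TaskName": "\\MyApp\\Nightly Cleanup", "UserName": "BHC\\operator"},  # 2: not an important task
    {"EventID": 1102, "Provider_Name": "Microsoft-Windows-Eventlog"},                          # 3: audit log cleared
    {"EventID": 4781, "NewTargetUserName": "Rajaram$", "OldTargetUserName": "Rajaram"},      # 4: renamed with '$'
    {"EventID": 4720, "SamAccountName": "jsmith"},                                             # 5: ordinary new user
]

if __name__ == "__main__":
    for title, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"{title}: events {hits}")
```

Running the block reports event 0 for the scheduled-task rule (event 1 is dropped by the NT AUTHORITY filter, event 2 is not one of the listed tasks), event 3 for the log-cleared rule and event 4 for the '$' rule. Note that the filter keys on UserName, so whether a SYSTEM-initiated deletion such as the one in the alert data below is suppressed depends on whether the ingested field carries the domain prefix.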

Alert Data


event.action : renamed-user-account
event.channel : security
event.code : 4781
event.module : windows
event.outcome : success
event.provider : Microsoft-Windows-Security-Auditing
event.type : user
host.name : BHCN01
log.type : windows
observer.product : windows
observer.vendor : microsoft
user.domain : BHCSDA
user.name : Rajaram$
winlog.channel : Security
winlog.computer_name : BHCN01.BHCSDA.LOCAL
winlog.event_id : 4781
winlog.logon.id : 0x19020b222
winlog.process.pid : 748
winlog.provider_name : Microsoft-Windows-Security-Auditing
winlog.task : User Account Management
