Detectionhightest

Register new Logon Process by Rubeus

Detects potential use of Rubeus via registered new trusted logon process

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Roberto Rodriguez (Cyb3rWard0g), Ilyas Ochkov, oscd.communityCreated Thu Oct 24Updated Sun Oct 0912e6d621-194f-4f59-90cc-1959e21e69f7windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID: 4611
        LogonProcessName: 'User32LogonProcesss'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

12e6d621-194f-4f59-90cc-1959e21e69f7

Status

test

Level

high

Type

Detection

Created

Thu Oct 24

Modified

Sun Oct 09

Author

Path

rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml

Raw Tags

attack.lateral-movementattack.privilege-escalationattack.credential-accessattack.t1558.003