Rule Library
Sigma Rules
2 rules found for "keepwatch"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection | medium | test
Potential SPN Enumeration Via Setspn.EXE
Detects service principal name (SPN) enumeration used for Kerberoasting
Windows | Process Creation
TA0006 · Credential Access | T1558.003 · Kerberoasting
Markus Neis +1 | Wed Nov 14 | windows
Detection | high | test
Security Support Provider (SSP) Added to LSA Configuration
Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
Windows | Registry Event
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.005 · Security Support Provider
iwillkeepwatch | Fri Jan 18 | windows