Detection rules › By event

Microsoft-Windows-Security-Auditing Event ID 4663

78 detection rules reference this event. View event page.

Sigma (22)

Access To Browser Credential Files By Uncommon Applications - Security severity low T1555, T1555.003
Azure AD Health Monitoring Agent Registry Keys Access severity medium T1012
Azure AD Health Service Agents Registry Keys Access severity medium T1012
BlueSky Ransomware Artefacts severity high T1486
CVE-2023-23397 Exploitation Attempt severity critical
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security severity critical
File Access Of Signal Desktop Sensitive Data severity medium T1003
ISO Image Mounted severity medium T1566, T1566.001
LSASS Access From Non System Account severity medium T1003, T1003.001
LSASS credential dump with LSASSY (kernel access) severity high T1003, T1003.001
LSASS process dump by a non system account severity high T1003, T1003.001
Potential Secure Deletion with SDelete severity medium T1027, T1027.005, T1070, T1070.004, T1485, T1553
Potentially Suspicious AccessMask Requested From LSASS severity medium T1003, T1003.001
Processes Accessing the Microphone and Webcam severity medium T1123
ScreenConnect User Database Modification - Security severity medium
Service Registry Key Read Access Request severity low T1574, T1574.011
Suspicious Teams Application Related ObjectAcess Event severity high T1528
SysKey Registry Keys Access severity high T1012
Sysmon Channel Reference Deletion severity high T1112
Task Manager used for LSASS dump (kernel) severity high T1003, T1003.001
WCE wceaux.dll Access severity critical T1003
Windows Defender Exclusion Registry Key - Write Access Requested severity medium T1685

Splunk (30)

Browser Credential File Accessed - Windows (Windows Event Log) T1003, T1555, T1555.003
ConnectWise ScreenConnect Path Traversal Windows SACL severity medium T1190
ISO File in Temp Folder (Windows Event Log) T1204, T1204.002
ISO Image Mounted - Windows (Windows Event Log) T1204, T1204.002, T1553, T1553.005
Non Chrome Process Accessing Chrome Default Dir severity low T1555, T1555.003
Non Firefox Process Access Firefox Profile Dir severity low T1555, T1555.003
Potential Credential Dumping of LSASS (Windows Event Log) T1003
Potential nanodump execution (Windows Event Log) T1003
Rare dll called by Spoolsv.exe (Windows Event Log) T1547, T1547.010
RDP File Written by Outlook (Windows Event Log) T1021, T1021.001, T1566, T1566.001
Rename System Utilities (Windows Event Log) T1036, T1036.003
SAM Database File Access Attempt T1003, T1003.002
SAM, System, Security Files Accessed (Windows Event Log) T1003, T1003.002
Task Manager lsass Dump (Windows Event Log) T1003, T1003.001
Temporary ConnectWise xml File Activity (Windows Event Log) T1133, T1219
Windows Credential Access From Browser Password Store severity low T1012
Windows Credentials from Password Stores Chrome Extension Access severity low T1012
Windows Credentials from Password Stores Chrome LocalState Access severity low T1012
Windows Credentials from Password Stores Chrome Login Data Access severity low T1012
Windows GrimResource - MMC Process Accessing APDS DLL severity medium T1059, T1059.007, T1218, T1218.014
Windows Hosts File Access severity low T1012
Windows Increase in Group or Object Modification Activity severity medium T1098, T1685
Windows Non Discord App Access Discord LevelDB severity low T1012
Windows Process Accessing Windows Recall Directory severity low T1059, T1119
Windows Product Key Registry Query severity low T1012
Windows Query Registry Browser List Application severity low T1012
Windows Query Registry UnInstall Program List severity low T1012
Windows Unsecured Outlook Credentials Access In Registry severity low T1552
Windows Unusual FileZilla XML Config Access severity low T1552, T1552.001
Windows Unusual Intelliform Storage Registry Access severity low T1552, T1552.001

Kusto (26)

Detect executable drops via Azure custom script extension T1021, T1021.008, T1651
Detect Print Processors Registry Driver Key Creation/Modification severity medium T1547
Detect Registry Run Key Creation/Modification severity medium T1112, T1547
Detect Windows Allow Firewall Rule Addition/Modification severity medium T1562
Detect Windows Update Disabled from Registry severity medium T1562
Dev-0530 File Extension Rename severity high T1486
Files Copied to USB Drives severity high T1041
Google Threat Intelligence - Threat Hunting Hash severity medium T1059
Identify SysAid Server web shell creation severity high T1190
Microsoft Entra ID Health Monitoring Agent Registry Keys Access severity medium T1005
Microsoft Entra ID Health Service Agents Registry Keys Access severity medium T1005
Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access severity medium T1012
Microsoft Recommended Driver Block List
PE file dropped in Color Profile Folder severity medium T1203
Potential Build Process Compromise severity medium T1554
Potential Fodhelper UAC Bypass (ASIM Version) severity medium T1548, T1548.002
RecordedFuture Threat Hunting Hash All Actors severity medium T1059, T1189, T1554
Remote File Creation with PsExec severity high T1570
Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint)
SUNBURST and SUPERNOVA backdoor hashes severity high T1059, T1195, T1546
SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) severity high T1059, T1195, T1546
Suspicious access of BEC related documents severity medium T1530
Suspicious MSC File Launched T1218, T1218.014, T1566
Suspicious office child process created T1204
VTI - High Severity SHA1 Collision Detection severity high T1204
WinRM Plugin Lateral Movement T1021, T1021.006

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-Security-Auditing Event ID 4663

Sigma (22)

Splunk (30)

Kusto (26)

Keyboard shortcuts

Search operators