Rules referencing Microsoft-Windows-Security-Auditing Event ID 5145

Sigma (43)

Active Directory honeypot used for lateral movement severity high T1021
Azure Active Directory Connect credentials dump via network share severity high T1555
BlueSky Ransomware Artefacts severity high T1486
CrackMaxpExec share permission enumeration severity medium
Credentials (protected by DPAPI) dump via network share severity high T1555, T1555.004
CVE-2021-1675 Print Spooler Exploitation IPC Access severity critical T1569
DCERPC SMB Spoolss Named Pipe severity medium T1021, T1021.002
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security severity high T1021, T1021.002, T1021.003
Discovery for print spooler bug abuse (NTLM hash retrivial) via named pipe severity high T1557, T1557.001
DNS hosts file accessed via network share severity high T1018
First Time Seen Remote Named Pipe severity high T1021, T1021.002
Impacket PsExec Execution severity high T1021, T1021.002
Impacket WMIexec execution via SMB admin share severity high T1021, T1021.002
LSASS credential dump with LSASSY (admin share) severity high T1003, T1003.001
Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) severity medium T1053, T1053.005
Massive remote service creation via named pipes (TChopper, CME) severity high T1569
Massive remote service creation via named pipes - Tchopper severity high T1569
NetSYnc attack severity high T1003, T1003.006
Persistence and Execution at Scale via GPO Scheduled Task severity high T1053, T1053.005
Possible Impacket SecretDump Remote Activity severity high T1003, T1003.002, T1003.003, T1003.004
Possible PetitPotam Coerce Authentication Attempt severity high T1187
Protected Storage Service Access severity high T1021, T1021.002
PSexec execution over SMB share severity medium T1021, T1021.002
Remote schedule task creation via named pipes (ATexec) severity medium T1053, T1053.005
Remote Service Activity via SVCCTL Named Pipe severity medium T1021, T1021.002
Remote service creation via named pipes severity medium T1569
Remote shell execution via SMB admin share severity high T1021, T1021.002
Remote Task Creation via ATSVC Named Pipe severity medium T1053, T1053.002
Secretdump password dumping via SMB admin share severity high T1003, T1003.002
Shared folder access with forged Golden ticket severity high T1558, T1558.001
SharpHound enumeration via SMB named pipes severity medium T1135
SMB admin share accessed severity medium T1021, T1021.002
SMB Create Remote File Admin Share severity high T1021, T1021.002
Startup/Logon Script Added to Group Policy Object severity medium T1484, T1484.001, T1547
Suspicious Access to Sensitive File Extensions severity medium T1039
Suspicious PsExec Execution severity high T1021, T1021.002
T1047 Wmiprvse Wbemcomn DLL Hijack severity high T1021, T1021.002, T1047
Transferring Files with Credential Data via Network Shares severity medium T1003, T1003.001, T1003.002, T1003.003
User application credentials dump via network share (DonPapi, Lazagne) severity high T1555
User browser credentials dump via network share (DonPapi, Lazagne) severity high T1555, T1555.003
User files dump via network share (DonPapi, Lazagne) severity high T1555
User password change without previous password known - SetNTLM (Mimikatz) severity high T1098
Windows Network Access Suspicious desktop.ini Action severity medium T1547, T1547.009

Elastic (8)

Active Directory Forced Authentication from Linux Host - SMB Named Pipes severity medium T1187
Potential Kerberos Relay Attack against a Computer Account severity high T1187, T1550, T1557, T1557.001
Potential Machine Account Relay Attack via SMB severity high T1021, T1021.002, T1187, T1557, T1557.001
Potential Network Share Discovery severity low building block T1021, T1021.002, T1039, T1135
Potential NTLM Relay Attack against a Computer Account severity high T1187, T1557, T1557.001
Scheduled Task Execution at Scale via GPO severity medium T1053, T1053.005, T1484, T1484.001, T1570
Startup/Logon Script added to Group Policy Object severity medium T1037, T1484, T1484.001, T1547
Suspicious Remote Registry Access via SeBackupPrivilege severity medium T1003, T1003.002, T1003.004, T1021, T1021.002

Splunk (16)

Kusto (2)

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task severity medium T1210
Solorigate Named Pipe severity high T1055

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-Security-Auditing Event ID 5145

Sigma (43)

Elastic (8)

Splunk (16)

Kusto (2)

Keyboard shortcuts

Search operators