Analytics Story: Compromised Windows Host
Description
Monitor for activities and techniques associated with Compromised Windows Host attacks. A compromised Windows host refers to a computer system running the Windows operating system that has been infiltrated or attacked by unauthorized parties. Such compromises often result in security breaches, data theft, malware infections, or unauthorized access, posing risks to sensitive information and system integrity.
Why it matters
In a scenario of digital compromise, a Windows host becomes the target of sophisticated cyber attacks. Utilizing advanced persistent threat (APT) techniques, attackers bypass security measures and exploit system vulnerabilities to gain unauthorized access. Once inside the network, they execute a series of malicious activities, including exfiltrating sensitive data, deploying malware, and undermining the integrity of the cybersecurity infrastructure.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Cisco Network Visibility Module Flow Data | | cisco:nvm:flowdata | not_applicable |
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
Sysmon EventID 1 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 11 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 3 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 7 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 1102 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4624 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4627 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4662 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4663 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4672 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4688 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4698 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4699 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4738 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4741 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4742 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4768 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4769 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4781 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4798 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4887 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 5136 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 5137 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 5141 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 5145 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log System 104 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log System 7036 | | XmlWinEventLog | XmlWinEventLog:System |
Windows Event Log System 7040 | | XmlWinEventLog | XmlWinEventLog:System |
Windows Event Log System 7045 | | XmlWinEventLog | XmlWinEventLog:System |
References
Source: GitHub | Version: 1