title: Hacktool Use
description: This method detects well-known keywords, certain field combination that appear in Windows Eventlog when certain hack tools are used
author: Florian Roth
logsource:
    product: windows
    service: system
detection:
    # Ruler https://github.com/sensepost/ruler
    selection1:
        EventID: 
          - 4776
          - 4624
          - 4625
        WorkstationName: 'RULER'
    condition: selection1
falsepositives:
    - Unlikely
level: critical