Merge branch 'master' into devel-sigmac

Thomas Patzke
2017-02-22 22:47:12 +01:00
4 changed files with 34 additions and 2 deletions
+1 -1
@@ -89,7 +89,7 @@ Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single So
* Creation of a reasonable set of sample rules
* Release of the first rule converters for Elastic Search and Splunk
* Integration of feedback into the rule specifications
* Collecting rule input from fellow researchers and analysts
* Integration into Threat Intel Exchanges, e.g. MISP
* Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms
# Credits
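Review bot: the product name in the second roadmap bullet is "Elastic Search"; the vendor spells it as one word, "Elasticsearch", and the converter and documentation elsewhere will be searched for under that spelling. Suggest `* Release of the first rule converters for Elasticsearch and Splunk`.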
+1 -1
@@ -8,7 +8,7 @@ detection:
- '=whoami'
- '=net%20user'
- '=cmd%20/c%20'
condition: selection and keywords
condition: keywords
falsepositives:
- Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
- User searches in search boxes of the respective website
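Review bot: the condition drops `selection`, so the `selection` block defined above this hunk is no longer referenced by any condition and becomes dead definition; either remove it or keep it in the condition. Dropping it also means any event containing one of the URL-encoded keyword strings (`=whoami`, `=net%20user`, `=cmd%20/c%20`) will match regardless of what `selection` used to constrain, which widens the hit set and raises the false positive rate the rule already acknowledges (wiki pages, search boxes). If the intent is to rely on `logsource` to scope the search instead, say so in the rule's description.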
@@ -0,0 +1,17 @@
title: Addition of SID History to Active Directory Object
status: stable
description: An attacker can use the SID history attribute to gain additional privileges.
reference: https://adsecurity.org/?p=1772
author: Thomas Patzke
logsource:
product: windows
detection:
selection:
EventLog: Security
EventID:
- 4765
- 4766
condition: selection
falsepositives:
- Migration of an account into a new domain
level: medium
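Review bot: `level: medium` looks low relative to the description, which states the attribute is used to gain additional privileges, and to the single listed false positive (migration of an account into a new domain), which is planned and rare. Consider `level: high`, matching the DSRM rule added in this same commit, or document in the description why medium is appropriate.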
@@ -0,0 +1,15 @@
title: Password Change on Directory Service Restore Mode (DSRM) Account
status: stable
description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
reference: https://adsecurity.org/?p=1714
author: Thomas Patzke
logsource:
product: windows
detection:
selection:
EventLog: Security
EventID: 4794
condition: selection
falsepositives:
- Initial installation of a domain controller
level: high
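Review bot: `status: stable` on a rule that is being introduced for the first time seems premature, and the same applies to the SID history rule in this commit; neither has had a chance to be validated against real Security log volume, and the only documented false positive is initial domain controller installation. Suggest `status: experimental` until the rule has been run in a production environment and the false positive list confirmed.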