Update win_susp_net_recon_activity.yml

Jonhnathan
2020-11-26 22:39:49 -03:00
committed by GitHub
parent 31e0cfb13f
commit 48f16a0ca8
@@ -18,10 +18,16 @@ logsource:
product: windows
service: security
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
logsource:
product: windows
service: security
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
selection:
- EventID: 4661
ObjectType: 'SAM_USER'
EventID: 4661
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
ObjectName|startswith: 'S-1-5-21-'
AccessMask: '0x2d'
selection2: