Removed lists from log source section

Florian Roth
2017-02-19 11:08:23 +01:00
parent 6fbc1dcd32
commit 52d04e52ac
21 changed files with 20 additions and 17 deletions
Four binary (image) files changed; their diffs are not shown (sizes before/after: 74/74 KiB, 72/73 KiB, 68/68 KiB, 83/83 KiB).
@@ -2,7 +2,7 @@ title: Mimikatz Usage
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog:
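Review bot: the `logsource` block changes from a one-element YAML list (`- product: windows`) to a plain mapping (`product: windows`), which is what the commit message announces and what the remaining hunks repeat for every rule; the `selection` block underneath is left as a mapping too, so the rule file stays consistent. Minor wording point in the description on the second line of the hunk: "older Mimikatz version that are" should read "older Mimikatz versions that are".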
@@ -2,7 +2,7 @@ title: Relevant Anti-Virus Event
description: This detection method points out highly relevant Antivirus events
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Application
@@ -3,7 +3,7 @@ description: One of the Windows Eventlogs has been cleared
reference: https://twitter.com/deviouspolack/status/832535435960209408
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: System
@@ -2,7 +2,7 @@ title: Account Tampering - Suspicious Failed Logon Reasons
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Security
@@ -2,7 +2,7 @@ title: Multiple Failed Logins with Different Accounts from Single Source System
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Security
@@ -20,3 +20,5 @@ falsepositives:
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
level: medium
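Review bot: the hunk header `@@ -20,3 +20,5 @@` announces two added lines, but only the three unchanged context lines (`- Other multiuser systems like Citrix server farms`, `- Workstations with frequently changing users`, `level: medium`) are visible here, so the actual addition to this rule cannot be reviewed from this view; please make sure the added lines are shown or described in the commit.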
@@ -2,7 +2,7 @@ title: Kerberos Manipulation
description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Security
@@ -3,7 +3,7 @@ description: Detects process handle on LSASS process with certain access mask an
status: experimental
reference: https://twitter.com/jackcr/status/807385668833968128
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Security
@@ -15,3 +15,4 @@ detection:
falsepositives:
- Unkown
level: high
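Review bot: "Unkown" under `falsepositives:` is a typo for "Unknown"; since this hunk already touches the tail of the file (the header `@@ -15,3 +15,4 @@` reports one added line that is not visible here), it would be a good moment to fix it, and to surface the added line so the change can be reviewed.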
@@ -3,7 +3,7 @@ status: experimental
reference: https://adsecurity.org/?p=3458
description: Detects logons using RC4 encryption type
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Security
@@ -2,7 +2,7 @@ title: Security Eventlog Cleared
description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities
author: Florian Roth
logsource:
- product: windows
product: windows
detection:
selection:
EventLog: Security
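Review bot: style point in the description line of this hunk, "using certain utitlities" should read "using certain utilities".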
@@ -3,7 +3,7 @@ status: experimental
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ)
reference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
logsource:
- product: sysmon
product: sysmon
detection:
selection:
- EventLog: Microsoft-Windows-Sysmon/Operational
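Review bot: the access-mask constant names in the description carry stray spaces, `PROCESS_QUERY_ LIMITED_INFORMATION` and `PROCESS_QUERY_ INFORMATION`, which breaks them as searchable identifiers; they should read `PROCESS_QUERY_LIMITED_INFORMATION` and `PROCESS_QUERY_INFORMATION`. Also note that `- EventLog: Microsoft-Windows-Sysmon/Operational` under `selection:` is still a list item while this commit removes the list form from `logsource`; if a list of alternative selection maps is intended here that is fine, but the truncated context makes it worth confirming.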
@@ -3,7 +3,7 @@ status: experimental
description: Detects certain DLL loads when Mimikatz gets executed
reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
logsource:
- product: sysmon
product: sysmon
detection:
dllload1:
EventLog: Microsoft-Windows-Sysmon/Operational
@@ -2,7 +2,7 @@ title: Password Dumper Remote Thread in LSASS
description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundrets of events.
author: Thomas Patzke
logsource:
- product: sysmon
product: sysmon
detection:
selection:
EventLog: Microsoft-Windows-Sysmon/Operational
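Review bot: style point in the description line of this hunk, "hundrets of events" should read "hundreds of events".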
@@ -2,7 +2,7 @@ title: Suspicious Driver Load from Temp
description: Detetcs a driver load from a temporary directory
author: Florian Roth
logsource:
- product: sysmon
product: sysmon
detection:
selection:
EventLog: Microsoft-Windows-Sysmon/Operational
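Review bot: style point in the description line of this hunk, "Detetcs a driver load" should read "Detects a driver load".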
@@ -3,7 +3,7 @@ status: experimental
description: Processes started by MMC could by a sign of lateral movement using MMC application COM object
reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
logsource:
- product: sysmon
product: sysmon
detection:
selection:
EventLog: Microsoft-Windows-Sysmon/Operational
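Review bot: style point in the description line of this hunk, "could by a sign of lateral movement" should read "could be a sign of lateral movement".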
@@ -2,7 +2,7 @@ title: Java running with Remote Debugging
description: Detcts a JAVA process running with remote debugging allowing more than just localhost to connect
author: Florian Roth
logsource:
- product: sysmon
product: sysmon
detection:
selection:
EventLog: Microsoft-Windows-Sysmon/Operational
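Review bot: style point in the description line of this hunk, "Detcts a JAVA process" should read "Detects a Java process".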
@@ -2,7 +2,7 @@ title: Webshell Detection With Command Line Keywords
description: Detects certain command line parameters often used during reconnissaince activity via web shells
author: Florian Roth
logsource:
- product: sysmon
product: sysmon
detection:
selection:
EventLog: Microsoft-Windows-Sysmon/Operational
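Review bot: style point in the description line of this hunk, "reconnissaince activity" should read "reconnaissance activity".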
@@ -3,7 +3,7 @@ status: experimental
description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
author: Thomas Patzke
logsource:
- product: sysmon
product: sysmon
detection:
selection:
EventLog: Microsoft-Windows-Sysmon/Operational
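Review bot: style point in the description line of this hunk, "or an other attack" should read "or another attack".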