Corrected CrackMapExec rule

Florian Roth
2018-04-09 08:40:03 +02:00
parent a9c7fe202e
commit 56172ae174
+1 -10
@@ -1,4 +1,4 @@
---
action: global
title: CrackMapExecWin
description: Detects CrackMapExecWin Activity as Described by NCSC
@@ -7,9 +7,6 @@ references:
- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
author: Markus Neis
detection:
selection1:
CommandLine:
- '*\crackmapexec.exe'
condition: 1 of them
falsepositives:
- None
@@ -22,9 +19,6 @@ logsource:
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
# Requires group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 4688
selection2:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 4688
NewProcessName:
@@ -36,9 +30,6 @@ logsource:
service: sysmon
detection:
selection1:
# Requires group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 1
selection2:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 1
Image:
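Review bot: The `CommandLine` value `'*\crackmapexec.exe'` in the global-section hunk (`@@ -7,9 +7,6 @@`) has no trailing wildcard, so it only matches a command line that ends with the binary name; an invocation carrying arguments, or a quoted path followed by arguments, is missed, whereas `NewProcessName`/`Image` hold just the path and are anchored correctly. The usual form for a command-line selector would be `- '*\crackmapexec.exe*'`. The page prints one side per hunk, so I cannot tell which three lines that hunk drops; the point applies if the `CommandLine` entry survives in the new file. The remaining selectors also match only the default file name, which is worth stating in the rule, e.g. `# Matches the default binary name only; renamed copies need a separate detection` above `detection:` in the global section.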