security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add logsource definition

Browse Source
This commit is contained in:
frack113
2022-10-25 14:16:08 +02:00
parent dfdaecc52c
commit 5bd0b33a3b
4 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml
+1
View File
@@ -14,6 +14,7 @@ tags:
logsource:
category: file_access
product: windows
definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
detection:
selection:
- FileName|contains:
rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
+1
View File
@@ -13,6 +13,7 @@ tags:
logsource:
category: file_access
product: windows
definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
detection:
selection:
FileName|contains:
rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
+1
View File
@@ -13,6 +13,7 @@ tags:
logsource:
category: file_access
product: windows
definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
detection:
selection:
FileName|contains:
rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
+1
View File
@@ -13,6 +13,7 @@ tags:
logsource:
category: file_access
product: windows
definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
detection:
selection:
FileName|endswith: '\Microsoft\Protect\CREDHIST'