From 5bd0b33a3b18ffb32a401fdaa03fbff520ce54ea Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 25 Oct 2022 14:16:08 +0200
Subject: [PATCH] Add logsource definition
---
 .../file_access/file_access_win_browser_credential_stealing.yml | 1 +
 .../file_access/file_access_win_credential_manager_stealing.yml | 1 +
 .../file/file_access/file_access_win_dpapi_master_key_access.yml | 1 +
 .../file/file_access/file_access_win_susp_cred_hist_access.yml | 1 +
 4 files changed, 4 insertions(+)
diff --git a/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml b/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml
index 8e2b7bf82..4bedaab1b 100644
--- a/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml
+++ b/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml
@@ -14,6 +14,7 @@ tags:
 logsource: category: file_access product: windows + definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider detection: selection: - FileName|contains:
diff --git a/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml b/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
index 7e69dc9ea..fceeac479 100644
--- a/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
+++ b/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
@@ -13,6 +13,7 @@ tags:
 logsource: category: file_access product: windows + definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider detection: selection: FileName|contains:
diff --git a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
index 46ab0a677..aa762c8ff 100644
--- a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
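Review bot: The added `definition` names the ETW provider but not the operation or field these rules depend on: the visible selections match only on `FileName` paths of credential stores, and the rule names are about credential access/stealing, so a backend that maps `file_access` to Kernel-File create/write events would satisfy this logsource yet presumably never fire on a pure read — confirm which event IDs the provider must deliver. The identical line is added verbatim to all four rules, so whatever wording is chosen applies to each. Presumably this provider is not written to the Windows event log by default and needs a dedicated ETW consumer (Sysmon has no file-read event); that is the caveat an operator deploying these rules needs, but verify before stating it. Suggested wording: `definition: 'Requires the Microsoft-Windows-Kernel-File ETW provider (file read/open events with the full path in FileName); not collected by default, a dedicated ETW consumer is needed'`. The `logsource` block is fully inside the hunk, but each rule's `detection` selection continues past it.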
+++ b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
@@ -13,6 +13,7 @@ tags:
 logsource: category: file_access product: windows + definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider detection: selection: FileName|contains:
diff --git a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
index bcd731435..d646e23cd 100644
--- a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
@@ -13,6 +13,7 @@ tags:
 logsource: category: file_access product: windows + definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider detection: selection: FileName|endswith: '\Microsoft\Protect\CREDHIST'