From bebeedb6239570017d0235592c012817bfaef530 Mon Sep 17 00:00:00 2001
From: Ben4FH <98482457+Ben4FH@users.noreply.github.com>
Date: Mon, 15 Aug 2022 17:28:48 +0100
Subject: [PATCH] Update EID 5156 field names

Update to keep field names consistent for all rules using EID 5156

---
 .../builtin/security/win_global_catalog_enumeration.yml | 4 ++--
 .../security/win_susp_outbound_kerberos_connection.yml | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/rules/windows/builtin/security/win_global_catalog_enumeration.yml b/rules/windows/builtin/security/win_global_catalog_enumeration.yml
index 6659a8c0c..6738b172e 100644
--- a/rules/windows/builtin/security/win_global_catalog_enumeration.yml
+++ b/rules/windows/builtin/security/win_global_catalog_enumeration.yml
@@ -4,7 +4,7 @@ status: experimental
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
 id: 619b020f-0fd7-4f23-87db-3f51ef837a34
 date: 2020/05/11
-modified: 2021/06/01
+modified: 2022/08/15
 references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
 tags:
@@ -17,7 +17,7 @@ logsource:
 detection:
     selection:
         EventID: 5156
-        DestinationPort:
+        DestPort:
             - 3268
             - 3269
     timeframe: 1h
diff --git a/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml
index 8f331063c..785337246 100644
--- a/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml
@@ -6,16 +6,16 @@ author: Ilyas Ochkov, oscd.community
 references:
     - https://github.com/GhostPack/Rubeus
 date: 2019/10/24
-modified: 2021/11/27
+modified: 2022/08/15
 logsource:
     product: windows
     service: security
 detection:
     selection:
         EventID: 5156
-        DestinationPort: 88
+        DestPort: 88
     filter:
-        Image|endswith:
+        Application|endswith:
             - '\lsass.exe'
             - '\opera.exe'
             - '\chrome.exe'
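Review bot: Renaming `DestinationPort` to `DestPort` in both rules, and `Image` to `Application` in win_susp_outbound_kerberos_connection.yml, changes which log field each selection and filter is evaluated against, so any backend field mapping that still translates the old names for EID 5156 would make these rules stop matching silently rather than fail; no mapping or config change is part of this patch, so either the native event names are already passed through or the mapping is updated elsewhere — worth confirming before merge. In the Kerberos rule, the 5156 `Application` value is normally recorded as a device path rather than a Win32 path, which `endswith` on `\lsass.exe` still matches, but a reader may not expect that form; a short comment such as `# 5156 reports Application as a \device\... path; endswith keeps the match` above the filter would save the next maintainer a check. The filter list in that hunk continues past the last line shown, so the remaining entries were not reviewed here.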