Merge pull request #159 from t0x1c-1/t0x1c-devel

Suspicious SYSVOL Domain Group Policy Access

rules/windows/builtin/win_susp_sysvol_access.yml

@@ -0,0 +1,35 @@
+---
+action: global
+title: Suspicious SYSVOL Domain Group Policy Access
+status: experimental
+description: Detects Access to Domain Group Policies stored in SYSVOL
+references:
+    - https://adsecurity.org/?p=2288
+    - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
+author: Markus Neis
+date: 2018/04/09
+tags:
+    - attack.credential_access
+    - attack.t1003
+detection:
+    selection:
+        CommandLine: '*\SYSVOL\*\policies\*'
+    condition: selection
+falsepositives: 
+    - administrative activity 
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688