security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

JPCERT rules

Browse Source 
* Addition of ntdsutil.exe rule
* Added new link to existing rules
This commit is contained in:
Thomas Patzke
2018-03-08 00:10:19 +01:00
parent 8ee24bf150
commit ada1ca94ea
4 changed files with 34 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/win_mal_wceaux_dll.yml
+1
View File
@@ -4,6 +4,7 @@ description: Detects wceaux.dll access while WCE pass-the-hash remote command ex
author: Thomas Patzke
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
logsource:
product: windows
service: security
rules/windows/builtin/win_susp_ntdsutil.yml
+31
View File
@@ -0,0 +1,31 @@
---
action: global
title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
status: experimental
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
author: Thomas Patzke
detection:
selection:
CommandLine: '*\ntdsutil.exe *'
condition: selection
falsepositives:
- NTDS maintenance
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
rules/windows/builtin/win_susp_sdelete.yml
+1
View File
@@ -3,6 +3,7 @@ status: experimental
description: Detects renaming of file while deletion with SDelete tool
author: Thomas Patzke
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx
logsource:
rules/windows/other/win_tool_psexec.yml
+1
View File
@@ -4,6 +4,7 @@ description: Detects PsExec service installation and execution events (service a
author: Thomas Patzke
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
logsource:
product: windows
detection: