security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Removed duplicate filter entries.

Browse Source
This commit is contained in:
David ANDRE
2021-12-21 10:23:23 +01:00
parent 2ce0529792
commit d5bfce1e36
1 changed files with 2 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_susp_system_user_anomaly.yml
+2 -10
View File
@@ -84,15 +84,14 @@ detection:
- 'dpapi::wwman' #Mimikatz
- 'event::clear' #Mimikatz
- 'event::drop' #Mimikatz
- 'id::modify' #Mimikatz
- 'kerberos::ask' #Mimikatz
- 'kerberos::clist' #Mimikatz
- 'kerberos::golden' #Mimikatz
- 'kerberos::hash' #Mimikatz
- 'kerberos::list' #Mimikatz
- 'sekurlsa::tickets' #Mimikatz
- 'kerberos::ptc' #Mimikatz
- 'kerberos::ptt' #Mimikatz
- 'kerberos::ptt' #Mimikatz
- 'kerberos::purge' #Mimikatz
- 'kerberos::tgt' #Mimikatz
- 'lsadump::backupkeys' #Mimikatz
@@ -119,7 +118,6 @@ detection:
- 'misc::efs' #Mimikatz
- 'misc::lock' #Mimikatz
- 'misc::memssp' #Mimikatz
- 'misc::memssp' #Mimikatz
- 'misc::mflt' #Mimikatz
- 'misc::ncroutemon' #Mimikatz
- 'misc::ngcsign' #Mimikatz
@@ -176,19 +174,15 @@ detection:
- 'sekurlsa::kerberos' #Mimikatz
- 'sekurlsa::krbtgt' #Mimikatz
- 'sekurlsa::livessp' #Mimikatz
- 'sekurlsa::logonpasswords' #Mimikatz
- 'sekurlsa::minidump' #Mimikatz
- 'sekurlsa::msv' #Mimikatz
- 'sekurlsa::process' #Mimikatz
- 'sekurlsa::minidump' #Mimikatz
- 'sekurlsa::pth' #Mimikatz
- 'sekurlsa::ssp' #Mimikatz
- 'sekurlsa::tickets' #Mimikatz
- 'kerberos::list' #Mimikatz
- 'sekurlsa::trust' #Mimikatz
- 'sekurlsa::tspkg' #Mimikatz
- 'sekurlsa::wdigest' #Mimikatz
- 'rpc::server' #Mimikatz
- 'service::me' #Mimikatz
- 'service::preshutdown' #Mimikatz
- 'service::remove' #Mimikatz
@@ -202,8 +196,6 @@ detection:
- 'sid::lookup' #Mimikatz
- 'sid::modify' #Mimikatz
- 'sid::patch' #Mimikatz
- 'id::modify' #Mimikatz
- 'sid::add' #Mimikatz
- 'sid::query' #Mimikatz
- 'standard::answer' #Mimikatz
- 'standard::base64' #Mimikatz
@@ -227,7 +219,7 @@ detection:
- 'ts::remote' #Mimikatz
- 'ts::sessions' #Mimikatz
- 'vault::cred' #Mimikatz
- 'vault::list'
- 'vault::list' #Mimikatz
- ' p::d ' # Mimikatz
- ';iex(' # PowerShell IEX
- 'MiniDump' # Process dumping method apart from procdump