fix: unnecessary performance impact

Florian Roth
2022-01-05 14:18:42 +01:00
parent 3386a3649e
commit d61b0c0120
@@ -47,177 +47,18 @@ detection:
- '.downloadstring(' # PowerShell download command
- '.downloadfile(' # PowerShell download command
- ' /ticket:' # Rubeus
- 'sekurlsa::logonpasswords' #Mimikatz
- 'crypto::capi' #Mimikatz
- 'crypto::certificates' #Mimikatz
- 'crypto::certtohw' #Mimikatz
- 'crypto::cng' #Mimikatz
- 'crypto::extract' #Mimikatz
- 'crypto::hash' #Mimikatz
- 'crypto::keys' #Mimikatz
- 'crypto::providers' #Mimikatz
- 'crypto::sc' #Mimikatz
- 'crypto::scauth' #Mimikatz
- 'crypto::stores' #Mimikatz
- 'crypto::system' #Mimikatz
- 'crypto::tpminfo' #Mimikatz
- 'dpapi::blob' #Mimikatz
- 'dpapi::cache' #Mimikatz
- 'dpapi::capi' #Mimikatz
- 'dpapi::chrome' #Mimikatz
- 'dpapi::cloudapkd' #Mimikatz
- 'dpapi::cloudapreg' #Mimikatz
- 'dpapi::cng' #Mimikatz
- 'dpapi::create' #Mimikatz
- 'dpapi::cred' #Mimikatz
- 'dpapi::credhist' #Mimikatz
- 'dpapi::luna' #Mimikatz
- 'dpapi::masterkey' #Mimikatz
- 'dpapi::protect' #Mimikatz
- 'dpapi::ps' #Mimikatz
- 'dpapi::rdg' #Mimikatz
- 'dpapi::sccm' #Mimikatz
- 'dpapi::ssh' #Mimikatz
- 'dpapi::tpm' #Mimikatz
- 'dpapi::vault' #Mimikatz
- 'dpapi::wifi' #Mimikatz
- 'dpapi::wwman' #Mimikatz
- 'dpapi::' #Mimikatz
- 'event::clear' #Mimikatz
- 'event::drop' #Mimikatz
- 'id::modify' #Mimikatz
- 'kerberos::ask' #Mimikatz
- 'kerberos::clist' #Mimikatz
- 'kerberos::golden' #Mimikatz
- 'kerberos::hash' #Mimikatz
- 'kerberos::list' #Mimikatz
- 'kerberos::ptc' #Mimikatz
- 'kerberos::ptt' #Mimikatz
- 'kerberos::purge' #Mimikatz
- 'kerberos::tgt' #Mimikatz
- 'lsadump::backupkeys' #Mimikatz
- 'lsadump::cache' #Mimikatz
- 'lsadump::changentlm' #Mimikatz
- 'lsadump::dcshadow' #Mimikatz
- 'lsadump::dcsync' #Mimikatz
- 'lsadump::lsa' #Mimikatz
- 'lsadump::mbc' #Mimikatz
- 'lsadump::netsync' #Mimikatz
- 'lsadump::packages' #Mimikatz
- 'lsadump::postzerologon' #Mimikatz
- 'lsadump::RpData' #Mimikatz
- 'lsadump::sam' #Mimikatz
- 'lsadump::secrets' #Mimikatz
- 'lsadump::setntlm' #Mimikatz
- 'lsadump::trust' #Mimikatz
- 'lsadump::zerologon' #Mimikatz
- 'misc::aadcookie' #Mimikatz
- 'misc::clip' #Mimikatz
- 'misc::cmd' #Mimikatz
- 'misc::compress' #Mimikatz
- 'misc::detours' #Mimikatz
- 'misc::efs' #Mimikatz
- 'misc::lock' #Mimikatz
- 'misc::memssp' #Mimikatz
- 'misc::mflt' #Mimikatz
- 'misc::ncroutemon' #Mimikatz
- 'misc::ngcsign' #Mimikatz
- 'misc::printnightmare' #Mimikatz
- 'misc::regedit' #Mimikatz
- 'misc::sccm' #Mimikatz
- 'misc::shadowcopies' #Mimikatz
- 'misc::skeleton' #Mimikatz
- 'misc::spooler' #Mimikatz
- 'misc::taskmgr' #Mimikatz
- 'misc::wp' #Mimikatz
- 'misc::xor' #Mimikatz
- 'net::alias' #Mimikatz
- 'net::deleg' #Mimikatz
- 'net::group' #Mimikatz
- 'net::if' #Mimikatz
- 'net::serverinfo' #Mimikatz
- 'net::session' #Mimikatz
- 'net::share' #Mimikatz
- 'net::stats' #Mimikatz
- 'net::tod' #Mimikatz
- 'net::trust' #Mimikatz
- 'net::user' #Mimikatz
- 'net::wsession' #Mimikatz
- 'privilege::backup' #Mimikatz
- 'privilege::debug' #Mimikatz
- 'privilege::driver' #Mimikatz
- 'privilege::id' #Mimikatz
- 'privilege::name' #Mimikatz
- 'privilege::restore' #Mimikatz
- 'privilege::security' #Mimikatz
- 'privilege::sysenv' #Mimikatz
- 'privilege::tcb' #Mimikatz
- 'process::exports' #Mimikatz
- 'process::imports' #Mimikatz
- 'process::list' #Mimikatz
- 'process::resume' #Mimikatz
- 'process::run' #Mimikatz
- 'process::runp' #Mimikatz
- 'process::start' #Mimikatz
- 'process::stop' #Mimikatz
- 'process::suspend' #Mimikatz
- 'rpc::close' #Mimikatz
- 'rpc::connect' #Mimikatz
- 'rpc::enum' #Mimikatz
- 'rpc::server' #Mimikatz
- 'sekurlsa::backupkeys' #Mimikatz
- 'sekurlsa::bootkey' #Mimikatz
- 'sekurlsa::cloudap' #Mimikatz
- 'sekurlsa::credman' #Mimikatz
- 'sekurlsa::dpapi' #Mimikatz
- 'sekurlsa::dpapisystem' #Mimikatz
- 'sekurlsa::ekeys' #Mimikatz
- 'sekurlsa::kerberos' #Mimikatz
- 'sekurlsa::krbtgt' #Mimikatz
- 'sekurlsa::livessp' #Mimikatz
- 'sekurlsa::minidump' #Mimikatz
- 'sekurlsa::msv' #Mimikatz
- 'sekurlsa::process' #Mimikatz
- 'sekurlsa::pth' #Mimikatz
- 'sekurlsa::ssp' #Mimikatz
- 'sekurlsa::tickets' #Mimikatz
- 'sekurlsa::trust' #Mimikatz
- 'sekurlsa::tspkg' #Mimikatz
- 'sekurlsa::wdigest' #Mimikatz
- 'service::me' #Mimikatz
- 'service::preshutdown' #Mimikatz
- 'service::remove' #Mimikatz
- 'service::resume' #Mimikatz
- 'service::shutdown' #Mimikatz
- 'service::start' #Mimikatz
- 'service::stop' #Mimikatz
- 'service::suspend' #Mimikatz
- 'sid::add' #Mimikatz
- 'sid::clear' #Mimikatz
- 'sid::lookup' #Mimikatz
- 'sid::modify' #Mimikatz
- 'sid::patch' #Mimikatz
- 'sid::query' #Mimikatz
- 'standard::answer' #Mimikatz
- 'standard::base64' #Mimikatz
- 'standard::cd' #Mimikatz
- 'standard::cls' #Mimikatz
- 'standard::coffee' #Mimikatz
- 'standard::exit' #Mimikatz
- 'standard::hostname' #Mimikatz
- 'standard::localtime' #Mimikatz
- 'standard::log' #Mimikatz
- 'standard::sleep' #Mimikatz
- 'standard::version' #Mimikatz
- 'token::elevate' #Mimikatz
- 'token::list' #Mimikatz
- 'token::revert' #Mimikatz
- 'token::run' #Mimikatz
- 'token::whoami' #Mimikatz
- 'ts::logonpasswords' #Mimikatz
- 'ts::mstsc' #Mimikatz
- 'ts::multirdp' #Mimikatz
- 'ts::remote' #Mimikatz
- 'ts::sessions' #Mimikatz
- 'kerberos::' #Mimikatz
- 'lsadump::' #Mimikatz
- 'misc::' #Mimikatz
- 'privilege::' #Mimikatz
- 'rpc::' #Mimikatz
- 'sekurlsa::' #Mimikatz
- 'sid::' #Mimikatz
- 'token::' #Mimikatz
- 'vault::cred' #Mimikatz
- 'vault::list' #Mimikatz
- ' p::d ' # Mimikatz
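Review bot: The bare module prefixes near the end of the hunk (`'rpc::'`, `'sid::'`, `'misc::'`, `'token::'`, `'privilege::'`) are short enough to match unrelated text; `'rpc::'` is a substring of `grpc::`, for example, so the performance gain may come with new false positives wherever logged content contains C++/Rust/Perl-style scope names. The +/- markers are lost on this page, but the hunk header (177 lines down to 18) suggests that the `crypto::`, `net::`, `process::`, `service::`, `standard::` and `ts::` entries were dropped with no prefix replacing them, which would also lose matches on strings such as `crypto::capi` or `ts::multirdp`. If that is intentional, a comment above the prefixes such as `# Mimikatz module prefixes only; crypto::, net::, process::, service::, standard::, ts:: omitted on purpose` would record the decision. The rest of the `detection:` block and the rule's `falsepositives` field lie outside this hunk, so whether a filter or a false-positive note already covers this cannot be seen from here.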