Update and rename win_nltest_query.yml to win_nltest_recon.yml
changes based on feedback added Update and rename win_nltest_query.yml to win_nltest_recon.yml
+4
-3
@@ -1,4 +1,5 @@
|
||||
title: Nltest Usage
|
||||
title: Detect Recon Activity with nltest
|
||||
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
|
||||
description: Detects nltest commands that can be used for information discovery
|
||||
references:
|
||||
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
|
||||
@@ -9,7 +10,7 @@ references:
|
||||
status: experimental
|
||||
author: Craig Young, oscd.community, Georg Lauenstein
|
||||
date: 2021/07/24
|
||||
modified: 2021/08/17
|
||||
modified: 2021/08/19
|
||||
tags:
|
||||
- attack.discovery
|
||||
- attack.T1016
|
||||
@@ -32,7 +33,7 @@ detection:
|
||||
- '/user'
|
||||
condition: selection_nltest AND (selection_recon1 OR selection_recon2)
|
||||
falsepositives:
|
||||
- To be determined
|
||||
- Legitimate administration use but user must be check out
|
||||
level: medium
|
||||
fields:
|
||||
- Image
|
||||
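Review bot: The new false-positive entry in the last hunk, `- Legitimate administration use but user must be check out`, is ungrammatical and gives an analyst no triage criterion; something like `- Legitimate use by domain administrators or management scripts; verify the account and parent process` says what to check. In the second hunk the context line `- attack.T1016` uses an uppercase technique id, while Sigma tags are conventionally lowercase (`- attack.t1016`). The condition in the last hunk also writes `AND`/`OR` where Sigma rules normally use lowercase `and`/`or`; both are worth normalising while the rule is being touched, since a stricter parser may reject them. The `detection` and `fields` blocks extend beyond the visible hunks, so whether `fields` already lists `CommandLine` and `User` for triage cannot be confirmed from here.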