security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix field name

Browse Source
This commit is contained in:
frack113
2021-11-20 19:14:59 +01:00
parent ed4e771700
commit ebcfcfebf4
2 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/win_susp_ntlm_auth.yml
+2 -1
View File
@@ -7,6 +7,7 @@ references:
- https://goo.gl/PsqrhT
author: Florian Roth
date: 2018/06/08
modified: 2021/11/20
tags:
- attack.lateral_movement
- attack.t1075 # an old one
@@ -18,7 +19,7 @@ logsource:
detection:
selection:
EventID: 8002
CallingProcessName: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
ProcessName: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
condition: selection
falsepositives:
- Legacy hosts
rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
+2 -2
View File
@@ -11,13 +11,13 @@ tags:
status: experimental
author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
date: 2018/11/30
modified: 2020/08/28
modified: 2021/11/20
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetProcessAddress|endswith:
StartAddress|endswith:
- '0B80'
- '0C7C'
- '0C88'