Merge pull request #2 from Neo23x0/master

Pull updates
This commit is contained in:
socprime
2018-07-16 18:49:16 +03:00
committed by GitHub
3 changed files with 3 additions and 3 deletions
@@ -7,7 +7,7 @@ author: Florian Roth (rule), Jack Croock (method)
logsource:
product: windows
service: security
description: The volume of Event ID 4661 ist high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
description: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
detection:
selection:
- EventID: 4661
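Review bot: the new description line still carries the misspelling "recommandations"; since this commit is a typo fix for the same line ("ist" -> "is"), it should correct "recommandations" to "recommendations" as well rather than leaving a second pass for later. The sentence would also read more clearly with a comma before "and therefore", so that the high volume of Event ID 4661 on Domain Controllers is plainly given as the reason the "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are left out of the server recommendations, which is worth stating clearly because anyone deploying this rule has to enable those settings explicitly for the 4661 selection to produce any events.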
@@ -10,5 +10,5 @@ detection:
ImageLoaded: '*\Temp\*'
condition: selection
falsepositives:
- there is a relevant set of false positives depending on applications in the envirnment
- there is a relevant set of false positives depending on applications in the environment
level: medium
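Review bot: the corrected falsepositives entry ("there is a relevant set of false positives depending on applications in the environment") is still too vague to help a tuner, given that the selection matches any image loaded from a path containing `\Temp\` (`ImageLoaded: '*\Temp\*'`) and fires at level medium on `condition: selection`. Suggest either naming the classes of software known to load modules from temp directories (installers, updaters, self-extracting packages) or adding a short hint on how to build a filter for them, so the entry describes something the reader can act on rather than just acknowledging that noise exists.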
@@ -1,6 +1,6 @@
title: Processes created by MMC
status: experimental
description: Processes started by MMC could by a sign of lateral movement using MMC application COM object
description: Processes started by MMC could be a sign of lateral movement using MMC application COM object
references:
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
logsource:
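Review bot: with the "could by" -> "could be" fix in place, the description still refers generically to the "MMC application COM object", while the linked reference (https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/) is specifically about the MMC20.Application object. Suggest naming it as "the MMC20.Application COM object" in the description so the rule text matches the technique it cites and an analyst triaging a hit can tie the alert to the right DCOM object without opening the reference.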