Remove implicit selection number, first Sysmon example

This commit is contained in:
Florian Roth
2017-01-10 15:05:19 +01:00
parent bb02bf93d4
commit ffda754d53
6 changed files with 20 additions and 5 deletions
+1 -1
@@ -14,7 +14,7 @@ detection:
- privilege::debug
- sekurlsa::logonpasswords
- lsadump::sam
condition: selection[0] and 1 of keywords
condition: selection and 1 of keywords
falsepositives:
- Naughty administrators
- Penetraion test
+1 -1
@@ -28,7 +28,7 @@ detection:
- Keygen
- Crack
condition:
selection[0] and 1 of keywords and not 1 of filters
selection and 1 of keywords and not 1 of filters
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
level: 70
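Review bot: The new condition is split across two lines (`condition:` on one line, `selection and 1 of keywords and not 1 of filters` on the next), so YAML reads it as a plain scalar continued on the following line; that is only valid while the continuation stays indented deeper than the key, and the rendered page does not preserve that indent, so it cannot be confirmed here. Putting the expression on the key's line, `condition: selection and 1 of keywords and not 1 of filters`, or using an explicit folded scalar `condition: >-`, removes the dependence on indentation and matches the single-line form used by the other rules in this commit. The enclosing detection block starts before the hunk.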
+1 -1
@@ -6,7 +6,7 @@ detection:
EventID:
- 517
- 1102
condition: selection[0]
condition: selection
falsepositives:
- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- System provisioning (system reset before the golden image creation)
@@ -12,7 +12,7 @@ detection:
- 0xC0000070
- 0xC0000413
- 0xC000018C
condition: selection[0]
condition: selection
falsepositives:
- User using a disabled account
level: 70
@@ -10,7 +10,7 @@ detection:
UserName: not null
SourceWorkstation: not null
timeframe: last 24h
condition: selection[0] | ( count(UserName) by SourceWorkstation ) > 3
condition: selection | ( count(UserName) by SourceWorkstation ) > 3
falsepositives:
- Terminal servers
- Jump servers
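Review bot: The new condition `selection | ( count(UserName) by SourceWorkstation ) > 3` relies on the `timeframe: last 24h` line above it, which the rendered page prints at the same level as the `UserName` and `SourceWorkstation` fields of `selection`; if it is really nested under `selection` rather than beside it, it would be read as a field match instead of the aggregation window, so this is worth confirming in the file since the indent is lost here. A short comment above the condition, `# per SourceWorkstation, count UserName over the timeframe and alert when more than 3`, would document the intended reading. The selection definition starts before the hunk.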
+15
@@ -0,0 +1,15 @@
description: Proceses created by MMC
comment: Processes started by MMC could by a sign of lateral movement using MMC application COM object
reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
detection:
selection:
- EventLog: Microsoft-Windows-Sysmon/Operational
EventID: 1
ParentImage: '*\mmc.exe'
Image: '*\cmd.exe'
exclusion:
- CommandLine: '*\RunCmd.cmd'
condition: selection and not exclusion
falsepositives:
- unknown
level: 70
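Review bot: The `exclusion` entry `CommandLine: '*\RunCmd.cmd'` keys only on a filename suffix anywhere in the command line, which is a wide gap for a rule whose purpose is to flag cmd.exe children of mmc.exe; narrowing it to the full expected path of that script, or dropping it and listing the case under `falsepositives`, keeps the exclusion from masking unrelated events. Coverage is also limited to `Image: '*\cmd.exe'`, so other child processes of mmc.exe are not matched; if that is deliberate, a comment such as `# only cmd.exe children are covered; widen Image if other shells are of interest` would make it explicit. The `description` and `comment` values have typos: `Proceses` → `Processes` and `could by a sign` → `could be a sign`. The selection is written as a one-item list (`- EventLog: …`) followed by `EventID`, `ParentImage` and `Image` at what the rendering shows as the same level; the indent is lost here, so confirm those three sit inside the list item rather than beside it, as the rule silently changes meaning otherwise.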