security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
889efd1663f0781e110f32e8e81e88a311e6c500
blue-team-tools/rules/compliance/default_credentials_usage.yml
T
Nasreddine Bencherchali be359ef3f2
Create Release / Create Release (push) Has been cancelled
Details
Merge PR #4681 from @nasbench - Add Missing Ref & Tags 
fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
fix: Metasploit SMB Authentication - Remove unnecessary field
fix: Service Installation in Suspicious Folder - Update FP filter
update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
remove: SAM Dump to AppData
update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
update: New or Renamed User Account with '$' Character - Reduced level to "medium"
update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium"
update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
update: Prefetch File Deleted - Update selection to remove 'C:' prefix
update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule)
update: Shell Process Spawned by Java.EXE - Add "bash.exe"
update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions
update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic
update: Sysmon Application Crashed - Add 32bit version of sysmon binary
update: Tap Driver Installation - Security - Reduce level to "low"
update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-01-29 13:37:20 +01:00

112 lines
2.7 KiB
YAML
Raw Blame History

title: Default Credentials Usage
id: 1a395cbc-a84a-463a-9086-ed8a70e573c7
status: stable
description: |
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
author: Alexandr Yampolskyi, SOC Prime
date: 2019/03/26
tags:
- attack.initial_access
# - CSC4
# - CSC4.2
# - NIST CSF 1.1 PR.AC-4
# - NIST CSF 1.1 PR.AT-2
# - NIST CSF 1.1 PR.MA-2
# - NIST CSF 1.1 PR.PT-3
# - ISO 27002-2013 A.9.1.1
# - ISO 27002-2013 A.9.2.2
# - ISO 27002-2013 A.9.2.3
# - ISO 27002-2013 A.9.2.4
# - ISO 27002-2013 A.9.2.5
# - ISO 27002-2013 A.9.2.6
# - ISO 27002-2013 A.9.3.1
# - ISO 27002-2013 A.9.4.1
# - ISO 27002-2013 A.9.4.2
# - ISO 27002-2013 A.9.4.3
# - ISO 27002-2013 A.9.4.4
# - PCI DSS 3.2 2.1
# - PCI DSS 3.2 7.1
# - PCI DSS 3.2 7.2
# - PCI DSS 3.2 7.3
# - PCI DSS 3.2 8.1
# - PCI DSS 3.2 8.2
# - PCI DSS 3.2 8.3
# - PCI DSS 3.2 8.7
logsource:
product: qualys
detection:
selection:
host.scan.vuln:
- 10693
- 11507
- 11633
- 11804
- 11821
- 11847
- 11867
- 11931
- 11935
- 11950
- 12541
- 12558
- 12559
- 12560
- 12562
- 12563
- 12565
- 12587
- 12590
- 12599
- 12702
- 12705
- 12706
- 12907
- 12928
- 12929
- 13053
- 13178
- 13200
- 13218
- 13241
- 13253
- 13274
- 13296
- 13301
- 13327
- 13373
- 13374
- 13409
- 13530
- 13532
- 20065
- 20073
- 20081
- 27202
- 27358
- 38702
- 38719
- 42045
- 42417
- 43029
- 43220
- 43221
- 43222
- 43223
- 43225
- 43246
- 43431
- 43484
- 86857
- 87098
- 87106
condition: selection
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink