security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cc8a89b6792ba7671d45c255e3042fba5df7cadf
blue-team-tools/rules/windows/builtin/win_susp_sysvol_access.yml
T
Thomas Patzke 3ef930b094 Escaped '\*' to '\\*' where required
2019-02-03 00:24:57 +01:00

37 lines
1.0 KiB
YAML
Raw Blame History

---
action: global
title: Suspicious SYSVOL Domain Group Policy Access
status: experimental
description: Detects Access to Domain Group Policies stored in SYSVOL
references:
- https://adsecurity.org/?p=2288
- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
author: Markus Neis
date: 2018/04/09
modified: 2018/12/11
tags:
- attack.credential_access
- attack.t1003
detection:
condition: selection
falsepositives:
- administrative activity
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*\SYSVOL\\*\policies\\*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*\SYSVOL\\*\policies\\*'
Reference in New Issue View Git Blame Copy Permalink