Feathers 8014c477cd Update win_dcsync.yml ...

Added a more detailed source on this detection.
Also included the AccessMask corresponding to “control access” that is specifically registered when access is allowed following extended rights verification (typically associated with the use of high level and explicit permissions that are required to initiate the DCSync attack) as is described in the Black Landern Security blog post.
Added 3 other GUIDs that corresponds to:
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 - DS-Replication-Get-Changes
9923a32a-3607-11d2-b9be-0000f87a36b2 - DS-Install-Replica
89e95b76-444d-4c62-991a-0facbeda640c - DS-Replication-Get-Changes-In-Filtered-Set

2022-03-15 12:37:07 +01:00

..

application

fix: FP fix

2022-03-11 11:46:25 +01:00

applocker

move to builtin

2022-01-21 11:59:13 +01:00

bits_client

Add Bits-Client rules

2022-03-03 06:27:00 +01:00

code_integrity

move to builtin

2022-01-21 11:59:13 +01:00

dns_server

move to builtin

2022-01-21 11:59:13 +01:00

driverframeworks

move to builtin

2022-01-21 11:59:13 +01:00

firewall_as

fix: TiWorker.exe FW change

2022-02-22 13:58:21 +01:00

ldap

move to builtin

2022-01-21 11:59:13 +01:00

msexchange

fix: unescaped double back slashes

2022-02-01 15:57:15 +01:00

ntlm

Update win_susp_ntlm_brute_force.yml

2022-02-03 22:02:33 +01:00

printservice

move to builtin

2022-01-21 11:59:13 +01:00

security

Update win_dcsync.yml

2022-03-15 12:37:07 +01:00

servicebus

move to builtin

2022-01-21 11:59:13 +01:00

smbclient

move to builtin

2022-01-21 11:59:13 +01:00

system

Refactor regex

2022-03-07 19:08:30 +01:00

taskscheduler

move to builtin

2022-01-21 11:59:13 +01:00

windefend

Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing

2022-02-09 18:18:59 +01:00

wmi

fix: several FPs against a fresh installed Windows with example applications and basic user interaction 2

2022-02-10 16:12:17 +01:00

win_alert_mimikatz_keywords.yml

remove invalid tag

2022-01-19 18:23:30 +01:00