security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f29ffc06974c0e5e80d83bb013ae8a6accedc708
blue-team-tools/rules/windows/builtin/win_admin_share_access.yml
T
David Spautz e275d44462 Add tags to windows builtin rules
2018-07-24 07:50:32 +02:00

22 lines
577 B
YAML
Raw Blame History

title: Access to ADMIN$ Share
description: Detects access to $ADMIN share
tags:
- attack.lateral_movement
- attack.t1077
status: experimental
author: Florian Roth
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5140
ShareName: Admin$
filter:
SubjectUserName: '*$'
condition: selection and not filter
falsepositives:
- Legitimate administrative activity
level: low
Reference in New Issue View Git Blame Copy Permalink