[Rule Tuning] Remove logs-windows.* index (#1928)

* Remove `logs-windows.*` index

* Update discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Jonhnathan
2022-04-14 09:25:44 -03:00
committed by GitHub
parent 258418785f
commit 0943ffba5f
11 changed files with 21 additions and 21 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/01/24"
maturity = "production"
updated_date = "2022/02/28"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the modification of an account's Kerberos pre-authentication options.
the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
index = ["winlogbeat-*", "logs-system.*"]
language = "kuery"
license = "Elastic License v2"
name = "Kerberos Pre-authentication Disabled for User"
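Review bot: Dropping the whole `logs-windows.*` pattern from the `index` line also removes any Security-channel events that reach the stack through the Windows integration rather than the System integration, such as a forwarded-events data stream fed by a WEF collector; if that ingest path is used, those events silently fall out of this rule's scope. If that path is meant to be supported, a narrower pattern such as `index = ["winlogbeat-*", "logs-system.*", "logs-windows.forwarded*"]` keeps it covered without reopening the entire `logs-windows.*` namespace. The query and its event filter are outside the hunk, so I cannot confirm which channel this rule actually depends on; worth checking before the narrower pattern is dropped entirely.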
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/01/27"
maturity = "production"
updated_date = "2022/02/28"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ SeEnableDelegationPrivilege "user right" enables computer and user accounts to b
abuse this right to compromise Active Directory accounts and elevate their privileges.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
index = ["winlogbeat-*", "logs-system.*"]
language = "kuery"
license = "Elastic License v2"
name = "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/01/26"
maturity = "production"
updated_date = "2022/01/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
index = ["winlogbeat-*", "logs-system.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Shadow Credentials added to AD Object"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/12"
maturity = "production"
updated_date = "2021/09/23"
updated_date = "2022/04/13"
[rule]
author = ["Elastic", "Anabella Cristaldi"]
@@ -10,7 +10,7 @@ Identifies attempts to clear Windows event log stores. This is often done by att
or destroy forensic evidence on a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
index = ["winlogbeat-*", "logs-system.*"]
language = "kuery"
license = "Elastic License v2"
name = "Windows Event Logs Cleared"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/15"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies instances of an unusual process enumerating built-in Windows privileg
Administrators or Remote Desktop users.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-system.*"]
language = "eql"
license = "Elastic License v2"
name = "Enumeration of Privileged Local Groups Membership"
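Review bot: The `index` line here swaps `logs-windows.*` for `logs-system.*` rather than just dropping it — the old value had no `logs-system.*` entry — so this is a data-source change, not the pure removal the commit title describes. Presumably the intent is that the events this EQL rule matches are shipped by the System integration, but that depends on the query (outside the hunk) and should be verified against a real `logs-system.*` data stream before release; if those events only ever landed in `logs-windows.*`, the rule goes quiet without any error. The same substitution appears in three other files in this commit, so the commit message should state that these rules change data source instead of only losing one.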
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/01/31"
maturity = "production"
updated_date = "2022/01/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ the protected accounts and groups are reset to match those of the domain's Admin
Administrative Privileges.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
index = ["winlogbeat-*", "logs-system.*"]
language = "kuery"
license = "Elastic License v2"
name = "AdminSDHolder Backdoor"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/01/27"
maturity = "production"
updated_date = "2022/01/27"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -10,7 +10,7 @@ Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT.
maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
index = ["winlogbeat-*", "logs-system.*"]
language = "kuery"
license = "Elastic License v2"
name = "KRBTGT Delegation Backdoor"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ access or evade password duration policies and preserve compromised credentials.
"""
false_positives = ["Legitimate remote account administration."]
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-system.*"]
language = "eql"
license = "Elastic License v2"
name = "Account Password Reset Remotely"
@@ -11,7 +11,7 @@ Directory are those to which powerful rights, privileges, and permissions are gr
any action in Active Directory and on domain-joined systems.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
index = ["winlogbeat-*", "logs-system.*"]
language = "eql"
license = "Elastic License v2"
name = "User Added to Privileged Group in Active Directory"
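Review bot: This file changes `index` but has no `[metadata]` hunk, so `updated_date` is not bumped to `2022/04/13` the way the other ten rules in this commit are. Unless the field was already at that value, add `updated_date = "2022/04/13"` for consistency; if the rule tooling derives version bumps from this field, a missed bump can leave a changed rule looking unchanged to downstream consumers. The `[metadata]` table is outside the hunk, so I cannot confirm its current value.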
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/04"
maturity = "development"
updated_date = "2021/09/23"
updated_date = "2022/04/13"
[rule]
author = ["Skoetting"]
@@ -16,7 +16,7 @@ false_positives = [
behavior is causing false positives, it can be exempted from the rule.
""",
]
index = ["winlogbeat-*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-system.*"]
language = "kuery"
license = "Elastic License v2"
name = "Creation of a local user account"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/12/12"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ elevate privileges from a standard domain user to a user with domain admin privi
vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-system.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privileged Escalation via SamAccountName Spoofing"
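Review bot: Replacing `logs-windows.*` with `logs-system.*` on the `index` line widens this EQL rule to every System-integration data stream, which in a mixed estate includes non-Windows datasets such as syslog and auth logs, not just the Windows Security channel. That is harmless for correctness only if the query (outside the hunk) constrains on Windows-specific fields such as `host.os.type` or a Windows `event.code`; otherwise the rule now scans unrelated data on every run, which costs scheduler time and can surface spurious field-mapping conflicts. Please confirm the query is pinned to Windows events, or consider the narrower `logs-system.security*` if the rule only needs the Security channel.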