security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

updated description

Browse Source
This commit is contained in:
terrancedejesus
2024-03-01 06:46:12 -05:00
parent 8e0ca421ca
commit b4a3702fcb
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/persistence_remote_password_reset.toml
+1 -1
View File
@@ -36,7 +36,7 @@ sequence by winlog.computer_name with maxspan=1m
[authentication where event.action == "logged-in" and
/* event 4624 need to be logged */
winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
source.ip != "127.0.0.1" and source.ip != "::1" and
source.ip != "127.0.0.1" and source.ip != "::1" and
not winlog.event_data.TargetUserName : ("svc*", "PIM_*", "_*_", "*-*-*", "*$")] by winlog.event_data.TargetLogonId
/* event 4724 need to be logged */
[iam where event.action == "reset-password" and