security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

946 Commits

Author SHA1 Message Date
Jonhnathan 1a4510c9d4 [Security Content] Add Investigation Guides to Windows Rules - 2 (#2534) 
* [Security Content] Add Investigation Guides to Windows Rules - 2

* tags

* Adjust some phrasing based on the review

* Update credential_access_bruteforce_admin_account.toml

* Missing Osquery Note

* Missing note
 2023-03-01 21:23:09 -03:00
Jonhnathan c3d8bac402 [Security Content] Add Investigation Guides to Windows rules (#2521) 
* [Security Content] Add Investigation Guides to Windows rules

* .

* Add IG tag

* Apply suggestions from review

* Address reviews

* address note

* Update defense_evasion_amsi_bypass_dllhijack.toml

* Update defense_evasion_amsi_bypass_powershell.toml
 2023-02-22 18:13:13 -03:00
Jonhnathan f17b6f1702 [Security Content] Fix verbiage used on Osquery Note (#2513) 
* [Security Content] Fix verbiage used on Osquery Note

* Adjust verbiage

* date bump

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-02-22 12:33:23 -03:00
Isai 9bef3857f9 [Rule Tuning] Remote System Discovery Commands (#2500) 
* [Rule Tuning] Remote System Discovery Commands

- Added to query to add additional remote system discovery tools : nltest, dsquery, net

* Update discovery_remote_system_discovery_commands_windows.toml

-added dsget.exe

* update date

* removed git comments

* removed extra ( from query
 2023-02-21 18:39:51 -05:00
Isai f04ebf277c [Rule Tuning] (#2537) 
add t1018 Remote system discovery
 2023-02-15 14:58:29 -05:00
Isai 7df801f5c2 [Rule Tuning] Add missing techniques (#2482) 
* tune for missing techniques

-added missing techniques to rules

* added same missing techniques to another rule

- updated_date for all files - added missing techniques to a 3rd rule

* added T1057 technique

added T1057 technique for Process discovery
 2023-02-10 15:07:19 -05:00
shashank-elastic f8e97da549 Rule Tuning Update MITRE Details (#2526) 
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-02-10 23:05:28 +05:30
Nic 54b2f7582e Update defense_evasion_unusual_ads_file_creation.toml (#2522) 2023-02-07 09:40:42 -03:00
Mika Ayenson 1784429aa7 [FR] Add Integration Schema Query Validation (#2470) 2023-02-02 16:22:44 -05:00
Samirbous cd2307ba7d [New Rule] FirstTimeSeen User Performing DCSync (#2433) 
* Create credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-02-02 15:44:31 +00:00
Jonhnathan 4bfcbeab36 [Rule Tuning] Unusual Network Activity from a Windows System Binary (#2509) 
* [Rule Tuning] Unusual Network Activity from a Windows System Binary

* Update defense_evasion_network_connection_from_windows_binary.toml
 2023-02-01 13:19:28 -03:00
Isai 748bdbf8b1 [New Rule] Enumerating Domain Trusts via Dsquery.exe (#2508) 
* [New Rule] Enumerating Domain Trusts via Dsquery.exe

T1482 Domain Trust Discovery

New rule to capture domain trust discovery with dsquery.

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

I think it would be beneficial to add the process.pe.original_file_name : "dsquery.exe" to the rule, as it would be easy for an attacker to bypass this rule by changing the file name, as so: https://prnt.sc/ZqePZKuV1-Vq

Other than that, LGTM!

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-02-01 10:27:42 -05:00
Samirbous c6125004c1 [New Rules] WSL Related Rules (#2463) 
* Create defense_evasion_wsl_registry_modification.toml

* Create defense_evasion_wsl_kalilinux.toml

* Create defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_kalilinux.toml

* Create defense_evasion_wsl_filesystem.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_filesystem.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_filesystem.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update defense_evasion_wsl_registry_modification.toml

* Update defense_evasion_wsl_child_process.toml

* Create defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_kalilinux.toml

* Create defense_evasion_wsl_enabled_via_dism.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Delete defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Create defense_evasion_wsl_bash_exec.toml

* Delete defense_evasion_wsl_bash_exec.toml

* Create defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_registry_modification.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update defense_evasion_wsl_kalilinux.toml
 2023-02-01 15:10:28 +00:00
Samirbous 7fe08e7856 Update persistence_service_windows_service_winlog.toml (#2516) 2023-02-01 14:34:30 +00:00
Ruben Groenewoud be5cd23a64 [New Rules] Code Signing Policy Modification (#2510) 
* [New Rules] Code Signing Policy Modification

* Fixed description & tags

* cleaned the query syntax

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-02-01 15:30:15 +01:00
Jonhnathan 5a31cb250d [Rule Tuning] Unusual File Modification by dns.exe (#2505) 2023-02-01 11:10:05 -03:00
Jonhnathan 8c2cbae5a8 [New Rule] Potential PowerShell HackTool Script by Function Names (#2474) 
* [New Rule] Potential PowerShell HackTool Script by Function Names

* Update execution_posh_hacktool_functions.toml

* Update execution_posh_hacktool_functions.toml

* Update execution_posh_hacktool_functions.toml
 2023-01-31 17:21:36 -03:00
Jonhnathan 8e02c60ef6 [Rule Tuning] Enclose Rule Conditions within Parenthesis (#2486) 2023-01-31 16:56:19 -03:00
Jonhnathan 99f177a5ae [Rule Tuning] Potential Credential Access via DCSync (#2501) 2023-01-31 16:50:39 -03:00
Jonhnathan 8519fad243 [Rule Tuning] Potential Remote Credential Access via Registry (#2511) 
* [Rule Tuning] Potential Remote Credential Access via Registry

* Remove WEF index
 2023-01-31 15:09:32 -03:00
Isai d636f2d465 [Rule Tuning] T1069 and T1087 - admin wildcard (#2484) 
Tuned both rules:relax the conditions by adding a wildcard to admin
 2023-01-30 22:01:52 -05:00
Jonhnathan 54f65abdb0 [Rule Tuning] Potential Shadow Credentials added to AD Object (#2498) 2023-01-30 09:14:23 -03:00
Ruben Groenewoud b8adffa469 [New Rule] System Service Discovery through built-in Windows Utilities (#2491) 
* [New Rule] System Service Discovery through built-in Windows Utilities

* added pe.original_file_name to net.exe

* fixed query style mistake

* fixed detection logic mistake

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-29 19:15:17 +01:00
Samirbous c5ce910d3a Create defense_evasion_timestomp_sysmon.toml (#2476) 2023-01-27 21:32:03 +00:00
Samirbous b8dcc6ab4b [New Rules] C2 via BITS and CertReq (#2466) 
* Create command_and_control_certreq_postdata.toml

* Update command_and_control_certreq_postdata.toml

* Update command_and_control_certreq_postdata.toml

* Create command_and_control_ingress_transfer_bits.toml

* Update non-ecs-schema.json

* Update command_and_control_certreq_postdata.toml

* Update command_and_control_ingress_transfer_bits.toml

* Update rules/windows/command_and_control_certreq_postdata.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-27 20:17:36 +00:00
Samirbous e737b4eb7c [Tuning] added T1021.006 and T1563.001 (#2497) 
* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_credential_access_modify_ssh_binaries.toml

* Update credential_access_potential_linux_ssh_bruteforce_root.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml
 2023-01-27 19:51:22 +00:00
Samirbous a1df310e56 [New Rule] T1553.006 - Untrusted Driver Loaded (#2499) 
* Create defense_evasion_untrusted_driver_loaded.toml

* Update defense_evasion_untrusted_driver_loaded.toml
 2023-01-27 19:46:35 +00:00
Samirbous 2372602c4e [New Rules] Amsi Bypass (#2473) 
* Create defense_evasion_amsi_bypass_powershell.toml

* Create defense_evasion_amsi_bypass_dllhijack.toml

* Update defense_evasion_amsi_bypass_dllhijack.toml
 2023-01-26 06:03:53 +00:00
Samirbous 1c6e5a3448 [New Rule] Suspicious Inter-Process Communication via Outlook (#2458) 
* Create collection_email_outlook_mailbox_via_com.toml

* Update non-ecs-schema.json

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 17:44:32 +00:00
Samirbous 1a5e64ce13 [New Rule] T1543.003 - Unsigned DLL Loaded by Svchost (#2477) 
* Create persistence_service_dll_unsigned.toml

* Update non-ecs-schema.json

* Update persistence_service_dll_unsigned.toml

* Update rules/windows/persistence_service_dll_unsigned.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update detection_rules/etc/non-ecs-schema.json

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update persistence_service_dll_unsigned.toml

* Update persistence_service_dll_unsigned.toml

* Update non-ecs-schema.json

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 17:11:38 +00:00
Samirbous bcd8ef15ba [New Rule] Unsigned DLL Side-Loading from a Suspicious Folder (#2409) 
* Create defense_evasion_unsigned_dll_loaded_from_suspdir.toml

* Update non-ecs-schema.json

* Update defense_evasion_unsigned_dll_loaded_from_suspdir.toml

* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 13:23:20 +00:00
Samirbous 8427c8cd22 Create credential_access_suspicious_lsass_access_generic.toml (#2487) 2023-01-25 09:43:35 +00:00
Jonhnathan f804c29f6d [New Rule] PowerShell Script with Encryption/Decryption Capabilities (#2489) 
* [New Rule] PowerShell Script with Encryption/Decryption Capabilities

* Update defense_evasion_posh_encryption.toml
 2023-01-24 12:26:11 -03:00
Ruben Groenewoud 644a094503 Group Policy Object Discovery through gpresult.exe (#2483) 
* [New  Rule] Group Policy Discovery Through gpresult.exe

* Fixed typo

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_group_policy_object_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-24 12:10:57 +01:00
Jonhnathan fc30b5881f [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities (#2465) 
* [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities

* Bump sev

* Update rules/windows/collection_posh_clipboard_capture.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-01-24 07:58:48 -03:00
Jonhnathan 92ae27600f [New Rule] PowerShell Mailbox Collection Script (#2461) 2023-01-24 07:54:55 -03:00
Jonhnathan 7cde7901e3 [Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions (#2478) 
* [Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions

* Update discovery_posh_suspicious_api_functions.toml
 2023-01-23 20:35:43 -03:00
Jonhnathan 729ecf8b58 [New Rule] PowerShell Invoke-NinjaCopy script (#2488) 
* [New Rule] PowerShell Invoke-NinjaCopy script

* Update credential_access_posh_invoke_ninjacopy.toml

* Update credential_access_posh_invoke_ninjacopy.toml
 2023-01-23 20:00:57 -03:00
Ruben Groenewoud e3ff45e20c [New Rule] System Time Discovery (#2475) 
* [New Rule] System Time Discovery

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-18 13:01:57 +01:00
Samirbous cb88ad715c [New Rule] Exchange Mailbox via PowerShell (#2459) 
* Create collection_mailbox_export_winlog.toml

* Update collection_mailbox_export_winlog.toml

* Update collection_mailbox_export_winlog.toml

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/windows/collection_mailbox_export_winlog.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-11 16:45:20 +00:00
Samirbous 8afda66487 [Rule Tuning] Suspicious WerFault Child Process (#2437) 
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
 2023-01-11 16:41:57 +00:00
Samirbous 9121a25b02 Update collection_email_powershell_exchange_mailbox.toml (#2457) 2023-01-11 16:29:01 +00:00
Jonhnathan 4124a82496 [Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules (#2449) 
* [Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules

* Update privilege_escalation_posh_token_impersonation.toml

* Update privilege_escalation_posh_token_impersonation.toml

* Adjust severity
 2023-01-10 09:37:07 -03:00
Jonhnathan 7725e32126 [Security Content] Fix Osquery Markdown Plugin Escaped queries (#2447) 
* [Security Content] Fix Osquery Markdown Plugin Escaped queries

* Re-add line

* Update credential_access_credential_dumping_msbuild.toml

* Update command_and_control_common_webservices.toml
 2023-01-09 14:45:31 -03:00
Jonhnathan 9981cca275 [Security Content] Investigation Guides Line breaks refactor (#2454) 
* [Security Content] Investigation Guides Line breaks refactor (#2412)

* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key

* Remove changes to deprecated rules

* Update command_and_control_certutil_network_connection.toml
 2023-01-09 13:28:10 -03:00
Terrance DeJesus b1a689b6fd Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453) 
This reverts commit d1481e1a88.
 2023-01-09 10:44:54 -05:00
Jonhnathan d1481e1a88 [Security Content] Investigation Guides Line breaks refactor (#2412) 
* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key
 2023-01-09 11:56:39 -03:00
Terrance DeJesus 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429) 
* initial commit

* addressing flake errors

* added apm to _get_packagted_integrations logic

* addressed flake errors

* adjusted integration schema and updated rules to be a list

* updated several rules and removed a unit test

* updated rules with logs-* only index patterns

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* addressed flake errors

* integration is none is windows, endpoint or apm

* adding rules with accepted incoming changes from main

* fixed tag and tactic alignment errors from unit testing

* adjusted unit testing logic for integration tags; added more exclusion rules

* adjusted test_integration logic to be rule resistent and skip if -8.3

* adjusted comments for unit test skip

* fixed merge conflicts from main

* changing test_integration_tag to remove logic for rule version comparisons

* added integration tag to new rule

* adjusted rules updated_date value

* ignore guided onboarding rule in unit tests

* added integration tag to new rule

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-01-04 09:30:07 -05:00
Samirbous 46eccea704 [New Rule] Suspicious Module Loaded by LSASS (#2441) 
* Create credential_access_lsass_loaded_susp_dll.toml

* Update credential_access_lsass_loaded_susp_dll.toml

* Update rules/windows/credential_access_lsass_loaded_susp_dll.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_loaded_susp_dll.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_loaded_susp_dll.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-04 07:56:07 +00:00
Samirbous 3dbb87e46c Update credential_access_kerberoasting_unusual_process.toml (#2444) 2023-01-04 07:50:04 +00:00