Jonhnathan
6ed9769eb6
* AdminSDHolder Backdoor
* Update rules/windows/persistence_ad_adminsdholder.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 9ce5d0b92a)
50 lines
1.4 KiB
JSON
50 lines
1.4 KiB
JSON
{
|
|
"endgame-*": {
|
|
"endgame": {
|
|
"metadata": {
|
|
"type": "keyword"
|
|
},
|
|
"event_subtype_full": "keyword"
|
|
}
|
|
},
|
|
"winlogbeat-*": {
|
|
"winlog": {
|
|
"event_data": {
|
|
"AccessList": "keyword",
|
|
"AllowedToDelegateTo": "keyword",
|
|
"AttributeLDAPDisplayName": "keyword",
|
|
"AttributeValue": "keyword",
|
|
"CallerProcessName": "keyword",
|
|
"CallTrace": "keyword",
|
|
"GrantedAccess": "keyword",
|
|
"ObjectDN": "keyword",
|
|
"OriginalFileName": "keyword",
|
|
"RelativeTargetName": "keyword",
|
|
"ShareName": "keyword",
|
|
"SubjectLogonId": "keyword",
|
|
"TargetImage": "keyword",
|
|
"TargetLogonId": "keyword",
|
|
"TargetProcessGUID": "keyword",
|
|
"TargetSid": "keyword",
|
|
"OldTargetUserName": "keyword",
|
|
"NewTargetUserName": "keyword"
|
|
}
|
|
},
|
|
"winlog.logon.type": "keyword",
|
|
"powershell.file.script_block_text": "text"
|
|
},
|
|
"filebeat-*": {
|
|
"o365.audit.NewValue": "keyword",
|
|
"o365audit.Parameters.ForwardTo": "keyword",
|
|
"o365audit.Parameters.ForwardAsAttachmentTo": "keyword",
|
|
"o365audit.Parameters.RedirectTo": "keyword"
|
|
},
|
|
"logs-endpoint.events.*": {
|
|
"process.Ext.token.integrity_level_name": "keyword",
|
|
"process.parent.Ext.real.pid": "long"
|
|
},
|
|
"logs-windows.*": {
|
|
"powershell.file.script_block_text": "text"
|
|
}
|
|
}
|