security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b6737aa2c3faa564487acfce60ccddf9c127a857
sigma-rules/etc
T
History
Samirbous a6582351b5 [New Rule] Potential Remote Credential Access via Registry (#1804) 
* [New Rule] Potential Remote Credential Access via Registry

4624 logon followed by hive file creation by regsvc svchost.exe by same user.name and host.id. This matches on secretdsdump and other similar implementations. require to correlation Elastic endpoint file events with System integration logs (4624).

Example of data :

* Delete workspace.xml

* Update credential_access_remote_sam_secretsdump.toml

* Update credential_access_remote_sam_secretsdump.toml

* add non ecs field

* Update non-ecs-schema.json

* Update credential_access_remote_sam_secretsdump.toml

* Update rules/windows/credential_access_remote_sam_secretsdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_remote_sam_secretsdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_remote_sam_secretsdump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-03-03 16:28:03 +01:00
..
api_schemas
Prep for creation of 8.2 branch (#1762)
2022-02-08 18:43:55 -09:00
beats_schemas
Prepare for creation of 8.1 branch (#1700)
2022-01-25 18:11:59 -09:00
ecs_schemas
Prepare for creation of 8.1 branch (#1700)
2022-01-25 18:11:59 -09:00
attack-crosswalk.json
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
attack-technique-redirects.json
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
attack-v10.1.json.gz
Refresh ATT&CK to v10.1 (#1791)
2022-02-24 16:37:23 -09:00
deprecated_rules.json
Lock versions for releases: 7.13,7.14,7.15,7.16,8.0 (#1732)
2022-01-26 13:54:18 -09:00
lock-multiple.sh
[CI] Add GitHub actions workflow to lock versions across branches (#1456)
2021-08-26 14:17:34 -06:00
non-ecs-schema.json
[New Rule] Potential Remote Credential Access via Registry (#1804)
2022-03-03 16:28:03 +01:00
packages.yml
Prep for creation of 8.2 branch (#1762)
2022-02-08 18:43:55 -09:00
rule_template_typosquatting_domain.json
Generate detection rule to alert on traffic to typosquatting/homonym domains (#1199)
2021-09-03 13:35:59 -07:00
rule-mapping.yml
[New Rule] AWS EC2 Snapshot Activity
2020-07-07 15:10:06 -06:00
security-logo-color-64px.svg
[Fleet] Update template and packaging code for fleet packages (#1280)
2021-06-15 07:54:50 -06:00
stack-schema-map.yaml
Prep for creation of 8.2 branch (#1762)
2022-02-08 18:43:55 -09:00
test_toml.json
[Bug] Fix toml-lint ordering of Mitre metadata #1249 (#1774)
2022-02-22 13:57:49 -05:00
version.lock.json
Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (#1781)
2022-02-16 08:25:31 -09:00