Added Sigma Rules
@@ -0,0 +1,30 @@
title: External Disk Drive Or USB Storage Device
author: Keith Wright
date: 2019/11/20
description: Detects external diskdrives or plugged in USB devices , EventID 6416
on windows 10 or later
detection:
SELECTION_1:
EventID: 6416
SELECTION_2:
ClassName: DiskDrive
SELECTION_3:
DeviceDescription: USB Mass Storage Device
condition: ((SELECTION_1 and SELECTION_2) or SELECTION_3)
falsepositives:
- Legitimate administrative activity
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
level: low
logsource:
product: windows
service: security
modified: 2021/08/09
status: experimental
tags:
- attack.t1091
- attack.t1200
- attack.lateral_movement
- attack.initial_access
yml_filename: win_external_device.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
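Review bot: the condition `((SELECTION_1 and SELECTION_2) or SELECTION_3)` lets `SELECTION_3` (`DeviceDescription: USB Mass Storage Device`) match on its own with no `EventID` constraint, so any Security-log event carrying that field value fires the rule; if the intent is to detect event 6416 as the description says, `SELECTION_1 and (SELECTION_2 or SELECTION_3)` is the tighter form. Two smaller points in the same hunk: the `description` value is split across two lines (`... , EventID 6416` and `on windows 10 or later`), which only parses as YAML if the continuation is indented under the key, so either join it into one line or use a `>` folded scalar, and while there fix `diskdrives` and the stray space before the comma; and `yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin` is an absolute path from one developer's machine (and `yml_path`/`yml_filename` are not standard Sigma fields), so it will be wrong everywhere else and is better dropped or derived by the tooling rather than stored in the rule.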