Rule tuning
This commit is contained in:
Tanaka Zakku
@@ -12,7 +12,7 @@ detection:
|
||||
EventID: 59
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'Job Title:%JobTitle% URL:%Url%'
|
||||
output_jp: 'Job名:%JobTitle% URL:%Url%'
|
||||
output: 'Job Title:%JobTitle% : URL:%Url%'
|
||||
output_jp: 'Job名:%JobTitle% : URL:%Url%'
|
||||
creation_date: 2021/07/15
|
||||
updated_date: 2021/11/06
|
||||
updated_date: 2021/11/18
|
||||
|
||||
@@ -16,7 +16,7 @@ detection:
|
||||
# condition: selection
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'Command = %CommandLine%'
|
||||
output_jp: 'コマンド = %CommandLine%'
|
||||
output: 'Command:%CommandLine%'
|
||||
output_jp: 'コマンド:%CommandLine%'
|
||||
creation_date: 2020/11/08
|
||||
updated_date: 2021/11/06
|
||||
updated_date: 2021/11/18
|
||||
|
||||
@@ -2,7 +2,7 @@ title: Security log was cleared
|
||||
title_jp: セキュリティログがクリアされた
|
||||
description: Somebody has cleared the Security event log.
|
||||
description_jp: 誰かがセキュリティログをクリアした。
|
||||
author: Eric Contrad
|
||||
author: Eric Conrad
|
||||
contributor: Zach Mathis, Akira Nishikawa, James Takai
|
||||
mitre_attack: T1070.001
|
||||
level: high
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
title: Sensitive Privilede Use (Mimikatz)
|
||||
description: hogehoge
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
author: Eric Conrad, Zach Mathis
|
||||
level: medium
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
title: An Operation was attempted on a privileged object
|
||||
title: An operation was attempted on a privileged object
|
||||
description: hogehoge
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
author: Eric Conrad, Zach Mathis
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
|
||||
@@ -1,13 +0,0 @@
|
||||
title: A user account was created.
|
||||
description: hogehoge
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
EventID: 4720
|
||||
# condition: selection
|
||||
falsepositives:
|
||||
- unknown
|
||||
output: 'New User Created UserName:%TargetUserName% SID:%TargetSid%'
|
||||
creation_date: 2020/11/8
|
||||
updated_date: 2020/11/8
|
||||
@@ -0,0 +1,15 @@
|
||||
title: Hidden computer account created! (Possible Backdoor)
|
||||
description: A local user account was created
|
||||
author: Eric Conrad, Zach Mathis
|
||||
level: high
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
EventID: 4720
|
||||
TargetUserName|endswith: "$"
|
||||
|
||||
falsepositives:
|
||||
- unknown
|
||||
output: 'User: %TargetUserName% : SID:%TargetSid%'
|
||||
creation_date: 2020/11/8
|
||||
updated_date: 2021/11/18
|
||||
@@ -0,0 +1,16 @@
|
||||
title: User account created
|
||||
description: A local user account was created
|
||||
author: Eric Conrad, Zach Mathis
|
||||
level: low
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
EventID: 4720
|
||||
filter:
|
||||
TargetUserName|endswith: "$"
|
||||
condition: selection and not filter
|
||||
falsepositives:
|
||||
- unknown
|
||||
output: 'User: %TargetUserName% : SID:%TargetSid%'
|
||||
creation_date: 2020/11/8
|
||||
updated_date: 2021/11/18
|
||||
@@ -1,6 +1,7 @@
|
||||
title: A member was added to a security-enabled global group.
|
||||
description: hogehoge
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
title: User added to local Administrators group
|
||||
description: A user was added to a group.
|
||||
author: Eric Conrad, Zach Mathis
|
||||
level: high
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -9,6 +10,6 @@ detection:
|
||||
# condition: selection
|
||||
falsepositives:
|
||||
- unknown
|
||||
output: 'user added to global Administrators UserName: %MemberName% SID: %MemberSid%'
|
||||
output: 'User: %MemberName% : SID: %MemberSid%'
|
||||
creation_date: 2020/11/8
|
||||
updated_date: 2020/11/8
|
||||
updated_date: 2021/11/18
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
title: A member was added to a security-enabled local group.
|
||||
description: hogehoge
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
title: User added to local Administrators group
|
||||
description: User added to local Administrators group
|
||||
author: Eric Conrad, Zach Mathis
|
||||
level: high
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -9,6 +10,6 @@ detection:
|
||||
# condition: selection
|
||||
falsepositives:
|
||||
- unknown
|
||||
output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
|
||||
output: 'UserName: %MemberName% : SID: %MemberSid%'
|
||||
creation_date: 2020/11/8
|
||||
updated_date: 2020/11/8
|
||||
updated_date: 2021/11/18
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
title: A member was added to a security-enabled universal group.
|
||||
title: User added to Administrators universal group.
|
||||
description: hogehoge
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
author: Eric Conrad, Zach Mathis
|
||||
level: high
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -9,6 +10,6 @@ detection:
|
||||
# condition: selection
|
||||
falsepositives:
|
||||
- unknown
|
||||
output: 'user added to universal Administrators UserName: %MemberName% SID: %MemberSid%'
|
||||
output: 'UserName: %MemberName% : SID: %MemberSid%'
|
||||
creation_date: 2020/11/8
|
||||
updated_date: 2020/11/8
|
||||
updated_date: 2021/11/8
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: AS-REP Roasting
|
||||
title_jp: AS-REPロースティング
|
||||
title: Possible AS-REP Roasting
|
||||
title_jp: AS-REPロースティングの可能性
|
||||
description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
|
||||
description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
|
||||
author: Matsui
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
title: An account failed to log on
|
||||
description: hogehoge
|
||||
description: Logon Failure
|
||||
ignore: true
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
author: Eric Conrad, Zach Mathis
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
title: An account failed to log on
|
||||
description: hogehoge
|
||||
ignore: true
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
author: Eric Conrad, Zach Mathis
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Command Line Logging
|
||||
description: hogehoge
|
||||
description: Command Line Logging
|
||||
ignore: true
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
author: Eric Conrad, Zach Mathis
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
# condition: selection
|
||||
falsepositives:
|
||||
- unknown
|
||||
output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
|
||||
output: 'CommandLine:%CommandLine% : ParentProcessName:%ParentProcessName%'
|
||||
creation_date: 2020/11/8
|
||||
updated_date: 2020/11/8
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
title: Sysmon Check command lines
|
||||
description: hogehoge
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
title: Command line execution
|
||||
description: Command line execution
|
||||
author: Eric Conrad, Zach Mathis
|
||||
detection:
|
||||
selection:
|
||||
Channel: Sysmon
|
||||
@@ -9,7 +9,7 @@ detection:
|
||||
# condition: selection
|
||||
falsepositives:
|
||||
- unknown
|
||||
output: 'CommandLine=%CommandLine%¥nParentImage=%ParentImage%'
|
||||
output: 'CommandLine: %CommandLine% : ParentImage:%ParentImage%'
|
||||
creation_date: 2020/11/8
|
||||
uodated_date: 2020/11/8
|
||||
uodated_date: 2021/11/8
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
title: Check for unsigned EXEs/DLLs
|
||||
description: hogehoge
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
title: Unsigned EXEs/DLLs
|
||||
description: Detects usage of unsigned exe and dlls.
|
||||
author: Eric Conrad, Zach Mathis
|
||||
detection:
|
||||
selection:
|
||||
Channel: Sysmon
|
||||
@@ -9,6 +9,6 @@ detection:
|
||||
# condition: selection
|
||||
falsepositives:
|
||||
- unknown
|
||||
output: 'Message: Unsigned Image(DLL)¥n Result : Loaded by: %event_data.Image%¥nCommand : %event_data.ImageLoaded%'
|
||||
output: 'Unsigned Image(DLL): %event_data.Image : Command: %event_data.ImageLoaded%'
|
||||
creation_date: 2020/11/8
|
||||
uodated_date: 2020/11/8
|
||||
uodated_date: 2021/11/8
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
title: This service may not function properly
|
||||
description: hogehoge
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
title: Interactive service may not function properly
|
||||
description: Uses a blocklist of suspicious services to detect malware. 7030 happens when a service is marked as an interactive service but the system is not configured to allow interactive services so it might not function properly.
|
||||
author: Eric Conrad, Zach Mathis
|
||||
level: low
|
||||
detection:
|
||||
selection:
|
||||
Channel: System
|
||||
@@ -10,6 +11,6 @@ detection:
|
||||
# condition: selection
|
||||
falsepositives:
|
||||
- unknown
|
||||
output: 'Interactive service warning¥nService name: %ServiceName%¥nMalware (and some third party software) trigger this warning'
|
||||
output: 'Service: %ServiceName%'
|
||||
creation_date: 2020/11/8
|
||||
uodated_date: 2020/11/8
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
title: The start type of the Windows Event Log service was changed from auto start to disabled
|
||||
description: hogehoge
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
title: Windows Event Log service start type changed from auto start to disabled
|
||||
description: Possible anti-forensics disabling the log service.
|
||||
author: Eric Conrad, Zach Mathis
|
||||
level: high
|
||||
detection:
|
||||
selection:
|
||||
Channel: System
|
||||
@@ -12,6 +13,6 @@ detection:
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- unknown
|
||||
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
|
||||
output: 'Service: %param1%'
|
||||
creation_date: 2020/11/8
|
||||
uodated_date: 2020/11/8
|
||||
uodated_date: 2021/11/8
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
title: A service was installed in the system
|
||||
description: hogehoge
|
||||
author: DeepblueCLI, Zach Mathis
|
||||
title: Service installed
|
||||
description: A service was installed. Malware often will install itself as malware.
|
||||
author: Eric Conrad, Zach Mathis
|
||||
level: low
|
||||
detection:
|
||||
selection:
|
||||
Channel: System
|
||||
@@ -13,6 +14,6 @@ detection:
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- unknown
|
||||
output: 'New Service Created¥n%ImagePath¥nService name: %ServiceName%'
|
||||
output: 'Service: %ServiceName% : Image path: %ImagePath'
|
||||
creation_date: 2020/11/8
|
||||
uodated_date: 2020/11/8
|
||||
uodated_date: 2021/11/8
|
||||
|
||||
@@ -1,30 +0,0 @@
|
||||
title: Hidden Local User Creation
|
||||
author: Christian Burkard
|
||||
date: 2021/05/03
|
||||
description: Detects the creation of a local hidden user account which should not
|
||||
happen for event ID 4720.
|
||||
detection:
|
||||
SELECTION_1:
|
||||
EventID: 4720
|
||||
SELECTION_2:
|
||||
TargetUserName: '*$'
|
||||
condition: (SELECTION_1 and SELECTION_2)
|
||||
falsepositives:
|
||||
- unknown
|
||||
fields:
|
||||
- EventCode
|
||||
- AccountName
|
||||
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
|
||||
level: high
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
references:
|
||||
- https://twitter.com/SBousseaden/status/1387743867663958021
|
||||
status: experimental
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1136.001
|
||||
yml_filename: win_hidden_user_creation.yml
|
||||
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
|
||||
|
||||
@@ -1,32 +0,0 @@
|
||||
title: User Added to Local Administrators
|
||||
author: Florian Roth
|
||||
date: 2017/03/14
|
||||
description: This rule triggers on user accounts that are added to the local Administrators
|
||||
group, which could be legitimate activity or a sign of privilege escalation activity
|
||||
detection:
|
||||
SELECTION_1:
|
||||
EventID: 4732
|
||||
SELECTION_2:
|
||||
TargetUserName: Administr*
|
||||
SELECTION_3:
|
||||
TargetSid: S-1-5-32-544
|
||||
SELECTION_4:
|
||||
SubjectUserName: '*$'
|
||||
condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and not (SELECTION_4))
|
||||
falsepositives:
|
||||
- Legitimate administrative activity
|
||||
id: c265cf08-3f99-46c1-8d59-328247057d57
|
||||
level: medium
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
modified: 2021/07/07
|
||||
status: stable
|
||||
tags:
|
||||
- attack.privilege_escalation
|
||||
- attack.t1078
|
||||
- attack.persistence
|
||||
- attack.t1098
|
||||
yml_filename: win_user_added_to_local_administrators.yml
|
||||
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
|
||||
|
||||
@@ -1,33 +0,0 @@
|
||||
title: Local User Creation
|
||||
author: Patrick Bareiss
|
||||
date: 2019/04/18
|
||||
description: Detects local user creation on windows servers, which shouldn't happen
|
||||
in an Active Directory environment. Apply this Sigma Use Case on your windows
|
||||
server logs and not on your DC logs.
|
||||
detection:
|
||||
SELECTION_1:
|
||||
EventID: 4720
|
||||
condition: SELECTION_1
|
||||
falsepositives:
|
||||
- Domain Controller Logs
|
||||
- Local accounts managed by privileged account management tools
|
||||
fields:
|
||||
- EventCode
|
||||
- AccountName
|
||||
- AccountDomain
|
||||
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
|
||||
level: low
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
modified: 2020/08/23
|
||||
references:
|
||||
- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
|
||||
status: experimental
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1136
|
||||
- attack.t1136.001
|
||||
yml_filename: win_user_creation.yml
|
||||
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 0 - System
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 10 - RDP (Remote Interactive)
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 11 - CachedInteractive
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 12 - CachedRemoteInteractive
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 13 - CachedUnlock
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 2 - Interactive
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 3 - Network
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -17,6 +17,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 4 - Batch
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 5 - Service
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -17,6 +17,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 7 - Unlock
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 9 - NewCredentials
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -9,6 +9,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Type: %LogonType% Workstation: %Workstation% IP Address: %IpAddress% SubStatus: %SubStatus% AuthPackage: %AuthenticationPackageName%'
|
||||
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %Workstation% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logoff
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -14,6 +14,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'Username: %TargetUserName% LogonID: %TargetLogonId%'
|
||||
output: 'Username: %TargetUserName% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logoff - User Initiated
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -9,6 +9,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'Username: %TargetUserName% LogonID: %TargetLogonId%'
|
||||
output: 'Username: %TargetUserName% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Admin Logon
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -17,6 +17,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %SubjectUserName% LogonID: %SubjectLogonId%'
|
||||
output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Kerberos TGT was requested
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -9,6 +9,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'tUsername: %TargetUserName% Service Name: %ServiceName% IP Address: %IpAddress% Status: %Status% PreAuthType: %PreAuthType%'
|
||||
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Kerberos Service Ticket Requested
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -9,6 +9,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'tUsername: %TargetUserName% Service Name: %ServiceName% IP Address: %IpAddress% Status: %Status%'
|
||||
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: NTLM Logon to Local Account
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -9,6 +9,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'Username: %TargetUserName% Workstation %WorkstationName% Status: %Status%'
|
||||
output: 'User: %TargetUserName% : Workstation %WorkstationName% : Status: %Status%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
Reference in New Issue
Block a user