hayabusa/rules/deep_blue_cli/security/4673.yml

title: Sensitive Privilede Use (Mimikatz)
description: hogehoge
author: Yea
logsource: 
    product: windows
detection:
    selection:
        Channel: Security
        EventID: 4673
    # condition: selection | count(EventID) >  4
falsepositives:
    - unknown
level: medium
output: |
    Sensitive Privilege Use Exceeds Threshold
    Potentially indicative of Mimikatz, multiple sensitive priviledge calls have been made.
    UserName:%SubjectUserName% Domain Name:%DomainName%
creation_date: 2020/11/8
updated_date: 2020/11/8