valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
0592cbb67a
SigmaHQ/rules/windows/builtin/win_alert_mimikatz_keywords.yml

35 lines
911 B
YAML
Raw Normal View History

Massive Title Cleanup
2018-01-27 09:57:30 +00:00
title: Mimikatz Use
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different
threat groups)
Added "logsource" sections and new rule
2017-02-18 23:31:59 +00:00
author: Florian Roth
rule: mimikatz use extended
2019-10-11 16:50:33 +00:00
date: 2017/01/10
modified: 2019/10/11
Add tags to windows builtin rules
2018-07-24 05:50:32 +00:00
tags:
- attack.s0002
ATT&CK tagging QA
2018-09-20 10:44:44 +00:00
- attack.t1003
Add tags to windows builtin rules
2018-07-24 05:50:32 +00:00
- attack.lateral_movement
- attack.credential_access
First Pass
2019-06-14 04:15:38 +00:00
- car.2013-07-001
- car.2019-04-004
Added "logsource" sections and new rule
2017-02-18 23:31:59 +00:00
logsource:
Removed lists from log source section
2017-02-19 10:08:23 +00:00
product: windows
Example Updates
2016-12-27 13:49:54 +00:00
detection:
keywords:
fix: bound windows event log rules to message field Fixed rules - rules/windows/builtin/win_susp_msmpeng_crash.yml - rules/windows/builtin/win_alert_active_directory_user_control.yml - rules/windows/builtin/win_av_relevant_match.yml - rules/windows/builtin/win_mal_creddumper.yml - rules/windows/builtin/win_susp_sam_dump.yml - rules/windows/builtin/win_alert_mimikatz_keywords.yml - rules/windows/builtin/win_alert_enable_weak_encryption.yml
2019-11-02 10:25:29 +00:00
Message:
Added wildcards to rule values These values appear somewhere in a log message, therefore wildcards are required.
2019-05-20 23:03:20 +00:00
- "* mimikatz *"
- "* mimilib *"
- "* <3 eo.oe *"
- "* eo.oe.kiwi *"
- "* privilege::debug *"
- "* sekurlsa::logonpasswords *"
- "* lsadump::sam *"
- "* mimidrv.sys *"
rule: mimikatz use extended
2019-10-11 16:50:33 +00:00
- "* p::d *"
- "* s::l *"
Windows Built-In rules > LogSource definition
2017-03-05 22:55:52 +00:00
condition: keywords
Example Updates
2016-12-27 13:49:54 +00:00
falsepositives:
- Naughty administrators
Rule review * Typos * Added false positive descriptions
2017-02-24 22:44:42 +00:00
- Penetration test
Levels to low, medium, high, critical
2017-02-16 17:02:26 +00:00
level: critical
Reference in New Issue Copy Permalink