valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
736eeabf9f
SigmaHQ/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml

23 lines
782 B
YAML
Raw Normal View History

13 Rules from THP - Backlog Rules (old)
2020-10-13 07:33:55 +00:00
title: Wdigest Enable UseLogonCredential
duplicate uuid 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 - sysmon_susp_webdav_client_execution.yml - sysmon_wdigest_enable_uselogoncredential.yml
2021-05-27 18:59:26 +00:00
id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
10 rules from THP - contributing soon
2020-10-12 19:42:34 +00:00
description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
status: experimental
date: 2019/09/12
duplicate uuid 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 - sysmon_susp_webdav_client_execution.yml - sysmon_wdigest_enable_uselogoncredential.yml
2021-05-27 18:59:26 +00:00
modified: 2021/05/27
10 rules from THP - contributing soon
2020-10-12 19:42:34 +00:00
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.defense_evasion
- attack.t1112
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
logsource:
13 Rules from THP - Backlog Rules (old)
2020-10-13 07:33:55 +00:00
category: registry_event
10 rules from THP - contributing soon
2020-10-12 19:42:34 +00:00
product: windows
detection:
Fixes&improvements
2021-04-07 22:32:01 +00:00
selection:
TargetObject|endswith: 'WDigest\UseLogonCredential'
10 rules from THP - contributing soon
2020-10-12 19:42:34 +00:00
condition: selection
falsepositives:
- Unknown
Fixes&improvements
2021-04-07 22:32:01 +00:00
level: high
Reference in New Issue Copy Permalink