valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
abe353de66
SigmaHQ/rules/windows/builtin/win_net_ntlm_downgrade.yml

53 lines
1.4 KiB
YAML
Raw Normal View History

Improved NetNTLM downgrade rule
2018-03-20 14:03:55 +00:00
action: global
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
2018-03-20 10:07:21 +00:00
title: NetNTLM Downgrade Attack
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other
2020-08-24 23:09:17 +00:00
description: Detects NetNTLM downgrade attack
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
references:
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
2018-03-20 10:07:21 +00:00
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth
date: 2018/03/20
fix: Sysmon NTLM downgrade attack - too many fps
2021-02-24 12:22:25 +00:00
modified: 2021/02/24
Add tags to windows builtin rules
2018-07-24 05:50:32 +00:00
tags:
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other
2020-08-24 23:09:17 +00:00
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.001
- attack.t1112
Improved NetNTLM downgrade rule
2018-03-20 14:03:55 +00:00
detection:
condition: 1 of them
falsepositives:
- Unknown
level: critical
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other
2020-08-24 23:09:17 +00:00
---
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
2018-03-20 10:07:21 +00:00
logsource:
product: windows
Clean-up service: sysmon as it will be replaced by filling the category
2021-04-15 00:02:25 +00:00
category: registry_event
Rule: NetNTLM Downgrade Attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
2018-03-20 10:07:21 +00:00
detection:
Improved NetNTLM downgrade rule
2018-03-20 14:03:55 +00:00
selection1:
Update win_net_ntlm_downgrade.yml
2020-10-28 00:59:49 +00:00
TargetObject|contains|all:
- 'SYSTEM\'
- 'ControlSet'
- '\Control\Lsa'
TargetObject|endswith:
- '\lmcompatibilitylevel'
- '\NtlmMinClientSec'
- '\RestrictSendingNTLMTraffic'
Improved NetNTLM downgrade rule
2018-03-20 14:03:55 +00:00
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
product: windows
service: security
Replace "logsource: description" with "definition" to match the specs
2018-11-15 06:00:06 +00:00
definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
Improved NetNTLM downgrade rule
2018-03-20 14:03:55 +00:00
detection:
fix: rule
2021-02-24 12:44:13 +00:00
selection:
Improved NetNTLM downgrade rule
2018-03-20 14:03:55 +00:00
EventID: 4657
Update win_net_ntlm_downgrade.yml
2020-11-20 01:14:37 +00:00
ObjectName|startswith: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa'
Improved NetNTLM downgrade rule
2018-03-20 14:03:55 +00:00
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
- 'RestrictSendingNTLMTraffic'
fix: rule
2021-02-24 12:44:13 +00:00
condition: selection
fix: Sysmon NTLM downgrade attack - too many fps
2021-02-24 12:22:25 +00:00
falsepositives:
- Unknown
Added missed changes in win_net_ntlm_downgrade and merged duplicate rules
2021-03-02 20:34:34 +00:00
level: critical
Reference in New Issue Copy Permalink