valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: rule

Browse Source
This commit is contained in:
Florian Roth 2021-02-24 13:44:13 +01:00
parent 9eb55016bf
commit 0489d4bfa4
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/windows/builtin/win_net_ntlm_downgrade.yml
View File

@ -18,14 +18,14 @@ logsource:
service: security
definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
detection:
selection2:
selection:
EventID: 4657
ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa*'
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
- 'RestrictSendingNTLMTraffic'
condition: 1 of them
condition: selection
falsepositives:
- Unknown
level: critical