Update sysmon_susp_office_kerberos_dll_load.yml

This commit is contained in:
Antonlovesdnb 2020-02-19 14:51:50 -05:00 committed by GitHub
parent 1f01fe446f
commit 328858279f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -5,9 +5,9 @@ description: Detects Kerberos DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2019/12/26
date: 2020/02/19
tags:
- attack.initial.access
- attack.initial_access
- attack.t1193
logsource:
product: windows
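Review bot: replacing `date: 2019/12/26` with `date: 2020/02/19` overwrites the rule's creation date instead of recording an edit; Sigma keeps `date` as the original authoring date and tracks changes in a separate `modified` field, so keep `date: 2019/12/26` and add `modified: 2020/02/19`. The tag correction itself is right: Sigma tactic tags use underscores (`attack.initial_access`), and `attack.initial.access` would not match the ATT&CK mapping used by the tooling.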
@ -25,4 +25,4 @@ detection:
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
level: high
level: high
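Review bot: the hunk header says one line changed (`-25,4 +25,4`) but the removed and added `level: high` lines read identically, so the change is invisible, most likely trailing whitespace or a missing newline at end of file. That is fine to fix, but it should be confirmed (for example with `git diff --ws-error-highlight=all` or by checking for the "No newline at end of file" marker) and called out in the commit message, since an opaque one-line change to `level` in a detection rule otherwise looks like a severity change to anyone skimming the history.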