Update win_susp_net_recon_activity.yml

Jonhnathan 2020-11-26 22:39:49 -03:00 committed by GitHub
parent 31e0cfb13f
commit 48f16a0ca8


@ -18,10 +18,16 @@ logsource:
product: windows
service: security
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
logsource:
product: windows
service: security
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
selection:
- EventID: 4661
ObjectType: 'SAM_USER'
EventID: 4661
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
ObjectName|startswith: 'S-1-5-21-'
AccessMask: '0x2d'
selection2: