valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Corrected CrackMapExec rule

Browse Source
This commit is contained in:
Florian Roth 2018-04-09 08:40:03 +02:00
parent a9c7fe202e
commit 56172ae174
1 changed files with 1 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
rules/apt/apt_dragonfly.yml
View File

@ -1,4 +1,4 @@
---
action: global
title: CrackMapExecWin
description: Detects CrackMapExecWin Activity as Described by NCSC
@ -7,9 +7,6 @@ references:
- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
author: Markus Neis
detection:
selection1:
CommandLine:
- '*\crackmapexec.exe'
condition: 1 of them
falsepositives:
- None
@ -22,9 +19,6 @@ logsource:
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
# Requires group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 4688
selection2:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 4688
NewProcessName:
@ -36,9 +30,6 @@ logsource:
service: sysmon
detection:
selection1:
# Requires group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 1
selection2:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
EventID: 1
Image: