Update win_dsquery_domain_trust_discovery.yml

2024-11-07 17:58:52 +00:00 · 2019-11-08 02:58:32 +03:00 · 2019-11-08 02:58:32 +03:00 · 5861664d0f
commit 5861664d0f
parent 3624a7d5da
1 changed files with 9 additions and 12 deletions
--- a/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml
+++ b/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml
@ -2,10 +2,10 @@ title: Domain Trust Discovery
 status: experimental
 description: Detects a discovery of domain trusts
 references:
-    - https://attack.mitre.org/techniques/T1482/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml
 author: Jakob Weinzettl, oscd.community
 date: 2019/10/23
+modified: 2019/11/08
 tags:
    - attack.discovery
    - attack.t1482
@ -13,17 +13,14 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection1:
-        CommandLine: 'dsquery'
-    selection2:
-        CommandLine: '-filter'
-    selection3:
-        CommandLine: '(objectClass=trustedDomain)'
-    selection4:
-        CommandLine: 'nltest'
-    selection5:
-        CommandLine: 'domain_trusts'
-    condition: selection1 and selection2 and selection3 or selection4 and selection5
+    selection:
+      - Image|endswith: '\dsquery.exe'
+        CommandLine|contains|all:
+            - '-filter'
+            - 'trustedDomain'
+      - Image|endswith: '\nltest.exe'
+        CommandLine|contains: 'domain_trusts'
+    condition: selection
 falsepositives:
    - Administrators script of some sort
 level: medium