Delete sysmon_mimikatz_сreds_dump.yml

merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
yugoslavskiy 2019-11-08 02:06:31 +03:00 committed by GitHub
parent 6d61401b12
commit 98f32e9098


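--- a/sysmon_mimikatz_сreds_dump.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Mimikatz сred access dump
-description: Detects process access to LSASS which is typical for like Mimikatz tools different version
-references:
-- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
-tags:
-- attack.credential_access
-- attack.t1003
-status: experimental
-author: Aleksey Potapov, oscd.community
-date: 2019/10/23
-logsource:
-product: windows
-service: sysmon
-detection:
-selection:
-EventID: 10
-TargetImage: 'C:\windows\system32\lsass.exe'
-GrantedAccess:
-- '0x1410'
-- '0x1010'
-- '0x143a'
-condition: selection
-falsepositives:
-- unknown
-level: high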