Update win_account_discovery.yml

Getting rid of '*' use
Jonhnathan 2020-10-15 15:01:31 -03:00 committed by GitHub
parent fdd9234acc
commit 9c7a23e432
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -21,17 +21,18 @@ detection:
ObjectType: ObjectType:
- 'SAM_USER' - 'SAM_USER'
- 'SAM_GROUP' - 'SAM_GROUP'
ObjectName: ObjectName|endswith:
- '*-512' - '-512'
- '*-502' - '-502'
- '*-500' - '-500'
- '*-505' - '-505'
- '*-519' - '-519'
- '*-520' - '-520'
- '*-544' - '-544'
- '*-551' - '-551'
- '*-555' - '-555'
- '*admin*' ObjectName|contains:
- 'admin'
condition: selection condition: selection
falsepositives: falsepositives:
- if source account name is not an admin then its super suspicious - if source account name is not an admin then its super suspicious