Update win_account_discovery.yml

Getting rid of '*' use
Jonhnathan 2020-10-15 15:01:31 -03:00 committed by GitHub
parent fdd9234acc
commit 9c7a23e432
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


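--- a/win_account_discovery.yml
+++ b/win_account_discovery.yml
@@ -21,17 +21,18 @@ detection:
 ObjectType:
 - 'SAM_USER'
 - 'SAM_GROUP'
-ObjectName:
-- '*-512'
-- '*-502'
-- '*-500'
-- '*-505'
-- '*-519'
-- '*-520'
-- '*-544'
-- '*-551'
-- '*-555'
-- '*admin*'
+ObjectName|endswith:
+- '-512'
+- '-502'
+- '-500'
+- '-505'
+- '-519'
+- '-520'
+- '-544'
+- '-551'
+- '-555'
+ObjectName|contains:
+- 'admin'
 condition: selection
 falsepositives:
 - if source account name is not an admin then its super suspicious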
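Review bot: Splitting `ObjectName` into `ObjectName|endswith` and `ObjectName|contains` inside the same `selection` map changes the detection logic, not just the syntax: Sigma ANDs the fields of one selection, so the new rule only fires when the object name ends with one of the RID suffixes and also contains `admin`, whereas the old list ORed `*-512` … `*admin*`. An enumeration of, say, an object whose name ends in `-512` but does not contain `admin` matched before this commit and no longer does, so the rule has silently narrowed. The usual fix is to keep `ObjectType` (and whatever precedes it) in `selection`, move the two `ObjectName` modifiers into separate selections, and combine them in the condition, `condition: selection and (selection_rid or selection_admin)`. The start of `selection` lies above the hunk, so the leading fields are not visible here; the indentation below follows the four-space style Sigma rules use and is an assumption, since the rendered page dropped it.

```yaml
# … unchanged: start of `selection` (above the hunk) …
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
    selection_rid:
        ObjectName|endswith:
            - '-512'
            # … unchanged: remaining RID suffixes from the hunk …
            - '-555'
    selection_admin:
        ObjectName|contains: 'admin'
    condition: selection and (selection_rid or selection_admin)
```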