Update win_user_added_to_local_administrators.yml

mlp1515 2021-07-07 06:30:33 +00:00 committed by GitHub
parent 29a6a2d5fb
commit aec9fac276


@ -5,7 +5,7 @@ description: This rule triggers on user accounts that are added to the local Adm
status: stable
author: Florian Roth
date: 2017/03/14
modified: 2021/06/25
modified: 2021/07/07
tags:
- attack.privilege_escalation
- attack.t1078
@ -18,9 +18,9 @@ detection:
selection:
EventID: 4732
selection_group1:
GroupName|startswith: 'Administr'
TargetUserName|startswith: 'Administr'
selection_group2:
GroupSid: 'S-1-5-32-544'
TargetSid: 'S-1-5-32-544'
filter:
SubjectUserName|endswith: '$'
condition: selection and (1 of selection_group*) and not filter
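Review bot: The renamed selection keys are undocumented: nothing in the rule or in the (empty) commit description records why `GroupName`/`GroupSid` gave way to `TargetUserName`/`TargetSid`, so a later reader cannot tell whether this was a field-mapping correction for EventID 4732 or a change in the expected log source. The rendered hunk has lost its +/- markers; the `-18,9 +18,9` counts show that exactly one line of each duplicated pair is new, and this note assumes the `Target*` lines are the added side — please confirm. A one-line comment above `selection_group1`, such as `# 4732: TargetUserName/TargetSid name the group the member was added to`, would capture the intent and should be checked against the project's Windows security-log field mapping. `status: stable` is kept although the field names the rule depends on changed, so it is worth confirming the rule was re-validated before the status is left as stable. The enclosing `detection:` block and the rule's `logsource` start outside the hunk.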