Update win_nltest_query.yml

yugoslavskiy 2021-01-05 23:03:41 +03:00 committed by GitHub
parent 192bca814b
commit ff373b0f33
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -5,7 +5,7 @@ references:
- https://twitter.com/sysopfb/status/986799053668139009
- https://github.com/LOLBAS-Project/LOLBAS/blob/94368c1e69a6ce5ce812f2b331c99b89a63791b9/yml/LOLUtilz/OSBinaries/Nltest.yml
date: 2018/04/18
modified: 2020/10/06
modified: 2021/01/05
tags:
- attack.credential_access
- attack.t1003
@ -16,10 +16,8 @@ logsource:
product: windows
detection:
selection:
Image|endswith:
- '/nltest.exe'
CommandLine|contains:
- \query
Image|endswith: '\nltest.exe'
CommandLine|contains: '\query'
condition: selection
falsepositives:
- Legitimate administration
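Review bot: The switch in the new `CommandLine|contains: '\query'` line is still prefixed with a backslash, whereas nltest's documented switches and the LOLBAS examples this rule cites in its references use a forward slash, so an invocation typed as `nltest /query` would not be matched; unless backslash-prefixed switches are known to be accepted by nltest, widen the selection to `CommandLine|contains: ['/query', '\query']` or narrow it to `'/query'` alone. Changing `'/nltest.exe'` to `'\nltest.exe'` is the right fix for the image match, and keeping it single-quoted matters: in double quotes YAML would turn `\n` into a newline and the selection would silently never fire, which is worth a short comment next to the line, e.g. `# single quotes: keep the backslash literal, "\n" would become a newline`. The `logsource` mapping begins above this hunk, so the `category` it sets could not be checked here.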