SigmaHQ

mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00

Author	SHA1	Message	Date
Yugoslavskiy Daniil	42c4079ed8	att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other	2020-08-25 01:09:17 +02:00
Maxime Thiebaut	73a6428345	Update the NTLM downgrade registry paths Recent windows versions rely on the ["MSV1_0" authentication package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package). Production environment tests have shown that NTLM downgrade attacks can be performed as detected by this rule although some of the registry keys are located in an "Lsa" subkey ("MSV1_0"). This commit introduces additionnal wildcards to handle these cases to ensure the previous detection rules are still included.	2020-04-07 17:14:45 +02:00
Thomas Patzke	0592cbb67a	Added UUIDs to rules	2019-11-12 23:12:27 +01:00
Thomas Patzke	3ef930b094	Escaped '\' to '\\' where required	2019-02-03 00:24:57 +01:00
Tareq AlKhatib	f318f328d6	Corrected reference to references as per Sigma's standard	2018-12-25 16:25:12 +03:00
Sherif Eldeeb	23eddafb39	Replace "logsource: description" with "definition" to match the specs	2018-11-15 09:00:06 +03:00
David Spautz	e275d44462	Add tags to windows builtin rules	2018-07-24 07:50:32 +02:00
Thomas Patzke	2dc5295abf	Removed redundant attribute from rule	2018-07-10 22:50:02 +02:00
Thomas Patzke	df6ad82770	Removed redundant attribute from rule EventID 4657 already implies the modification.	2018-06-21 23:59:55 +02:00
Florian Roth	f220e61adc	Fixed second selection in rule	2018-03-21 10:47:14 +01:00
Florian Roth	3c968d4ec6	Fixed rule for any ControlSets	2018-03-21 10:44:37 +01:00
Florian Roth	e9fcfcba7f	Improved NetNTLM downgrade rule	2018-03-20 15:03:55 +01:00

12 Commits