Commit Graph

7 Commits

Author SHA1 Message Date
yugoslavskiy
f83d0e36b8 improved win_pass_the_hash.yml rule
— deleted useless KeyLength: '0'
— added filter condition to exclude AccountName='ANONYMOUS LOGON',
because of false positives [1]

[1]
http://serverfault.com/questions/338644/what-are-anonymous-logons-in-windows-event-log
2017-04-04 02:57:58 +03:00
Thomas Patzke
889315c960 Changed values with placeholders to quoted strings
Values beginning with % cause YAML parse error
2017-03-18 23:05:16 +01:00
Florian Roth
a66955013c Update win_pass_the_hash.yml 2017-03-13 16:16:34 +01:00
IeM
9f5e5a2366 Update win_pass_the_hash.yml
Added placeholders for WorkstationName to detect network logons between Workstations.
2017-03-13 16:09:32 +01:00
IeM
4d5ded46e6 Update win_pass_the_hash.yml 2017-03-08 20:35:26 +01:00
IeM
381b85fd94 Update win_pass_the_hash.yml
Edited, added additional indicators.
Reference: https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
2017-03-08 18:48:06 +01:00
IeM
e4d764ceba Create win_pass_the_hash.yml
Rule to detect the attack technique pass the hash, which is used to move laterally inside the network
2017-03-08 18:04:31 +01:00