SigmaHQ/wazuh/rules/sigma_win_mal_creddumper.yml
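# ElastAlert rules for the Wazuh alert index, generated from the Sigma
# "credential dumper via service execution" rule. There is one rule per
# Windows event source that records a service or driver installation; all
# three share the same test on service_name / ImagePath.
#
# The three rule mappings were concatenated without document separators, so
# any single-document loader saw three top-level `alert:` keys and (in most
# parsers, last key wins) kept only the Security 4697 rule, silently dropping
# the other two. They are separated with `---` below so a multi-document
# loader yields all three. NOTE(review): if the consuming ElastAlert build
# reads exactly one document per rule file, split each document into its own
# file rather than dropping the separators.
#
# NOTE(review): eventID is addressed under data.win.system.*, while
# service_name and ImagePath are bare field names. Wazuh's Windows event JSON
# normally nests event payload fields under data.win.eventdata.* — confirm the
# field paths against the index mapping, otherwise the payload clauses never
# match and the rules are dead.
---
# Rule 1 — System log Event ID 7045 (Service Control Manager: a service was
# installed). Payload test: known credential-dumper names in the service name
# or image path, or a service binary whose file name is a GUID with an
# executable-style extension.
alert:
- debug  # log matches only; no external alerter configured here
description: Detects well-known credential dumping tools execution via service execution events
filter:
- query:
    query_string:
      query: (data.win.system.eventID:"7045" AND (service_name.keyword:(*fgexec* OR *wceservice* OR *wce\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR ImagePath:/((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))
index: wazuh-alerts-3.x-*
name: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed_0
priority: 2
realert:
  minutes: 0  # no alert suppression window: every match fires
type: any  # fire on every document the filter matches
---
# Rule 2 — Sysmon Event ID 6 (driver loaded). Same payload test as rule 1;
# this covers the kernel-driver variants (e.g. mimidrv) that never appear as a
# service install.
alert:
- debug
description: Detects well-known credential dumping tools execution via service execution events
filter:
- query:
    query_string:
      query: (data.win.system.eventID:"6" AND (service_name.keyword:(*fgexec* OR *wceservice* OR *wce\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR ImagePath:/((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))
index: wazuh-alerts-3.x-*
name: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed-2_0
priority: 2
realert:
  minutes: 0
type: any
---
# Rule 3 — Security log Event ID 4697 (a service was installed in the
# system; requires the "Audit Security System Extension" subcategory to be
# enabled, otherwise this rule has no data). Same payload test as rule 1.
alert:
- debug
description: Detects well-known credential dumping tools execution via service execution events
filter:
- query:
    query_string:
      query: (data.win.system.eventID:"4697" AND (service_name.keyword:(*fgexec* OR *wceservice* OR *wce\ service* OR *pwdump* OR *gsecdump* OR *cachedump* OR *mimikatz* OR *mimidrv*) OR ImagePath.keyword:(*fgexec* OR *dumpsvc* OR *cachedump* OR *mimidrv* OR *gsecdump* OR *servpw* OR *pwdump*) OR ImagePath:/((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)/))
index: wazuh-alerts-3.x-*
name: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed-3_0
priority: 2
realert:
  minutes: 0
type: any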