SigmaHQ/rules/windows/process_creation/win_nltest_query.yml
2021-01-05 23:03:41 +03:00

title: Nltest Credential Hash Theft
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
description: Detects nltest.exe invoked with the /query switch (e.g. nltest /server:<host> /query), which the referenced reporting describes as a way to leak credential hashes
references:
    - https://twitter.com/sysopfb/status/986799053668139009
    - https://github.com/LOLBAS-Project/LOLBAS/blob/94368c1e69a6ce5ce812f2b331c99b89a63791b9/yml/LOLUtilz/OSBinaries/Nltest.yml
date: 2018/04/18
modified: 2021/01/05
tags:
    - attack.credential_access
    - attack.t1003
status: experimental
author: Craig Young, oscd.community
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\nltest.exe'
        # nltest switches use a forward slash (/query, /QUERY); Sigma string
        # matching is case-insensitive, so one lowercase value covers both.
        CommandLine|contains: '/query'
    condition: selection
falsepositives:
    - Legitimate administration
level: medium
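To see what this selection does and does not fire on, the following is an added example, not part of the Sigma rule or the SigmaHQ repository. It is a hand-written, minimal stand-in for a Sigma backend that implements only the two modifiers the rule uses (`|endswith` and `|contains`, case-insensitive as the Sigma specification requires) and runs the selection over a handful of constructed Sysmon-style process-creation events. The hostnames, paths and command lines in the events are made up; the switch is spelled `/query`, which is the form nltest accepts.

```python
"""Evaluate the nltest rule's selection against constructed events.

Added example, not code from the Sigma project. The matcher is deliberately
minimal: it supports only the `endswith` and `contains` string modifiers,
which is all the rule above needs.
"""

# Field names follow Sysmon Event ID 1 / Sigma's process_creation taxonomy.
# The selection map below mirrors the rule's `selection` block.
SELECTION = {
    "Image|endswith": "\\nltest.exe",
    "CommandLine|contains": "/query",
}


def field_matches(modifier: str, expected: str, actual: str) -> bool:
    """Apply one Sigma string modifier; Sigma string matching is case-insensitive."""
    a, e = actual.lower(), expected.lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """All key/value pairs inside one Sigma selection map are AND-ed together."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None or not field_matches(modifier, expected, actual):
            return False
    return True


# Constructed sample events (not real telemetry).
EVENTS = [
    # 1. The behaviour the rule targets: fires.
    {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /server:dc01.corp.example /query"},
    # 2. Same thing in upper case: still fires (case-insensitive matching).
    {"Image": r"C:\Windows\System32\NLTEST.EXE",
     "CommandLine": "NLTEST /SERVER:DC01 /QUERY"},
    # 3. A different nltest switch: no match on CommandLine.
    {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /dclist:corp.example"},
    # 4. cmd.exe launching nltest: this event's Image is cmd.exe, so no match
    #    here; the child nltest.exe process produces its own event (case 1).
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c "nltest /server:dc01 /query"'},
    # 5. Known gap: a renamed copy of nltest.exe. The rule keys on the image
    #    path, so it stays silent; catching this needs another field such as
    #    the PE's original file name.
    {"Image": r"C:\Users\Public\nt.exe",
     "CommandLine": "nt.exe /server:dc01 /query"},
]


def evaluate(events=EVENTS) -> list:
    """Return one True/False verdict per event, in order."""
    return [selection_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate()):
        print("ALERT" if hit else "  ok ", event["CommandLine"])
```

Cases 4 and 5 are the ones worth remembering when tuning this rule: the selection is scoped to the nltest.exe process itself, so parent command lines that merely mention nltest do not count, and a renamed binary slips past an image-path match entirely.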