valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
82916f0cff
SigmaHQ/rules/windows/sysmon/sysmon_quarkspw_filedump.yml
Thomas Patzke a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00

21 lines
524 B
YAML
Raw Blame History

title: QuarksPwDump Dump File
status: experimental
description: Detects a dump file written by QuarksPwDump password dumper
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth
date: 2018/02/10
level: critical
logsource:
product: windows
service: sysmon
detection:
selection:
# Sysmon: File Creation (ID 11)
EventID: 11
TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*'
condition: selection
falsepositives:
- Unknown
Reference in New Issue View Git Blame Copy Permalink