valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e275d44462
SigmaHQ/rules/windows/builtin/win_susp_ntlm_auth.yml
David Spautz e275d44462 Add tags to windows builtin rules
2018-07-24 07:50:32 +02:00

24 lines
715 B
YAML
Raw Blame History

title: NTLM Logon
status: experimental
description: Detects logons using NTLM, which could be caused by a legacy source or attackers
references:
- https://twitter.com/JohnLaTwC/status/1004895028995477505
- https://goo.gl/PsqrhT
author: Florian Roth
date: 2018/06/08
tags:
- attack.credential_access
- attack.t1208
logsource:
product: windows
service: ntlm
description: Reqiures events from Microsoft-Windows-NTLM/Operational
detection:
selection:
EventID: 8002
CallingProcessName: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
condition: selection
falsepositives:
- Legacy hosts
level: low
Reference in New Issue View Git Blame Copy Permalink