valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
ef6e0c5a4c
SigmaHQ/rules/windows/builtin/win_susp_ntlm_auth.yml
Jonhnathan ea385767b9
Update win_susp_ntlm_auth.yml
2020-11-19 22:40:43 -03:00

26 lines
799 B
YAML
Raw Blame History

title: NTLM Logon
id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
status: experimental
description: Detects logons using NTLM, which could be caused by a legacy source or attackers
references:
- https://twitter.com/JohnLaTwC/status/1004895028995477505
- https://goo.gl/PsqrhT
author: Florian Roth
date: 2018/06/08
tags:
- attack.lateral_movement
- attack.t1075 # an old one
- attack.t1550.002
logsource:
product: windows
service: ntlm
definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
selection:
EventID: 8002
CallingProcessName: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
condition: selection
falsepositives:
- Legacy hosts
level: low
Reference in New Issue View Git Blame Copy Permalink