valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f07c368ae0
SigmaHQ/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml
Thomas Patzke a10db2df89 Fixes&improvements
2021-04-08 01:06:40 +02:00

22 lines
761 B
YAML
Raw Blame History

title: Wdigest Enable UseLogonCredential
id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
status: experimental
date: 2019/09/12
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.defense_evasion
- attack.t1112
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: 'WDigest\UseLogonCredential'
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink