fixing yaml
dluxtron committed Jun 26, 2024
1 parent 7b9d0de commit be162b9
Showing 2 changed files with 4 additions and 3 deletions.
Expand Up @@ -8,7 +8,8 @@ type: TTP
data_source:
- Windows Security 5136
description: ACL modification event denying the ability to enumerate permissions.
search: '`wineventlog_security` EventCode=5136
search: >-
`wineventlog_security` EventCode=5136
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
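Review bot: the commit message "fixing yaml" does not say what was actually broken, and the hunk alone does not show it either; the reason is visible in the next hunk of this file, where the eval contains the field reference 'aceControlAccessRights', and a bare ' inside a single-quoted YAML scalar terminates the string, so the old `search: '...'` form could not be parsed. Suggest a message that records this, for example "Use a block scalar for search so single quotes in eval need no escaping". One thing to verify before merging: with `>-`, every continuation line (`| stats`, `| rex`, ...) must be indented at least as far as the first content line (the wineventlog_security macro line), otherwise the block scalar ends early and the rest of the query is read as stray YAML; when they share the same indentation the line breaks fold to single spaces and the resulting SPL is identical to the previous single-quoted value.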
Expand All @@ -29,7 +30,7 @@ search: '`wineventlog_security` EventCode=5136
| stats values(aceType) as aceType values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID
| eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
| search aceType IN ("Access denied",D) AND aceAccessRights IN ("Full control","Read permissions",RC)
| `windows_ad_dangerous_deny_acl_modification_filter`'
| `windows_ad_dangerous_deny_acl_modification_filter`
how_to_implement: See link in references for how to configure logging for these eventcodes. Include lookups for SID resolution if evt_resolve_ad_obj is set to 0.
known_false_positives: None.
references:
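Review bot: dropping the closing ' on the `windows_ad_dangerous_deny_acl_modification_filter` line is the right counterpart to the `>-` change, and the `| eval aceControlAccessRights=if(...,'aceControlAccessRights')` line in this hunk is exactly what made the single-quoted form invalid (an unescaped ' closes a single-quoted YAML scalar). Worth adding a YAML load of every detection file to CI so a quoted field-name reference in SPL fails the build rather than a deployment. Separately, `known_false_positives: None.` is a strong claim for a deny-ACE modification detection; administrators do set deny ACEs deliberately, so consider stating that expected administrative changes should be excluded via the filter macro referenced on the last line.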
2 changes: 1 addition & 1 deletion detections/cloud/azure_ad_privileged_role_assigned.yml
Expand Up @@ -2,7 +2,7 @@ name: Azure AD Privileged Role Assigned
id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a
version: 4
date: '2024-06-25'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
author: Mauricio Velazco, Gowthamaraj Rajendran, Dean Luxton, Splunk
status: production
type: TTP
description: The following analytic identifies the assignment of sensitive and privileged
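Review bot: this hunk only adds Dean Luxton to `author`, while the surrounding `version: 4` and `date: '2024-06-25'` context lines are untouched; that is fine for a credit-only edit, but if the repository's convention is to bump `version` and refresh `date` on any change to a detection file, this should become `version: 5` with the commit date. The commit message "fixing yaml" also does not cover this file at all, so consider a message that mentions both changes.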