OTRF / ThreatHunter-Playbook

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.
MIT License

Issue on page /notebooks/windows/06_credential_access/WIN-180815210510.html #52

Open damyanor opened 2 years ago

damyanor commented 2 years ago

Modification of the query to exclude Azure sync via Azure AD Connect in a hybrid environment.

Cyb3rWard0g commented 2 years ago

https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html

Cyb3rWard0g commented 2 years ago

Thank you @damyanor! Would you mind providing an example of the filter you are proposing? Is that something maybe that we can add under the playbook Hunter Notes section? Please and thank you!

Cyb3rWard0g commented 2 years ago

Oh, something like this?: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml#L23
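Added example, not code from the thread or from the playbook: a small Python version of the filter under discussion, of the kind that could go in the Hunter Notes. It keeps Security event 4662 replication requests, drops machine accounts, and then excludes an explicitly listed Azure AD Connect sync account; the domain, the account name and the MSOL_ naming are assumptions and the events are constructed.

```python
import re

# Well-known AD control access rights that a replication request must carry.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Assumption: the Azure AD Connect sync account is listed explicitly by
# domain and name (placeholder values) rather than excluded by prefix.
SYNC_ACCOUNTS = {("CONTOSO", "MSOL_placeholder")}

def is_replication_by_non_dc(event, sync_accounts=SYNC_ACCOUNTS):
    """True when a 4662 event is a replication request from a non-machine
    account that is not a known Azure AD Connect sync account."""
    if event.get("EventID") != 4662 or event.get("AccessMask") != "0x100":
        return False  # 0x100 = Control Access
    guids = set(re.findall(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}",
                           event.get("Properties", "").lower()))
    if not guids & REPLICATION_RIGHTS:
        return False
    user = event.get("SubjectUserName", "")
    if user.endswith("$"):  # machine accounts: domain controllers replicating
        return False
    # The exclusion from this issue: known hybrid-sync account, exact match.
    return (event.get("SubjectDomainName", "").upper(), user) not in sync_accounts

def hunt(events, sync_accounts=SYNC_ACCOUNTS):
    """Return SubjectUserName of each event that survives the filters."""
    return [e["SubjectUserName"] for e in events
            if is_replication_by_non_dc(e, sync_accounts)]

# Constructed sample events (not real logs); Properties holds the right's GUID.
def _ev(user, mask, guid):
    return {"EventID": 4662, "SubjectDomainName": "CONTOSO",
            "SubjectUserName": user, "AccessMask": mask,
            "Properties": "{" + guid + "}"}

SAMPLE_EVENTS = [
    _ev("DC01$", "0x100", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),  # a DC
    _ev("MSOL_placeholder", "0x100", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    _ev("jdoe", "0x100", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),   # hunt hit
    _ev("jdoe", "0x20", "bf967aba-0de6-11d0-a285-00aa003049e2"),    # plain write
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))         # ['jdoe']
    print(hunt(SAMPLE_EVENTS, set()))  # ['MSOL_placeholder', 'jdoe']
```

Listing the sync account by exact name keeps the exclusion narrow; replication requests from that account that arrive from an unexpected source host are still worth a separate check.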