Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU General Public License v3.0
2.17k stars 189 forks

Check out WatchAD2.0 by Qihoo360 #1328

Open K4ack2013 opened 4 months ago

K4ack2013 commented 4 months ago

Strengthen the log detection of domain control, and I recommend the https://github.com/Qihoo360/WatchAD2.0 project to you. There are domain-related attack detections there, and I hope the next version of the tool will be updated.

Shortcoming: Currently, the tool cannot detect common domain attack tools such as mimikatz and Impacket, including log detection of common domain control attacks.

YamatoSecurity commented 4 months ago

Thank you for sharing. Currently Hayabusa does detect all of the attacks mentioned here: https://github.com/Qihoo360/WatchAD2.0/blob/master/README_EN.md#iii-currently-supported-specific-detection-functions. But of course the proper logging has to be turned on. If you want to share any specific .evtx files with us, we can write rules to detect them. We will look into whether we can incorporate any methods from WatchAD into Hayabusa.