-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathPossible BloodHound Attack.yml
39 lines (39 loc) · 1.08 KB
/
Possible BloodHound Attack.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
title: Possible BloodHound Attack
status: produção
author: A.W. Networksecure Segurança da Informação LTDA.
date: 2023/09/08
description: Possible attack through tool bloodhound.
references:
- https://bloodhound.readthedocs.io/en/latest/
- https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/
- https://www.100security.com.br/bloodhound
- https://www.linkedin.com/pulse/detectando-ferramenta-bloodhound-sharphound-threat-hunting-santos/?originalSubdomain=pt
tags:
- tool hacking
- attack.S0521
logsource:
product: windows
category: security
detection:
selection:
eventID: 5145
Target Name:
- srvsvc
- lsarpc
- samr
filter:
condition:
- not account_name_contains_dollar
- Contain Relative Target Names in 1 min interval
- With at least 3 occurrences of the same Account Name, source address and source port in 1 min
- or
- and
fields:
- eventID
- Account Name
- Target Name
- Source Address
- Source Port
falsepositives:
- System administrator Usage
level: medium