Hacktool Ruler

This events that are generated when using the hacktool Ruler by Sensepost

Sigma rule (View on GitHub)

 1title: Hacktool Ruler
 2id: 24549159-ac1b-479c-8175-d42aea947cae
 3status: test
 4description: This events that are generated when using the hacktool Ruler by Sensepost
 5references:
 6    - https://github.com/sensepost/ruler
 7    - https://github.com/sensepost/ruler/issues/47
 8    - https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427
 9    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
10    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
11author: Florian Roth (Nextron Systems)
12date: 2017-05-31
13modified: 2022-10-09
14tags:
15    - attack.defense-evasion
16    - attack.discovery
17    - attack.execution
18    - attack.collection
19    - attack.lateral-movement
20    - attack.t1087
21    - attack.t1114
22    - attack.t1059
23    - attack.t1550.002
24logsource:
25    product: windows
26    service: security
27detection:
28    selection1:
29        EventID: 4776
30        Workstation: 'RULER'
31    selection2:
32        EventID:
33            - 4624
34            - 4625
35        WorkstationName: 'RULER'
36    condition: (1 of selection*)
37falsepositives:
38    - Go utilities that use staaldraad awesome NTLM library
39level: high

References

Related rules

to-top