Detectionhightest

Hacktool Ruler

This events that are generated when using the hacktool Ruler by Sensepost

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Wed May 31Updated Sun Oct 0924549159-ac1b-479c-8175-d42aea947caewindows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection1:
        EventID: 4776
        Workstation: 'RULER'
    selection2:
        EventID:
            - 4624
            - 4625
        WorkstationName: 'RULER'
    condition: (1 of selection*)

False Positives

Go utilities that use staaldraad awesome NTLM library

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0007 · Discovery TA0002 · Execution TA0009 · Collection TA0008 · Lateral Movement

Techniques

T1087 · Account Discovery T1114 · Email Collection T1059 · Command and Scripting Interpreter

Sub-techniques

T1550.002 · Pass the Hash

Rule Metadata

Rule ID

24549159-ac1b-479c-8175-d42aea947cae

Status

test

Level

high

Type

Detection

Created

Wed May 31

Modified

Sun Oct 09

Author

Florian Roth (Nextron Systems)

Path

rules/windows/builtin/security/win_security_alert_ruler.yml

Raw Tags

attack.defense-evasionattack.discoveryattack.executionattack.collectionattack.lateral-movementattack.t1087attack.t1114attack.t1059attack.t1550.002

View on GitHub