Techniques
Sample rules
Metasploit SMB Authentication
- source: sigma
- techniques:
  - t1021
  - t1021.002
Description
Alerts on authentications on the domain that originate from a Metasploit host.
Detection logic
condition: 1 of selection*
selection1:
  AuthenticationPackageName: NTLM
  EventID:
    - 4625
    - 4624
  LogonType: 3
  WorkstationName|re: ^[A-Za-z0-9]{16}$
selection2:
  EventID: 4776
  Workstation|re: ^[A-Za-z0-9]{16}$
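
The detection logic above, applied to a few constructed events, as an added example that is not part of the original rule or of the Sigma project. The function names and sample events are assumptions; the NTLM comparison is case-insensitive, following Sigma's default for plain string values, and event fields are accepted as either integers or strings.

```python
import re

# Pattern from the rule: a workstation name of exactly 16 alphanumeric characters.
WORKSTATION_RE = re.compile(r"[A-Za-z0-9]{16}")

def is_16_alnum(value):
    # fullmatch is equivalent to the rule's ^...$ anchors and also rejects a trailing newline.
    return isinstance(value, str) and WORKSTATION_RE.fullmatch(value) is not None

def selection1(event):
    """Network (type 3) NTLM logon, successful (4624) or failed (4625)."""
    return (
        str(event.get("EventID")) in {"4624", "4625"}
        and str(event.get("LogonType")) == "3"
        and str(event.get("AuthenticationPackageName", "")).lower() == "ntlm"
        and is_16_alnum(event.get("WorkstationName"))
    )

def selection2(event):
    """Credential validation event (4776); note the field is Workstation here."""
    return str(event.get("EventID")) == "4776" and is_16_alnum(event.get("Workstation"))

def matches(event):
    # condition: 1 of selection*
    return selection1(event) or selection2(event)

def hits(events):
    """Return the indexes of the events that the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]

# Constructed sample events (not taken from real logs).
NTLM3 = {"LogonType": 3, "AuthenticationPackageName": "NTLM"}
SAMPLE_EVENTS = [
    {**NTLM3, "EventID": 4624, "WorkstationName": "aB3dE6gH9jK2mN5p"},      # hit
    {**NTLM3, "EventID": "4625", "LogonType": "3",
     "WorkstationName": "Zx81QwErTy09UiOp"},                                # hit (string fields)
    {"EventID": 4776, "Workstation": "Q1w2E3r4T5y6U7i8"},                   # hit
    {**NTLM3, "EventID": 4624, "WorkstationName": "WKSTN-FIN07"},           # ordinary host name
    {**NTLM3, "EventID": 4624, "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "aB3dE6gH9jK2mN5p"},                                # not NTLM
    {**NTLM3, "EventID": 4624, "LogonType": 2,
     "WorkstationName": "aB3dE6gH9jK2mN5p"},                                # not a network logon
    {"EventID": 4776, "WorkstationName": "Q1w2E3r4T5y6U7i8"},               # wrong field for 4776
]

if __name__ == "__main__":
    print(hits(SAMPLE_EVENTS))
```

The last sample shows a normalization pitfall: if a log pipeline renames `Workstation` to `WorkstationName` on 4776 events, selection2 never fires.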