Stages and Predicates
Stage 1: selection_regkey
TargetObject|contains: ControlSet
TargetObject|contains: 'SYSTEM\'
TargetObject|contains: '\Control\Lsa'
Stage 2: 1 of selection_value_lmcompatibilitylevel
Details: ['DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)']
TargetObject|endswith: '\lmcompatibilitylevel'
Stage 3: 1 of selection_value_ntlmminclientsec
Details: ['DWORD (0x00000000)', 'DWORD (0x00000010)', 'DWORD (0x00000020)', 'DWORD (0x00000030)']
TargetObject|endswith: '\NtlmMinClientSec'
Stage 4: 1 of selection_value_restrictsendingntlmtraffic
TargetObject|endswith: '\RestrictSendingNTLMTraffic'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|
Details | eq | DWORD (0x00000000) corpus 38 (sigma 38)DWORD (0x00000001) corpus 37 (sigma 37)DWORD (0x00000002) corpus 9 (sigma 9)DWORD (0x00000010)DWORD (0x00000020)DWORD (0x00000030)
|
TargetObject | ends_with | \NtlmMinClientSec\RestrictSendingNTLMTraffic\lmcompatibilitylevel
|
TargetObject | match | ControlSet corpus 2 (sigma 2)SYSTEM\ corpus 2 (sigma 2)\Control\Lsa
|