Home
  •  

Atividade Suspeita de Downgrade de Criptografia (Ultrapassagem de Hash)

Microsoft.AdvancedThreatAnalytics.1_7.Center.EncryptionDowngradeSuspiciousActivity_OverpasstheHash (Rule)

Knowledge Base article:

Resumo

O Centro do ATA observou uma atividade suspeita.

Causas

Uma atividade suspeita foi detectada.

Resoluções

Analise a atividade suspeita no Console do ATA e comece os procedimentos de resposta.

Element properties:

TargetMicrosoft.AdvancedThreatAnalytics.1_7.Center
CategorySecurityHealth
EnabledFalse
Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
RemotableTrue
Alert Message
Alerta de Atividade Suspeita de Downgrade de Criptografia (Ultrapassagem de Hash)
Alerta da regra do Microsoft ATA 1.7 Center - EventID 2010 - Atividade Suspeita de Downgrade da Criptografia (Infringir o Hash)
Event LogMicrosoft ATA

Member Modules:

ID Module Type TypeId RunAs 
Microsoft.Windows.EventCollector DataSource Microsoft.Windows.EventProvider Default
System.Health.GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.AdvancedThreatAnalytics.1_7.Center.EncryptionDowngradeSuspiciousActivity_OverpasstheHash" Target="Microsoft.AdvancedThreatAnalytics.1_7.Center" Enabled="false" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>SecurityHealth</Category>

  <DataSources>

    <DataSource ID="Microsoft.Windows.EventCollector" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Microsoft ATA</LogName>

      <AllowProxying>false</AllowProxying>

      <Expression>

        <SimpleExpression>

          <ValueExpression>

            <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

          </ValueExpression>

          <Operator>Equal</Operator>

          <ValueExpression>

            <Value Type="UnsignedInteger">2010</Value>

          </ValueExpression>

        </SimpleExpression>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="System.Health.GenerateAlert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.AdvancedThreatAnalytics.1_7.Center.EncryptionDowngradeSuspiciousActivity_OverpasstheHash.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

    </WriteAction>

  </WriteActions>

</Rule>