Update win_alert_ad_user_backdoors.yml

the original rule generates false positives if the "AllowedToDelegateTo" is set to "-". This seems to be a common occurrence, hence my proposed addition
cyb3rplis · Jun 7, 2019 · 41f5ebc · 41f5ebc
1 parent a0c9f15
commit 41f5ebc
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -19,6 +19,7 @@ detection:
         EventID: 4738
     filter1:
         AllowedToDelegateTo: null
+        AllowedToDelegateTo: '-'
     selection2:
         EventID: 5136
         AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'