Merge pull request SigmaHQ#1665 from frack113/hope_last_windows_field…

…_fix

Last fix invalid windows field name

rules/windows/builtin/win_account_backdoor_dcsync_rights.yml

@@ -4,7 +4,7 @@ description: backdooring domain object to grant the rights associated with DCSyn
     Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
 status: experimental
 date: 2019/04/03
-modified: 2020/08/23
+modified: 2021/07/09
 author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
 references:
     - https://twitter.com/menasec1/status/1111556090137903104
@@ -18,8 +18,8 @@ logsource:
 detection:
     selection:
         EventID: 5136
-        LDAPDisplayName: 'ntSecurityDescriptor'
-        Value|contains: 
+        AttributeLDAPDisplayName: 'ntSecurityDescriptor'
+        AttributeValue|contains: 
          - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
          - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
          - '89e95b76-444d-4c62-991a-0facbeda640c'

rules/windows/builtin/win_susp_eventlog_cleared.yml

@@ -1,3 +1,4 @@
+action: global
 title: Eventlog Cleared
 id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
 description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
@@ -6,26 +7,34 @@ references:
     - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 author: Florian Roth
 date: 2017/01/10
-modified: 2020/08/23
+modified: 2021/07/09
 tags:
     - attack.defense_evasion
     - attack.t1070           # an old one
     - attack.t1070.001
     - car.2016-04-002
+falsepositives:
+    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
+    - System provisioning (system reset before the golden image creation)
+level: high
+
+---
 logsource:
     product: windows
+    service: security
 detection:
-    selection1:
-        service: security
+    selection:
         EventID:
             - 517
             - 1102
-    selection2:
-        service: system
+    condition: selection
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
         EventID: 104
         Source: Microsoft-Windows-Eventlog
-    condition: selection1 or selection2
-falsepositives:
-    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
-    - System provisioning (system reset before the golden image creation)
-level: high
+    condition: selection
+

rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml

@@ -5,6 +5,7 @@ author: Mauricio Velazco
 references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 date: 2021/06/01
+modified: 2021/07/09
 tags:
     - attack.t1110.003
     - attack.initial_access
@@ -14,13 +15,13 @@ logsource:
     service: security
 detection:
     selection1:
-        EventID: '4625'
-        Logon_Type: '3'
+        EventID: 4625
+        LogonType: 3
     filter:
-        Source_Network_Address: '-'
+        IpAddress: '-'
     timeframe: 24h
     condition:
-        - selection1 and not filter | count(Account_Name) by Source_Network_Address > 10
+        - selection1 and not filter | count(TargetUserName) by IpAddress > 10
 falsepositives:
     - Terminal servers
     - Jump servers