From 14322393f7d5a0fdee20dd357490b1b72341e84a Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 9 Jul 2021 10:02:05 +0200
Subject: [PATCH] fix more invalid windows field name

---
 .../win_account_backdoor_dcsync_rights.yml | 6 ++--
 .../builtin/win_susp_eventlog_cleared.yml | 29 ++++++++++++-------
 ...usp_failed_remote_logons_single_source.yml | 9 +++---
 3 files changed, 27 insertions(+), 17 deletions(-)

diff --git a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
index a5caf16d826..aecc527f289 100644
--- a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
+++ b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
@@ -4,7 +4,7 @@ description: backdooring domain object to grant the rights associated with DCSyn
     Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
 status: experimental
 date: 2019/04/03
-modified: 2020/08/23
+modified: 2021/07/09
 author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
 references:
     - https://twitter.com/menasec1/status/1111556090137903104
@@ -18,8 +18,8 @@ logsource:
 detection:
     selection:
         EventID: 5136
-        LDAPDisplayName: 'ntSecurityDescriptor'
-        Value|contains:
+        AttributeLDAPDisplayName: 'ntSecurityDescriptor'
+        AttributeValue|contains:
             - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
             - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
             - '89e95b76-444d-4c62-991a-0facbeda640c'
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index 1153dbc7ed9..2bb184528cc 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -1,3 +1,4 @@
+action: global
 title: Eventlog Cleared
 id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
 description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
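Review bot: The rename to `AttributeLDAPDisplayName` / `AttributeValue` in the second hunk moves this rule from generic field names to the names as they appear in the Security 5136 event XML, so any backend field mapping that previously translated `LDAPDisplayName` and `Value` for this rule has to follow the change or the converted query will no longer match the same events. The rule's `logsource` and the rest of `detection` (the `condition` line, any further selections) are outside the hunk, so it cannot be verified here that nothing else still references the old names. A one-line comment above the selection would help the next cleanup, e.g. `# field names follow the raw Security 5136 event XML (AttributeLDAPDisplayName / AttributeValue)`.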
@@ -6,26 +7,34 @@ references:
     - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 author: Florian Roth
 date: 2017/01/10
-modified: 2020/08/23
+modified: 2021/07/09
 tags:
     - attack.defense_evasion
     - attack.t1070 # an old one
     - attack.t1070.001
     - car.2016-04-002
+falsepositives:
+    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
+    - System provisioning (system reset before the golden image creation)
+level: high
+
+---
 logsource:
     product: windows
+    service: security
 detection:
-    selection1:
-        service: security
+    selection:
         EventID:
             - 517
             - 1102
-    selection2:
-        service: system
+    condition: selection
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
         EventID: 104
         Source: Microsoft-Windows-Eventlog
-    condition: selection1 or selection2
-falsepositives:
-    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
-    - System provisioning (system reset before the golden image creation)
-level: high
+    condition: selection
+
diff --git a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
index 1f574e94299..c7905c43bc1 100644
--- a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
@@ -5,6 +5,7 @@ author: Mauricio Velazco
 references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 date: 2021/06/01
+modified: 2021/07/09
 tags:
     - attack.t1110.003
     - attack.initial_access
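Review bot: `Source: Microsoft-Windows-Eventlog` in the new System document is left as a context line even though the commit is a field-name cleanup; `Source` does not appear to be the name the System 104 event carries natively, and `Provider_Name` is what the other Windows rules use for the event provider — check against the repository's field convention and, if it matches, change that line to `Provider_Name: Microsoft-Windows-Eventlog`. Moving `service` out of the old `selection1`/`selection2` into the per-document `logsource` is the right fix, since `service` was never an event field. The split into `action: global` plus two documents means both generated queries inherit the same `id`, which is worth confirming against any downstream tooling that keys alerts or suppressions on the rule id. The last added line is an empty line at end of file, which YAML linters usually flag as trailing whitespace.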
@@ -14,13 +15,13 @@ logsource:
     service: security
 detection:
     selection1:
-        EventID: '4625'
-        Logon_Type: '3'
+        EventID: 4625
+        LogonType: 3
     filter:
-        Source_Network_Address: '-'
+        IpAddress: '-'
     timeframe: 24h
     condition:
-        - selection1 and not filter | count(Account_Name) by Source_Network_Address > 10
+        - selection1 and not filter | count(TargetUserName) by IpAddress > 10
 falsepositives:
     - Terminal servers
     - Jump servers
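Review bot: `selection1` is the only selection in this rule, so the numeric suffix distinguishes nothing; the other two rules touched by this commit use plain `selection`, and renaming it here (`selection:` and `- selection and not filter | count(TargetUserName) by IpAddress > 10`) would keep the three consistent. The `filter` still excludes only the literal `IpAddress: '-'`; if the collected 4625 events record a loopback address or an empty value for local attempts instead, those pass the filter and count toward the threshold — worth confirming against sample events from the environment. The start of this rule's `logsource` block lies before the hunk.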