-
Notifications
You must be signed in to change notification settings - Fork 28
/
Copy pathazureEventHub_windows-correlated.rules
61 lines (43 loc) · 9.06 KB
/
azureEventHub_windows-correlated.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# Sagan windows-correlated.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# 4798.rules all_windows.rules azureEventHub_notes.txt logs rules test.rules to_azureEventHub.sh Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# 4798.rules all_windows.rules azureEventHub_notes.txt logs rules test.rules to_azureEventHub.sh Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# 4798.rules all_windows.rules azureEventHub_notes.txt logs rules test.rules to_azureEventHub.sh Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-CORRELATED] Successful RDP login after brute force activity"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4624,528,540; content: "Logon Type|3a| 10 ";content:!"Source Network Address|3a| 0.0.0.0"; program: *Security*; xbits: isset,brute_force,track ip_src; parse_src_ip: 1; default_proto: tcp; threshold: type suppress, track by_username, count 5, seconds 3600; classtype: correlated-attack; sid:5008654; metadata: created_on 2022_11_22, old_sid 5002336; rev:12;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-CORRELATED] Successful RDP login after recon activity"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4624,528,540; content: "Logon Type|3a| 10 ";content:!"Source Network Address|3a| 0.0.0.0"; program: *Security*; xbits: isset,recon,track ip_src; parse_src_ip: 1; default_proto: tcp; threshold: type suppress, track by_username, count 5, seconds 3600; classtype: correlated-attack; sid:5008655; metadata: created_on 2022_11_22, old_sid 5002957; rev:9;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-CORRELATED] Successful RDP login after exploit attempt"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4624,528,540; content: "Logon Type|3a| 10 ";content:!"Source Network Address|3a| 0.0.0.0"; program: *Security*; xbits: isset,exploit_attempt,track ip_src; parse_src_ip: 1; default_proto: tcp; threshold: type suppress, track by_username, count 5, seconds 3600; classtype: correlated-attack; sid:5008656; metadata: created_on 2022_11_22, old_sid 5002958; rev:9;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-CORRELATED] Successful RDP login after honeypot activity"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4624,528,540; content: "Logon Type|3a| 10 ";content:!"Source Network Address|3a| 0.0.0.0"; program: *Security*; xbits: isset,honeypot,track ip_src; parse_src_ip: 1; default_proto: tcp; threshold: type suppress, track by_username, count 5, seconds 3600; classtype: correlated-attack; sid:5008657; metadata: created_on 2022_11_22, old_sid 5003341; rev:6;)
# 2017-02-22 - Rule create by Champ Clark III based off Jack Crook's work. See:
# From Jack Crook via https://www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan/
# -- dst -> src
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Suspicious file copy to a share [dst -> src]"; program: *Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 5145; content: "Object Type|3a| File"; pcre: "/Share Name: (.*)\$ /"; meta_content: "Access Mask|3a| %sagan%",0x100180,0x80,0x130197; xbits: isset,dst_src_suscopy,track ip_src; threshold: type suppress, track by_username, count 1, seconds 3600; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5008658; metadata: created_on 2022_11_22, old_sid 5003381; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Suspicious file copy to a share [XBIT SET]"; program: *Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5145; content: "Object Type|3a| File"; pcre: "/Share Name: (.*)\$ /"; meta_content: "Access Mask|3a| %sagan%",0x100180,0x80,0x130197; xbits: set,dst_src_suscopy,track ip_src, expire 1; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5008659; metadata: created_on 2022_11_22, old_sid 5003382; rev:2;)
# -- src -> dst
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Suspicious file copy to a share [src -> dst]"; program: *Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 5145; content: "Object Type|3a| File"; pcre: "/Share Name: (.*)\$ Relative Target Name:/"; meta_content: "Access Mask|3a| %sagan%",0x100181,0x80,0x120089; xbits: isset,none,src_dst_suscopy; threshold: type suppress, track by_username, count 1, seconds 3600; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5008660; metadata: created_on 2022_11_22, old_sid 5003383; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Suspicious file copy to a share [XBIT SET]"; program: *Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5145; content: "Object Type|3a| File"; pcre: "/Share Name: (.*)\$ /"; meta_content: "Access Mask|3a| %sagan%",0x100181,0x80,0x120089; xbits: set,src_dst_suscopy,1; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5008661; metadata: created_on 2022_11_22, old_sid 5003384; rev:2;)
# -- WMIC commands/execution across a network
# These rules use a lot of CPU in active networks. They need to use "flexbits" to use mmap() files
# since the flexbit life is only 1 sec. It doesn't scale with Redis xbits.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-CORRELATED] wmiprvse.exe [XBIT SET]"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4688; pcre: "/Process Name: (.*)wmiprvse\.exe(.*)/i"; flexbits: set,web-attack,1; flexbits:nounified2; flexbits:noeve; classtype: suspicious-command; program: *Security*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5008662; metadata: created_on 2022_11_22, old_sid 5003385; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Possible remote WMIC command execution"; program: *Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4624; content: "Logon Type|3a| 3"; meta_content:!"Source Network Address|3a| %sagan%",-,127.0.0.1,|3a 3a|1; flexbits: isset, by_username,wmiprvse; parse_src_ip: 1; parse_port; threshold: type suppress, track by_username, count 5, seconds 3600; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5008663; metadata: created_on 2022_11_22, old_sid 5003386; classtype:suspicious-login; rev:10;)