From a4611d6dc686058baf8136a312fd27133912a997 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 19 Feb 2017 22:43:27 +0100 Subject: [PATCH 1/4] Added new rules From adsecurity.org: * https://adsecurity.org/?p=1772 * https://adsecurity.org/?p=1714 --- .../builtin/win_susp_add_sid_history.yml | 17 +++++++++++++++++ .../builtin/win_susp_dsrm_password_change.yml | 15 +++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 rules/windows/builtin/win_susp_add_sid_history.yml create mode 100644 rules/windows/builtin/win_susp_dsrm_password_change.yml diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml new file mode 100644 index 000000000..8837b72b2 --- /dev/null +++ b/rules/windows/builtin/win_susp_add_sid_history.yml @@ -0,0 +1,17 @@ +title: Addition of SID History to Active Directory Object +status: stable +description: An attacker can use the SID history attribute to gain additional privileges. +reference: https://adsecurity.org/?p=1772 +author: Thomas Patzke +logsource: + product: windows +detection: + selection: + EventLog: Security + EventID: + - 4765 + - 4766 + condition: selection +falsepositives: + - Migration of an account into a new domain +level: medium diff --git a/rules/windows/builtin/win_susp_dsrm_password_change.yml b/rules/windows/builtin/win_susp_dsrm_password_change.yml new file mode 100644 index 000000000..0c8cacfc1 --- /dev/null +++ b/rules/windows/builtin/win_susp_dsrm_password_change.yml 
@@ -0,0 +1,15 @@ +title: Password Change on Directory Service Restore Mode (DSRM) Account +status: stable +description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence. +reference: https://adsecurity.org/?p=1714 +author: Thomas Patzke +logsource: + product: windows +detection: + selection: + EventLog: Security + EventID: 4794 + condition: selection +falsepositives: + - Initial installation of a domain controller +level: high From a57d8347b2dc38cc8793d767bb529f598fe92b2d Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 20 Feb 2017 10:37:23 +0100 Subject: [PATCH 2/4] Link to Sigma Converter in Devel Branch --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3f7eafab1..b023dccdb 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ This repository contains: # Sigma Converters -We are already working on the first converters in the 'devel' branch of this project. They are not ready yet, but you can already read the base rule set and create searches and panels in your SIEM system based on these rules. The first converters will be for Elastic Search and Splunk as those +We are already working on the first converters in the '[devel](https://github.com/Neo23x0/sigma/tree/devel-sigmac/tools)' branch of this project. They are not ready yet, but you can already read the base rule set and create searches and panels in your SIEM system based on these rules. The first converters will be for Elastic Search and Splunk as those ![sigma_description](./images/Sigma-description.png) From b5b5296c5f8d8bebcaa6e05ca36863aff42d6b20 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 22 Feb 2017 18:16:20 +0100 Subject: [PATCH 3/4] Fixed unfinished sentence, changed 'next steps' --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/README.md b/README.md index b023dccdb..218317d81 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ This repository contains: # Sigma Converters -We are already working on the first converters in the '[devel](https://github.com/Neo23x0/sigma/tree/devel-sigmac/tools)' branch of this project. They are not ready yet, but you can already read the base rule set and create searches and panels in your SIEM system based on these rules. The first converters will be for Elastic Search and Splunk as those +We are already working on the first converters in the '[devel](https://github.com/Neo23x0/sigma/tree/devel-sigmac/tools)' branch of this project. They are not ready yet, but you can already read the base rule set and create searches and panels in your SIEM system based on these rules. The first converters will convert Sigma rules for ElasticSearch and Splunk as those are the most accessible ones. ![sigma_description](./images/Sigma-description.png) @@ -78,7 +78,7 @@ Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single So * Creation of a reasonable set of sample rules * Release of the first rule converters for Elastic Search and Splunk * Integration of feedback into the rule specifications -* Collecting rule input from fellow researchers and analysts +* Integration into Threat Intel Exchanges, e.g. MISP * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms # Credits From fdbadb8e6ef14749e347c1b8720cde199406b1a1 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 22 Feb 2017 22:42:35 +0100 Subject: [PATCH 4/4] Rule fix Fixed condition in webshell keyword rule. --- rules/web/web_webshell_keyword.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/web/web_webshell_keyword.yml b/rules/web/web_webshell_keyword.yml index f2cf40427..c0e6f7103 100644 --- a/rules/web/web_webshell_keyword.yml +++ b/rules/web/web_webshell_keyword.yml
@@ -8,7 +8,7 @@ detection: - '=whoami' - '=net%20user' - '=cmd%20/c%20' - condition: selection and keywords + condition: keywords falsepositives: - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs - User searches in search boxes of the respective website
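Review bot: The two EventIDs in the `selection` block of the new win_susp_add_sid_history.yml (patch 1/4, first hunk) describe different outcomes, 4765 (SID History was added to an account) and 4766 (an attempt to add SID History to an account failed), yet the description and the single `level: medium` treat them as one event; state both outcomes in the description, or split the rule so a successful addition can be rated above a failed attempt. `status: stable` is also a strong claim for a rule first introduced in this commit; a lower status such as `experimental` until the rule has been exercised against real Security logs would be the safer default.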
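Review bot: The `falsepositives` list in the new win_susp_dsrm_password_change.yml (patch 1/4, second hunk) names only the initial installation of a domain controller, but Event 4794 is also logged when an administrator deliberately resets the DSRM password (for example with ntdsutil's `set dsrm password`), which some environments do on a fixed schedule; at `level: high` that routine activity will raise an alert, so add the planned reset as a second entry or note the expected cadence. Both new rules additionally carry `EventLog: Security` inside `selection` while `logsource` only holds `product: windows`; moving the log name under `logsource` would keep `selection` to the event-specific fields and let the converters resolve the log source uniformly.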
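Review bot: The replaced README.md line in patch 2/4 still ends mid-sentence ("... for Elastic Search and Splunk as those"), so the hunk changes the link but leaves the truncated thought in place; since the paragraph is being touched anyway, finish the sentence in this commit rather than deferring it. The link text reads 'devel' while the URL points at the `devel-sigmac` branch path; either name the branch as it exists or adjust the wording so readers checking out `devel` are not misled.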
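Review bot: The new sentence in the first README.md hunk of patch 3/4 spells the product "ElasticSearch", while the unchanged list item further down in the same file ("Release of the first rule converters for Elastic Search and Splunk") and the previous wording use "Elastic Search"; choose one spelling (the vendor writes it Elasticsearch) and apply it in both places in this commit.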
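Review bot: Replacing "Collecting rule input from fellow researchers and analysts" with "Integration into Threat Intel Exchanges, e.g. MISP" in the second README.md hunk of patch 3/4 removes the only next step about gathering community contributions, and the commit message ("changed 'next steps'") does not say why; if that goal was folded into the final item about threat sharing platforms, say so, otherwise keep both entries since one is not a substitute for the other.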
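Review bot: With `condition: selection and keywords` replaced by `condition: keywords` in web_webshell_keyword.yml (patch 4/4), any `selection` block that still exists above line 8 becomes dead definition; the hunk context does not show whether one is present, so confirm it is removed, or, if it was meant to scope the keywords to a particular log source, repair the reference instead of dropping it. The listed keywords also match only one URL encoding: `=net%20user` and `=cmd%20/c%20` will not match the same parameter when spaces are sent as `+`, so either add those variants or state in the description that the rule assumes percent-encoded spaces, and extend the `falsepositives` entries accordingly.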