security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

split the rule by LogonType

Browse Source
This commit is contained in:
frack113
2023-01-22 21:14:10 +01:00
parent f5197d20d1
commit 299fe649a2
2 changed files with 43 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/security/win_security_successful_external_remote_svc_login.yml → rules/windows/builtin/security/win_security_successful_external_remote_rdp_login.yml
+6 -5
View File
@@ -1,5 +1,8 @@
title: External Remote Service Logon from Public IP
title: External Remote RDP Logon from Public IP
id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
related:
- id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
type: derived
status: experimental
description: Detects successful logon from public IP address via RDP, SMB, etc. This can indicate a publicly-exposed RDP or SMB port.
references:
@@ -19,9 +22,7 @@ logsource:
detection:
selection:
EventID: 4624
LogonType:
- 3 # Network logon such as SMB
- 10 # RemoteInteractive logon such as RDP
LogonType: 10
filter_username:
SubjectUserName: '-'
filter_src_ip:
@@ -33,4 +34,4 @@ detection:
condition: selection and not filter_username and not filter_src_ip
falsepositives:
- Legitimate or intentional inbound connections from public IP addresses on RDP or SMB ports.
level: medium
level: medium
rules/windows/builtin/security/win_security_successful_external_remote_smb_login.yml
+37
View File
@@ -0,0 +1,37 @@
title: External Remote SMB Logon from Public IP
id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
related:
- id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
type: derived
status: experimental
description: Detects successful logon from public IP address via RDP, SMB, etc. This can indicate a publicly-exposed RDP or SMB port.
references:
- https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
- https://twitter.com/Purp1eW0lf/status/1616144561965002752
author: Micah Babinski, @micahbabinski
date: 2023/01/19
tags:
- attack.initial_access
- attack.credential_access
- attack.t1133
- attack.t1078
- attack.t1110
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 3
filter_username:
SubjectUserName: '-'
filter_src_ip:
- IpAddress|cidr: 10.0.0.0/8
- IpAddress|cidr: 172.16.0.0/12
- IpAddress|cidr: 192.168.0.0/16
- IpAddress|cidr: 224.0.0.0/4
- IpAddress|cidr: 127.0.0.0/8
condition: selection and not filter_username and not filter_src_ip
falsepositives:
- Legitimate or intentional inbound connections from public IP addresses on RDP or SMB ports.
level: high