From 49f68a327a88bf7c6d527e12885941c894670619 Mon Sep 17 00:00:00 2001
From: Tatsuya Ito
Date: Tue, 19 May 2020 18:00:50 +0900
Subject: [PATCH 1/3] enhancement rule
---
rules/windows/builtin/win_alert_ad_user_backdoors.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index 217b73a47..d29647c13 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -19,6 +19,8 @@ logsource:
 detection:
 selection1:
 EventID: 4738
+ filter_null:
+ AllowedToDelegateTo: null
 filter1:
 AllowedToDelegateTo:
 - null
@@ -33,7 +35,7 @@ detection:
 selection4:
 EventID: 5136
 AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
- condition: (selection1 and not 1 of filter*) or selection2 or selection3 or selection4
+ condition: (selection1 and not filter1 and not filter_null) or selection2 or selection3 or selection4
 falsepositives:
 - Unknown
 level: high
From c815773b1abf32ef2ba94f333b8421a389362875 Mon Sep 17 00:00:00 2001
From: Tatsuya Ito
Date: Tue, 19 May 2020 18:05:51 +0900
Subject: [PATCH 2/3] enhancement rule
---
rules/windows/builtin/win_susp_add_sid_history.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml
index 21ac8c611..0a407a6e0 100644
--- a/rules/windows/builtin/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/win_susp_add_sid_history.yml
@@ -24,7 +24,9 @@ detection:
 SidHistory:
 - '-'
 - '%%1793'
- condition: selection1 or (selection2 and not selection3)
+ filter_null:
+ SidHistory: null
+ condition: selection1 or (selection2 and not selection3 and not filter_null)
 falsepositives:
 - Migration of an account into a new domain
 level: medium
From 9ab65cd1c73a9225a2090f81d07064761df487c1 Mon Sep 17 00:00:00 2001
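Review bot: The new `filter_null` block gives no reason why `null` is kept in a block of its own instead of in `filter1`'s value list, so the next edit is likely to fold it back; a one-line comment above `filter_null:` such as `# null means "AllowedToDelegateTo absent from the event"; kept apart from filter1 so backends can translate it to a field-missing test` would settle that. In Sigma a `null` value is presumably rendered as a field-exists check, which means this exclusion silently mutes every 4738 event whose AllowedToDelegateTo attribute the collector did not forward, so the comment should also say the rule assumes the attribute is always present. The rest of the `detection` block (selection2 onward and the condition) lies outside this hunk.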
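Review bot: The added `filter_null` exclusion makes the 4738 branch depend on the SidHistory field being present in the event, so a collector that drops dash-valued attributes or renames the field would mute that branch without any error; that assumption deserves a comment next to it, e.g. `# null = SidHistory not present in the event; the 4738 branch needs the collector to forward the attribute even when unchanged`. The naming of the new condition is also inconsistent: the exclusion it is combined with is called `selection3` while the new one is `filter_null`, so renaming `selection3` to `filter_dash` and writing `condition: selection1 or (selection2 and not filter_dash and not filter_null)` would make the intent readable. `selection1`, `selection2` and the `selection3:` key itself are defined above this hunk.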
From: Florian Roth
Date: Tue, 19 May 2020 14:50:22 +0200
Subject: [PATCH 3/3] Update win_alert_ad_user_backdoors.yml
---
rules/windows/builtin/win_alert_ad_user_backdoors.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index d29647c13..9ce1e7e78 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -22,9 +22,7 @@ detection:
 filter_null:
 AllowedToDelegateTo: null
 filter1:
- AllowedToDelegateTo:
- - null
- - '-'
+ AllowedToDelegateTo: '-'
 selection2:
 EventID: 5136
 AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
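Review bot: With `null` removed, `filter1` now excludes only the literal dash, whereas the sibling rule changed in this same series (win_susp_add_sid_history) excludes both `'-'` and the `'%%1793'` resource-string form for its 4738 attribute; if AllowedToDelegateTo can be rendered that way by some collectors (I cannot confirm that from here), unchanged 4738 events would pass the filter and fire this high-severity rule as noise. If it can, the value should become a list again, `AllowedToDelegateTo:` with `- '-'` and `- '%%1793'`; if it cannot, a comment such as `# '-' = attribute unchanged in this 4738 event; no %%1793 form observed for this field` would stop the next reader from adding it blindly. The `condition` that consumes filter1 lies below this hunk.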