fix: Rewrite another message rule
Rewrites another message rule. This one is a bit more complex since a bitmap is used and the string representation is not available.
@@ -17,15 +17,67 @@ logsource:
detection:
selection:
EventID: 4738
keywords:
Message|contains:
- 'DES'
- 'Preauth'
- 'Encrypted'
filters:
Message|contains:
- 'Enabled'
condition: selection and keywords and filters
olduac_des: # 0x8000
OldUacValue|endswith:
- 8???
- 9???
- A???
- B???
- C???
- D???
- E???
- F???
newuac_des:
NewUacValue|endswith:
- 8???
- 9???
- A???
- B???
- C???
- D???
- E???
- F???
olduac_preauth: # 0x10000
OldUacValue|endswith:
- 1????
- 3????
- 5????
- 7????
- 9????
- B????
- D????
- F????
newuac_preauth:
NewUacValue|endswith:
- 1????
- 3????
- 5????
- 7????
- 9????
- B????
- D????
- F????
olduac_encrypted: # 0x800
OldUacValue|endswith:
- 8??
- 9??
- A??
- B??
- C??
- D??
- E??
- F??
newuac_encrypted:
NewUacValue|endswith:
- 8??
- 9??
- A??
- B??
- C??
- D??
- E??
- F??
condition: selection and ((newuac_des and not olduac_des) or (newuac_preauth and not olduac_preauth) or (newuac_encrypted and not olduac_encrypted))
falsepositives:
- Unknown
level: high
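Review bot: the nibble-wildcard patterns in the new olduac_*/newuac_* selections are correct but undocumented, so the next maintainer cannot verify them from the rule alone; the `# 0x8000`, `# 0x10000` and `# 0x800` comments sit only on the olduac_* selections, and nothing explains why `8???` through `F???` encode 0x8000 (the fourth hex digit from the right is 8-F exactly when that bit is set) or why the preauth list is the odd digits `1????`, `3????`, ... `F????` (0x10000 is the low bit of the fifth nibble, so any odd digit there means it is set). Suggest repeating the flag comments on `newuac_des`, `newuac_preauth` and `newuac_encrypted` and adding a one-line note above `olduac_des` stating the digit-position rule, plus a mention in `description` that the A-F literals rely on Sigma's default case-insensitive string matching, since the UAC values are hex strings whose letter case is not guaranteed.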