diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index c0904ce53..90af91660 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -17,15 +17,67 @@ logsource:
 detection:
 selection:
 EventID: 4738
- keywords:
- Message|contains:
- - 'DES'
- - 'Preauth'
- - 'Encrypted'
- filters:
- Message|contains:
- - 'Enabled'
- condition: selection and keywords and filters
+ olduac_des: # 0x8000
+ OldUacValue|endswith:
+ - 8???
+ - 9???
+ - A???
+ - B???
+ - C???
+ - D???
+ - E???
+ - F???
+ newuac_des:
+ NewUacValue|endswith:
+ - 8???
+ - 9???
+ - A???
+ - B???
+ - C???
+ - D???
+ - E???
+ - F???
+ olduac_preauth: # 0x10000
+ OldUacValue|endswith:
+ - 1????
+ - 3????
+ - 5????
+ - 7????
+ - 9????
+ - B????
+ - D????
+ - F????
+ newuac_preauth:
+ NewUacValue|endswith:
+ - 1????
+ - 3????
+ - 5????
+ - 7????
+ - 9????
+ - B????
+ - D????
+ - F????
+ olduac_encrypted: # 0x800
+ OldUacValue|endswith:
+ - 8??
+ - 9??
+ - A??
+ - B??
+ - C??
+ - D??
+ - E??
+ - F??
+ newuac_encrypted:
+ NewUacValue|endswith:
+ - 8??
+ - 9??
+ - A??
+ - B??
+ - C??
+ - D??
+ - E??
+ - F??
+ condition: selection and ((newuac_des and not olduac_des) or (newuac_preauth and not olduac_preauth) or (newuac_encrypted and not olduac_encrypted))
 falsepositives:
 - Unknown
 level: high
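Review bot: The bit positions behind the new `olduac_*`/`newuac_*` selections are only correct for the SAM USER_* flag encoding that event 4738 renders in its Old/New UAC Value fields (USER_USE_DES_KEY_ONLY 0x8000, USER_DONT_REQUIRE_PREAUTH 0x10000, USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED 0x800), which differs from the LDAP userAccountControl attribute where the same flags are 0x200000, 0x400000 and 0x80, and the bare `# 0x8000` style comments do not say so. A maintainer checking the rule against the LDAP table would conclude the nibble patterns are wrong, so a comment such as `# 4738 Old/New UAC Value uses the SAM USER_* flag encoding, not the LDAP userAccountControl values` above `olduac_des` would prevent that. The `endswith` nibble wildcards also rely on the field arriving as the hex string the event emits (`0x…`); a log pipeline that normalises it to a decimal integer would presumably never match any of the six selections and the rule would go quiet without error, which deserves a line in the rule's description or a comment next to `condition`. Sigma string matching is case-insensitive, so lowercase hex digits in the rendered value should still match the uppercase patterns.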