From e1ef8f40559a7c54f94aa1065893fdfa79fd61fa Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Fri, 13 Aug 2021 10:28:34 +0200
Subject: [PATCH] fix: Rewrite another message rule
Rewrites another message rule. This one is a bit more complex since a bitmap is used and the string representation is not available.
---
 .../win_alert_enable_weak_encryption.yml | 70 ++++++++++++++++---
 1 file changed, 61 insertions(+), 9 deletions(-)
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index c0904ce53..90af91660 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -17,15 +17,67 @@ logsource:
 detection:
 selection:
 EventID: 4738
- keywords:
- Message|contains:
- - 'DES'
- - 'Preauth'
- - 'Encrypted'
- filters:
- Message|contains:
- - 'Enabled'
- condition: selection and keywords and filters
+ olduac_des: # 0x8000
+ OldUacValue|endswith:
+ - 8???
+ - 9???
+ - A???
+ - B???
+ - C???
+ - D???
+ - E???
+ - F???
+ newuac_des:
+ NewUacValue|endswith:
+ - 8???
+ - 9???
+ - A???
+ - B???
+ - C???
+ - D???
+ - E???
+ - F???
+ olduac_preauth: # 0x10000
+ OldUacValue|endswith:
+ - 1????
+ - 3????
+ - 5????
+ - 7????
+ - 9????
+ - B????
+ - D????
+ - F????
+ newuac_preauth:
+ NewUacValue|endswith:
+ - 1????
+ - 3????
+ - 5????
+ - 7????
+ - 9????
+ - B????
+ - D????
+ - F????
+ olduac_encrypted: # 0x800
+ OldUacValue|endswith:
+ - 8??
+ - 9??
+ - A??
+ - B??
+ - C??
+ - D??
+ - E??
+ - F??
+ newuac_encrypted:
+ NewUacValue|endswith:
+ - 8??
+ - 9??
+ - A??
+ - B??
+ - C??
+ - D??
+ - E??
+ - F??
+ condition: selection and ((newuac_des and not olduac_des) or (newuac_preauth and not olduac_preauth) or (newuac_encrypted and not olduac_encrypted))
 falsepositives:
 - Unknown
 level: high
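Review bot: Only the olduac_* selections carry the `# 0x8000` / `# 0x10000` / `# 0x800` markers, and none of the six explains why `8???`..`F???`, `1????`..`F????` and `8??`..`F??` encode those bits, so a maintainer cannot verify the lists without re-deriving the nibble arithmetic (the flag is the high bit of the 4th, respectively 3rd, hex digit from the right, and the low bit of the 5th, hence the 8-F and odd-digit sets). Propose one comment per selection pair, e.g. on olduac_des/newuac_des `# 0x8000 (DES keys only) in the SAM-style UAC encoding that event 4738 renders, not the LDAP userAccountControl value: the 4th hex digit from the right is 8-F`, with matching wording on the preauth and encrypted-text blocks. The comments should also record that the match relies on OldUacValue/NewUacValue arriving as the `0x`-prefixed hex string the commit's comments assume; a pipeline that normalizes these fields to integers makes this high-level rule match nothing rather than fire noisily, which is a silent blind spot worth a line in the rule's description. The rule's title, description and references sit above the hunk, so if they still describe the old Message-based matching they need the same update.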