azureEventHub_windows-misc.rules
# Sagan windows-misc.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Windows based rules.
# Eventlog to syslog service. This is what we primarily use.
# http://code.google.com/p/eventlog-to-syslog/
# --- Disabled rules (leading '#') kept for reference; re-enable by removing the '#'.
# sid:5009219 and sid:5009220 already use json_map to take EventID / RenderedDescription
# from the Event Hub JSON; the other disabled rules in this group match raw content only.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Detection of net listening application [0/5]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 5154,861; threshold: type suppress, track by_username, count 5, seconds 300; classtype: network-event; program: *Security*; sid:5009219; metadata: created_on 2022_11_22, old_sid 5000306; rev:10;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Privileged Service Called"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4673,577; classtype: successful-admin; program: *Security*; sid:5009220; metadata: created_on 2022_11_22, old_sid 5000307; rev:9;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Apple Bonjour service detect [iTunes installed?]"; classtype: policy-violation; program: Bonjour; sid:5009221; metadata: created_on 2022_11_22, old_sid 5000308; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application error"; content: " 1001|3a| "; classtype: program-error; program: Application; sid:5009222; metadata: created_on 2022_11_22, old_sid 5000309; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application hang"; content: " 1002|3a| "; classtype: program-error; program: Application; sid:5009223; metadata: created_on 2022_11_22, old_sid 5000310; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application popup"; content: " 333|3a| "; classtype: program-error; program: Application; sid:5009224; metadata: created_on 2022_11_22, old_sid 5000311; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] SCSI bug fault occurred"; content: "SCSI bus fault"; classtype: hardware-event; program: CPQCISSE; sid:5009225; metadata: created_on 2022_11_22, old_sid 5000316; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Job completed with exceptions"; content: " 57755|3a| "; classtype: program-error; program: Backup; sid:5009226; metadata: created_on 2022_11_22, old_sid 5000312; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Job cancellation"; content: " 34114|3a| "; classtype: program-error; program: Backup; sid:5009227; metadata: created_on 2022_11_22, old_sid 5000313; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Alert - insert media"; content: " 58061|3a| "; classtype: hardware-event; program: Backup; sid:5009228; metadata: created_on 2022_11_22, old_sid 5000314; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Service started"; content: " 57996|3a| "; classtype: system-event; program: Backup; sid:5009229; metadata: created_on 2022_11_22, old_sid 5000315; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Citrix message"; classtype: system-event; program: Citrix; sid:5009230; metadata: created_on 2022_11_22, old_sid 5000317; rev:3;)
# --- Active rules. These match on content only (no json_map), so they fire only if the
# "<id>:" / text fragments below appear in the message text as delivered by the Event Hub
# feed. NOTE(review): confirm against a live sample; sid:5009219 above shows the json_map
# form used by the newer rules in this file.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Trusted Platform Module [TPM] Error. User name not found"; content: " 17150|3a| "; classtype: unsuccessful-user; program: DAC; sid:5009231; metadata: created_on 2022_11_22, old_sid 5000318; rev:4;)
# Event-log service health. A corrupted, stopped or erroring event log is itself a
# visibility gap (later audit events may never arrive), so these stay enabled.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service was corrupted"; content: "was corrupted"; classtype: program-error; program: Eventlog; sid:5009232; metadata: created_on 2022_11_22, old_sid 5000319; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service was stopped"; content: "Service Stopped"; classtype: system-event; program: Eventlog; sid:5009233; metadata: created_on 2022_11_22, old_sid 5000320; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service returned error"; content: "returned error"; classtype: program-error; program: Eventlog; sid:5009234; metadata: created_on 2022_11_22, old_sid 5000322; rev:3;)
# --- Disabled informational / software-inventory rules (uptime, IPSec, LSASRV, MS-SQL
# start-up, MsiInstaller activity, NtServicePack, SNMP, Google updater services).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service reporting uptime [in seconds]"; content: "The system uptime"; classtype: not-suspicious; program: Eventlog; sid:5009235; metadata: created_on 2022_11_22, old_sid 5000323; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] IPSec message"; classtype: not-suspicious; program: IPSec; sid:5009236; metadata: created_on 2022_11_22, old_sid 5000324; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] LSASRV - Could not establish a secure connection"; content: " 40961|3a| "; classtype: network-event; program: LSASRV; sid:5009237; metadata: created_on 2022_11_22, old_sid 5000381; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MISC] MS-SQL - Server started"; content: "Microsoft SQL Server"; classtype: system-event; program: MSSQLSERVER; sid:5009238; metadata: created_on 2022_11_22, old_sid 5000325; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MISC] MS-SQL - Server listening on network"; content: "SQL server listening"; classtype: network-event; program: MSSQLSERVER; parse_src_ip: 1; parse_port; sid:5009239; metadata: created_on 2022_11_22, old_sid 5000326; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Client successfully installed software"; content: "installed successfully"; nocase; classtype: not-suspicious; program: MsiInstaller; sid:5009240; metadata: created_on 2022_11_22, old_sid 5000327; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Google Toolbar installed"; content: "Google Toolbar"; content: "installed successfully"; nocase; classtype: policy-violation; program: MsiInstaller; sid:5009241; metadata: created_on 2022_11_22, old_sid 5000328; rev:2;)
# NOTE(review): sid:5009242 and sid:5009243 share the msg "Google Toolbar updated" but
# match different strings; distinct msg text would make them distinguishable in output.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Google Toolbar updated"; content: "Google Toolbar"; content: "Update"; nocase; classtype: policy-violation; program: MsiInstaller; sid:5009242; metadata: created_on 2022_11_22, old_sid 5000329; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Google Toolbar updated"; content: "Google Update Helper"; content: "Update"; nocase; classtype: policy-violation; program: MsiInstaller; sid:5009243; metadata: created_on 2022_11_22, old_sid 5000331; rev:2;)
# Active: installation of the "RegWork" registry-cleaner product, classed as a policy
# violation. NOTE(review): msg has a typo ("clearner"); correcting it means bumping rev.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - RegWork - Registry clearner"; content: "RegWork"; content: "Product"; classtype: policy-violation; program: MsiInstaller; sid:5009244; metadata: created_on 2022_11_22, old_sid 5000330; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Client successfully updated software"; content: "Update"; nocase; classtype: not-suspicious; program: MsiInstaller; sid:5009245; metadata: created_on 2022_11_22, old_sid 5000332; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] NtServicePack messsage - package or hotfix installed"; content: "was installed"; classtype: not-suspicious; program: NtServicePack; sid:5009246; metadata: created_on 2022_11_22, old_sid 5000334; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] SNMP Service has started successfully"; content: " 1001|3a| "; classtype: system-event; program: SNMP; sid:5009247; metadata: created_on 2022_11_22, old_sid 5000335; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Google Software Updater service is active"; content: "Google Software Updater service"; classtype: policy-violation; program: Service; sid:5009248; metadata: created_on 2022_11_22, old_sid 5000336; rev:2;)
# NOTE(review): sid:5009249 and sid:5009250 are identical apart from sid/old_sid (same
# msg, content, classtype and program); one of the two is redundant.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Google update service is active"; content: "Google Update Service"; classtype: policy-violation; program: Service; sid:5009249; metadata: created_on 2022_11_22, old_sid 5000337; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Google update service is active"; content: "Google Update Service"; classtype: policy-violation; program: Service; sid:5009250; metadata: created_on 2022_11_22, old_sid 5000338; rev:2;)
# Active: a Tenable Nessus service is present on the host. Classed policy-violation because
# an unapproved vulnerability scanner is a policy issue even when its scans are benign; for
# approved scanner hosts prefer a threshold/suppress entry over disabling the rule.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Tenable Nessus service is active [pen-test tool]"; content: "Tenable Nessus"; classtype: policy-violation; program: Service; sid:5009251; metadata: created_on 2022_11_22, old_sid 5000339; rev:2;)
# Disabled: service start-up notices (RasMan, Bonjour) and Symantec AntiVirus status events.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Remote Access Connection Manager service is active"; content: "Remote Access Connection Manager"; classtype: network-event; program: Service; sid:5009252; metadata: created_on 2022_11_22, old_sid 5000340; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Bonjour service is active [iTunes installed?]"; content: "Bonjour"; classtype: policy-violation; program: Service; sid:5009253; metadata: created_on 2022_11_22, old_sid 5000382; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus startup successful"; content: "startup was successful"; classtype: system-event; program: Symantec; sid:5009254; metadata: created_on 2022_11_22, old_sid 5000341; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus couldn't scan some files or directories"; content: "Could not scan"; classtype: program-error; program: Symantec; sid:5009255; metadata: created_on 2022_11_22, old_sid 5000342; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus New virus definition file loaded"; content: "New virus definition file loaded"; classtype: not-suspicious; program: Symantec; sid:5009256; metadata: created_on 2022_11_22, old_sid 5000343; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus Successful remote connect by administrator"; content: "with Admin role"; content: "User"; content: "connected from"; classtype: successful-admin; program: Symantec; sid:5009257; metadata: created_on 2022_11_22, old_sid 5000344; rev:3;)
# Active: Nessus scanner start-up (companion to sid:5009251 above), keyed on program: Tenable.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Tenable Nessus started [pen-test tool]"; content: "started successfully"; classtype: suspicious-traffic; program: Tenable; sid:5009258; metadata: created_on 2022_11_22, old_sid 5000345; rev:2;)
# Disabled: WinRM listener start (10148).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinRM [Windows Remote Management] is started and listening"; content: " 10148|3a| "; classtype: network-event; program: WinRM; sid:5009259; metadata: created_on 2022_11_22, old_sid 5000346; rev:3;)
# --- WinVNC4 server log events. parse_src_ip: 1 / parse_port take the connecting client
# address and port from the message text; default_proto / default_dst_port (tcp/5900) fill
# in the protocol and port when the message does not carry them. Option order differs a
# little between rules (sid:5009262 lists parse_src_ip before program) — presumably
# harmless, but worth normalising for readability.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection accepted"; content: "Connections"; content: "accepted"; default_proto: tcp; default_dst_port: 5900; classtype: network-event; program: WinVNC4; parse_src_ip: 1; parse_port; sid:5009260; metadata: created_on 2022_11_22, old_sid 5000347; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection closed - Requested security type not available"; content: "Requested security type not available"; content: "closed"; default_proto: tcp; default_dst_port: 5900; classtype: suspicious-traffic; program: WinVNC4; parse_src_ip: 1; parse_port; sid:5009261; metadata: created_on 2022_11_22, old_sid 5000348; rev:5;)
# Active: connection from a blacklisted client.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection blacklisted"; content: "blacklisted"; content: "Connections"; default_proto: tcp; default_dst_port: 5900; classtype: suspicious-traffic; parse_src_ip: 1; parse_port; program: WinVNC4; sid:5009262; metadata: created_on 2022_11_22, old_sid 5000349; rev:5;)
# Active: VNC authentication failure. NOTE(review): no threshold or after: option, so a
# password-guessing burst yields one alert per failure; an `after: track by_src, count N,
# seconds M` would collapse that into a single higher-signal alert (sid:5009297 below shows
# the after: syntax used in this file).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection Authentication failure"; content: "Authentication failure"; default_proto: tcp; default_dst_port: 5900; classtype: unsuccessful-user; program: WinVNC4; parse_src_ip: 1; parse_port; sid:5009263; metadata: created_on 2022_11_22, old_sid 5000350; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection close - reset by peer"; content: "Connection reset by peer"; content: "closed"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: 5900; classtype: not-suspicious; program: WinVNC4; sid:5009264; metadata: created_on 2022_11_22, old_sid 5000351; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection close - reset by peer [Non-shared]"; content: "Non-shared connection requested"; content: "closed"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: 5900; classtype: suspicious-traffic; program: WinVNC4; sid:5009265; metadata: created_on 2022_11_22, old_sid 5000352; rev:5;)
# Active: handshake dropped before the protocol version exchange completed (a non-VNC client
# or scanner touching the port).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection close - reading version failed"; content: "reading version failed"; content: "closed"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: 5900; classtype: suspicious-traffic; program: WinVNC4; sid:5009266; metadata: created_on 2022_11_22, old_sid 5000353; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection closed"; content: "Clean disconnection"; content: "closed"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: 5900; classtype: not-suspicious; program: WinVNC4; sid:5009267; metadata: created_on 2022_11_22, old_sid 5000354; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 HTTPServer event"; content: "HTTPServer"; default_proto: tcp; default_dst_port: 5900; classtype: network-event; program: WinVNC4; parse_src_ip: 1; parse_port; sid:5009268; metadata: created_on 2022_11_22, old_sid 5000355; rev:4;)
# Disabled: crypt32 third-party root list fetch failure (4107) and NTFS disk corruption (55).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Crypt32 Failed to extract third-party root list"; content: " 4107|3a| "; classtype: program-error; program: crypt32; sid:5009269; metadata: created_on 2022_11_22, old_sid 5000356; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Disk corruption [0/2]"; content: " 55|3a| "; classtype: hardware-event; program: Ntfs; threshold:suppress, track by_username, count 1, seconds 300; sid:5009270; metadata: created_on 2022_11_22, old_sid 5001056; rev:5;)
# Active: event 823 I/O error. NOTE(review): msg names MSSQLServer but program: is Ntfs —
# confirm which program name the source actually emits, otherwise the rule may never match.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MSSQLServer I/O error"; content: " 823|3a| "; classtype: program-error; program: Ntfs; sid:5009271; metadata: created_on 2022_11_22, old_sid 5001096; rev:4;)
# Disabled: MsiInstaller uninstall/install (11724/11707) and Security shutdown (4609 / legacy 513).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application uninstall"; content: " 11724|3a| "; classtype: program-error; program: MsiInstaller; sid:5009272; metadata: created_on 2022_11_22, old_sid 5001182; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application install"; content: " 11707|3a| "; classtype: program-error; program: MsiInstaller; sid:5009273; metadata: created_on 2022_11_22, old_sid 5001183; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows is shutting down"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4609,513; classtype: program-error; program: *Security*; sid:5009274; metadata: created_on 2022_11_22, old_sid 5001184; rev:8;)
# Active: file system full (13570) from NtFrs or Ntfs ('|' in program: is an OR of names).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] File system full"; content: " 13570|3a| "; classtype: system-error; program: NtFrs|Ntfs; sid:5009275; metadata: created_on 2022_11_22, old_sid 5001191; rev:4;)
# Active: system time changed (4616 / legacy 520). The negative content excludes the VMware
# Tools service path so routine hypervisor time sync does not alert; clock changes by any
# other process still do (relevant to log-timeline integrity).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] System time has changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4616,520; content:!"|3a|\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"; classtype: system-event; program: *Security*; sid:5009276; metadata: created_on 2022_11_22, old_sid 5001194; rev:11;)
# Sample DHCP-Server messages the rules below were written against:
# DHCP-Server| 1063: There are no IP addresses available for lease in the scope or superscope "VLAN_311_Example".
# DHCP-Server| 1020: Scope, 10.100.1.0, is 97 percent full with only 2 IP addresses remaining.
# Disabled: scope nearly full / scope full (event 1020), suppressed to one alert per tracked
# username per 900 s.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope is almost full"; content: " 1020|3a| "; classtype: program-error; program: DHCP-Server; threshold: type suppress, track by_username, count 1, seconds 900; sid:5009277; metadata: created_on 2022_11_22, old_sid 5001649; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope is FULL"; content: "100 percent full"; content: " 1020|3a| "; classtype: program-error; program: DHCP-Server; threshold: type suppress, track by_username, count 1, seconds 900; sid:5009278; metadata: created_on 2022_11_22, old_sid 5001716; rev:5;)
# BAD RULE BELOW — disabled on purpose: its content " 5001650|3a| " is the rule's own old_sid,
# not an event ID (the no-addresses-left event in the sample above is 1063). Do not
# re-enable until the content is corrected and rev is bumped.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope if full. No IP addresses left"; content: " 5001650|3a| "; classtype: network-event; program: DHCP-Server; sid:5009279; metadata: created_on 2022_11_22, old_sid 5001650; rev:3;)
# Active: Security audit log cleared (1102 / legacy 517). The text "audit log was cleared"
# is required in the message in addition to the event ID, so a differently rendered
# description (other locale or phrasing) would not match. NOTE(review): confirm the
# rendered text on the Event Hub feed.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows audit log was cleared"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1102,517; content: "audit log was cleared"; classtype: system-event; program: *Security*|Eventlog; sid:5009280; metadata: created_on 2022_11_22, old_sid 5001185; rev:10;)
# Brian Echeverry - 05/07/2015
# SID 5002272 and 5002273 are noisy.
# Disabled: directory-service object modified / created / undeleted / moved (5136-5139).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was modified"; content: " 5136|3a| "; classtype: configuration-change; program: *Security*; sid:5009281; metadata: created_on 2022_11_22, old_sid 5002272; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was created"; content: " 5137|3a| "; classtype: configuration-change; program: *Security*; sid:5009282; metadata: created_on 2022_11_22, old_sid 5002273; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was undeleted"; content: " 5138|3a| "; classtype: configuration-change; program: *Security*; sid:5009283; metadata: created_on 2022_11_22, old_sid 5002274; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was moved"; content: " 5139|3a| "; classtype: configuration-change; program: *Security*; sid:5009284; metadata: created_on 2022_11_22, old_sid 5002275; rev:3;)
# Active: host shutdown / reboot events (1074, 6006, 41, 6008, 1076). Sets the flexbit
# reboot.windows for 3600 s so sid:5009291 (event 1100) can tell a shutdown-related logging
# stop from an unexplained one; flexbits:noeve limits what this rule itself emits.
# NOTE(review): this header is $HOME_NET -> $EXTERNAL_NET while the consumer rule is
# $EXTERNAL_NET -> $HOME_NET and tests the bit by_src — confirm the set/isnotset pairing
# resolves to the same key.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MISC] System shutdown [XBIT SET]"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1074,6006,41,6008,1076; program: *System*|*USER32*; flexbits: set,reboot.windows,3600; flexbits:noeve; classtype: system-event; sid:5009285; metadata: created_on 2022_11_22, old_sid 5002014; rev:31;)
# Added by Brian Echeverry (09/22/2015)
# Active: Microsoft Antimalware signature-update failure (event 2001). username is mapped
# from .Computer, so the suppress threshold is effectively one alert per host per day.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Microsoft Antimalware has encountered an error trying to update signatures"; program: *Microsoft_Antimalware*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 2001; threshold: type suppress, track by_username, count 1, seconds 86400; classtype: program-error; sid:5009286; metadata: created_on 2022_11_22, old_sid 5002392; rev:5;)
# Rules added by Brian Echeverry ( [email protected]) - 10/21/2015
# Active: event 521, the host could not write to the Security log — an audit gap worth
# following up; same username/.Computer mapping, so one alert per host per day.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Unable to log events to security log"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 521; threshold: type suppress, track by_username, count 1, seconds 86400; classtype: program-error; program: *Security*; sid:5009287; metadata: created_on 2022_11_22, old_sid 5002564; rev:5;)
# Added by Champ Clark III (04/20/2016) - Great read at http://pastebin.com/raw/0SNSvyjJ
# Disabled: generic new-service-installed via the Service Control Manager (7045), with
# negative content for known agents (ForeScout, nxlog, ccmsetup).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of service via SCM"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 7045; content:!"ForeScout"; nocase; content:!"nxlog"; nocase; content:!"ccmsetup"; nocase; classtype: suspicious-traffic; program: System|Service_Control_Manager; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5009288; metadata: created_on 2022_11_22, old_sid 5002817; rev:5;)
# Active: new service installed as recorded by the Security audit log (4697 / legacy 601).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of new service via Security Audit "; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4697,601; classtype: suspicious-traffic; program: *Security*; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5009289; metadata: created_on 2022_11_22, old_sid 5002818; rev:5;)
# Active: VSS event 8225; sets flexbit vss_shutdown for 1200 s, consumed by sid:5009291.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] VSS shutdown [XBIT SET]"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 8225; flexbits: set,vss_shutdown,1200; flexbits:noeve; classtype: program-error; program: *Application*; sid:5009290; metadata: created_on 2022_11_22, old_sid 5005745; rev:2;)
# Added by Champ Clark III (08/19/2016)
# Active: event 1100 (event logging service shut down). Alerts only when none of the
# reboot.windows, nxlog_shutdown or vss_shutdown flexbits is set for the source, i.e. the
# logging stop is not explained by a known shutdown; flexbits_pause: 1200 presumably holds
# the check long enough for those bits to arrive. NOTE(review): nxlog_shutdown is not set by
# any rule in this file — confirm it is set elsewhere, otherwise that test is always true.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Suspicious event logging service shutdown."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1100; flexbits: isnotset,by_src,reboot.windows; flexbits: isnotset,by_src,nxlog_shutdown; flexbits: isnotset,by_src,vss_shutdown; flexbits_pause: 1200; classtype: suspicious-traffic; program: *Security*; sid:5009291; metadata: created_on 2022_11_22, old_sid 5002941; rev:11;)
# Added by Champ Clark III (09/01/2016)
# These target strange errors seen by evtsys.
# Active: event 104 with "cleared" — a log was cleared (counterpart of sid:5009280, which
# covers the Security log).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Event log has been cleared."; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 104; content: "cleared"; classtype: suspicious-traffic; program: *Eventlog*; sid:5009292; metadata: created_on 2022_11_22, old_sid 5002954; rev:4;)
# Disabled. NOTE(review): program: The in sid:5009293 looks like a mis-parsed program field;
# re-check the source message before re-enabling.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Logging has been stopped on this device"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 570; content: "callback"; classtype: suspicious-traffic; program: The; sid:5009293; metadata: created_on 2022_11_22, old_sid 5002955; rev:4;)
#alert any $HOME_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Fan failure detected"; content:" 10|3a| Fan "; content:" has failed"; classtype: hardware-event; program: System; sid:5009294; metadata: created_on 2022_11_22, old_sid 5003040; rev:2;)
# Active: a service named PSEXEC installed, as recorded by the Security audit log (4697 / 601).
# Both PSEXEC rules key on the service name string; sid:5009289 above remains the catch-all
# for any new service regardless of name.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of PSEXEC service via Security Audit "; content: "PSEXEC"; nocase; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4697,601; classtype: suspicious-traffic; program: *Security*; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5009295; metadata: created_on 2022_11_22, old_sid 5003105; rev:5;)
# Active: same, via the SCM 7045 message. NOTE(review): unlike sid:5009295 and the disabled
# sid:5009288, this rule still matches " 7045|3a| " as raw content rather than using
# json_map + event_id: 7045; if the feed is JSON it may never fire — convert (and bump rev)
# if so.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of PSEXEC service via SCM"; content: "PSEXEC"; nocase; content: " 7045|3a| "; content:!"ForeScout"; nocase; content:!"nxlog"; nocase; content:!"ccmsetup"; nocase; classtype: suspicious-traffic; program: System|Service_Control_Manager; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5009296; metadata: created_on 2022_11_22, old_sid 5003106; rev:2;)
# Disabled: Kerberoasting via TGS requests (4769) — fires after 10 matching requests per
# username in 60 s, then suppresses further alerts for an hour.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Potential Kerberoasting Activity Detected - EID 4769 [10/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4769; content: !"Ticket Encryption Type|3a| 0x12"; content: !"Ticket Encryption Type|3a| 0xFFFFFFFF"; nocase; content: !"|24|"; content:"Ticket Options: 0x40810000"; nocase; after:track by_username, count 10, seconds 60; threshold:type suppress, track by_username, count 1, seconds 3600; classtype:successful-admin; reference: url,adsecurity.org/?p=3458; sid:5009297; metadata: created_on 2022_11_22, old_sid 5006529; rev:3;)
# Active: event 4611 registering the logon process "User32LogonProcesss". The triple 's' is
# believed to be the literal string the tool registers — do not "correct" it.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Rubeus successful TGT Enumeration"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4611; content: "Logon Process Name|3a| User32LogonProcesss"; nocase; classtype:successful-admin; reference: url,posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1;sid:5009298; metadata: created_on 2022_11_22, old_sid 5006530; rev:2;)
# Active: TGT requests (4768) that are neither AES256 (0x12) nor failures (0xFFFFFFFF), 10
# per username (.Computer) in 60 s, suppressed to one alert per hour. content: !"|24|" drops
# any message containing a '$' anywhere, not only machine-account names. NOTE(review): 4768
# is the AS-REQ/TGT event; the TGS-based Kerberoasting rule is the disabled sid:5009297.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Potential Kerberoasting Activity Detected - EID 4768 [10/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4768; content: !"Ticket Encryption Type|3a| 0x12"; content: !"Ticket Encryption Type|3a| 0xFFFFFFFF"; nocase; content: !"|24|"; after:track by_username, count 10, seconds 60; threshold:type suppress, track by_username, count 1, seconds 3600; classtype:successful-admin; reference:url,redsiege.com/tools-techniques/2020/10/detecting-kerberoasting/; sid:5009299; metadata: created_on 2022_11_22, old_sid 5008394; rev:1;)
# Active: 4624 with logon type 9, logon process seclogo and the Negotiate package (the
# pass-the-hash pattern described in the references). NOTE(review): message is mapped
# twice (.Message, then .RenderedDescription) — presumably the later mapping wins; drop the
# unused one. The netwrix-svc exclusion is site-specific and should be tuned per deployment.
alert any $HOME_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Pass the Hash Detected"; json_map:"message",".Message"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4624; content:!"Account Name: SYSTEM"; content:!"Network Account Name: netwrix-svc"; content:"Logon Type: 9"; content:"Logon Process: seclogo"; content:"Authentication Package: Negotiate"; classtype:trojan-activity; reference:url,thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/; reference:url,blog.netwrix.com/2021/11/30/how-to-detect-pass-the-hash-attacks/; sid:5009300; metadata: created_on 2022_11_22, old_sid 5008395; rev:3;)
# Active: AS-REP roasting indicators in 4768 — RC4 (0x17) with pre-authentication type 0.
# NOTE(review): Windows renders Ticket Options as 8 hex digits; the 7-digit "0x4080010"
# below looks like a dropped zero and may never match — verify against a real 4768 sample
# before relying on this rule.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Potential AS-REP Roasting Activity Detected - EID 4768"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4768; content:"Ticket Options|3a| 0x4080010"; content:"Ticket Encryption Type|3a| 0x17"; content: !"|24|"; content:"Pre-Authentication Type|3a| 0"; classtype:successful-admin; reference:url,https://blog.certcube.com/as-rep-roasting-attack/; sid:5009301; metadata: created_on 2022_11_22, old_sid 5008405; rev:1;)