paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-10-23 00:02:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Create 300001-win_sigma_rules_builtin.xml

Browse Source
This commit is contained in:
SOCFortress
2022-08-08 22:10:02 -05:00
committed by GitHub
parent 6220fdd911
commit 9f91dc5632
1 changed files with 87 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
Windows Sigma Rules/300001-win_sigma_rules_builtin.xml Normal file
View File

@@ -0,0 +1,87 @@
<group name="windows,security,">
<rule id="300001" level="15">
<if_sid>60001</if_sid>
<description>Powerview Add-DomainObjectAcl DCSync AD Extend Right</description>
<mitre>
<id>T1098</id>
</mitre>
<options>no_full_log</options>
<field name="win.eventdata.AttributeLDAPDisplayName">^ntSecurityDescriptor$</field>
<field name="win.eventdata.EventID">^5136$</field>
<field name="win.eventdata.AttributeValue">1131f6ad-9c07-11d1-f79f-00c04fc2dcd2|1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|89e95b76-444d-4c62-991a-0facbeda640c</field>
<group>sigma_rules,</group>
</rule>
<rule id="300002" level="15">
<if_sid>60001</if_sid>
<description>AD Object WriteDAC Access</description>
<mitre>
<id>T1222</id>
</mitre>
<options>no_full_log</options>
<field name="win.eventdata.EventID">^4662$</field>
<field name="win.eventdata.ObjectServer">^DS$</field>
<field name="win.eventdata.AccessMask">^0x40000$</field>
<field name="win.eventdata.ObjectType">19195a5b-6da0-11d0-afd3-00c04fd930c9|domainDNS</field>
<group>sigma_rules,</group>
</rule>
<rule id="300003" level="15">
<if_sid>60001</if_sid>
<description>Active Directory Replication from Non Machine Account</description>
<mitre>
<id>T1003</id>
</mitre>
<options>no_full_log</options>
<field name="win.eventdata.EventID">^4662$</field>
<field name="win.eventdata.AccessMask">^0x100$</field>
<field name="win.eventdata.Properties">1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2|89e95b76-444d-4c62-991a-0facbeda640c</field>
<field name="win.eventdata.SubjectUserName" negate="yes">\$$|^MSOL_</field>
<group>sigma_rules,</group>
</rule>
<rule id="300004" level="15">
<if_sid>60001</if_sid>
<description>Chafer Activity</description>
<mitre>
<id>T1112</id>
</mitre>
<options>no_full_log</options>
<field name="win.eventdata.EventID">^4698$</field>
<field name="win.eventdata.TaskName">^SC Scheduled Scan$|^UpdatMachine$</field>
<group>sigma_rules,</group>
</rule>
</group>
<group name="windows,system,">
<rule id="300005" level="15">
<if_sid>60002</if_sid>
<description>Chafer Activity</description>
<mitre>
<id>T1112</id>
</mitre>
<options>no_full_log</options>
<field name="win.eventdata.EventID">^7045$</field>
<field name="win.eventdata.TaskName">^SC Scheduled Scan$|^UpdatMachine$</field>
<group>sigma_rules,</group>
</rule>
<rule id="300006" level="15">
<if_sid>60002</if_sid>
<description>Turla PNG Dropper Service</description>
<mitre>
<id>T1543</id>
</mitre>
<options>no_full_log</options>
<field name="win.eventdata.EventID">^7045$</field>
<field name="win.eventdata.ServiceName">^WerFaultSvc$</field>
<group>sigma_rules,</group>
</rule>
</group>
<group name="windows,application,">
<rule id="300007" level="15">
<if_sid>60003</if_sid>
<description>Audit CVE Event</description>
<mitre>
<id>T1203</id>
</mitre>
<options>no_full_log</options>
<field name="win.eventdata.ProviderName">^Microsoft-Windows-Audit-CVE$</field>
<group>sigma_rules,</group>
</rule>
</group>