From 9f91dc5632ab5bc14c10a2e4bc2bba13b1c4ba1c Mon Sep 17 00:00:00 2001
From: SOCFortress <95670863+socfortress@users.noreply.github.com>
Date: Mon, 8 Aug 2022 22:10:02 -0500
Subject: [PATCH] Create 300001-win_sigma_rules_builtin.xml

---
 .../300001-win_sigma_rules_builtin.xml        | 87 +++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 Windows Sigma Rules/300001-win_sigma_rules_builtin.xml

diff --git a/Windows Sigma Rules/300001-win_sigma_rules_builtin.xml b/Windows Sigma Rules/300001-win_sigma_rules_builtin.xml
new file mode 100644
index 0000000..ad3cf64
--- /dev/null
+++ b/Windows Sigma Rules/300001-win_sigma_rules_builtin.xml	
@@ -0,0 +1,87 @@
+<group name="windows,security,">
+<rule id="300001" level="15">
+<if_sid>60001</if_sid>
+<description>Powerview Add-DomainObjectAcl DCSync AD Extend Right</description>
+<mitre>
+<id>T1098</id>
+</mitre>
+<options>no_full_log</options>
+<field name="win.eventdata.AttributeLDAPDisplayName">^ntSecurityDescriptor$</field>
+<field name="win.eventdata.EventID">^5136$</field>
+<field name="win.eventdata.AttributeValue">1131f6ad-9c07-11d1-f79f-00c04fc2dcd2|1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|89e95b76-444d-4c62-991a-0facbeda640c</field>
+<group>sigma_rules,</group>
+</rule>
+<rule id="300002" level="15">
+<if_sid>60001</if_sid>
+<description>AD Object WriteDAC Access</description>
+<mitre>
+<id>T1222</id>
+</mitre>
+<options>no_full_log</options>
+<field name="win.eventdata.EventID">^4662$</field>
+<field name="win.eventdata.ObjectServer">^DS$</field>
+<field name="win.eventdata.AccessMask">^0x40000$</field>
+<field name="win.eventdata.ObjectType">19195a5b-6da0-11d0-afd3-00c04fd930c9|domainDNS</field>
+<group>sigma_rules,</group>
+</rule>
+<rule id="300003" level="15">
+<if_sid>60001</if_sid>
+<description>Active Directory Replication from Non Machine Account</description>
+<mitre>
+<id>T1003</id>
+</mitre>
+<options>no_full_log</options>
+<field name="win.eventdata.EventID">^4662$</field>
+<field name="win.eventdata.AccessMask">^0x100$</field>
+<field name="win.eventdata.Properties">1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2|89e95b76-444d-4c62-991a-0facbeda640c</field>
+<field name="win.eventdata.SubjectUserName" negate="yes">\$$|^MSOL_</field>
+<group>sigma_rules,</group>
+</rule>
+<rule id="300004" level="15">
+<if_sid>60001</if_sid>
+<description>Chafer Activity</description>
+<mitre>
+<id>T1112</id>
+</mitre>
+<options>no_full_log</options>
+<field name="win.eventdata.EventID">^4698$</field>
+<field name="win.eventdata.TaskName">^SC Scheduled Scan$|^UpdatMachine$</field>
+<group>sigma_rules,</group>
+</rule>
+</group>
+<group name="windows,system,">
+<rule id="300005" level="15">
+<if_sid>60002</if_sid>
+<description>Chafer Activity</description>
+<mitre>
+<id>T1112</id>
+</mitre>
+<options>no_full_log</options>
+<field name="win.eventdata.EventID">^7045$</field>
+<field name="win.eventdata.TaskName">^SC Scheduled Scan$|^UpdatMachine$</field>
+<group>sigma_rules,</group>
+</rule>
+<rule id="300006" level="15">
+<if_sid>60002</if_sid>
+<description>Turla PNG Dropper Service</description>
+<mitre>
+<id>T1543</id>
+</mitre>
+<options>no_full_log</options>
+<field name="win.eventdata.EventID">^7045$</field>
+<field name="win.eventdata.ServiceName">^WerFaultSvc$</field>
+<group>sigma_rules,</group>
+</rule>
+</group>
+<group name="windows,application,">
+<rule id="300007" level="15">
+<if_sid>60003</if_sid>
+<description>Audit CVE Event</description>
+<mitre>
+<id>T1203</id>
+</mitre>
+<options>no_full_log</options>
+<field name="win.eventdata.ProviderName">^Microsoft-Windows-Audit-CVE$</field>
+<group>sigma_rules,</group>
+</rule>
+</group>