
Rule updates / Added new trendmicro rules...

Champ Clark III
Champ Clark III committed Sep 12, 2018
1 parent 1b23aba commit 16a4a394a07423c5d1891a275f0907631c761d8e
Showing with 52 additions and 7 deletions.
  1. +10 −0 sagan-sid-msg.map
  2. +1 −1 su.rules
  3. +18 −1 trendmicro.rules
  4. +1 −1 windows-auth.rules
  5. +1 −1 windows-correlated.rules
  6. +21 −3 windows-security.rules
@@ -3620,3 +3620,13 @@
5003785 || [DYNAMIC] Cisco ISE detected via program || url,wiki.quadrantsec.com/bin/view/Main/5003785
5003786 || [WINDOWS-AUTH] LDAP authentication error - Account expired. || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003786
5003787 || [WINDOWS-AUTH] LDAP authentication error - Account locked. || url,wiki.quadrantsec.com/bin/view/Main/5003787
5003788 || [Trendmicro] Application Control Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003788
5003789 || [Trendmicro] Device Control Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003789
5003790 || [Trendmicro] Behavior Monitoring Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003790
5003791 || [Trendmicro] Network Virus Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003791
5003792 || [Trendmicro] Outbreak Defense Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003792
5003793 || [Trendmicro] Predictive Machine Learning Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003793
5003794 || [Trendmicro] Spyware Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003794
5003795 || [Trendmicro] Url Filtering Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003795
5003796 || [Trendmicro] Virus Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003796
5003797 || [Trendmicro] Web Reputation Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003797
@@ -33,7 +33,7 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful su as root";
drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su - Brute force [5/5]"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000028; sid: 5000028; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5001527; sid: 5001527; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Three failed attempts to run sudo"; content: "3 incorrect password attempts"; classtype: unsuccessful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000132; sid: 5000132; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; classtype: successful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000133; sid: 5000133; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; pcre: !"/su\s-\s[A-za-z0-9]+/"; classtype: successful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000133; sid: 5000133; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] su as 'root' suceeded"; content: "su root"; content: "succeeded for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000409; normalize; sid: 5000409; rev:4;)
# Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015
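Review bot: The character class in the negated pcre added to the rev:5 rule on L36, `[A-za-z0-9]`, is almost certainly a typo for `[A-Za-z0-9]`: in PCRE `A-z` is one range that also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the exclusion is looser than the author intended. Suggested line: `pcre: !"/su\s-\s[A-Za-z0-9]+/";`. Note also that the negation suppresses 5003133's alert for any sudo line whose COMMAND contains `su - <name>`, which presumably includes `sudo su - root`; if that path is meant to be caught by the su rule on L37 (5000409) instead, a one-line comment saying so would make the suppression read as intentional rather than as a gap. Anchoring the pattern to the `COMMAND=` field would also narrow what the negation can swallow, though the exact COMMAND format Sagan sees is not visible in this hunk.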
@@ -23,6 +23,23 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Trendmicro rules by Corey Fisher - 02/18/2016
# Trendmicro rules by Corey Fisher - 02/18/2016 (first rule)
# Other rules by Jennifer Shannon
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Trendmicro] Virus Found Unable to Quarantine"; content: "SLF_INCIDENT_EVT_VIRUS_FOUND_PASS_THRU"; content: "Unable to quarantine file"; program: TMCM; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002797; classtype: suspicious-traffic; sid:5002797; rev:3;)
alert any any any -> any any (msg: "[Trendmicro] Application Control Logs Detected"; content: "LogApplicationControl; classtype: suspicious-traffic; program: TRENDMICRO; reference: url,wiki.quadrantsec.com/bin/view/Main/5003788; sid:5003788; rev:1 ;)
alert any any any -> any any (msg: "[Trendmicro] Device Control Logs Detected"; content: "LogDeviceControl; classtype: suspicious-traffic; program: TRENDMICRO; reference: url,wiki.quadrantsec.com/bin/view/Main/5003789; sid:5003789; rev:1 ;)
alert any any any -> any any (msg: "[Trendmicro] Behavior Monitoring Logs Detected"; content: "LogBehaviorMonitoring; classtype: suspicious-traffic; program: TRENDMICRO; reference: url,wiki.quadrantsec.com/bin/view/Main/5003790; sid:5003790; rev:1 ;)
# Not enough data to complete these.
#alert any any any -> any any (msg: "[Trendmicro] Network Virus Logs Detected"; content: "xxxxxxxxx; classtype: suspicious-traffic; program: TRENDMICRO; reference: url,wiki.quadrantsec.com/bin/view/Main/5003791; sid:5003791; rev:1 ;)
#alert any any any -> any any (msg: "[Trendmicro] Outbreak Defense Logs Detected"; content: "xxxxxxxxx; classtype: suspicious-traffic; program: TRENDMICRO; reference: url,wiki.quadrantsec.com/bin/view/Main/5003792; sid:5003792; rev:1 ;)
#alert any any any -> any any (msg: "[Trendmicro] Predictive Machine Learning Logs Detected"; content: "xxxxxxxxx; classtype: suspicious-traffic; program: TRENDMICRO; reference: url,wiki.quadrantsec.com/bin/view/Main/5003793; sid:5003793; rev:1 ;)
alert any any any -> any any (msg: "[Trendmicro] Spyware Logs Detected"; content: "LogSpyware; classtype: suspicious-traffic; program: TRENDMICRO; reference: url,wiki.quadrantsec.com/bin/view/Main/5003794; sid:5003794; rev:1 ;)
alert any any any -> any any (msg: "[Trendmicro] Url Filtering Logs Detected"; content: "LogUrlFiltering; classtype: suspicious-traffic; program: TRENDMICRO; reference: url,wiki.quadrantsec.com/bin/view/Main/5003795; sid:5003795; rev:1 ;)
alert any any any -> any any (msg: "[Trendmicro] Virus Logs Detected"; content: "LogVirus; classtype: suspicious-traffic; program: TRENDMICRO; reference: url,wiki.quadrantsec.com/bin/view/Main/5003796; sid:5003796; rev:1 ;)
alert any any any -> any any (msg: "[Trendmicro] Web Reputation Logs Detected"; content: "LogWebReputation; classtype: suspicious-traffic; program: TRENDMICRO; reference: url,wiki.quadrantsec.com/bin/view/Main/5003797; sid:5003797; rev:1 ;)
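Review bot: Every new `content:` option in this hunk is missing its closing double quote — L47 reads `content: "LogApplicationControl; classtype: ...` and the same applies to L48, L49, L54–L57 and the three commented-out templates on L51–L53 — so the quoted match string runs on into the rest of the rule instead of ending after the keyword. Each should read `content: "LogApplicationControl";` (and likewise `"LogDeviceControl"`, `"LogBehaviorMonitoring"`, `"LogSpyware"`, `"LogUrlFiltering"`, `"LogVirus"`, `"LogWebReputation"`). How Sagan's option parser treats an unterminated quote is not visible here; either the rules fail to load or they match on the wrong string, and in both cases these detections are silently ineffective until corrected. Separately, sagan-sid-msg.map in this commit already carries entries for 5003791–5003793 although those rules are commented out as "Not enough data", which is harmless but worth a comment next to the disabled templates so the map and the rule file are reconciled deliberately. Finally, the `any any any -> any any` header differs from the `$EXTERNAL_NET any -> $HOME_NET any` form used by the existing rule on L46; matching the file's convention, or a comment on why these are unrestricted, would help the next maintainer.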
@@ -262,7 +262,7 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious ne
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious WMIC/Net/Powershell execution"; program: *Security*; content: " 4648|3a| "; content:!"Account Name|3a| -"; content:!"Target Server Name|3a| localhost"; pcre: "/Target Server Name: (.*)\$ /"; pcre: "/Process Name: (.*)(net\.exe|wmic\.exe|powershell\.exe)(.*)/i"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003387; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003387; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious Mount of a $ share"; program: *Security*; content: " 5140|3a| "; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; pcre: "/Share Name: (.*)\$/"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003389; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003389; rev:1;)
##alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious Mount of a $ share"; program: *Security*; content: " 5140|3a| "; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; pcre: "/Share Name: (.*)\$/"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003389; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003389; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] LDAP authentication error - Account expired."; program: *System*; content: " 40960|3a| "; content: "0xc0000193"; reference: url,wiki.quadrantsec.com/bin/view/Main/5003786; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:suspicious-login; sid:5003786; rev:1;)
@@ -53,6 +53,6 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Suspici
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-CORRELATED] wmiprvse.exe [XBIT SET]"; content: " 4688|3a| "; pcre: "/Process Name: (.*)wmiprvse\.exe(.*)/i"; xbits: set,wmiprvse,1; xbits:nounified2; xbits:noeve; classtype: suspicious-command; program: *Security*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003385; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003385; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Possible remote WMIC command execution"; program: *Security*; content: " 4624|3a| "; content: "Logon Type|3a| 3"; content:!"Source Network Address|3a| -"; xbits: isset,src_xbitdst,wmiprvse; parse_src_ip: 1; parse_port; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003386; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003386; classtype:suspicious-login; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Possible remote WMIC command execution"; program: *Security*; content: " 4624|3a| "; content: "Logon Type|3a| 3"; meta_content:!"Source Network Address|3a| %sagan%",-,127.0.0.1,::1; xbits: isset,src_xbitdst,wmiprvse; parse_src_ip: 1; parse_port; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003386; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003386; classtype:suspicious-login; rev:2;)
@@ -43,8 +43,26 @@ alert any any any -> any any (msg: "[WINDOWS-SECURITY] Possible denial-of-servic
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The audit log was cleared"; meta_content: " %sagan%|3a| ",1102,517; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003392; sid: 5003392; rev: 2;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Administrator recovered system from CrashOnAuditFail"; content: " 4621|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003393; sid: 5003393; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] SIDs were filtered"; content: " 4675|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003394; sid: 5003394; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Backup of data protection master key was attempted"; content: " 4692|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003395; sid: 5003395; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Recovery of data protection master key was attempted"; content: " 4693|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003396; sid: 5003396; rev: 1;)
# The following two rules have been particularly noisy as of late and doing some research shows that it is mostly automated processes between a workstation that
# locally stores a user's roaming profile for the domain it is joined to and the domain controller. These alerts will generate any time a password reset disk is made,
# and the backup of the master key is an automated process that provides no real live security screening other then troubleshooting the programs that use it to encrypt
# files. Microsoft also states as listed below the rules that it hold no real value. I recommend these two are disabled.
#
# Recovery of data protection master key was attempted.
#
# ** This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.
#
# Backup of data protection master key was attempted.
#
# ** This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.
#
# Jeff Ward 2018/09/12
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Backup of data protection master key was attempted"; content: " 4692|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003395; sid: 5003395; rev: 1;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Recovery of data protection master key was attempted"; content: " 4693|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003396; sid: 5003396; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A new trust was created to a domain"; meta_content: " %sagan%|3a| ",4706,610; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003397; sid: 5003397; rev: 2;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Kerberos policy was changed"; meta_content: " %sagan%|3a| ",4713,617; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003398; sid: 5003398; rev: 2;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Encrypted data recovery policy was changed"; meta_content: " %sagan%|3a| ",4714,618; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003399; sid: 5003399; rev: 2;)
@@ -123,7 +141,7 @@ alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server dis
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server discarded the accounting request for a user"; content: " 6275|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003458; sid: 5003458; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server quarantined a user"; content: " 6276|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003459; sid: 5003459; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy"; content: " 6277|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003460; sid: 5003460; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server granted full access to a user because the host met the defined health policy"; content: " 6278|3a| "; parse_src_ip: 1; classtype: system-event; program: *Security*; xbits: isset,by_src,brute_force; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003461; sid: 5003461; rev: 3;)
#alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server granted full access to a user because the host met the defined health policy"; content: " 6278|3a| "; parse_src_ip: 1; classtype: system-event; program: *Security*; xbits: isset,by_src,brute_force; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003461; sid: 5003461; rev: 3;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server locked the user account due to repeated failed authentication attempts"; content: " 6279|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003462; sid: 5003462; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server unlocked the user account"; content: " 6280|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003463; sid: 5003463; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] General account database changed"; content: " 640|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003464; sid: 5003464; rev: 1;)
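Review bot: The rule for 5003461 on L97 is commented out with no explanation, whereas the same commit documents the disabling of 4692/4693 in detail (L73–L86); a one-line comment above L97 such as `# 2018/09/12 - disabled: <reason> - <author>` would record why the NPS "granted full access" correlation was switched off and whether it is expected to return. The prose block in the first hunk also has two slips worth fixing in the comments: `other then troubleshooting` on L75 should be `other than troubleshooting`, and `it hold no real value` on L76 should be `it holds no real value`. That block says "I recommend these two are disabled" while the commit actually disables them, so rewording it to state that they were disabled on 2018/09/12 would keep the comment in step with the rules directly below it.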
