
RPC threshold.

Champ Clark III
Champ Clark III committed Sep 19, 2018
1 parent 4da37c1 commit 75787d96b4dc167831d63b73e829bf30d586af97
Showing with 1 addition and 1 deletion.
  1. +1 −1 windows-security.rules
@@ -88,7 +88,7 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A securit
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A security-disabled group was deleted"; meta_content: " %sagan%|3a| ",4764,667; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003409; sid: 5003409; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A group's type was changed"; meta_content: " %sagan%|3a| ",4764,668; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003410; sid: 5003410; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] The ACL was set on accounts which are members of administrators groups"; meta_content: " %sagan%|3a| ",4780,684; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003411; sid: 5003411; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] RPC detected an integrity violation while decrypting an incoming message"; content: " 4816|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003412; sid: 5003412; rev: 1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] RPC detected an integrity violation while decrypting an incoming message"; content: " 4816|3a| "; threshold: type limit, track by_src, count 1, seconds 300; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003412; sid: 5003412; rev: 2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A trusted forest information entry was added"; content: " 4865|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003413; sid: 5003413; rev: 1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A trusted forest information entry was removed"; content: " 4866|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003414; sid: 5003414; rev: 1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-SECURITY] A trusted forest information entry was modified"; content: " 4867|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003415; sid: 5003415; rev: 1;)
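Review bot: the new `threshold: type limit, track by_src, count 1, seconds 300` on sid 5003412 suppresses every repeat of Event ID 4816 from the same source for five minutes, so an analyst sees one alert whether the host logged a single integrity violation or hundreds; if the intent is to cut noise while still surfacing a burst of RPC decryption failures, `type both` (or a separate `type threshold` rule with a higher count) preserves that signal, and the choice should be recorded in the commit message, which currently says only "RPC threshold.". Note also that for a forwarded Windows Security event `by_src` keys on the host that reported the log, not on the remote RPC peer named in the event, so the rate limit is per reporting machine. The `rev` bump from 1 to 2 is correct for a detection-logic change.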
