Rule tuning - new password "spraying" rules...

beave · Sep 13, 2018 · b460f86416a3dba8fc0f21e590015da76f35351f · b460f86
1 parent 16a4a39
commit b460f86416a3dba8fc0f21e590015da76f35351f
Unified Split

Showing with 25 additions and 5 deletions.

+3 −0 sagan-sid-msg.map

+18 −2 windows-auth.rules

+1 −1 windows-correlated.rules

+2 −1 windows-malware.rules

+1 −1 windows-security.rules
diff --git a/sagan-sid-msg.map b/sagan-sid-msg.map

 5003795 || [Trendmicro] Url Filtering Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003795
 5003796 || [Trendmicro] Virus Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003796
 5003797 || [Trendmicro] Web Reputation Logs Detected || url,wiki.quadrantsec.com/bin/view/Main/5003797
+5003798 || [WINDOWS-AUTH] Possible Password Spray Detected [50/1] || url,wiki.quadrantsec.com/bin/view/Main/5003798 || url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing
+5003799 || [WINDOWS-AUTH] Possible Password Spray Detected [50/1] || url,wiki.quadrantsec.com/bin/view/Main/5003799 || url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing
+5003800 || [WINDOWS-AUTH] Possible Password Spray Detected [100/1] || url,wiki.quadrantsec.com/bin/view/Main/5003800 || url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing
diff --git a/windows-auth.rules b/windows-auth.rules
@@ -258,14 +258,30 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] SAM Database
 
 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious network login"; program: *Security*; content: " 4624|3a| "; content: "Logon Type|3a| 3"; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; content:!"Workstation Name|3a| Source Network Address|3a|"; reference: url,indingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003376; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:suspicious-login; sid:5003376; rev:1;)
 
-alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious network login from non-RFC1918"; program: *Security*; content: " 4624|3a| "; content: "Logon Type|3a| 3"; parse_src_ip: 1; meta_content:!"Source Network Address|3a| %sagan%",10.,192.168.,-,|3a 3a|1,127.0.0.1,172.16.,172.17.,172.18.,172.19.,172.20.,172.21.,172.22.,172.23.,172.24.,172.25.,172.26.,172.27.,172.28.,172.29.,172.30.,172.31,169.254,fe80; meta_nocase; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003377; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003377; classtype:suspicious-login; rev:4;)
+alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious network login from non-RFC1918"; program: *Security*; content: " 4624|3a| "; content: "Logon Type|3a| 3"; parse_src_ip: 1; meta_content:!"Source Network Address|3a| %sagan%",10.,192.168.,-,|3a 3a|1,127.0.0.1,172.16.,172.17.,172.18.,172.19.,172.20.,172.21.,172.22.,172.23.,172.24.,172.25.,172.26.,172.27.,172.28.,172.29.,172.30.,172.31,169.254,fe80,|3a 3a|1; meta_nocase; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003377; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003377; classtype:suspicious-login; rev:5;)
 
 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious WMIC/Net/Powershell execution"; program: *Security*; content: " 4648|3a| "; content:!"Account Name|3a| -"; content:!"Target Server Name|3a| localhost"; pcre: "/Target Server Name: (.*)\$ /"; pcre: "/Process Name: (.*)(net\.exe|wmic\.exe|powershell\.exe)(.*)/i"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003387; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003387; rev:1;)
 
-##alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious Mount of a $ share"; program: *Security*; content: " 5140|3a| "; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; pcre: "/Share Name: (.*)\$/"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003389; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003389; rev:1;)
+#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious Mount of a $ share"; program: *Security*; content: " 5140|3a| "; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; pcre: "/Share Name: (.*)\$/"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003389; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003389; rev:1;)
 
 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] LDAP authentication error - Account expired."; program: *System*; content: " 40960|3a| "; content: "0xc0000193"; reference: url,wiki.quadrantsec.com/bin/view/Main/5003786; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:suspicious-login; sid:5003786; rev:1;)
 
 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] LDAP authentication error - Account locked."; program: *System*; content: " 40960|3a| "; content: "0xc0000234"; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5003787; classtype: unsuccessful-user; sid:5003787; rev:1;)
 
 
+# Password "spraying" rules by Steve Rawls 
+# 2018/05/10
+
+# Configure alerts for >50 4625 events within 1 minute. 
+# 0xC000006A user name is correct but the password is wrong 
+
+alert any any any -> any any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [50/1]"; content: "0xC000006A"; nocase; content: " 4625|3a| "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 50, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003798; sid:5003798; rev:1;) 
+
+# Configure alerts for >50 4771 events with failure code=0x18 within 1 minute. 
+
+alert any any any -> any any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [50/1]"; content: "0x18"; nocase; content: " 4771|3a| "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 50, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003799; sid:5003799; rev:1;) 
+
+# Configure alerts for >100 4648 events on workstations within 1 minute. 
+
+alert any any any -> any any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [100/1]"; content: " 4648|3a| "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 100, seconds 60; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5003800; sid:5003800; rev:1;) 
+
diff --git a/windows-correlated.rules b/windows-correlated.rules
@@ -53,6 +53,6 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Suspici
 
 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-CORRELATED] wmiprvse.exe [XBIT SET]"; content: " 4688|3a| "; pcre: "/Process Name: (.*)wmiprvse\.exe(.*)/i"; xbits: set,wmiprvse,1; xbits:nounified2; xbits:noeve; classtype: suspicious-command; program: *Security*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003385; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003385; rev:2;)
 
-alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Possible remote WMIC command execution"; program: *Security*; content: " 4624|3a| "; content: "Logon Type|3a| 3"; meta_content:!"Source Network Address|3a| %sagan%",-,127.0.0.1,::1; xbits: isset,src_xbitdst,wmiprvse; parse_src_ip: 1; parse_port; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003386; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003386; classtype:suspicious-login; rev:2;)
+alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Possible remote WMIC command execution"; program: *Security*; content: " 4624|3a| "; content: "Logon Type|3a| 3"; meta_content:!"Source Network Address|3a| %sagan%",-,127.0.0.1,|3a 3a|1; xbits: isset,src_xbitdst,wmiprvse; parse_src_ip: 1; parse_port; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003386; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003386; classtype:suspicious-login; rev:4;)
 
 
diff --git a/windows-malware.rules b/windows-malware.rules
@@ -169,8 +169,9 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Nemucod ran
 
 
 # Offline ransomware
+# Disabled - causes a lot of F/P and was last seen 2018
 
-alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Offline ransomware ransomware extension detected."; meta_content: " %sagan%|3a| ",4663,567,5145; meta_depth: 8; content: ".cbf "; nocase; program: *Security*; classtype: trojan-activity; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002840; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002840; rev:8;)
+# alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Offline ransomware ransomware extension detected."; meta_content: " %sagan%|3a| ",4663,567,5145; meta_depth: 8; content: ".cbf "; nocase; program: *Security*; classtype: trojan-activity; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002840; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002840; rev:8;)
 
 # OMG! Ransomware
 

diff --git a/windows-security.rules b/windows-security.rules
@@ -68,7 +68,7 @@ alert any any any -> any any (msg: "[WINDOWS-SECURITY] Kerberos policy was chang
 alert any any any -> any any (msg: "[WINDOWS-SECURITY] Encrypted data recovery policy was changed"; meta_content: " %sagan%|3a| ",4714,618; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003399; sid: 5003399; rev: 2;)
 alert any any any -> any any (msg: "[WINDOWS-SECURITY] The audit policy (SACL) on an object was changed"; content: " 4715|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003400; sid: 5003400; rev: 1;)
 alert any any any -> any any (msg: "[WINDOWS-SECURITY] Trusted domain information was modified"; meta_content: " %sagan%|3a| ",4716,620; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003401; sid: 5003401; rev: 2;)
-alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to reset an account's password"; meta_content: " %sagan%|3a| ",4724,628; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003402; sid: 5003402; rev: 2;)
+alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to reset an account's password"; meta_content: " %sagan%|3a| ",4724,628; meta_depth: 8; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003402; sid: 5003402; rev: 3;)
 alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled global group was created"; meta_content: " %sagan%|3a| ",4727,631; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003403; sid: 5003403; rev: 2;)
 
 # Champ Clark III - Removed Account Name of machines - 2018/10/20