<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->
<!-- Example -->
<group name="security_event,windows,windows_security,sysmon, ">
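<!--
  DCSync detection (Security event 4662, "An operation was performed on an
  object", collected on the domain controller).
  4662 is logged for almost every directory-object access, so matching the
  event ID alone turned routine AD traffic into a level-15 alert. The rule now
  also requires the accessed control access right to be one of the replication
  rights a DCSync needs:
    DS-Replication-Get-Changes                 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
    DS-Replication-Get-Changes-All             1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
    DS-Replication-Get-Changes-In-Filtered-Set 89e95b76-444d-4c62-991a-0facbeda640c
  Domain controllers replicate under their machine account (name ending in "$"),
  so those subjects are excluded, as the in-line note in the original file
  intended. That exclusion also hides replication performed with a compromised
  machine account; tighten it to the known DC accounts if that matters here.
-->
<rule id="110001" level="15">
  <if_sid>60001,60017</if_sid>
  <field name="win.system.channel">^Security$</field>
  <field name="win.system.eventID">^4662$</field>
  <field name="win.eventdata.properties" type="pcre2">(?i)1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2|89e95b76-444d-4c62-991a-0facbeda640c</field>
  <field name="win.eventdata.subjectUserName" type="pcre2" negate="yes">\$$</field>
  <options>no_full_log</options>
  <description>Directory Service Access. Possible Secret Dump DCSync attack</description>
</rule>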
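<!--
  Kerberoasting detection (Security event 4769, Kerberos service ticket
  request, on the domain controller).
  4769 is written for every service ticket the DC issues, so matching the event
  ID alone alerted on all normal Kerberos traffic. Kerberoasting stands out by
  asking for an RC4 (0x17) ticket for a service backed by a user account, so
  the rule now also requires: RC4 encryption type, a successful request
  (status 0x0) and a service name that is neither a machine account ("$"
  suffix) nor krbtgt. AES-only Kerberoasting is not covered by the 0x17 filter.
  overwrite="yes" is kept from the original; it only has an effect when another
  file already defines rule 110002.
-->
<rule id="110002" level="12" overwrite="yes">
  <if_sid>60103</if_sid>
  <field name="win.system.eventID">^4769$</field>
  <field name="win.eventdata.ticketEncryptionType" type="pcre2">(?i)^0x17$</field>
  <field name="win.eventdata.status" type="pcre2">(?i)^0x0$</field>
  <field name="win.eventdata.serviceName" type="pcre2" negate="yes">(?i)\$$|^krbtgt$</field>
  <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  <options>no_full_log</options>
  <description>Possible Kerberoasting attack</description>
</rule>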
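<!--
  Golden Ticket heuristic (Security event 4624 on the domain controller).
  A logon backed by a forged TGT commonly shows an all-zero LogonGuid; combined
  with a network logon (type 3) this is the fingerprint used here. The logon
  type pattern is now anchored: the original unanchored "3" also matched logon
  type 13 (CachedUnlock). The braces in the GUID pattern are escaped so PCRE2
  cannot read them as a quantifier.
  NOTE(review): field-name casing is mixed (LogonGuid vs logonType) and is kept
  as found; confirm both resolve against a decoded event before relying on
  this rule.
-->
<rule id="110003" level="12">
  <if_sid>60103</if_sid>
  <field name="win.system.eventID">^4624$</field>
  <field name="win.eventdata.LogonGuid" type="pcre2">\{00000000-0000-0000-0000-000000000000\}</field>
  <field name="win.eventdata.logonType" type="pcre2">^3$</field>
  <options>no_full_log</options>
  <description>Possible Golden Ticket attack</description>
</rule>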
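<!--
  PsExec lateral movement (Sysmon pipe events 17 = pipe created, 18 = pipe
  connected, collected from the domain controller).
  The PsExec service side opens a named pipe whose name contains PSEXESVC. The
  event ID pattern is now anchored so that only 17 and 18 match, and the pipe
  name is matched case-insensitively. This is a name-based indicator: a PsExec
  service started under a different service name uses a different pipe name
  and will not match.
-->
<rule id="110004" level="12">
  <if_sid>61600</if_sid>
  <field name="win.system.eventID" type="pcre2">^(?:17|18)$</field>
  <field name="win.eventdata.PipeName" type="pcre2">(?i)\\PSEXESVC</field>
  <options>no_full_log</options>
  <description>PsExec service launched for possible lateral movement within the domain</description>
</rule>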
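<!--
  NTDS.dit extraction via ntdsutil (Sysmon event 1, process creation, on the
  domain controller).
  The original pattern "NTDSUTIL" was case-sensitive while the command line is
  normally recorded as typed (usually lower case), so the rule rarely matched;
  (?i) makes the match case-insensitive.
-->
<rule id="110006" level="12">
  <if_group>sysmon_event1</if_group>
  <field name="win.eventdata.commandLine" type="pcre2">(?i)ntdsutil</field>
  <description>Possible NTDS.dit file extraction using ntdsutil.exe</description>
</rule>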
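<!--
  Pass-the-Hash (PtH) heuristic (Security event 4624 on the endpoint where the
  stolen credentials are used).
  Fingerprint: logon type 9 (NewCredentials), logon process seclogo, Negotiate
  authentication package and an all-zero LogonGuid. The logon type is anchored
  for consistency with the other rules; LogonProcessName and
  AuthenticationPackageName are left unanchored because 4624 often pads the
  logon process name with trailing spaces.
  NOTE(review): legitimate "run as different user" network-only sessions
  produce the same combination, so expect some benign hits.
-->
<rule id="110007" level="12">
  <if_sid>60103</if_sid>
  <field name="win.system.eventID">^4624$</field>
  <field name="win.eventdata.LogonProcessName" type="pcre2">(?i)seclogo</field>
  <field name="win.eventdata.LogonType" type="pcre2">^9$</field>
  <field name="win.eventdata.AuthenticationPackageName" type="pcre2">(?i)Negotiate</field>
  <field name="win.eventdata.LogonGuid" type="pcre2">\{00000000-0000-0000-0000-000000000000\}</field>
  <options>no_full_log</options>
  <description>Possible Pass the hash attack</description>
</rule>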
<!--
  Credential dumping from LSASS (Sysmon process-access event: TargetImage and
  GrantedAccess fields).
  Matches a process opening lsass.exe with access mask 0x1010, the mask used by
  mimikatz's sekurlsa::logonpasswords.
  NOTE(review): the image pattern expects two literal backslashes before
  "system32" (written \\\\ in PCRE2), while other patterns in this file
  (PipeName, requester) expect a single one. Check a decoded event to see which
  escaping the channel delivers; one of the two conventions will never match.
  NOTE(review): 0x1010 is only one of the access masks seen for LSASS dumping
  and the pattern is unanchored; both are kept exactly as in the original.
-->
<rule level="12" id="110008">
  <if_sid>61612</if_sid>
  <description>Possible credential dumping using mimikatz</description>
  <field type="pcre2" name="win.eventdata.GrantedAccess">(?i)0x1010</field>
  <field type="pcre2" name="win.eventdata.TargetImage">(?i)\\\\system32\\\\lsass.exe</field>
</rule>
<!--
  Expensive/inefficient LDAP search (Directory Service log, AD DS provider,
  event 1644), used as a heuristic for bulk domain enumeration from tooling
  such as Certipy's "find" against the DC.
  NOTE(review): 1644 is a diagnostic event that is only written when the
  Field Engineering diagnostic level has been raised on the DC, and it then
  fires for any search that crosses the configured thresholds, including
  legitimate admin tools and monitoring. With no filter on the client address
  or the LDAP filter text, level 15 will be noisy; matching on those event
  fields would make the rule actionable.
-->
<rule level="15" id="110064">
  <if_sid>60020,60021</if_sid>
  <description>Possible malicious DC enumeration (Certipy find -dc-ip) - LDAP Event ID 1644 triggered.</description>
  <group>ldap,windows</group>
  <field name="win.system.eventID">^1644$</field>
  <field name="win.system.providerName">^Microsoft-Windows-ActiveDirectory_DomainService$</field>
  <field name="win.system.channel">^Directory Service$</field>
  <mitre>
    <id>T1087</id>
  </mitre>
</rule>
<!--
  Suspicious certificate request (Security event 4886, "Certificate Services
  received a certificate request", on the CA).
  Fires when the requester is not DOMAIN\Administrator but the request asks for
  a subject alternative name UPN of Administrator@... - a low-privileged
  principal trying to obtain a certificate usable as the Administrator account.
  Only the literal name "Administrator" is covered; other privileged accounts,
  or a renamed built-in administrator, are not.
-->
<rule level="15" id="110065">
  <if_sid>60001,60017</if_sid>
  <options>no_full_log</options>
  <description>Possible malicious certificate request in DC</description>
  <field name="win.system.channel">^Security$</field>
  <field name="win.system.eventID">^4886$</field>
  <field negate="yes" type="pcre2" name="win.eventdata.requester">.*\\Administrator$</field>
  <field type="pcre2" name="win.eventdata.attributes">SAN:upn=Administrator@[^ ]+</field>
</rule>
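<!--
  Suspicious certificate issuance (Security event 4887, "Certificate Services
  approved a certificate request and issued a certificate").
  Issuance-stage counterpart of rule 110065: the requester is not
  DOMAIN\Administrator, yet the issued certificate carries
  SAN:upn=Administrator@...
  Fixes over the original: the negated field was spelled "requestert", so the
  requester check never looked at the real field; and the description called
  this a Kerberoasting attack, which event 4887 is unrelated to.
-->
<rule id="110066" level="15">
  <if_sid>60001,60017</if_sid>
  <field name="win.system.channel">^Security$</field>
  <field name="win.system.eventID">^4887$</field>
  <field name="win.eventdata.requester" type="pcre2" negate="yes">.*\\Administrator$</field>
  <field name="win.eventdata.attributes" type="pcre2">SAN:upn=Administrator@[^ ]+</field>
  <description>Possible malicious certificate issuance in DC: event 4887, certificate with Administrator UPN in SAN issued to a non-Administrator requester</description>
  <options>no_full_log</options>
</rule>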
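<!--
  Suspicious certificate issuance (Security event 4887): a requester other than
  DOMAIN\Administrator obtains a certificate whose subject is CN=Administrator.
  Fix over the original: the subject field carried negate="yes", which made the
  rule fire for every issuance whose subject is NOT Administrator, i.e. for
  ordinary user certificates, contradicting its own description. The subject
  check is now positive and anchored to the RDN so that "CN=Administrators"
  does not match.
  NOTE(review): rule 110066 matches the same event with the same if_sid and
  level; Wazuh reports one rule per event, so an event satisfying both is
  attributed to whichever is evaluated first.
-->
<rule id="110071" level="15">
  <if_sid>60001,60017</if_sid>
  <field name="win.system.channel">^Security$</field>
  <field name="win.system.eventID">^4887$</field>
  <field name="win.eventdata.requester" negate="yes" type="pcre2">.*\\Administrator$</field>
  <field name="win.eventdata.subject" type="pcre2">(?i)CN=Administrator(?:,|$)</field>
  <description>Suspicious certificate issuance: non-Administrator requesting Administrator subject</description>
</rule>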
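<!--
  Certificate template loaded by Certificate Services (Security event 4898).
  Useful as an audit trail for template changes, which are a known route to
  privilege escalation through AD CS, but it is not a Kerberoasting indicator;
  the original description said it was and has been corrected.
  NOTE(review): 4898 is logged for every template load, including routine CA
  operation, so level 15 without a template-name filter will be noisy. The
  T1601 (Modify System Image) tag also looks misplaced for this event; left
  unchanged pending confirmation.
-->
<rule id="110067" level="15">
  <if_sid>60001,60017</if_sid>
  <field name="win.system.channel">^Security$</field>
  <field name="win.system.eventID">^4898$</field>
  <mitre>
    <id>T1601</id>
    <id>T1078</id>
  </mitre>
  <description>Certificate Services loaded a template (event 4898): review for unexpected template changes</description>
  <options>no_full_log</options>
</rule>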
<!--
  Directory service object modified (Security event 5136), typically written
  when an audited attribute of an AD object is changed.
  NOTE(review): there is no filter on object, attribute or subject, so at level
  15 every audited directory write (group membership changes, GPO edits,
  computer account updates...) becomes a critical alert, and the description
  "Possible Dumping Administrator" is not something the match conditions
  establish. Narrowing on the modified attribute or the object DN from the
  event would make the rule actionable.
-->
<rule level="15" id="110068">
  <if_sid>60001,60017</if_sid>
  <options>no_full_log</options>
  <description>A directory service object was modified. Possible Dumping Administrator</description>
  <field name="win.system.eventID">^5136$</field>
  <field name="win.system.channel">^Security$</field>
</rule>
<!--
  Interactive LDAP client / LDAP shell heuristic (AD DS provider events
  1138 and 1139).
  The text match "who-am-i" is applied to the whole decoded event rather than
  to a named field. NOTE(review): the author tags the rule "noise" in its own
  group list, so false positives are expected; unlike rule 110064 the channel
  is not pinned here, only the provider name.
-->
<rule level="15" id="110069">
  <if_sid>60020,60021</if_sid>
  <description>Possible using Ldap-shell to connect to the server </description>
  <group>windows,ldap,noise</group>
  <match>who-am-i</match>
  <field name="win.system.eventID">^1138$|^1139$</field>
  <field name="win.system.providerName">^Microsoft-Windows-ActiveDirectory_DomainService$</field>
  <mitre>
    <id>T1078</id>
    <id>T1550</id>
  </mitre>
</rule>
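<!--
  Kerberos service ticket request from a remote source (Security event 4769).
  Fixes over the original: the description promised a "non-machine account"
  condition that the rule did not implement, so it fired at level 15 for every
  4769 whose source address was anything but ::1, i.e. practically all of
  them. The requesting account (TargetUserName) must now not be a machine
  account ("$" suffix), and the loopback exclusion also covers 127.0.0.1 and
  its IPv4-mapped form, which is how local requests often appear in this
  field. The negative lookahead form is kept rather than negate="yes" so that
  an event without an IpAddress value behaves as before.
  NOTE(review): every remote user TGS request still matches, and rule 110002
  also matches 4769; this is better treated as an audit/context rule than a
  level-15 alert.
-->
<rule id="110070" level="15">
  <if_sid>60001,60017</if_sid>
  <field name="win.system.channel">^Security$</field>
  <field name="win.system.eventID">^4769$</field>
  <field name="win.eventdata.IpAddress" type="pcre2">^(?!(?:::1|127\.0\.0\.1|::ffff:127\.0\.0\.1)$).*</field>
  <field name="win.eventdata.targetUserName" type="pcre2" negate="yes">\$$</field>
  <description>Suspicious Kerberos service ticket request from remote source for non-machine account</description>
</rule>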
</group>