From bad4429ad0367f9e00841faaf490cdba7c28ae9c Mon Sep 17 00:00:00 2001 
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Date: Thu, 18 Nov 2021 10:31:28 +0900
Subject: [PATCH] Rule tuning
---
 ...04_T1059_PowershellExecutionRemoteCommand.yml | 7 +++----
 rules-noisy/Security/4688.yml | 8 ++++----
 .../win_hidden_user_creation.yml | 0
 .../win_user_added_to_local_administrators.yml | 0
 .../win_user_creation.yml | 0
 .../59_T1197_BitsJobCreation.yaml | 6 +++---
 .../4103_T1059_PowershellExecutionPipeline.yml | 6 +++---
 .../1102_T1070.001_SecurityLogCleared.yml | 2 +-
 rules/alert-rules/hayabusa/Security/4673.yml | 3 ++-
 rules/alert-rules/hayabusa/Security/4674.yml | 5 +++--
 rules/alert-rules/hayabusa/Security/4720.yml | 13 -------------
 ...720_T1136.001_LocalComputerAccountCreated.yml | 15 +++++++++++++++
 .../4720_T1136.001_LocalUserAccountCreated.yml | 16 ++++++++++++++++
 rules/alert-rules/hayabusa/Security/4728.yml | 11 ++++++-----
 rules/alert-rules/hayabusa/Security/4732.yml | 11 ++++++-----
 rules/alert-rules/hayabusa/Security/4756.yml | 9 +++++----
 .../Security/4768_T1558.004_AS-REP-Roasting.yml | 4 ++--
 rules/alert-rules/hayabusa/Security/_4625.yml | 4 ++--
 rules/alert-rules/hayabusa/Security/_4648.yml | 2 +-
 rules/alert-rules/hayabusa/Security/_4672.yml | 6 +++---
 rules/alert-rules/hayabusa/Sysmon/1.yml | 10 +++++-----
 rules/alert-rules/hayabusa/Sysmon/7.yml | 10 +++++-----
 rules/alert-rules/hayabusa/System/7030.yml | 9 +++++----
 rules/alert-rules/hayabusa/System/7040.yml | 11 ++++++-----
 rules/alert-rules/hayabusa/System/7045.yml | 11 ++++++-----
 .../Logons/4624-Logon-Type-0-System.yml | 2 +-
 .../4624-Logon-Type-10-RemoteInteractive.yml | 4 ++--
 .../4624-Logon-Type-11-CachedInteractive.yml | 4 ++--
 ...624-Logon-Type-12-CachedRemoteInteractive.yml | 4 ++--
 .../Logons/4624-Logon-Type-13-CachedUnlock.yml | 4 ++--
 .../Logons/4624-Logon-Type-2-Interactive.yml | 4 ++--
 .../Logons/4624-Logon-Type-3-Network.yml | 4 ++--
 .../Logons/4624-Logon-Type-4-Batch.yml | 4 ++--
 .../Logons/4624-Logon-Type-5-Service.yml | 4 ++--
.../Logons/4624-Logon-Type-7-Unlock.yml | 4 ++--
 .../4624-Logon-Type-8-NetworkCleartext.yml | 2 +-
 .../Logons/4624-Logon-Type-9-NewInteractive.yml | 4 ++--
 .../timeline-rules/Logons/4625-Logon-Failure.yml | 2 +-
 rules/timeline-rules/Logons/4634-Logoff.yml | 4 ++--
 .../Logons/4647-Logoff-User-Initiated.yml | 4 ++--
 rules/timeline-rules/Logons/4672-Admin-Logon.yml | 4 ++--
 .../Logons/4768-Kerberos-TGT-Request.yml | 4 ++--
 .../4769-Kerberos-Service-Ticket-Request.yml | 4 ++--
 .../Logons/4776-NTLM-Logon-to-Local-Account.yml | 4 ++--
 44 files changed, 137 insertions(+), 112 deletions(-)
 rename {rules/alert-rules/sigma => rules-noisy/Sigma/already-have-hayabusa-rule}/win_hidden_user_creation.yml (100%)
 rename {rules/alert-rules/sigma => rules-noisy/Sigma/already-have-hayabusa-rule}/win_user_added_to_local_administrators.yml (100%)
 rename {rules/alert-rules/sigma => rules-noisy/Sigma/already-have-hayabusa-rule}/win_user_creation.yml (100%)
 delete mode 100644 rules/alert-rules/hayabusa/Security/4720.yml
 create mode 100644 rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalComputerAccountCreated.yml
 create mode 100644 rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalUserAccountCreated.yml
diff --git a/rules-noisy/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml b/rules-noisy/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml
index cc434c4e..7fae9b75 100644
--- a/rules-noisy/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml
+++ b/rules-noisy/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml
@@ -2,8 +2,7 @@ title: PowerShell Execution Remote Command
 title_jp: Powershellのリモートコマンドの実行
 description: Powershell command executed remotely.
 description_jp: Powershell command executed remotely.
-author: Eric Conrad
-contributor: Zach Mathis
+author: Eric Conrad, Zach Mathis
 mitre_attack: T1059
 level: medium
 detection:
@@ -15,7 +14,7 @@ detection:
 # condition: selection
 falsepositives:
 - normal system usage
-output: 'Command = %ScriptBlockText%'
-output: 'コマンド = %ScriptBlockText%'
+output: 'Command: %ScriptBlockText%'
+output: 'コマンド: %ScriptBlockText%'
 creation_date: 2020/11/08
 updated_date: 2021/11/06
diff --git a/rules-noisy/Security/4688.yml b/rules-noisy/Security/4688.yml
index fb5565e1..f22fd44e 100644
--- a/rules-noisy/Security/4688.yml
+++ b/rules-noisy/Security/4688.yml
@@ -1,6 +1,6 @@
 title: Command Line Logging
-description: hogehoge
-author: DeepblueCLI, Zach Mathis
+description: Command line logging.
+author: Eric Conrad, Zach Mathis
 detection:
 selection:
 Channel: Security
@@ -9,6 +9,6 @@ detection:
 # condition: selection
 falsepositives:
 - unknown
-output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
+output: 'CommandLine:%CommandLine% : ParentProcessName:%ParentProcessName%'
 creation_date: 2020/11/8
-updated_date: 2020/11/8
+updated_date: 2021/11/8
diff --git a/rules/alert-rules/sigma/win_hidden_user_creation.yml b/rules-noisy/Sigma/already-have-hayabusa-rule/win_hidden_user_creation.yml
similarity index 100%
rename from rules/alert-rules/sigma/win_hidden_user_creation.yml
rename to rules-noisy/Sigma/already-have-hayabusa-rule/win_hidden_user_creation.yml
diff --git a/rules/alert-rules/sigma/win_user_added_to_local_administrators.yml b/rules-noisy/Sigma/already-have-hayabusa-rule/win_user_added_to_local_administrators.yml
similarity index 100%
rename from rules/alert-rules/sigma/win_user_added_to_local_administrators.yml
rename to rules-noisy/Sigma/already-have-hayabusa-rule/win_user_added_to_local_administrators.yml
diff --git a/rules/alert-rules/sigma/win_user_creation.yml b/rules-noisy/Sigma/already-have-hayabusa-rule/win_user_creation.yml
similarity index 100%
rename from rules/alert-rules/sigma/win_user_creation.yml
rename to rules-noisy/Sigma/already-have-hayabusa-rule/win_user_creation.yml
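Review bot: Both added lines use the key `output`, so on last-wins YAML loaders the Japanese string silently replaces the English one and strict loaders reject the duplicate; the second added line should be `+output_jp: 'コマンド: %ScriptBlockText%'`, the key that 4103 and 59 use for the Japanese variant in this same patch. The removed pair had the same duplicate, so the commit perpetuates the defect rather than introducing it, but it is rewriting the line anyway.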
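Review bot: `+updated_date: 2021/11/8` looks like a slip for `2021/11/18`, the patch date and the value the other rules touched here receive; the same `2021/11/8` is written in 4756, Sysmon/1, Sysmon/7, 7040 and 7045. The files also mix zero-padded (`2020/11/08`) and unpadded (`2020/11/8`) dates, which is worth normalizing while these lines are being rewritten. `+description: Command line logging.` only restates the title; naming what the rule surfaces (the `CommandLine` and `ParentProcessName` fields of 4688) would make it useful to an analyst.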
diff --git a/rules/alert-rules/hayabusa/BitsClientOperational/59_T1197_BitsJobCreation.yaml b/rules/alert-rules/hayabusa/BitsClientOperational/59_T1197_BitsJobCreation.yaml
index 67ed9189..2ded00a4 100644
--- a/rules/alert-rules/hayabusa/BitsClientOperational/59_T1197_BitsJobCreation.yaml
+++ b/rules/alert-rules/hayabusa/BitsClientOperational/59_T1197_BitsJobCreation.yaml
@@ -12,7 +12,7 @@ detection:
 EventID: 59
 falsepositives:
 - normal system usage
-output: 'Job Title:%JobTitle% URL:%Url%'
-output_jp: 'Job名:%JobTitle% URL:%Url%'
+output: 'Job Title:%JobTitle% : URL:%Url%'
+output_jp: 'Job名:%JobTitle% : URL:%Url%'
 creation_date: 2021/07/15
-updated_date: 2021/11/06
+updated_date: 2021/11/18
diff --git a/rules/alert-rules/hayabusa/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml b/rules/alert-rules/hayabusa/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml
index fa73eba0..fc0d6590 100644
--- a/rules/alert-rules/hayabusa/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml
+++ b/rules/alert-rules/hayabusa/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml
@@ -16,7 +16,7 @@ detection:
 # condition: selection
 falsepositives:
 - normal system usage
-output: 'Command = %CommandLine%'
-output_jp: 'コマンド = %CommandLine%'
+output: 'Command:%CommandLine%'
+output_jp: 'コマンド:%CommandLine%'
 creation_date: 2020/11/08
-updated_date: 2021/11/06
+updated_date: 2021/11/18
diff --git a/rules/alert-rules/hayabusa/Security/1102_T1070.001_SecurityLogCleared.yml b/rules/alert-rules/hayabusa/Security/1102_T1070.001_SecurityLogCleared.yml
index c5a700e4..65f9f039 100644
--- a/rules/alert-rules/hayabusa/Security/1102_T1070.001_SecurityLogCleared.yml
+++ b/rules/alert-rules/hayabusa/Security/1102_T1070.001_SecurityLogCleared.yml
@@ -2,7 +2,7 @@ title: Security log was cleared
 title_jp: セキュリティログがクリアされた
 description: Somebody has cleared the Security event log.
 description_jp: 誰かがセキュリティログをクリアした。
-author: Eric Contrad
+author: Eric Conrad
 contributor: Zach Mathis, Akira Nishikawa, James Takai
 mitre_attack: T1070.001
 level: high
diff --git a/rules/alert-rules/hayabusa/Security/4673.yml b/rules/alert-rules/hayabusa/Security/4673.yml
index 7be27d9e..5f945934 100644
--- a/rules/alert-rules/hayabusa/Security/4673.yml
+++ b/rules/alert-rules/hayabusa/Security/4673.yml
@@ -1,6 +1,7 @@
 title: Sensitive Privilede Use (Mimikatz)
 description: hogehoge
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
+level: medium
 detection:
 selection:
 Channel: Security
diff --git a/rules/alert-rules/hayabusa/Security/4674.yml b/rules/alert-rules/hayabusa/Security/4674.yml
index 877d7ab4..58b68ffc 100644
--- a/rules/alert-rules/hayabusa/Security/4674.yml
+++ b/rules/alert-rules/hayabusa/Security/4674.yml
@@ -1,6 +1,7 @@
-title: An Operation was attempted on a privileged object
+title: An operation was attempted on a privileged object
 description: hogehoge
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
+level: informational
 detection:
 selection:
 Channel: Security
diff --git a/rules/alert-rules/hayabusa/Security/4720.yml b/rules/alert-rules/hayabusa/Security/4720.yml
deleted file mode 100644
index 8edd44c1..00000000
--- a/rules/alert-rules/hayabusa/Security/4720.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-title: A user account was created.
-description: hogehoge
-author: DeepblueCLI, Zach Mathis
-detection:
- selection:
- Channel: Security
- EventID: 4720
- # condition: selection
-falsepositives:
- - unknown
-output: 'New User Created UserName:%TargetUserName% SID:%TargetSid%'
-creation_date: 2020/11/8
-updated_date: 2020/11/8
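Review bot: `+level: medium` is added while `description: hogehoge` is left as a placeholder, so the rule now has a severity but still no statement of what it detects; the context line `title: Sensitive Privilede Use (Mimikatz)` also keeps its misspelling (`Privilege`). The same placeholder description survives in 4674, 4756 and _4648, and _4648 additionally keeps the title `An account failed to log on`, which is the 4625 wording rather than a description of event 4648.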
diff --git a/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalComputerAccountCreated.yml b/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalComputerAccountCreated.yml
new file mode 100644
index 00000000..6aa71f27
--- /dev/null
+++ b/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalComputerAccountCreated.yml
@@ -0,0 +1,15 @@
+title: Hidden computer account created! (Possible Backdoor)
+description: A local user account was created
+author: Eric Conrad, Zach Mathis
+level: high
+detection:
+ selection:
+ Channel: Security
+ EventID: 4720
+ TargetUserName|endswith: "$"
+
+falsepositives:
+ - unknown
+output: 'User: %TargetUserName% : SID:%TargetSid%'
+creation_date: 2020/11/8
+updated_date: 2021/11/18
diff --git a/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalUserAccountCreated.yml b/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalUserAccountCreated.yml
new file mode 100644
index 00000000..3c5aac23
--- /dev/null
+++ b/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalUserAccountCreated.yml
@@ -0,0 +1,16 @@
+title: User account created
+description: A local user account was created
+author: Eric Conrad, Zach Mathis
+level: low
+detection:
+ selection:
+ Channel: Security
+ EventID: 4720
+ filter:
+ TargetUserName|endswith: "$"
+ condition: selection and not filter
+falsepositives:
+ - unknown
+output: 'User: %TargetUserName% : SID:%TargetSid%'
+creation_date: 2020/11/8
+updated_date: 2021/11/18
diff --git a/rules/alert-rules/hayabusa/Security/4728.yml b/rules/alert-rules/hayabusa/Security/4728.yml
index 49cfc922..2be29502 100644
--- a/rules/alert-rules/hayabusa/Security/4728.yml
+++ b/rules/alert-rules/hayabusa/Security/4728.yml
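Review bot: `+description: A local user account was created` contradicts both the title and the selection: `TargetUserName|endswith: "$"` matches accounts whose name ends in `$`, the naming used for computer accounts, and that is the whole point of the rule; suggest `description: An account whose name ends in "$" (computer-account naming) was created, which can make a user account blend in with machine accounts.` Neither new file carries a `mitre_attack: T1136.001` key even though the filenames encode it and other rules in the tree (4104, 1102) set `mitre_attack:`. This file also has no `condition:` and a stray blank line inside `detection`, whereas its sibling spells out `condition: selection and not filter`; if the engine defaults to `selection` it works, but writing `condition: selection` keeps the pair symmetric. `creation_date: 2020/11/8` on a newly created file appears to be inherited from the deleted 4720.yml.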
@@ -1,6 +1,7 @@
-title: A member was added to a security-enabled global group.
-description: hogehoge
-author: DeepblueCLI, Zach Mathis
+title: User added to local Administrators group
+description: A user was added to a group.
+author: Eric Conrad, Zach Mathis
+level: high
 detection:
 selection:
 Channel: Security
@@ -9,6 +10,6 @@ detection:
 # condition: selection
 falsepositives:
 - unknown
-output: 'user added to global Administrators UserName: %MemberName% SID: %MemberSid%'
+output: 'User: %MemberName% : SID: %MemberSid%'
 creation_date: 2020/11/8
-updated_date: 2020/11/8
+updated_date: 2021/11/18
diff --git a/rules/alert-rules/hayabusa/Security/4732.yml b/rules/alert-rules/hayabusa/Security/4732.yml
index 5c96c1f7..009f986a 100644
--- a/rules/alert-rules/hayabusa/Security/4732.yml
+++ b/rules/alert-rules/hayabusa/Security/4732.yml
@@ -1,6 +1,7 @@
-title: A member was added to a security-enabled local group.
-description: hogehoge
-author: DeepblueCLI, Zach Mathis
+title: User added to local Administrators group
+description: User added to local Administrators group
+author: Eric Conrad, Zach Mathis
+level: high
 detection:
 selection:
 Channel: Security
@@ -9,6 +10,6 @@ detection:
 # condition: selection
 falsepositives:
 - unknown
-output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+output: 'UserName: %MemberName% : SID: %MemberSid%'
 creation_date: 2020/11/8
-updated_date: 2020/11/8
+updated_date: 2021/11/18
diff --git a/rules/alert-rules/hayabusa/Security/4756.yml b/rules/alert-rules/hayabusa/Security/4756.yml
index 76cd4f6a..e04c6376 100644
--- a/rules/alert-rules/hayabusa/Security/4756.yml
+++ b/rules/alert-rules/hayabusa/Security/4756.yml
@@ -1,6 +1,7 @@
-title: A member was added to a security-enabled universal group.
+title: User added to Administrators universal group.
 description: hogehoge
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
+level: high
 detection:
 selection:
 Channel: Security
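Review bot: `+title: User added to local Administrators group` is now identical to 4732's new title, but 4728 is the security-enabled global group event (the removed title and the removed output's `global Administrators` wording both said so), so the two rules can no longer be told apart in alert output. Suggest `title: User added to global Administrators group` plus a description that names the group the selection filters on (the selection itself is outside this hunk). The new outputs also label the same fields differently, `User:` here versus `UserName:` in 4732 and 4756; one label would make the rows sort and grep consistently.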
@@ -9,6 +10,6 @@ detection:
 # condition: selection
 falsepositives:
 - unknown
-output: 'user added to universal Administrators UserName: %MemberName% SID: %MemberSid%'
+output: 'UserName: %MemberName% : SID: %MemberSid%'
 creation_date: 2020/11/8
-updated_date: 2020/11/8
+updated_date: 2021/11/8
diff --git a/rules/alert-rules/hayabusa/Security/4768_T1558.004_AS-REP-Roasting.yml b/rules/alert-rules/hayabusa/Security/4768_T1558.004_AS-REP-Roasting.yml
index 18d538e1..da166715 100644
--- a/rules/alert-rules/hayabusa/Security/4768_T1558.004_AS-REP-Roasting.yml
+++ b/rules/alert-rules/hayabusa/Security/4768_T1558.004_AS-REP-Roasting.yml
@@ -1,5 +1,5 @@
-title: AS-REP Roasting
-title_jp: AS-REPロースティング
+title: Possible AS-REP Roasting
+title_jp: AS-REPロースティングの可能性
 description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
 description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
 author: Matsui
diff --git a/rules/alert-rules/hayabusa/Security/_4625.yml b/rules/alert-rules/hayabusa/Security/_4625.yml
index a18149a2..e0600ef1 100644
--- a/rules/alert-rules/hayabusa/Security/_4625.yml
+++ b/rules/alert-rules/hayabusa/Security/_4625.yml
@@ -1,7 +1,7 @@
 title: An account failed to log on
-description: hogehoge
+description: Logon Failure
 ignore: true
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 detection:
 selection:
 Channel: Security
diff --git a/rules/alert-rules/hayabusa/Security/_4648.yml b/rules/alert-rules/hayabusa/Security/_4648.yml
index 61ff8115..ad71e9b4 100644
--- a/rules/alert-rules/hayabusa/Security/_4648.yml
+++ b/rules/alert-rules/hayabusa/Security/_4648.yml
@@ -1,7 +1,7 @@
 title: An account failed to log on
 description: hogehoge
 ignore: true
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 detection:
 selection:
 Channel: Security
diff --git a/rules/alert-rules/hayabusa/Security/_4672.yml b/rules/alert-rules/hayabusa/Security/_4672.yml
index 8be52045..81a2c7cc 100644
--- a/rules/alert-rules/hayabusa/Security/_4672.yml
+++ b/rules/alert-rules/hayabusa/Security/_4672.yml
@@ -1,7 +1,7 @@
 title: Command Line Logging
-description: hogehoge
+description: Command Line Logging
 ignore: true
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 detection:
 selection:
 Channel: Security
@@ -10,6 +10,6 @@ detection:
 # condition: selection
 falsepositives:
 - unknown
-output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
+output: 'CommandLine:%CommandLine% : ParentProcessName:%ParentProcessName%'
 creation_date: 2020/11/8
 updated_date: 2020/11/8
diff --git a/rules/alert-rules/hayabusa/Sysmon/1.yml b/rules/alert-rules/hayabusa/Sysmon/1.yml
index 5aefb1a2..08c4ca47 100644
--- a/rules/alert-rules/hayabusa/Sysmon/1.yml
+++ b/rules/alert-rules/hayabusa/Sysmon/1.yml
@@ -1,6 +1,6 @@
-title: Sysmon Check command lines
-description: hogehoge
-author: DeepblueCLI, Zach Mathis
+title: Command line execution
+description: Command line execution
+author: Eric Conrad, Zach Mathis
 detection:
 selection:
 Channel: Sysmon
@@ -9,7 +9,7 @@ detection:
 # condition: selection
 falsepositives:
 - unknown
-output: 'CommandLine=%CommandLine%¥nParentImage=%ParentImage%'
+output: 'CommandLine: %CommandLine% : ParentImage:%ParentImage%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+uodated_date: 2021/11/8
diff --git a/rules/alert-rules/hayabusa/Sysmon/7.yml b/rules/alert-rules/hayabusa/Sysmon/7.yml
index 6f30fbfe..cc9e497f 100644
--- a/rules/alert-rules/hayabusa/Sysmon/7.yml
+++ b/rules/alert-rules/hayabusa/Sysmon/7.yml
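Review bot: `+description: Command Line Logging` just repeats the title; for a file named `_4672` (the event the timeline rule in this same patch calls "Admin Logon") a title and an output built from `%CommandLine%` and `%ParentProcessName%` look copied from 4688. The selection's `EventID` is outside this hunk, so it is worth verifying which event the rule actually matches and writing the description for that event; with `ignore: true` the impact is limited to documentation.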
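Review bot: `+uodated_date: 2021/11/8` rewrites the line but keeps the misspelled key `uodated_date`, so the update date sits under a key no other rule in this patch uses and anything reading `updated_date` sees nothing; the line should read `updated_date: 2021/11/18`. The same misspelled key is re-added in Sysmon/7, 7040 and 7045 and left untouched in 7030. `+description: Command line execution` also only repeats the new title.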
@@ -1,6 +1,6 @@
-title: Check for unsigned EXEs/DLLs
-description: hogehoge
-author: DeepblueCLI, Zach Mathis
+title: Unsigned EXEs/DLLs
+description: Detects usage of unsigned exe and dlls.
+author: Eric Conrad, Zach Mathis
 detection:
 selection:
 Channel: Sysmon
@@ -9,6 +9,6 @@ detection:
 # condition: selection
 falsepositives:
 - unknown
-output: 'Message: Unsigned Image(DLL)¥n Result : Loaded by: %event_data.Image%¥nCommand : %event_data.ImageLoaded%'
+output: 'Unsigned Image(DLL): %event_data.Image : Command: %event_data.ImageLoaded%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+uodated_date: 2021/11/8
diff --git a/rules/alert-rules/hayabusa/System/7030.yml b/rules/alert-rules/hayabusa/System/7030.yml
index 5c617130..5b1c1e7f 100644
--- a/rules/alert-rules/hayabusa/System/7030.yml
+++ b/rules/alert-rules/hayabusa/System/7030.yml
@@ -1,6 +1,7 @@
-title: This service may not function properly
-description: hogehoge
-author: DeepblueCLI, Zach Mathis
+title: Interactive service may not function properly
+description: Uses a blocklist of suspicious services to detect malware. 7030 happens when a service is marked as an interactive service but the system is not configured to allow interactive services so it might not function properly.
+author: Eric Conrad, Zach Mathis
+level: low
 detection:
 selection:
 Channel: System
@@ -10,6 +11,6 @@ detection:
 # condition: selection
 falsepositives:
 - unknown
-output: 'Interactive service warning¥nService name: %ServiceName%¥nMalware (and some third party software) trigger this warning'
+output: 'Service: %ServiceName%'
 creation_date: 2020/11/8
 uodated_date: 2020/11/8
diff --git a/rules/alert-rules/hayabusa/System/7040.yml b/rules/alert-rules/hayabusa/System/7040.yml
index 4d3bf996..3ac40691 100644
--- a/rules/alert-rules/hayabusa/System/7040.yml
+++ b/rules/alert-rules/hayabusa/System/7040.yml
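Review bot: In `+output: 'Unsigned Image(DLL): %event_data.Image : Command: %event_data.ImageLoaded%'` the first placeholder lacks its closing `%` (`%event_data.Image` versus `%event_data.ImageLoaded%`), so it will presumably print literally instead of expanding; it should be `%event_data.Image%`. 7045 has the same defect, `Image path: %ImagePath`, carried over from the removed `%ImagePath¥n`. `Command:` is also an odd label for `ImageLoaded`, which the removed line paired with `Loaded by:` for `Image`, i.e. a loaded module rather than a command line; `Loaded by: %event_data.Image% : Image loaded: %event_data.ImageLoaded%` would read correctly.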
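Review bot: `+description: Uses a blocklist of suspicious services to detect malware. ...` claims a blocklist, but the visible selection shows only `Channel: System` and the rest of it is outside this hunk, so the claim cannot be confirmed from the diff; if the rule matches every 7030, the description should say so and the blocklist sentence should go. The second sentence, explaining what 7030 means, is accurate and stands on its own.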
@@ -1,6 +1,7 @@
-title: The start type of the Windows Event Log service was changed from auto start to disabled
-description: hogehoge
-author: DeepblueCLI, Zach Mathis
+title: Windows Event Log service start type changed from auto start to disabled
+description: Possible anti-forensics disabling the log service.
+author: Eric Conrad, Zach Mathis
+level: high
 detection:
 selection:
 Channel: System
@@ -12,6 +13,6 @@ detection:
 condition: selection
 falsepositives:
 - unknown
-output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+output: 'Service: %param1%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+uodated_date: 2021/11/8
diff --git a/rules/alert-rules/hayabusa/System/7045.yml b/rules/alert-rules/hayabusa/System/7045.yml
index e5a33e5b..5c2e6e9f 100644
--- a/rules/alert-rules/hayabusa/System/7045.yml
+++ b/rules/alert-rules/hayabusa/System/7045.yml
@@ -1,6 +1,7 @@
-title: A service was installed in the system
-description: hogehoge
-author: DeepblueCLI, Zach Mathis
+title: Service installed
+description: A service was installed. Malware often will install itself as malware.
+author: Eric Conrad, Zach Mathis
+level: low
 detection:
 selection:
 Channel: System
@@ -13,6 +14,6 @@ detection:
 condition: selection
 falsepositives:
 - unknown
-output: 'New Service Created¥n%ImagePath¥nService name: %ServiceName%'
+output: 'Service: %ServiceName% : Image path: %ImagePath'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+uodated_date: 2021/11/8
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-0-System.yml b/rules/timeline-rules/Logons/4624-Logon-Type-0-System.yml
index 32ad52d2..7fdc6500 100644
--- a/rules/timeline-rules/Logons/4624-Logon-Type-0-System.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-0-System.yml
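Review bot: `+description: A service was installed. Malware often will install itself as malware.` is a slip in the second sentence; presumably `Malware often installs itself as a service.` With `level: low` and an output that prints only `%ServiceName%` and `%ImagePath`, the description is the one place that tells an analyst why an ordinary 7045 deserves a row, so the wording matters.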
@@ -1,7 +1,7 @@
 title: Logon Type 0 - System
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-10-RemoteInteractive.yml b/rules/timeline-rules/Logons/4624-Logon-Type-10-RemoteInteractive.yml
index 3c4916b4..c5e69909 100644
--- a/rules/timeline-rules/Logons/4624-Logon-Type-10-RemoteInteractive.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-10-RemoteInteractive.yml
@@ -1,7 +1,7 @@
 title: Logon Type 10 - RDP (Remote Interactive)
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-11-CachedInteractive.yml b/rules/timeline-rules/Logons/4624-Logon-Type-11-CachedInteractive.yml
index ce7c6043..8cfa15ec 100644
--- a/rules/timeline-rules/Logons/4624-Logon-Type-11-CachedInteractive.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-11-CachedInteractive.yml
@@ -1,7 +1,7 @@
 title: Logon Type 11 - CachedInteractive
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-12-CachedRemoteInteractive.yml b/rules/timeline-rules/Logons/4624-Logon-Type-12-CachedRemoteInteractive.yml
index 99bec874..2c751eb2 100644
--- a/rules/timeline-rules/Logons/4624-Logon-Type-12-CachedRemoteInteractive.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-12-CachedRemoteInteractive.yml
@@ -1,7 +1,7 @@
 title: Logon Type 12 - CachedRemoteInteractive
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-13-CachedUnlock.yml b/rules/timeline-rules/Logons/4624-Logon-Type-13-CachedUnlock.yml
index 30f6ad2e..8f61f3ce 100644
--- a/rules/timeline-rules/Logons/4624-Logon-Type-13-CachedUnlock.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-13-CachedUnlock.yml
@@ -1,7 +1,7 @@
 title: Logon Type 13 - CachedUnlock
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-2-Interactive.yml b/rules/timeline-rules/Logons/4624-Logon-Type-2-Interactive.yml
index 05b70687..f5c52e7b 100644
--- a/rules/timeline-rules/Logons/4624-Logon-Type-2-Interactive.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-2-Interactive.yml
@@ -1,7 +1,7 @@
 title: Logon Type 2 - Interactive
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-3-Network.yml b/rules/timeline-rules/Logons/4624-Logon-Type-3-Network.yml
index bd0d14e3..c8781e31 100644
--- a/rules/timeline-rules/Logons/4624-Logon-Type-3-Network.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-3-Network.yml
@@ -1,7 +1,7 @@
 title: Logon Type 3 - Network
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -17,6 +17,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-4-Batch.yml b/rules/timeline-rules/Logons/4624-Logon-Type-4-Batch.yml
index 31748b24..cab347aa 100644
--- a/rules/timeline-rules/Logons/4624-Logon-Type-4-Batch.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-4-Batch.yml
@@ -1,7 +1,7 @@
 title: Logon Type 4 - Batch
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-5-Service.yml b/rules/timeline-rules/Logons/4624-Logon-Type-5-Service.yml
index f300048e..a668fdc8 100644
--- a/rules/timeline-rules/Logons/4624-Logon-Type-5-Service.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-5-Service.yml
@@ -1,7 +1,7 @@
 title: Logon Type 5 - Service
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -17,6 +17,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-7-Unlock.yml b/rules/timeline-rules/Logons/4624-Logon-Type-7-Unlock.yml
index 28c7f23b..0892cba9 100644
--- a/rules/timeline-rules/Logons/4624-Logon-Type-7-Unlock.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-7-Unlock.yml
@@ -1,7 +1,7 @@
 title: Logon Type 7 - Unlock
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-8-NetworkCleartext.yml b/rules/timeline-rules/Logons/4624-Logon-Type-8-NetworkCleartext.yml
index 9f03bcf4..0e7f2533 100644
--- a/rules/timeline-rules/Logons/4624-Logon-Type-8-NetworkCleartext.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-8-NetworkCleartext.yml
@@ -10,6 +10,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4624-Logon-Type-9-NewInteractive.yml b/rules/timeline-rules/Logons/4624-Logon-Type-9-NewInteractive.yml
index 160e4cb0..970ed461 100644
--- a/rules/timeline-rules/Logons/4624-Logon-Type-9-NewInteractive.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-9-NewInteractive.yml
@@ -1,7 +1,7 @@
 title: Logon Type 9 - NewCredentials
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4625-Logon-Failure.yml b/rules/timeline-rules/Logons/4625-Logon-Failure.yml
index 281afb3c..3b693890 100644
--- a/rules/timeline-rules/Logons/4625-Logon-Failure.yml
+++ b/rules/timeline-rules/Logons/4625-Logon-Failure.yml
@@ -9,6 +9,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %TargetUserName% Type: %LogonType% Workstation: %Workstation% IP Address: %IpAddress% SubStatus: %SubStatus% AuthPackage: %AuthenticationPackageName%'
+output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %Workstation% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4634-Logoff.yml b/rules/timeline-rules/Logons/4634-Logoff.yml
index a6eacc07..2ab4be6d 100644
--- a/rules/timeline-rules/Logons/4634-Logoff.yml
+++ b/rules/timeline-rules/Logons/4634-Logoff.yml
@@ -1,7 +1,7 @@
 title: Logoff
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -14,6 +14,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'Username: %TargetUserName% LogonID: %TargetLogonId%'
+output: 'Username: %TargetUserName% : LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4647-Logoff-User-Initiated.yml b/rules/timeline-rules/Logons/4647-Logoff-User-Initiated.yml
index 630828eb..22185d51 100644
--- a/rules/timeline-rules/Logons/4647-Logoff-User-Initiated.yml
+++ b/rules/timeline-rules/Logons/4647-Logoff-User-Initiated.yml
@@ -1,7 +1,7 @@
 title: Logoff - User Initiated
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -9,6 +9,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'Username: %TargetUserName% LogonID: %TargetLogonId%'
+output: 'Username: %TargetUserName% : LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
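Review bot: The 4625 `+output:` line renders the source workstation with `%Workstation%`, while every 4624 rule touched by this patch uses `%WorkstationName%` for the same concept; the 4625 EventData field is named WorkstationName like 4624's, so unless the rule engine aliases placeholders this one is likely to be printed unresolved in the timeline. Worth checking against a real 4625 record and, if confirmed, changing the field to `Workstation: %WorkstationName%`. The rest of the line (`%SubStatus%`, `%AuthenticationPackageName%`) matches the event's field names.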
diff --git a/rules/timeline-rules/Logons/4672-Admin-Logon.yml b/rules/timeline-rules/Logons/4672-Admin-Logon.yml
index 1f56c794..d0d0e881 100644
--- a/rules/timeline-rules/Logons/4672-Admin-Logon.yml
+++ b/rules/timeline-rules/Logons/4672-Admin-Logon.yml
@@ -1,7 +1,7 @@
 title: Admin Logon
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -17,6 +17,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'User: %SubjectUserName% LogonID: %SubjectLogonId%'
+output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4768-Kerberos-TGT-Request.yml b/rules/timeline-rules/Logons/4768-Kerberos-TGT-Request.yml
index 99a4f265..c66d4468 100644
--- a/rules/timeline-rules/Logons/4768-Kerberos-TGT-Request.yml
+++ b/rules/timeline-rules/Logons/4768-Kerberos-TGT-Request.yml
@@ -1,7 +1,7 @@
 title: Kerberos TGT was requested
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -9,6 +9,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'tUsername: %TargetUserName% Service Name: %ServiceName% IP Address: %IpAddress% Status: %Status% PreAuthType: %PreAuthType%'
+output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4769-Kerberos-Service-Ticket-Request.yml b/rules/timeline-rules/Logons/4769-Kerberos-Service-Ticket-Request.yml
index 5df28446..66c732ac 100644
--- a/rules/timeline-rules/Logons/4769-Kerberos-Service-Ticket-Request.yml
+++ b/rules/timeline-rules/Logons/4769-Kerberos-Service-Ticket-Request.yml
@@ -1,7 +1,7 @@
 title: Kerberos Service Ticket Requested
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -9,6 +9,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'tUsername: %TargetUserName% Service Name: %ServiceName% IP Address: %IpAddress% Status: %Status%'
+output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
diff --git a/rules/timeline-rules/Logons/4776-NTLM-Logon-to-Local-Account.yml b/rules/timeline-rules/Logons/4776-NTLM-Logon-to-Local-Account.yml
index f941aaa8..e8d63479 100644
--- a/rules/timeline-rules/Logons/4776-NTLM-Logon-to-Local-Account.yml
+++ b/rules/timeline-rules/Logons/4776-NTLM-Logon-to-Local-Account.yml
@@ -1,7 +1,7 @@
 title: NTLM Logon to Local Account
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
 selection:
 Channel: Security
@@ -9,6 +9,6 @@ detection:
 falsepositives:
 - normal system usage
-output: 'Username: %TargetUserName% Workstation %WorkstationName% Status: %Status%'
+output: 'User: %TargetUserName% : Workstation %WorkstationName% : Status: %Status%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
\ No newline at end of file
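Review bot: `Workstation %WorkstationName%` on the 4776 `+output:` line is the only field in this patch whose label has no colon, so its rendered form reads `Workstation <value>` where every other rule reads `Label: value`; `Workstation: %WorkstationName%` would make it consistent. Separately, event 4776's own EventData names the source workstation `Workstation` (the `WorkstationName` spelling belongs to 4624), so the placeholder itself may not resolve — please verify against a sample 4776 record and, if so, use `Workstation: %Workstation%`.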