# Sagan windows-auth.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Windows authentication rules.
# Eventlog to syslog service. This is what we primarily use.
# http://code.google.com/p/eventlog-to-syslog/
# Field mapping used throughout this file: the Azure Event Hub JSON is read with json_map,
# ".EventID" -> event_id and ".RenderedDescription" -> message.
# NOTE(review): "username" is mapped from ".Computer", so every "track by_username" counter and
# suppression in this file keys on the *reporting host*, not on the account being attacked -
# presumably because the target account is not exposed as a top-level JSON field; confirm against
# the Event Hub schema before relying on per-account brute-force thresholds.
# Event ID 529 is the legacy (pre-2008) logon-failure ID; the 4625/4776 equivalents are in the
# "Windows 2008 rules" section further down.
# [25/1]: "after" needs 25 events for the same key within 300 s before the rule fires, then
# "threshold: type suppress" limits it to one alert per key per 86400 s. The xbit "brute_force" is
# set on the parsed source IP for 21600 s (6 h) so other rules (not visible here) can correlate on
# it; parse_src_ip: 1 takes the first IP address found in the message as the alert's source.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Unknown username or bad password - Brute force [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 529; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; xbits: set,brute_force,track ip_src,expire 21600; parse_src_ip: 1; parse_port; sid:5008421; metadata: created_on 2022_11_22, old_sid 5001151; rev:29;)
# Disabled: un-thresholded variant of the rule above (same event_id 529, no after/threshold);
# enabling it alongside 5008421 alerts on every single failure.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Unknown username or bad password"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 529; classtype: unsuccessful-user; program: *Security*; sid:5008422; metadata: created_on 2022_11_22, old_sid 5001531; rev:7;)
# Event 530 (logon outside permitted hours): no threshold, one alert per event.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account login time restriction"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 530; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; sid:5008423; metadata: created_on 2022_11_22, old_sid 5001152; rev:7;)
# We only want disabled-user events that contain a username, hence the content:! on old sid 5001153 (now sid 5008424).
# |3a| is the hex escape for ':'. The negated content drops 531 events where "User Name:" is
# immediately followed by "Domain:", i.e. the user name is empty (see the note above).
# [0/1]: no "after" count; suppressed to one alert per key (username = .Computer) per 300 s.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account currently disabled [0/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 531; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; threshold: type suppress, track by_username, count 1, seconds 300; sid:5008424; metadata: created_on 2022_11_22, old_sid 5001153; rev:22;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Specified account expired"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 532; classtype: unsuccessful-user; program: *Security*; sid:5008425; metadata: created_on 2022_11_22, old_sid 5001154; rev:7;)
# NOTE(review): 533 and 534 carry no parse_src_ip, unlike 530/531, so the alert's source address
# is presumably the syslog sender rather than the address in the event - confirm, and consider
# adding parse_src_ip: 1 for consistency with the neighbouring rules.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - User not allowed to login at this computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 533; classtype: unsuccessful-user; program: *Security*; sid:5008426; metadata: created_on 2022_11_22, old_sid 5001155; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - User not granted login type"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 534; classtype: unsuccessful-user; program: *Security*; sid:5008427; metadata: created_on 2022_11_22, old_sid 5001156; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account password is expired"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 535; classtype: unsuccessful-user; program: *Security*; sid:5008428; metadata: created_on 2022_11_22, old_sid 5001157; rev:7;)
# Disabled: 536/537 internal errors, 10 per key in 300 s, then at most 2 alerts per key per 300 s.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Internal error"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 536,537; classtype: unsuccessful-user; program: *Security*; after: track by_username, count 10, seconds 300; threshold: type suppress, track by_username, count 2, seconds 300; parse_src_ip: 1; sid:5008429; metadata: created_on 2022_11_22, old_sid 5001158; rev:10;)
# Two negated contents: skip events with an empty user name, and skip events whose
# "Source Network Address" is "-" (no network source - presumably local/console logons; confirm),
# which would otherwise leave parse_src_ip nothing useful to extract.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account locked [0/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 539; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; content:!"Source Network Address|3a| -"; classtype: unsuccessful-user; threshold: type suppress, track by_username, count 1, seconds 300; parse_src_ip: 1; parse_port; program: *Security*; sid:5008430; metadata: created_on 2022_11_22, old_sid 5001159; rev:24;)
# See 681 & 4769 for subcodes
# Disabled generic Kerberos/DC failure brute-force rule (4768/4771 and their legacy IDs). The
# failure-code-specific variants are sids 5008460-5008462 below, and further per-code rules follow
# the "by code type" heading at the end of this section.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 675,676,681,4771,4768; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008431; metadata: created_on 2022_11_22, old_sid 5001160; rev:28;)
# NOTE(review): an account unlock (4767/671) is an administrative action, yet the classtype is
# unsuccessful-user, the same class as the failed-logon rules above. system-event, as used by the
# group-management rules below, looks like the intended class; confirm before changing, since
# classtype presumably drives the alert priority.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User account unlocked"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4767,671; classtype: unsuccessful-user; program: *Security*; sid:5008432; metadata: created_on 2022_11_22, old_sid 5001161; rev:7;)
#Enabled rules to catch all 4732, 4728, 4756 "member added to security-enabled group" events. These will catch ALL security-enabled groups, not just the builtin ones, and will produce duplicates with any enabled detection for builtin admin groups.
# Group-management rules. Each event_id list pairs the 2008+ ID with its legacy counterpart
# (e.g. 4728/632, 4732/636, 4756/660). Most are disabled; only the three "member was added"
# rules (5008438, 5008442, 5008449) are active, and the RID-specific rules near the end of this
# section narrow those to privileged groups.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4754,4731,4727,658,635,631; classtype: system-event; program: *Security*; sid:5008433; metadata: created_on 2022_11_22, old_sid 5001162; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4730,662,638,634; classtype: system-event; program: *Security*; sid:5008434; metadata: created_on 2022_11_22, old_sid 5001163; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4759,4749,631,4727,4744,4754,635,4731,658,648,653,663; classtype: system-event; program: *Security*; sid:5008435; metadata: created_on 2022_11_22, old_sid 5001164; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4763,4753,4748,634,4730,4758,4734,638,662,652,657,667; classtype: system-event; program: *Security*; sid:5008436; metadata: created_on 2022_11_22, old_sid 5001165; rev:7;)
# NOTE(review): 637,4733 and 659,4755 appear twice in this list, and 660 is paired once with 4766
# and once with 4756; harmless for matching, but worth tidying if the rule is re-enabled.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 632,4728,633,4729,636,4732,637,4733,639,4735,641,4737,637,4733,659,4755,660,4766,668,4764,649,4745,650,4746,651,4747,654,4750,655,4751,656,4752,659,4755,660,4756,661,4757,664,4760,665,4761,666,4762; classtype: system-event; program: *Security*; sid:5008437; metadata: created_on 2022_11_22, old_sid 5001475; rev:7;)
# Active: every addition to any security-enabled global group (4728/632), one alert per event.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] A member was added to a security-enabled global group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:4728,632; classtype: system-event; program: *Security*; sid:5008438; metadata: created_on 2022_11_22, old_sid 5001166; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group member removed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4729,633; classtype: system-event; program: *Security*; sid:5008439; metadata: created_on 2022_11_22, old_sid 5001167; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4730,634; classtype: system-event; program: *Security*; sid:5008440; metadata: created_on 2022_11_22, old_sid 5001168; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4731,635; classtype: system-event; program: *Security*; sid:5008441; metadata: created_on 2022_11_22, old_sid 5001169; rev:8;)
# Active: every addition to any security-enabled local group (4732/636), one alert per event.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] A member was added to a security-enabled local group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4732,636; classtype: system-event; program: *Security*; sid:5008442; metadata: created_on 2022_11_22, old_sid 5001170; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group member removed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4733,637; classtype: system-event; program: *Security*; sid:5008443; metadata: created_on 2022_11_22, old_sid 5001171; rev:8;)
# NOTE(review): 686 is not the legacy ID the other deletion rules pair with 4734 (638 in
# 5008434/5008436); looks like a transposition - confirm before re-enabling.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4734,686; classtype: system-event; program: *Security*; sid:5008444; metadata: created_on 2022_11_22, old_sid 5001172; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4735,639; classtype: system-event; program: *Security*; sid:5008445; metadata: created_on 2022_11_22, old_sid 5001173; rev:7;)
# NOTE(review): msg says "changed" but 4730,634 are the IDs the "global group deleted" rule
# (5008440) uses; one of the two looks mis-labelled.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4730,634; classtype: system-event; program: *Security*; sid:5008446; metadata: created_on 2022_11_22, old_sid 5001174; rev:7;)
# NOTE(review): 4754 is paired with 658 in 5008433/5008435 above but with 585 here - confirm.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4754,585; classtype: system-event; program: *Security*; sid:5008447; metadata: created_on 2022_11_22, old_sid 5001176; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4755,659; classtype: system-event; program: *Security*; sid:5008448; metadata: created_on 2022_11_22, old_sid 5001177; rev:7;)
# Active: every addition to any security-enabled universal group (4756/660), one alert per event.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] A member was added to a security-enabled universal group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4756,660; classtype: system-event; program: *Security*; sid:5008449; metadata: created_on 2022_11_22, old_sid 5001178; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group member removed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4757,661; classtype: system-event; program: *Security*; sid:5008450; metadata: created_on 2022_11_22, old_sid 5001179; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group member deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4758,662; classtype: system-event; program: *Security*; sid:5008451; metadata: created_on 2022_11_22, old_sid 5001180; rev:6;)
# RDP lockout notice from the TermService provider (not the Security log); no parse_src_ip, so the
# alert source is presumably the syslog sender.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] RDP maximum allowed failed logon attempts"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1012; classtype: system-event; program: TermService; sid:5008452; metadata: created_on 2022_11_22, old_sid 5001181; rev:6;)
# Disabled: legacy 680 (NTLM logon attempt), which the msg notes duplicates the 529 rules.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows login attempt (ignored). Duplicated"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 680; classtype: unsuccessful-user; program: *Security*; sid:5008453; metadata: created_on 2022_11_22, old_sid 5001186; rev:7;)
# RemoteAccess provider (RRAS/VPN) failures and successes; one alert per event, no thresholds.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote access login failure"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 20187,20014,20078,20050,20049,20189; classtype: unsuccessful-user; program: RemoteAccess; sid:5008454; metadata: created_on 2022_11_22, old_sid 5001187; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote access login success"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 20158; classtype: successful-user; program: RemoteAccess; sid:5008455; metadata: created_on 2022_11_22, old_sid 5001188; rev:5;)
# NOTE(review): 5008456 and 5008457 are identical apart from sid/old_sid; enabling both would
# double-alert on every 4742/4743 event. Keep one.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Computer account changed/deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4743,4742,647,646; classtype: system-event; program: *Security*; sid:5008456; metadata: created_on 2022_11_22, old_sid 5001189; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Computer account changed/deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4743,4742,647,646; classtype: system-event; program: *Security*; sid:5008457; metadata: created_on 2022_11_22, old_sid 5001190; rev:8;)
# Disabled: 4740/644 account lockout, suppressed to one alert per key (username = .Computer) per 300 s.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Account locked out [multiple login errors] [0/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4740,644; threshold: type suppress, track by_username, count 1, seconds 300; classtype: unsuccessful-user; program: *Security*; sid:5008458; metadata: created_on 2022_11_22, old_sid 5001192; rev:10;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] General account database changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 640; classtype: system-event; program: *Security*; sid:5008459; metadata: created_on 2022_11_22, old_sid 5001193; rev:7;)
# Kerberos failure codes (RFC 4120) on TGT/pre-auth events: 0x1F KRB_AP_ERR_BAD_INTEGRITY,
# 0x22 KRB_AP_ERR_REPEAT, 0x25 KRB_AP_ERR_SKEW. The 0x1F msg is truncated (the Windows text is
# "Integrity check on decrypted field failed"). Only the 0x25 rule carries parse_src_ip and a
# per-key daily suppression; 0x1F/0x22 alert on every event.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Integrity check on decrypted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: "Failure Code|3a| 0x1F"; classtype: exploit-attempt; program: *Security*; sid:5008460; metadata: created_on 2022_11_22, old_sid 5001195; rev:10;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Possible replay attack"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: "Failure Code|3a| 0x22"; classtype: exploit-attempt; program: *Security*; sid:5008461; metadata: created_on 2022_11_22, old_sid 5001196; rev:9;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Clock skew too great"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: "Failure Code|3a| 0x25"; threshold: type suppress, track by_username, count 1, seconds 86400; classtype: exploit-attempt; parse_src_ip: 1; program: *Security*; sid:5008462; metadata: created_on 2022_11_22, old_sid 5001197; rev:10;)
# Tied to SIDs.
#if_sid 18207,18208 - see msauth rules. Sagan can do the same, rules just need to be written.
# Same with "Kerberos failures that may indicate an attack"
#
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Administrator group changed"; pcre: "/ ID:\s+\p*S-1-5-32-544\p*/"; classtype: unsuccessful-user; program: *Security*; sid: XXXXXXX; rev:5;)
# 09/18/2012 Sniffty Dugen
# NOTE(review): disabled rule with two defects to fix before enabling: "event_idt:" is a typo for
# "event_id:", and it has none of the json_map lines every other rule in this file uses, so
# event_id would have nothing to match against the Event Hub JSON. (sid 5008463 is unused; the
# placeholder "sid: XXXXXXX" two lines up was presumably meant to take it.)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Attempted Password Reset"; event_idt: 4724,628; classtype: configuration-change; program: *Security*; sid:5008464; metadata: created_on 2022_11_22, old_sid 5001620; rev:8;)
# Generic "catch all" for event ID 6273
# NPS/RADIUS event 6273 (network policy server denied access), split by Reason Code. All disabled.
# Every content is anchored on a trailing space so that e.g. "Reason Code: 1 " cannot match
# "Reason Code: 16 ". 5008466 spells the colon literally where the others use |3a|; both match the
# same bytes.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Authentication failed - User credentials mismatch [0/5]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 6273; classtype: unsuccessful-user; program: *Security*; threshold: type suppress, track by_username, count 5, seconds 300; parse_src_ip: 1; sid:5008465; metadata: created_on 2022_11_22, old_sid 5001648; rev:9;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password - Brute Force [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 6273; content: "Reason Code: 16 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008466; metadata: created_on 2022_11_22, old_sid 5001657; rev:23;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password"; content: "Reason Code|3a| 16 "; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6273; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; sid:5008467; metadata: created_on 2022_11_22, old_sid 5001658; rev:7;)
# NOTE(review): "event_type:" should be "event_id:", and the json_map lines are missing - fix both
# before enabling (same issue as 5008464 above).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User account does not exist"; content: "Reason Code|3a| 8 "; event_type: 6273; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; sid:5008468; metadata: created_on 2022_11_22, old_sid 5001659; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Domain does not exist"; content: "Reason Code|3a| 7 "; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6273; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; sid:5008469; metadata: created_on 2022_11_22, old_sid 5001660; rev:7;)
# NOTE(review): msg typos to fix when re-enabling: "newtork" (5008470), "much change" (5008472),
# "occured" (5008476).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] No matching newtork policy"; content: "Reason Code|3a| 48 "; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6273; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; sid:5008470; metadata: created_on 2022_11_22, old_sid 5001661; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] RADIUS Access-Request message is disabled"; content: "Reason Code|3a| 34 "; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6273; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; sid:5008471; metadata: created_on 2022_11_22, old_sid 5001662; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User much change password"; content: "Reason Code|3a| 33 "; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6273; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; sid:5008472; metadata: created_on 2022_11_22, old_sid 5001663; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote RADIUS did not process auth request"; content: "Reason Code|3a| 112 "; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6273; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; sid:5008473; metadata: created_on 2022_11_22, old_sid 5001664; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Incomplete message. Signature not verified"; content: "Reason Code|3a| 262 "; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6273; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; sid:5008474; metadata: created_on 2022_11_22, old_sid 5001665; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] EAP type cannot be processed by server"; content: "Reason Code|3a| 22 "; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6273; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; sid:5008475; metadata: created_on 2022_11_22, old_sid 5001666; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Error occured with EAP"; content: "Reason Code|3a| 23 "; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 6273; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; sid:5008476; metadata: created_on 2022_11_22, old_sid 5001667; rev:7;)
# Group change rules were typically too noisy and didn't supply the information
# needed. These rules detect "what" group a user was "added" to. This should
# improve the signal-to-noise ratio greatly.
#
# These were created by Robert Nunley (rnunley@quadrantsec.com)
# Local group
# The pcre matches a domain/machine SID (S-1-5-21-<three sub-authorities>) ending in the given RID
# and a trailing space. It relies on RenderedDescription carrying SIDs, and it does not distinguish
# the event's Member SID from its Group SID - confirm against a sample 4732 event.
# RID 500 is the built-in Administrator *account*, so this disabled rule matches the member being
# Administrator, whatever the target group.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] Local Administrator account added to a local group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4732,636; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-500 /"; program: *Security*; classtype: successful-user; sid:5008477; metadata: created_on 2022_11_22, old_sid 5001692; rev:9;)
# NOTE(review): Network Configuration Operators is a BUILTIN group (S-1-5-32-556), not a
# domain-relative S-1-5-21-...-556 SID, so this pcre is unlikely to ever match it; verify with a
# real event before relying on this rule.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Network Config Operator group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4732,636; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-556 /"; program: *Security*; classtype: successful-user; sid:5008478; metadata: created_on 2022_11_22, old_sid 5001693; rev:9;)
# NOTE(review): DnsAdmins has no well-known RID; 1101 is what a freshly built domain commonly
# assigns, but it varies per domain. Verify the RID in each monitored domain, otherwise this rule
# silently never fires (or fires on an unrelated principal that happens to hold RID 1101).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to DNS Admins group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4732,636; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-1101 /"; program: *Security*; classtype: successful-admin; sid:5008479; metadata: created_on 2022_11_22, old_sid 5001694; rev:8;)
# Domain/global group
# RID 512 = Domain Admins (a global group, hence 4728/632). As with the other RID rules, the pcre
# does not distinguish the Group SID from the Member SID in the event text.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Domain Administrators group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4728,632; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-512 /"; program: *Security*; classtype: successful-admin; sid:5008480; metadata: created_on 2022_11_22, old_sid 5001695; rev:10;)
# Enterprise/universal group
# RID 519 = Enterprise Admins, RID 520 = Group Policy Creator Owners; both live in the forest-root
# domain. NOTE(review): Group Policy Creator Owners is a global group by default, so its membership
# changes log as 4728, not 4756 - confirm; if so 5008482 never fires as written.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Enterprise Administrators group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4756,660; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-519 /"; program: *Security*; classtype: successful-admin; sid:5008481; metadata: created_on 2022_11_22, old_sid 5001696; rev:9;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Group Policy Creator Owner group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4756,660; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-520 /"; program: *Security*; classtype: successful-admin; sid:5008482; metadata: created_on 2022_11_22, old_sid 5001697; rev:9;)
# Schema Admins
# RID 518 = Schema Admins (universal group in the forest-root domain). old_sid 5003104 is out of
# sequence with the neighbouring 50016xx old_sids - this one was added later (rev:4).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Schema Admins"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4756,660; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-518 /"; program: *Security*; classtype: successful-admin; sid:5008483; metadata: created_on 2022_11_22, old_sid 5003104; rev:4;)
# User created
# Disabled: 4720/624 user account created, one alert per event. Worth enabling where provisioning
# is centralised, since an unexpected account creation is a common persistence indicator.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4720,624; program: *Security*; classtype: successful-user; sid:5008484; metadata: created_on 2022_11_22, old_sid 5001791; rev:23;)
# Windows 2008 rules submitted by Robert Nunley (rnunley@quadrantsec.com)
# Sids 5001728, 5001729, 5001730, 5001731 only work if the event contains a valid IP address. Need to be able to pull the IP from DNS!
# Champ Clark III (2019/04/17)
# 4625 (logon failure) / 4776 (NTLM credential validation) split by NTSTATUS sub-status:
# C0000064 unknown user, C000006A bad password, C0000234 locked out, C0000072 disabled,
# C000006F outside logon hours, C0000193 account expired, C0000071 password expired.
# "nocase" applies to the content immediately before it.
# The pcre is a coarse "contains something IP-shaped" check, not a validator: every IPv4 octet is
# optional, so fragments such as "1.2.3." also pass. It is a sanity filter so parse_src_ip has
# something to find (see the note above about valid IPs).
# |24| is hex for '$'; the negated "$ Source ..." / "$ Account Domain:" contents skip entries
# where the name preceding the field ends in '$' - presumably machine accounts; confirm.
# As in the 529 rule, "username" is .Computer, so the 25-in-300s count and the daily suppression
# are per reporting host, not per account. NOTE(review): 4776 carries a source workstation name
# rather than an address, so for 4776 the IP pcre/parse_src_ip presumably only ever sees whatever
# IP-looking text else appears in the message - verify on a sample.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Potential Windows User Enumeration - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; content:!"$ Source"; content:!"$ Account Domain|3a| "; pcre: "/([1-2]?[0-9]{0,2}\.){3,3}[1-2]?[0-9]{0,2}|([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}/"; xbits: set,brute_force,track ip_src, expire 21600; classtype: brute-force; program: *Security*; parse_src_ip: 1; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; sid:5008485; metadata: created_on 2022_11_22, old_sid 5001728; rev:32;)
# Also skips events whose Source Network Address is "-" (no network source).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Correct but Incorrect Password [25/1]"; content:!"|24| Source Workstation|3a|"; content: "C000006A"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; content:!"|24| Account Domain|3a| "; content:!"Source Network Address|3a| -"; pcre: "/([1-2]?[0-9]{0,2}\.){3,3}[1-2]?[0-9]{0,2}|([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}/"; xbits: set,brute_force,track ip_src, expire 21600; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008486; metadata: created_on 2022_11_22, old_sid 5001729; rev:32;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Is Locked Out [25/1]"; content: "C0000234"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; pcre: "/([1-2]?[0-9]{0,2}\.){3,3}[1-2]?[0-9]{0,2}|([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}/"; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008487; metadata: created_on 2022_11_22, old_sid 5001730; rev:27;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Account Disabled [25/1]"; content: "C0000072"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; pcre: "/([1-2]?[0-9]{0,2}\.){3,3}[1-2]?[0-9]{0,2}|([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}/"; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008488; metadata: created_on 2022_11_22, old_sid 5001731; rev:30;)
# No IP pcre on this one (nor on the two disabled rules below), so it fires even when the event
# carries no source address.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Login Attempts Outside of Time Restriction [25/1]"; content: "C000006F"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008489; metadata: created_on 2022_11_22, old_sid 5001732; rev:27;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - Expired Account [25/1]"; content: "C0000193"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008490; metadata: created_on 2022_11_22, old_sid 5001733; rev:27;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - Expired Password [25/1]"; content: "C0000071"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008491; metadata: created_on 2022_11_22, old_sid 5001734; rev:27;)
# Windows authentication rules by code type. Submitted by Brian Echeverry
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008492; metadata: created_on 2022_11_22, old_sid 5001740; rev:25;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008493; metadata: created_on 2022_11_22, old_sid 5001741; rev:24;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008494; metadata: created_on 2022_11_22, old_sid 5001742; rev:24;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x4 Client "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008495; metadata: created_on 2022_11_22, old_sid 5001743; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x5 Client "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008496; metadata: created_on 2022_11_22, old_sid 5001744; rev:12;)
# Kerberos KDC failures (4768/4771, legacy 675/676/681) keyed by result code.
# Of this group only 0x6, 0xC, 0x18, 0x22, 0x24, 0x26 and 0x31 are enabled;
# the other codes are kept as disabled rules. All use the same windows as the
# NTSTATUS rules: after: 25 per "username" key in 300 s, suppress 86400 s,
# brute_force xbit on the parsed source IP for 21600 s. "username" is mapped
# from .Computer here as well -- NOTE(review): confirm that is the account and
# not the reporting host, otherwise the thresholds aggregate per host.
# NOTE(review): the disabled siblings are not uniform. sid:5008506 (0xF) lacks
# the xbits: set the rest carry; sid:5008513 (0x16) lacks json_map and
# event_id, so if re-enabled it would match any *Security* line containing
# " 0x16 "; sid:5008501 (0xA) and sid:5008513 use classtype unsuccessful-user
# where the rest use brute-force. Worth normalising before enabling any of them.
# This rule: 0x6 (client not found in Kerberos database), i.e. a logon attempt
# for a principal the KDC does not know. The content " 0x6 Client " expects the
# code to be followed by "Client" in the rendered description.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x6 - Client not found in Kerberos database [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x6 Client "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008497; metadata: created_on 2022_11_22, old_sid 5001745; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x7 - Server not found in Kerberos database [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x7 Client "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008498; metadata: created_on 2022_11_22, old_sid 5001746; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x8 - Multiple principal entries in database [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x8 Client "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008499; metadata: created_on 2022_11_22, old_sid 5001747; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x9 - The client or server has a null key [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x9 Client "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008500; metadata: created_on 2022_11_22, old_sid 5001748; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xA - Ticket not eligible for postdating [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0xA Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008501; metadata: created_on 2022_11_22, old_sid 5001749; rev:11;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xB - Requested start time is later than end time [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0xB Client "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008502; metadata: created_on 2022_11_22, old_sid 5001750; rev:10;)
# 0xC (KDC policy rejects request). Note the content is " 0xC " without the
# "Client" suffix that the 0x1-0xB rules use, so it matches the code wherever
# it appears in the rendered description. Thresholds, suppress and xbit are
# the same as the rest of the Kerberos group (25 in 300 s, 86400 s suppress,
# brute_force xbit for 21600 s on the parsed source IP).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xC - KDC policy rejects request [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0xC "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600;after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008503; metadata: created_on 2022_11_22, old_sid 5001751; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0xD "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008504; metadata: created_on 2022_11_22, old_sid 5001752; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xE - KDC has no support for encryption type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0xE "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008505; metadata: created_on 2022_11_22, old_sid 5001753; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xF - KDC has no support for checksum type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0xF "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008506; metadata: created_on 2022_11_22, old_sid 5001754; rev:9;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x10 - KDC has no support for padata type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x10 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008507; metadata: created_on 2022_11_22, old_sid 5001755; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x11 - KDC has no support for transited type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x11 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008508; metadata: created_on 2022_11_22, old_sid 5001756; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x12 - Clients credentials have been revoked [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x12 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008509; metadata: created_on 2022_11_22, old_sid 5001757; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x13 - Credentials for server have been revoked [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x13 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008510; metadata: created_on 2022_11_22, old_sid 5001758; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x14 - TGT has been revoked [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x14 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008511; metadata: created_on 2022_11_22, old_sid 5001759; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x15 - Client not yet valid - try again later [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x15 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600;after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008512; metadata: created_on 2022_11_22, old_sid 5001760; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x16 - Server not yet valid - try again later [25/1]"; content: " 0x16 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008513; metadata: created_on 2022_11_22, old_sid 5001761; rev:9;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x17 - Password has expired [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x17 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008514; metadata: created_on 2022_11_22, old_sid 5001762; rev:11;)
# 0x18 (pre-authentication failed, i.e. wrong password) -- the main
# password-guessing signal in this group. The negated content decodes to
# "$ Service Information:", so events whose name immediately before the
# "Service Information:" heading ends in "$" are skipped; NOTE(review):
# presumably meant to drop computer/service-account failures -- confirm it
# does not also drop the cases you care about. Windows are the standard 25
# per "username" key in 300 s, 86400 s suppress, brute_force xbit 21600 s.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x18 - Kerberos password authentication failure [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: !"|24| Service Information|3a|"; content: " 0x18 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008515; metadata: created_on 2022_11_22, old_sid 5001763; rev:27;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x19 - Additional pre-authentication required [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x19 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008516; metadata: created_on 2022_11_22, old_sid 5001764; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x1F "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008517; metadata: created_on 2022_11_22, old_sid 5001765; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x20 - Ticket expired [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x20 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008518; metadata: created_on 2022_11_22, old_sid 5001766; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x21 - Ticket not yet valid [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x21 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008519; metadata: created_on 2022_11_22, old_sid 5001767; rev:12;)
# 0x22 (request is a replay): the KDC saw a repeated authenticator. Same
# 25-in-300 s / 86400 s suppress windows and brute_force xbit as the rest of
# the Kerberos group; content " 0x22 " matches the code anywhere in the line.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x22 - Request is a replay [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x22 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008520; metadata: created_on 2022_11_22, old_sid 5001768; rev:13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x23 - The ticket isn't for us [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x23 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008521; metadata: created_on 2022_11_22, old_sid 5001769; rev:12;)
# 0x24 (ticket and authenticator don't match). Same windows and xbit as the
# rest of the Kerberos group. The missing space in "expire 21600;after:" is
# cosmetic; the options still parse as two separate keywords.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x24 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600;after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008522; metadata: created_on 2022_11_22, old_sid 5001770; rev:13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x25 - Clock skew too great [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x25 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008523; metadata: created_on 2022_11_22, old_sid 5001771; rev:12;)
# 0x26 (incorrect net address): the address in the ticket does not match the
# requester. Same 25-in-300 s / 86400 s suppress windows and brute_force xbit
# as the rest of the Kerberos group.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x26 - Incorrect net address [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x26 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008524; metadata: created_on 2022_11_22, old_sid 5001772; rev:13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x27 - Protocol version mismatch [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x27 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008525; metadata: created_on 2022_11_22, old_sid 5001773; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x28 - Invalid msg type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x28 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008526; metadata: created_on 2022_11_22, old_sid 5001774; rev:13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x29 - Message stream modified [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x29 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008527; metadata: created_on 2022_11_22, old_sid 5001775; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2A - Message out of order [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x2A "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008528; metadata: created_on 2022_11_22, old_sid 5001776; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2C - Specified version of key is not available [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x2C "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008529; metadata: created_on 2022_11_22, old_sid 5001777; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2D - Service key not available [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x2D "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008530; metadata: created_on 2022_11_22, old_sid 5001778; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2E - Mutual authentication failed [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x2E "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008531; metadata: created_on 2022_11_22, old_sid 5001779; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2F - Incorrect message direction [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x2F "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008532; metadata: created_on 2022_11_22, old_sid 5001780; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x30 - Alternative authentication method required [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x30 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008533; metadata: created_on 2022_11_22, old_sid 5001781; rev:12;)
# 0x31 (incorrect sequence number in message). Same windows and brute_force
# xbit as the rest of the Kerberos group; content " 0x31 " matches the code
# anywhere in the rendered description.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x31 - Incorrect sequence number in message [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x31 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008534; metadata: created_on 2022_11_22, old_sid 5001782; rev:13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x32 "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008535; metadata: created_on 2022_11_22, old_sid 5001783; rev:11;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3C - Generic error [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x3C "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008536; metadata: created_on 2022_11_22, old_sid 5001784; rev:12;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3D - Field is too long for this implementation [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x3D "; classtype: brute-force; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008537; metadata: created_on 2022_11_22, old_sid 5001785; rev:12;)
# Account "re-enabled" via xbit (12/03/2013)
# Account creation (4720, legacy 624). Alerts on every event and sets the
# create_enabled xbit on the source IP for 30 s; sid:5008539 consumes that
# xbit to pair a creation with an immediately following enable. No
# thresholding, so bulk provisioning will produce one alert per account.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4720,624; program: *Security*; classtype: successful-user; xbits: set,create_enabled,track ip_src, expire 30; sid:5008538; metadata: created_on 2022_11_22, old_sid 5001880; rev:12;)
# Account enabled (4722, legacy 626) seen while create_enabled is set for the
# same source IP, i.e. within 30 s of a creation from sid:5008538. Lines
# containing "$" are excluded by content:! "$" -- NOTE(review): presumably to
# skip computer accounts, but it drops any message with a "$" anywhere.
# NOTE(review): xbits_pause: 5 looks like a short wait before the xbit check to
# tolerate out-of-order delivery from the Event Hub -- confirm against the
# Sagan docs, since an enable that arrives more than 30 s after the creation
# event will not be paired either way.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account re-enabled"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4722,626; content:! "$" ;program: *Security*; xbits: isset,create_enabled,track ip_src; xbits_pause: 5; classtype: successful-user; sid:5008539; metadata: created_on 2022_11_22, old_sid 5001881; rev:11;)
# User enabled
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account enabled"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4722,626; content:!"$ Account Domain"; program: *Security*; xbits: isset,create_enabled,track ip_src; classtype: successful-user; sid:5008540; metadata: created_on 2022_11_22, old_sid 5001687; rev:13;)
# Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 02/21/2014
# Disabled by default. Possible xbit rule candidate (?)
# Lockout (4740, legacy 644) whose rendered description contains
# "administrator" (nocase) anywhere -- that includes the caller computer name
# or any other field, not only the locked-out account, so expect some
# unrelated hits. No thresholding: every matching event alerts.
# NOTE(review): the comment above says "Disabled by default" but this rule is
# active (no leading #); update one or the other.
# NOTE(review) on the disabled rules below: sid:5008543 pairs legacy 528 with
# 4524, and sid:5008542 uses 4724 alongside 4625. 528 is the pre-Vista id of
# 4624 (successful logon), which is also the event that carries "Logon Type",
# so both look like typos for 4624 -- verify before enabling either rule.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Account locked out (ADMINISTRATOR)"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4740,644; content: "administrator"; nocase; classtype: unsuccessful-user; program: *Security*; sid:5008541; metadata: created_on 2022_11_22, old_sid 5001978; rev:5;)
# You'll want to populate the "WINDOWS_DOMAINS" before enabling this rule.
# Champ Clark - 03/03/2014
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Pass-The-Hash detected!"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4724,4625; content: "Logon Type|3a| 3 "; content: "Authentication Package|3a| NTLM "; content:!"ANONYMOUS LOGON"; meta_content:!"Domain|3a| %sagan% ",$WINDOWS_DOMAINS; meta_nocase; program: *Security*; parse_src_ip: 1; classtype: successful-user; reference: url,en.wikipedia.org/wiki/Pass_the_hash; sid:5008542; metadata: created_on 2022_11_22, old_sid 5002017; rev:7;)
# Records _all_ RDP sessions
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] RDP / Logon type 10"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4524,528; content: "Logon Type|3a| 10 "; program: *Security*; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; sid:5008543; metadata: created_on 2022_11_22, old_sid 5002015; rev:7;)
# 4648 (legacy 552): logon attempted with explicit credentials (runas / alternate creds).
# The negated contents skip entries with no network address or port and localhost targets.
# Disabled by default.
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Logon attempt using explicit credentials"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4648,552; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: *Security*; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; sid:5008544; metadata: created_on 2022_11_22, old_sid 5002018; rev:7;)
# Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/08/2014
# 4725 (legacy 629): user account disabled. Disabled by default.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account disabled"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4725,629; program: *Security*; classtype: successful-user; sid:5008545; metadata: created_on 2022_11_22, old_sid 5002213; rev:7;)
# Enabled by Brian Echeverry - 04/08/2016
# 4726 (legacy 630): user account deleted. No content filter, so machine account
# deletions are reported as well.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account deleted"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4726,630; program: *Security*; classtype: successful-user; sid:5008546; metadata: created_on 2022_11_22, old_sid 5002335; rev:6;)
# Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015
# 4727 (legacy 631): security-enabled global group created. Disabled by default.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group created"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4727,631; classtype: system-event; program: *Security*; sid:5008547; metadata: created_on 2022_11_22, old_sid 5002403; rev:5;)
# Added by Adam Hall (Jan, 11th 2016). You'll need to make sure your audit policy/GPO have logging for this enabled!
# 4739 (legacy 643): domain policy changed. Note the [WINDOWS-MISC] msg tag differs from
# the [WINDOWS-AUTH] tag used by the rest of this file. Disabled by default.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Domain policy was changed"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4739,643; classtype: system-event; program: *Security*; sid:5008548; metadata: created_on 2022_11_22, old_sid 5002775; rev:5;)
# Steve Rawls (2016/12/22) - detect "administrator" logins. Disabled by default
# 4624 (legacy 548) carries more than one "Account Name" field (the subject and the new
# logon); this content matches either of them — confirm that is intended before enabling.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Successful Administrator Logon Detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4624,548; classtype: successful-user; program: *Security*; content: "Account Name|3a| Administrator"; nocase; parse_src_ip: 1; parse_port; sid:5008549; metadata: created_on 2022_11_22, old_sid 5003039; rev:6;)
# Steve Rawls (2017/03/27) - Split off from sid 5001763 which detects from _user_ brute force_. 5003101 & 5003102 detect "Broken Domain Trust".
# Kerberos pre-authentication failure (4771) with failure code 0x18 (bad password) for a
# machine account (|24| is "$", the trailing character of machine account names). 25 hits
# in 300s per "username" — which json_map binds to .Computer, i.e. the reporting host —
# alert once per 24h and set the brute_force xbit on the source IP for 6h.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Windows Broken Domain Trust [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771; content: "|24| Service Information|3a|"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008550; metadata: created_on 2022_11_22, old_sid 5003101; rev:4;)
# Same logic for 4768 (TGT request), anchoring the "$" before "Supplied Realm Name".
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Windows Broken Domain Trust [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768; content: "|24| Supplied Realm Name|3a|"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008551; metadata: created_on 2022_11_22, old_sid 5003102; rev:5;)
# Steve Rawls (2017/03/29) - Another Broken domain trust with event ID 4776.
# NTLM credential validation (4776) with status C000006A (bad password) for a machine
# account; the negated contents drop entries with an empty Account Domain, no source
# address, or an empty account name.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Windows Broken Domain Trust [25/1]"; content: "|24| Source Workstation|3a|"; content: "C000006A"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4776; content:!"|24| Account Domain|3a| "; content:!"Source Network Address|3a| -"; xbits: set,brute_force,track ip_src, expire 21600; content:!"Account Name|3a| Account Domain|3a| Failure"; classtype: unsuccessful-user; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; sid:5008552; metadata: created_on 2022_11_22, old_sid 5003103; rev:5;)
# Steve Rawls (2017/04/13) - Broken domain trust (generic).
# Generic variant keyed on authentication-failure phrases with no program: restriction
# and no event_id; Kerberos and ACL denials are excluded. NOTE(review): the msg uses the
# [SYSLOG] tag while every other rule in this file uses [WINDOWS-AUTH].
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Possible Windows Broken Domain Trust [25/1]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|authentication failures|access denied|access not allowed|failed to authenticate/i"; content: "|24| Session ID|3a|"; content:!"access denied by ACL"; content:!"Kerberos"; parse_src_ip: 1; parse_port; parse_proto; classtype: unsuccessful-user; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; sid:5008553; metadata: created_on 2022_11_22, old_sid 5003107; rev:4;)
# Steve Rawls (2017/08/31)
# Sample log line this rule was written against:
# 172.16.1.1|daemon|err|err|1b|2017-08-29|14:42:22|Directory-Services-SAM| 12294: The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
# 12294 from Directory-Services-SAM: the SAM could not lock the account. The built-in
# Administrator account is not locked out by default, so repeated bad passwords against
# it can surface as this event rather than as 4740 — treat it as a possible brute-force
# indicator, not only a resource error (see the referenced TechNet article).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] SAM Database Unable to Lock Account"; program: "Directory-Services-SAM"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 12294; classtype: unsuccessful-user; reference: url,technet.microsoft.com/en-us/library/cc733228(v=ws.10).aspx; sid:5008554; metadata: created_on 2022_11_22, old_sid 5003203; rev:2;)
# 2017-02-22 - Rule created by Champ Clark III based off Jack Crook's work. See:
# From Jack Crook via https://www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan/
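# Network logon (4624, Logon Type 3) whose account name does not end in "$" (the negative
# lookahead excludes machine accounts) and which carries a non-empty Workstation Name.
# The first reference URL was misspelled ("indingbad"); it now matches the "findingbad"
# host used by the neighbouring rules. rev bumped for the reference fix.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious network login"; program: *Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4624; content: "Logon Type|3a| 3"; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; content:!"Workstation Name|3a| Source Network Address|3a|"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:suspicious-login; sid:5008555; metadata: created_on 2022_11_22, old_sid 5003376; rev:3;)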
# Type-3 logon whose Source Network Address is not a private, loopback or link-local
# prefix and not "-". The list is a plain prefix match, so the entries without a
# trailing dot ("172.31", "169.254") match anything starting with those digits, and
# "|3a 3a|1" (::1) is listed twice.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious network login from non-RFC1918"; program: *Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4624; content: "Logon Type|3a| 3"; parse_src_ip: 1; meta_content:!"Source Network Address|3a| %sagan%",10.,192.168.,-,|3a 3a|1,127.0.0.1,172.16.,172.17.,172.18.,172.19.,172.20.,172.21.,172.22.,172.23.,172.24.,172.25.,172.26.,172.27.,172.28.,172.29.,172.30.,172.31,169.254,fe80,|3a 3a|1; meta_nocase; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5008556; metadata: created_on 2022_11_22, old_sid 5003377; classtype:suspicious-login; rev:6;)
# 4648 (explicit credentials) where the process is net.exe, net1.exe or wmic.exe.
# NOTE(review): the msg mentions Powershell but the pcre has no powershell pattern, and
# "net1.exe" lacks the "\." escape the other names use, so its dot matches any character.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious WMIC/Net/Powershell execution"; program: *Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4648; content:!"Account Name|3a| -"; content:!"Target Server Name|3a| localhost"; pcre: "/Target Server Name: (.*)\$ /"; pcre: "/Process Name: (.*)(net\.exe|net1.exe|wmic\.exe)(.*)/i"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5008557; metadata: created_on 2022_11_22, old_sid 5003387; rev:3;)
# 5140 share access by a non-machine account where the share name ends in "$"
# (administrative / hidden share). Disabled by default.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious Mount of a $ share"; program: *Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5140; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; pcre: "/Share Name: (.*)\$/"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5008558; metadata: created_on 2022_11_22, old_sid 5003389; rev:2;)
# 2018/09/26 - This fires when any session "expires". It might "expire" for valid reasons.
# NOTE(review): this disabled rule differs from every other rule in the file — "event_id 40960"
# has no colon and there are no json_map lines — so it needs both before it can be re-enabled.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] LDAP authentication error - Account expired."; program: *System*; event_id 40960; content: "0xc0000193"; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:suspicious-login; sid:5008559; metadata: created_on 2022_11_22, old_sid 5003786; rev:2;)
# 2018/09/26 - This fires when an account has already been locked out. That is, this isn't
# the initial locked out message, this is returned to an application that the account is locked.
# Suppressed to one alert per reporting host (.Computer) every 5 minutes. Disabled by default.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] LDAP authentication error - Account locked."; program: *System*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 40960; content: "0xc0000234"; threshold: type suppress, track by_username, count 1, seconds 300; classtype: unsuccessful-user; sid:5008560; metadata: created_on 2022_11_22, old_sid 5003787; rev:2;)
# Password "spraying" rules by Steve Rawls
# 2018/05/10
# In all three spray rules "username" is json_map'd to .Computer, so the after: counter
# is per reporting host rather than per account — the right shape for spray detection
# (many accounts, few attempts each). All three are disabled by default.
# Configure alerts for >50 4625 events within 1 minute.
# 0xC000006A user name is correct but the password is wrong
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [50/1]"; content: "0xC000006A"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 50, seconds 60; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; sid:5008561; metadata: created_on 2022_11_22, old_sid 5003798; rev:5;)
# Configure alerts for >50 4771 events with failure code=0x18 within 1 minute.
# "0x18" is matched anywhere in the message, not only in the Failure Code field.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [50/1]"; content: "0x18"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 50, seconds 60; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; sid:5008562; metadata: created_on 2022_11_22, old_sid 5003799; rev:5;)
# Configure alerts for >100 4648 events on workstations within 1 minute.
# No content filter here: every 4648 counts, so tune the count for hosts that legitimately
# use explicit credentials (scheduled tasks, service accounts).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Password Spray Detected [100/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4648; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,track ip_src, expire 21600; after: track by_username, count 100, seconds 60; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; reference: url,www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing; sid:5008563; metadata: created_on 2022_11_22, old_sid 5003800; rev:5;)
# Steve Rawls 2018/09/19
# 4732 (legacy 636): member added to a security-enabled local group, restricted to the
# well-known SID S-1-5-32-544 (BUILTIN\Administrators).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Local Administrators group"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 636,4732; content: "Group|3a| Security ID|3a| S-1-5-32-544 "; program: *Security*; classtype: successful-admin; sid:5008564; metadata: created_on 2022_11_22, old_sid 5003927; rev:2;)
# Champ Clark 2019/06/12
# Failed logon (4625) / credential validation (4776) against a list of commonly guessed
# account names; "Error Code: 0x0" (success) is excluded. Disabled by default.
# NOTE(review): the meta_content key is "Account:" while the other rules in this file
# match "Account Name:" — "Account:" appears to occur only in 4776's "Logon Account:"
# field, so verify the 4625 case actually matches before enabling.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Repeated login attempt to a suspicious username [5/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; meta_content: "Account|3a| %sagan% ",guest,sql,demo,db2admin,pos,accounting,letmein,mysql,oracle,test,testing,support,sales,ansible,ec2-user,azureuser; content:!"Error Code|3a| 0x0"; meta_nocase; xbits: set,brute_force,track ip_src, expire 21600; classtype: brute-force; program: *Security*; parse_src_ip: 1; after: track by_username, count 5, seconds 3600; threshold: type suppress, track by_username, count 1, seconds 86400; sid:5008565; metadata: created_on 2022_11_22, old_sid 5003980; rev:4;)
# Successful RDP (Logon Type 10) logon as one of the listed account names (this list also
# includes administrator). Disabled by default.
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Login via RDP from a suspicious user"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4624,528; content: "Logon Type|3a| 10 "; meta_content: "Account Name|3a| %sagan% ",guest,administrator,sql,demo,db2admin,pos,accounting,letmein,mysql,oracle,test,testing,support,sales,ansible,ec2-user,azureuser; meta_nocase; program: *Security*; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; sid:5008566; metadata: created_on 2022_11_22, old_sid 5003981; rev:4;)
# We exclude "administrator" as there is a specific rule for "administrator" lockouts.
# 4740 (legacy 644) lockout of one of the listed account names; administrator is excluded
# simply by not being in the list. Sets the brute_force xbit on the source IP for 6h and
# alerts once per reporting host per 24h.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious Account Lockout"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4740,644; meta_content: "Account Name|3a| %sagan% ",guest,sql,demo,db2admin,pos,accounting,letmein,mysql,oracle,test,testing,support,sales,ansible,ec2-user,azureuser; meta_nocase; classtype: brute-force; xbits: set,brute_force,track ip_src, expire 21600; program: *Security*; parse_src_ip: 1; threshold: type suppress, track by_username, count 1, seconds 86400; sid:5008567; metadata: created_on 2022_11_22, old_sid 5003982; rev:4;)
# Zerologon
# 5830/5831: a vulnerable Netlogon secure-channel connection was allowed. Disabled by default.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Vulnerable Netlogon/Zerologon connection is allowed - CVE-2020-1472"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 5830,5831; classtype: successful-admin; parse_src_ip: 1; reference: url,support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc; sid:5008568; metadata: created_on 2022_11_22, old_sid 5004780;rev: 2;)
# 5827/5828: a vulnerable Netlogon connection was denied; suppressed after 3 per minute
# per reporting host. Disabled by default.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Vulnerable Netlogon/Zerologon connection was denied - CVE-2020-1472"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 5827,5828; classtype: attempted-admin; parse_src_ip: 1; normalize; threshold: type suppress, track by_username, count 3, seconds 60; reference: url,support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc; sid:5008569; metadata: created_on 2022_11_22, old_sid 5004781;rev: 2;)
# 5829: a vulnerable connection was allowed because the DC is still in the deployment
# phase; limited to one alert per reporting host (.Computer) per 24h.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Vulnerable Netlogon/Zerologon connection allowed during deployment phase - CVE-2020-1472"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 5829; classtype: suspicious-traffic; parse_src_ip: 1; normalize; threshold: type limit, track by_username, count 1, seconds 86400; reference: url,support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc; sid:5008570; metadata: created_on 2022_11_22, old_sid 5004782; rev: 2;)
# NOTE needs json-parse-data: enabled
# 4776 with Status 0xc0000064 (user name does not exist), 100 per reporting host per
# minute, matched on the parsed .Status field rather than the rendered message.
# NOTE(review): json_map:"event_id",".EventID" appears twice on this line; the duplicate
# is redundant and can be dropped. Disabled by default.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] The computer attempted to validate the credentials. Username does not exist. [100/1]"; program:*Security*; json_map:"event_id",".EventID"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4776; json_map:"hostname",".Workstation"; json_content:".Status","0xc0000064"; after:track by_username, count 100, seconds 60; threshold: type suppress, track by_username, count 1, seconds 60; reference:url,docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776; classtype:unsuccessful-user; sid:5008571; metadata: created_on 2022_11_22, old_sid 5007689; rev:1;)