| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170 |
- <!--
- SOC Proposal Rules — Appendix A4: Windows / Active Directory
- Simulation profile rule IDs : 100341-100364
- Production profile rule IDs : 110341-110364
- Production rules use specific built-in Wazuh rule SIDs as parents
- to avoid the N×M rule-tree explosion from if_group=windows:
- 60105/60122 → event 4625 (auth failure)
- 60106 → event 4624 (auth success / logon)
- 60109 → events 4720/4722 (account create/enable)
- 60113 → events 4728/4732 (group membership change)
- 67027 → event 4688 (new process created)
- 60103 → event 4794 (DSRM password set)
- -->
- <group name="soc_mvp,appendix_a,a4,windows,">
- <!-- ── Simulation profile ── -->
- <!-- ── Production profile ──
- Parents are specific built-in Wazuh SIDs (not if_group=windows) to
- avoid N×M rule-tree explosion. Each parent fires for one event ID.
- -->
- <!-- A4-01/02/19: Auth failures (event 4625)
- Parent: 60105 (4625 base), 60122 (4625 variant) -->
- <rule id="110341" level="8">
- <if_sid>60105, 60122</if_sid>
- <field name="win.eventdata.targetUserName" type="pcre2">(?i)admin</field>
- <description>A4-01 [PROD] Windows: privileged account name auth failure (4625)</description>
- <group>soc_prod,a4,auth_fail,</group>
- <mitre><id>T1110.001</id></mitre>
- </rule>
- <rule id="110342" level="8">
- <if_sid>60105, 60122</if_sid>
- <field name="win.eventdata.targetUserName" type="pcre2">(?i)svc|service|\$$</field>
- <description>A4-02 [PROD] Windows: service account auth failure (4625)</description>
- <group>soc_prod,a4,auth_fail,</group>
- <mitre><id>T1110.001</id></mitre>
- </rule>
- <rule id="110359" level="5">
- <if_sid>60105, 60122</if_sid>
- <description>A4-19 [PROD] Windows: authentication failure (4625)</description>
- <group>soc_prod,a4,spray,</group>
- <mitre><id>T1110.003</id></mitre>
- </rule>
- <!-- A4-03: AD enumeration via process execution (event 4688)
- Parent: 67027 (new process created) -->
- <rule id="110343" level="8">
- <if_sid>67027</if_sid>
- <field name="win.eventdata.newProcessName" type="pcre2">(?i)adfind\.exe</field>
- <description>A4-03 [PROD] Windows AD: adfind enumeration tool executed (4688)</description>
- <group>soc_prod,a4,ad_enum,</group>
- <mitre><id>T1087.002</id></mitre>
- </rule>
- <!-- A4-06/07/08/09/10: Auth successes (event 4624)
- Parent: 60106 (logon success) -->
- <rule id="110346" level="12">
- <if_sid>60106</if_sid>
- <field name="win.eventdata.logonType">^10$</field>
- <description>A4-06 [PROD] Windows: remote interactive auth success logon type 10 (4624)</description>
- <group>soc_prod,a4,auth_success,remote,</group>
- <mitre><id>T1021.001</id></mitre>
- <mitre><id>T1078</id></mitre>
- </rule>
- <rule id="110348" level="12">
- <if_sid>60106</if_sid>
- <field name="win.eventdata.authenticationPackageName">NTLM</field>
- <field name="win.eventdata.logonType">^3$</field>
- <description>A4-08 [PROD] Windows: NTLM network logon type 3 — pass-the-hash indicator (4624)</description>
- <group>soc_prod,a4,pth,</group>
- <mitre><id>T1550.002</id></mitre>
- </rule>
- <rule id="110349" level="12">
- <if_sid>60106</if_sid>
- <field name="win.eventdata.targetUserName" type="pcre2">(?i)^guest$</field>
- <description>A4-09 [PROD] Windows: guest account auth success (4624)</description>
- <group>soc_prod,a4,auth_success,guest,</group>
- <mitre><id>T1078.001</id></mitre>
- </rule>
- <rule id="110350" level="12">
- <if_sid>60106</if_sid>
- <field name="win.eventdata.logonType">^2$</field>
- <field name="win.eventdata.targetUserName" type="pcre2">(?i)svc|service|\$$</field>
- <description>A4-10 [PROD] Windows: service account interactive logon type 2 (4624)</description>
- <group>soc_prod,a4,service_account,</group>
- <mitre><id>T1078.003</id></mitre>
- </rule>
- <!-- A4-11/12: Group membership changes (events 4728/4732)
- Parent: 60113 (member added to security-enabled group) -->
- <rule id="110352" level="12">
- <if_sid>60113</if_sid>
- <field name="win.system.eventID">^4728$</field>
- <description>A4-12 [PROD] Windows: account added to privileged domain group (4728)</description>
- <group>soc_prod,a4,privilege_escalation,</group>
- <mitre><id>T1098.007</id></mitre>
- </rule>
- <rule id="110353" level="12">
- <if_sid>60113</if_sid>
- <field name="win.system.eventID">^4732$</field>
- <description>A4-11 [PROD] Windows: account added to privileged local group (4732)</description>
- <group>soc_prod,a4,privilege_escalation,</group>
- <mitre><id>T1098.007</id></mitre>
- </rule>
- <!-- A4-13: DSRM password set (event 4794)
- Parent: 60103 (Windows audit success event — must constrain to eventID 4794) -->
- <rule id="110354" level="12">
- <if_sid>60103</if_sid>
- <field name="win.system.eventID">^4794$</field>
- <description>A4-13 [PROD] Windows DC: DSRM account password set (4794)</description>
- <group>soc_prod,a4,persistence,</group>
- <mitre><id>T1098</id></mitre>
- </rule>
- <!-- A4-21/22/23/24: Account lifecycle (events 4720/4722)
- Parent: 60109 (account created/enabled) -->
- <rule id="110361" level="5">
- <if_sid>60109</if_sid>
- <field name="win.system.eventID">^4720$</field>
- <description>A4-21/23 [PROD] Windows: new user account created (4720)</description>
- <group>soc_prod,a4,account_create,</group>
- <mitre><id>T1136</id></mitre>
- </rule>
- <rule id="110362" level="5">
- <if_sid>60109</if_sid>
- <field name="win.system.eventID">^4722$</field>
- <description>A4-22/24 [PROD] Windows: user account re-enabled (4722)</description>
- <group>soc_prod,a4,account_lifecycle,</group>
- <mitre><id>T1078</id></mitre>
- </rule>
- <!-- ── Production normalized key=value path (soc-mvp production profile) ── -->
- </group>
|
