| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212 |
- <!--
- SOC Proposal Rules — Appendix A4: Windows / Active Directory
- Simulation profile rule IDs : 100341-100364
- Production profile rule IDs : 110341-110364
- Production rules use specific built-in Wazuh rule SIDs as parents
- to avoid the N×M rule-tree explosion from if_group=windows:
- 60105/60122 → event 4625 (auth failure)
- 60106 → event 4624 (auth success / logon)
- 60109 → events 4720/4722 (account create/enable)
- 60113 → events 4728/4732 (group membership change)
- 67027 → event 4688 (new process created)
- 60103 → event 4794 (DSRM password set) — must add eventID=4794 constraint!
- 67017 → event 5140 (network share access, non-IPC$)
- 60103 → event 4771 (Kerberos pre-auth failure) — constrained with eventID field
- Real event volumes observed (2026-03-20):
- 4624: 209K | 4625: 1.5K | 4688: 138K | 5140: 26K | 4776: 25K
- 4771: 281 | 4648: 6K | 4740: 7
- -->
- <group name="soc_mvp,appendix_a,a4,windows,">
- <!-- ── Simulation profile ── -->
- <!-- ── Production profile ──
- Parents are specific built-in Wazuh SIDs (not if_group=windows) to
- avoid N×M rule-tree explosion. Each parent fires for one event ID.
- -->
- <!-- A4-01/02/19: Auth failures (event 4625)
- Parent: 60105 (4625 base), 60122 (4625 variant) -->
- <rule id="110341" level="8">
- <if_sid>60105, 60122</if_sid>
- <field name="win.eventdata.targetUserName" type="pcre2">(?i)admin</field>
- <description>A4-01 [PROD] Windows: privileged account name auth failure (4625)</description>
- <group>soc_prod,a4,auth_fail,</group>
- <mitre><id>T1110.001</id></mitre>
- </rule>
- <rule id="110342" level="8">
- <if_sid>60105, 60122</if_sid>
- <field name="win.eventdata.targetUserName" type="pcre2">(?i)svc|service|\$$</field>
- <description>A4-02 [PROD] Windows: service account auth failure (4625)</description>
- <group>soc_prod,a4,auth_fail,</group>
- <mitre><id>T1110.001</id></mitre>
- </rule>
- <rule id="110359" level="5">
- <if_sid>60105, 60122</if_sid>
- <description>A4-19 [PROD] Windows: authentication failure (4625)</description>
- <group>soc_prod,a4,spray,</group>
- <mitre><id>T1110.003</id></mitre>
- </rule>
- <!-- A4-03: AD enumeration via process execution (event 4688)
- Parent: 67027 (new process created) -->
- <rule id="110343" level="8">
- <if_sid>67027</if_sid>
- <field name="win.eventdata.newProcessName" type="pcre2">(?i)adfind\.exe</field>
- <description>A4-03 [PROD] Windows AD: adfind enumeration tool executed (4688)</description>
- <group>soc_prod,a4,ad_enum,</group>
- <mitre><id>T1087.002</id></mitre>
- </rule>
- <!-- A4-06/07/08/09/10: Auth successes (event 4624)
- Parent: 60106 (logon success) -->
- <rule id="110346" level="12">
- <if_sid>60106</if_sid>
- <field name="win.eventdata.logonType">^10$</field>
- <description>A4-06 [PROD] Windows: remote interactive auth success logon type 10 (4624)</description>
- <group>soc_prod,a4,auth_success,remote,</group>
- <mitre><id>T1021.001</id></mitre>
- <mitre><id>T1078</id></mitre>
- </rule>
- <rule id="110348" level="12">
- <if_sid>60106</if_sid>
- <field name="win.eventdata.authenticationPackageName">NTLM</field>
- <field name="win.eventdata.logonType">^3$</field>
- <description>A4-08 [PROD] Windows: NTLM network logon type 3 — pass-the-hash indicator (4624)</description>
- <group>soc_prod,a4,pth,</group>
- <mitre><id>T1550.002</id></mitre>
- </rule>
- <rule id="110349" level="12">
- <if_sid>60106</if_sid>
- <field name="win.eventdata.targetUserName" type="pcre2">(?i)^guest$</field>
- <description>A4-09 [PROD] Windows: guest account auth success (4624)</description>
- <group>soc_prod,a4,auth_success,guest,</group>
- <mitre><id>T1078.001</id></mitre>
- </rule>
- <rule id="110350" level="12">
- <if_sid>60106</if_sid>
- <field name="win.eventdata.logonType">^2$</field>
- <field name="win.eventdata.targetUserName" type="pcre2">(?i)svc|service|\$$</field>
- <description>A4-10 [PROD] Windows: service account interactive logon type 2 (4624)</description>
- <group>soc_prod,a4,service_account,</group>
- <mitre><id>T1078.003</id></mitre>
- </rule>
- <!-- A4-11/12: Group membership changes (events 4728/4732)
- Parent: 60113 (member added to security-enabled group) -->
- <rule id="110352" level="12">
- <if_sid>60113</if_sid>
- <field name="win.system.eventID">^4728$</field>
- <description>A4-12 [PROD] Windows: account added to privileged domain group (4728)</description>
- <group>soc_prod,a4,privilege_escalation,</group>
- <mitre><id>T1098.007</id></mitre>
- </rule>
- <rule id="110353" level="12">
- <if_sid>60113</if_sid>
- <field name="win.system.eventID">^4732$</field>
- <description>A4-11 [PROD] Windows: account added to privileged local group (4732)</description>
- <group>soc_prod,a4,privilege_escalation,</group>
- <mitre><id>T1098.007</id></mitre>
- </rule>
- <!-- A4-13: DSRM password set (event 4794)
- Parent: 60103 (Windows audit success event — must constrain to eventID 4794) -->
- <rule id="110354" level="12">
- <if_sid>60103</if_sid>
- <field name="win.system.eventID">^4794$</field>
- <description>A4-13 [PROD] Windows DC: DSRM account password set (4794)</description>
- <group>soc_prod,a4,persistence,</group>
- <mitre><id>T1098</id></mitre>
- </rule>
- <!-- A4-21/22/23/24: Account lifecycle (events 4720/4722)
- Parent: 60109 (account created/enabled) -->
- <rule id="110361" level="5">
- <if_sid>60109</if_sid>
- <field name="win.system.eventID">^4720$</field>
- <description>A4-21/23 [PROD] Windows: new user account created (4720)</description>
- <group>soc_prod,a4,account_create,</group>
- <mitre><id>T1136</id></mitre>
- </rule>
- <rule id="110362" level="5">
- <if_sid>60109</if_sid>
- <field name="win.system.eventID">^4722$</field>
- <description>A4-22/24 [PROD] Windows: user account re-enabled (4722)</description>
- <group>soc_prod,a4,account_lifecycle,</group>
- <mitre><id>T1078</id></mitre>
- </rule>
- <!-- A4-05: Network share access (file share enumeration / lateral movement)
- Event 5140 — A network share object was accessed
- Parent: 67017 (WEF baseline: network share accessed, non-IPC$/NetLogon)
- Real data: 26,202 events/day observed; admin shares (D$, C$, ADMIN$) accessed by
- both machine accounts ($) and user accounts — alert on user accounts accessing admin shares.
- Excludes machine accounts (ending in $) to reduce service/replication noise. -->
- <rule id="110355" level="8">
- <if_sid>67017</if_sid>
- <field name="win.eventdata.shareName" type="pcre2">(?i)\\\\[A-Z]\$|\\\\ADMIN\$|\\\\C\$|\\\\D\$|\\\\E\$</field>
- <field name="win.eventdata.subjectUserName" negate="yes" type="pcre2">\$$</field>
- <description>A4-05 [PROD] Windows: user account accessing admin share (5140) — lateral movement indicator</description>
- <group>soc_prod,a4,lateral_movement,share,</group>
- <mitre><id>T1021.002</id></mitre>
- </rule>
- <!-- A4 (supplemental): Kerberos pre-authentication failure (event 4771)
- Event 4771 — Kerberos pre-authentication failed (similar to 4625 but Kerberos-specific)
- Parent: 60103 (Windows audit success — constrained to eventID 4771)
- Real data: 281 events observed; status=0x18 = bad password
- Note: Wazuh has no dedicated built-in parent for 4771 in the base ruleset. -->
- <rule id="110356" level="5">
- <if_sid>60103</if_sid>
- <field name="win.system.eventID">^4771$</field>
- <description>A4-supplemental [PROD] Windows: Kerberos pre-authentication failure (4771)</description>
- <group>soc_prod,a4,auth_fail,kerberos,</group>
- <mitre><id>T1110.001</id></mitre>
- </rule>
- <!-- A4 (supplemental): Account lockout (event 4740)
- Parent: 60103 (Windows audit events — constrained to eventID 4740)
- Real data: 7 events observed — indicates repeated auth failures triggering lockout policy -->
- <rule id="110357" level="8">
- <if_sid>60103</if_sid>
- <field name="win.system.eventID">^4740$</field>
- <description>A4-supplemental [PROD] Windows: user account locked out (4740)</description>
- <group>soc_prod,a4,auth_fail,lockout,</group>
- <mitre><id>T1110.001</id></mitre>
- </rule>
- </group>
|
