Startseite Erkunden Hilfe
Anmelden
tum
/
soc
Beobachten 1
Favorit hinzufügen 0
Fork 0
Code Issues 0 Pull-Requests 0 Commits 34 Releases 0 Wiki

Keine Beschreibung

Branch: main
Branches Tags
soc
/
wazuh-docker
/
single-node
/
config
/
wazuh_cluster
/
rules
/
soc-c1-c3-ru...

soc-c1-c3-rules.xml 4.7KB
Permalink Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135 
  1. <!--
    2. 

  2.   SOC Proposal Rules — Appendix C1-C3
    3. 

  3.   C1: Impossible Travel
    4. 

  4.   C2: Advanced Credential Abuse & Privilege Misuse
    5. 

  5.   C3: Lateral Movement & Internal Reconnaissance
    6. 

  6. 

  7.   Simulation profile rule IDs : 100501, 100511-100514, 100521-100524
    8. 

  8.   Production profile rule IDs : 110501, 110502, 110511-110514, 110521-110524
    9. 

  9. 

  10.   C1 prod: if_group=fortigate (VPN) or if_sid=100260 (soc-integrator)
    11. 

  11.   C2/C3 prod: specific built-in Wazuh SIDs to avoid N×M explosion:
    12. 

  12.     60106 → event 4624 (auth success / logon)
    13. 

  13.     60113 → events 4728/4732 (group membership change)
    14. 

  14. -->
    15. 

  15. <group name="soc_mvp,appendix_c,">
    16. 

  16. 

  17.   <!-- ================================================================
    18. 

  18.        C1: Impossible Travel Detection
    19. 

  19.        ================================================================ -->
    20. 

  20. 

  21. 

  22.   <rule id="110501" level="12">
    23. 

  23.     <if_group>fortigate</if_group>
    24. 

  24.     <match>action="ssl-login-success"</match>
    25. 

  25.     <description>C1-01 [PROD] VPN login success with geo context — impossible travel candidate</description>
    26. 

  26.     <group>soc_prod,c1,impossible_travel,identity,</group>
    27. 

  27.     <mitre><id>T1078</id></mitre>
    28. 

  28.   </rule>
    29. 

  29. 

  30.   <rule id="110502" level="15">
    31. 

  31.     <if_sid>100260</if_sid>
    32. 

  32.     <match>event_type=c1_impossible_travel</match>
    33. 

  33.     <description>C1-01 [PROD] Impossible travel confirmed by soc-integrator correlation</description>
    34. 

  34.     <group>soc_prod,c1,impossible_travel,identity,</group>
    35. 

  35.     <mitre><id>T1078</id></mitre>
    36. 

  36.   </rule>
    37. 

  37. 

  38. 

  39. 

  40.   <!-- ================================================================
    41. 

  41.        C2: Advanced Credential Abuse & Privilege Misuse
    42. 

  42.        ================================================================ -->
    43. 

  43. 

  44. 

  45. 

  46. 

  47. 

  48.   <!-- C2 production rules
    49. 

  49.        Parent: 60106 (event 4624 - logon success) for auth rules
    50. 

  50.                60113 (events 4728/4732 - group membership) for privilege rules -->
    51. 

  51. 

  52.   <rule id="110511" level="12">
    53. 

  53.     <if_sid>60106</if_sid>
    54. 

  54.     <field name="win.eventdata.targetUserName" type="pcre2">(?i)admin</field>
    55. 

  55.     <description>C2-01 [PROD] Privileged account auth success (4624)</description>
    56. 

  56.     <group>soc_prod,c2,credential_abuse,identity,</group>
    57. 

  57.     <mitre><id>T1078.002</id></mitre>
    58. 

  58.   </rule>
    59. 

  59. 

  60.   <rule id="110512" level="8">
    61. 

  61.     <if_sid>60106</if_sid>
    62. 

  62.     <field name="win.eventdata.targetUserName" type="pcre2">(?i)legacy</field>
    63. 

  63.     <description>C2-02 [PROD] Dormant/legacy account auth success (4624)</description>
    64. 

  64.     <group>soc_prod,c2,credential_abuse,identity,</group>
    65. 

  65.     <mitre><id>T1078</id></mitre>
    66. 

  66.   </rule>
    67. 

  67. 

  68.   <rule id="110513" level="12">
    69. 

  69.     <if_sid>60106</if_sid>
    70. 

  70.     <field name="win.eventdata.logonType">^10$</field>
    71. 

  71.     <field name="win.eventdata.targetUserName" type="pcre2">(?i)svc|service|\$$</field>
    72. 

  72.     <description>C2-03 [PROD] Service account remote interactive logon type 10 (4624)</description>
    73. 

  73.     <group>soc_prod,c2,service_account,identity,</group>
    74. 

  74.     <mitre><id>T1078.003</id></mitre>
    75. 

  75.   </rule>
    76. 

  76. 

  77.   <rule id="110514" level="12">
    78. 

  78.     <if_sid>60113</if_sid>
    79. 

  79.     <field name="win.system.eventID">^4732$</field>
    80. 

  80.     <description>C2-04 [PROD] Privilege escalation: group membership change (4732)</description>
    81. 

  81.     <group>soc_prod,c2,privilege_escalation,identity,</group>
    82. 

  82.     <mitre><id>T1098.007</id></mitre>
    83. 

  83.   </rule>
    84. 

  84. 

  85. 

  86. 

  87. 

  88. 

  89.   <!-- ================================================================
    90. 

  90.        C3: Lateral Movement & Internal Reconnaissance
    91. 

  91.        ================================================================ -->
    92. 

  92. 

  93. 

  94. 

  95. 

  96. 

  97.   <!-- C3 production rules
    98. 

  98.        Parent: 60106 (event 4624 - logon success) -->
    99. 

  99. 

  100.   <rule id="110521" level="12">
    101. 

  101.     <if_sid>60106</if_sid>
    102. 

  102.     <field name="win.eventdata.logonType">^10$</field>
    103. 

  103.     <description>C3-01/02 [PROD] RDP auth success logon type 10 (lateral movement indicator)</description>
    104. 

  104.     <group>soc_prod,c3,lateral_movement,rdp,</group>
    105. 

  105.     <mitre><id>T1021.001</id></mitre>
    106. 

  106.     <mitre><id>T1078</id></mitre>
    107. 

  107.   </rule>
    108. 

  108. 

  109.   <rule id="110522" level="12">
    110. 

  110.     <if_sid>60106</if_sid>
    111. 

  111.     <field name="win.eventdata.logonType">^3$</field>
    112. 

  112.     <description>C3-02 [PROD] SMB network logon type 3 (lateral movement indicator)</description>
    113. 

  113.     <group>soc_prod,c3,lateral_movement,smb,</group>
    114. 

  114.     <mitre><id>T1021.002</id></mitre>
    115. 

  115.     <mitre><id>T1078</id></mitre>
    116. 

  116.   </rule>
    117. 

  117. 

  118.   <rule id="110523" level="15">
    119. 

  119.     <if_sid>60106</if_sid>
    120. 

  120.     <field name="win.eventdata.targetUserName" type="pcre2">(?i)admin</field>
    121. 

  121.     <description>C3-03 [PROD] Admin account auth success — lateral movement candidate (4624)</description>
    122. 

  122.     <group>soc_prod,c3,lateral_movement,admin,</group>
    123. 

  123.     <mitre><id>T1021.001</id></mitre>
    124. 

  124.     <mitre><id>T1078.002</id></mitre>
    125. 

  125.   </rule>
    126. 

  126. 

  127.   <!-- C3-04 PROD: WFP event 5156 has no specific built-in Wazuh parent SID.
    128. 

  128.        Skip prod rule to avoid N×M explosion from using a generic windows parent. -->
    129. 

  129. 

  130. 

  131. 

  132. 

  133. 

  134. </group>
    135. 

  135.