SIEM Rules from Event log ID and use cases


Below is some guidance on rule creation and which events to look for:
Collection - Domain Controller - User Activity - Network Share Accessed
This rule looks for Windows Event ID 5140, which indicates that a network share object was accessed. On workstations or domain controllers, this event can be used to identify access to the C$ or ADMIN$ administrative shares. Common false positives are IPC$, \Sysvol and \Netlogon.
 
Credential Access - AD - Account Lockout - Service Account
Event ID 4740
 
Defense Evasion - Domain Controller - System Change - Event Logs Cleared
Identifies the clearing of event logs on a Windows host or domain controller. This may be done to destroy evidence of malicious activity on the system.
Event ID 1102
 
Discovery - AD - Account Enumeration - Host
Event ID 4771, 4625, 4768
 
Discovery - AD - Kerberoasting
This rule looks for activity on Active Directory indicative of Kerberoasting attacks. Kerberoasting is where an attacker obtains Kerberos service tickets and cracks them offline to recover service account credentials in order to gain access to a targeted service.
Event ID 4769
 
Execution - Network - Access Attempt - Unicode Domain
Identifies web requests where the website domain contains Unicode characters. Unicode allows foreign characters to be displayed in the URL bar, which can be used to trick users into visiting malicious websites.
URL matches: *?xn--.*? Log source: web proxy servers and firewalls
 
Exfiltration - Email - Auto Forwarding
This rule looks for many emails from a single internal user going to an external email address, indicative of a user auto-forwarding their mail to a personal mailbox.
Vendor message ID is: send, and status is: originating
 
Initial Access - ADFS - Excessive Login Failures
Identifies a large volume of ADFS failures, which may indicate account enumeration, brute-force login activity or a client misconfiguration.
Event ID 1201, 1203, 1205
 
Initial Access - Remote Access - Login Attempt - Different Geos
Identifies VPN login attempts by the same user across geographically distant locations in a short time period. This may indicate account compromise, especially if the user is not traveling.

 
Lateral Movement - Domain Controller - Login Attempt - Interactive
Identifies a remote interactive login to a domain controller.
Event ID 4624 with Logon Type 10 (RemoteInteractive) or 2 (Interactive)
 
Persistence - Domain Controller - System Change - Audit Policy Changed
Identifies system audit policy changes on Windows hosts. This represents a change to the type of security events logged by the system and may be pre-attack activity intended to avoid detection.
Event ID 4719, 4905, 4912
 
Persistence - Domain Controller - System Change - Domain Policy Changed
Event ID 4739
 
Persistence - Domain Controller - System Change - Multiple Processes Created
Identifies a large number of processes being created in a short time on a monitored Windows host. An abnormal volume of unusual processes may indicate the host has been compromised or is being misused.
Event ID 4688, unique process count >= 10
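The Network Share Accessed, Interactive Login and Multiple Processes Created rules above as executable matching logic, added here as an example rather than code from the original post. The events are constructed samples using the field names from the Windows Security event XML, and the five-minute bucket for the process count is an assumption.

```python
from datetime import datetime

# Constructed sample Security-log events: (ISO timestamp, event ID, fields)
EVENTS = [
    ("2024-05-01T10:00:00", 5140, {"ShareName": "\\\\*\\IPC$", "SubjectUserName": "alice", "IpAddress": "10.1.1.5"}),
    ("2024-05-01T10:00:02", 5140, {"ShareName": "\\\\*\\C$", "SubjectUserName": "alice", "IpAddress": "10.1.1.5"}),
    ("2024-05-01T10:00:03", 5140, {"ShareName": "\\\\*\\SYSVOL", "SubjectUserName": "bob", "IpAddress": "10.1.1.6"}),
    ("2024-05-01T10:05:00", 4624, {"LogonType": "10", "TargetUserName": "svc_backup", "IpAddress": "10.1.1.9"}),
    ("2024-05-01T10:05:01", 4624, {"LogonType": "3", "TargetUserName": "bob", "IpAddress": "10.1.1.6"}),
] + [("2024-05-01T10:10:%02d" % i, 4688, {"NewProcessName": "C:\\Temp\\tool%d.exe" % i, "SubjectUserName": "alice"})
     for i in range(12)]

FP_SHARES = {"IPC$", "SYSVOL", "NETLOGON"}   # false positives named in the rule text
ADMIN_SHARES = {"C$", "ADMIN$"}

def share_name(raw):
    """Return the share's short name (e.g. C$) from the logged \\\\*\\C$ form."""
    return raw.rsplit("\\", 1)[-1].upper()

def network_share_accessed(events):
    """Collection rule: 5140 hits on administrative shares, minus the false positives."""
    return [f for _, eid, f in events
            if eid == 5140 and share_name(f["ShareName"]) in ADMIN_SHARES
            and share_name(f["ShareName"]) not in FP_SHARES]

def interactive_dc_logon(events):
    """Lateral-movement rule: 4624 with Logon Type 2 (Interactive) or 10 (RemoteInteractive)."""
    return [f for _, eid, f in events if eid == 4624 and f["LogonType"] in ("2", "10")]

def process_burst(events, threshold=10, bucket_minutes=5):
    """Persistence rule: >= threshold distinct new processes (4688) per user in one time bucket."""
    buckets = {}
    for ts, eid, f in events:
        if eid != 4688:
            continue
        t = datetime.fromisoformat(ts)
        start = t.replace(minute=t.minute - t.minute % bucket_minutes, second=0)
        buckets.setdefault((f["SubjectUserName"], start), set()).add(f["NewProcessName"])
    return [(user, start.isoformat(), len(p)) for (user, start), p in buckets.items() if len(p) >= threshold]
```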
 
Persistence - Domain Controller - System Change - Scheduled Task
Identifies the creation of new scheduled tasks as well as changes to existing tasks. The creation of new scheduled tasks or the removal of existing ones may be a technique to maintain persistence.
Event ID: 4698, 4699, 4700, 4701, 4702
 
Persistence - Domain Controller - System Change - Service Installed
Identifies the installation of unexpected services on a system. The installation of unexpected services may be an indicator of system compromise or misuse.
Event ID: 7045, 4697, 601
 
Privilege Escalation - AD - Group Change - Admin
Identifies attempts to change a user's group membership in AD. The high risk associated with delegating certain permissions in AD warrants a high level of scrutiny. For example, the promotion of a domain user to domain admin.
Event ID: 4728, 4732, 4746, 4751, 4756, 4761
 
Privilege Escalation - ATP - Golden Ticket
This rule looks for Golden Ticket related activity identified by Azure ATP. See here for more details: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide?tabs=external.
Event ID 2009, 2013, 2027, 2032, 2022
 
Hunting Fileless Malware and PowerShell Activity:
Event IDs 4104, 4103 and 4688
 
  • Event ID 4103 – Module logging – Attackers use obfuscated commands, self-defined variables and system commands. Hunting on this event ID lets SOC operations record all the obfuscated commands as pipeline execution details under Event ID 4103. Module logging must be enabled to capture and process these commands.
  • Event ID 4104 – PowerShell Script Block Logging – Captures the entire script that is executed, including scripts run from remote machines, for example obfuscated scripts that are decoded and executed at run time. This gives additional visibility into remote commands.
  • If an event exceeds the maximum event log message size, script block logging splits the logged script across multiple events, and suspicious commands are logged at the "Warning" level.
 
USE CASE: DNS QUERY
Objective: The mission of this hunt is to drill down into DNS logs to baseline common domains queried by endpoints in the environment, as well as to identify potentially infected endpoints by looking for possible DNS tunneling, domain generation algorithm (DGA) domains, and traffic to risky top-level domains (TLDs).
Log Source & Requirements: DNS query logging
Duration: 30 Days
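The three hunt signals from the DNS use case scored over query logs, added as an example that is not part of the original post. The log lines, the risky-TLD list, the entropy threshold and the label-length threshold are all constructed assumptions to tune against your own 30-day baseline.

```python
import math
from collections import Counter

# Constructed DNS query log lines: "client_ip qname"
DNS_LOG = """\
10.0.0.5 www.microsoft.com
10.0.0.5 login.microsoftonline.com
10.0.0.7 www.microsoft.com
10.0.0.7 x7q9zk3lmp2vw8rt.com
10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHZlcnkgbG9uZyBsYWJlbA.t.evil-example.net
10.0.0.9 update.someapp.top
""".splitlines()

RISKY_TLDS = {"top", "xyz", "zip"}   # assumed list; tune to your environment
ENTROPY_THRESHOLD = 3.5              # assumed; bits per character of the registrable label
TUNNEL_LABEL_LEN = 40                # assumed; labels this long are rare in normal traffic

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def labels(qname):
    return qname.lower().rstrip(".").split(".")

def classify(qname):
    """Return the set of hunt signals a query name triggers (empty set = baseline traffic)."""
    parts = labels(qname)
    signals = set()
    if parts[-1] in RISKY_TLDS:
        signals.add("risky_tld")
    if max(len(p) for p in parts) >= TUNNEL_LABEL_LEN:   # oversized label carrying encoded data
        signals.add("possible_tunneling")
    # registrable label = the one left of the TLD (no public-suffix list handling here)
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) >= 12 and shannon_entropy(label) >= ENTROPY_THRESHOLD:   # random-looking name
        signals.add("possible_dga")
    return signals

def hunt(lines):
    """Baseline of registrable domains (domain -> query count) plus per-client findings."""
    baseline, findings = Counter(), []
    for line in lines:
        client, qname = line.split()
        baseline[".".join(labels(qname)[-2:])] += 1
        signals = classify(qname)
        if signals:
            findings.append((client, qname, sorted(signals)))
    return baseline, findings
```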
