hi team
can anyone help me create a detailed YARA-L detection for
1) Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
2) Active Directory certificate enumeration (ESC series)
thanks in advance
Hi @NASEEF, in this scenario have you tried using Gemini to craft the rules as a first pass? Even if you need to subsequently tune or modify the rule, you might be able to use Gemini as a starting point to draft out a rule at a basic level before tuning and validating it.
Here is an example of me using Gemini to create a rule for your Adversary-in-the-Middle use case.
My first question looking at the rule was related to the first large block of hostnames from DNS queries, so I'm providing the explanation for that segment as well and why Gemini included it.
If you try this, please remember to rate the responses from Gemini (you can provide a thumbs up or thumbs down)!
rule mitm_llmnr_nbns_smb_relay {
  meta:
    author = "Gemini AI & [Your Name/Organization]"
    description = "Detects potential LLMNR/NBT-NS poisoning and SMB relay attacks."
    date = "2023-10-27" // Update to current date
    mitre_technique = "T1557.001"
    mitre_tactic = "Credential Access"
    severity = "high"

  events:
    // Name resolution whose answer points at $attacker_ip. Internal suffixes are
    // excluded so that legitimate internal servers do not match; replace the
    // placeholder suffixes with your own domain, subdomains and naming zones.
    $dns.metadata.event_type = "NETWORK_DNS"
    $dns.network.dns.questions.name = /\./ nocase
    not $dns.network.dns.questions.name = /\.(local|home|internal|corp)$/ nocase
    not $dns.network.dns.questions.name = /\.(companyname|yourdomain|yourcompany|yourcompanyinternal|yourcompanysubdomain|yourcompanynet|yourcompanydomain|yourcompanydns)$/ nocase // Replace with your company name, domain, subdomain, internal zone, network and DNS suffixes
    not $dns.network.dns.questions.name = /\.(yourcompanydc|yourcompanyserver|yourcompanyworkstation|yourcompanyprintserver|yourcompanyshare|yourcompanyfileserver|yourcompanydatabase|yourcompanyapplication)$/ nocase // Replace with your DC, server, workstation, print server, share, file server, database and application server suffixes
    $dns.network.dns.questions.name = $hostname
    $dns.network.dns.answers.data = $attacker_ip

    // SMB (445) authentication to that same IP from a host other than the IP itself
    $smb.metadata.event_type = "NETWORK_CONNECTION"
    $smb.target.ip = $attacker_ip
    $smb.target.port = 445
    $smb.principal.ip != $attacker_ip
    $smb.principal.user.userid = $username

  match:
    $attacker_ip, $hostname over 1h

  condition:
    $dns and $smb
}
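To sanity-check the correlation the rule expresses (a DNS answer handing out an IP for a dotted, non-internal hostname, followed by an SMB authentication to that IP from another host) before committing to YARA-L syntax, here is an added Python prototype; it is my example, not part of the original thread or Gemini's output. The internal-suffix list, the 1h window and the simplified event dicts are assumptions to be tuned against your own telemetry.

```python
import re
from datetime import datetime, timedelta

# Suffixes treated as internal; constructed to mirror the rule's exclusion block (tune per org).
INTERNAL_SUFFIX = re.compile(r"\.(local|home|internal|corp|yourdomain)$", re.IGNORECASE)

def correlate(events, window=timedelta(hours=1)):
    """Return (attacker_ip, hostname, smb_source_ip, username) for every SMB (445)
    connection whose target IP was, within `window` before it, handed out as the DNS
    answer for a dotted, non-internal hostname, and whose source is not that IP."""
    answers = {}  # answer ip -> list of (timestamp, queried hostname)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "NETWORK_DNS":
            name = e["question"]
            # mirrors the rule: hostname contains a dot and does not end in an internal suffix
            if "." not in name or INTERNAL_SUFFIX.search(name):
                continue
            for ip in e["answers"]:
                answers.setdefault(ip, []).append((e["ts"], name))
        elif e["type"] == "NETWORK_CONNECTION" and e["target_port"] == 445:
            ip = e["target_ip"]
            for seen_at, name in answers.get(ip, []):
                if e["source_ip"] != ip and timedelta(0) <= e["ts"] - seen_at <= window:
                    hits.append((ip, name, e["source_ip"], e["user"]))
    return hits

def _t(clock):
    return datetime.fromisoformat("2023-10-27T" + clock)

# Constructed sample events (not real telemetry): one relay-like sequence, two benign ones.
SAMPLE_EVENTS = [
    {"type": "NETWORK_DNS", "ts": _t("10:00:00"), "question": "fileshare.example.test", "answers": ["10.0.0.66"]},
    {"type": "NETWORK_CONNECTION", "ts": _t("10:00:05"), "source_ip": "10.0.0.21", "target_ip": "10.0.0.66", "target_port": 445, "user": "jdoe"},
    {"type": "NETWORK_DNS", "ts": _t("10:00:10"), "question": "dc01.corp", "answers": ["10.0.0.5"]},  # internal suffix, skipped
    {"type": "NETWORK_CONNECTION", "ts": _t("10:00:15"), "source_ip": "10.0.0.21", "target_ip": "10.0.0.5", "target_port": 445, "user": "jdoe"},
    {"type": "NETWORK_CONNECTION", "ts": _t("10:00:20"), "source_ip": "10.0.0.66", "target_ip": "10.0.0.66", "target_port": 445, "user": "svc"},  # source == target
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("possible relay:", hit)
```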
hello vaskenh,
I'll definitely explore Gemini as a starting point for drafting rules, and then proceed to fine-tune and validate them as needed.
Also, thanks for providing context about the DNS queries block—very helpful to understand why Gemini included it.
I'll be sure to rate the responses after trying it out!