YARA-L rule

So I am writing a few rules for detecting Windows events.

The first one is:

rule A_security_enabled_local_group_was_deleted {
 
  meta:
    author = "ABC"
    description = "This event generates every time a new security-enabled local group was deleted."
    severity = "Low"

  events:
    $e.metadata.vendor_name = "Microsoft"
    $e.metadata.product_event_type = "4734"

  outcome:
    $risk_score = max(20)

  condition:
    $e
}



Any suggestions as to how to do this? Like what details can I include and how to proceed.
@AymanC  @jstoner 

Hi @asinghz297

If you're only trying to capture Event Type 4734 events, the above rule would satisfy that requirement.

Kind Regards,

Ayman C

rule A_security_enabled_local_group_was_deleted {
 
  meta:
    author = "ABC"
    description = "This event generates every time a new security-enabled local group was deleted."
    severity = "Low"

  events:
    $e.metadata.vendor_name = "Microsoft"
    $e.metadata.product_event_type = "4734"
    $e.principal.user.userid = $user
    $e.target.group.windows_sid = $sid
    $e.target.group.group_display_name = $group_name


  outcome:
    $risk_score = max(20)  

    $alertDesc = array_distinct(strings.concat("The user '", $user, "' deleted a security enabled local group with the group ID '", $sid, "' and group name '", $group_name, "'. The user was logged in to the host: '", $e.principal.asset.hostname, "' under the domain '", $e.principal.administrative_domain, "'."))

  condition:
    $e
}


Can't I change it if the group deleted corresponds to critical local or domain security groups like the built-in local Administrators group, Domain Admins, Enterprise Admins, etc., and if it does, then assign a higher risk score? If possible, then which field should I check and how do I do this?


@AymanC 

Hey  @asinghz297 

You can try a combination of Lists and If() statements in the `Outcome:` section. Create a List of all High priority Security groups. Then, make your $risk_score dynamic by adding the following in the Outcome section:

 $risk_score = sum(45 + if($group_name in %High_Priority_Security_Groups, 55, 0))

So your rule would be:

 

rule A_security_enabled_local_group_was_deleted {
 
  meta:
    author = "ABC"
    description = "This event generates every time a new security-enabled local group was deleted."
    severity = "Low"

  events:
    $e.metadata.vendor_name = "Microsoft"
    $e.metadata.product_event_type = "4734"
    $e.principal.user.userid = $user
    $e.target.group.windows_sid = $sid
    $e.target.group.group_display_name = $group_name


  outcome:
    //$risk_score = max(20)  
    $risk_score = sum(45 + if($group_name in %High_Priority_Security_Groups, 55, 0))
    $alertDesc = array_distinct(strings.concat("The user '", $user, "' deleted a security enabled local group with the group ID '", $sid, "' and group name '", $group_name, "'. The user was logged in to the host: '", $e.principal.asset.hostname, "' under the domain '", $e.principal.administrative_domain, "'."))

  condition:
    $e
}
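The reply above keys the high-priority check on the group's display name. As an added example that is not part of the thread and not YARA-L, the Python below models the same scoring logic (base 45, plus 55 for a critical group) over a few constructed 4734-style records, but identifies critical groups by the `$sid` field instead of the display name: the built-in Administrators SID (S-1-5-32-544) and the Domain Admins / Enterprise Admins / Schema Admins RIDs (512, 519, 518) are fixed by Windows and do not change with localisation or renaming, which a display-name list does not guarantee. The record field names and the event contents are assumptions made for this example.

```python
import re

# Well-known SIDs of privileged built-in local groups (Windows-defined, stable across hosts).
CRITICAL_BUILTIN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
}
# Well-known RIDs of privileged domain groups; the domain prefix varies, the RID does not.
CRITICAL_DOMAIN_RIDS = {
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
_DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Scores taken from the reply's $risk_score expression: sum(45 + if(<critical>, 55, 0)).
BASE_SCORE = 45
CRITICAL_BONUS = 55


def critical_group_name(sid):
    """Return the well-known group name if the SID denotes a privileged group, else None."""
    if sid in CRITICAL_BUILTIN_SIDS:
        return CRITICAL_BUILTIN_SIDS[sid]
    match = _DOMAIN_SID.match(sid)
    if match:
        return CRITICAL_DOMAIN_RIDS.get(int(match.group(1)))
    return None


def risk_score(sid):
    """Dynamic score as in the reply, but driven by the SID rather than the display name."""
    return BASE_SCORE + (CRITICAL_BONUS if critical_group_name(sid) else 0)


def alert_description(event):
    """Equivalent of the thread's $alertDesc string, built from the same fields."""
    return (
        f"The user '{event['userid']}' deleted a security enabled local group with the "
        f"group ID '{event['sid']}' and group name '{event['group_display_name']}'. "
        f"The user was logged in to the host: '{event['hostname']}' under the domain "
        f"'{event['domain']}'."
    )


def evaluate(events):
    """Apply the rule's events: filter, then compute outcome fields for each match."""
    results = []
    for event in events:
        if event["vendor_name"] != "Microsoft" or event["product_event_type"] != "4734":
            continue  # same filter as the events: section of the rule
        results.append({
            "risk_score": risk_score(event["sid"]),
            "critical_group": critical_group_name(event["sid"]),
            "alert_description": alert_description(event),
        })
    return results


# Constructed sample records (assumed field names, not real telemetry): a deletion of the
# built-in Administrators group, of Domain Admins, of an ordinary custom group, and one
# unrelated 4732 event that the filter must drop.
SAMPLE_EVENTS = [
    {"vendor_name": "Microsoft", "product_event_type": "4734", "userid": "jdoe",
     "hostname": "WS01", "domain": "CORP", "sid": "S-1-5-32-544",
     "group_display_name": "Administrators"},
    {"vendor_name": "Microsoft", "product_event_type": "4734", "userid": "svc_admin",
     "hostname": "DC01", "domain": "CORP",
     "sid": "S-1-5-21-1004336348-1177238915-682003330-512",
     "group_display_name": "Domain Admins"},
    {"vendor_name": "Microsoft", "product_event_type": "4734", "userid": "jdoe",
     "hostname": "WS01", "domain": "CORP",
     "sid": "S-1-5-21-1004336348-1177238915-682003330-1105",
     "group_display_name": "Project Alpha"},
    {"vendor_name": "Microsoft", "product_event_type": "4732", "userid": "jdoe",
     "hostname": "WS01", "domain": "CORP", "sid": "S-1-5-32-544",
     "group_display_name": "Administrators"},
]

if __name__ == "__main__":
    for result in evaluate(SAMPLE_EVENTS):
        print(result["risk_score"], result["critical_group"], result["alert_description"])
```

In YARA-L the same idea would be a reference list populated with SIDs (or SID suffixes) checked against `$sid` in the outcome section instead of `$group_name`; the display-name list from the reply still works, it is just one more thing that can drift from the groups you actually care about.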