# Sagan windows-auth.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Windows authentication rules. 
# Eventlog to syslog service.  This is what we primarily use.
# http://code.google.com/p/eventlog-to-syslog/


alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Unknown username or bad password - Brute force [25/1]"; content: " 529|3a| "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; fwsam: src, 1 day; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5001151; sid: 5001151; rev:26;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Unknown username or bad password"; content: " 529|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001531; sid: 5001531; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account login time restriction"; content: " 530|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001152; sid: 5001152; rev:6;)

# We only want "account disabled" events that actually carry a username, hence the negated match (content:!) on sid 5001153.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account currently disabled [0/1]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001153; sid: 5001153; rev:21;)

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001154; sid: 5001154; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001155; sid: 5001155; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - User not granted login type"; content: " 534|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001156; sid: 5001156; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account password is expired"; content: " 535|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001157; sid: 5001157; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Internal error"; pcre: "/ 536: | 537: /"; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 2, seconds 300; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001158; sid: 5001158; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account locked [0/1]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; threshold: type limit, track by_src, count 1, seconds 300; parse_src_ip: 1; parse_port; fwsam: src, 1 day; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001159; sid: 5001159; rev:21;)

# See 681 & 4769 for subcodes

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001160; sid: 5001160; rev:23;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User account unlocked"; pcre: "/ 671: | 4767: /"; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001161; sid: 5001161; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group created"; pcre: "/ 631: | 635: | 658: | 4727: | 4731: | 4754: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001162; sid: 5001162; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group deleted"; pcre: "/ 634: | 638: | 662: | 4730: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001163; sid: 5001163; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account created"; pcre: "/ 631: | 4727: | 635: | 4731: | 658: | 4754: | 648: | 4744: | 653: | 4749: | 663: | 4759: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001164; sid: 5001164; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account deleted"; pcre: "/ 634: | 4730: | 638: | 4734: | 662: | 4758: | 652: | 4748: | 657: | 4753: | 667: | 4763: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001165; sid: 5001165; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account changed"; pcre: "/ 632: | 4728: | 633: | 4729: | 636: | 4732: | 637: | 4733: | 639: | 4735: | 641 | 4737: | 637: | 4733: | 659: | 4755: | 660: | 4766: | 668: | 4764: | 649: | 4745: | 650: | 4746: | 651: | 4747: | 654: | 4750: | 655: | 4751: | 656: | 4752: | 659: | 4755: | 660: | 4756: | 661: | 4757: | 664: | 4760: | 665: | 4761: | 666: | 4762: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001475; sid: 5001475; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group member added"; pcre: "/ 632: | 4728: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001166; sid: 5001166; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group member removed"; pcre: "/ 633: | 4729: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001167; sid: 5001167; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group deleted"; pcre: "/ 634: | 4730: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001168; sid: 5001168; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group created"; pcre: "/ 635: | 4731: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001169; sid: 5001169; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group member added"; pcre: "/ 636: | 4732: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001170; sid: 5001170; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group member removed"; pcre: "/ 637: | 4733: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001171; sid: 5001171; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group deleted"; pcre: "/ 638: | 4734: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001172; sid: 5001172; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group changed"; pcre: "/ 639: | 4735: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001173; sid: 5001173; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group changed"; pcre: "/ 641: | 4737: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001174; sid: 5001174; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group created"; pcre: "/ 658: | 4754: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001176; sid: 5001176; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group changed"; pcre: "/ 659: | 4755: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001177; sid: 5001177; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group member added"; pcre: "/ 660: | 4756: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001178; sid: 5001178; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group member removed"; pcre: "/ 661: | 4757: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001179; sid: 5001179; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group member deleted"; pcre: "/ 662: | 4758: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001180; sid: 5001180; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] RDP maximum allowed failed logon attempts"; content: " 1012|3a| "; classtype: system-event; program: TermService; reference: url,wiki.quadrantsec.com/bin/view/Main/5001181; sid: 5001181; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows login attempt (ignored). Duplicated"; content: " 680|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001186; sid: 5001186; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote access login failure"; pcre: "/ 20187: | 20014: | 20078: | 20050: | 20049: | 20189: /"; classtype: unsuccessful-user; program: RemoteAccess; reference: url,wiki.quadrantsec.com/bin/view/Main/5001187; sid: 5001187; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote access login success"; content: " 20158|3a| "; classtype: successful-user; program: RemoteAccess; reference: url,wiki.quadrantsec.com/bin/view/Main/5001188; sid: 5001188; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Computer account changed/deleted"; pcre: "/ 646: | 647: | 4742: | 4743: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001189; sid: 5001189; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Computer account changed/deleted"; pcre: "/ 646: | 647: | 4742: | 4743: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001190; sid: 5001190; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Account locked out [multiple login errors] [0/1]"; pcre: "/ 644: | 4740: /"; threshold: type limit, track by_src, count 1, seconds 300; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001192; sid: 5001192; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] General account database changed"; content: " 640|3a| "; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001193; sid: 5001193; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC  - Integrity check on decrypted"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x1F"; classtype: exploit-attempt; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001195; sid: 5001195; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Possible replay attack"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x22"; classtype: exploit-attempt; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001196; sid: 5001196; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Clock skew too great"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x25"; threshold: type limit, track by_src, count 1, seconds 86400; classtype: exploit-attempt; parse_src_ip: 1; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001197; sid: 5001197; rev:8;)

# Tied to SIDs.

# if_sid 18207,18208 - see the msauth rules.  Sagan can do the same; the rules just need to be written.
# The same applies to "Kerberos failures that may indicate an attack".
#
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Administrator group changed"; pcre: "/ ID:\s+\p*S-1-5-32-544\p*/"; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/XXXXXXX; sid: XXXXXXX; rev:4;)

# 09/18/2012 Sniffty Dugen 

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Attempted Password Reset"; pcre: "/ 628: | 4724: /"; classtype: configuration-change; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001620; sid:5001620; rev:6;)

# Generic "catch all" for event ID 6273
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Authentication failed - User credentials mismatch [0/5]"; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001648; sid: 5001648; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password - Brute Force [25/1]"; content: " 6273|3a| "; content: "Reason Code: 16 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001657; sid: 5001657; rev:20;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password"; content: "Reason Code|3a| 16 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001658; sid: 5001658; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User account does not exist"; content: "Reason Code|3a| 8 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001659; sid: 5001659; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Domain does not exist"; content: "Reason Code|3a| 7 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001660; sid: 5001660; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] No matching network policy"; content: "Reason Code|3a| 48 ";  content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001661; sid: 5001661; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] RADIUS Access-Request message is disabled"; content: "Reason Code|3a| 34 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001662; sid: 5001662; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User must change password"; content: "Reason Code|3a| 33 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001663; sid: 5001663; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote RADIUS did not process auth request"; content: "Reason Code|3a| 112 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001664; sid: 5001664; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Incomplete message. Signature not verified"; content: "Reason Code|3a| 262 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001665; sid: 5001665; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] EAP type cannot be processed by server"; content: "Reason Code|3a| 22 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001666; sid: 5001666; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Error occurred with EAP"; content: "Reason Code|3a| 23 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001667; sid: 5001667; rev:6;)

# The generic group change rules were typically too noisy and didn't supply the information
# needed.  The rules below detect "what" group a user was "added" to, which should
# improve the signal/noise ratio greatly.
#
# These were created by Robert Nunley (rnunley@quadrantsec.com)

# Local group
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] Local Administrator account added to a local group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-500 /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001692; sid: 5001692; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Network Config Operator group";  pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-556 /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001693; sid: 5001693; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to DNS Admins group";  pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-1101 /"; program: *Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001694; sid: 5001694; rev:6;)
# Domain/global group
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Domain Administrators group";  pcre: "/ 632: | 4728: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-512 /"; program: *Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001695; sid: 5001695; rev:8;)
# Enterprise/universal group
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Enterprise Administrators group"; pcre: "/ 660: | 4756: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-519 /"; program: *Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001696; sid: 5001696; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Group Policy Creator Owner group"; pcre: "/ 660: | 4756: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-520 /"; program: *Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001696; sid: 5001697; rev:7;)
# Schema Admins
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Schema Admins"; pcre: "/ 660: | 4756: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-518 /"; program: *Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5003104; sid:5003104; rev:2;)

# User enabled.  Note: this rule only fires when the created_enabled xbit is already set for the source (xbits: isset); none of the rules above set that bit.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account enabled"; pcre: "/ 626: | 4722: /"; content:!"$ Account Domain"; program: *Security*; xbits: isset, by_src, created_enabled; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001687; sid: 5001687; rev:10;)

# User created
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created"; pcre: "/ 624: | 4720: /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001786; sid: 5001791; rev:20;)

# Windows 2008 rules submitted by Robert Nunley (rnunley@quadrantsec.com)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Potential Windows User Enumeration - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5001728; sid: 5001728; rev:27;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Correct but Incorrect Password [25/1]"; content:!"|24| Source Workstation|3a|"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"|24| Account Domain|3a| "; content:!"Source Network Address|3a| -"; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001729; sid: 5001729; rev:27;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Is Locked Out [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001730; sid: 5001730; rev:22;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Account Disabled [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001731; sid: 5001731; rev:25;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Login Attempts Outside of Time Restriction [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001732; sid: 5001732; rev:23;)

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - Expired Account [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001733; sid: 5001733; rev:23;)

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - Expired Password [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001734; sid: 5001734; rev:23;)

# Windows authentication rules by code type.  Submitted by Brian Echeverry

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001740; sid: 5001740; rev:21;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001741; sid: 5001741; rev:20;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001742; sid: 5001742; rev:20;)

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001743; sid: 5001743; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001744; sid: 5001744; rev:8;)
# Kerberos logon-failure brute-force family (sids 5001745-5001785).
# Every rule below shares the same event-ID alternation in its pcre
# (675/676/681 or 4771/4768, as seen on each line) and the same program
# filter (*Security*); the only per-rule differentiator is the Kerberos
# result code in the content match (codes 0x6-0xB anchor on " 0xN Client ",
# the rest on " 0xN "), and the msg text names what that code means.
# Gating is per source: "after: track by_src, count 25, seconds 300" holds
# the alert until 25 matches from one source land inside 5 minutes, and
# "threshold: type limit, track by_src, count 1, seconds 86400" then caps
# output to one alert per source per day - hence the "[25/1]" in each msg.
# Each match also sets the shared "brute_force" xbit for 21600 seconds,
# presumably tested by other rules - confirm. "parse_src_ip: 1" takes the
# source address from the log text (the first IP found, as I read it), so
# by_src tracking follows the client in the event, not the syslog sender.
# Most of the family ships commented out; only 0x6, 0xC, 0x18, 0x22, 0x24,
# 0x26 and 0x31 are enabled here.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001745; sid: 5001745; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001746; sid: 5001746; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001747; sid: 5001747; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001748; sid: 5001748; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001749; sid: 5001749; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001750; sid: 5001750; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001751; sid: 5001751; rev:9;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001752; sid: 5001752; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001753; sid: 5001753; rev:8;)
# NOTE(review): 5001754 is the only rule in this family without
# "xbits: set,brute_force,21600" - looks like an omission (it would not
# contribute to the shared bit if enabled); the msg also reads "B4ute".
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - B4ute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001754; sid: 5001754; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001755; sid: 5001755; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001756; sid: 5001756; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001757; sid: 5001757; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001758; sid: 5001758; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001759; sid: 5001759; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001760; sid: 5001760; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001761; sid: 5001761; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001762; sid: 5001762; rev:7;)
# 0x18 (pre-auth failed, i.e. bad password) additionally excludes lines
# carrying "$ Service Information:" (|24| is "$", |3a| is ":"); those go to
# the 4771 broken-domain-trust rule (sid 5003101) instead, which keys on
# exactly that string. User-driven password guessing stays here.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: !"|24| Service Information|3a|"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001763; sid: 5001763; rev:23;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001764; sid: 5001764; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001765; sid: 5001765; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001766; sid: 5001766; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001767; sid: 5001767; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001768; sid: 5001768; rev:9;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001769; sid: 5001769; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001770; sid: 5001770; rev:9;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001771; sid: 5001771; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001772; sid: 5001772; rev:9;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001773; sid: 5001773; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001774; sid: 5001774; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001775; sid: 5001775; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001776; sid: 5001776; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001777; sid: 5001777; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001778; sid: 5001778; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001779; sid: 5001779; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001780; sid: 5001780; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001781; sid: 5001781; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001782; sid: 5001782; rev:9;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001783; sid: 5001783; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001784; sid: 5001784; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001785; sid: 5001785; rev:8;) 
# Account "re-enabled" via xbit (12/03/2013) 

# Account created / re-enabled pair.
# 5001880 fires on account creation (event 624/4720) and sets the
# "created_enabled" xbit for 30 seconds; "xbits:nounified2" presumably
# keeps this marker rule out of unified2 output - confirm.
# 5001881 fires on account enable (626/4722) only when that xbit is NOT
# set for the source, i.e. an existing account was switched back on rather
# than a just-created one being enabled as part of provisioning. Events
# whose text contains "$" are excluded (content:! "$"), presumably to skip
# computer accounts - verify.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created [XBIT SET]"; pcre: "/ 624: | 4720: /"; program: *Security*; classtype: successful-user; xbits: set, created_enabled, 30; xbits:nounified2; reference: url,wiki.quadrantsec.com/bin/view/Main/5001880; sid: 5001880; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account re-enabled"; pcre: "/ 626: | 4722: /"; content:! "$" ;program: *Security*; xbits: isnotset, by_src, created_enabled; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001881; sid: 5001881; rev:6;)

# Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 02/21/2014
# Disabled by default.  Possible xbit rule candidate (?)

# Account lockout (644/4740) whose event text contains "administrator"
# (nocase). No after/threshold gating, so every matching lockout alerts.
# NOTE(review): the comment above says "Disabled by default", but this
# rule is active (not commented out) - confirm which is intended.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Account locked out (ADMINISTRATOR)"; pcre: "/ 644: | 4740: /"; content: "administrator"; nocase; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001978; sid: 5001978; rev:4;) 

# You'll want to populate the "WINDOWS_DOMAINS" variable before enabling this rule.
# Champ Clark - 03/03/2014

# Pass-the-Hash heuristic (disabled). Matches 4624/4625 with "Logon Type: 3"
# (network logon) and "Authentication Package: NTLM", excluding ANONYMOUS
# LOGON and any domain listed in $WINDOWS_DOMAINS (negated meta_content,
# case-insensitive via meta_nocase). Direction is $HOME_NET -> $EXTERNAL_NET,
# the opposite of most rules in this file. With $WINDOWS_DOMAINS empty the
# domain exclusion presumably excludes nothing, so every NTLM network logon
# would alert - keep it disabled until the variable is populated.
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Pass-The-Hash detected!"; pcre: "/ 4624: | 4625: /"; content: "Logon Type|3a| 3 "; content: "Authentication Package|3a| NTLM "; content:!"ANONYMOUS LOGON"; meta_content:!"Domain|3a| %sagan% ",$WINDOWS_DOMAINS; meta_nocase; program: *Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002017; reference: url, http://en.wikipedia.org/wiki/Pass_the_hash; sid: 5002017; rev:5;)

# Records _all_ RDP sessions

# Both disabled by default.
# 5002015 records every 528/4624 with "Logon Type: 10" (RemoteInteractive,
# i.e. RDP) - deliberately noisy, see the comment above.
# 5002018 records explicit-credential logons (552/4648) but only when the
# event carries a real network address and port ("-" placeholders are
# excluded) and the target server is not localhost.
# Both use parse_src_ip: 1 and default_proto: tcp; direction is
# $HOME_NET -> $EXTERNAL_NET.
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] RDP / Logon type 10"; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; program: *Security*; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002015; sid: 5002015; rev:4;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Logon attempt using explicit credentials"; pcre: "/ 552: | 4648: /"; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: *Security*; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002018; sid: 5002018; rev:5;)

# Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/08/2014

# User account disabled (629/4725). Disabled by default; no content
# filter beyond the event ID, so enabling it alerts on every disable.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account disabled"; pcre: "/ 629: | 4725: /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002213; sid: 5002213; rev:5;)

# Enabled by Brian Echeverry - 04/08/2016
# User account deleted (630/4726). Active; alerts on every deletion with
# no threshold, which is what you want for an audit trail of removals.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account deleted"; pcre: "/ 630: | 4726: /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002335; sid: 5002335; rev:4;)

# Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015

# Security-enabled global group created (631/4727). Disabled by default;
# classtype system-event rather than successful-user.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group created"; pcre: "/ 631: | 4727: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002403; sid: 5002403; rev:3;)

# Added by Adam Hall (Jan, 11th 2016).  You'll need to make sure your audit policy/GPO have logging for this enabled!
# Domain policy changed (643/4739). Disabled by default and, per the
# comment above, needs the matching audit policy turned on to produce
# the event at all. The msg is tagged [WINDOWS-MISC] although the rule
# lives in windows-auth.rules - cosmetic.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Domain policy was changed"; pcre: "/ 4739: | 643: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002775; sid: 5002775; rev:3;)

# Steve Rawls (2016/12/22) - detect "administrator" logins.  Disabled by default

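# Successful logon (540/4624) by the built-in "Administrator" account.
# Disabled by default. Only the literal account name is matched, so a
# renamed built-in admin or other privileged accounts are not covered.
# Fix: the colon in the content match was written as |58|, which in
# Snort-style hex content is 0x58 = "X", not ":" - every other rule in this
# file writes the colon as |3a|. As shipped the rule could never match
# "Account Name: Administrator"; corrected and rev bumped.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Successful Administrator Logon Detected"; pcre: "/ 540: | 4624: /"; classtype: successful-user; program: *Security*; content: "Account Name|3a| Administrator"; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5003039; sid:5003039; rev:3;)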

# Steve Rawls (2017/03/27) - Split off from sid 5001763, which detects _user_ brute force.  5003101 & 5003102 detect "Broken Domain Trust". 

# Broken-domain-trust pair, Kerberos side. Both key on result 0x18
# (pre-auth failed) but on the service/realm form of the event rather than
# a user logon: 5003101 needs 4771 plus "$ Service Information:", 5003102
# needs 4768 plus "$ Supplied Realm Name:" (|24| is "$", |3a| is ":").
# Same 25-in-300s / one-per-day gating and the same "brute_force" xbit as
# the Kerberos brute-force family above. The two rules carry an identical
# msg - tell them apart by sid.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Windows Broken Domain Trust [25/1]"; content: " 4771|3a| "; content: "|24| Service Information|3a|"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003101; sid:5003101; rev:2;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Windows Broken Domain Trust [25/1]"; content: " 4768|3a| "; content: "|24| Supplied Realm Name|3a|"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003102; sid:5003102; rev:2;)

# Steve Rawls (2017/03/29) - Another Broken domain trust with event ID 4776. 

# Broken-domain-trust, NTLM side: 4776 credential validation with status
# C000006A (STATUS_WRONG_PASSWORD, matched nocase) and a "$ Source
# Workstation:" field. Events that carry "$ Account Domain:", a "-" source
# address, or the empty "Account Name: Account Domain: Failure" form are
# excluded. Same 25-in-300s / one-per-day gating and "brute_force" xbit as
# the rules above. Style: the xbits option sits mid-line without a space
# before the following content:! - harmless, but out of step with the
# rest of the file.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Windows Broken Domain Trust [25/1]"; content: "|24| Source Workstation|3a|"; content: "C000006A"; nocase; content: " 4776: "; content:!"|24| Account Domain|3a| "; content:!"Source Network Address|3a| -"; xbits: set,brute_force,21600;content:!"Account Name|3a| Account Domain|3a| Failure"; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003103; sid:5003103; rev:3;) 

# Steve Rawls (2017/04/13) - Broken domain trust (generic). 

# Generic broken-domain-trust: any of the listed failure phrases (pcre,
# case-insensitive) together with a "$ Session ID:" field, excluding
# "access denied by ACL" and anything mentioning Kerberos. Unlike the rest
# of this file there is no "program: *Security*" filter and the msg is
# tagged [SYSLOG], so it applies to every log source Sagan sees.
# NOTE(review): this rule sets the bit with "flowbits:" while every other
# rule here uses "xbits:"; confirm the running Sagan version treats
# flowbits as an alias, otherwise this rule does not contribute to the
# shared brute_force bit.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Possible Windows Broken Domain Trust [25/1]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|authentication failures|access denied|access not allowed|failed to authenticate/i"; content: "|24| Session ID|3a|"; content:!"access denied by ACL"; content:!"Kerberos"; parse_src_ip: 1; parse_port; parse_proto; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003107; sid:5003107; rev:2;)