##### # # Copyright (C) 2003 Vincent Glaume # Currently supported by G Ramon Gomez <gene at gomezbrothers dot com> # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; see the file COPYING. If not, write to # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. # ##### ############################################################################# # # This ruleset aims at analyzing the logs returned by the ntsyslog # application, which converts NT events to syslog. # English logs only. # TODO: # * Add all log entries not currently present # ############################################################################# ### # I. Security events ### # 1. Success events # 1.a 515 #LOG:Jul 11 09:33:18 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 515 NT AUTHORITY\SYSTEM A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests. Logon Process Name:KSecDD regex=security\[success\] 515 (.*) A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests. Logon Process Name:([\w\\]+); \ classification.text=Authentication system started; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=515; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com183.html; \ id=1400; \ revision=2; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=$2 has registered as a trusted logon process; \ source(0).process.name=$2; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ last # 1.b 528 #LOG:Jul 11 13:44:11 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 528 SACRAMENTO\ggomez Successful Logon: User Name:ggomez Domain:SACRAMENTO Logon ID:(0x0,0x16AC1854) Logon Type:7 Logon Process:User32 Authentication Package:Negotiate Workstation Name:SMF-ENG-GGOMEZ Logon GUID: {621924db-649e-3b17-b41a-215e55680eb3} regex=security\[success\] 528 (.*) Successful Logon: User Name:([\w ]+) Domain:(.+) Logon ID:\(.*\) Logon Type:(\d+) Logon Process:(\w+) .* Workstation Name:(\S+); \ classification.text=Login; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=528; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com189.html; \ id=1401; \ revision=3; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=user; \ assessment.impact.description=$2 successfully logged on on $6 ($3 domain) via $5; \ source(0).process.name=$5; \ source(0).node.address(0).category=unknown; \ source(0).node.address(0).address=$6; \ source(0).node.name=$6; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ target(0).user.user_id(0).type=current-user; \ target(0).user.user_id(0).name=$2; \ additional_data(0).type=integer; \ additional_data(0).meaning=Logon type; \ additional_data(0).data=$4; \ additional_data(1).type=string; \ additional_data(1).meaning=Authentication domain; \ additional_data(1).data=$3; \ last # 1.c 538 #LOG:Jun 24 15:22:39 bigipnet security[success] 538 NT AUTHORITY\ANONYMOUS LOGON User Logoff: User Name:ANONYMOUS LOGON Domain:NT AUTHORITY Logon ID:(0x0,0x938205) Logon Type:3 regex=security\[success\] 538 .* User Logoff:\s+User Name:([\w ]+) Domain:([\w ]+) Logon ID:\S+ Logon Type:(\d+); \ classification.text=Logoff; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=538; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com199.html; \ id=1402; \ revision=2; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=user; \ assessment.impact.description=$1 logged off; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ additional_data(0).type=integer; \ additional_data(0).meaning=Logon type; \ additional_data(0).data=$3; \ additional_data(1).type=string; \ additional_data(1).meaning=Authentication domain; \ additional_data(1).data=$2; \ last # 1.d 560 # Currently broken on Windows 2003; verify against older Windows #LOG:Jul 11 08:55:16 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 560 NT AUTHORITY\SYSTEM Object Open: Object Server:Security Account Manager Object Type:SAM_DOMAIN Object Name:SMF-ENG-GGOMEZ Handle ID:1290248 Operation ID:{0,378510053} Process ID:944 Image File Name: C:\WINDOWS\system32\lsass.exe Primary User Name:SMF-ENG-GGOMEZ$ Primary Domain:RES Primary Logon ID:(0x0,0x3E7) Client User Name:SMF-ENG-GGOMEZ$ Client Domain:RES Client Logon ID:(0x0,0x3E7) Accesses: %%1537 %%1538 %%1539 %%1540 %%5392 %%5393 %%5394 %%5395 %%5396 %%5398 %%5399 %%5400 %%5401 %%5402 Privileges:- Restricted Sid Count: 0 regex=security\[success\] 560 (.*) Object Open:\s* Object Server:[\w\s]+ Object Type:[\w\_]+\s* Object Name:([\w-]+)\s* Handle ID:\d+\s* Operation ID:.*\s* Process ID:(\d+) [\S ]+ Primary User Name:(\S*)\s* Primary Domain:\S+\s* Primary Logon ID:\S*\s* Client User Name:(\S+)\s* Client Domain; \ classification.text=Object opened; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=560; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com202.html; \ id=1403; \ revision=2; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=$3 opened an object $2; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ source(0).user.user_id(1).type=current-user; \ source(0).user.user_id(1).name=$4; \ source(0).user.user_id(2).type=current-user; \ source(0).user.user_id(2).name=$5; \ source(0).process.pid=$3; \ last # 1.e 562 #LOG:Jul 11 08:55:16 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 562 NT AUTHORITY\SYSTEM Handle Closed: Object Server:Security Account Manager Handle ID:1093856 Process ID:944 Image File Name: C:\WINDOWS\system32\lsass.exe regex=security\[success\] 562 (.*) Handle Closed: Object Server:[\w\s]+ Handle ID:(\d+) Process ID:(\d+) Image File Name: (.+); \ classification.text=Object closed; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=562; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com204.html; \ id=1404; \ revision=2; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Object Handle $2 closed; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ target(0).process.pid=$3; \ additional_data(0).type=integer; \ additional_data(0).meaning=Handle ID; \ additional_data(0).data=$2; \ additional_data(1).type=string; \ additional_data(1).meaning=Image; \ additional_data(1).data=$4; \ last # 1.g 577 #LOG:Jul 11 15:09:21 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 577 NT AUTHORITY\SYSTEM Privileged Service Called: Server: NT Local Security Authority / Authentication Service Service:LsaRegisterLogonProcess() Primary User Name:SMF-ENG-GGOMEZ$ Primary Domain:RES Primary Logon ID:(0x0,0x3E7) Client User Name:SMF-ENG-GGOMEZ$ Client Domain:RES Client Logon ID:(0x0,0x3E7) Privileges:SeTcbPrivilege regex= security\[success\] 577 (.*) Privileged Service Called: Server:.+ Service:(.*) Primary User Name:(.+) Primary Domain:.+ Primary Logon ID:\(.*\) Client User Name:(.+) Client Domain:.+ Client Logon ID:.+ Privileges:(.+); \ classification.text=User privilege exercised; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=577; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com213.html; \ id=1406; \ revision=2; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Service $2 called with the following privileges: $5; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ source(0).user.user_id(1).type=current-user; \ source(0).user.user_id(1).name=$3; \ source(0).user.user_id(2).type=current-user; \ source(0).user.user_id(2).name=$4; \ target(0).node.address(0).category=unknown; \ target(0).node.address(0).address=$2; \ target(0).node.name=$2; \ last # 1.h # No log sample; please submit regex= security\[success\] 643 (.*) Domain Policy Changed: Password Policy modified Domain:(.+) Domain ID: .+ Caller User Name:(.+); \ classification.text=Password policy modified; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=643; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com263.html; \ id=1407; \ revision=2; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=User $3 modified the password policy for the $2 domain; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ source(0).user.user_id(1).type=current-user; \ source(0).user.user_id(1).name=$3; \ last # 1.i 680 #LOG:Oct 22 20:57:03 smf-syslog-02 smf-dc-01/smf-dc-01 security[success] Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Account Name: DRankin Workstation: SMF-HLP-16 regex= security\[success\].*Account Used for Logon by: (.+) Account Name: (.+) Workstation: (.+); \ classification.text=Login; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=680; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com304.html; \ id=1408; \ revision=3; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=user; \ assessment.impact.description=Logon attempt on $3 using the $2 account; \ source(0).node.address(0).category=unknown; \ source(0).node.address(0).address=$3; \ source(0).node.name=$3; \ source(0).process.name=$1; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$2; \ last # 1.j 682 # No log sample; please submit regex= security\[success\] 682 (.*) Session reconnected to winstation: User Name:([\w ]+) Domain:.+ Logon ID:\(.+\) Session Name:.+ Client Name:(.+) Client Address:([\d\.]+); \ classification.text=Remote control user reconnected; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=682; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com306.html; \ id=1409; \ revision=2; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Session reconnection from $5; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$4; \ source(0).node.address(1).category=unknown; \ source(0).node.address(1).address=$3; \ source(0).node.name=$3; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$2; \ last # 1.k 683 # No log sample; please submit regex= security\[success\] 683 (.*) Session disconnected from winstation: User Name:([\w ]+) Domain:.+ Logon ID:\(.+\) Session Name:.+ Client Name:(.+) Client Address:([\d\.]+); \ classification.text=Remote control user disconnected; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=683; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com307.html; \ id=1410; \ revision=2; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Session reconnection from $4; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$4; \ source(0).node.address(1).category=unknown; \ source(0).node.address(1).address=$3; \ source(0).node.name=$3; \ source(0).user.user_id(0).type=target-user; \ source(0).user.user_id(0).name=$1; \ source(0).user.user_id(1).type=current-user; \ source(0).user.user_id(1).name=$2; \ last # 1.l other # No log sample; please submit #regex= security\[success\] (\d+); \ # classification.text=Windows Event ID [$1]; \ # id=1411; \ # revision=1; \ # analyzer(0).name=NTsyslog; \ # analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ # analyzer(0).class=Logging; \ # assessment.impact.severity=low; \ # assessment.impact.type=other; \ # assessment.impact.description=Security Success message with identifier #$1; \ # last # 2. Failure events # 2.a 529 or 534 #LOG:Dec 10 00:23:37 webbrain.itg.sac.tfs security[failure] 529 NT AUTHORITY\SYSTEM Logon Failure: Reason:Unknown user name or bad password User Name:administrator Domain:ITG Logon Type:2 Logon Process:Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name:WEBBRAIN regex=security\[failure\] (529|534) .+ Logon Failure: Reason:(.+) User Name:([\w ]+) Domain:(.+) Logon Type:(\d+) Logon Process:(\w+) Authentication Package:.+ Workstation Name:(.+); \ classification.text=Login; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=$1; \ id=1412; \ revision=3; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=medium; \ assessment.impact.completion=failed; \ assessment.impact.type=user; \ assessment.impact.description=Logon as $3 failed: $2; \ source(0).process.name=$6; \ target(0).node.address(0).category=unknown; \ target(0).node.address(0).address=$7; \ target(0).node.name=$7; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$3; \ additional_data(0).type=integer; \ additional_data(0).meaning=Logon type; \ additional_data(0).data=$5; \ additional_data(1).type=string; \ additional_data(1).meaning=Authentication domain; \ additional_data(1).data=$4; \ last # 2.b 578 #LOG:Dec 9 17:42:49 testdb.itg.sac.tfs security[failure] 578 ITG\mzirion Privileged object operation: Object Server:Security Object Handle:4294967295 Process ID:3540 Primary User Name:TESTDB$ Primary Domain:ITG Primary Logon ID:(0x0,0x3E7) Client User Name:mzirion Client Domain:ITG Client Logon ID:(0x2,0x5E829351) Privileges:SeIncreaseBasePriorityPrivilege regex=security\[failure\] 578 .+ Privileged object operation: Object Server:Security Object Handle:\d+ Process ID:(\d+) Primary User Name:(.+) Primary Domain:(.+) Primary Logon ID:\(.*\) Client User Name:([\w ]+) Client.+Privileges:(\S+); \ classification.text=User privilege exercised; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=578; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com214.html; \ id=1413; \ revision=2; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=medium; \ assessment.impact.type=user; \ target(0).process.pid=$1; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$2; \ source(0).user.user_id(1).type=current-user; \ source(0).user.user_id(1).name=$4; \ additional_data(0).type=string; \ additional_data(0).meaning=Authentication domain; \ additional_data(0).data=$3; \ additional_data(1).type=string; \ additional_data(1).meaning=Privileges; \ additional_data(1).data=$5; \ last # 2.c 627 # LOG:Dec 7 20:07:49 testdb.itg.sac.tfs security[failure] 627 NT AUTHORITY\SYSTEM Change Password Attempt: Target Account Name:TsInternetUser Target Domain:TESTDB Target Account ID: %{S-1-5-21-854245398-413027322-725345543-1000} Caller User Name:TESTDB$ Caller Domain:ITG Caller Logon ID:(0x0,0x3E7) Privileges:- regex= security\[failure\] 627 (.+) Change Password Attempt: Target Account Name:(.+) Target Domain:(.+) Target Account ID:.+ Caller User Name:(.+); \ classification.text=Password change; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=627; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com247.html; \ id=1414; \ revision=2; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=medium; \ assessment.impact.type=user; \ assessment.impact.description=$4 attempted to change the password for $2 on the $3 domain; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ source(0).user.user_id(1).type=current-user; \ source(0).user.user_id(1).name=$4; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$2; \ additional_data(0).type=string; \ additional_data(0).meaning=Authentication domain; \ additional_data(0).data=$3; \ last # 2.d 681 # LOG:Dec 10 08:20:07 mrfreeze.itg.sac.tfs security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: tfslegalask@itg.sac.tfs by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: MRFREEZE failed. The error code was: 3221225572 regex=security\[failure\] 681 (.+) The logon to account: (\S+) by:.+ from workstation: (\w+); \ classification.text=Login; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=681; \ classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com326.html; \ id=1415; \ revision=3; \ analyzer(0).name=NTsyslog; \ analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ analyzer(0).class=Logging; \ assessment.impact.severity=medium; \ assessment.impact.completion=failed; \ assessment.impact.type=user; \ assessment.impact.description=Logon as $2 from $3 failed; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ source(0).node.address(0).category=unknown; \ source(0).node.address(0).address=$3; \ source(0).node.name=$3; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$2; \ last # 2.e other # No log sample; please submit #regex= security\[failure\] (\d+); \ # classification.text=Windows Event ID [$1]; \ # id=1416; \ # revision=1; \ # analyzer(0).name=NTsyslog; \ # analyzer(0).manufacturer=ntsyslog.sourceforge.net; \ # analyzer(0).class=Logging; \ # assessment.impact.severity=medium; \ # assessment.impact.type=other; \ # assessment.impact.description=Security Failure message with identifier #$1; \ # last