From a2a2366dfb32b1dc13ab13040554282d164cc6fd Mon Sep 17 00:00:00 2001 From: dimi Date: Fri, 9 Jun 2017 14:05:40 +0200 Subject: [PATCH 1/3] rule to detect mimikatz lsadump::changentlm and lsadump::setntlm --- rules/windows/builtin/win_susp_samr_pwset.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 rules/windows/builtin/win_susp_samr_pwset.yml diff --git a/rules/windows/builtin/win_susp_samr_pwset.yml b/rules/windows/builtin/win_susp_samr_pwset.yml new file mode 100644 index 00000000..538f3136 --- /dev/null +++ b/rules/windows/builtin/win_susp_samr_pwset.yml @@ -0,0 +1,18 @@ +title: Possible password change (NTLM hash only) through SAMR +description: Detects a possible NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events. +author: Dimitrios Slamaris +logsource: + product: windows + service: security +detection: + samrpipe: + - EventLog: Security + EventID: 5145 + RelativeTargetName: samr + passwordchanged: + - EventLog: Security + EventID: 4738 + PasswordLastSet: (any) + timeframe: 15s + condition: samrpipe and passwordchanged +level: medium From ac95e372e5083421c3d33ced81b6442fadcb2705 Mon Sep 17 00:00:00 2001 From: dimi Date: Fri, 9 Jun 2017 14:15:37 +0200 Subject: [PATCH 2/3] clarification: if executed locally there is no connection to the samr pipe on IPC$. So this rule detects remote changes --- rules/windows/builtin/win_susp_samr_pwset.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_susp_samr_pwset.yml b/rules/windows/builtin/win_susp_samr_pwset.yml index 538f3136..19fa6882 100644 --- a/rules/windows/builtin/win_susp_samr_pwset.yml +++ b/rules/windows/builtin/win_susp_samr_pwset.yml 
@@ -1,5 +1,5 @@ -title: Possible password change (NTLM hash only) through SAMR -description: Detects a possible NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events. +title: Possible remote password change (NTLM hash only) through SAMR +description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events. author: Dimitrios Slamaris logsource: product: windows From 91b3c39c0dc74373775c95765eb999ba59569c42 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 11 Jun 2017 23:54:19 +0200 Subject: [PATCH 3/3] Amended condition Changed condition according to proposed syntax for related event matching (#4) --- rules/windows/builtin/win_susp_samr_pwset.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_samr_pwset.yml b/rules/windows/builtin/win_susp_samr_pwset.yml index 19fa6882..1a74a051 100644 --- a/rules/windows/builtin/win_susp_samr_pwset.yml +++ b/rules/windows/builtin/win_susp_samr_pwset.yml @@ -14,5 +14,5 @@ detection: EventID: 4738 PasswordLastSet: (any) timeframe: 15s - condition: samrpipe and passwordchanged + condition: samrpipe | near passwordchanged within timeframe level: medium
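Review bot: In the first hunk (new file `win_susp_samr_pwset.yml`), the original `condition: samrpipe and passwordchanged` cannot fire: `and` is evaluated per event, and no single event carries both `EventID: 5145` and `EventID: 4738`, so the two selections need a temporal correlation rather than a boolean conjunction (the third patch addresses this). Also, `PasswordLastSet: (any)` is not a Sigma value syntax; in 4738 the "Password Last Set" attribute is "-" when the password was not changed, so the intent is better expressed as a negated match on `-` (for example a `filter` selection with `PasswordLastSet: '-'` excluded via `not`). The `EventLog: Security` lines duplicate `logsource: service: security` and can be dropped, and the description has a typo: "to see this events" should read "to see these events".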
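Review bot: In the second hunk (title and description now say "remote"), the description still documents only "Audit User Account Management" as a prerequisite, but the `samrpipe` selection relies on Event ID 5145, which is produced by the "Audit Detailed File Share" subcategory; without that setting the named-pipe access to `samr` on IPC$ is never logged and the rule silently never matches. Please add that second audit requirement to the description, and since the commit message explains why only remote changes are covered (no IPC$ pipe connection for local execution), a short sentence stating that local `lsadump::setntlm`/`changentlm` use is out of scope would help analysts tune expectations. The "this events" typo carries over from the first hunk.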
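Review bot: In the third hunk, `condition: samrpipe | near passwordchanged within timeframe` references `timeframe: 15s` but does not say which field the two events are correlated on; as written, any 5145 for the `samr` pipe on one host paired with any 4738 anywhere in the window would match. The proposed syntax from #4 should state, or this rule should document, that correlation is intended within the same `Computer` (both events are logged on the machine whose SAM is modified) and ideally on the subject account, otherwise the medium level is likely to generate false positives in environments with routine password resets. A comment in the rule noting the 15s window was chosen for the RPC-call-to-SAM-write latency would make the value easier to maintain.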