Rew rule examples: RC4 Kerberos, JAVA remote debugging process

windows/builtin/susp_rc4_kerberos.yml

@@ -0,0 +1,18 @@
+title: Suspicious Kerberos RC4 Ticket Encryption
+status: experimental
+reference: https://adsecurity.org/?p=3458
+description: Detects logons using RC4 encryption type 
+detection:
+    selection:
+        - EventLog: Security
+          EventID: 4769
+          TicketOptions: '0x40810000'
+          TicketEncryption: '0x17'
+    reduction:
+        - ServiceName: '$*'
+        - Type: 'Success Audit'
+    condition: selection and not reduction
+falsepositives:
+    - Service accounts used on legacy systems (e.g. NetApp)
+    - Windows Domains with DFL 2003 and legacy systems
+level: 40

windows/sysmon/vul_java_remote_debugging.yml

@@ -0,0 +1,15 @@
+title: Java running with Remote Debugging
+description: 
+reference: 
+detection:
+    selection:
+        - EventLog: Microsoft-Windows-Sysmon/Operational
+        - EventID: 1
+        - CommandLine: '*transport=dt_socket,address=*'
+    exclusion:
+        - CommandLine: '*address=127.0.0.1*'
+        - CommandLine: '*address=localhost*'
+    condition: selection and not exclusion
+falsepositives:
+    - unknown
+level: 30