1 <!-- @(#) $Id: ./etc/rules/msauth_rules.xml, 2011/09/08 dcid Exp $
2
3   -  Example of Microsoft Windows (2000, XP, 2003) rules for OSSEC.
4   -
5   -  Copyright (C) 2009 Trend Micro Inc.
6   -  All rights reserved.
7   -
8   -  This program is a free software; you can redistribute it
9   -  and/or modify it under the terms of the GNU General Public
10   -  License (version 2) as published by the FSF - Free Software
11   -  Foundation.
12   -
13   -  License details: http://www.ossec.net/en/licensing.html
14   -->
15
16
17 <var name="MS_FREQ">6</var>      
18
19 <group name="windows,">
20   <rule id="18100" level="0">
21     <category>windows</category>
22     <description>Group of windows rules.</description>
23   </rule>
24
25   <rule id="18101" level="0">
26     <if_sid>18100</if_sid>
27     <status>^INFORMATION</status>
28     <description>Windows informational event.</description>
29   </rule>
30   
31   <rule id="18102" level="0">
32     <if_sid>18100</if_sid>
33     <status>^WARNING</status>
34     <description>Windows warning event.</description>
35   </rule>
36   
37   <rule id="18103" level="5">
38     <if_sid>18100</if_sid>
39     <status>^ERROR</status>
40     <description>Windows error event.</description>
41     <group>system_error,</group>
42   </rule>
43
44   <rule id="18104" level="0">
45     <if_sid>18100</if_sid>
46     <status>^AUDIT_SUCCESS|^success</status>
47     <description>Windows audit success event.</description>
48   </rule>
49   
50   <rule id="18105" level="4">
51     <if_sid>18100</if_sid>
52     <status>^AUDIT_FAILURE|^failure</status>
53     <description>Windows audit failure event.</description>
54   </rule>
55
56   <rule id="18106" level="5">
57     <if_sid>18105</if_sid>
58     <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
59     <description>Windows Logon Failure.</description>
60     <group>win_authentication_failed,</group>
61   </rule>
62
63   <rule id="18107" level="3">
64     <if_sid>18104</if_sid>
65     <id>^528$|^540$|^672$|^673$|^4624$|^4769$</id>
66     <description>Windows Logon Success.</description>
67     <group>authentication_success,</group>
68   </rule>
69
70   <rule id="18108" level="4">
71     <if_sid>18105</if_sid>
72     <id>^577$</id>
73     <description>Failed attempt to perform a privileged </description>
74     <description>operation.</description>
75   </rule>
76
77   <rule id="18109" level="3">
78     <if_sid>18104</if_sid>
79     <id>^682$|^683$</id>
80     <description>Session reconnected/disconnected to winstation.</description>
81   </rule>
82
83   <rule id="18110" level="8">
84     <if_sid>18104</if_sid>
85     <id>^624$|^626$|^645$|^4720$|^4722$|^4741$</id>
86     <description>User account enabled or created.</description>
87     <group>adduser,account_changed,</group>
88   </rule>
89
90   <rule id="18111" level="8">
91     <if_sid>18104</if_sid>
92     <id>^628$|^642$|^685$|^4738$|^4781$</id>
93     <description>User account changed.</description>
94     <group>account_changed,</group>
95   </rule>
96
97   <rule id="18112" level="8">
98     <if_sid>18104</if_sid>
99     <id>^630$|^629$|^4725$|^4726$</id>
100     <description>User account disabled or deleted.</description>
101     <group>adduser,account_changed,</group>
102   </rule>
103   
104   <rule id="18113" level="8">
105     <if_sid>18104</if_sid>
106     <id>^612$|^643$|^4719$|^4907$|^4912$</id>
107     <description>Windows Audit Policy changed.</description>
108     <group>policy_changed,</group>
109   </rule>
110
111   <rule id="18114" level="5">
112     <if_sid>18104</if_sid>
113     <id>^632$|^4728$|^633$|^4729$|^636$|^4732$|^637$|^4733$|^639$|^4735$|</id>
114     <id>^641$|^4737$|^637$|^4733$|^659$|^4755$|^660$|^4766$|^668$|^4764$|</id>
115     <id>^649$|^4745$|^650$|^4746$|^651$|^4747$|^654$|^4750$|^655$|^4751$|</id>
116     <id>^656$|^4752$|^659$|^4755$|^660$|^4756$|^661$|^4757$|^664$|^4760$|</id>
117     <id>^665$|^4761$|^666$|^4762$</id>
118     <description>Group Account Changed</description>
119     <group>group_changed,win_group_changed,</group>
120   </rule>
121   
122   <rule id="18115" level="8">
123     <if_sid>18104</if_sid>
124     <id>^640$</id>
125     <description>General account database changed.</description>
126     <info type="link">http://www.ultimatewindowssecurity.com/events/com259.html</info>
127     <group>adduser,account_changed,</group>
128   </rule>
129   
130   <rule id="18116" level="9">
131     <if_sid>18104</if_sid>
132     <id>^644$|^4740$</id>
133     <description>User account locked out (multiple login errors).</description>
134     <group>authentication_failures,</group>  
135   </rule>
136
137   <rule id="18117" level="7">
138     <if_sid>18104</if_sid>
139     <id>^513$|^4609$</id>
140     <description>Windows is shutting down.</description>
141     <group>system_shutdown,</group>
142   </rule>
143   
144   <rule id="18118" level="9">
145     <if_sid>18104</if_sid>
146     <id>^517$</id>
147     <description>Windows audit log was cleared.</description>
148     <group>logs_cleared,</group>
149   </rule>
150   
151   <rule id="18119" level="3">
152     <if_sid>18107</if_sid>
153     <options>alert_by_email</options>
154     <if_fts />
155     <description>First time this user logged in this system.</description>
156     <group>authentication_success,</group>
157   </rule>
158
159   <rule id="18120" level="0">
160     <if_sid>18105</if_sid>
161     <id>^680$</id>
162     <description>Windows login attempt (ignored). Duplicated.</description>
163   </rule>
164
165   <rule id="18125" level="5">
166     <if_sid>18102, 18103</if_sid>
167     <id>^20187$|^20014$|^20078$|^20050$|^20049$|^20189$</id>
168     <description>Remote access login failure.</description>
169     <group>authentication_failed,</group>
170   </rule>
171   
172   <rule id="18126" level="3">
173     <if_sid>18101</if_sid>
174     <id>^20158$</id>
175     <description>Remote access login success.</description>
176     <group>authentication_success,</group>
177   </rule>
178   
179   <rule id="18127" level="8">
180     <if_sid>18104</if_sid>
181     <id>^646$|^647$</id>
182     <description>Computer account changed/deleted.</description>
183     <group>account_changed,</group>
184   </rule>
185   
  <!-- Deprecated: the parent link is commented out and "^65xxx" cannot
       match a numeric event id, so this rule is not expected to fire;
       presumably kept only so the id stays reserved. -->
  <rule id="18128" level="8">
    <!-- if_sid>18104</if_sid -->
    <id>^65xxx</id>
    <description>Group account added/changed/deleted.</description>
    <info>This rule has been deprecated</info>
    <group>account_changed,</group>
  </rule>
193
194   <rule id="18129" level="8">
195     <if_sid>18103</if_sid>
196     <id>^13570$</id>
197     <description>Windows file system full.</description>
198     <group>low_diskspace,</group>
199   </rule>
200
201
202   <!-- Granular windows login rules -->
203   <rule id="18130" level="5">
204     <if_sid>18106</if_sid>
205     <id>^529$</id>
206     <description>Logon Failure - Unknown user or bad password.</description>
207     <info type="link">http://www.ultimatewindowssecurity.com/events/com190.html</info>
208     <group>win_authentication_failed,</group>
209   </rule>
210
211   <rule id="18131" level="5">
212     <if_sid>18106</if_sid>
213     <id>^530$</id>
214     <description>Logon Failure - Account logon time restriction </description>
215     <description>violation.</description>
216     <info type="link">http://www.ultimatewindowssecurity.com/events/com191.html</info>
217     <group>win_authentication_failed,login_denied,</group>
218   </rule>
219
220   <rule id="18132" level="5">
221     <if_sid>18106</if_sid>
222     <id>^531$</id>
223     <description>Logon Failure - Account currently disabled.</description>
224     <info type="link">http://www.ultimatewindowssecurity.com/events/com192.html</info>
225     <group>win_authentication_failed,login_denied,</group>
226   </rule>
227
228   <rule id="18133" level="5">
229     <if_sid>18106</if_sid>
230     <id>^532$</id>
231     <description>Logon Failure - Specified account expired.</description>
232     <info type="link">http://www.ultimatewindowssecurity.com/events/com193.html</info>
233     <group>win_authentication_failed,login_denied,</group>
234   </rule>
235
236   <rule id="18134" level="7">
237     <if_sid>18106</if_sid>
238     <id>^533$</id>
239     <description>Logon Failure - User not allowed to login at </description>
240     <description>this computer.</description>
241     <info type="link">http://www.ultimatewindowssecurity.com/events/com194.html</info>
242     <group>win_authentication_failed,login_denied,</group>
243   </rule>
244
245   <rule id="18135" level="5">
246     <if_sid>18106</if_sid>
247     <id>^534$</id>
248     <description>Logon Failure - User not granted logon type.</description>
249     <info type="link">http://www.ultimatewindowssecurity.com/events/com195.html</info>
250     <group>win_authentication_failed,</group>
251   </rule>
252   
253   <rule id="18136" level="5">
254     <if_sid>18106</if_sid>
255     <id>^535$</id>
256     <description>Logon Failure - Account's password expired.</description>
257     <info type="link">http://www.ultimatewindowssecurity.com/events/com196.html</info>
258     <group>win_authentication_failed,</group>
259   </rule>
260
261   <rule id="18137" level="5">
262     <if_sid>18106</if_sid>
263     <id>^536$|^537$</id>
264     <description>Logon Failure - Internal error.</description>
265     <group>win_authentication_failed,</group>
266   </rule>
267
268   <rule id="18138" level="7">
269     <if_sid>18106</if_sid>
270     <id>^539$</id>
271     <description>Logon Failure - Account locked out.</description>
272     <group>win_authentication_failed,</group>
273   </rule>
274   
275   <rule id="18139" level="5">
276     <if_sid>18105</if_sid>
277     <id>^672$|^673$|^675$|^676$|^681$|^4769$</id>
278     <description>Windows DC Logon Failure.</description>
279     <group>win_authentication_failed,</group>
280   </rule>
281   
282   <rule id="18140" level="5">
283     <if_sid>18104</if_sid>
284     <id>^520$</id>
285     <description>System time changed.</description>
286     <group>time_changed,</group>
287   </rule>
288
289   <rule id="18141" level="7">
290     <if_sid>18102</if_sid>
291     <id>^1076$</id>
292     <match>unexpected shutdown</match>
293     <group>system_error, system_shutdown,</group>
294     <description>Unexpected Windows shutdown.</description>
295   </rule>
296
297   <rule id="18142" level="5">
298     <if_sid>18104</if_sid>
299     <id>^671$|^4767$</id>
300     <description>User account unlocked.</description>
301     <info type="link">http://www.ultimatewindowssecurity.com/events/com291.html</info>
302     <group>account_changed,</group>
303   </rule>
304
  <!-- NOTE(review): parent 18114 does not list 631, 635 or 658 in its
       id alternation, so this rule cannot fire. The same events are
       already raised from 18104 by 18200, 18202, 18206 and 18212 (at
       level 5 with the group_created groups); decide which level and
       grouping is wanted before re-parenting or removing this rule. -->
  <rule id="18143" level="8">
    <if_sid>18114</if_sid>
    <id>^631$|^635$|^658$</id>
    <description>Security enabled group created.</description>
    <group>adduser,account_changed,</group>
  </rule>
311
  <!-- NOTE(review): parent 18114 does not list 634, 638 or 662 in its
       id alternation, so this rule cannot fire. The same events are
       already raised from 18104 by 18201, 18205, 18209 and 18216 (at
       level 5 with the group_deleted groups); decide which level and
       grouping is wanted before re-parenting or removing this rule. -->
  <rule id="18144" level="8">
    <if_sid>18114</if_sid>
    <id>^634$|^638$|^662$</id>
    <description>Security enabled group deleted.</description>
    <group>adduser,account_changed,</group>
  </rule>
318
319   <!-- Some services change their startup type automatically -->
320   <rule id="18145" level="3">
321     <if_sid>18101</if_sid>
322     <id>^7040$</id>
323     <group>policy_changed,</group>
324     <description>Service startup type was changed.</description>
325     <info type="text">This does not appear to be logged on Windows 2000.</info>
326   </rule>
327
328   <rule id="18146" level="5">
329     <if_sid>18101</if_sid>
330     <id>^11724$</id>
331     <options>alert_by_email</options>
332     <description>Application Uninstalled.</description>
333   </rule>
334
335   <rule id="18147" level="5">
336     <if_sid>18101</if_sid>
337     <id>^11707$</id>
338     <options>alert_by_email</options>
339     <description>Application Installed.</description>
340   </rule>
341   
342   <rule id="18148" level="3">
343     <if_sid>18104</if_sid>
344     <id>^4608$</id>
345     <description>Windows is starting up.</description>
346   </rule>
347
348   <rule id="18149" level="3">
349     <if_sid>18104</if_sid>
350     <id>^538$|^4634$|^4647$</id>
351     <description>Windows User Logoff.</description>
352   </rule>
353
354 <!-- Granular group rules -->
355
356   <rule id="18200" level="5">
357     <if_sid>18104</if_sid>
358     <id>^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$|</id>
359     <id>^663$|^4759$</id>
360     <description>Group Account Created</description>
361     <group>group_created,win_group_created,</group>
362   </rule>
363   
364   <rule id="18201" level="5">
365     <if_sid>18104</if_sid>
366     <id>^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$|</id>
367     <id>^667$|^4763$</id>
368     <description>Group Account Deleted</description>
369     <group>group_deleted,win_group_deleted,</group>
370   </rule>
371
372   <rule id="18202" level="5">
373     <if_sid>18200</if_sid>
374     <id>^631$|^4727$</id>
375     <description>Security Enabled Global Group Created</description>
376     <group>group_created,win_group_created,</group>
377     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631</info>
378   </rule>
379   
380   <rule id="18203" level="5">
381     <if_sid>18114</if_sid>
382     <id>^632$|^4728$</id>
383     <description>Security Enabled Global Group Member Added</description>
384     <group>group_changed,win_group_changed,</group>
385     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632</info>
386   </rule>
387   
388   <rule id="18204" level="5">
389     <if_sid>18114</if_sid>
390     <id>^633$|^4729$</id>
391     <description>Security Enabled Global Group Member Removed</description>
392     <group>group_changed,win_group_changed,</group>
393     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633</info>
394   </rule>
395
396   <rule id="18205" level="5">
397     <if_sid>18201</if_sid>
398     <id>^634$|^4730$</id>
399     <description>Security Enabled Global Group Deleted</description>
400     <group>group_deleted,win_group_deleted,</group>
401     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634</info>
402   </rule>
403
404   <rule id="18206" level="5">
405     <if_sid>18200</if_sid>
406     <id>^635$|^4731$</id>
407     <description>Security Enabled Local Group Created</description>
408     <group>group_created,win_group_created,</group>
409     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635</info>
410   </rule>
411   
412   <rule id="18207" level="5">
413     <if_sid>18114</if_sid>
414     <id>^636$|^4732$</id>
415     <description>Security Enabled Local Group Member Added</description>
416    <group>group_changed,win_group_changed,</group>
417     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636</info>
418   </rule>
419   
420   <rule id="18208" level="5">
421     <if_sid>18114</if_sid>
422     <id>^637$|^4733$</id>
423     <description>Security Enabled Local Group Member Removed</description>
424     <group>group_changed,win_group_changed,</group>
425     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637</info>
426   </rule>
427   
428   <rule id="18209" level="5">
429     <if_sid>18201</if_sid>
430     <id>^638$|^4734$</id>
431     <description>Security Enabled Local Group Deleted</description>
432     <group>group_deleted,win_group_deleted,</group>
433     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638</info>
434   </rule>
435   
436   <rule id="18210" level="5">
437     <if_sid>18114</if_sid>
438     <id>^639$|^4735$</id>
439     <description>Security Enabled Local Group Changed</description>
440     <group>group_changed,win_group_changed,</group>
441     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639</info>
442   </rule>
443   
444   <rule id="18211" level="5">
445     <if_sid>18114</if_sid>
446     <id>^641$|^4737$</id>
447     <description>Security Enabled Global Group Changed</description>
448     <group>group_changed,win_group_changed,</group>
449     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641</info>
450   </rule>
451   
452   <rule id="18212" level="5">
453     <if_sid>18200</if_sid>
454     <id>^658$|^4754$</id>
455     <description>Security Enabled Universal Group Created</description>
456     <group>group_created,win_group_created,</group>
457     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658</info>
458   </rule>
459   
460   <rule id="18213" level="5">
461     <if_sid>18114</if_sid>
462     <id>^659$|^4755$</id>
463     <description>Security Enabled Universal Group Changed</description>
464     <group>group_changed,win_group_changed,</group>
465     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659</info>
466   </rule>
467   
468   <rule id="18214" level="5">
469     <if_sid>18114</if_sid>
470     <id>^660$|^4756$</id>
471     <description>Security Enabled Universal Group Member Added</description>
472     <group>group_changed,win_group_changed,</group>
473     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660</info>
474   </rule>
475   
476   <rule id="18215" level="5">
477     <if_sid>18114</if_sid>
478     <id>^661$|^4757$</id>
479     <description>Security Enabled Universal Group Member Removed</description>
480     <group>group_changed,win_group_changed,</group>
481     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661</info>
482   </rule>
483   
484   <rule id="18216" level="5">
485     <if_sid>18201</if_sid>
486     <id>^662$|^4758$</id>
487     <description>Security Enabled Universal Group Deleted</description>
488     <group>group_deleted,win_group_deleted,</group>
489     <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662</info>
490   </rule>
491
492   <rule id="18217" level="12">
493     <if_sid>18207,18208</if_sid>
494     <regex> ID:\s+\p*S-1-5-32-544</regex>
495     <description>Administrators Group Changed</description>
496     <group>group_changed,win_group_changed,</group>
497     <info>http://support.microsoft.com/kb/243330</info>
498   </rule>
499
500   <rule id="18218" level="5">
501     <if_sid>18207,18208</if_sid>
502     <regex> ID:\s+%{S-1-1-0}</regex>
503     <description>Everyone Group Changed</description>
504     <group>group_changed,win_group_changed,</group>
505     <info>http://support.microsoft.com/kb/243330</info>
506   </rule>
507
508   <rule id="18219" level="12">
509     <if_sid>18207,18208</if_sid>
510     <regex> ID:\s+%{S-1-5-9}</regex>
511     <description>Enterprise Domain Controllers Group Changed</description>
512     <group>group_changed,win_group_changed,</group>
513     <info>http://support.microsoft.com/kb/243330</info>
514   </rule>
515
516   <rule id="18220" level="5">
517     <if_sid>18207,18208</if_sid>
518     <regex> ID:\s+%{S-1-5-11}</regex>
519     <description>Authenticated Users Group Changed</description>
520     <group>group_changed,win_group_changed,</group>
521     <info>http://support.microsoft.com/kb/243330</info>
522   </rule>
523
524   <rule id="18221" level="5">
525     <if_sid>18207,18208</if_sid>
526     <regex> ID:\s+%{S-1-5-13}</regex>
527     <description>Terminal Server Users Group Changed</description>
528     <group>group_changed,win_group_changed,</group>
529     <info>http://support.microsoft.com/kb/243330</info>
530   </rule>
531
532   <rule id="18222" level="12">
533     <if_sid>18203,18204</if_sid>
534     <regex> ID:\s+%{S-1-5-21\S+-512}</regex>
535     <description>Domain Admins Group Changed</description>
536     <group>group_changed,win_group_changed,</group>
537     <info>http://support.microsoft.com/kb/243330</info>
538   </rule>
539
540   <rule id="18223" level="5">
541     <if_sid>18203,18204</if_sid>
542     <regex> ID:\s+%{S-1-5-21\S+-513}</regex>
543     <description>Domain Users Group Changed</description>
544     <group>group_changed,win_group_changed,</group>
545     <info>http://support.microsoft.com/kb/243330</info>
546   </rule>
547
548     <rule id="18224" level="0">
549       <if_sid>18223,18203</if_sid>
550       <match>Target Account Name: None</match>
551       <description>Local User Group NONE</description>
552       <info>Bogus group user added to upon creation</info>
553     </rule>
554
555   <rule id="18225" level="12">
556     <if_sid>18203,18204</if_sid>
557     <regex> ID:\s+%{S-1-5-21\S+-514}</regex>
558     <description>Domain Guests Group Changed</description>
559     <group>group_changed,win_group_changed,</group>
560     <info>http://support.microsoft.com/kb/243330</info>
561   </rule>
562
563   <rule id="18226" level="5">
564     <if_sid>18203,18204</if_sid>
565     <regex> ID:\s+%{S-1-5-21\S+-515}</regex>
566     <description>Domain Computers Group Changed</description>
567     <group>group_changed,win_group_changed,</group>
568     <info>http://support.microsoft.com/kb/243330</info>
569   </rule>
570
571   <rule id="18227" level="12">
572     <if_sid>18203,18204</if_sid>
573     <regex> ID:\s+%{S-1-5-21\S+-516}</regex>
574     <description>Domain Controllers Group Changed</description>
575     <group>group_changed,win_group_changed,</group>
576     <info>http://support.microsoft.com/kb/243330</info>
577   </rule>
578
579   <rule id="18228" level="10">
580     <if_sid>18207,18208</if_sid>
581     <regex> ID:\s+%{S-1-5-21\S+-517}</regex>
582     <description>Cert Publishers Group Changed</description>
583     <group>group_changed,win_group_changed,</group>
584     <info>http://support.microsoft.com/kb/243330</info>
585   </rule>
586
587   <rule id="18229" level="12">
588     <if_sid>18203,18204</if_sid>
589     <regex> ID:\s+%{S-1-5-21\.+-518}</regex>
590     <description>Schema Admins Group Changed</description>
591     <group>group_changed,win_group_changed,</group>
592     <info>http://support.microsoft.com/kb/243330</info>
593   </rule>
594
595   <rule id="18230" level="12">
596     <if_sid>18203,18204</if_sid>
597     <regex> ID:\s+%{S-1-5-21\S+-519}</regex>
598     <description>Enterprise Admins Group Changed</description>
599     <group>group_changed,win_group_changed,</group>
600     <info>http://support.microsoft.com/kb/243330</info>
601   </rule>
602
603   <rule id="18231" level="10">
604     <if_sid>18203,18204</if_sid>
605     <regex> ID:\s+%{S-1-5-21\S+-520}</regex>
606     <description>Group Policy Creator Owners Group Changed</description>
607     <group>group_changed,win_group_changed,</group>
608     <info>http://support.microsoft.com/kb/243330</info>
609   </rule>
610
611   <rule id="18232" level="10">
612     <if_sid>18207,18208</if_sid>
613     <regex>\w* ID:\s+%{S-1-5-21\S+-553}</regex>
614     <description>RAS and IAS Servers Group Changed</description>
615     <group>group_changed,win_group_changed,</group>
616     <info>http://support.microsoft.com/kb/243330</info>
617   </rule>
618
619   <rule id="18233" level="5">
620     <if_sid>18207,18208</if_sid>
621     <regex> ID:\s+%{S-1-5-32-545}</regex>
622     <description>Users Group Changed</description>
623     <group>group_changed,win_group_changed,</group>
624     <info>http://support.microsoft.com/kb/243330</info>
625   </rule>
626
627   <rule id="18234" level="12">
628     <if_sid>18207,18208</if_sid>
629     <regex> ID:\s+%{S-1-5-32-546}</regex>
630     <description>Guests Group Changed</description>
631     <group>group_changed,win_group_changed,</group>
632     <info>http://support.microsoft.com/kb/243330</info>
633   </rule>
634
635   <rule id="18235" level="10">
636     <if_sid>18207,18208</if_sid>
637     <regex> ID:\s+%{S-1-5-32-547}</regex>
638     <description>Power Users Group Changed</description>
639     <group>group_changed,win_group_changed,</group>
640     <info>http://support.microsoft.com/kb/243330</info>
641   </rule>
642
643   <rule id="18236" level="10">
644     <if_sid>18207,18208</if_sid>
645     <regex> ID:\s+%{S-1-5-32-548}</regex>
646     <description>Account Operators Group Changed</description>
647     <group>group_changed,win_group_changed,</group>
648     <info>http://support.microsoft.com/kb/243330</info>
649   </rule>
650
651   <rule id="18237" level="10">
652     <if_sid>18207,18208</if_sid>
653     <regex> ID:\s+%{S-1-5-32-549}</regex>
654     <description>Server Operators Group Changed</description>
655     <group>group_changed,win_group_changed,</group>
656     <info>http://support.microsoft.com/kb/243330</info>
657   </rule>
658
659   <rule id="18238" level="8">
660     <if_sid>18207,18208</if_sid>
661     <regex>\w* ID:\s+%{S-1-5-32-550}</regex>
662     <description>Print Operators Group Changed</description>
663     <group>group_changed,win_group_changed,</group>
664     <info>http://support.microsoft.com/kb/243330</info>
665   </rule>
666
667   <rule id="18239" level="12">
668     <if_sid>18207,18208</if_sid>
669     <regex> ID:\s+%{S-1-5-32-551}</regex>
670     <description>Backup Operators Group Changed</description>
671     <group>group_changed,win_group_changed,</group>
672     <info>http://support.microsoft.com/kb/243330</info>
673   </rule>
674
675   <rule id="18240" level="10">
676     <if_sid>18207,18208</if_sid>
677     <regex> ID:\s+%{S-1-5-32-552}</regex>
678     <description>Replicators Group Changed</description>
679     <group>group_changed,win_group_changed,</group>
680     <info>http://support.microsoft.com/kb/243330</info>
681   </rule>
682
683   <rule id="18241" level="8">
684     <if_sid>18207,18208</if_sid>
685     <regex> ID:\s+%{S-1-5-32-554}</regex>
686     <description>Pre-Windows 2000 Compatible Access Group Changed</description>
687     <group>group_changed,win_group_changed,</group>
688     <info>http://support.microsoft.com/kb/243330</info>
689   </rule>
690
691   <rule id="18242" level="10">
692     <if_sid>18207,18208</if_sid>
693     <regex> ID:\s+%{S-1-5-32-555}</regex>
694     <description>Remote Desktop Users Group Changed</description>
695     <group>group_changed,win_group_changed,</group>
696     <info>http://support.microsoft.com/kb/243330</info>
697   </rule>
698
699   <rule id="18243" level="10">
700     <if_sid>18207,18208</if_sid>
701     <regex> ID:\s+%{S-1-5-32-556}</regex>
702     <description>Network Configuration Operators Group Changed</description>
703     <group>group_changed,win_group_changed,</group>
704     <info>http://support.microsoft.com/kb/243330</info>
705   </rule>
706
707   <rule id="18244" level="10">
708     <if_sid>18207,18208</if_sid>
709     <regex> ID:\s+%{S-1-5-32-557}</regex>
710     <description>Incoming Forest Trust Builders Group Changed</description>
711     <group>group_changed,win_group_changed,</group>
712     <info>http://support.microsoft.com/kb/243330</info>
713   </rule>
714
715   <rule id="18245" level="8">
716     <if_sid>18207,18208</if_sid>
717     <regex> ID:\s+%{S-1-5-32-558}</regex>
718     <description>Performance Monitor Users Group Changed</description>
719     <group>group_changed,win_group_changed,</group>
720     <info>http://support.microsoft.com/kb/243330</info>
721   </rule>
722
723   <rule id="18246" level="8">
724     <if_sid>18207,18208</if_sid>
725     <regex> ID:\s+%{S-1-5-32-559}</regex>
726     <description>Performance Log Users Group Changed</description>
727     <group>group_changed,win_group_changed,</group>
728     <info>http://support.microsoft.com/kb/243330</info>
729   </rule>
730
731   <rule id="18247" level="8">
732     <if_sid>18207,18208</if_sid>
733     <regex> ID:\s+%{S-1-5-32-560}</regex>
734     <description>Windows Authorization Access Group Changed</description>
735     <group>group_changed,win_group_changed,</group>
736     <info>http://support.microsoft.com/kb/243330</info>
737   </rule>
738
739   <rule id="18248" level="8">
740     <if_sid>18207,18208</if_sid>
741     <regex> ID:\s+%{S-1-5-32-561}</regex>
742     <description>Terminal Server License Servers Group Changed</description>
743     <group>group_changed,win_group_changed,</group>
744     <info>http://support.microsoft.com/kb/243330</info>
745   </rule>
746
747   <rule id="18249" level="8">
748     <if_sid>18207,18208</if_sid>
749     <regex> ID:\s+%{S-1-5-32-562}</regex>
750     <description>Distributed COM Users Group Changed</description>
751     <group>group_changed,win_group_changed,</group>
752     <info>http://support.microsoft.com/kb/243330</info>
753   </rule>
754
  <!-- Enterprise Read-only Domain Controllers (domain RID 498).
       NOTE(review): the SID pattern "S-1-5-\s*21\.+\s*-498}" differs from
       the "S-1-5-21\S+-RID}" form used by 18222 to 18231; "\." is the
       any-character class in OSSEC regex, so "\.+" can run past the SID
       into later fields, and the optional whitespace inside the SID has
       no counterpart elsewhere in this file. 18251, 18253 and 18254 use
       the same form; keep them in step if this is changed. -->
  <rule id="18250" level="12">
    <if_sid>18207,18208</if_sid>
    <regex> ID:\s+%{S-1-5-\s*21\.+\s*-498}</regex>
    <description>Enterprise Read-only Domain Controllers Group Changed</description>
    <group>group_changed,win_group_changed,</group>
    <info>http://support.microsoft.com/kb/243330</info>
  </rule>
762
  <!-- Read-only Domain Controllers. NOTE(review): Read-only Domain
       Controllers is the well-known domain RID 521 (see the KB243330
       link below); confirm that 529 is intended, otherwise this rule
       will not fire for that group. The SID pattern uses the same
       "\s*21\.+\s*" form as 18250 rather than the "\S+" form of the
       other domain-group rules. -->
  <rule id="18251" level="12">
    <if_sid>18207,18208</if_sid>
    <regex> ID:\s+%{S-1-5-\s*21\.+\s*-529}</regex>
    <description>Read-only Domain Controllers Group Changed</description>
    <group>group_changed,win_group_changed,</group>
    <info>http://support.microsoft.com/kb/243330</info>
  </rule>
770
771   <rule id="18252" level="12">
772     <if_sid>18207,18208</if_sid>
773     <regex> ID:\s+%{S-1-5-32-569}</regex>
774     <description>Cryptographic Operators Group Changed</description>
775     <group>group_changed,win_group_changed,</group>
776     <info>http://support.microsoft.com/kb/243330</info>
777   </rule>
778
779   <rule id="18253" level="10">
780     <if_sid>18207,18208</if_sid>
781     <regex> ID:\s+%{S-1-5-\s*21\.+\s*-571}</regex>
782     <description>Allowed RODC Password Replication Group Changed</description>
783     <group>group_changed,win_group_changed,</group>
784     <info>http://support.microsoft.com/kb/243330</info>
785   </rule>
786
787   <rule id="18254" level="10">
788     <if_sid>18207,18208</if_sid>
789     <regex> ID:\s+%{S-1-5-\s*21\.+\s*-572}</regex>
790     <description>Denied RODC Password Replication Group Changed</description>
791     <group>group_changed,win_group_changed,</group>
792     <info>http://support.microsoft.com/kb/243330</info>
793   </rule>
794
795   <rule id="18255" level="10">
796     <if_sid>18207,18208</if_sid>
797     <regex> ID:\s+%{S-1-5-32-573}</regex>
798     <description>Event Log Readers Group Changed</description>
799     <group>group_changed,win_group_changed,</group>
800     <info>http://support.microsoft.com/kb/243330</info>
801   </rule>
802
803   <rule id="18256" level="10">
804     <if_sid>18207,18208</if_sid>
805     <regex> ID:\s+%{S-1-5-32-574}</regex>
806     <description>Certificate Service DCOM Access Group Changed</description>
807     <group>group_changed,win_group_changed,</group>
808     <info>http://support.microsoft.com/kb/243330</info>
809   </rule>
810
  <!-- Suppress successful logon/logoff events 528/538/540 for the
       LOCAL SERVICE, NETWORK SERVICE and ANONYMOUS LOGON accounts.
       NOTE(review): no logon-type check is applied, so this silences
       these accounts for every logon type, not only the Advapi type-5
       logons the original comment described; in particular network
       logons (540) by ANONYMOUS LOGON are dropped at level 0 as well.
       Add a match on the logon type if only type 5 should be ignored. -->
  <rule id="18121" level="0">
    <if_sid>18107,18149</if_sid>
    <id>^528$|^538$|^540$</id>
    <user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>
    <description>Windows Logon Success (ignored).</description>
  </rule>
820   
821   
822   <!-- Kerberos failures that may indicate an attack -->
823   <rule id="18170" level="10">
824     <if_sid>18139</if_sid>
825     <match>Failure Code: 0x1F</match>
826     <description>Windows DC integrity check on decrypted </description>
827     <description>field failed.</description>
828     <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
829     <group>win_authentication_failed,attacks,</group>
830   </rule>
831   
832   <rule id="18171" level="10">
833     <if_sid>18139</if_sid>
834     <match>Failure Code: 0x22</match>
835     <description>Windows DC - Possible replay attack.</description>
836     <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
837     <group>win_authentication_failed,attacks,</group>
838   </rule>
839
840   <rule id="18172" level="7">
841     <if_sid>18139</if_sid>
842     <match>Failure Code: 0x25</match>
843     <description>Windows DC - Clock skew too great.</description>
844     <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
845     <group>win_authentication_failed,attacks,</group>
846   </rule>
847
848
849   <!-- MS SQL rules -->
850   <rule id="18180" level="5">
851     <if_sid>18105</if_sid>
852     <id>^18456$</id>
853     <group>win_authentication_failed,</group>
854     <description>MS SQL Server Logon Failure.</description>
855   </rule>
856
857   <rule id="18181" level="3">
858     <if_sid>18104</if_sid>
859     <id>^18454$|^18453$</id>
860     <description>MS SQL Server Logon Success.</description>
861     <group>authentication_success,</group>
862   </rule>
863
864   
865   
866   <!-- Composite rules -->
867   <rule id="18151" level="10" frequency="$MS_FREQ" timeframe="240">
868     <if_matched_sid>18108</if_matched_sid>
869     <same_user />
870     <description>Multiple failed attempts to perform a </description>
871     <description>privileged operation by the same user.</description>
872   </rule>
873
874   <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
875     <if_matched_group>win_authentication_failed</if_matched_group>
876     <description>Multiple Windows Logon Failures.</description>
877     <group>authentication_failures,</group>
878   </rule>
879   
880   <rule id="18153" level="10" frequency="$MS_FREQ" timeframe="240">
881     <if_matched_sid>18105</if_matched_sid>
882     <description>Multiple Windows audit failure events.</description>
883   </rule>
884
885   <rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
886     <if_matched_sid>18103</if_matched_sid>
887     <description>Multiple Windows error events.</description>
888   </rule>
889   
890   <rule id="18155" level="10" frequency="$MS_FREQ" timeframe="120">
891     <if_matched_sid>18102</if_matched_sid>
892     <description>Multiple Windows warning events.</description>
893   </rule>
894
895   <rule id="18156" level="10" frequency="$MS_FREQ" timeframe="240">
896     <if_matched_sid>18125</if_matched_sid>
897     <description>Multiple remote access login failures.</description>
898     <group>authentication_failures,</group>
899   </rule>
900 </group>
901
902 <!-- EOF -->