--- /dev/null
+<!-- @(#) $Id: ./etc/rules/msauth_rules.xml, 2011/09/08 dcid Exp $
+
+ - Example of Microsoft Windows (2000, XP, 2003) rules for OSSEC.
+ -
+ - Copyright (C) 2009 Trend Micro Inc.
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -->
+
+
+<var name="MS_FREQ">6</var>
+
+<group name="windows,">
+ <rule id="18100" level="0">
+ <category>windows</category>
+ <description>Group of windows rules.</description>
+ </rule>
+
+ <rule id="18101" level="0">
+ <if_sid>18100</if_sid>
+ <status>^INFORMATION</status>
+ <description>Windows informational event.</description>
+ </rule>
+
+ <rule id="18102" level="0">
+ <if_sid>18100</if_sid>
+ <status>^WARNING</status>
+ <description>Windows warning event.</description>
+ </rule>
+
+ <rule id="18103" level="5">
+ <if_sid>18100</if_sid>
+ <status>^ERROR</status>
+ <description>Windows error event.</description>
+ <group>system_error,</group>
+ </rule>
+
+ <rule id="18104" level="0">
+ <if_sid>18100</if_sid>
+ <status>^AUDIT_SUCCESS|^success</status>
+ <description>Windows audit success event.</description>
+ </rule>
+
+ <rule id="18105" level="4">
+ <if_sid>18100</if_sid>
+ <status>^AUDIT_FAILURE|^failure</status>
+ <description>Windows audit failure event.</description>
+ </rule>
+
+ <rule id="18106" level="5">
+ <if_sid>18105</if_sid>
+ <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
+ <description>Windows Logon Failure.</description>
+ <group>win_authentication_failed,</group>
+ </rule>
+
+ <rule id="18107" level="3">
+ <if_sid>18104</if_sid>
+ <id>^528$|^540$|^673$|^4624$|^4769$</id>
+ <description>Windows Logon Success.</description>
+ <group>authentication_success,</group>
+ </rule>
+
+ <rule id="18108" level="4">
+ <if_sid>18105</if_sid>
+ <id>^577$|^4673$</id>
+ <description>Failed attempt to perform a privileged </description>
+ <description>operation.</description>
+ </rule>
+
+ <rule id="18109" level="3">
+ <if_sid>18104</if_sid>
+ <id>^682$|^683$|^4778$|^4779$</id>
+ <description>Session reconnected/disconnected to winstation.</description>
+ </rule>
+
+ <rule id="18110" level="8">
+ <if_sid>18104</if_sid>
+ <id>^624$|^626$|^4720$|^4722$</id>
+ <description>User account enabled or created.</description>
+ <group>adduser,account_changed,</group>
+ </rule>
+
+ <rule id="18111" level="8">
+ <if_sid>18104</if_sid>
+ <id>^628$|^642$|^685$|^4738$|^4781$</id>
+ <description>User account changed.</description>
+ <group>account_changed,</group>
+ </rule>
+
+ <rule id="18112" level="8">
+ <if_sid>18104</if_sid>
+ <id>^630$|^629$|^4725$|^4726$</id>
+ <description>User account disabled or deleted.</description>
+ <group>adduser,account_changed,</group>
+ </rule>
+
+ <rule id="18113" level="8">
+ <if_sid>18104</if_sid>
+ <id>^612$|^643$|^4719$|^4907$|^4912$|^4719$</id>
+ <description>Windows Audit Policy changed.</description>
+ <group>policy_changed,</group>
+ </rule>
+
+ <rule id="18114" level="5">
+ <if_sid>18104</if_sid>
+ <id>^632$|^4728$|^633$|^4729$|^636$|^4732$|^637$|^4733$|^639$|^4735$|</id>
+ <id>^641$|^4737$|^637$|^4733$|^659$|^4755$|^660$|^4766$|^668$|^4764$|</id>
+ <id>^649$|^4745$|^650$|^4746$|^651$|^4747$|^654$|^4750$|^655$|^4751$|</id>
+ <id>^656$|^4752$|^659$|^4755$|^660$|^4756$|^661$|^4757$|^664$|^4760$|</id>
+ <id>^665$|^4761$|^666$|^4762$</id>
+ <description>Group Account Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ </rule>
+
+ <rule id="18115" level="8">
+ <if_sid>18104</if_sid>
+ <id>^640$</id>
+ <description>General account database changed.</description>
+ <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=640</info>
+ <group>adduser,account_changed,</group>
+ </rule>
+
+ <rule id="18116" level="9">
+ <if_sid>18104</if_sid>
+ <id>^644$|^4740$</id>
+ <description>User account locked out (multiple login errors).</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <rule id="18117" level="7">
+ <if_sid>18104</if_sid>
+ <id>^513$|^4609$</id>
+ <description>Windows is shutting down.</description>
+ <group>system_shutdown,</group>
+ </rule>
+
+ <rule id="18118" level="9">
+ <if_sid>18104</if_sid>
+ <id>^517$|^1102$</id>
+ <description>Windows audit log was cleared.</description>
+ <group>logs_cleared,</group>
+ </rule>
+
+ <rule id="18119" level="3">
+ <if_sid>18107</if_sid>
+ <options>alert_by_email</options>
+ <if_fts />
+ <description>First time this user logged in this system.</description>
+ <group>authentication_success,</group>
+ </rule>
+
+ <rule id="18120" level="0">
+ <if_sid>18105</if_sid>
+ <id>^680$</id>
+ <description>Windows login attempt (ignored). Duplicated.</description>
+ </rule>
+
+ <rule id="18125" level="5">
+ <if_sid>18102, 18103</if_sid>
+ <id>^20187$|^20014$|^20078$|^20050$|^20049$|^20189$</id>
+ <description>Remote access login failure.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
+ <rule id="18126" level="3">
+ <if_sid>18101</if_sid>
+ <id>^20158$</id>
+ <description>Remote access login success.</description>
+ <group>authentication_success,</group>
+ </rule>
+
+ <rule id="18127" level="5">
+ <if_sid>18104</if_sid>
+ <id>^646$|^645$|^647$|^4741$|^4742$|^4743$</id>
+ <description>Computer account added/changed/deleted.</description>
+ <group>account_changed,</group>
+ </rule>
+
+ <rule id="18128" level="8">
+ <!-- if_sid>18104</if_sid -->
+ <id>^65xxx</id>
+ <description>Group account added/changed/deleted.</description>
+ <info>This rule has been deprecated</info>
+ <group>account_changed,</group>
+ </rule>
+
+ <rule id="18129" level="8">
+ <if_sid>18103</if_sid>
+ <id>^13570$</id>
+ <description>Windows file system full.</description>
+ <group>low_diskspace,</group>
+ </rule>
+
+
+ <!-- Granular windows login rules -->
+ <rule id="18130" level="5">
+ <if_sid>18106</if_sid>
+ <id>^529$|^4625$</id>
+ <description>Logon Failure - Unknown user or bad password.</description>
+ <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625</info>
+ <group>win_authentication_failed,</group>
+ </rule>
+
+ <rule id="18131" level="5">
+ <if_sid>18106</if_sid>
+ <id>^530$</id>
+ <description>Logon Failure - Account logon time restriction </description>
+ <description>violation.</description>
+ <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=530</info>
+ <group>win_authentication_failed,login_denied,</group>
+ </rule>
+
+ <rule id="18132" level="5">
+ <if_sid>18106</if_sid>
+ <id>^531$</id>
+ <description>Logon Failure - Account currently disabled.</description>
+ <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=531</info>
+ <group>win_authentication_failed,login_denied,</group>
+ </rule>
+
+ <rule id="18133" level="5">
+ <if_sid>18106</if_sid>
+ <id>^532$</id>
+ <description>Logon Failure - Specified account expired.</description>
+ <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=532</info>
+ <group>win_authentication_failed,login_denied,</group>
+ </rule>
+
+ <rule id="18134" level="7">
+ <if_sid>18106</if_sid>
+ <id>^533$</id>
+ <description>Logon Failure - User not allowed to login at </description>
+ <description>this computer.</description>
+ <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=533</info>
+ <group>win_authentication_failed,login_denied,</group>
+ </rule>
+
+ <rule id="18135" level="5">
+ <if_sid>18106</if_sid>
+ <id>^534$</id>
+ <description>Logon Failure - User not granted logon type.</description>
+ <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=534</info>
+ <group>win_authentication_failed,</group>
+ </rule>
+
+ <rule id="18136" level="5">
+ <if_sid>18106</if_sid>
+ <id>^535$</id>
+ <description>Logon Failure - Account's password expired.</description>
+ <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=535</info>
+ <group>win_authentication_failed,</group>
+ </rule>
+
+ <rule id="18137" level="5">
+ <if_sid>18106</if_sid>
+ <id>^536$|^537$</id>
+ <description>Logon Failure - Internal error.</description>
+ <group>win_authentication_failed,</group>
+ </rule>
+
+ <rule id="18138" level="7">
+ <if_sid>18106</if_sid>
+ <id>^539$</id>
+ <description>Logon Failure - Account locked out.</description>
+ <group>win_authentication_failed,</group>
+ </rule>
+
+ <rule id="18139" level="5">
+ <if_sid>18105</if_sid>
+ <id>^673$|^675$|^681$|^4769$</id>
+ <description>Windows DC Logon Failure.</description>
+ <group>win_authentication_failed,</group>
+ </rule>
+
+ <rule id="18140" level="5">
+ <if_sid>18104</if_sid>
+ <id>^520$|^4616$</id>
+ <description>System time changed.</description>
+ <group>time_changed,</group>
+ </rule>
+
+ <rule id="18141" level="7">
+ <if_sid>18102</if_sid>
+ <id>^1076$</id>
+ <match>unexpected shutdown</match>
+ <group>system_error, system_shutdown,</group>
+ <description>Unexpected Windows shutdown.</description>
+ </rule>
+
+ <rule id="18142" level="5">
+ <if_sid>18104</if_sid>
+ <id>^671$|^4767$</id>
+ <description>User account unlocked.</description>
+ <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767</info>
+ <group>account_changed,</group>
+ </rule>
+
+ <rule id="18143" level="8">
+ <if_sid>18114</if_sid>
+ <id>^631$|^635$|^658$</id>
+ <description>Security enabled group created.</description>
+ <group>adduser,account_changed,</group>
+ </rule>
+
+ <rule id="18144" level="8">
+ <if_sid>18114</if_sid>
+ <id>^634$|^638$|^662$</id>
+ <description>Security enabled group deleted.</description>
+ <group>adduser,account_changed,</group>
+ </rule>
+
+ <!-- Some services change their startup type automatically -->
+ <rule id="18145" level="3">
+ <if_sid>18101</if_sid>
+ <id>^7040$</id>
+ <group>policy_changed,</group>
+ <description>Service startup type was changed.</description>
+ <info type="text">This does not appear to be logged on Windows 2000.</info>
+ </rule>
+
+ <rule id="18146" level="5">
+ <if_sid>18101</if_sid>
+ <id>^11724$</id>
+ <options>alert_by_email</options>
+ <description>Application Uninstalled.</description>
+ </rule>
+
+ <rule id="18147" level="5">
+ <if_sid>18101</if_sid>
+ <id>^11707$</id>
+ <options>alert_by_email</options>
+ <description>Application Installed.</description>
+ </rule>
+
+ <rule id="18148" level="3">
+ <if_sid>18104</if_sid>
+ <id>^4608$</id>
+ <description>Windows is starting up.</description>
+ </rule>
+
+ <rule id="18149" level="3">
+ <if_sid>18104</if_sid>
+ <id>^538$|^551$|^4634$|^4647$</id>
+ <description>Windows User Logoff.</description>
+ </rule>
+
+<!-- Granular group rules -->
+
+ <rule id="18200" level="5">
+ <if_sid>18104</if_sid>
+ <id>^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$|</id>
+ <id>^663$|^4759$</id>
+ <description>Group Account Created</description>
+ <group>group_created,win_group_created,</group>
+ </rule>
+
+ <rule id="18201" level="5">
+ <if_sid>18104</if_sid>
+ <id>^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$|</id>
+ <id>^667$|^4763$</id>
+ <description>Group Account Deleted</description>
+ <group>group_deleted,win_group_deleted,</group>
+ </rule>
+
+ <rule id="18202" level="5">
+ <if_sid>18200</if_sid>
+ <id>^631$|^4727$</id>
+ <description>Security Enabled Global Group Created</description>
+ <group>group_created,win_group_created,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631</info>
+ </rule>
+
+ <rule id="18203" level="5">
+ <if_sid>18114</if_sid>
+ <id>^632$|^4728$</id>
+ <description>Security Enabled Global Group Member Added</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632</info>
+ </rule>
+
+ <rule id="18204" level="5">
+ <if_sid>18114</if_sid>
+ <id>^633$|^4729$</id>
+ <description>Security Enabled Global Group Member Removed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633</info>
+ </rule>
+
+ <rule id="18205" level="5">
+ <if_sid>18201</if_sid>
+ <id>^634$|^4730$</id>
+ <description>Security Enabled Global Group Deleted</description>
+ <group>group_deleted,win_group_deleted,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634</info>
+ </rule>
+
+ <rule id="18206" level="5">
+ <if_sid>18200</if_sid>
+ <id>^635$|^4731$</id>
+ <description>Security Enabled Local Group Created</description>
+ <group>group_created,win_group_created,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635</info>
+ </rule>
+
+ <rule id="18207" level="5">
+ <if_sid>18114</if_sid>
+ <id>^636$|^4732$</id>
+ <description>Security Enabled Local Group Member Added</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636</info>
+ </rule>
+
+ <rule id="18208" level="5">
+ <if_sid>18114</if_sid>
+ <id>^637$|^4733$</id>
+ <description>Security Enabled Local Group Member Removed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637</info>
+ </rule>
+
+ <rule id="18209" level="5">
+ <if_sid>18201</if_sid>
+ <id>^638$|^4734$</id>
+ <description>Security Enabled Local Group Deleted</description>
+ <group>group_deleted,win_group_deleted,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638</info>
+ </rule>
+
+ <rule id="18210" level="5">
+ <if_sid>18114</if_sid>
+ <id>^639$|^4735$</id>
+ <description>Security Enabled Local Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639</info>
+ </rule>
+
+ <rule id="18211" level="5">
+ <if_sid>18114</if_sid>
+ <id>^641$|^4737$</id>
+ <description>Security Enabled Global Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641</info>
+ </rule>
+
+ <rule id="18212" level="5">
+ <if_sid>18200</if_sid>
+ <id>^658$|^4754$</id>
+ <description>Security Enabled Universal Group Created</description>
+ <group>group_created,win_group_created,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658</info>
+ </rule>
+
+ <rule id="18213" level="5">
+ <if_sid>18114</if_sid>
+ <id>^659$|^4755$</id>
+ <description>Security Enabled Universal Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659</info>
+ </rule>
+
+ <rule id="18214" level="5">
+ <if_sid>18114</if_sid>
+ <id>^660$|^4756$</id>
+ <description>Security Enabled Universal Group Member Added</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660</info>
+ </rule>
+
+ <rule id="18215" level="5">
+ <if_sid>18114</if_sid>
+ <id>^661$|^4757$</id>
+ <description>Security Enabled Universal Group Member Removed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661</info>
+ </rule>
+
+ <rule id="18216" level="5">
+ <if_sid>18201</if_sid>
+ <id>^662$|^4758$</id>
+ <description>Security Enabled Universal Group Deleted</description>
+ <group>group_deleted,win_group_deleted,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662</info>
+ </rule>
+
+ <rule id="18217" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+\p*S-1-5-32-544</regex>
+ <description>Administrators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18218" level="5">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0</regex>
+ <description>Everyone Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18219" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-9}| ID:\s+S-1-5-9</regex>
+ <description>Enterprise Domain Controllers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18220" level="5">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-11}| ID:\s+S-1-5-11</regex>
+ <description>Authenticated Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18221" level="5">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-13}| ID:\s+S-1-5-13</regex>
+ <description>Terminal Server Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18222" level="12">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-512}| ID:\s+S-1-5-21\S+-512</regex>
+ <description>Domain Admins Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18223" level="5">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-513}| ID:\s+S-1-5-21\S+-513</regex>
+ <description>Domain Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18224" level="0">
+ <if_sid>18223,18203</if_sid>
+ <match>Target Account Name: None</match>
+ <description>Local User Group NONE</description>
+ <info>Bogus group user added to upon creation</info>
+ </rule>
+
+ <rule id="18225" level="12">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-514}| ID:\s+S-1-5-21\S+-514</regex>
+ <description>Domain Guests Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18226" level="5">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-515}| ID:\s+S-1-5-21\S+-515</regex>
+ <description>Domain Computers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18227" level="12">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-516}| ID:\s+S-1-5-21\S+-516</regex>
+ <description>Domain Controllers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18228" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-517}| ID:\s+S-1-5-21\S+-517</regex>
+ <description>Cert Publishers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18229" level="12">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\.+-518}| ID:\s+S-1-5-21\.+-518</regex>
+ <description>Schema Admins Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18230" level="12">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-519}| ID:\s+S-1-5-21\S+-519</regex>
+ <description>Enterprise Admins Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18231" level="10">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-520}| ID:\s+S-1-5-21\S+-520</regex>
+ <description>Group Policy Creator Owners Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18232" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-553}| ID:\s+S-1-5-21\S+-553</regex>
+ <description>RAS and IAS Servers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18233" level="5">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-545}| ID:\s+S-1-5-32-545</regex>
+ <description>Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18234" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-546}| ID:\s+S-1-5-32-546</regex>
+ <description>Guests Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18235" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-547}| ID:\s+S-1-5-32-547</regex>
+ <description>Power Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18236" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-548}| ID:\s+S-1-5-32-548</regex>
+ <description>Account Operators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18237" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-549}| ID:\s+S-1-5-32-549</regex>
+ <description>Server Operators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18238" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-550}| ID:\s+S-1-5-32-550</regex>
+ <description>Print Operators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18239" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-551}| ID:\s+S-1-5-32-551</regex>
+ <description>Backup Operators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18240" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-552}| ID:\s+S-1-5-32-552</regex>
+ <description>Replicators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18241" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-554}| ID:\s+S-1-5-32-554</regex>
+ <description>Pre-Windows 2000 Compatible Access Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18242" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-555}| ID:\s+S-1-5-32-555</regex>
+ <description>Remote Desktop Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18243" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-556}| ID:\s+S-1-5-32-556</regex>
+ <description>Network Configuration Operators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18244" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-557}| ID:\s+S-1-5-32-557</regex>
+ <description>Incoming Forest Trust Builders Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18245" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-558}| ID:\s+S-1-5-32-558</regex>
+ <description>Performance Monitor Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18246" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-559}| ID:\s+S-1-5-32-559</regex>
+ <description>Performance Log Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18247" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-560}| ID:\s+S-1-5-32-560</regex>
+ <description>Windows Authorization Access Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18248" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-561}| ID:\s+S-1-5-32-561</regex>
+ <description>Terminal Server License Servers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18249" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-562}| ID:\s+S-1-5-32-562</regex>
+ <description>Distributed COM Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18250" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-\s*21\.+\s*-498}| ID:\s+S-1-5-\s*21\.+\s*-498</regex>
+ <description>Enterprise Read-only Domain Controllers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18251" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-\s*21\.+\s*-529}| ID:\s+S-1-5-\s*21\.+\s*-529</regex>
+ <description>Read-only Domain Controllers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18252" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-569}| ID:\s+S-1-5-32-569</regex>
+ <description>Cryptographic Operators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18253" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-\s*21\.+\s*-571}| ID:\s+S-1-5-\s*21\.+\s*-571</regex>
+ <description>Allowed RODC Password Replication Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18254" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-\s*21\.+\s*-572}| ID:\s+S-1-5-\s*21\.+\s*-572</regex>
+ <description>Denied RODC Password Replication Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18255" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-573}| ID:\s+S-1-5-32-573</regex>
+ <description>Event Log Readers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18256" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-574}| ID:\s+S-1-5-32-574</regex>
+ <description>Certificate Service DCOM Access Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18257" level="3">
+ <if_sid>18101</if_sid>
+ <id>^200$|^300$|^302$</id>
+ <description>TS Gateway login success.</description>
+ <group>authentication_success,</group>
+ <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
+ </rule>
+
+ <rule id="18258" level="5">
+ <if_sid>18102, 18103</if_sid>
+ <id>^201$|^203$|^204$|^301$|^304$|^305$|^306$|^1001$</id>
+ <description>TS Gateway login failure.</description>
+ <group>authentication_failed,</group>
+ <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
+ </rule>
+
+ <rule id="18259" level="3">
+ <if_sid>18101</if_sid>
+ <id>^202$|^303$</id>
+ <description>TS Gateway user disconnected.</description>
+ <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
+ </rule>
+
+ <!-- Ignore Login events, type 5, from Advapi for:
+ - LOCAL SERVICE and NETWORK SERVICE.
+ -->
+ <rule id="18121" level="0">
+ <if_sid>18107,18149</if_sid>
+ <id>^528$|^538$|^540$|^4624$</id>
+ <user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>
+ <description>Windows Logon Success (ignored).</description>
+ </rule>
+
+
+ <!-- Kerberos failures that may indicate an attack -->
+ <rule id="18170" level="10">
+ <if_sid>18139</if_sid>
+ <match>Failure Code: 0x1F</match>
+ <description>Windows DC integrity check on decrypted </description>
+ <description>field failed.</description>
+ <!--<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>-->
+ <group>win_authentication_failed,attacks,</group>
+ </rule>
+
+ <rule id="18171" level="10">
+ <if_sid>18139</if_sid>
+ <match>Failure Code: 0x22</match>
+ <description>Windows DC - Possible replay attack.</description>
+ <!--<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>-->
+ <group>win_authentication_failed,attacks,</group>
+ </rule>
+
+ <rule id="18172" level="7">
+ <if_sid>18139</if_sid>
+ <match>Failure Code: 0x25</match>
+ <description>Windows DC - Clock skew too great.</description>
+ <!--<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>-->
+ <group>win_authentication_failed,attacks,</group>
+ </rule>
+
+
+ <!-- MS SQL rules -->
+ <rule id="18180" level="5">
+ <if_sid>18105</if_sid>
+ <id>^18456$</id>
+ <group>win_authentication_failed,</group>
+ <description>MS SQL Server Logon Failure.</description>
+ </rule>
+
+ <rule id="18181" level="3">
+ <if_sid>18104</if_sid>
+ <id>^18454$|^18453$</id>
+ <description>MS SQL Server Logon Success.</description>
+ <group>authentication_success,</group>
+ </rule>
+
+<!-- Detail logon rules -->
+ <rule id="18260" level="3">
+ <if_sid>18107</if_sid>
+ <id>^4624$</id>
+ <match>Logon Type: 8</match>
+ <description>MS Exchange Logon Success.</description>
+ </rule>
+
+ <rule id="18261" level="0">
+ <if_sid>18149</if_sid>
+ <id>^4634$</id>
+ <match>Logon Type: 8</match>
+ <description>User Logoff Exchange.</description>
+ </rule>
+
+
+ <!-- Composite rules -->
+ <rule id="18151" level="10" frequency="$MS_FREQ" timeframe="240">
+ <if_matched_sid>18108</if_matched_sid>
+ <same_user />
+ <description>Multiple failed attempts to perform a </description>
+ <description>privileged operation by the same user.</description>
+ </rule>
+
+ <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
+ <if_matched_group>win_authentication_failed</if_matched_group>
+ <description>Multiple Windows Logon Failures.</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <rule id="18153" level="10" frequency="$MS_FREQ" timeframe="240">
+ <if_matched_sid>18105</if_matched_sid>
+ <description>Multiple Windows audit failure events.</description>
+ </rule>
+
+ <rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
+ <if_matched_sid>18103</if_matched_sid>
+ <description>Multiple Windows error events.</description>
+ </rule>
+
+ <rule id="18155" level="10" frequency="$MS_FREQ" timeframe="120">
+ <if_matched_sid>18102</if_matched_sid>
+ <description>Multiple Windows warning events.</description>
+ </rule>
+
+ <rule id="18156" level="10" frequency="$MS_FREQ" timeframe="240">
+ <if_matched_sid>18125</if_matched_sid>
+ <description>Multiple remote access login failures.</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <rule id="18157" level="10" frequency="$MS_FREQ" timeframe="240">
+ <if_matched_sid>18258</if_matched_sid>
+ <description>Multiple TS Gateway login failures.</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <!--
+ Chrome Remote Desktop
+ Created by Kevin Branch
+ Updated by Wazuh
+ -->
+ <rule id="18158" level="5">
+ <if_sid>18103</if_sid>
+ <match>chromoting</match>
+ <regex>: chromoting: \.* Access denied for client: </regex>
+ <description>Chrome Remote Desktop attempt - access denied</description>
+ </rule>
+
+ <rule id="18159" level="5">
+ <if_sid>18101</if_sid>
+ <match>chromoting</match>
+ <regex>: chromoting: \.* Client connected:</regex>
+ <description>Chrome Remote Desktop attempt - connected</description>
+ </rule>
+
+ <rule id="18160" level="5">
+ <if_sid>18101</if_sid>
+ <match>chromoting</match>
+ <regex>: chromoting: \.* Client disconnected:</regex>
+ <description>Chrome Remote Desktop attempt - disconnected</description>
+ </rule>
+
+</group>
+
+<!-- EOF -->
projects / ossec-hids.git / blobdiff