OTRF / ThreatHunter-Playbook

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.
MIT License

Issue on page /notebooks/windows/07_discovery/WIN-190826010110.html #43

Closed icthieves closed 3 years ago

icthieves commented 3 years ago

While reading the playbook page for Remote SCM handle failures, I noticed that while every SQL query on the page is filtering out SubjectLogonID 0x3e4, the Sigma rules appear to be inverted to only show results where SubjectLogonID=0x3e4, which from my understanding of the article seems to be backwards.

Both referenced Sigma rules are written this way: https://github.com/OTRF/ThreatHunter-Playbook/blob/master/signatures/sigma/win_scm_database_privileged_operation.yml and https://github.com/OTRF/ThreatHunter-Playbook/blob/master/signatures/sigma/win_scm_database_handle_failure.yml

Relevant snippet:

detection:
    selection: 
        EventID: 4674
        ObjectType: 'SC_MANAGER OBJECT'
        ObjectName: 'servicesactive'
        PrivilegeList: 'SeTakeOwnershipPrivilege'
        SubjectLogonId: "0x3e4"
    condition: selection

Possible change:

detection:
    selection: 
        EventID: 4674
        ObjectType: 'SC_MANAGER OBJECT'
        ObjectName: 'servicesactive'
        PrivilegeList: 'SeTakeOwnershipPrivilege'
    filter:
        SubjectLogonId: "0x3e4"
    condition: selection and not filter
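To make the inversion concrete, here is an added example (not code from the ThreatHunter-Playbook project) that evaluates both detection blocks quoted above over a few constructed Event ID 4674 records; the evaluator only understands the two condition shapes on this page, and all logon IDs other than 0x3e4 are made up.

```python
# Added example, not project code: a minimal evaluator for the two Sigma
# detection blocks quoted in the issue, run over constructed 4674 events.
COMMON = {"EventID": 4674, "ObjectType": "SC_MANAGER OBJECT",
          "ObjectName": "servicesactive", "PrivilegeList": "SeTakeOwnershipPrivilege"}

# Rule as currently published: the excluded logon ID sits inside the selection.
ORIGINAL_RULE = {"selection": {**COMMON, "SubjectLogonId": "0x3e4"},
                 "condition": "selection"}

# Proposed change: same selection, logon ID moved into a filter that is negated.
FIXED_RULE = {"selection": dict(COMMON),
              "filter": {"SubjectLogonId": "0x3e4"},
              "condition": "selection and not filter"}


def _matches(event, selector):
    # Sigma map semantics: every listed field must equal its value (AND).
    return all(event.get(k) == v for k, v in selector.items())


def evaluate(rule, event):
    # Handles the two condition shapes that appear on the page.
    sel = _matches(event, rule["selection"])
    if rule["condition"] == "selection":
        return sel
    if rule["condition"] == "selection and not filter":
        return sel and not _matches(event, rule["filter"])
    raise ValueError("unsupported condition: " + rule["condition"])


# Constructed sample events; logon IDs other than 0x3e4 are made up.
SAMPLE_EVENTS = [
    {"id": 1, **COMMON, "SubjectLogonId": "0x3e4"},    # the logon the playbook excludes
    {"id": 2, **COMMON, "SubjectLogonId": "0x5a2f1"},  # the case the hunt is after
    {"id": 3, **COMMON, "ObjectType": "File", "SubjectLogonId": "0x5a2f1"},  # not SCM
]


def hits(rule, events=SAMPLE_EVENTS):
    # IDs of the sample events the rule would alert on.
    return [e["id"] for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    print("original:", hits(ORIGINAL_RULE))  # [1] -> only the excluded logon
    print("fixed:   ", hits(FIXED_RULE))     # [2] -> everything except it
```

The published rule fires only on the logon ID the SQL queries exclude, while the proposed version fires on everything else that matches the selection, which is the behaviour the playbook text describes.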

Cyb3rWard0g commented 3 years ago

Oops, yes, both should have a filter in the condition. Good catch. I might have forgotten to add it. Good catch.

Would you mind opening a PR to update those two? I can always fix it in a PR too this weekend. Thank you for letting us know @icthieves!

Cyb3rWard0g commented 3 years ago

Thank you @icthieves!