On Wed, Aug 8, 2012 at 10:11 AM, Dmitry <[email protected]> wrote:
> You see the rule 18111 is "A user account was changed"
> In the part of log "Changed Attributes" there are all the names of
> attributes and there is only one value of changed attribute.
> So in any alert of rule 18111 there is the name of attribute "Password Last
> Set"
>
> So the only way to determine the change of password is to look for a digit
> after "Password Last Set: ".
> In other case there will be "-"
>
<rule id="100089" level="7">
<if_sid>18111</if_sid>
<regex>Password Last Set: \d+</regex>
<description>blahblah</description>
</rule>
# cat /tmp/p
WinEvtLog: Security: AUDIT_SUCCESS(4738):
Microsoft-Windows-Security-Auditing: (no user): no domain:
SRV-DC.ft.local: A user account was changed. Subject: Security ID:
S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg
Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID:
S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP
Account Domain: FL Changed Attributes: SAM Account Name: - Display
Name: - User Principal Name: - Home Directory: - Home Drive: - Script
Path: - Profile Path: - User Workstations: - Password Last Set:
8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: -
AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account
Control: - User Parameters: - SID History: - Logon Hours: - Additional
Information: Privileges: -
# cat /tmp/p | /var/ossec/bin/ossec-logtest
2012/08/08 10:20:52 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2012/08/08 10:20:52 ossec-testrule: INFO: Reading decoder file
etc/local_decoder.xml.
2012/08/08 10:20:52 ossec-testrule: INFO: Reading decoder file
etc/wip/nsd_decoder.xml.
2012/08/08 10:20:52 ossec-testrule: INFO: Reading loading the lists
file: 'lists/blocked.txt.cdb'
2012/08/08 10:20:52 ossec-testrule: INFO: Reading loading the lists
file: 'lists/userlist.txt.cdb'
2012/08/08 10:20:52 ossec-testrule: INFO: Reading loading the lists
file: 'lists/banneduser.txt.cdb'
2012/08/08 10:20:53 ossec-testrule: INFO: Started (pid: 26728).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4738):
Microsoft-Windows-Security-Auditing: (no user): no domain:
SRV-DC.ft.local: A user account was changed. Subject: Security ID:
S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg
Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID:
S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP
Account Domain: FL Changed Attributes: SAM Account Name: - Display
Name: - User Principal Name: - Home Directory: - Home Drive: - Script
Path: - Profile Path: - User Workstations: - Password Last Set:
8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: -
AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account
Control: - User Parameters: - SID History: - Logon Hours: - Additional
Information: Privileges: -'
hostname: 'ix'
program_name: '(null)'
log: 'WinEvtLog: Security: AUDIT_SUCCESS(4738):
Microsoft-Windows-Security-Auditing: (no user): no domain:
SRV-DC.ft.local: A user account was changed. Subject: Security ID:
S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg
Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID:
S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP
Account Domain: FL Changed Attributes: SAM Account Name: - Display
Name: - User Principal Name: - Home Directory: - Home Drive: - Script
Path: - Profile Path: - User Workstations: - Password Last Set:
8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: -
AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account
Control: - User Parameters: - SID History: - Logon Hours: - Additional
Information: Privileges: -'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '4738'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: 'SRV-DC.ft.local'
**Phase 3: Completed filtering (rules).
Rule id: '100089'
Level: '7'
Description: 'blahblah'
**Alert to be generated.
> On Wednesday, August 8, 2012 4:28:10 PM UTC+4, dan (ddpbsd) wrote:
>>
>> On Wed, Aug 8, 2012 at 7:29 AM, Dmitry <[email protected]> wrote:
>> > Hi!
>> >
>> > In Windows Log event that says about changing password looks like:
>> >
>> > WinEvtLog: Security: AUDIT_SUCCESS(4738):
>> > Microsoft-Windows-Security-Auditing: (no user): no domain:
>> > SRV-DC.ft.local:
>> > A user account was changed. Subject: Security ID:
>> > S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account
>> > Domain: FL Logon ID: 0x1204753c Target Account: Security ID:
>> > S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account
>> > Domain: FL Changed Attributes: SAM Account Name: - Display Name: - User
>> > Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile
>> > Path: - User Workstations: - Password Last Set: 8/8/2012 2:42:44 PM
>> > Account
>> > Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: -
>> > New
>> > UAC Value: - User Account Control: - User Parameters: - SID History: -
>> > Logon
>> > Hours: - Additional Information: Privileges: -
>> >
>> > This log triggered alert of rule 18111 (Windows account changed).
>> >
>> > In order to have separate rule "Password changed" I wrote rule:
>> >
>> > <!-- Password changed for Windows Account -->
>> > <rule id="100003" level="7">
>> > <if_sid>18111</if_sid>
>> > <regex>Password Last Set: \d </regex>
>> > <description>Password changed for Windows account</description>
>> > </rule>
>> >
>> > But it doesn't work. When I use <match> instead of <regex> it doesn't
>> > help.
>> >
>> >
>>
>> This works fine for me:
>>
>> <rule id="100089" level="7">
>> <if_sid>18111</if_sid>
>> <match>Password Last Set:</match>
>> <description>blahblah</description>
>> </rule>