Sure thing.
I am trying to implement three use cases.
1) Windows event ID: Failed object access attempt by a subject "Subject"
(tied to a real user, not a system account) of Object Type: File and
object: "C:\Users\Other-than-Subject\Whatever-else comes after.ext". Ten
recurrences by same Subject --> trigger an e-mail alert.
Here's what the event look like. The content of all the fields is decoded
in Wazuh fork of OSSEC.
2017 Mar 02 04:04:22 WinEvtLog: Security: AUDIT_FAILURE(4656): Microsoft-
Windows-Security-Auditing: (no user): no domain: Desktop: A handle to an
object was requested. Subject: Security ID:
S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Account Name: Subject1
Account Domain: DESKTOP Logon ID: 0xXXXXX Object: Object Server: Security
Object Type: File Object Name: C:\Users\Subject2\Documents\Private.txt
Handle ID: 0xXXX Resource Attributes: - Process Information: Process ID:
0xXXX Process Name: C:\Windows\System32\notepad.exe Access Request
Information: Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: SYNCHRONIZE ReadData (or ListDirectory) Access Reasons:
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BU) ReadData (or ListDirectory):
Granted by D:(A;;0x1200a9;;;BU) Access Mask: 0x100001 Privileges Used for
Access Check: - Restricted SID Count: 0
During decoding, the values of Account Name are stored as "subject", Object
Name as "object", the main directory in object as obj_dir_1, and first
subdirectory as obj_dir_2. In the example above obj_dir_1 is "Users" and
obj_dir_2 is "Subject2".
Practically, if an event similar to the above occurs where the value of
obj_dir_1 is "Users" *and* the value of decoded field "subject" does *not*
match the value of decoded field "obj_dir_2" ten times in half an hour from
same subject trigger an e-mail alert.
2) User successfully accessing files in the home folder of another user -->
A single occurrence generates an *immediate *e-mail alert.
2017 Mar 02 04:04:22 WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-
Windows-Security-Auditing: (no user): no domain: Desktop: A handle to an
object was requested. Subject: Security ID:
S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Account Name: Subject1
Account Domain: DESKTOP Logon ID: 0xXXXXX Object: Object Server: Security
Object Type: File Object Name: C:\Users\Subject2\Documents\Private.txt
Handle ID: 0xXXX Resource Attributes: - Process Information: Process ID:
0xXXX Process Name: C:\Windows\System32\notepad.exe Access Request
Information: Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: SYNCHRONIZE ReadData (or ListDirectory) Access Reasons:
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BU) ReadData (or ListDirectory):
Granted by D:(A;;0x1200a9;;;BU) Access Mask: 0x100001 Privileges Used for
Access Check: - Restricted SID Count: 0
Practically, if a single event similar to the above occurs where the value
of subject does *not* match the value of obj_dir_2 *and* obj_dir_1 is
"Users" trigger an e-mail alert.
Use case 1 is a security incident that can be described as: repeated failed
attempts at unauthorized object access by user.
Use case 2 is a more serious security incident: confirmed successful
unauthorized object access by user due to a loophole in the access control
list on Object. If subject1 is a *privileged *account, this is a clear
abuse of privilege by a system administrator.
Use Case 3 is an even more serious incident: one or more use case 1
followed by use case 2. Subject successfully managed to modify the ACL on
Object (then we would expect to see evidence thereto in the logs in terms
of changed permissions events -- another use case) or managed to subvert or
bypass the access control mechanism.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
