2018-12-18 10:34 AM
How would I convert this rule to Netwitness?
logsource:
    product: windows
    service: security
    definition: 'The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625'
detection:
    selection:
        - EventID: 4624
          LogonType: '3'
          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
        - EventID: 4625
          LogonType: '3'
          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
    filter:
        AccountName: 'ANONYMOUS LOGON'
    condition: selection and not filter
falsepositives:
    - Administrator activity
    - Penetration tests
level: medium
2018-12-18 10:53 AM
reference.id = '528','540','4624' && logon.type = '3' && process='ntlmssp' && user.dst != 'ANONYMOUS LOGON' && NOT(user.dst ends '$')
2018-12-18 11:38 AM
Is that from the Sigma project rule list?
2018-12-18 11:43 AM
It is
2018-12-18 01:43 PM
Should that include Event ID 4625?
reference.id = '528','540','4624','4625' && logon.type = '3' && process='ntlmssp' && user.dst != 'ANONYMOUS LOGON' && NOT(user.dst ends '$')
2018-12-18 01:46 PM
Yes. Good catch.