
Add LDAP firewall application rules #4528

Open: wants to merge 3 commits into master
Conversation

dekelpaz

Summary of the Pull Request

Added new Sigma application rules for LDAP Firewall

Changelog

new: ldap_firewall_bloodhound.yml
new: ldap_firewall_laps.yml
new: ldap_firewall_name_impersonation.yml

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added the Rules label Oct 30, 2023
@nasbench nasbench self-requested a review October 30, 2023 10:47
@nasbench nasbench self-assigned this Oct 30, 2023
@nasbench (Member)

Hi @dekelpaz and thanks for this contribution :)

Can you please provide logs of your testing to make the review process easier.

Thanks in advance and welcome to the Sigma community.

@nasbench nasbench added the labels "Work In Progress (Some changes are needed)" and "Author Input Required (changes that require information from the original author of the rules)" on Oct 30, 2023
@dekelpaz (Author)

@nasbench is this the type of log you're looking for?
LDAPFW_bloodhound.evtx.zip

@nasbench (Member)

> @nasbench is this the type of log you're looking for? LDAPFW_bloodhound.evtx.zip

Yes, thank you. If you have more events related to the rules you submitted that would be great.
Cheers.

@dekelpaz (Author)

dekelpaz commented Nov 2, 2023

LDAPFW_sAMAccountName_spoofing.evtx.zip

Here is a log for the sAMAccountName spoofing rule

@nasbench nasbench removed the label "Author Input Required (changes that require information from the original author of the rules)" on Nov 2, 2023
@dekelpaz (Author)

Hey @nasbench, any updates on this review? Do you need anything else from me?

@nasbench (Member)

> Hey @nasbench, any updates on this review? Do you need anything else from me?

Last time I checked this I figured that I would need to perform a little bit more testing to confirm the findings and I just didn't yet get around to it. Overall the rules looked fine, but I would still need to update their metadata (title, description, level) as well as update some of the detection logic, as those fields aren't parsed and are part of the Data element of the event log.

I'll try to get this merged before next release.
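The review point above, that fields sitting inside an unnamed Data element of the event log cannot be matched as named fields and the detection logic has to search the unparsed payload instead, illustrated with an added example that is not part of this PR or of the LDAP Firewall project. The event XML is constructed (ExampleProvider and its payload are stand-ins, not the real LDAPFW event format), the small Sigma-style selection matcher is a simplification of Sigma's semantics, the field name `Data` for the unparsed payload is an assumption of this parser, and `ms-Mcs-AdmPwd` is used only as a plausible searched value for a LAPS-style rule.

```python
import xml.etree.ElementTree as ET

# Constructed sample event (ExampleProvider is a stand-in, not the LDAP Firewall
# event format): one named <Data> field plus an unnamed <Data> element whose
# text carries the remaining attributes as free-form payload.
SAMPLE_EVENT_XML = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ExampleProvider"/>
    <EventID>1</EventID>
    <Channel>Application</Channel>
  </System>
  <EventData>
    <Data Name="Operation">Search</Data>
    <Data>Client=10.0.0.5 BaseDN=DC=corp,DC=local Filter=(objectClass=*) Attributes=ms-Mcs-AdmPwd</Data>
  </EventData>
</Event>
"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Flatten an event into the field names a Sigma rule would reference.

    Named <Data Name="..."> elements become fields of that name; unnamed
    <Data> elements are not parsed and are exposed as a single 'Data' field
    (an assumption of this example, standing in for an unparsed payload).
    """
    root = ET.fromstring(xml_text)
    fields = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=NS),
        "Channel": root.findtext("e:System/e:Channel", namespaces=NS),
    }
    provider = root.find("e:System/e:Provider", namespaces=NS)
    fields["Provider_Name"] = provider.get("Name") if provider is not None else None
    unnamed = []
    for data in root.findall("e:EventData/e:Data", namespaces=NS):
        name = data.get("Name")
        if name:
            fields[name] = data.text or ""
        else:
            unnamed.append(data.text or "")
    fields["Data"] = " ".join(unnamed)
    return fields


def match_selection(fields, selection):
    """Evaluate a Sigma-style selection map: every key must match (AND).

    Supports exact match, the '|contains' modifier, and list values (OR).
    Comparisons are case-insensitive, as Sigma string matching is.
    """
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = fields.get(field)
        if actual is None:          # field absent from the parsed event
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if modifier == "contains":
            hit = any(str(c).lower() in str(actual).lower() for c in candidates)
        elif modifier == "":
            hit = any(str(c).lower() == str(actual).lower() for c in candidates)
        else:
            raise ValueError("unsupported modifier: " + modifier)
        if not hit:
            return False
    return True


def compare_rules(xml_text=SAMPLE_EVENT_XML):
    """Return (named_field_match, raw_data_match) for the sample event."""
    fields = parse_event(xml_text)
    # Rule written as if the provider exposed a parsed 'Attributes' field:
    assumes_parsed = {
        "Provider_Name": "ExampleProvider",
        "EventID": "1",
        "Attributes|contains": "ms-Mcs-AdmPwd",
    }
    # Rule adjusted to search the unparsed Data element instead:
    searches_raw = {
        "Provider_Name": "ExampleProvider",
        "EventID": "1",
        "Data|contains": "ms-Mcs-AdmPwd",
    }
    return match_selection(fields, assumes_parsed), match_selection(fields, searches_raw)


if __name__ == "__main__":
    print(compare_rules())  # (False, True)
```

The first selection never fires because no `Attributes` field exists after parsing; only the second, which searches the unnamed Data payload with a `contains` modifier, matches. Whether a real backend exposes the payload under `Data` or some other name depends on the log pipeline, which is why the rule's field names have to be checked against actual parsed events rather than assumed from the provider's output.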

Labels: Rules, Work In Progress (Some changes are needed)