.N WinNT_SANS #Policy Name
.L 2 #Policy structure
.D This policy contains rules that detect Microsoft Windows NT issues from the SANS Top 20 list. #Policy Description
.V 1065459508 #Policy revision number
.Z 3017 #Policy ID
.R HTTP_Configuration_Recon #Rule Definition
..D This rule detects any HTTP requests that attempt to retrieve configuration files from the remote system. These configuration files may provide the attacker with additional information to further penetrate the system. #Rule Description
..Z 2977 #Rule ID
..K #Rule And Select logic
..V 25 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *GET* #Regular text
....T *HEAD* #Regular text
....T *POST* #Regular text
....C 0 #Case sensitivity
....Z 2974 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *autoexec.bat* #Regular text
....T *boot.ini* #Regular text
....T *config.sys* #Regular text
....T *win_35/repair/sam._* #Regular text
....T *win_351/repair/sam._* #Regular text
....T *win35/repair/sam._* #Regular text
....T *win351/repair/sam._* #Regular text
....T *win40/repair/sam._* #Regular text
....T *windows/repair/sam._* #Regular text
....T *winnt/repair/sam._* #Regular text
....T *winnt_351/repair/sam._* #Regular text
....C 1 #Case sensitivity
....Z 2975 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 2976 #ID of the clause
.R HTTP_Administration_Recon #Rule Definition
..D This rule detects any HTTP requests that attempt to use the sample applications included with Internet Information Server. It is recommended that they be removed, as there are many known vulnerabilities associated with the provided samples. #Rule Description
..Z 2981 #Rule ID
..K #Rule And Select logic
..V 25 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *GET* #Regular text
....T *HEAD* #Regular text
....T *POST* #Regular text
....C 0 #Case sensitivity
....Z 2978 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T */code.asp* #Regular text
....T */iisadmpwd/* #Regular text
....T */iishelp/* #Regular text
....T */iissamples/* #Regular text
....T */ntadmin/ntadmin.htm* #Regular text
....T */scripts/iisadmin/bdir.htr* #Regular text
....T */viewcode.asp* #Regular text
....T */winmsdp.exe* #Regular text
....C 1 #Case sensitivity
....Z 2979 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 2980 #ID of the clause
.R Remote_Registry_Access_Change #Rule Definition
..D This rule detects changes to the registry that may allow unauthorized users to connect to and modify the Windows registry remotely. The values stored under the 'HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg' key control remote access. #Rule Description
..Z 2984 #Rule ID
..V 65 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SecurePipeServers\winreg\*DELETE* #Regular text
....T *\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SecurePipeServers\winreg\AllowedPaths\Machine =*SET VALUE* #Regular text
....T *\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SecurePipeServers\winreg\AllowedPaths\Users =*SET VALUE* #Regular text
....C 1 #Case sensitivity
....Z 2982 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 2983 #ID of the clause
.R Remote_Registry_Access - Filter #Rule Definition
..D Detects changes to the "HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\" Key. #Regular text
..Z 2986 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SecurePipeServers\winreg\* #Regular text
....T 2097312 #Regular text
....C 0 #Case sensitivity
....Z 2985 #ID of the clause
.R VBScript_Script_File_Changed #Rule Definition
..D This rule detects changes to the "\HKEY_CLASSES_ROOT\.VBS" key. The majority of email-based viruses are written in VBScript, a scripting language used to automate tasks without user intervention. #Rule Description
..Z 2989 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_CLASSES_ROOT\.VBS\*SET VALUE* #Regular text
....C 1 #Case sensitivity
....Z 2987 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 2988 #ID of the clause
.R VBScript_Script_File - Filter #Rule Definition
..D Detects changes to the "HKEY_CLASSES_ROOT\.VBS\" Key. #Regular text
..Z 2991 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_CLASSES_ROOT\.VBS\* #Regular text
....T 2097152 #Regular text
....C 0 #Case sensitivity
....Z 2990 #ID of the clause
.R Newdsn_File_Creation #Rule Definition
..D This rule detects the use of the newdsn sample application that is included with Microsoft Internet Information Server (IIS) 3.0. With a properly formatted request, an attacker can overwrite files on the victim system. #Rule Description
..Z 2994 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *GET*/newdsn?*&dbq*&newdb* #Regular text
....C 1 #Case sensitivity
....Z 2992 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 2993 #ID of the clause
.R Showcode_ASP_FileAccess #Rule Definition
..D This rule detects an attempt to use the showcode.asp file to view possibly sensitive files on the victim machine. Showcode.asp is a sample file that is included in a default installation of Microsoft Internet Information Server (IIS) 4.0. #Rule Description
..Z 2997 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *GET*showcode.asp?source=* #Regular text
....C 1 #Case sensitivity
....Z 2995 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 2996 #ID of the clause
.R IIS_ASP_SourceCode #Rule Definition
..D This rule detects a request to view ASP source code on an Internet Information Server (IIS) system. ASP requests with "::$DATA" appended can return the source code if permissions are improperly set on the shared web directory. #Rule Description
..Z 3000 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *GET*.asp::$DATA* #Regular text
....C 1 #Case sensitivity
....Z 2998 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 2999 #ID of the clause
.R IIS_ISM_Authentication #Rule Definition
..D This rule detects a request to ISM.DLL, an artifact left behind by an upgrade to Internet Information Server (IIS) 4.0 from version 2.0 or 3.0. The file ISM.DLL in the /iisadmin folder is no longer used for IIS 4.0 administration and can be removed. #Rule Description
..Z 3003 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *GET*iisadmin/ism.dll?* #Regular text
....C 1 #Case sensitivity
....Z 3001 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3002 #ID of the clause
.R IIS_MDAC_RDS_RemoteAccess #Rule Definition
..D This rule detects a successful request to the MDAC RDS service. MDAC RDS allows remote data access without user authentication and can be abused to run arbitrary commands on the target system. #Rule Description
..Z 3006 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *GET*/msadc/msadcs.dll*200* #Regular text
....C 0 #Case sensitivity
....Z 3004 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3005 #ID of the clause
.R MSSQL_Weak_Password_Storage #Rule Definition
..D This rule detects a Microsoft SQL Server password being written to the registry. Passwords are weakly encrypted in MSSQL 7.0 and stored in plain text in MSSQL 6.5. It is recommended that the 'Always prompt for login name and password' option be set. #Rule Description
..Z 3009 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server*=*SET VALUE* #Regular text
....C 1 #Case sensitivity
....Z 3007 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3008 #ID of the clause
.R MSSQL_Weak_Password - Filter #Rule Definition
..D Detects changes to the "HKCU\Software\Microsoft\MSSQLServer\SQLEW\" Key. #Regular text
..Z 3011 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_CURRENT_USER\Software\Microsoft\MSSQLServer\SQLEW\* #Regular text
....T 3145728 #Regular text
....C 0 #Case sensitivity
....Z 3010 #ID of the clause
.R MSSQL_Service_Object - Changed #Rule Definition
..D This rule detects changes to the Microsoft SQL Server service start object in the registry. Incorrectly set default permissions on these keys can allow an attacker to change the credentials used when starting SQL Server (7.0 and 2000). #Rule Description
..Z 3014 #Rule ID
..V 75 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\MSSQLSERVER\ObjectName*SET VALUE* #Regular text
....C 1 #Case sensitivity
....Z 3012 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3013 #ID of the clause
.R MSSQL_Service_Object - Filter #Rule Definition
..D Detects changes to the "ObjectName" Value under the "HKLM\SYSTEM\CurrentControlSet\Services\MSSQLSERVER\" Key. #Regular text
..Z 3016 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\MSSQLSERVER\* #Regular text
....T 3145728 #Regular text
....C 0 #Case sensitivity
....Z 3015 #ID of the clause