Skip to main content

yara L rule

  • October 4, 2024
  • 3 replies
  • 41 views
A
Forum|alt.badge.img+7

So I am writing few rules for detcting windows events.

The first one is : 

rule A_security_enabled_local_group_was_deleted {
 
  meta:
    author = "ABC"
    description = "This event generates every time a new security-enabled local group was deleted."
    severity = "Low"

  events:
    $e.metadata.vendor_name = "Microsoft"
    $e.metadata.product_event_type = "4734"

  outcome:
    $risk_score = max(20)

  condition:
    $e
}



Any suggestions? so as how to do this. Like what details can I include and how to proceed. 
@AymanC  @jstoner 

3 replies

AymanC
Forum|alt.badge.img+14
  • AymanCBronze 5
  • Bronze 5
  • October 4, 2024

Hi @anurag.q.singh

If you're only trying to capture Event Type 4734 events, the above rule would satisfy that requirement.

Kind Regards,

Ayman C

A
Forum|alt.badge.img+7
rule A_security_enabled_local_group_was_deleted {
 
  meta:
    author = "ABC"
    description = "This event generates every time a new security-enabled local group was deleted."
    severity = "Low"

  events:
    $e.metadata.vendor_name = "Microsoft"
    $e.metadata.product_event_type = "4734"
    $e.principal.user.userid = $user
    $e.target.group.windows_sid = $sid
    $e.target.group.group_display_name = $group_name


  outcome:
    $risk_score = max(20)  

    $alertDesc = array_distinct(strings.concat("The user '", $user, "' deleted a security enabled local group with the group ID  '", $sid, "'and group name'", $group_name, "'. The user was logged in to the host : '", $e.principal.asset.hostname, "'under the domain '", $e.principal.administrative_domain))

  condition:
    $e
}


can'/t I change if the group deleted correspond to the critical local or domain security groups like built-in local administrators group, domain admins, enterprise admins, etc.and if it has then assign a higher risk score. If possible then which field should I check and how to do this?


@AymanC 
malvarez12
Forum|alt.badge.img+1
  • malvarez12Bronze 1
  • Bronze 1
  • October 4, 2024
rule A_security_enabled_local_group_was_deleted {
 
  meta:
    author = "ABC"
    description = "This event generates every time a new security-enabled local group was deleted."
    severity = "Low"

  events:
    $e.metadata.vendor_name = "Microsoft"
    $e.metadata.product_event_type = "4734"
    $e.principal.user.userid = $user
    $e.target.group.windows_sid = $sid
    $e.target.group.group_display_name = $group_name


  outcome:
    $risk_score = max(20)  

    $alertDesc = array_distinct(strings.concat("The user '", $user, "' deleted a security enabled local group with the group ID  '", $sid, "'and group name'", $group_name, "'. The user was logged in to the host : '", $e.principal.asset.hostname, "'under the domain '", $e.principal.administrative_domain))

  condition:
    $e
}


can'/t I change if the group deleted correspond to the critical local or domain security groups like built-in local administrators group, domain admins, enterprise admins, etc.and if it has then assign a higher risk score. If possible then which field should I check and how to do this?


@AymanC 

Hey  @anurag.q.singh 

You can try a combination of Lists and If() statements in the `Outcome:` section. Create a List of all High priority Security groups. Then, make your $risk_score dynamic by adding the following in the Outcome section:

 $risk_score = sum(45 + if($group_name in %High_Priority_Security_Groups, 55, 0))

So your rule would be:

 

rule A_security_enabled_local_group_was_deleted { meta: author = "ABC" description = "This event generates every time a new security-enabled local group was deleted." severity = "Low" events: $e.metadata.vendor_name = "Microsoft" $e.metadata.product_event_type = "4734" $e.principal.user.userid = $user $e.target.group.windows_sid = $sid $e.target.group.group_display_name = $group_name outcome: //$risk_score = max(20) $risk_score = sum(45 + if($group_name in %High_Priority_Security_Groups, 55, 0)) $alertDesc = array_distinct(strings.concat("The user '", $user, "' deleted a security enabled local group with the group ID '", $sid, "'and group name'", $group_name, "'. The user was logged in to the host : '", $e.principal.asset.hostname, "'under the domain '", $e.principal.administrative_domain)) condition: $e }

 

 
 
 
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.