.N W2K_SANS #Policy Name
.L 2 #Policy structure
.D This policy contains rules that detect Microsoft Windows 2000 issues from the SANS Top 20 list. #Policy Description
.V 1065030844 #Policy revision number
.Z 3052 #Policy ID
.Z 3052 #Policy ID
.R IIS_Printer_ISAPI_Extension_BO #Rule Definition
..D This rule detects an attempted buffer overflow to the Internet Printing ISAPI extension. #Rule Description
..Z 3020 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *GET*null.printer* #Regular text
....C 1 #Case sensitivity
....Z 3018 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3019 #ID of the clause
.R IIS_ASP_SourceCode #Rule Definition
..D This rule detects a request to view ASP source code on an Internet Information Server (IIS) system. ASP requests with "::$DATA" appended can return the source code if permissions are improperly set on the shared web directory. #Rule Description
..Z 3023 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *GET*.asp::$DATA* #Regular text
....C 1 #Case sensitivity
....Z 3021 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3022 #ID of the clause
.R MSSQL_Service_Object_Changed #Rule Definition
..D This rule detects changes to the Microsoft SQL Server service start object in the registry. Incorrectly set default permissions on these keys can allow an attacker to change the credentials used when starting the SQL Server (7.0 and 2000). #Rule Description
..Z 3026 #Rule ID
..V 75 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\MSSQLSERVER\ObjectName =*SET VALUE* #Regular text
....C 1 #Case sensitivity
....Z 3024 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3025 #ID of the clause
.R MSSQL_Service_Object - Filter #Rule Definition
..D Detects changes to the "HKLM\SYSTEM\CurrentControlSet\Services\MSSQLSERVER\" Key "ObjectName" Value. #Regular text
..Z 3028 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\MSSQLSERVER\* #Regular text
....T 3145728 #Regular text
....C 0 #Case sensitivity
....Z 3027 #ID of the clause
.R LMHash_Storing_Enabled #Rule Definition
..D This rule detects changes to the Windows registry that enable the storing of LM Hashes. It is recommended that customers disable the caching of LM Hashes on Microsoft Windows Systems. #Rule Description
..Z 3031 #Rule ID
..V 60 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\LSA\NoLMHash*DELETE* #Regular text
....C 1 #Case sensitivity
....Z 3029 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3030 #ID of the clause
.R LMHash_Storing - Filter #Rule Definition
..D Detects changes to the "HKLM\SYSTEM\CurrentControlSet\Control\LSA\" Key "NoLMHash" Value. #Regular text
..Z 3033 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\LSA\NoLMHash #Regular text
....T 160 #Regular text
....C 0 #Case sensitivity
....Z 3032 #ID of the clause
.R VBScript_Script_File_Changed #Rule Definition
..D This rule detects changes to the "\HKEY_CLASSES_ROOT\.VBS" key. The majority of email-based viruses are often written in VBScript, a scripting language used to automate tasks without user intervention. #Rule Description
..Z 3036 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_CLASSES_ROOT\.VBS\*SET VALUE* #Regular text
....C 1 #Case sensitivity
....Z 3034 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3035 #ID of the clause
.R VBScript_Script_File - Filter #Rule Definition
..D Detects changes to the "HKEY_CLASSES_ROOT\.VBS\" Key. #Regular text
..Z 3038 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_CLASSES_ROOT\.VBS\* #Regular text
....T 2097152 #Regular text
....C 0 #Case sensitivity
....Z 3037 #ID of the clause
.R Remote_Registry_Access_Change #Rule Definition
..D This rule detects changes to the registry that may allow unauthorized users to connect and modify the Windows registry remotely. The values stored under the 'HKLM\CurrentControlSet\Control\SecurePipeServers\winreg' hive control remote access. #Rule Description
..Z 3041 #Rule ID
..V 65 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SecurePipeServers\winreg\*DELETE* #Regular text
....T *\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SecurePipeServers\winreg\AllowedPaths\Machine =*SET VALUE* #Regular text
....T *\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SecurePipeServers\winreg\AllowedPaths\Users =*SET VALUE* #Regular text
....C 1 #Case sensitivity
....Z 3039 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3040 #ID of the clause
.R Remote_Registry_Access - Filter #Rule Definition
..D Detects changes to the "HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\" Key. #Regular text
..Z 3043 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SecurePipeServers\winreg\* #Regular text
....T 2097312 #Regular text
....C 0 #Case sensitivity
....Z 3042 #ID of the clause
.R HTTP_Administration_Recon #Rule Definition
..D This rule detects any HTTP requests which attempt to use sample applications which are included with the Internet Information Server. It is recommended that they are removed as there are many known vulnerabilities associated with the provided samples. #Rule Description
..Z 3047 #Rule ID
..K #Rule And Select logic
..V 25 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *GET* #Regular text
....T *HEAD* #Regular text
....T *POST* #Regular text
....C 0 #Case sensitivity
....Z 3044 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T */code.asp* #Regular text
....T */iisadmpwd/* #Regular text
....T */iishelp/* #Regular text
....T */iissamples/* #Regular text
....T */ntadmin/ntadmin.htm* #Regular text
....T */scripts/iisadmin/bdir.htr* #Regular text
....T */viewcode.asp* #Regular text
....T */winmsdp.exe* #Regular text
....C 1 #Case sensitivity
....Z 3045 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3046 #ID of the clause
.R HTTP_Configuration_Recon #Rule Definition
..D This rule detects any HTTP requests which attempt to retrieve configuration files from the remote system. These configuration files may provide the attacker with additional information to further penetrate the system. #Rule Description
..Z 3051 #Rule ID
..K #Rule And Select logic
..V 25 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *GET* #Regular text
....T *HEAD* #Regular text
....T *POST* #Regular text
....C 0 #Case sensitivity
....Z 3048 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *autoexec.bat* #Regular text
....T *boot.ini* #Regular text
....T *config.sys* #Regular text
....C 1 #Case sensitivity
....Z 3049 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3050 #ID of the clause