Anomaly detection for Asp.Net

Detects suspicious ASP.NET log events that may indicate potential security threats

Sigma rule

```yaml
title: Anomaly detection for Asp.Net
id: 822569af-9133-4eb6-968d-a1f53ada1170
status: experimental
description: Detecting suspicious log events which lead to potential security threats
author: Loginsoft Research Unit
references:
    - Internal Research
date: 2020/09/17
logsource:
    product: Asp.Net
detection:
    keywords:
      - Invalid certificate store location '{*}'
      - The name '{*}' is not a safe file name, using '{*}' instead
      - User profile not available. Using '{*}' as key repository and Windows DPAPI to encrypt keys at rest
      - 'ValidateAsync failed: unhandled exception was thrown'
      - 'The request path {*} does not match a supported file type'
      - 'Certificate validation failed, subject was {*}'
      - 'Access was denied by the resource owner or by the remote server'
      - 'The redirect URI is not well-formed. The URI is:'
      - 'Endpoint {*} contains authorization metadata, but a middleware was not found that supports authorization'
      - 'Route exceeds the maximum number of allowed segments of 28 and is unable to be processed'
      - There was an error loading the certificate. The file '{*}' was not found
      - IdentityResource '{*}' not found
      - 'More bytes written than specified in the Content-Length header'
      - 'Application DLL was not found at *. Confirm the application dll is present. Single-file deployments are not supported in IIS'
      - 'Executable was not found at'
      - 'CLR worker thread exited prematurely'
      - 'Security stamp validation failed, rejecting cookie'
      - 'Failed to validate a security stamp'
      - 'VerifyUserTokenAsync() failed with purpose: {*} for user {*}'
      - 'User {*} is locked out'
      - 'Failed to connect, retry limit exceeded'
      - 'Attempted to check whether process * was running, but got a permissions error'
      - 'There was an error trusting the certificate'
      - 'ValidateAsync failed: the expiration time is invalid'
      - 'This request uses the HTTP OPTIONS method but does not have an Access-Control-Request-Method header. This request will not be treated as a CORS preflight reques'
      - 'Illegal frame body length:'
      - 'Request method * not allowed in CORS policy'
      - 'Server execution failed with response {*}. For more info, check the server log file in the location specified by the * environment variable'
      - 'Failed to deserialize antiforgery tokens'
      - Request header '{*}' not allowed in CORS policy
      - The response could not be cached for this request because the '{*}' did not match the body length
      - The correlation cookie value '{*}' did not match the expected value '{*}'
      - 'The Validated Security Token must be of type JwtSecurityToken, but instead its type is:'
      - 'Server returned handshake error: {*}'
      - 'Key ring failed to load during application startup'
      - 'Unable to make HTTPS certificate key trusted across'
      - 'Failed to deserialize the component descriptor'
      - 'Failed to parse the event data when trying to dispatch an event'
      - 'CORS policy execution failed'
      - 'No CORS policy found for the specified request'
      - 'Application .dll was not found at'
      - 'The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the policy by listing individual origins if credentials needs to be supported'
      - 'Found malformed end component comment at'
      - 'Possible EventEmitter memory leak detected. * added. Use emitter.setMaxListeners() to'
      - 'Unable to make HTTPS certificate key trusted across security partitions'
      - 'An error occurred reading the client certificate'
      - Encrypting using a null encryptor; secret information isn't being protected
      - 'Key * was revoked. Unprotect operation cannot proceed'
      - 'As of "*", the heartbeat has been running for "*" which is longer than "*". This could be caused by thread pool starvation'
      - 'Not https, skipping certificate authentication'
      - 'Antiforgery validation failed with message'
      - 'User password validation failed: *'
      - 'Assertion failed - heap is currently locked'
    condition: keywords
falsepositives:
    - Unknown
level: high
```
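As an added example (not part of the published rule or of Loginsoft's work), the following Python evaluator applies Sigma `keywords` matching semantics to a few of the keywords above and runs them over constructed ASP.NET log lines; the log lines and the GUID in them are constructed. It also shows a caveat worth knowing before deploying this rule: Sigma treats `{` and `}` as literal characters, so a `{*}` keyword only fires if the logging pipeline ships the message template rather than the rendered message.

```python
import re

# Subset of the rule's keyword list; '*' is a Sigma wildcard, braces are literal text.
KEYWORDS = [
    "Security stamp validation failed, rejecting cookie",
    "Key * was revoked. Unprotect operation cannot proceed",
    "User {*} is locked out",
    "Not https, skipping certificate authentication",
]

def sigma_keyword_to_regex(keyword: str) -> re.Pattern:
    """Sigma semantics: '*' = any run of characters, '?' = one character,
    everything else literal, case-insensitive, matched anywhere in the event."""
    parts = []
    for ch in keyword:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

PATTERNS = [(kw, sigma_keyword_to_regex(kw)) for kw in KEYWORDS]

def evaluate(log_lines):
    """Return (line, keyword) for each event satisfying 'condition: keywords' (an OR)."""
    hits = []
    for line in log_lines:
        for kw, pattern in PATTERNS:
            if pattern.search(line):
                hits.append((line, kw))
                break  # the first matching keyword is enough for the OR condition
    return hits

# Constructed sample events, rendered the way a console or file sink emits them.
SAMPLE_LOG = [
    "warn: Microsoft.AspNetCore.Identity.SecurityStampValidator[0] "
    "Security stamp validation failed, rejecting cookie.",
    "crit: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[0] "
    "Key {0f0a1b2c-3d4e-5f60-7182-93a4b5c6d7e8} was revoked. Unprotect operation cannot proceed.",
    "warn: Microsoft.AspNetCore.Identity.UserManager[0] User alice is locked out.",
    "info: Microsoft.Hosting.Lifetime[0] Application started. Press Ctrl+C to shut down.",
]

if __name__ == "__main__":
    for line, kw in evaluate(SAMPLE_LOG):
        print(f"MATCH [{kw}] <- {line}")
    # The lockout line is missed: the rendered message has no braces, so '{*}' never fires.
```

Running it yields two matches (the security-stamp and revoked-key events); the lockout event is missed because its rendered message contains no braces.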
