Hello,
To detect EternalBlue and BlueKeep attacks it is necessary to create rules that can detect these attacks; maybe this community can help you. About the Sigma rules, which rules did you import and how did you import them?
Also, if you share with me what version of Wazuh you are using and how you are replicating the use cases, it may help me in replicating the behavior to find a solution.
Currently, there are no rules for EternalBlue or BlueKeep detection in Wazuh’s default ruleset. You should create them manually. Doing some research, I could see that there are some Snort rules to detect possible EternalBlue attacks. You could use Snort to monitor network traffic and then integrate Snort with Wazuh with the help of localfile. Perhaps Sysmon could also help. The first thing is to see how the attacks can be detected, which events can tell us that something might be going on, and from those events create rules.
About the Sigma rules, there seems to be an error in the MITRE IDs, as they have the following format:
    <mitre>
      <id>attack.execution</id>
      <id>attack.t1047</id>
      <id>attack.t1053.002</id>
      <id>attack.t1569.002</id>
    </mitre>

But they should be:

    <mitre>
      <id>T1047</id>
      <id>T1053.002</id>
      <id>T1569.002</id>
    </mitre>
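As an added example (not from the original post and not part of Wazuh's own tooling), a small Python helper that rewrites Sigma-style <mitre> tags into the format shown above. It assumes the converted rules are plain XML text and that only technique IDs (T1047, T1053.002, ...) belong in the block, so tactic tags such as attack.execution are dropped:

```python
import re

# Sigma-style technique tag as emitted by the converter, e.g. "attack.t1053.002"
_SIGMA_TECHNIQUE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)
# Technique ID already in the form Wazuh expects, e.g. "T1047"
_WAZUH_TECHNIQUE = re.compile(r"^T\d{4}(?:\.\d{3})?$")
_MITRE_BLOCK = re.compile(r"<mitre>(.*?)</mitre>", re.DOTALL)
_ID_TAG = re.compile(r"<id>\s*(.*?)\s*</id>", re.DOTALL)

def convert_ids(ids):
    """Map Sigma tags to Wazuh technique IDs, keeping order and dropping
    duplicates. Tactic tags ("attack.execution") have no technique number
    and are discarded (assumption: Wazuh's <mitre> block takes techniques only)."""
    out = []
    for raw in ids:
        tag = raw.strip()
        m = _SIGMA_TECHNIQUE.match(tag)
        if m:
            tid = m.group(1).upper()          # t1053.002 -> T1053.002
        elif _WAZUH_TECHNIQUE.match(tag):
            tid = tag                          # already correct, keep as is
        else:
            continue                           # tactic or unknown tag: drop
        if tid not in out:
            out.append(tid)
    return out

def fix_mitre_blocks(rule_xml):
    """Rewrite every <mitre>...</mitre> block in a rules file. A block left
    with no technique IDs is removed entirely rather than emitted empty."""
    def _fix(match):
        converted = convert_ids(_ID_TAG.findall(match.group(1)))
        if not converted:
            return ""
        return "<mitre>" + "".join(f"<id>{i}</id>" for i in converted) + "</mitre>"
    return _MITRE_BLOCK.sub(_fix, rule_xml)

# Constructed sample: the tag list from the thread inside a minimal rule.
SAMPLE_RULE = """<rule id="100200" level="8">
  <description>constructed example rule</description>
  <mitre> <id>attack.execution</id> <id>attack.t1047</id> <id>attack.t1053.002</id> <id>attack.t1569.002</id> </mitre>
</rule>"""

if __name__ == "__main__":
    print(fix_mitre_blocks(SAMPLE_RULE))
```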