-
Notifications
You must be signed in to change notification settings - Fork 191
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Detection Rules] Adding Documents for v8.15.1 Pre-Built Detection Ru…
…les (#5612)
- Loading branch information
1 parent
4723e46
commit d4c8c58
Showing
1,281 changed files
with
108,612 additions
and
48,235 deletions.
There are no files selected for viewing
132 changes: 132 additions & 0 deletions
132
...kages/8-15-1/prebuilt-rule-8-15-1-access-to-a-sensitive-ldap-attribute.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,132 @@ | ||
| [[prebuilt-rule-8-15-1-access-to-a-sensitive-ldap-attribute]] | ||
| === Access to a Sensitive LDAP Attribute | ||
|
|
||
| Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. | ||
|
|
||
| *Rule type*: eql | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * winlogbeat-* | ||
| * logs-system.* | ||
| * logs-windows.* | ||
|
|
||
| *Severity*: medium | ||
|
|
||
| *Risk score*: 47 | ||
|
|
||
| *Runs every*: 5m | ||
|
|
||
| *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming | ||
| * https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx | ||
| * https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: Endpoint | ||
| * OS: Windows | ||
| * Use Case: Threat Detection | ||
| * Tactic: Credential Access | ||
| * Tactic: Privilege Escalation | ||
| * Use Case: Active Directory Monitoring | ||
| * Data Source: Active Directory | ||
|
|
||
| *Version*: 11 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Setup | ||
|
|
||
|
|
||
|
|
||
| *Setup* | ||
|
|
||
|
|
||
| The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). | ||
| Steps to implement the logging policy with Advanced Audit Configuration: | ||
|
|
||
| ``` | ||
| Computer Configuration > | ||
| Policies > | ||
| Windows Settings > | ||
| Security Settings > | ||
| Advanced Audit Policies Configuration > | ||
| Audit Policies > | ||
| DS Access > | ||
| Audit Directory Service Access (Success,Failure) | ||
| ``` | ||
|
|
||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and | ||
| not winlog.event_data.SubjectUserSid : "S-1-5-18" and | ||
| winlog.event_data.Properties : ( | ||
| /* unixUserPassword */ | ||
| "*612cb747-c0e8-4f92-9221-fdd5f15b550d*", | ||
| /* ms-PKI-AccountCredentials */ | ||
| "*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*", | ||
| /* ms-PKI-DPAPIMasterKeys */ | ||
| "*b3f93023-9239-4f7c-b99c-6745d87adbc2*", | ||
| /* msPKI-CredentialRoamingTokens */ | ||
| "*b7ff5a38-0818-42b0-8110-d3d154c97f24*" | ||
| ) and | ||
| /* | ||
| Excluding noisy AccessMasks | ||
| 0x0 undefined and 0x100 Control Access | ||
| https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 | ||
| */ | ||
| not winlog.event_data.AccessMask in ("0x0", "0x100") | ||
| ---------------------------------- | ||
|
|
||
| *Framework*: MITRE ATT&CK^TM^ | ||
|
|
||
| * Tactic: | ||
| ** Name: Credential Access | ||
| ** ID: TA0006 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0006/ | ||
| * Technique: | ||
| ** Name: OS Credential Dumping | ||
| ** ID: T1003 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1003/ | ||
| * Technique: | ||
| ** Name: Unsecured Credentials | ||
| ** ID: T1552 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1552/ | ||
| * Sub-technique: | ||
| ** Name: Private Keys | ||
| ** ID: T1552.004 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1552/004/ | ||
| * Tactic: | ||
| ** Name: Privilege Escalation | ||
| ** ID: TA0004 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0004/ | ||
| * Technique: | ||
| ** Name: Valid Accounts | ||
| ** ID: T1078 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1078/ | ||
| * Sub-technique: | ||
| ** Name: Domain Accounts | ||
| ** ID: T1078.002 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1078/002/ |
93 changes: 93 additions & 0 deletions
93
...active-directory-forced-authentication-from-linux-host-smb-named-pipes.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| [[prebuilt-rule-8-15-1-active-directory-forced-authentication-from-linux-host-smb-named-pipes]] | ||
| === Active Directory Forced Authentication from Linux Host - SMB Named Pipes | ||
|
|
||
| Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks. | ||
|
|
||
| *Rule type*: eql | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * logs-endpoint.events.network-* | ||
| * logs-system.security-* | ||
|
|
||
| *Severity*: medium | ||
|
|
||
| *Risk score*: 47 | ||
|
|
||
| *Runs every*: 5m | ||
|
|
||
| *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://github.com/p0dalirius/windows-coerced-authentication-methods | ||
| * https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications | ||
| * https://attack.mitre.org/techniques/T1187/ | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: Endpoint | ||
| * OS: Windows | ||
| * OS: Linux | ||
| * Use Case: Threat Detection | ||
| * Tactic: Credential Access | ||
| * Data Source: Elastic Defend | ||
| * Data Source: Active Directory | ||
| * Use Case: Active Directory Monitoring | ||
|
|
||
| *Version*: 1 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Setup | ||
|
|
||
|
|
||
|
|
||
| *Setup* | ||
|
|
||
|
|
||
| This rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers | ||
| for correlation. Both data sources should be collected from the hosts for this detection to work. | ||
|
|
||
| The 'Audit Detailed File Share' audit policy must be configured (Success Failure). | ||
| Steps to implement the logging policy with Advanced Audit Configuration: | ||
| ``` | ||
| Computer Configuration > | ||
| Policies > | ||
| Windows Settings > | ||
| Security Settings > | ||
| Advanced Audit Policies Configuration > | ||
| Audit Policies > | ||
| Object Access > | ||
| Audit Detailed File Share (Success,Failure) | ||
| ``` | ||
|
|
||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| sequence with maxspan=15s | ||
| [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip | ||
| [file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip | ||
| ---------------------------------- | ||
|
|
||
| *Framework*: MITRE ATT&CK^TM^ | ||
|
|
||
| * Tactic: | ||
| ** Name: Credential Access | ||
| ** ID: TA0006 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0006/ | ||
| * Technique: | ||
| ** Name: Forced Authentication | ||
| ** ID: T1187 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1187/ |
74 changes: 74 additions & 0 deletions
74
...wnloadable-packages/8-15-1/prebuilt-rule-8-15-1-adminsdholder-backdoor.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| [[prebuilt-rule-8-15-1-adminsdholder-backdoor]] | ||
| === AdminSDHolder Backdoor | ||
|
|
||
| Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges. | ||
|
|
||
| *Rule type*: query | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * winlogbeat-* | ||
| * logs-system.* | ||
| * logs-windows.* | ||
|
|
||
| *Severity*: high | ||
|
|
||
| *Risk score*: 73 | ||
|
|
||
| *Runs every*: 5m | ||
|
|
||
| *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://adsecurity.org/?p=1906 | ||
| * https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: Endpoint | ||
| * OS: Windows | ||
| * Use Case: Threat Detection | ||
| * Tactic: Persistence | ||
| * Use Case: Active Directory Monitoring | ||
| * Data Source: Active Directory | ||
|
|
||
| *Version*: 107 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:5136 and | ||
| winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System* | ||
| ---------------------------------- | ||
|
|
||
| *Framework*: MITRE ATT&CK^TM^ | ||
|
|
||
| * Tactic: | ||
| ** Name: Persistence | ||
| ** ID: TA0003 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0003/ | ||
| * Technique: | ||
| ** Name: Valid Accounts | ||
| ** ID: T1078 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1078/ | ||
| * Sub-technique: | ||
| ** Name: Domain Accounts | ||
| ** ID: T1078.002 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1078/002/ | ||
| * Technique: | ||
| ** Name: Account Manipulation | ||
| ** ID: T1098 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1098/ |
Oops, something went wrong.