Nterl0k - T1087.002 - 4662 EventID AD Enumeration #2716
Conversation
Update for better presentation in incident review
update for better presentation in incident review....again
Hello @nterl0k: We are getting some errors for windows_ad_abnormal_object_access_activity.yml. Here is how the given attack data looks in Splunk: you can see that the ObjectName_count is NOT greater than the limit. Do you suspect an issue with the search / the dataset? You may need to dump a new dataset for this detection.
Screenshot without the | where ObjectName_count > limit condition
In our production environment the stddev*3 math seemed to be the sweet spot to avoid the detection being overly sensitive.
I can artificially inflate the dataset to make it work as expected.
If I make a PR to the attack dataset can that be expedited to help with this?
Regards,
Steven.
-------- Original message --------
From: Bhavin Patel ***@***.***>
Date: 9/12/23 7:56 PM (GMT-05:00)
To: splunk/security_content ***@***.***>
Cc: Steven Dick ***@***.***>, Mention ***@***.***>
Subject: Re: [splunk/security_content] Nterl0k - T1087.002 - 4662 EventID AD Enumeration (PR #2716)
Hello @nterl0k<https://github.com/nterl0k>: We are getting some errors for windows_ad_abnormal_object_access_activity.yml. Here is how the given attack data looks in Splunk: you can see that the ObjectName_count is NOT greater than the limit. Do you suspect an issue with the search / the dataset? You may need to dump a new dataset for this detection.
Screenshot without the | where ObjectName_count > limit condition
[image]<https://user-images.githubusercontent.com/7771446/267493748-a79c1a71-2249-4c33-840e-c9e92f426589.png>
@patel-bhavin - I've built an updated dataset that will trigger the detection as expected. - See PR splunk/attack_data#833 for the updated data.
Awesome! I merged the attack_data PR and it looks like this passes our detection testing now! Thank you for being so prompt as always. Closing this PR; we will be merging the updated PR that contains your content, and it will be released in ESCU 4.12.0.
Pending splunk/attack_data#816
Details
Showcases when attackers enumerate AD in mass or for specific high priv (default) groups.
Must allow 4662 events to be ingested by Splunk, which is typically advised against/filtered by the Windows TA.
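The threshold behaviour the thread is debugging (an attack dataset whose ObjectName_count never exceeds a limit derived from stddev*3), modelled in Python as an added example rather than ESCU's own SPL. It assumes the count is distinct ObjectName per user and that the average and sample standard deviation are taken across users; all events are constructed.

```python
# Added example, not ESCU's own search: a Python model of the "avg + 3*stddev"
# limit discussed in this PR, run over constructed 4662-style events.
# Assumptions (the SPL is not shown on the page): the count is distinct
# ObjectName per user, and avg/stdev are computed across users (sample stdev).
from collections import defaultdict
from math import sqrt
from statistics import mean, stdev

def make_events(user_counts):
    """Constructed (user, ObjectName) pairs; one pair per object touched."""
    return [(u, f"CN=obj{i},OU=Users,DC=corp,DC=local")
            for u, n in user_counts.items() for i in range(n)]

# Small dataset: four normal users plus one account that reads 60 objects.
SMALL_EVENTS = make_events({"alice": 3, "bob": 4, "carol": 2, "dave": 5,
                            "svc-scan": 60})
# Larger dataset: twenty low-activity users plus the same scanner.
LARGE_EVENTS = make_events({**{f"user{i}": (i % 4) + 2 for i in range(20)},
                            "svc-scan": 60})

def object_counts(events):
    """ObjectName_count per user (like a per-user dc(ObjectName))."""
    seen = defaultdict(set)
    for user, obj in events:
        seen[user].add(obj)
    return {u: len(objs) for u, objs in seen.items()}

def limit_from_counts(counts, k=3):
    """limit = avg + k*stdev over all users (k=3 is the thread's sweet spot)."""
    vals = list(counts.values())
    return mean(vals) + k * stdev(vals)

def abnormal_users(events, k=3):
    """The '| where ObjectName_count > limit' step; returns (hits, limit)."""
    counts = object_counts(events)
    limit = limit_from_counts(counts, k)
    return {u: c for u, c in counts.items() if c > limit}, limit

def max_possible_zscore(n):
    """Largest (x - avg)/stdev a single point can reach in a sample of n
    values (sample stdev): (n-1)/sqrt(n). This stays below 3 until n >= 11,
    so a small test dataset with one outlier can never cross a 3*stdev limit
    no matter how many objects the outlier touches; the baseline population
    has to be widened, which is what the updated attack dataset does."""
    return (n - 1) / sqrt(n)
```

With the five-user dataset the scanner's 60 reads sit below the computed limit (the outlier inflates the stdev it is measured against), while the 21-user dataset flags it.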
Checklist
<platform>_<mitre att&ck technique>_<short description> nomenclature