Update win_nltest_query.yml

modification based on new reports

1. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
-> for (selection_recon1 and selection_recon2)
2. https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters -> nltest example
3. MITRE reference, just for reference to MITRE to gain more insights
4. https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
-> new report about Trickbot with reference to and usage of "nltest", therefore I included the option in this rule
gs3cl
2021-08-18 20:45:18 +00:00
committed by GitHub
parent 39ef3e0df9
commit 92b72ffdc1
@@ -1,24 +1,41 @@
title: Nltest Credential Hash Theft
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
description: Detects nltest query commands which may leak credential hashes
title: Nltest Usage
description: Detects nltest commands that can be used for information discovery
references:
- https://twitter.com/sysopfb/status/986799053668139009
- https://github.com/LOLBAS-Project/LOLBAS/blob/94368c1e69a6ce5ce812f2b331c99b89a63791b9/yml/LOLUtilz/OSBinaries/Nltest.yml
date: 2018/04/18
modified: 2021/01/05
tags:
- attack.credential_access
- attack.t1003
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
- https://attack.mitre.org/techniques/T1482/
- https://attack.mitre.org/techniques/T1016/
- https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
status: experimental
author: Craig Young, oscd.community
author: Craig Young, oscd.community, Georg Lauenstein
date: 2021/07/24
modified: 2021/08/17
tags:
- attack.discovery
- attack.T1016
- attack.T1482
logsource:
category: process_creation
product: windows
category: process_creation
product: windows
detection:
selection:
selection_nltest:
Image|endswith: '\nltest.exe'
CommandLine|contains: '\query'
condition: selection
selection_recon1:
CommandLine|contains|all:
- '/server'
- '/query'
selection_recon2:
CommandLine|startswith:
- '/dclist:'
- '/parentdomain'
- '/domain_trusts'
- '/user'
condition: selection_nltest AND (selection_recon1 OR selection_recon2)
falsepositives:
- Legitimate administration
- To be determined
level: medium
fields:
- Image
- User
- CommandLine
- ParentCommandLine
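Review bot: selection_recon2 uses `CommandLine|startswith` for '/dclist:', '/parentdomain', '/domain_trusts' and '/user', but a process command line begins with the executable (for example `nltest /dclist:...`), so a startswith match on the switch can never fire and `condition: selection_nltest AND (selection_recon1 OR selection_recon2)` effectively collapses to selection_nltest AND selection_recon1; change the modifier to `CommandLine|contains`. Two smaller points: the condition keywords are normally written as lowercase `and`/`or` in Sigma rules, and the rule keeps its `id` while `date` moves from 2018/04/18 to 2021/07/24, which loses the creation date of the original rule; either keep the old `date` and only bump `modified`, or assign a fresh id for what is effectively a new rule. The falsepositives list now carries both "Legitimate administration" and "To be determined", which contradict each other; keep one.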