From a6e7866faab024d82ceb99fdd9882c07f0faffd3 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 27 Apr 2022 10:02:01 +0200
Subject: [PATCH] refactor: field IpAddress in ID 4624/4625 refactoring

---
 rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml | 4 ++--
 rules-unsupported/win_dumping_ntdsdit_via_netsync.yml | 3 ++-
 .../security/win_petitpotam_susp_tgt_request.yml | 4 ++--
 .../builtin/security/win_rdp_localhost_login.yml | 4 ++--
 ...in_remote_registry_management_using_reg_utility.yml | 4 ++--
 .../builtin/security/win_susp_failed_logon_source.yml | 10 +++++-----
 .../win_susp_failed_remote_logons_single_source.yml | 4 ++--
 .../windows/builtin/security/win_susp_rottenpotato.yml | 4 ++--
 tools/config/ala.yml | 1 +
 tools/config/ecs-ms365_defender.yml | 1 +
 tools/config/fireeye-helix.yml | 1 +
 tools/config/hawk.yml | 1 +
 tools/config/helk.yml | 1 +
 tools/config/humio.yml | 1 +
 tools/config/logrhythm_winevent.yml | 3 +++
 tools/config/winlogbeat-modules-enabled.yml | 1 +
 tools/config/winlogbeat-old.yml | 1 +
 tools/config/winlogbeat.yml | 1 +
 18 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml b/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml
index 6e8edac17..29192750e 100644
--- a/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml
+++ b/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml
@@ -3,7 +3,7 @@ id: 51238c62-2b29-4539-ad75-e94575368a12
 description: ntds.dit retrieving using synchronisation with legitimate domain controller using Directory Replication Service Remote Protocol
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/10/24
-modified: 2019/11/13
+modified: 2022/04/27
 references:
     - https://twitter.com/gentilkiwi/status/1003236624925413376
     - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
@@ -19,7 +19,7 @@ detection:
         EventID: 4624
         ComputerName: '%DomainControllersNamesList%'
     selection2:
-        IpAddress: '%DomainControllersIpsList%'
+        SourceNetworkAddress: '%DomainControllersIpsList%'
     selection3:
         EventID: 4662
         ComputerName: '%DomainControllersNamesList%'
diff --git a/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml b/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
index 884598897..150e6c562 100644
--- a/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
+++ b/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
@@ -3,6 +3,7 @@ id: 757b2a11-73e7-411a-bd46-141d906e0167
 description: ntds.dit retrieving (only computer accounts) using synchronisation with legit domain controller using Netlogon Remote Protocol
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/11/01
+modified: 2022/04/27
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
@@ -16,7 +17,7 @@ detection:
         EventID: 4624
         ComputerName: '%DomainControllersNamesList%'
     selection2:
-        IpAddress: '%DomainControllersIpsList%'
+        SourceNetworkAddress: '%DomainControllersIpsList%'
     selection3:
         EventID: 5145
         ComputerName: '%DomainControllersNamesList%'
diff --git a/rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml b/rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml
index 059e919a5..b4fff0afc 100644
--- a/rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml
+++ b/rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml
@@ -10,7 +10,7 @@ description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a
 status: experimental
 author: Mauricio Velazco, Michael Haag
 date: 2021/09/02
-modified: 2021/09/07
+modified: 2022/04/27
 references:
     - https://github.com/topotam/PetitPotam
     - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
@@ -28,7 +28,7 @@ detection:
         TargetUserName|endswith: '$'
         CertThumbprint: '*'
     filter_local:
-        IpAddress: '::1'
+        ClientAddress: '::1'
     filter_thumbprint:
         CertThumbprint: ''
     condition: selection and not 1 of filter_*
diff --git a/rules/windows/builtin/security/win_rdp_localhost_login.yml b/rules/windows/builtin/security/win_rdp_localhost_login.yml
index 26c9954fd..6964f97a5 100644
--- a/rules/windows/builtin/security/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/security/win_rdp_localhost_login.yml
@@ -4,7 +4,7 @@ description: RDP login with localhost source address may be a tunnelled login
 references:
     - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 date: 2019/01/28
-modified: 2021/07/07
+modified: 2022/04/27
 tags:
     - attack.lateral_movement
     - car.2013-07-002
@@ -18,7 +18,7 @@ detection:
     selection:
         EventID: 4624
         LogonType: 10
-        IpAddress:
+        SourceNetworkAddress:
             - '::1'
             - '127.0.0.1'
     condition: selection
diff --git a/rules/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml b/rules/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml
index 86a109be7..4069e7063 100644
--- a/rules/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml
+++ b/rules/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml
@@ -6,7 +6,7 @@ author: Teymur Kheirkhabarov, oscd.community
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 date: 2019/10/22
-modified: 2021/11/27
+modified: 2022/04/27
 logsource:
     product: windows
     service: security
@@ -15,7 +15,7 @@ detection:
         EventID: 5145
         RelativeTargetName|contains: '\winreg'
     filter:
-        IpAddress: '%Admins_Workstations%'
+        SourceAddress: '%Admins_Workstations%'
     condition: selection_1 and not filter
 falsepositives:
     - Legitimate usage of remote registry management by administrator
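Review bot: `ClientAddress: '::1'` in filter_local introduces a field name that none of the backend configs patched in this commit map — every added mapping is for `SourceNetworkAddress`, and the other rules in the same commit rename the identical `IpAddress` field to `SourceNetworkAddress`. Because the rule's condition is `selection and not 1 of filter_*`, a backend that has no mapping for `ClientAddress` still compiles the rule, but the loopback exclusion becomes a no-op and every local TGT request with a certificate is alerted on. Either keep the rename consistent with the sibling rules, `SourceNetworkAddress: '::1'`, or add a `ClientAddress` entry next to each `SourceNetworkAddress` mapping. I cannot see whether any config already maps `ClientAddress` from an earlier commit, so a grep of tools/config before merging would settle it.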
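Review bot: The 5145 filter is renamed to `SourceAddress` rather than `SourceNetworkAddress`, and the commit adds no `SourceAddress` mapping; the only one visible in this diff is the pre-existing `SourceAddress: source.ip` context line in winlogbeat-modules-enabled.yml. The field sits in an exclusion (`selection_1 and not filter`), so on a backend that does not translate `SourceAddress` the rule does not fail, it silently widens to every `\winreg` access including the admin workstations the `%Admins_Workstations%` placeholder was meant to drop. If 5145 is meant to share the 4624/4625 abstraction, `SourceNetworkAddress: '%Admins_Workstations%'` is already covered by the mappings added here; otherwise each backend config needs a `SourceAddress` entry pointing at the field the rule previously queried, `IpAddress`.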
diff --git a/rules/windows/builtin/security/win_susp_failed_logon_source.yml b/rules/windows/builtin/security/win_susp_failed_logon_source.yml
index 798435a98..8cfbd1e43 100644
--- a/rules/windows/builtin/security/win_susp_failed_logon_source.yml
+++ b/rules/windows/builtin/security/win_susp_failed_logon_source.yml
@@ -4,7 +4,7 @@ status: test
 description: A login from a public IP can indicate a misconfigured firewall or network boundary.
 author: NVISO
 date: 2020/05/06
-modified: 2021/11/27
+modified: 2022/04/27
 logsource:
     product: windows
     service: security
@@ -12,9 +12,9 @@ detection:
     selection:
         EventID: 4625
     ip_unknown:
-        IpAddress|contains: '-'
+        SourceNetworkAddress|contains: '-'
     ip_privatev4:
-        IpAddress|startswith:
+        SourceNetworkAddress|startswith:
             - '10.' #10.0.0.0/8
             - '192.168.' #192.168.0.0/16
             - '172.16.' #172.16.0.0/12
@@ -36,8 +36,8 @@ detection:
             - '127.' #127.0.0.0/8
             - '169.254.' #169.254.0.0/16
     ip_privatev6:
-        - IpAddress: '::1' #loopback
-        - IpAddress|startswith:
+        - SourceNetworkAddress: '::1' #loopback
+        - SourceNetworkAddress|startswith:
             - 'fe80::' #link-local
             - 'fc00::' #unique local
     condition: selection and not 1 of ip_*
diff --git a/rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml b/rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml
index 960b853af..e975bc511 100644
--- a/rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml
+++ b/rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml
@@ -6,7 +6,7 @@ author: Mauricio Velazco
 references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 date: 2021/06/01
-modified: 2021/07/09
+modified: 2022/04/27
 tags:
     - attack.t1110.003
     - attack.initial_access
@@ -19,7 +19,7 @@ detection:
         EventID: 4625
         LogonType: 3
     filter:
-        IpAddress: '-'
+        SourceNetworkAddress: '-'
     timeframe: 24h
     condition:
         - selection1 and not filter | count(TargetUserName) by IpAddress > 10
diff --git a/rules/windows/builtin/security/win_susp_rottenpotato.yml b/rules/windows/builtin/security/win_susp_rottenpotato.yml
index b685533d3..525b44f95 100644
--- a/rules/windows/builtin/security/win_susp_rottenpotato.yml
+++ b/rules/windows/builtin/security/win_susp_rottenpotato.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/SBousseaden/status/1195284233729777665
 author: '@SBousseaden, Florian Roth'
 date: 2019/11/15
-modified: 2021/07/07
+modified: 2022/04/27
 tags:
     - attack.privilege_escalation
     - attack.credential_access
@@ -20,7 +20,7 @@ detection:
         LogonType: 3
         TargetUserName: 'ANONYMOUS_LOGON'
         WorkstationName: '-'
-        IpAddress: '127.0.0.1'
+        SourceNetworkAddress: '127.0.0.1'
     condition: selection
 falsepositives:
     - Unknown
diff --git a/tools/config/ala.yml b/tools/config/ala.yml
index e9110fc72..007ccd8be 100644
--- a/tools/config/ala.yml
+++ b/tools/config/ala.yml
@@ -88,6 +88,7 @@ fieldmappings:
     event_data.Signature: Signature
     event_data.Source: Source
     event_data.SourceImage: SourceImage
+    event_data.SourceNetworkAddress: IpAddress
     event_data.StartModule: StartModule
     event_data.Status: Status
     event_data.SubjectUserName: SubjectUserName
diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml
index 9bf978674..d5a1ff76d 100644
--- a/tools/config/ecs-ms365_defender.yml
+++ b/tools/config/ecs-ms365_defender.yml
@@ -15,4 +15,5 @@ fieldmappings:
     registryKey: microsoft.m365_defender.alerts.entities.registryKey
     registryValueType: microsoft.m365_defender.alerts.entities.registryValueType
     ipAddress: microsoft.m365_defender.alerts.entities.ipAddress
+    SourceNetworkAddress: microsoft.m365_defender.alerts.entities.ipAddress
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index 4fbba8b3e..f847a146e 100644
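Review bot: The aggregation in `condition` still groups on the old field, `count(TargetUserName) by IpAddress > 10`, while the filter directly above it now uses `SourceNetworkAddress`. On any backend where the two names resolve to different columns — winlogbeat.yml in this same commit points `SourceNetworkAddress` at `winlog.event_data.SourceIp` — the filter and the group-by key no longer refer to the same source address, so the per-source threshold the rule is built around is computed over a field the rest of the rule does not constrain. Change the line to `- selection1 and not filter | count(TargetUserName) by SourceNetworkAddress > 10` so the rename is complete within the rule.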
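Review bot: The new ala.yml entry is keyed `event_data.SourceNetworkAddress`, yet the rules in this commit reference the bare field `SourceNetworkAddress`. The surrounding lines all follow an `event_data.X: X` pattern, so this may be how the ALA backend keys its lookups, but if rule fields are looked up literally the new key is never consulted and the untranslated `SourceNetworkAddress` reaches the query while the intended target `IpAddress` does not. Worth confirming against the backend code; if the prefix is not applied automatically the entry should read `SourceNetworkAddress: IpAddress`, matching the shape used in the other configs patched here.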
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -182,6 +182,7 @@ fieldmappings:
     SourceImage: process
     SourceIp: ~srcipv4
     SourcePort: srcport
+    SourceNetworkAddress: ~srcipv4
     src: ~srcipv4
     src_ip: ~srcipv4
     src_port: srcport
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index c99676763..b88f6f0ab 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -519,6 +519,7 @@ fieldmappings:
     DeviceClassName: object_name
     CallTrace: calltrace
     IpAddress: ip_src
+    SourceNetworkAddress: ip_src
     WorkstationName: hostname_src
     Workstation: hostname_src
     DestinationIp: ip_dst
diff --git a/tools/config/helk.yml b/tools/config/helk.yml
index c6077fa77..12c43de63 100644
--- a/tools/config/helk.yml
+++ b/tools/config/helk.yml
@@ -145,6 +145,7 @@ fieldmappings:
     SourceHostname: src_host_name
     SourceImage: process_path
     SourceIp: src_ip_addr
+    SourceNetworkAddress: src_ip_addr
     SourcePort: src_port
     SourcePortName: src_port_name
     StartAddress: thread_start_address
diff --git a/tools/config/humio.yml b/tools/config/humio.yml
index 51c5a06dd..b800dc2f8 100644
--- a/tools/config/humio.yml
+++ b/tools/config/humio.yml
@@ -427,6 +427,7 @@ fieldmappings:
     Source: winlog.event_data.Source
     SourceImage: winlog.event_data.SourceImage
     SourceIp: winlog.event_data.SourceIp
+    SourceNetworkAddress: winlog.event_data.IpAddress
     StartModule: winlog.event_data.StartModule
     Status: winlog.event_data.Status
     SubjectUserName: winlog.event_data.SubjectUserName
diff --git a/tools/config/logrhythm_winevent.yml b/tools/config/logrhythm_winevent.yml
index 9ca034ab7..198fa1fd3 100644
--- a/tools/config/logrhythm_winevent.yml
+++ b/tools/config/logrhythm_winevent.yml
@@ -32,6 +32,9 @@ fieldmappings:
     IpAddress:
         - originIp
         - impactedIp
+    SourceNetworkAddress:
+        - originIp
+        - impactedIp
     ErrorCode: responseCode
     Task: vendorInfo
     PrivilegeList: subject
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 4b2b8cce1..95a71c1ed 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -471,6 +471,7 @@ fieldmappings:
     SidHistory: winlog.event_data.SidHistory
     SidList: winlog.event_data.SidList
     SourceAddress: source.ip
+    SourceNetworkAddress: source.ip
     Status: winlog.event_data.Status
     StartType: winlog.event_data.StartType
     SubcategoryGuid: winlog.event_data.SubcategoryGuid
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 87dea853a..d157d0c40 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -152,6 +152,7 @@ fieldmappings:
     Signature: event_data.Signature
     Source: event_data.Source
     SourceImage: event_data.SourceImage
+    SourceNetworkAddress: event_data.IpAddress
     StartModule: event_data.StartModule
     Status: event_data.Status
     SubjectUserName: event_data.SubjectUserName
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index ae725f338..55d9e45fa 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -179,6 +179,7 @@ fieldmappings:
     Source: winlog.event_data.Source
     SourceImage: winlog.event_data.SourceImage
     SourceIp: winlog.event_data.SourceIp
+    SourceNetworkAddress: winlog.event_data.SourceIp
     src_ip: winlog.event_data.SourceIp
     SourcePort: winlog.event_data.SourcePort
     src_port: winlog.event_data.SourcePort
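Review bot: `SourceNetworkAddress: winlog.event_data.SourceIp` in winlogbeat.yml disagrees with the two sibling configs patched in this commit: humio.yml and winlogbeat-old.yml both point the new field at `event_data.IpAddress`, which is the field every renamed rule queried before this change. The neighbouring `SourceIp`/`src_ip` context lines map a different rule field, so this looks like a copy of the line above rather than a deliberate divergence; with it, the 4624/4625 rules renamed here are translated to a column they never used on plain Winlogbeat and stop matching silently. Unless winlogbeat.yml is meant to differ, change the line to `SourceNetworkAddress: winlog.event_data.IpAddress`.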