From c843293e4761540f56c1c2d7d2efcc9daec4fdfd Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 11 Mar 2022 18:14:09 +0100 Subject: [PATCH] rules: NTDS.DIT exfiltration
---
 .../file_event/file_event_win_ntds_dit.yml | 45 +++++++++++++ .../file_event_win_ntds_exfil_tools.yml | 25 +++++++ .../proc_creation_win_susp_ntds.yml | 66 +++++++++++++++++++ 3 files changed, 136 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_win_ntds_dit.yml
 create mode 100644 rules/windows/file_event/file_event_win_ntds_exfil_tools.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_ntds.yml
diff --git a/rules/windows/file_event/file_event_win_ntds_dit.yml b/rules/windows/file_event/file_event_win_ntds_dit.yml
new file mode 100644
index 000000000..d95195744
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_ntds_dit.yml
@@ -0,0 +1,45 @@
+title: Suspicious NTDS.DIT Creation
+id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
+description: Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner
+status: experimental
+author: Florian Roth
+references:
+ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
+ - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
+ - https://pentestlab.blog/tag/ntds-dit/
+ - https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1
+date: 2022/03/11
+tags:
+ - attack.credential_access
+ - attack.t1003.003
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_file:
+ TargetFilename|endswith: '\ntds.dit'
+ selection_process:
+ - ParentImage|endswith:
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\w3wp.exe'
+ - '\php-cgi.exe'
+ - '\nginx.exe'
+ - '\httpd.exe'
+ - ParentImage|contains:
+ - '\apache'
+ - '\tomcat'
+ - '\AppData\'
+ - '\Temp\'
+ - '\Public\'
+ - '\PerfLogs\'
+ - Image|contains:
+ - '\AppData\'
+ - '\Temp\'
+ - '\Public\'
+ - '\PerfLogs\'
+ condition: selection_file and 1 of selection_process*
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/file_event/file_event_win_ntds_exfil_tools.yml b/rules/windows/file_event/file_event_win_ntds_exfil_tools.yml
new file mode 100644
index 000000000..055ca56b7
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_ntds_exfil_tools.yml
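Review bot: The description says the rule covers ntds.dit created "in a suspicious directory", but `selection_process` only inspects `Image` and `ParentImage`; the `TargetFilename` directory is never tested, so a copy written to a Public or Temp folder by a plain `cmd.exe` parent is not matched. Adding a third alternative on `TargetFilename|contains` with the same directory list would make the detection match its description. The rule is `level: high` with `falsepositives: Unknown`; administrative backup or IFM scripts launched from a PowerShell parent can produce a PowerShell-parented ntds.dit creation, so I would name that case, e.g. `- Legitimate backup or IFM creation scripts executed from a PowerShell parent`.
```yaml
    selection_process:
        # … unchanged: ParentImage|endswith, ParentImage|contains, Image|contains alternatives …
        - TargetFilename|contains:
            - '\AppData\'
            - '\Temp\'
            - '\Public\'
            - '\PerfLogs\'
    condition: selection_file and 1 of selection_process*
```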
@@ -0,0 +1,25 @@
+title: Suspicious NTDS Exfil Filename Patterns
+id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
+description: Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration
+status: experimental
+author: Florian Roth
+references:
+ - https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/ntds_grabber.rb
+ - https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/NTDSgrab.ps1
+ - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
+date: 2022/03/11
+tags:
+ - attack.credential_access
+ - attack.t1003.003
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_file:
+ TargetFilename|endswith:
+ - '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/NTDSgrab.ps
+ - '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
+ condition: selection_file
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
new file mode 100644
index 000000000..b879ca54c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
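Review bot: The inline comment on the `\All.cab` line cites `NTDSgrab.ps`, while the references list and the script itself use `NTDSgrab.ps1`; the comment should read `# https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/NTDSgrab.ps1`. `\All.cab` is a generic name matched anywhere on disk at `level: high`, so `falsepositives` should say more than `Unknown`, e.g. `- Installers or packaging scripts that legitimately produce a file named All.cab`. The `.ntds.cleartext` file is written by secretsdump on the host running it, so this Windows `file_event` rule will only see it when impacket is executed on a Windows machine rather than on the domain controller; that scope is worth one sentence in the description. If I recall secretsdump correctly it also writes a sibling `.ntds.kerberos` output next to the cleartext one, which could join the same list.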
@@ -0,0 +1,66 @@
+title: Suspicious Process Patterns NTDS.DIT Exfil
+id: 8bc64091-6875-4881-aaf9-7bd25b5dda08
+description: Detects suspicious process patterns used in NTDS.DIT exfiltration
+status: experimental
+author: Florian Roth
+references:
+ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
+ - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
+ - https://pentestlab.blog/tag/ntds-dit/
+ - https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1
+ - https://github.com/zcgonvh/NTDSDumpEx
+ - https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/NTDSgrab.ps1
+date: 2022/03/11
+tags:
+ - attack.credential_access
+ - attack.t1003.003
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_tool:
+ # https://github.com/zcgonvh/NTDSDumpEx
+ - Image|endswith:
+ - '\NTDSDump.exe'
+ - '\NTDSDumpEx.exe'
+ - CommandLine|contains|all:
+ # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv
+ - 'ntds.dit'
+ - 'system.hiv'
+ - CommandLine|contains:
+ - 'NTDSgrab.ps1'
+ selection_oneliner_1:
+ # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
+ - CommandLine|contains|all:
+ - 'ac i ntds'
+ - 'create full'
+ selection_onliner_2:
+ # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
+ - CommandLine|contains|all:
+ - '/c copy '
+ - '\windows\ntds\ntds.dit'
+ selection_powershell:
+ CommandLine|contains|all:
+ - 'powershell'
+ - 'ntds.dit'
+ set1_selection_ntds_dit:
+ CommandLine|contains: 'ntds.dit'
+ set1_selection_image_folder:
+ - ParentImage|contains:
+ - '\apache'
+ - '\tomcat'
+ - '\AppData\'
+ - '\Temp\'
+ - '\Public\'
+ - '\PerfLogs\'
+ - Image|contains:
+ - '\apache'
+ - '\tomcat'
+ - '\AppData\'
+ - '\Temp\'
+ - '\Public\'
+ - '\PerfLogs\'
+ condition: 1 of selection* or all of set1*
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
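Review bot: `selection_onliner_2` is misspelled relative to `selection_oneliner_1`; the `1 of selection*` wildcard still picks it up so the logic is unaffected, but it should be renamed `selection_oneliner_2` before other rules copy the name. `selection_oneliner_1` fires on any `ntdsutil` IFM creation (`ac i ntds` together with `create full`), which is also how administrators build install media for domain controller promotion, so at `level: high` the `falsepositives` entry should name that rather than `Unknown`, e.g. `- Administrators creating an IFM set with ntdsutil for DC promotion`. `selection_onliner_2` keys on the default `\windows\ntds\ntds.dit` location; domain controllers whose database was placed on another path at promotion time will not match, which deserves a comment on that line so analysts know the coverage boundary.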