[New Rule] Suspicious Access to LDAP Attributes (#2504)
* Create discovery_high_number_ad_properties.toml
* Update discovery_high_number_ad_properties.toml
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* fixed tags; moved note to setup, updated date
* Update discovery_high_number_ad_properties.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
(cherry picked from commit f025616cbd)
This commit is contained in:
Samirbous
committed by
github-actions[bot]
github-actions[bot]
parent
5a18a6cea2
commit
22857aca2e
@@ -0,0 +1,67 @@
|
||||
[metadata]
|
||||
creation_date = "2023/01/29"
|
||||
integration = ["windows", "system"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/04/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can
|
||||
help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious Access to LDAP Attributes"
|
||||
risk_score = 73
|
||||
rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e"
|
||||
setup = """
|
||||
The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
|
||||
Steps to implement the logging policy with Advanced Audit Configuration:
|
||||
|
||||
Computer Configuration >
|
||||
Policies >
|
||||
Windows Settings >
|
||||
Security Settings >
|
||||
Advanced Audit Policies Configuration >
|
||||
Audit Policies >
|
||||
DS Access >
|
||||
Audit Directory Service Changes (Success,Failure)
|
||||
"""
|
||||
severity = "high"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Windows",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Discovery",
|
||||
"Data Source: System",
|
||||
"Data Source: Active Directory",
|
||||
"Data Source: Windows",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
any where event.action == "Directory Service Access" and
|
||||
event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and
|
||||
winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1069"
|
||||
name = "Permission Groups Discovery"
|
||||
reference = "https://attack.mitre.org/techniques/T1069/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0007"
|
||||
name = "Discovery"
|
||||
reference = "https://attack.mitre.org/tactics/TA0007/"
|
||||
|
||||
Reference in New Issue
Block a user