From 53db78fcccb1c5caae61ab019f60bbabeaa52ad4 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 8 Feb 2021 22:34:54 +0100 Subject: [PATCH] [New Rule] Lateral Movement via Kerberos using Bifrost Console (#843) * [New Rule] Lateral Movement via Kerberos using Bifrost Console * adjusted kql for perf * mitre techniques order * added two args * Update lateral_movement_credential_access_kerberos_bifrostconsole.toml * Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> --- ...ential_access_kerberos_bifrostconsole.toml | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml new file mode 100644 index 000000000..68341786b --- /dev/null +++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml @@ -0,0 +1,55 @@ +[metadata] +creation_date = "2020/01/12" +maturity = "production" +updated_date = "2020/01/12" + +[rule] +author = ["Elastic"] +description = """ +Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos +tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting. +""" +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License" +name = "Potential Kerberos Attack via Bifrost" +references = ["https://github.com/its-a-feature/bifrost"] +risk_score = 73 +rule_id = "16904215-2c95-4ac8-bf5c-12354e047192" +severity = "high" +tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access", "Lateral Movement"] +type = "query" + +query = ''' +event.category:process and event.type:start and + process.args:("-action" and ("-kerberoast" or askhash or asktgs or asktgt or s4u or ("-ticket" and ptt) or (dump and (tickets or keytab)))) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.003" +name = "Pass the Ticket" +reference = "https://attack.mitre.org/techniques/T1550/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1558" +name = "Steal or Forge Kerberos Tickets" +reference = "https://attack.mitre.org/techniques/T1558/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/"