[New Rule] Potential Active Directory Replication User Backdoor (#3014)

* [New Rule] Potential Active Directory Replication User Backdoor * Update credential_access_dcsync_user_backdoor.toml * Update rules/windows/credential_access_dcsync_user_backdoor.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules/windows/credential_access_dcsync_user_backdoor.toml * Update rules/windows/credential_access_dcsync_user_backdoor.toml --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-07-31 12:02:34 -03:00
parent 134b842361
commit 65cacb4960
1 changed files with 81 additions and 0 deletions
@@ -0,0 +1,81 @@
+[metadata]
+creation_date = "2024/07/10"
+integration = ["system", "windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/07/10"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a
+user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential Active Directory Replication Account Backdoor"
+note = """## Setup
+
+The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Changes (Success,Failure)
+```
+"""
+references = [
+    "https://twitter.com/menasec1/status/1111556090137903104",
+    "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
+    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml",
+    "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all",
+    "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes",
+    "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set"
+]
+risk_score = 47
+rule_id = "f8822053-a5d2-46db-8c96-d460b12c36ac"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
+  winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and
+  winlog.event_data.AttributeValue : (
+    (
+      *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and
+      *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and
+      *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*
+    )
+  )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+  [[rule.threat.technique]]
+  id = "T1003"
+  reference = "https://attack.mitre.org/techniques/T1003/"
+  name = "OS Credential Dumping"
+
+    [[rule.threat.technique.subtechnique]]
+    id = "T1003.006"
+    reference = "https://attack.mitre.org/techniques/T1003/006/"
+    name = "DCSync"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+name = "Credential Access"
+