From 65cacb496085d9637e0120c67dda079a152a4cd5 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Wed, 31 Jul 2024 12:02:34 -0300 Subject: [PATCH] [New Rule] Potential Active Directory Replication User Backdoor (#3014) * [New Rule] Potential Active Directory Replication User Backdoor * Update credential_access_dcsync_user_backdoor.toml * Update rules/windows/credential_access_dcsync_user_backdoor.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules/windows/credential_access_dcsync_user_backdoor.toml * Update rules/windows/credential_access_dcsync_user_backdoor.toml --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --- ...redential_access_dcsync_user_backdoor.toml | 81 +++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 rules/windows/credential_access_dcsync_user_backdoor.toml diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml new file mode 100644 index 000000000..ecfdf735f --- /dev/null +++ b/rules/windows/credential_access_dcsync_user_backdoor.toml @@ -0,0 +1,81 @@ +[metadata] +creation_date = "2024/07/10" +integration = ["system", "windows"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/07/10" + +[rule] +author = ["Elastic"] +description = """ +Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a +user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"] +language = "kuery" +license = "Elastic License v2" +name = "Potential Active Directory Replication Account Backdoor" +note = """## Setup + +The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success,Failure) +``` +""" +references = [ + "https://twitter.com/menasec1/status/1111556090137903104", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml", + "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all", + "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes", + "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set" +] +risk_score = 47 +rule_id = "f8822053-a5d2-46db-8c96-d460b12c36ac" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and + winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and + winlog.event_data.AttributeValue : ( + ( + *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and + *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and + *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-* + ) + ) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [[rule.threat.technique]] + id = "T1003" + reference = "https://attack.mitre.org/techniques/T1003/" + name = "OS Credential Dumping" + + [[rule.threat.technique.subtechnique]] + id = "T1003.006" + reference = "https://attack.mitre.org/techniques/T1003/006/" + name = "DCSync" + + +[rule.threat.tactic] +id = "TA0006" +reference = "https://attack.mitre.org/tactics/TA0006/" +name = "Credential Access" +