security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Enumerating Domain Trusts via Dsquery.exe (#2508)

Browse Source 
* [New Rule] Enumerating Domain Trusts via Dsquery.exe

T1482 Domain Trust Discovery

New rule to capture domain trust discovery with dsquery.

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

I think it would be beneficial to add the process.pe.original_file_name : "dsquery.exe" to the rule, as it would be easy for an attacker to bypass this rule by changing the file name, as so: https://prnt.sc/ZqePZKuV1-Vq

Other than that, LGTM!

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
This commit is contained in:
Isai
2023-02-01 10:27:42 -05:00
committed by GitHub
parent c6125004c1
commit 748bdbf8b1
1 changed files with 58 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+58
View File
@@ -0,0 +1,58 @@
[metadata]
creation_date = "2023/01/27"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/01/27"
[rule]
author = ["Elastic"]
description = """
Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to
enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest
environments.
"""
false_positives = [
"Domain administrators may use this command-line utility for legitimate information gathering purposes.",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Enumerating Domain Trusts via DSQUERY.EXE"
note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)",
"https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944",
]
risk_score = 21
rule_id = "06a7a03c-c735-47a6-a313-51c354aef6c3"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
(process.name : "dsquery.exe" or process.pe.original_file_name: "dsquery.exe") and
process.args : "*objectClass=trustedDomain*"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1482"
name = "Domain Trust Discovery"
reference = "https://attack.mitre.org/techniques/T1482/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"