From 748bdbf8b184b4d1ebff9ec7fff25992f951dfad Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Wed, 1 Feb 2023 10:27:42 -0500 Subject: [PATCH] [New Rule] Enumerating Domain Trusts via Dsquery.exe (#2508) * [New Rule] Enumerating Domain Trusts via Dsquery.exe T1482 Domain Trust Discovery New rule to capture domain trust discovery with dsquery. * Update discovery_enumerating_domain_trusts_via_dsquery.toml I think it would be beneficial to add the process.pe.original_file_name : "dsquery.exe" to the rule, as it would be easy for an attacker to bypass this rule by changing the file name, as so: https://prnt.sc/ZqePZKuV1-Vq Other than that, LGTM! --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --- ...enumerating_domain_trusts_via_dsquery.toml | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml new file mode 100644 index 000000000..258fb593b --- /dev/null +++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml @@ -0,0 +1,58 @@ +[metadata] +creation_date = "2023/01/27" +integration = ["endpoint", "windows"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/01/27" + +[rule] +author = ["Elastic"] +description = """ +Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to +enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest +environments. +""" +false_positives = [ + "Domain administrators may use this command-line utility for legitimate information gathering purposes.", +] +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +language = "eql" +license = "Elastic License v2" +name = "Enumerating Domain Trusts via DSQUERY.EXE" +note = """## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. +""" +references = [ + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", + "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944", +] +risk_score = 21 +rule_id = "06a7a03c-c735-47a6-a313-51c354aef6c3" +severity = "low" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.type == "start" and + (process.name : "dsquery.exe" or process.pe.original_file_name: "dsquery.exe") and + process.args : "*objectClass=trustedDomain*" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1482" +name = "Domain Trust Discovery" +reference = "https://attack.mitre.org/techniques/T1482/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" +