From 85b72256c2cc63eb646f7ef3efd5fb752ffcb489 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Fri, 4 Feb 2022 15:49:04 -0300 Subject: [PATCH] [New Rule] Potential Shadow Credentials added to AD Object (#1729) * Potential Shadow Credentials added to AD Object Initial Rule * Apply suggestions from code review Co-authored-by: Justin Ibarra * Update credential_access_shadow_credentials.toml * Add AD tag * Update credential_access_shadow_credentials.toml Co-authored-by: Justin Ibarra --- .../credential_access_shadow_credentials.toml | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 rules/windows/credential_access_shadow_credentials.toml diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml new file mode 100644 index 000000000..ec3475615 --- /dev/null +++ b/rules/windows/credential_access_shadow_credentials.toml @@ -0,0 +1,76 @@ +[metadata] +creation_date = "2022/01/26" +maturity = "production" +updated_date = "2022/01/31" + +[rule] +author = ["Elastic"] +description = """ +Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. +Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain +persistent and stealthy access to the target user or computer object. +""" +false_positives = [ + """ + Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect + synchronization account or the ADFS service account. These accounts can be added as Exceptions. + """, +] +from = "now-9m" +index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"] +language = "kuery" +license = "Elastic License v2" +name = "Potential Shadow Credentials added to AD Object" +note = """## Config + +The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success,Failure) +``` + +The above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule. +As this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise. + +``` +Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success +``` +""" +references = [ + "https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", + "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", + "https://github.com/OTRF/Set-AuditRule", +] +risk_score = 73 +rule_id = "79f97b31-480e-4e63-a7f4-ede42bf2c6de" +severity = "high" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.action:"Directory Service Changes" and event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +name = "Modify Authentication Process" +id = "T1556" +reference = "https://attack.mitre.org/techniques/T1556/" + + +[rule.threat.tactic] +name = "Credential Access" +id = "TA0006" +reference = "https://attack.mitre.org/tactics/TA0006/" +