diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json index 75cf2f0af..370284e04 100644 --- a/etc/non-ecs-schema.json +++ b/etc/non-ecs-schema.json @@ -15,8 +15,8 @@ "AttributeValue": "keyword", "CallerProcessName": "keyword", "CallTrace": "keyword", - "OriginalFileName": "keyword", "GrantedAccess": "keyword", + "OriginalFileName": "keyword", "RelativeTargetName": "keyword", "ShareName": "keyword", "SubjectLogonId": "keyword", diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml new file mode 100644 index 000000000..5bc65aa47 --- /dev/null +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml @@ -0,0 +1,117 @@ +[metadata] +creation_date = "2021/11/08" +maturity = "production" +updated_date = "2021/11/08" + +[rule] +author = ["Elastic"] +description = """ +Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects. +""" +false_positives = ["Legitimate Administrative Activity"] +index = ["winlogbeat-*", "logs-system.*"] +language = "kuery" +license = "Elastic License v2" +name = "Startup/Logon Script added to Group Policy Object" +note = """## Triage and analysis + +### Investigating Scheduled Task Execution at Scale via GPO + +Group Policy Objects can be used by attackers as a mechanism for an attacker to instruct an arbitrarily large group of clients to +execute specified commands at Startup, Logon, Shutdown, and Logoff. This is done by creating/modifying the `scripts.ini` or +`psscripts.ini` files. The scripts are stored in the following path: `\\Machine\\Scripts\\`, `\\User\\Scripts\\` + +#### Possible investigation steps: +- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate +and the administrator is authorized to perform this operation. +- Retrieve the contents of the script file, check for any potentially malicious commands and binaries. +- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. + +### False Positive Analysis +- Verify if the execution is allowed and done under change management, and legitimate. + +### Related Rules +- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf +- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e + +### Response and Remediation +- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further +post-compromise behavior. + +## Config + +The 'Audit Detailed File Share' audit policy is required be configured (Success Failure). +Steps to implement the logging policy with with Advanced Audit Configuration: +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Object Access > +Audit Detailed File Share (Success,Failure) +``` + +The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure). +Steps to implement the logging policy with with Advanced Audit Configuration: +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success,Failure) +``` +""" +references = [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse" +] +risk_score = 47 +rule_id = "16fac1a1-21ee-4ca6-b720-458e3855d046" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +( + event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and + winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and + (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*)) +) +or +( + event.code:5145 and winlog.event_data.ShareName:\\\\*\\SYSVOL and + winlog.event_data.RelativeTargetName:(*\\scripts.ini or *\\psscripts.ini) and + (message:WriteData or winlog.event_data.AccessList:*%%4417*) +) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +reference = "https://attack.mitre.org/techniques/T1547/" +id = "T1547" +name = "Boot or Logon Autostart Execution" + +[[rule.threat.technique]] +reference = "https://attack.mitre.org/techniques/T1484/" +id = "T1484" +name = "Domain Policy Modification" + + [[rule.threat.technique.subtechnique]] + reference = "https://attack.mitre.org/techniques/T1484/001/" + id = "T1484.001" + name = "Group Policy Modification" + +[rule.threat.tactic] +reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0004" +name = "Privilege Escalation"