From 99dcfe20552f65bfdc1bba1eabe13cdeb0f95696 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 19 Sep 2022 19:07:05 +0200
Subject: [PATCH] [New Rule] Multiple Vault Web credentials were read (#2281)
* [New Rule] Multiple Vault Web credentials were read https://github.com/elastic/detection-rules/issues/2164
* Update credential_access_saved_creds_vault_winlog.toml
* Update non-ecs-schema.json
* Update rules/windows/credential_access_saved_creds_vault_winlog.toml
Co-authored-by: Justin Ibarra
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra
---
 detection_rules/etc/non-ecs-schema.json | 2 +
 ...ntial_access_saved_creds_vault_winlog.toml | 68 +++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 rules/windows/credential_access_saved_creds_vault_winlog.toml
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index c3980bf32..6d2691150 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -38,6 +38,8 @@
 "TargetLogonId": "keyword",
 "TargetProcessGUID": "keyword",
 "TargetSid": "keyword",
+ "SchemaFriendlyName": "keyword",
+ "Resource": "keyword",
 "PrivilegeList": "keyword",
 "AuthenticationPackageName" : "keyword",
 "TargetUserSid" : "keyword",
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
new file mode 100644
index 000000000..035eb9d1c
--- /dev/null
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -0,0 +1,68 @@
+[metadata]
+creation_date = "2022/08/30"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
+applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
+saved usernames and passwords. This may also be performed in preparation of lateral movement.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Multiple Vault Web Credentials Read"
+note = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+references = ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",]
+risk_score = 47
+rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+type = "eql"
+
+query = '''
+sequence by host.id, winlog.process.pid with maxspan=1s
+
+ /* 2 consecutive vault reads from same pid for web creds */
+
+ [any where event.code : "5382" and
+ (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
+ not winlog.event_data.SubjectLogonId : "0x3e7"]
+
+ [any where event.code : "5382" and
+ (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
+ not winlog.event_data.SubjectLogonId : "0x3e7"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.004"
+name = "Windows Credential Manager"
+reference = "https://attack.mitre.org/techniques/T1555/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
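Review bot: Both steps of the sequence in `query` select on `event.code : "5382"` alone, while `index` includes `winlogbeat-*`, where events from every forwarded channel land; event codes are only meaningful within their provider, so add `event.provider : "Microsoft-Windows-Security-Auditing"` (or `winlog.channel : "Security"`) to each step so that only Security-audit vault reads can satisfy the sequence. The `or` between `SchemaFriendlyName : "Windows Web Password Credential"` and `Resource : "http*"` is also wider than the `/* ... web creds */` comment implies — a credential of any schema whose resource starts with `http` matches — so either the comment should say so or the two conditions should be joined with `and`. The two steps are identical, so any process that reads two such entries within 1s (browsers and credential-sync clients presumably do this routinely) will fire; the `note` only covers setup and would benefit from a short false-positive section naming those expected readers and how to triage on `winlog.process.pid`. I am also assuming `winlog.process.pid` here reflects the reading process rather than the process that wrote the audit record — worth confirming against a sample 5382 event before relying on it as the sequence key.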