From a5cd35f4981b93ae0ce7119aa35979fd4e41d243 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Wed, 9 Dec 2020 15:01:28 -0600
Subject: [PATCH] AdFind Command Activity (#395)
* initial commit
* added sub-techniques
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra
* Update rules/windows/discovery_adfind_command_activity.toml
* Update rules/windows/discovery_adfind_command_activity.toml
* update threat mapping with sub-techniques
* update technique url
* remove ecs_version
* convert rule to eql
* added sub-techniques
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra
Co-authored-by: Justin Ibarra
---
 .../discovery_adfind_command_activity.toml | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 rules/windows/discovery_adfind_command_activity.toml
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
new file mode 100644
index 000000000..1bed7f7de
--- /dev/null
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -0,0 +1,77 @@
+[metadata]
+creation_date = "2020/10/19"
+maturity = "production"
+updated_date = "2020/12/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently
+leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been
+observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License"
+name = "AdFind Command Activity"
+note = "`AdFind.exe` is a legitimate domain query tool. Rule alerts should be investigated to identify if the user has a role that would explain using this tool and that it is being run from an expected directory and endpoint. Leverage the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment."
+references = [
+ "http://www.joeware.net/freetools/tools/adfind/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
+ "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+ "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf",
+]
+risk_score = 21
+rule_id = "eda499b8-a073-4e35-9733-22ec71f57f3a"
+severity = "low"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+ (process.name : "AdFind.exe" or process.pe.original_file_name == "AdFind.exe") and
+ process.args : ("objectcategory=computer", "(objectcategory=computer)",
+ "objectcategory=person", "(objectcategory=person)",
+ "objectcategory=subnet", "(objectcategory=subnet)",
+ "objectcategory=group", "(objectcategory=group)",
+ "objectcategory=organizationalunit", "(objectcategory=organizationalunit)",
+ "objectcategory=attributeschema", "(objectcategory=attributeschema)",
+ "domainlist", "dcmodes", "adinfo", "dclist", "computers_pwnotreqd", "trustdmp")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
+
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+[[rule.threat.technique.subtechnique]]
+id = "T1087.002"
+name = "Domain Account"
+reference = "https://attack.mitre.org/techniques/T1087/002/"
+
+
+[[rule.threat.technique]]
+id = "T1482"
+name = "Domain Trust Discovery"
+reference = "https://attack.mitre.org/techniques/T1482/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
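Review bot: The two process-identity tests in `query` use different matching semantics: `process.name : "AdFind.exe"` is a case-insensitive match, while `process.pe.original_file_name == "AdFind.exe"` is an exact, case-sensitive comparison, so the renamed-binary branch only fires if the PE OriginalFilename is stamped with that exact casing. Using the same operator on both, `process.pe.original_file_name : "AdFind.exe"`, keeps the two branches consistent and avoids a silent miss that the `note` field's tuning guidance would never surface. Separately, `note` is written as one very long basic string; writing it as a `"""` multi-line string, as `description` already is, would make the investigation guidance readable in diffs and rendered rule pages.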