From b4e924f82e12395ecf7e6d59d4d18d9d226f0bc3 Mon Sep 17 00:00:00 2001
From: Jonhnathan <jonhnathancesar@gmail.com>
Date: Tue, 15 Feb 2022 21:40:26 -0300
Subject: [PATCH] [New Rule] Potential Credential Access via DCSync (#1763)

* "Potential Credential Access via DCSync" Initial Rule

* replace unintentional bracket removal

* json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 42436d3364f418b306c40da65141ad5f9d73695b)
---
 etc/non-ecs-schema.json                       |   3 +
 ...tial_access_dcsync_replication_rights.toml | 142 ++++++++++++++++++
 2 files changed, 145 insertions(+)
 create mode 100644 rules/windows/credential_access_dcsync_replication_rights.toml

diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index c656c005f..9ab26c0b6 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -11,6 +11,7 @@
     "winlog": {
       "event_data": {
         "AccessList": "keyword",
+        "AccessMask": "keyword",
         "AllowedToDelegateTo": "keyword",
         "AttributeLDAPDisplayName": "keyword",
         "AttributeValue": "keyword",
@@ -22,10 +23,12 @@
         "ObjectDN": "keyword",
         "OldTargetUserName": "keyword",
         "OriginalFileName": "keyword",
+        "Properties": "keyword",
         "ParentProcessId": "keyword",
         "RelativeTargetName": "keyword",
         "ShareName": "keyword",
         "SubjectLogonId": "keyword",
+        "SubjectUserName": "keyword",
         "TargetImage": "keyword",
         "TargetLogonId": "keyword",
         "TargetProcessGUID": "keyword",
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
new file mode 100644
index 000000000..4b598e894
--- /dev/null
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -0,0 +1,142 @@
+[metadata]
+creation_date = "2022/02/08"
+maturity = "production"
+updated_date = "2022/02/08"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync
+technique to get credential information of individual accounts or the entire domain, thus compromising the entire
+domain.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Credential Access via DCSync"
+note = """## Triage and analysis.
+
+### Investigating Active Directory Replication From User Account
+
+Active Directory replication is the process by which the changes that originate on one domain controller are
+automatically transferred to other domain controllers that store the same data. 
+
+Active Directory data takes the form of objects that have properties, or attributes. Each object is an instance
+of an object class, and object classes and their respective attributes are defined in the Active Directory schema.
+The values of the attributes define the object, and a change to a value of an attribute must be transferred from
+the domain controller on which it occurs to every other domain controller that stores a replica of that object.
+
+Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process
+from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used
+legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges
+to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of
+the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused
+to grant controlled objects the right to DCsync/Replicate.
+
+More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing).
+and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync)
+
+This rule will monitor for Event ID 4662 (Operation was performed on an Active Directory object) and identify events that use the access
+mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID
+(DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that
+use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).
+
+#### Possible investigation steps:
+
+- Identify the account that performed the action
+- Confirm whether the account owner is aware of the operation
+- Investigate other alerts related to the user/host in the last 48 hours.
+- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received
+the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.
+- Investigate which credentials were compromised (e.g. All accounts were replicated or a specific account).
+
+### False Positive Analysis
+
+- This activity should not happen legitimately. Any potential B-TP (Benign True Positive) should be mapped and monitored by the security
+team as replication should be done by Domain Controllers only. Any account that performs this activity can put the domain at risk for not
+having the same security standards (Long, complex, random passwords that change frequently) as computer accounts, exposing it to credential
+cracking attacks (Kerberoasting, brute force, etc.).
+
+### Response and Remediation
+
+- Initiate the incident response process based on the outcome of the triage
+- In case of specific credentials were compromised:
+    - Reset the password for the accounts
+- In case of the entire domain or the `krbtgt` user were compromised:
+    - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password
+    reset (twice) of the `krbtgt` user.
+
+## Config
+
+The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+DS Access > 
+Audit Directory Service Access (Success,Failure)
+```
+"""
+references = [
+    "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
+    "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing",
+    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml",
+    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md",
+    "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync",
+    "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync",
+]
+risk_score = 73
+rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where event.action == "Directory Service Access" and
+  event.code == "4662" and winlog.event_data.Properties : (
+
+    /* Control Access Rights/Permissions Symbol */
+
+    "*DS-Replication-Get-Changes*",
+    "*DS-Replication-Get-Changes-All*",
+    "*DS-Replication-Get-Changes-In-Filtered-Set*",
+
+    /* Identifying GUID used in ACE */
+
+    "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*",
+    "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*",
+    "*89e95b76-444d-4c62-991a-0facbeda640c*") 
+    
+    /* The right to perform an operation controlled by an extended access right. */
+
+    and winlog.event_data.AccessMask : "0x100" and
+    not winlog.event_data.SubjectUserName : ("*$", "MSOL_*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+reference = "https://attack.mitre.org/techniques/T1003/"
+name = "OS Credential Dumping"
+
+    [[rule.threat.technique.subtechnique]]
+    id = "T1003.006"
+    reference = "https://attack.mitre.org/techniques/T1003/006/"
+    name = "DCSync"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+name = "Credential Access"
+