From cbbac02b5671443fb2e6b86ed9446ecd0afa15c0 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 15 Nov 2022 20:01:22 +0000
Subject: [PATCH] [Rule Tuning] Potential Shadow Credentials added to AD Object (#2359)

limit the query to suspicious KEYCREDENTIALLINK_BLOB value length to 828 `DN-Binary data: B:::` which matches on the add of a keycredential structure using public offensive tooling and avoid FPs (Azure, CredGuard and others).

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 rules/windows/credential_access_shadow_credentials.toml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index 0910b1d49..b7f033e64 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/26"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/10/15"
 
 [rule]
 author = ["Elastic"]
@@ -50,6 +50,7 @@ references = [
     "https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab",
     "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials",
     "https://github.com/OTRF/Set-AuditRule",
+    "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
 ]
 risk_score = 73
 rule_id = "79f97b31-480e-4e63-a7f4-ede42bf2c6de"
@@ -59,7 +60,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.action:"Directory Service Changes" and event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink"
+event.action:"Directory Service Changes" and event.code:"5136" and
+ winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and winlog.event_data.AttributeValue :B\:828*
 '''