[New Rule] Suspicious Remote Registry Access via SeBackupPrivilege (#1783)
* [New Rule] Suspicious Remote Registry Access via SeBackupPrivilege
https://github.com/mpgn/BackupOperatorToDA
https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp
Detection mainly occurs on the AD/DC side:
EQL
```
sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m
[iam where event.action == "logged-in-special" and
winlog.event_data.PrivilegeList : "SeBackupPrivilege"]
[any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"]
```
```
"sequences" : [
{
"join_keys" : [
"83989f29-8447-4b3c-a54b-4a0f7e5a4872",
"0x2a23a5"
],
"events" : [
{
"_index" : ".ds-logs-system.security-default-2022.02.11-000001",
"_id" : "L68HAn8BQQK22TUvoE_k",
"_source" : {
"agent" : {
"name" : "01566s-win16-ir",
"id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683",
"type" : "filebeat",
"ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8",
"version" : "8.0.0"
},
"winlog" : {
"computer_name" : "01566s-win16-ir.threebeesco.com",
"process" : {
"pid" : 624,
"thread" : {
"id" : 756
}
},
"keywords" : [
"Audit Success"
],
"logon" : {
"id" : "0x2a23a5"
},
"channel" : "Security",
"event_data" : {
"SubjectUserName" : "samir",
"SubjectDomainName" : "3B",
"SubjectLogonId" : "0x2a23a5",
"PrivilegeList" : [
"SeBackupPrivilege",
"SeRestorePrivilege"
],
"SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106"
},
"opcode" : "Info",
"record_id" : "2987813",
"task" : "Special Logon",
"event_id" : "4672",
"provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"api" : "wineventlog",
"provider_name" : "Microsoft-Windows-Security-Auditing"
},
"log" : {
"level" : "information"
},
"elastic_agent" : {
"id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683",
"version" : "8.0.0",
"snapshot" : false
},
"message" : """Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-308926384-506822093-3341789130-220106
Account Name: samir
Account Domain: 3B
Logon ID: 0x2A23A5
Privileges: SeBackupPrivilege
SeRestorePrivilege""",
"input" : {
"type" : "winlog"
},
"@timestamp" : "2022-02-16T10:15:26.330Z",
"ecs" : {
"version" : "1.12.0"
},
"related" : {
"user" : [
"samir"
]
},
"data_stream" : {
"namespace" : "default",
"type" : "logs",
"dataset" : "system.security"
},
"host" : {
"hostname" : "01566s-win16-ir",
"os" : {
"build" : "14393.3659",
"kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)",
"name" : "Windows Server 2016 Datacenter",
"type" : "windows",
"family" : "windows",
"version" : "10.0",
"platform" : "windows"
},
"ip" : [
"172.16.66.36",
"fe80::ffff:ffff:fffe",
"fe80::5efe:ac10:4224"
],
"name" : "01566s-win16-ir.threebeesco.com",
"id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872",
"mac" : [
"00:50:56:24:6c:d2",
"00:00:00:00:00:00:00:e0",
"00:00:00:00:00:00:00:e0"
],
"architecture" : "x86_64"
},
"event" : {
"agent_id_status" : "verified",
"ingested" : "2022-02-16T10:15:28Z",
"code" : "4672",
"provider" : "Microsoft-Windows-Security-Auditing",
"created" : "2022-02-16T10:15:27.675Z",
"kind" : "event",
"action" : "logged-in-special",
"category" : [
"iam"
],
"type" : [
"admin"
],
"dataset" : "system.security",
"outcome" : "success"
},
"user" : {
"domain" : "3B",
"name" : "samir",
"id" : "S-1-5-21-308926384-506822093-3341789130-220106"
}
}
},
{
"_index" : ".ds-logs-system.security-default-2022.02.11-000001",
"_id" : "Mq8HAn8BQQK22TUvoE_k",
"_source" : {
"agent" : {
"name" : "01566s-win16-ir",
"id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683",
"ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8",
"type" : "filebeat",
"version" : "8.0.0"
},
"winlog" : {
"computer_name" : "01566s-win16-ir.threebeesco.com",
"process" : {
"pid" : 4,
"thread" : {
"id" : 1176
}
},
"keywords" : [
"Audit Success"
],
"logon" : {
"id" : "0x2a23a5"
},
"channel" : "Security",
"event_data" : {
"ShareName" : """\\*\IPC$""",
"IpPort" : "50071",
"SubjectLogonId" : "0x2a23a5",
"AccessMask" : "0x12019f",
"ObjectType" : "File",
"SubjectUserName" : "samir",
"AccessReason" : "-",
"SubjectDomainName" : "3B",
"IpAddress" : "172.16.66.25",
"AccessMaskDescription" : [
"List Object",
"Read Property",
"Create Child",
"Control Access",
"Delete Child",
"List Contents",
"SELF",
"SYNCHRONIZE",
"READ_CONTROL"
],
"RelativeTargetName" : "winreg",
"AccessList" : """%%1538
%%1541
%%4416
%%4417
%%4418
%%4419
%%4420
%%4423
%%4424
""",
"SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106"
},
"opcode" : "Info",
"record_id" : "2987816",
"event_id" : "5145",
"task" : "Detailed File Share",
"provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"api" : "wineventlog",
"provider_name" : "Microsoft-Windows-Security-Auditing"
},
"log" : {
"level" : "information"
},
"elastic_agent" : {
"id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683",
"version" : "8.0.0",
"snapshot" : false
},
"message" : """A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID: S-1-5-21-308926384-506822093-3341789130-220106
Account Name: samir
Account Domain: 3B
Logon ID: 0x2A23A5
Network Information:
Object Type: File
Source Address: 172.16.66.25
Source Port: 50071
Share Information:
Share Name: \\*\IPC$
Share Path:
Relative Target Name: winreg
Access Request Information:
Access Mask: 0x12019F
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Access Check Results:
-""",
"input" : {
"type" : "winlog"
},
"@timestamp" : "2022-02-16T10:15:26.336Z",
"ecs" : {
"version" : "1.12.0"
},
"data_stream" : {
"namespace" : "default",
"type" : "logs",
"dataset" : "system.security"
},
"host" : {
"hostname" : "01566s-win16-ir",
"os" : {
"build" : "14393.3659",
"kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)",
"name" : "Windows Server 2016 Datacenter",
"family" : "windows",
"type" : "windows",
"version" : "10.0",
"platform" : "windows"
},
"ip" : [
"172.16.66.36",
"fe80::ffff:ffff:fffe",
"fe80::5efe:ac10:4224"
],
"name" : "01566s-win16-ir.threebeesco.com",
"id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872",
"mac" : [
"00:50:56:24:6c:d2",
"00:00:00:00:00:00:00:e0",
"00:00:00:00:00:00:00:e0"
],
"architecture" : "x86_64"
},
"event" : {
"agent_id_status" : "verified",
"ingested" : "2022-02-16T10:15:28Z",
"code" : "5145",
"provider" : "Microsoft-Windows-Security-Auditing",
"kind" : "event",
"created" : "2022-02-16T10:15:27.675Z",
"action" : "Detailed File Share",
"dataset" : "system.security",
"outcome" : "success"
}
}
}
]
},
```
* Update non-ecs-schema.json
* Update rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit c254d0de8b)
committed by
github-actions[bot]
parent
5bc3d1e2d5
commit
cfa5bafb79
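--- a/non-ecs-schema.json
+++ b/non-ecs-schema.json
@@ -35,7 +35,8 @@
 "TargetImage": "keyword",
 "TargetLogonId": "keyword",
 "TargetProcessGUID": "keyword",
-"TargetSid": "keyword"
+"TargetSid": "keyword",
+"PrivilegeList": "keyword"
 }
 },
 "winlog.logon.type": "keyword",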
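--- /dev/null
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -0,0 +1,94 @@
+[metadata]
+creation_date = "2022/02/16"
+maturity = "production"
+updated_date = "2022/02/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies remote access to the registry via an account with Backup Operators group membership. This may indicate an
+attempt to exfiltrate credentials via dumping the SAM registry hive in preparation for credential access and privileges
+elevation.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Remote Registry Access via SeBackupPrivilege"
+note = """## Config
+
+The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Object Access >
+Audit Detailed File Share (Success)
+```
+
+The 'Special Logon' audit policy must be configured (Success).
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Logon/Logoff >
+Special Logon (Success)
+```
+"""
+references = [
+"https://github.com/mpgn/BackupOperatorToDA",
+"https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp",
+]
+risk_score = 47
+rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m
+[iam where event.action == "logged-in-special" and
+winlog.event_data.PrivilegeList : "SeBackupPrivilege"]
+[any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "OS Credential Dumping"
+id = "T1003"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+name = "Security Account Manager"
+id = "T1003.002"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+
+
+[rule.threat.tactic]
+name = "Credential Access"
+id = "TA0006"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "Remote Services"
+id = "T1021"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+
+[rule.threat.tactic]
+name = "Lateral Movement"
+id = "TA0008"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+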
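Review bot: The `note` text in the new rule file has wording defects: `is required be configured` in the Audit Detailed File Share paragraph should read `is required to be configured`, and `with with Advanced Audit Configuration` appears twice and should be `with Advanced Audit Configuration`. The rule also ships without a `false_positives` entry even though the first sequence step keys only on the privilege name, which as far as I know is also assigned to the built-in Administrators group by default, so routine remote registry administration from an admin logon will satisfy both steps; the description's reference to Backup Operators membership is narrower than what the query actually matches. Suggest adding `false_positives = ["Legitimate remote registry administration by accounts that hold SeBackupPrivilege, such as members of the built-in Administrators group."]` and adjusting the description to say the privilege rather than the group. It is also worth stating in the note that coverage is limited to the network path, since the second step depends on a 5145 Detailed File Share event and use of the privilege in a local session on the server produces no such event.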