From cfa5bafb79023d508ab317a0ff342cfe97be0c03 Mon Sep 17 00:00:00 2001 
From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Wed, 23 Mar 2022 19:42:03 +0100 Subject: [PATCH] [New Rule] Suspicious Remote Registry Access via SeBackupPrivilege (#1783) * [New Rule] Suspicious Remote Registry Access via SeBackupPrivilege https://github.com/mpgn/BackupOperatorToDA https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp Detection mainly occurs on AD/DC side : EQL ``` sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m [iam where event.action == "logged-in-special" and winlog.event_data.PrivilegeList : "SeBackupPrivilege"] [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"] ``` ``` "sequences" : [ { "join_keys" : [ "83989f29-8447-4b3c-a54b-4a0f7e5a4872", "0x2a23a5" ], "events" : [ { "_index" : ".ds-logs-system.security-default-2022.02.11-000001", "_id" : "L68HAn8BQQK22TUvoE_k", "_source" : { "agent" : { "name" : "01566s-win16-ir", "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "type" : "filebeat", "ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8", "version" : "8.0.0" }, "winlog" : { "computer_name" : "01566s-win16-ir.threebeesco.com", "process" : { "pid" : 624, "thread" : { "id" : 756 } }, "keywords" : [ "Audit Success" ], "logon" : { "id" : "0x2a23a5" }, "channel" : "Security", "event_data" : { "SubjectUserName" : "samir", "SubjectDomainName" : "3B", "SubjectLogonId" : "0x2a23a5", "PrivilegeList" : [ "SeBackupPrivilege", "SeRestorePrivilege" ], "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106" }, "opcode" : "Info", "record_id" : "2987813", "task" : "Special Logon", "event_id" : "4672", "provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}", "api" : "wineventlog", "provider_name" : "Microsoft-Windows-Security-Auditing" }, "log" : { "level" : "information" }, "elastic_agent" : { "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "version" : "8.0.0", "snapshot" : false }, "message" : """Special privileges assigned to new 
logon. Subject: Security ID: S-1-5-21-308926384-506822093-3341789130-220106 Account Name: samir Account Domain: 3B Logon ID: 0x2A23A5 Privileges: SeBackupPrivilege SeRestorePrivilege""", "input" : { "type" : "winlog" }, "@timestamp" : "2022-02-16T10:15:26.330Z", "ecs" : { "version" : "1.12.0" }, "related" : { "user" : [ "samir" ] }, "data_stream" : { "namespace" : "default", "type" : "logs", "dataset" : "system.security" }, "host" : { "hostname" : "01566s-win16-ir", "os" : { "build" : "14393.3659", "kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)", "name" : "Windows Server 2016 Datacenter", "type" : "windows", "family" : "windows", "version" : "10.0", "platform" : "windows" }, "ip" : [ "172.16.66.36", "fe80::ffff:ffff:fffe", "fe80::5efe:ac10:4224" ], "name" : "01566s-win16-ir.threebeesco.com", "id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872", "mac" : [ "00:50:56:24:6c:d2", "00:00:00:00:00:00:00:e0", "00:00:00:00:00:00:00:e0" ], "architecture" : "x86_64" }, "event" : { "agent_id_status" : "verified", "ingested" : "2022-02-16T10:15:28Z", "code" : "4672", "provider" : "Microsoft-Windows-Security-Auditing", "created" : "2022-02-16T10:15:27.675Z", "kind" : "event", "action" : "logged-in-special", "category" : [ "iam" ], "type" : [ "admin" ], "dataset" : "system.security", "outcome" : "success" }, "user" : { "domain" : "3B", "name" : "samir", "id" : "S-1-5-21-308926384-506822093-3341789130-220106" } } }, { "_index" : ".ds-logs-system.security-default-2022.02.11-000001", "_id" : "Mq8HAn8BQQK22TUvoE_k", "_source" : { "agent" : { "name" : "01566s-win16-ir", "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8", "type" : "filebeat", "version" : "8.0.0" }, "winlog" : { "computer_name" : "01566s-win16-ir.threebeesco.com", "process" : { "pid" : 4, "thread" : { "id" : 1176 } }, "keywords" : [ "Audit Success" ], "logon" : { "id" : "0x2a23a5" }, "channel" : "Security", "event_data" : { "ShareName" : """\\*\IPC$""", "IpPort" : 
"50071", "SubjectLogonId" : "0x2a23a5", "AccessMask" : "0x12019f", "ObjectType" : "File", "SubjectUserName" : "samir", "AccessReason" : "-", "SubjectDomainName" : "3B", "IpAddress" : "172.16.66.25", "AccessMaskDescription" : [ "List Object", "Read Property", "Create Child", "Control Access", "Delete Child", "List Contents", "SELF", "SYNCHRONIZE", "READ_CONTROL" ], "RelativeTargetName" : "winreg", "AccessList" : """%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 """, "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106" }, "opcode" : "Info", "record_id" : "2987816", "event_id" : "5145", "task" : "Detailed File Share", "provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}", "api" : "wineventlog", "provider_name" : "Microsoft-Windows-Security-Auditing" }, "log" : { "level" : "information" }, "elastic_agent" : { "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "version" : "8.0.0", "snapshot" : false }, "message" : """A network share object was checked to see whether client can be granted desired access. 
Subject: Security ID: S-1-5-21-308926384-506822093-3341789130-220106 Account Name: samir Account Domain: 3B Logon ID: 0x2A23A5 Network Information: Object Type: File Source Address: 172.16.66.25 Source Port: 50071 Share Information: Share Name: \\*\IPC$ Share Path: Relative Target Name: winreg Access Request Information: Access Mask: 0x12019F Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA ReadAttributes WriteAttributes Access Check Results: -""", "input" : { "type" : "winlog" }, "@timestamp" : "2022-02-16T10:15:26.336Z", "ecs" : { "version" : "1.12.0" }, "data_stream" : { "namespace" : "default", "type" : "logs", "dataset" : "system.security" }, "host" : { "hostname" : "01566s-win16-ir", "os" : { "build" : "14393.3659", "kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)", "name" : "Windows Server 2016 Datacenter", "family" : "windows", "type" : "windows", "version" : "10.0", "platform" : "windows" }, "ip" : [ "172.16.66.36", "fe80::ffff:ffff:fffe", "fe80::5efe:ac10:4224" ], "name" : "01566s-win16-ir.threebeesco.com", "id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872", "mac" : [ "00:50:56:24:6c:d2", "00:00:00:00:00:00:00:e0", "00:00:00:00:00:00:00:e0" ], "architecture" : "x86_64" }, "event" : { "agent_id_status" : "verified", "ingested" : "2022-02-16T10:15:28Z", "code" : "5145", "provider" : "Microsoft-Windows-Security-Auditing", "kind" : "event", "created" : "2022-02-16T10:15:27.675Z", "action" : "Detailed File Share", "dataset" : "system.security", "outcome" : "success" } } } ] }, ``` * Update non-ecs-schema.json * Update rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml Co-authored-by: Jonhnathan Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Jonhnathan (cherry picked from commit c254d0de8bc8789e23ac6ec13e30147a95ed6afc) --- etc/non-ecs-schema.json | 3 +- 
 ...cious_winreg_access_via_sebackup_priv.toml | 94 +++++++++++++++++++
 2 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index 857095612..59ad39288 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -35,7 +35,8 @@
 "TargetImage": "keyword",
 "TargetLogonId": "keyword",
 "TargetProcessGUID": "keyword",
- "TargetSid": "keyword"
+ "TargetSid": "keyword",
+ "PrivilegeList": "keyword"
 }
 },
 "winlog.logon.type": "keyword",
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
new file mode 100644
index 000000000..bacd4eae5
--- /dev/null
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -0,0 +1,94 @@
+[metadata]
+creation_date = "2022/02/16"
+maturity = "production"
+updated_date = "2022/02/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies remote access to the registry via an account with Backup Operators group membership. This may indicate an
+attempt to exfiltrate credentials via dumping the SAM registry hive in preparation for credential access and privileges
+elevation.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Remote Registry Access via SeBackupPrivilege"
+note = """## Config
+
+The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Object Access >
+Audit Detailed File Share (Success)
+```
+
+The 'Special Logon' audit policy must be configured (Success).
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Logon/Logoff >
+Special Logon (Success)
+```
+"""
+references = [
+ "https://github.com/mpgn/BackupOperatorToDA",
+ "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp",
+]
+risk_score = 47
+rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m
+ [iam where event.action == "logged-in-special" and
+ winlog.event_data.PrivilegeList : "SeBackupPrivilege"]
+ [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "OS Credential Dumping"
+id = "T1003"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+name = "Security Account Manager"
+id = "T1003.002"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+
+
+[rule.threat.tactic]
+name = "Credential Access"
+id = "TA0006"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "Remote Services"
+id = "T1021"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+
+[rule.threat.tactic]
+name = "Lateral Movement"
+id = "TA0008"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
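Review bot: The first sequence step, `winlog.event_data.PrivilegeList : "SeBackupPrivilege"`, matches any special logon that was granted the privilege, not only Backup Operators members as `description` claims — a 4672 for a member of the built-in Administrators group normally lists SeBackupPrivilege as well, so routine remote-registry access by administrators (remote regedit, GPO or inventory tooling, vulnerability scanners) produces the same 4672→5145 pair and will fire this `maturity = "production"` rule. If a Backup Operators-style token is the real target, exclude a privilege that only full administrators carry, e.g. `winlog.event_data.PrivilegeList : "SeBackupPrivilege" and not winlog.event_data.PrivilegeList : "SeDebugPrivilege"` (the sample 4672 in the commit message lists only SeBackupPrivilege and SeRestorePrivilege); otherwise the overlap belongs in `note` as a false-positive/triage paragraph, which the note currently lacks. The note should also state that 5145 is high-volume on file servers, so `Audit Detailed File Share (Success)` is expected on DCs and sensitive servers only, and that `event.action == "Detailed File Share"` relies on the system integration's mapping of event 5145 rather than ECS. Two typos in the note while editing: "is required be configured" and "with with Advanced Audit Configuration".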