From d2365783fa5393f514fa28f4acfc57771ff047d9 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 3 Aug 2021 15:28:17 -0500 Subject: [PATCH] [Rule Tuning] NTDS or SAM Database File Copied (#1378) * Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml to include esentutl.exe Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> --- ...ess_copy_ntds_sam_volshadowcp_cmdline.toml | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 176bea0e3..379fe7d1e 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/24" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/07/22" [rule] -author = ["Elastic"] +author = ["Elastic","Austin Songer"] description = """ Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials. @@ -15,7 +15,10 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "NTDS or SAM Database File Copied" -references = ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"] +references = [ + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", +] risk_score = 73 rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f" severity = "high" @@ -25,9 +28,13 @@ type = "eql" query = ''' process where event.type in ("start", "process_started") and - process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and - process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv") and - process.args : ("*\\ntds.dit", "*\\config\\SAM", "\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*") + ( + (process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and + process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv") + ) or + (process.pe.original_file_name : "esentutl.exe" and process.args : ("*/y*", "*/vss*", "*/d*")) + ) and + process.args : ("*\\ntds.dit", "*\\config\\SAM", "\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*") ''' @@ -43,4 +50,3 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -