[Rule Tuning] Symbolic Link to Shadow Copy Created (#1830)
* fixed duplicated file name
* deprecated Symbolic Link to Shadow Copy Created as it may be prone to FP and the intrusion steps are covered with NTDS or SAM Database File Copied
* moved rule back to production, added investigation notes and sequencing to EQL query
* added related rule 3bc6deaa-fbd4-433a-ae21-3e892f95624f to investigation notes
* updating with minor changes
* adjusted related rules
* adjusted investigation notes
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* TOML linted and adjusted updated date
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 096723b2a1)
This commit is contained in:
committed by github-actions[bot]
parent a951b99c13
commit d26759d5a8
@@ -0,0 +1,102 @@
[metadata]
creation_date = "2021/12/25"
maturity = "production"
updated_date = "2022/03/18"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow
copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.
"""
false_positives = ["Legitimate administrative activity related to shadow copies."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Symbolic Link to Shadow Copy Created"
note = """## Triage and analysis.

### Investigating

Shadow copies are backups or snapshots of an endpoints files or volumes at the time of being in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes but an offline copy is needed to extract these hashes and potentially conduct lateral movement.

#### Possible investigation steps:

- Determine if a volume shadow copy was recently created on this endpoint.
- Review priviledges of the end user as this requires administrative access.
- Verify ntds.dit file was successfully copied and the location.
- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.
- Investigate recent deletions of volume shadow copies.
- Identify other files potentially copied from volume shadow copy paths directly.

### False Positive Analysis

- There should be very little false positive triggers with this rule.

### Related Rules
- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f

### Response and Remediation

- Initiate the incident response process based on the outcome of the triage.
- In case specific credentials were compromised:
- Reset the password for the accounts
- Locate and remove static files copied from volume shadow copies.
- Command-Line tool mklink should require administrative access by default unless in developer mode.

## Config

Ensure advanced audit policies for Windows are enabled, specifically
Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)

```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
System Audit Policies >
Object Access >
Audit File System (Success,Failure)
Audit Handle Manipulation (Success,Failure)
```

This event will only trigger if symbolic links are created from a new process spawning for cmd.exe or powershell.exe with the correct arguments.
Direct access to a shell and calling symbolic link creation tools will not generate an event.
"""
references = [
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",
"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf",
"https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/",
"https://www.hackingarticles.in/credential-dumping-ntds-dit/",
]
risk_score = 47
rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type in ("start","process_created") and
process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE") and

/* Create Symbolic Link to Shadow Copies */
process.args : ("*mklink*", "*SymbolicLink*") and process.command_line : ("*HarddiskVolumeShadowCopy*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

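Review bot: on the `process where event.type in ("start","process_created")` line, the second value differs from the `process_started` used by the deleted copy of this rule below; unless the Winlogbeat/Windows integration documents in `logs-windows.*` really carry `process_created`, that branch of the index pattern will only ever match on `start`, so please confirm the value or restore `process_started`. The commit message says sequencing was added to the EQL query, but what lands here is a flat `process where ...` with no `sequence` clause, so one of the two is stale. In the `note`, the `## Config` section tells the reader to enable Object Access auditing for Event ID 4656 (handle requests), yet nothing in the query consumes 4656 or any file/handle event, and the two closing sentences of the note already say the rule fires only on a new cmd.exe/powershell.exe process with the right arguments; either drop the audit-policy block or reword it as an optional data source for the investigation steps rather than a prerequisite for the rule. The `process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE")` clause also leaves out pwsh.exe (PowerShell 7), so a `New-Item -ItemType SymbolicLink` run from it would not match the `*SymbolicLink*` pattern; add it if cross-version coverage is intended. Smaller points in the `note`: "priviledges" in "Review priviledges of the end user" is misspelled, "an endpoints files" should read "an endpoint's files", and the "## Triage and analysis." heading carries a trailing period.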
@@ -1,47 +0,0 @@
[metadata]
creation_date = "2021/12/25"
maturity = "production"
updated_date = "2022/02/16"

[rule]
author = ["Austin Songer"]
description = """
Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow
copy, including sensitive files that may contain credential information.
"""
false_positives = ["Legitimate administrative activity related to shadow copies."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Symbolic Link to Shadow Copy Created"
references = [
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",
"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf",
]
risk_score = 47
rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type in ("start", "process_started") and
process.pe.original_file_name == "Cmd.Exe" and
process.args : "*mklink*" and
process.args : "*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
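Review bot: this deleted file carries the same `rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0"` as the file added in the hunk above, so removing it is needed to keep the id unique, but the replacement is not a pure rename and the commit message ("fixed duplicated file name") does not say so. The query being removed only fired on `Cmd.Exe` with an argument matching `*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*`, whereas the surviving copy matches `Cmd.Exe` or `PowerShell.EXE`, accepts `*SymbolicLink*` as well as `*mklink*`, and looks for the bare substring `*HarddiskVolumeShadowCopy*` anywhere in `process.command_line`; that is a noticeably wider net at the same `risk_score = 47` and `severity = "medium"`, which is worth a sentence in the message (the `* deprecated ... may be prone to FP` line suggests false positives were already a concern). Please also confirm that the old path was only the filename duplicate and that nothing else in the repo still references it.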