security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Scheduled Task Execution at Scale via GPO (#1605)

Browse Source 
* "Scheduled Task Execution at Scale via GPO" Initial Rule
* Update non-ecs-schema.json

(cherry picked from commit 865771886e)
This commit is contained in:
Jonhnathan
2022-01-19 22:06:48 -03:00
committed by github-actions[bot]
parent d0b144acbc
commit e9a47c69f4
2 changed files with 135 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
etc/non-ecs-schema.json
+18 -11
View File
@@ -8,18 +8,25 @@
}
},
"winlogbeat-*": {
"winlog.event_data.OriginalFileName": "keyword",
"winlog.event_data.GrantedAccess": "keyword",
"winlog.event_data.CallTrace": "keyword",
"powershell.file.script_block_text": "text",
"winlog.event_data.TargetProcessGUID": "keyword",
"powershell.file.script_block_text": "text",
"winlog.event_data.CallerProcessName": "keyword",
"winlog.event_data.TargetSid": "keyword",
"winlog": {
"event_data": {
"AccessList": "keyword",
"AttributeLDAPDisplayName": "keyword",
"AttributeValue": "keyword",
"CallerProcessName": "keyword",
"CallTrace": "keyword",
"OriginalFileName": "keyword",
"GrantedAccess": "keyword",
"RelativeTargetName": "keyword",
"ShareName": "keyword",
"SubjectLogonId": "keyword",
"TargetImage": "keyword",
"TargetLogonId": "keyword",
"TargetProcessGUID": "keyword",
"TargetSid": "keyword"
}
},
"winlog.logon.type": "keyword",
"winlog.event_data.TargetLogonId": "keyword",
"winlog.event_data.SubjectLogonId": "keyword",
"winlog.event_data.TargetImage": "keyword",
"powershell.file.script_block_text": "text"
},
"filebeat-*": {
rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+117
View File
@@ -0,0 +1,117 @@
[metadata]
creation_date = "2021/11/08"
maturity = "production"
updated_date = "2021/11/08"
[rule]
author = ["Elastic"]
description = """
Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.
"""
index = ["winlogbeat-*", "logs-system.*"]
language = "kuery"
license = "Elastic License v2"
name = "Scheduled Task Execution at Scale via GPO"
note = """## Triage and analysis
### Investigating Scheduled Task Execution at Scale via GPO
Group Policy Objects can be used by attackers to execute Scheduled Tasks at scale to compromise Objects controlled by a given GPO,
this is done by changing the contents of the `<GPOPath>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.
#### Possible investigation steps:
- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate
and the administrator is authorized to perform this operation.
- Retrieve the contents of the `ScheduledTasks.xml` file, check the `<Command>` and `<Arguments>` XML tags for any potentially malicious
commands and binaries.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
- Verify if the execution is allowed and done under change management, and if the execution is legitimate.
### Related Rules
- Group Policy Abuse for Privilege Addition
- Startup/Logon Script added to Group Policy Object
### Response and Remediation
- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
post-compromise behavior.
## Config
The 'Audit Detailed File Share' audit policy is required be configured (Success Failure).
Steps to implement the logging policy with with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Object Access >
Audit Detailed File Share (Success,Failure)
```
The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).
Steps to implement the logging policy with with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```
"""
references = [
"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
"https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
"https://labs.f-secure.com/tools/sharpgpoabuse",
"https://twitter.com/menasec1/status/1106899890377052160",
"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_gpo_scheduledtasks.yml"
]
risk_score = 47
rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory"]
timestamp_override = "event.ingested"
type = "query"
query = '''
(event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:("gPCMachineExtensionNames" or "gPCUserExtensionNames") and
winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))
or
(event.code: "5145" and winlog.event_data.ShareName: "\\\\*\\SYSVOL" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and
(message: WriteData or winlog.event_data.AccessList: *%%4417*))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
reference = "https://attack.mitre.org/techniques/T1053/"
id = "T1053"
name = "Scheduled Task/Job"
[[rule.threat.technique.subtechnique]]
reference = "https://attack.mitre.org/techniques/T1053/005/"
id = "T1053.005"
name = "Scheduled Task"
[[rule.threat.technique]]
reference = "https://attack.mitre.org/techniques/T1484/"
id = "T1484"
name = "Domain Policy Modification"
[[rule.threat.technique.subtechnique]]
reference = "https://attack.mitre.org/techniques/T1484/001/"
id = "T1484.001"
name = "Group Policy Modification"
[rule.threat.tactic]
reference = "https://attack.mitre.org/tactics/TA0004/"
id = "TA0004"
name = "Privilege Escalation"