diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index f3a8b980e..75cf2f0af 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -8,18 +8,25 @@
 }
 },
 "winlogbeat-*": {
- "winlog.event_data.OriginalFileName": "keyword",
- "winlog.event_data.GrantedAccess": "keyword",
- "winlog.event_data.CallTrace": "keyword",
- "powershell.file.script_block_text": "text",
- "winlog.event_data.TargetProcessGUID": "keyword",
- "powershell.file.script_block_text": "text",
- "winlog.event_data.CallerProcessName": "keyword",
- "winlog.event_data.TargetSid": "keyword",
+ "winlog": {
+ "event_data": {
+ "AccessList": "keyword",
+ "AttributeLDAPDisplayName": "keyword",
+ "AttributeValue": "keyword",
+ "CallerProcessName": "keyword",
+ "CallTrace": "keyword",
+ "OriginalFileName": "keyword",
+ "GrantedAccess": "keyword",
+ "RelativeTargetName": "keyword",
+ "ShareName": "keyword",
+ "SubjectLogonId": "keyword",
+ "TargetImage": "keyword",
+ "TargetLogonId": "keyword",
+ "TargetProcessGUID": "keyword",
+ "TargetSid": "keyword"
+ }
+ },
 "winlog.logon.type": "keyword",
- "winlog.event_data.TargetLogonId": "keyword",
- "winlog.event_data.SubjectLogonId": "keyword",
- "winlog.event_data.TargetImage": "keyword",
 "powershell.file.script_block_text": "text"
 },
 "filebeat-*": {
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
new file mode 100644
index 000000000..db7ba63bb
--- /dev/null
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
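Review bot: `winlog.logon.type` on the context line just below the new block is still a dotted key while the sibling `winlog.event_data.*` fields were moved under a nested `winlog` object, so the file now spells the same `winlog` prefix two ways; unless the schema loader is known to merge dotted and nested forms, it would be safer to move it inside the new object as `"logon": { "type": "keyword" }`. The new `event_data` list is alphabetical except that `OriginalFileName` sits before `GrantedAccess`; swapping those two lines keeps the ordering consistent.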
@@ -0,0 +1,117 @@
+[metadata]
+creation_date = "2021/11/08"
+maturity = "production"
+updated_date = "2021/11/08"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.
+"""
+index = ["winlogbeat-*", "logs-system.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Scheduled Task Execution at Scale via GPO"
+note = """## Triage and analysis
+
+### Investigating Scheduled Task Execution at Scale via GPO
+
+Group Policy Objects can be used by attackers to execute Scheduled Tasks at scale to compromise Objects controlled by a given GPO,
+this is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.
+
+#### Possible investigation steps:
+- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate
+and the administrator is authorized to perform this operation.
+- Retrieve the contents of the `ScheduledTasks.xml` file, check the `` and `` XML tags for any potentially malicious
+commands and binaries.
+- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
+
+### False Positive Analysis
+- Verify if the execution is allowed and done under change management, and if the execution is legitimate.
+
+### Related Rules
+- Group Policy Abuse for Privilege Addition
+- Startup/Logon Script added to Group Policy Object
+
+### Response and Remediation
+- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
+post-compromise behavior.
+
+## Config
+
+The 'Audit Detailed File Share' audit policy is required be configured (Success Failure).
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Object Access >
+Audit Detailed File Share (Success,Failure)
+```
+
+The 'Audit Directory Service Changes' audit policy is required be configured (Success Failure).
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Changes (Success,Failure)
+```
+"""
+references = [
+ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
+ "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
+ "https://labs.f-secure.com/tools/sharpgpoabuse",
+ "https://twitter.com/menasec1/status/1106899890377052160",
+ "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_gpo_scheduledtasks.yml"
+]
+risk_score = 47
+rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+(event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:("gPCMachineExtensionNames" or "gPCUserExtensionNames") and
+ winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))
+or
+(event.code: "5145" and winlog.event_data.ShareName: "\\\\*\\SYSVOL" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and
+ (message: WriteData or winlog.event_data.AccessList: *%%4417*))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1053/"
+id = "T1053"
+name = "Scheduled Task/Job"
+
+ [[rule.threat.technique.subtechnique]]
+ reference = "https://attack.mitre.org/techniques/T1053/005/"
+ id = "T1053.005"
+ name = "Scheduled Task"
+
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1484/"
+id = "T1484"
+name = "Domain Policy Modification"
+
+ [[rule.threat.technique.subtechnique]]
+ reference = "https://attack.mitre.org/techniques/T1484/001/"
+ id = "T1484.001"
+ name = "Group Policy Modification"
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0004"
+name = "Privilege Escalation"
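Review bot: The Config section of `note` presents the 'Audit Directory Service Changes' policy as the only prerequisite for the event 5136 branch of `query`, but as far as I know Directory Service Changes events are additionally gated by the SACL on the directory objects themselves, so a GPO container without a matching audit entry will never emit 5136 and the first clause silently has no coverage; a sentence such as `Event 5136 is only generated for objects whose SACL audits the relevant write — confirm the GPO containers carry one` next to the DS Access steps would make that explicit. The same section has two wording slips, each repeated for both policies: `is required be configured` should read `is required to be configured`, and `with with Advanced Audit Configuration` doubles the word. In the investigation steps, the sentence about `ScheduledTasks.xml` contains two empty backtick pairs where the XML tag names were expected — possibly a rendering artefact, but worth checking in the committed file.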