From f217aed00d3c37ffce32dc814ffb2f56ebc5f553 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Wed, 27 Mar 2024 18:21:07 -0300 Subject: [PATCH] [New Rule] Creation of a DNS-Named Record (#3539) * [New Rule] Creation of a DNS-Named Record * Update credential_access_dnsnode_creation.toml * Update rules/windows/credential_access_dnsnode_creation.toml (cherry picked from commit 954a93c3b4bb9e806be6d2d52711e7dff7b834f4) --- .../credential_access_dnsnode_creation.toml | 84 +++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 rules/windows/credential_access_dnsnode_creation.toml diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml new file mode 100644 index 000000000..2f42ee0b8 --- /dev/null +++ b/rules/windows/credential_access_dnsnode_creation.toml @@ -0,0 +1,84 @@ +[metadata] +creation_date = "2024/03/26" +integration = ["system", "windows"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2024/03/26" + +[rule] +author = ["Elastic"] +description = """ +Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and +replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces +some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers +can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target +systems that are requested from multiple systems. They can also create specific records to target specific services, +such as wpad, for spoofing attacks. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] +language = "eql" +license = "Elastic License v2" +name = "Creation of a DNS-Named Record" +references = [ + "https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/", + "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing" +] +risk_score = 21 +rule_id = "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc" +setup = """## Setup + +The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Changes (Success,Failure) +``` + +The above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule. + +``` +Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success +``` +""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring" +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +any where host.os.type == "windows" and event.action == "Directory Service Changes" and + event.code == "5137" and winlog.event_data.ObjectClass == "dnsNode" and + not winlog.event_data.SubjectUserName : "*$" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +