[metadata] creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/10/23" [rule] author = ["Elastic"] description = """ Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Access to a Sensitive LDAP Attribute" references = [ "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", ] risk_score = 47 rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66" setup = """ The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Access (Success,Failure) ``` """ severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] timestamp_override = "event.ingested" type = "eql" query = ''' any where event.action == "Directory Service Access" and event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and winlog.event_data.Properties : ( /* unixUserPassword */ "*612cb747-c0e8-4f92-9221-fdd5f15b550d*", /* ms-PKI-AccountCredentials */ "*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*", /* ms-PKI-DPAPIMasterKeys */ "*b3f93023-9239-4f7c-b99c-6745d87adbc2*", /* msPKI-CredentialRoamingTokens */ "*b7ff5a38-0818-42b0-8110-d3d154c97f24*" ) and /* Excluding noisy AccessMasks 0x0 undefined and 0x100 Control Access https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 */ not winlog.event_data.AccessMask in ("0x0", "0x100") ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/"