security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
15faf34a2fbb9892e70166fa6ff56a53d7fa5cee
sigma-rules/rules/windows/credential_access_remote_sam_secretsdump.toml
T
Jonhnathan 3a5fceac3b [Security Content] Add Investigation Guides - 3 (#1836) 
* [Security Content] Add Investigation Guides - 3
* Adjust Investigation Guides and Config
* Adjust Config

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
2022-04-12 15:58:50 -08:00

110 lines
4.1 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2022/03/01"
maturity = "production"
min_stack_comments = "The field `file.Ext.header_bytes` was not introduced until 7.15"
min_stack_version = "7.15.0"
updated_date = "2022/03/31"
[rule]
author = ["Elastic"]
description = """
Identifies remote access to the registry to potentially dump credential data from the SAM registry hive in preparation
for credential access and privileges elevation.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote Credential Access via Registry"
note = """## Triage and analysis
### Investigating Potential Remote Credential Access via Registry
Dumping registry hives is a common way to access credential information. Some hives store credential material,
such as the SAM hive, which stores locally cached credentials (SAM Secrets), and the SECURITY hive, which stores domain
cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to
decrypt these secrets.
Attackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped
credentials to access other systems in the domain.
#### Possible investigation steps
- Identify the target host role, involved account, and source host.
- Determine the privileges assigned to any compromised accounts.
- Investigate other alerts related to the involved user and source host in the last 48 hours.
- Scope potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target
host.
### False positive analysis
- False positives for this rule are unlikely. Any activity that triggered the alert and is not inherently malicious must
be monitored by the security team.
### Related rules
- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Scope compromised credentials and disable the accounts.
- Reset the passwords of compromised accounts.
- Determine if other hosts were compromised.
## Config
This rule uses Elastic Endpoint file creation and System Integration events for correlation. Both data should be
collected from the host for this detection to work.
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"]
risk_score = 73
rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access"]
type = "eql"
query = '''
sequence by host.id, user.id with maxspan=1m
[authentication where
event.outcome == "success" and
winlog.logon.type == "Network" and not user.name == "ANONYMOUS LOGON" and
not user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and source.ip !="::1"]
[file where event.action == "creation" and process.name : "svchost.exe" and
file.Ext.header_bytes : "72656766*" and user.id : "S-1-5-21-*" and file.size >= 30000]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "OS Credential Dumping"
id = "T1003"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
name = "Security Account Manager"
id = "T1003.002"
reference = "https://attack.mitre.org/techniques/T1003/002/"
[rule.threat.tactic]
name = "Credential Access"
id = "TA0006"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "Remote Services"
id = "T1021"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
name = "Lateral Movement"
id = "TA0008"
reference = "https://attack.mitre.org/tactics/TA0008/"
Reference in New Issue View Git Blame Copy Permalink