security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
322162f097a12e8a468a8b42d86a00a8a71fec66
sigma-rules/rules/windows/credential_access_dnsnode_creation.toml
T

82 lines
2.8 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2024/03/26"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/07/08"
[rule]
author = ["Elastic"]
description = """
Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and
replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces
some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers
can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target
systems that are requested from multiple systems. They can also create specific records to target specific services,
such as wpad, for spoofing attacks.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Creation of a DNS-Named Record"
references = [
"https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/",
"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing",
]
risk_score = 21
rule_id = "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc"
setup = """## Setup
The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```
The above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
```
Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success
```
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Active Directory",
"Use Case: Active Directory Monitoring",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and
event.code == "5137" and winlog.event_data.ObjectClass == "dnsNode" and
not winlog.event_data.SubjectUserName : "*$"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1557"
name = "Adversary-in-the-Middle"
reference = "https://attack.mitre.org/techniques/T1557/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
Reference in New Issue View Git Blame Copy Permalink