Samirbous
a6582351b5
* [New Rule] Potential Remote Credential Access via Registry 4624 logon followed by hive file creation by regsvc svchost.exe by same user.name and host.id. This matches on secretdsdump and other similar implementations. require to correlation Elastic endpoint file events with System integration logs (4624). Example of data : * Delete workspace.xml * Update credential_access_remote_sam_secretsdump.toml * Update credential_access_remote_sam_secretsdump.toml * add non ecs field * Update non-ecs-schema.json * Update credential_access_remote_sam_secretsdump.toml * Update rules/windows/credential_access_remote_sam_secretsdump.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/windows/credential_access_remote_sam_secretsdump.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/windows/credential_access_remote_sam_secretsdump.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
72 lines
2.3 KiB
TOML
72 lines
2.3 KiB
TOML
[metadata]
|
|
creation_date = "2022/03/01"
|
|
maturity = "production"
|
|
min_stack_comments = "The field `file.Ext.header_bytes` was not introduced until 7.15"
|
|
min_stack_version = "7.15.0"
|
|
updated_date = "2022/03/01"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies remote access to the registry to potentially dump credential data from the SAM registry hive in preparation
|
|
for credential access and privileges elevation.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Potential Remote Credential Access via Registry"
|
|
note = """## Config
|
|
|
|
This rule uses Elastic Endpoint file creation and System Integration events for correlation. Both data should be
|
|
collected from the host for this detection to work.
|
|
"""
|
|
references = ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"]
|
|
risk_score = 73
|
|
rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8"
|
|
severity = "high"
|
|
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access"]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
sequence by host.id, user.id with maxspan=1m
|
|
[authentication where
|
|
event.outcome == "success" and
|
|
winlog.logon.type == "Network" and not user.name == "ANONYMOUS LOGON" and
|
|
not user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and source.ip !="::1"]
|
|
[file where event.action == "creation" and process.name : "svchost.exe" and
|
|
file.Ext.header_bytes : "72656766*" and user.id : "S-1-5-21-*" and file.size >= 30000]
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
name = "OS Credential Dumping"
|
|
id = "T1003"
|
|
reference = "https://attack.mitre.org/techniques/T1003/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
name = "Security Account Manager"
|
|
id = "T1003.002"
|
|
reference = "https://attack.mitre.org/techniques/T1003/002/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
name = "Credential Access"
|
|
id = "TA0006"
|
|
reference = "https://attack.mitre.org/tactics/TA0006/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
name = "Remote Services"
|
|
id = "T1021"
|
|
reference = "https://attack.mitre.org/techniques/T1021/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
name = "Lateral Movement"
|
|
id = "TA0008"
|
|
reference = "https://attack.mitre.org/tactics/TA0008/"
|