Samirbous 3f047b987e [New Rule] Service Creation via Local Kerberos Authentication (#1941)
* [New Rule] Suspicious Service Creation via Local Kerberos Relay over LDAP

This rule will also catch the suspicious service that was created leveraging the imported Kerberos ticket https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82, which makes triage easier:

DATA:

```
 "sequences" : [
      {
        "join_keys" : [
          "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
          "0xefac5f"
        ],
        "events" : [
          {
            "_index" : ".ds-logs-system.security-default-2022.04.12-000003",
            "_id" : "XAy1YoABQhClK0XGpqaL",
            "_source" : {
              "agent" : {
                "name" : "02694w-win10",
                "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
                "type" : "filebeat",
                "ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04",
                "version" : "8.0.0"
              },
              "process" : {
                "name" : "-",
                "pid" : 0,
                "executable" : "-"
              },
              "winlog" : {
                "computer_name" : "02694w-win10.threebeesco.com",
                "process" : {
                  "pid" : 688,
                  "thread" : {
                    "id" : 5160
                  }
                },
                "keywords" : [
                  "Audit Success"
                ],
                "logon" : {
                  "id" : "0x0",
                  "type" : "Network"
                },
                "channel" : "Security",
                "event_data" : {
                  "LogonGuid" : "{82d3503b-9dac-ab6d-b045-8877b5aab051}",
                  "TargetOutboundDomainName" : "-",
                  "VirtualAccount" : "%%1843",
                  "LogonType" : "3",
                  "TransmittedServices" : "-",
                  "SubjectLogonId" : "0x0",
                  "LmPackageName" : "-",
                  "TargetOutboundUserName" : "-",
                  "KeyLength" : "0",
                  "RestrictedAdminMode" : "-",
                  "TargetLogonId" : "0xefac5f",
                  "SubjectUserName" : "-",
                  "TargetLinkedLogonId" : "0x0",
                  "ElevatedToken" : "%%1842",
                  "SubjectDomainName" : "-",
                  "ImpersonationLevel" : "%%1833",
                  "TargetUserName" : "Administrator",
                  "TargetDomainName" : "THREEBEESCO.COM",
                  "LogonProcessName" : "Kerberos",
                  "SubjectUserSid" : "S-1-0-0",
                  "TargetUserSid" : "S-1-5-21-308926384-506822093-3341789130-500",
                  "AuthenticationPackageName" : "Kerberos"
                },
                "opcode" : "Info",
                "version" : 2,
                "record_id" : "59330",
                "task" : "Logon",
                "event_id" : "4624",
                "provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}",
                "activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}",
                "api" : "wineventlog",
                "provider_name" : "Microsoft-Windows-Security-Auditing"
              },
              "log" : {
                "level" : "information"
              },
              "elastic_agent" : {
                "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
                "version" : "8.0.0",
                "snapshot" : false
              },
              "source" : {
                "port" : 50494,
                "ip" : "127.0.0.1",
                "domain" : "-"
              },
              "message" : """An account was successfully logged on.

Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		S-1-5-21-308926384-506822093-3341789130-500
	Account Name:		Administrator
	Account Domain:		THREEBEESCO.COM
	Logon ID:		0xEFAC5F
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{82d3503b-9dac-ab6d-b045-8877b5aab051}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	-
	Source Network Address:	127.0.0.1
	Source Port:		50494

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
              "input" : {
                "type" : "winlog"
              },
              "@timestamp" : "2022-04-25T21:09:04.559Z",
              "ecs" : {
                "version" : "1.12.0"
              },
              "related" : {
                "ip" : [
                  "127.0.0.1"
                ],
                "user" : [
                  "Administrator"
                ]
              },
              "data_stream" : {
                "namespace" : "default",
                "type" : "logs",
                "dataset" : "system.security"
              },
              "host" : {
                "hostname" : "02694w-win10",
                "os" : {
                  "build" : "18363.815",
                  "kernel" : "10.0.18362.815 (WinBuild.160101.0800)",
                  "name" : "Windows 10 Enterprise",
                  "family" : "windows",
                  "type" : "windows",
                  "version" : "10.0",
                  "platform" : "windows"
                },
                "ip" : [
                  "fe80::7587:a5c1:5a7b:68f6",
                  "172.16.66.25"
                ],
                "name" : "02694w-win10.threebeesco.com",
                "id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
                "mac" : [
                  "00:50:56:03:c6:93"
                ],
                "architecture" : "x86_64"
              },
              "event" : {
                "agent_id_status" : "verified",
                "ingested" : "2022-04-25T21:51:53Z",
                "code" : "4624",
                "provider" : "Microsoft-Windows-Security-Auditing",
                "kind" : "event",
                "created" : "2022-04-25T21:51:15.561Z",
                "action" : "logged-in",
                "category" : [
                  "authentication"
                ],
                "type" : [
                  "start"
                ],
                "dataset" : "system.security",
                "outcome" : "success"
              },
              "user" : {
                "domain" : "THREEBEESCO.COM",
                "name" : "Administrator",
                "id" : "S-1-5-21-308926384-506822093-3341789130-500"
              }
            }
          },
          {
            "_index" : ".ds-logs-system.security-default-2022.04.12-000003",
            "_id" : "Xwy1YoABQhClK0XGpqaL",
            "_source" : {
              "agent" : {
                "name" : "02694w-win10",
                "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
                "ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04",
                "type" : "filebeat",
                "version" : "8.0.0"
              },
              "winlog" : {
                "computer_name" : "02694w-win10.threebeesco.com",
                "process" : {
                  "pid" : 688,
                  "thread" : {
                    "id" : 5160
                  }
                },
                "keywords" : [
                  "Audit Success"
                ],
                "logon" : {
                  "id" : "0xefac5f"
                },
                "channel" : "Security",
                "event_data" : {
                  "ServiceAccount" : "LocalSystem",
                  "SubjectUserName" : "Administrator",
                  "ServiceStartType" : "3",
                  "ServiceName" : "KrbSCM",
                  "ServiceType" : "0x10",
                  "SubjectDomainName" : "3B",
                  "SubjectLogonId" : "0xefac5f",
                  "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-500",
                  "ServiceFileName" : "\"C:\\Users\\lgreen\\Downloads\\KrbRelayUp.exe\" system 1"
                },
                "opcode" : "Info",
                "record_id" : "59331",
                "task" : "Security System Extension",
                "event_id" : "4697",
                "provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}",
                "activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}",
                "api" : "wineventlog",
                "provider_name" : "Microsoft-Windows-Security-Auditing"
              },
              "log" : {
                "level" : "information"
              },
              "elastic_agent" : {
                "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
                "version" : "8.0.0",
                "snapshot" : false
              },
              "message" : """A service was installed in the system.

Subject:
	Security ID:		S-1-5-21-308926384-506822093-3341789130-500
	Account Name:		Administrator
	Account Domain:		3B
	Logon ID:		0xEFAC5F

Service Information:
	Service Name: 		KrbSCM
	Service File Name:	"C:\Users\lgreen\Downloads\KrbRelayUp.exe" system 1

	Service Type: 		0x10
	Service Start Type:	3
	Service Account: 		LocalSystem""",
              "input" : {
                "type" : "winlog"
              },
              "@timestamp" : "2022-04-25T21:09:04.561Z",
              "ecs" : {
                "version" : "1.12.0"
              },
              "related" : {
                "user" : [
                  "Administrator"
                ]
              },
              "data_stream" : {
                "namespace" : "default",
                "type" : "logs",
                "dataset" : "system.security"
              },
              "service" : {
                "name" : "KrbSCM",
                "type" : "Win32 Own Process"
              },
              "host" : {
                "hostname" : "02694w-win10",
                "os" : {
                  "build" : "18363.815",
                  "kernel" : "10.0.18362.815 (WinBuild.160101.0800)",
                  "name" : "Windows 10 Enterprise",
                  "family" : "windows",
                  "type" : "windows",
                  "version" : "10.0",
                  "platform" : "windows"
                },
                "ip" : [
                  "fe80::7587:a5c1:5a7b:68f6",
                  "172.16.66.25"
                ],
                "name" : "02694w-win10.threebeesco.com",
                "id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
                "mac" : [
                  "00:50:56:03:c6:93"
                ],
                "architecture" : "x86_64"
              },
              "event" : {
                "agent_id_status" : "verified",
                "ingested" : "2022-04-25T21:51:53Z",
                "code" : "4697",
                "provider" : "Microsoft-Windows-Security-Auditing",
                "created" : "2022-04-25T21:51:15.561Z",
                "kind" : "event",
                "action" : "service-installed",
                "category" : [
                  "iam",
                  "configuration"
                ],
                "type" : [
                  "admin",
                  "change"
                ],
                "dataset" : "system.security",
                "outcome" : "success"
              },
              "user" : {
                "domain" : "3B",
                "name" : "Administrator",
                "id" : "S-1-5-21-308926384-506822093-3341789130-500"
              }
            }
          }
        ]
```

* Update privilege_escalation_krbrelayup_service_creation.toml

* removed duplicate SubjectLogonId from non ecs fields list
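The correlation this commit's rule expresses (a loopback Kerberos network logon joined to a later service install under the same logon id), re-implemented in Python as an added example that is not code from the commit or from the detection-rules project. The events are constructed from the shape of the 4624/4697 documents above with field names flattened, and the one-minute join window is an assumption.

```python
"""Added example: sequence join of event 4624 (local Kerberos logon) -> event 4697
(service installed) on the same host and logon id, with benign noise for contrast."""
from datetime import datetime, timedelta

# Constructed sample events, trimmed to the fields the correlation needs.
EVENTS = [
    {"@timestamp": "2022-04-25T21:09:04.559Z", "event.code": "4624", "host.id": "h1",
     "source.ip": "127.0.0.1", "LogonProcessName": "Kerberos",
     "LogonType": "3", "TargetLogonId": "0xefac5f", "TargetUserName": "Administrator"},
    {"@timestamp": "2022-04-25T21:09:04.561Z", "event.code": "4697", "host.id": "h1",
     "SubjectLogonId": "0xefac5f", "ServiceName": "KrbSCM",
     "ServiceFileName": '"C:\\Users\\lgreen\\Downloads\\KrbRelayUp.exe" system 1'},
    # Benign noise: a remote Kerberos network logon followed by an unrelated service install.
    {"@timestamp": "2022-04-25T21:10:00.000Z", "event.code": "4624", "host.id": "h1",
     "source.ip": "172.16.66.10", "LogonProcessName": "Kerberos",
     "LogonType": "3", "TargetLogonId": "0x1a2b3c", "TargetUserName": "svc_backup"},
    {"@timestamp": "2022-04-25T21:10:01.000Z", "event.code": "4697", "host.id": "h1",
     "SubjectLogonId": "0x1a2b3c", "ServiceName": "BackupAgent",
     "ServiceFileName": "C:\\Program Files\\Backup\\agent.exe"},
]

def _ts(e):
    return datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")

def is_local_kerberos_logon(e):
    """Stage 1: Kerberos network logon (type 3) whose source address is loopback,
    i.e. a ticket presented to the local machine rather than by a remote client."""
    return (e["event.code"] == "4624" and e.get("LogonType") == "3"
            and e.get("LogonProcessName") == "Kerberos"
            and e.get("source.ip") == "127.0.0.1")

def find_suspicious_service_creations(events, maxspan=timedelta(minutes=1)):
    """Join a stage-1 logon with a later 4697 on the same host whose SubjectLogonId
    equals the logon's TargetLogonId, within maxspan (assumed window).
    Returns a list of (logon_event, service_event) pairs."""
    ordered = sorted(events, key=_ts)
    pending = {}  # (host.id, logon id) -> stage-1 event awaiting its service install
    hits = []
    for e in ordered:
        if is_local_kerberos_logon(e):
            pending[(e["host.id"], e["TargetLogonId"].lower())] = e
        elif e["event.code"] == "4697":
            key = (e["host.id"], e.get("SubjectLogonId", "").lower())
            logon = pending.get(key)
            if logon is not None and _ts(e) - _ts(logon) <= maxspan:
                hits.append((logon, e))
                del pending[key]  # one service install per matched logon session
    return hits

if __name__ == "__main__":
    for logon, svc in find_suspicious_service_creations(EVENTS):
        print(f"{svc['@timestamp']} service {svc['ServiceName']} installed under local "
              f"Kerberos logon {logon['TargetLogonId']} ({logon['TargetUserName']}): "
              f"{svc['ServiceFileName']}")
```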


Detection Rules

Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security's Detection Engine.

This repository was first announced on Elastic's blog post, Elastic Security opens public detection rules repo. For additional content, see the accompanying webinar, Elastic Security: Introducing the public repository for detection rules.

Overview of this repository

Detection Rules contains more than just static rule files. This repository also contains code for unit testing in Python and integrating with the Detection Engine in Kibana.

| Folder | Description |
|---|---|
| `detection_rules/` | Python module for rule parsing, validating and packaging |
| `etc/` | Miscellaneous files, such as ECS and Beats schemas |
| `kibana/` | Python library for handling the API calls to Kibana and the Detection Engine |
| `kql/` | Python library for parsing and validating Kibana Query Language |
| `rta/` | Red Team Automation code used to emulate attacker techniques, used for rule testing |
| `rules/` | Root directory where rules are stored |
| `tests/` | Python code for unit testing rules |

Getting started

Although rules can be added by manually creating .toml files, we don't recommend it. This repository also contains a Python module that aids rule creation and unit testing. Assuming you have Python 3.8+, run the command below to install the dependencies:

$ pip install -r requirements.txt
Collecting jsl==0.2.4
  Downloading jsl-0.2.4.tar.gz (21 kB)
Collecting jsonschema==3.2.0
  Downloading jsonschema-3.2.0-py2.py3-none-any.whl (56 kB)
     |████████████████████████████████| 56 kB 318 kB/s 
Collecting requests==2.22.0
  Downloading requests-2.22.0-py2.py3-none-any.whl (57 kB)
     |████████████████████████████████| 57 kB 1.2 MB/s 
Collecting Click==7.0
  Downloading Click-7.0-py2.py3-none-any.whl (81 kB)
     |████████████████████████████████| 81 kB 2.6 MB/s 
...

To confirm that everything was properly installed, run with the --help flag:

$  python -m detection_rules --help

Usage: detection_rules [OPTIONS] COMMAND [ARGS]...

  Commands for detection-rules repository.

Options:
  -d, --debug / -n, --no-debug  Print full exception stacktrace on errors
  -h, --help                    Show this message and exit.

Commands:
  create-rule     Create a detection rule.
  dev             Commands for development and management by internal...
  es              Commands for integrating with Elasticsearch.
  import-rules    Import rules from json, toml, or Kibana exported rule...
  kibana          Commands for integrating with Kibana.
  mass-update     Update multiple rules based on eql results.
  normalize-data  Normalize Elasticsearch data timestamps and sort.
  rule-search     Use KQL or EQL to find matching rules.
  test            Run unit tests over all of the rules.
  toml-lint       Cleanup files with some simple toml formatting.
  validate-all    Check if all rules validates against a schema.
  validate-rule   Check if a rule staged in rules dir validates against a...
  view-rule       View an internal rule or specified rule file.

The contribution guide describes how to use the create-rule and test commands to create and test a new rule when contributing to Detection Rules.

For more advanced command line interface (CLI) usage, refer to the CLI guide.

How to contribute

We welcome your contributions to Detection Rules! Before contributing, please familiarize yourself with this repository, its directory structure, and our philosophy about rule creation. When you're ready to contribute, read the contribution guide to learn how we turn detection ideas into production rules and validate with testing.

Licensing

Everything in this repository — rules, code, RTA, etc. — is licensed under the Elastic License v2. These rules are designed to be used in the context of the Detection Engine within the Elastic Security application. If you're using our Elastic Cloud managed service or the default distribution of the Elastic Stack software that includes the full set of free features, you'll get the latest rules the first time you navigate to the detection engine.

Occasionally, we may want to import rules from another repository that already have a license, such as MIT or Apache 2.0. This is welcome, as long as the license permits sublicensing under the Elastic License v2. We keep those license notices in NOTICE.txt and sublicense as the Elastic License v2 with all other rules. We also require contributors to sign a Contributor License Agreement before contributing code to any Elastic repositories.

Questions? Problems? Suggestions?

  • Want to know more about the Detection Engine? Check out the overview in Kibana.
  • This repository includes new and updated rules that have not been released yet. To see the latest set of rules released with the stack, see the Prebuilt rule reference.
  • If you'd like to report a false positive or other type of bug, please create a GitHub issue and check if there's an existing one first.
  • Need help with Detection Rules? Post an issue or ask away in our Security Discuss Forum or the #security-detection-rules channel within Slack workspace.
Description
GreySec Sigma detection rules for SIEM platforms