security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6bdfddac8edea5e327bf28aed7e6dc4a7f701dc6
sigma-rules/rules/windows/credential_access_dcsync_replication_rights.toml
T
Justin Ibarra 6bdfddac8e Expand timestamp override tests (#1907) 
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00

146 lines
7.0 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2022/02/08"
maturity = "production"
updated_date = "2022/03/31"
[rule]
author = ["Elastic"]
description = """
This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync
technique to get credential information of individual accounts or the entire domain, thus compromising the entire
domain.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Credential Access via DCSync"
note = """## Triage and analysis.
### Investigating Active Directory Replication From User Account
Active Directory replication is the process by which the changes that originate on one domain controller are
automatically transferred to other domain controllers that store the same data.
Active Directory data takes the form of objects that have properties, or attributes. Each object is an instance
of an object class, and object classes and their respective attributes are defined in the Active Directory schema.
The values of the attributes define the object, and a change to a value of an attribute must be transferred from
the domain controller on which it occurs to every other domain controller that stores a replica of that object.
Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process
from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used
legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges
to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of
the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused
to grant controlled objects the right to DCsync/Replicate.
More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing).
and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync)
This rule will monitor for Event ID 4662 (Operation was performed on an Active Directory object) and identify events that use the access
mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID
(DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that
use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).
#### Possible investigation steps:
- Identify the account that performed the action.
- Confirm whether the account owner is aware of the operation.
- Investigate other alerts related to the user/host in the last 48 hours.
- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received
the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.
- Investigate which credentials were compromised (e.g. All accounts were replicated or a specific account).
### False Positive Analysis
- This activity should not happen legitimately. Any potential B-TP (Benign True Positive) should be mapped and monitored by the security
team as replication should be done by Domain Controllers only. Any account that performs this activity can put the domain at risk for not
having the same security standards (Long, complex, random passwords that change frequently) as computer accounts, exposing it to credential
cracking attacks (Kerberoasting, brute force, etc.).
### Response and Remediation
- Initiate the incident response process based on the outcome of the triage.
- If specific credentials were compromised:
- Reset the password for the accounts.
- If the entire domain or the `krbtgt` user were compromised:
- Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password
reset (twice) of the `krbtgt` user.
## Config
The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing",
"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml",
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md",
"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync",
"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync",
]
risk_score = 73
rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where event.action == "Directory Service Access" and
event.code == "4662" and winlog.event_data.Properties : (
/* Control Access Rights/Permissions Symbol */
"*DS-Replication-Get-Changes*",
"*DS-Replication-Get-Changes-All*",
"*DS-Replication-Get-Changes-In-Filtered-Set*",
/* Identifying GUID used in ACE */
"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*",
"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*",
"*89e95b76-444d-4c62-991a-0facbeda640c*")
/* The right to perform an operation controlled by an extended access right. */
and winlog.event_data.AccessMask : "0x100" and
not winlog.event_data.SubjectUserName : ("*$", "MSOL_*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
reference = "https://attack.mitre.org/techniques/T1003/"
name = "OS Credential Dumping"
[[rule.threat.technique.subtechnique]]
id = "T1003.006"
reference = "https://attack.mitre.org/techniques/T1003/006/"
name = "DCSync"
[rule.threat.tactic]
id = "TA0006"
reference = "https://attack.mitre.org/tactics/TA0006/"
name = "Credential Access"
Reference in New Issue View Git Blame Copy Permalink