sigma-rules/rules/windows/credential_access_ldap_attributes.toml

[metadata]
creation_date = "2022/11/09"
integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/27"

[rule]
author = ["Elastic"]
description = """
Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as
unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Access to a Sensitive LDAP Attribute"
note = """## Setup

## Setup

The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```
"""
references = [
    "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
    "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136",
]
risk_score = 47
rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.action == "Directory Service Access" and event.code == "4662" and

  not winlog.event_data.SubjectUserSid : "S-1-5-18" and

  winlog.event_data.Properties : (
   /* unixUserPassword */
  "*612cb747-c0e8-4f92-9221-fdd5f15b550d*",

  /* ms-PKI-AccountCredentials */
  "*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*",

  /*  ms-PKI-DPAPIMasterKeys */
  "*b3f93023-9239-4f7c-b99c-6745d87adbc2*",

  /* msPKI-CredentialRoamingTokens */
  "*b7ff5a38-0818-42b0-8110-d3d154c97f24*"
  ) and

  /*
   Excluding noisy AccessMasks
   0x0 undefined and 0x100 Control Access
   https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
   */
  not winlog.event_data.AccessMask in ("0x0", "0x100")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"