Jonhnathan
d017156454
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update test_all_rules.py * Update test_all_rules.py --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
76 lines
2.7 KiB
TOML
76 lines
2.7 KiB
TOML
[metadata]
|
|
creation_date = "2021/12/12"
|
|
integration = ["system", "windows"]
|
|
maturity = "production"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
updated_date = "2023/04/27"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to
|
|
elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security
|
|
vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Potential Privileged Escalation via SamAccountName Spoofing"
|
|
note = """## Setup
|
|
|
|
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
|
|
"""
|
|
references = [
|
|
"https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e",
|
|
"https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/",
|
|
"https://github.com/cube0x0/noPac",
|
|
"https://twitter.com/exploitph/status/1469157138928914432",
|
|
"https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html",
|
|
]
|
|
risk_score = 73
|
|
rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034"
|
|
severity = "high"
|
|
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Privilege Escalation", "Active Directory"]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
iam where event.action == "renamed-user-account" and
|
|
/* machine account name renamed to user like account name */
|
|
winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1078"
|
|
name = "Valid Accounts"
|
|
reference = "https://attack.mitre.org/techniques/T1078/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1078.002"
|
|
name = "Domain Accounts"
|
|
reference = "https://attack.mitre.org/techniques/T1078/002/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0004"
|
|
name = "Privilege Escalation"
|
|
reference = "https://attack.mitre.org/tactics/TA0004/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1098"
|
|
name = "Account Manipulation"
|
|
reference = "https://attack.mitre.org/techniques/T1098/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|
|
|