# Bookkeeping for the rule file itself (dates, maturity, minimum stack version).
# The detection logic lives under [rule].
[metadata]
creation_date = "2022/11/09"
# Integrations this rule is associated with.
integration = ["system", "windows"]
maturity = "production"
# Explains the version floor below: per this note, required_fields,
# related_integrations and setup were added as new fields.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
# Detection rule definition: an EQL rule that alerts on access to Active
# Directory attributes holding credentials or decryption keys.
[rule]
author = ["Elastic"]
# The query in this rule also matches ms-PKI-DPAPIMasterKeys, which the text
# below does not name ("such as" makes the list illustrative, not complete).
description = """
Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as
unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
"""
# Start of the search window for each run: nine minutes before execution time.
from = "now-9m"
# Index patterns the query runs against.
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Access to a Sensitive LDAP Attribute"
# NOTE(review): the query in this rule matches event code 4662, while the
# third link documents event 5136; confirm that link is the intended one.
references = [
    "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
    "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136",
]
risk_score = 47
rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66"
# Prerequisite text for whoever enables the rule: it states that the
# 'Audit Directory Service Access' policy must be on for Success and Failure.
# NOTE(review): Windows writes event 4662 only for objects whose SACL audits
# the access. The text below covers the audit policy only, so confirm SACL
# coverage on the objects that hold the monitored attributes.
setup = """

The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Access (Success,Failure)
```
"""
# Triage labels and execution settings for the rule.
severity = "medium"
# The two "Tactic:" tags match the tactics mapped under [[rule.threat]]:
# Credential Access and Privilege Escalation.
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
# Select events by ingest time instead of the event's own timestamp, so
# events that arrive late are still inside the search window.
timestamp_override = "event.ingested"
type = "eql"
# EQL query. It matches event code 4662 with action "Directory Service Access"
# when winlog.event_data.Properties contains one of four GUIDs, each labelled
# inline with the attribute name it stands for. Two exclusions apply:
#   - SubjectUserSid S-1-5-18 (the well-known Local System SID), so access
#     made as SYSTEM never alerts;
#   - AccessMask exactly "0x0" or "0x100", described inline as noisy, so
#     events with those masks never alert.
# NOTE(review): both exclusions are coverage gaps accepted for noise
# reduction; check them against local telemetry before tuning further.
# The /* */ comments sit inside the string literal, so they are part of the
# query text the rule engine receives.
query = '''
any where event.action == "Directory Service Access" and event.code == "4662" and

not winlog.event_data.SubjectUserSid : "S-1-5-18" and

winlog.event_data.Properties : (
/* unixUserPassword */
"*612cb747-c0e8-4f92-9221-fdd5f15b550d*",

/* ms-PKI-AccountCredentials */
"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*",

/* ms-PKI-DPAPIMasterKeys */
"*b3f93023-9239-4f7c-b99c-6745d87adbc2*",

/* msPKI-CredentialRoamingTokens */
"*b7ff5a38-0818-42b0-8110-d3d154c97f24*"
) and

/*
Excluding noisy AccessMasks
0x0 undefined and 0x100 Control Access
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
*/
not winlog.event_data.AccessMask in ("0x0", "0x100")
'''
# First MITRE ATT&CK mapping: tactic Credential Access (TA0006) with
# techniques T1003 and T1552, the latter narrowed to sub-technique T1552.004.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
# Belongs to the T1552 technique entry directly above.
[[rule.threat.technique.subtechnique]]
id = "T1552.004"
name = "Private Keys"
reference = "https://attack.mitre.org/techniques/T1552/004/"

# Tactic for this mapping entry.
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
# Second MITRE ATT&CK mapping: tactic Privilege Escalation (TA0004) with
# technique T1078, narrowed to sub-technique T1078.002.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
# Belongs to the T1078 technique entry directly above.
[[rule.threat.technique.subtechnique]]
id = "T1078.002"
name = "Domain Accounts"
reference = "https://attack.mitre.org/techniques/T1078/002/"

# Tactic for this mapping entry.
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"