security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fcc8aaaf63ee8f736c4f6478de372c149889337a
sigma-rules/rules/windows/credential_access_dcsync_user_backdoor.toml
T
Jonhnathan f5069763b6 [Rule Tuning] Add System tag to DRs (#3968) 
* [Rule Tuning] Add System tag to DRs

* bump
2024-08-09 11:14:33 -03:00

80 lines
2.7 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2024/07/10"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/08/09"
[rule]
author = ["Elastic"]
description = """
Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a
user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Active Directory Replication Account Backdoor"
note = """## Setup
The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```
"""
references = [
"https://twitter.com/menasec1/status/1111556090137903104",
"https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml",
"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all",
"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes",
"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set"
]
risk_score = 47
rule_id = "f8822053-a5d2-46db-8c96-d460b12c36ac"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and
winlog.event_data.AttributeValue : (
(
*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and
*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and
*89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
reference = "https://attack.mitre.org/techniques/T1003/"
name = "OS Credential Dumping"
[[rule.threat.technique.subtechnique]]
id = "T1003.006"
reference = "https://attack.mitre.org/techniques/T1003/006/"
name = "DCSync"
[rule.threat.tactic]
id = "TA0006"
reference = "https://attack.mitre.org/tactics/TA0006/"
name = "Credential Access"
Reference in New Issue View Git Blame Copy Permalink