active_directory_privilege_escalation_identified.yml
58 lines (58 loc) · 3.99 KB
```yaml
name: Active Directory Privilege Escalation Identified
id: 583e8a68-f2f7-45be-8fc9-bf725f0e22fd
version: 1
date: '2023-05-23'
author: Mauricio Velazco, Splunk
status: production
type: Correlation
data_source: []
description: The primary objective of this correlation rule is to detect and alert on potential privilege escalation activities within an organization's Active Directory (AD) environment. By identifying multiple analytics associated with the Active Directory Privilege Escalation analytic story, security analysts can gain better insight into possible threats and respond accordingly to mitigate risks.
  The correlation rule will trigger an alert when multiple analytics from the Active Directory Privilege Escalation analytic story are detected within a specified time frame.
  The rule will generate an alert if a predetermined threshold of correlated analytics is reached within the specified time frame. This threshold can be customized to suit the needs and risk appetite of the organization.
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Privilege Escalation" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
  | `drop_dm_object_name(All_Risk)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | where source_count >= 4
  | `active_directory_privilege_escalation_identified_filter`'
how_to_implement: Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased as the analytic story includes over 30 analytics. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.
known_false_positives: False positives will most likely be present based on risk scoring and how the organization handles system-to-system communication. Filter or modify as needed. In addition to count by analytics, adding a risk score may be useful. In our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. Your organization will be different; monitor and modify as needed.
references:
- https://attack.mitre.org/tactics/TA0004/
- https://research.splunk.com/stories/active_directory_privilege_escalation/
tags:
  analytic_story:
  - Active Directory Privilege Escalation
  asset_type: Endpoint
  atomic_guid: []
  confidence: 80
  impact: 80
  message: Activity related to privilege escalation has been identified on $risk_object$.
  mitre_attack_id:
  - T1484
  observable:
  - name: risk_object
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - All_Risk.calculated_risk_score
  - All_Risk.annotations.mitre_attack.mitre_tactic_id
  - All_Risk.annotations.mitre_attack.mitre_technique_id
  - All_Risk.tag
  - All_Risk.analyticstories
  - All_Risk.risk_object_type
  - All_Risk.risk_object
  - All_Risk.annotations.mitre_attack.mitre_tactic
  risk_score: 64
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1484/privesc/priv_esc.log
    source: adlm
    sourcetype: stash
```
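To make the correlation logic concrete outside Splunk, the following is an added Python model of what the `tstats` search above computes (it is example code, not part of the security_content rule): events are filtered to the story and to `risk_object_type=system`, grouped by `risk_object`, `risk_object_type` and `mitre_tactic` exactly as the `by` clause does, and a group fires when its distinct-source count reaches the threshold. The `min_risk_score` gate is an assumed extra option reflecting the known_false_positives note; the `detection_*` names and event values are constructed placeholders, not real Splunk detections.

```python
from collections import defaultdict

STORY = "Active Directory Privilege Escalation"
# Tactic id -> tactic name, mirroring the mitre_tactic / mitre_tactic_id annotation pair.
TACTIC_NAMES = {"TA0004": "privilege-escalation", "TA0006": "credential-access", "TA0002": "execution"}

def _ev(t, host, source, score, tactic_id, technique_id, obj_type="system", story=STORY):
    """Builds one event shaped like a Risk.All_Risk row (field names mirror the data model)."""
    return {"_time": t, "risk_object": host, "risk_object_type": obj_type, "source": source,
            "calculated_risk_score": score, "mitre_tactic": TACTIC_NAMES[tactic_id],
            "mitre_tactic_id": tactic_id, "mitre_technique_id": technique_id, "analyticstories": story}

# Constructed sample events; "detection_*" are placeholder source names, not real Splunk detections.
SAMPLE_RISK_EVENTS = [
    _ev(1684800000, "DC01", "detection_a", 25, "TA0004", "T1484"),
    _ev(1684800600, "DC01", "detection_b", 40, "TA0004", "T1484.001"),
    _ev(1684801200, "DC01", "detection_c", 60, "TA0004", "T1078"),
    _ev(1684801800, "DC01", "detection_d", 35, "TA0004", "T1098"),
    _ev(1684802400, "DC01", "detection_a", 25, "TA0004", "T1484"),  # repeat: same source, dc() unchanged
    _ev(1684803000, "DC01", "detection_e", 50, "TA0006", "T1003"),  # different tactic: separate group
    _ev(1684800300, "WS02", "detection_a", 25, "TA0004", "T1484"),
    _ev(1684800900, "WS02", "detection_b", 40, "TA0004", "T1484.001"),
    _ev(1684801000, "jdoe", "detection_c", 60, "TA0004", "T1078", obj_type="user"),  # user object: dropped
    _ev(1684801100, "DC01", "detection_z", 90, "TA0002", "T1059", story="Other Story"),  # other story: dropped
]

def correlate(events, min_source_count=4, min_risk_score=0, story=STORY):
    """Mirror the rule's tstats: keep events of the story with risk_object_type=system, group by
    (risk_object, risk_object_type, mitre_tactic) and alert when dc(source) >= min_source_count.
    min_risk_score is an assumed optional gate, as the known_false_positives note suggests."""
    groups = defaultdict(list)
    for e in events:
        if e["analyticstories"] == story and e["risk_object_type"] == "system":
            groups[(e["risk_object"], e["risk_object_type"], e["mitre_tactic"])].append(e)
    hits = []
    for (host, obj_type, tactic), evs in groups.items():
        summary = {
            "risk_object": host, "risk_object_type": obj_type, "mitre_tactic": tactic,
            "firstTime": min(e["_time"] for e in evs), "lastTime": max(e["_time"] for e in evs),
            "risk_score": sum(e["calculated_risk_score"] for e in evs),
            "risk_event_count": len(evs), "source_count": len({e["source"] for e in evs}),
            "mitre_tactic_id_count": len({e["mitre_tactic_id"] for e in evs}),
            "mitre_technique_id_count": len({e["mitre_technique_id"] for e in evs}),
        }
        if summary["source_count"] >= min_source_count and summary["risk_score"] >= min_risk_score:
            hits.append(summary)
    return hits
```

Note that because the search groups by tactic, DC01's credential-access event does not count toward its privilege-escalation source_count; raising or lowering `min_source_count` changes which hosts fire, as the how_to_implement note describes.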