/
schcache_change_by_app_connect_and_create_adsi_object.yml
67 lines (67 loc) · 2.7 KB
/
schcache_change_by_app_connect_and_create_adsi_object.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
name: SchCache Change By App Connect And Create ADSI Object
id: 991eb510-0fc6-11ec-82d3-acde48001122
version: 1
date: '2021-09-07'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: This analytic is to detect an application try to connect and create ADSI
Object to do LDAP query. Every time an application connects to the directory and
attempts to create an ADSI object, the Active Directory Schema is checked for changes.
If it has changed since the last connection, the schema is downloaded and stored
in a cache on the local computer either in %LOCALAPPDATA%\Microsoft\Windows\SchCache
or %systemroot%\SchCache. We found this a good anomaly use case to detect suspicious
application like blackmatter ransomware that use ADS object api to execute ldap
query. having a good list of ldap or normal AD query tool used within the network
is a good start to reduce the noise.
data_source:
- Sysmon EventID 11
search: '`sysmon` EventCode=11 TargetFilename = "*\\Windows\\SchCache\\*" TargetFilename
= "*.sch*" NOT (Image IN ("*\\Windows\\system32\\mmc.exe")) |stats count min(_time)
as firstTime max(_time) as lastTime by Image TargetFilename EventCode process_id process_name
dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `schcache_change_by_app_connect_and_create_adsi_object_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the process name, parent process, and command-line executions from your
endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the
Sysmon TA.
known_false_positives: normal application like mmc.exe and other ldap query tool may
trigger this detections.
references:
- https://docs.microsoft.com/en-us/windows/win32/adsi/adsi-and-uac
- https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
tags:
analytic_story:
- BlackMatter Ransomware
asset_type: Endpoint
confidence: 50
impact: 50
message: process $Image$ create a file $TargetFilename$ in host $dest$
mitre_attack_id:
- T1087.002
- T1087
observable:
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Image
- TargetFilename
- EventCode
- process_id
- process_name
- dest
risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog