diff --git a/dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml b/dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml new file mode 100644 index 0000000000..b889453c15 --- /dev/null +++ b/dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml 
@@ -0,0 +1,72 @@ +name: Windows Default Group Policy Object Modified with GPME +id: bcb55c13-067b-4648-98f3-627010f72520 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +status: production +type: TTP +description: The following analytic identifies the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain + two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. + The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group + policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs. +data_source: +- Windows Security 4688 +search: + selection1: + process.file.name: + - mmc.exe + process.cmd_line|contains: gpme.msc + selection2: + process.cmd_line|contains: 31B2F340-016D-11D2-945F-00C04FB984F9 + selection3: + process.cmd_line|contains: 6AC1786C-016F-11D2-945F-00C04fB984F9 + condition: selection1 or selection2 or selection3 +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. 
+references: +- https://attack.mitre.org/techniques/T1484/ +- https://attack.mitre.org/techniques/T1484/001 +- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ +- https://adsecurity.org/?p=2716 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11) +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 50 + impact: 100 + message: A default group policy object was opened with Group Policy Manage Editor on $dest$ + mitre_attack_id: + - T1484 + - T1484.001 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: parent_process_name + type: Process + role: + - Parent Process + - name: process_name + type: Process + role: + - Child Process + product: + - Splunk Behavioral Analytics + required_fields: + - process_name + - _time + - dest_device_id + - dest_user_id + - process + risk_score: 50 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/security-4688.log + source: XmlWinEventLog diff --git a/dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml b/dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml new file mode 100644 index 0000000000..c06c90dbfe --- /dev/null +++ b/dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml 
@@ -0,0 +1,64 @@ +name: Windows File Share Discovery With Powerview +id: ec4f671e-c736-4f78-a4c0-8fe809e952e5 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +status: production +type: TTP +description: The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all + active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information + like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them + for Privilege Escalation or Lateral Movement. +data_source: +- Powershell 4104 +search: + selection1: + process.cmd_line|re: 'invoke-sharefinder' + condition: selection1 +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
+known_false_positives: Unknown +references: +- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 +- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ +- https://attack.mitre.org/techniques/T1135/ +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 80 + impact: 60 + message: Invoke-ShareFinder commandlet was executed on $Computer$ + mitre_attack_id: + - T1552 + - T1552.006 + observable: + - name: Computer + type: Hostname + role: + - Victim + - name: UserID + type: User + role: + - Victim + product: + - Splunk Behavioral Analytics + required_fields: + - _time + - EventCode + - ScriptBlockText + - Opcode + - Computer + - UserID + kill_chain_phases: + - Exploitation + risk_score: 48 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log + source: XmlWinEventLog + sourcetype: XmlWinEventLog + update_timestamp: true diff --git a/dev_ssa/endpoint/ssa___windows_findstr_gpp_discovery.yml b/dev_ssa/endpoint/ssa___windows_findstr_gpp_discovery.yml new file mode 100644 index 0000000000..2d95d09f81 --- /dev/null +++ b/dev_ssa/endpoint/ssa___windows_findstr_gpp_discovery.yml 
@@ -0,0 +1,65 @@ +name: Windows Findstr GPP Discovery +id: 73ed0f19-080e-4917-b7c6-56e1760a50d4 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +status: production +type: TTP +description: The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). + GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. + These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). + While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. +data_source: +- Windows Security 4688 +search: + selection1: + process.file.name: + - findstr.exe + process.cmd_line|contains: sysvol + process.cmd_line|contains: cpassword + condition: selection1 +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed. 
+references: +- https://attack.mitre.org/techniques/T1552/006/ +- https://pentestlab.blog/2017/03/20/group-policy-preferences/ +- https://adsecurity.org/?p=2288 +- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ +- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 80 + impact: 70 + message: Findstr was executed to discover GPP credentials on $dest$ + mitre_attack_id: + - T1552 + - T1552.006 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Behavioral Analytics + required_fields: + - process_name + - _time + - dest_device_id + - dest_user_id + - process + risk_score: 56 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log + source: XmlWinEventLog \ No newline at end of file diff --git a/dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml b/dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml new file mode 100644 index 0000000000..00830803d8 --- /dev/null +++ b/dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml 
@@ -0,0 +1,67 @@ +name: Windows PowerSploit GPP Discovery +id: fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +status: production +type: TTP +description: The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). + GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. + These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). + While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. +data_source: +- Powershell 4104 +search: + selection1: + process.cmd_line|re: 'get-gpppassword' + condition: selection1 +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
+known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1552/006/ +- https://pentestlab.blog/2017/03/20/group-policy-preferences/ +- https://adsecurity.org/?p=2288 +- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ +- https://adsecurity.org/?p=2288 +- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 80 + impact: 70 + message: Commandlets leveraged to discover GPP credentials were executed on $Computer$ + mitre_attack_id: + - T1552 + - T1552.006 + observable: + - name: Computer + type: Hostname + role: + - Victim + - name: UserID + type: User + role: + - Victim + product: + - Splunk Behavioral Analytics + required_fields: + - _time + - EventCode + - ScriptBlockText + - Opcode + - Computer + - UserID + kill_chain_phases: + - Exploitation + risk_score: 56 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log + source: XmlWinEventLog + sourcetype: XmlWinEventLog + update_timestamp: true diff --git a/dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml b/dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml new file mode 100644 index 0000000000..93e9ac8b43 --- /dev/null +++ b/dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml 
@@ -0,0 +1,64 @@ +name: Windows PowerView AD Access Control List Enumeration +id: 2b301d6c-0527-4dbd-8d2d-5345bc4be0cf +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +status: production +type: TTP +description: The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets + are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within + the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex + and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged + by attackers to identify and exploit configuration weaknesses. +data_source: +- Powershell 4104 +search: + selection1: + process.cmd_line|re: 'get-objectacl' + selection2: + process.cmd_line|re: 'get-domainobjectacl' + condition: selection1 or selection2 +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. 
+references: +- https://attack.mitre.org/techniques/T1078/002/ +- https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89 +- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces +- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/ +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 50 + impact: 40 + message: PowerView AD acccess control list enumeration detected on $Computer$ + mitre_attack_id: + - T1078.002 + - T1069 + observable: + - name: Computer + type: Hostname + role: + - Victim + product: + - Splunk Behavioral Analytics + required_fields: + - _time + - EventCode + - ScriptBlockText + - Opcode + - Computer + - UserID + kill_chain_phases: + - Exploitation + risk_score: 20 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log + source: XmlWinEventLog + sourcetype: XmlWinEventLog + update_timestamp: true diff --git a/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml b/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml new file mode 100644 index 0000000000..a5e83f1ed2 --- /dev/null +++ b/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml 
@@ -0,0 +1,128 @@ +name: Windows Default Group Policy Object Modified with GPME +id: bcb55c13-067b-4648-98f3-627010f72520 +version: 1 +description: The following analytic identifies the potential edition of a default + Group Policy Object. A fresh installation of an Active Directory network will typically + contain two default group policy objects `Default Domain Controllers Policy` and + `Default Domain Policy`. The default domain controllers policy is used to enforce + and set policies to all the domain controllers within the domain environment. The + default domain policy is linked to all users and computers by default. An adversary + who has obtained privileged access to an Active Directory network may modify the + default group policy objects to obtain further access, deploy persistence or execute + malware across a large number of hosts. Security teams should monitor the edition + of the default GPOs. +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), + "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", + null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) + | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval + actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), + "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), + "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", + null) | eval 
actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), + "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), + "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", + null) | where (process_file_name="mmc.exe" AND like(process_cmd_line, "%gpme.msc%")) + OR like(process_cmd_line, "%31B2F340-016D-11D2-945F-00C04FB984F9%") OR like(process_cmd_line, + "%6AC1786C-016F-11D2-945F-00C04fB984F9%") + | eval body=create_map( + "devices", [ + create_map( + "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) + ) + ], + "time", timestamp, + "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), + "message", concat("Windows Default Group Policy Object Modified with GPME has been triggered on ", device_hostname, " by ", actor_user_name, "."), + "users", [ + create_map( + "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) + ) + ], + "activity_id", 1, + "category_uid", 2, + "class_uid", 102001, + "risk_level_id", 2, + "risk_score", 50, + "severity_id", 0, + "rule", create_map("name", "Windows Default Group Policy Object Modified with GPME", "uid", "bcb55c13-067b-4648-98f3-627010f72520", "type", "Streaming"), + "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), + "type_uid", 10200101, + "start_time", 
timestamp, + "end_time", timestamp + ) + | into write_ba_finding_events();' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: The default Group Policy Objects within an AD network may be + legitimately updated for administrative operations, filter as needed. +references: +- https://attack.mitre.org/techniques/T1484/ +- https://attack.mitre.org/techniques/T1484/001 +- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ +- https://adsecurity.org/?p=2716 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11) +tags: + required_fields: + - process.pid + - process.file.path + - process.file.name + - process.cmd_line + - actor.user.name + - actor.process.pid + - actor.process.file.path + - actor.process.file.name + - device.hostname + risk_score: 50 + security_domain: endpoint + risk_severity: medium + research_site_url: https://research.splunk.com/endpoint/bcb55c13-067b-4648-98f3-627010f72520/ + event_schema: ocsf + mappings: + - ocsf: process.pid + cim: process_id + - ocsf: process.file.path + cim: process_path + - ocsf: process.file.name + cim: process_name + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.name + cim: user + - ocsf: actor.process.pid + cim: parent_process_id + - ocsf: actor.process.file.path + cim: parent_process_path + - ocsf: actor.process.file.name + cim: parent_process_name + - ocsf: device.hostname + cim: dest + annotations: + analytic_story: + - Active Directory Privilege Escalation + cis20: + - CIS 10 + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1484 + - T1484.001 + nist: + - DE.CM +test: + name: Windows Default Group Policy Object Modified with GPME Unit Test + tests: + - name: Windows Default Group 
Policy Object Modified with GPME + attack_data: + - file_name: security-4688.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/security-4688.log + source: XmlWinEventLog +runtime: SPL-DSP diff --git a/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml b/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml new file mode 100644 index 0000000000..7210a61325 --- /dev/null +++ b/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml 
@@ -0,0 +1,101 @@ +name: Windows File Share Discovery With Powerview +id: ec4f671e-c736-4f78-a4c0-8fe809e952e5 +version: 1 +description: The following analytic identifies the use of the Invoke-ShareFinder PowerShell + commandlet part of PowerView. This module obtains the list of all active domain + computers and lists the active shares on each computer. Network file shares in Active + Directory environments may contain sensitive information like backups, scripts, + credentials, etc. Adversaries who have obtained a foothold in an AD network may + leverage PowerView to identify secrets and leverage them for Privilege Escalation + or Lateral Movement. +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), + "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", + null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) + | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), + "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", + null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | + eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, + /(?i)invoke-sharefinder/)=true + | eval body=create_map( + "devices", [ + create_map( + "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) + ) + ], + "time", timestamp, + "evidence", create_map("device.hostname", device_hostname, "process.file.path", process_file_path, "process.uid", process_uid, 
"process.cmd_line", process_cmd_line, "actor.user.uid", actor_user_uid), + "message", concat("Windows File Share Discovery With Powerview has been triggered on ", device_hostname, " by ", "Unknown", "."), + "users", [ + create_map( + "name", "Unknown", "uid", ucast(map_get(actor_user,"uid"), "string", null) + ) + ], + "activity_id", 1, + "category_uid", 2, + "class_uid", 102001, + "risk_level_id", 2, + "risk_score", 48, + "severity_id", 0, + "rule", create_map("name", "Windows File Share Discovery With Powerview", "uid", "ec4f671e-c736-4f78-a4c0-8fe809e952e5", "type", "Streaming"), + "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), + "type_uid", 10200101, + "start_time", timestamp, + "end_time", timestamp + ) + | into write_ba_finding_events();' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
+known_false_positives: Unknown +references: +- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 +- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ +- https://attack.mitre.org/techniques/T1135/ +tags: + required_fields: + - device.hostname + - process.file.path + - process.uid + - process.cmd_line + - actor.user.uid + risk_score: 48 + security_domain: endpoint + risk_severity: low + research_site_url: https://research.splunk.com/endpoint/ec4f671e-c736-4f78-a4c0-8fe809e952e5/ + event_schema: ocsf + mappings: + - ocsf: device.hostname + cim: dest + - ocsf: process.file.path + cim: process_path + - ocsf: process.uid + cim: process_id + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.uid + cim: user_id + annotations: + analytic_story: + - Active Directory Privilege Escalation + cis20: + - CIS 10 + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1552 + - T1552.006 + nist: + - DE.CM +test: + name: Windows File Share Discovery With Powerview Unit Test + tests: + - name: Windows File Share Discovery With Powerview + attack_data: + - file_name: windows-powershell.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log + source: XmlWinEventLog +runtime: SPL-DSP diff --git a/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml b/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml new file mode 100644 index 0000000000..a0c8df7164 --- /dev/null +++ b/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml 
@@ -0,0 +1,125 @@ +name: Windows Findstr GPP Discovery +id: 73ed0f19-080e-4917-b7c6-56e1760a50d4 +version: 1 +description: The following analytic identifies the use of the findstr command employed + to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools + that allow administrators to create domain policies with embedded credentials. These + policies allow administrators to set local accounts. These group policies are stored + in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL + share and decrypt the password (using the AES key that has been made public). While + Microsoft released a patch that impedes Administrators to create unsecure credentials, + existing Group Policy Preferences files with passwords are not removed from SYSVOL. +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), + "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", + null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) + | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval + actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), + "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), + "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", + null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), + "string", 
null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), + "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", + null) | where process_file_name="findstr.exe" AND like(process_cmd_line, "%cpassword%") + + | eval body=create_map( + "devices", [ + create_map( + "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) + ) + ], + "time", timestamp, + "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), + "message", concat("Windows Findstr GPP Discovery has been triggered on ", device_hostname, " by ", actor_user_name, "."), + "users", [ + create_map( + "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) + ) + ], + "activity_id", 1, + "category_uid", 2, + "class_uid", 102001, + "risk_level_id", 2, + "risk_score", 56, + "severity_id", 0, + "rule", create_map("name", "Windows Findstr GPP Discovery", "uid", "73ed0f19-080e-4917-b7c6-56e1760a50d4", "type", "Streaming"), + "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), + "type_uid", 10200101, + "start_time", timestamp, + "end_time", timestamp + ) + | into write_ba_finding_events();' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. 
+known_false_positives: Administrators may leverage findstr to find passwords in GPO + to validate exposure. Filter as needed. +references: +- https://attack.mitre.org/techniques/T1552/006/ +- https://pentestlab.blog/2017/03/20/group-policy-preferences/ +- https://adsecurity.org/?p=2288 +- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ +- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 +tags: + required_fields: + - process.pid + - process.file.path + - process.file.name + - process.cmd_line + - actor.user.name + - actor.process.pid + - actor.process.file.path + - actor.process.file.name + - device.hostname + risk_score: 56 + security_domain: endpoint + risk_severity: medium + research_site_url: https://research.splunk.com/endpoint/73ed0f19-080e-4917-b7c6-56e1760a50d4/ + event_schema: ocsf + mappings: + - ocsf: process.pid + cim: process_id + - ocsf: process.file.path + cim: process_path + - ocsf: process.file.name + cim: process_name + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.name + cim: user + - ocsf: actor.process.pid + cim: parent_process_id + - ocsf: actor.process.file.path + cim: parent_process_path + - ocsf: actor.process.file.name + cim: parent_process_name + - ocsf: device.hostname + cim: dest + annotations: + analytic_story: + - Active Directory Privilege Escalation + cis20: + - CIS 10 + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1552 + - T1552.006 + nist: + - DE.CM +test: + name: Windows Findstr GPP Discovery Unit Test + tests: + - name: Windows Findstr GPP Discovery + attack_data: + - file_name: windows-4688.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log + source: XmlWinEventLog +runtime: SPL-DSP 
diff --git a/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml b/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml new file mode 100644 index 0000000000..71ca37b2d3 --- /dev/null +++ b/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml 
@@ -0,0 +1,106 @@ +name: Windows PowerSploit GPP Discovery +id: fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2 +version: 1 +description: The following analytic identifies the use of the Get-GPPPassword PowerShell + commandlet employed to search for unsecured credentials Group Policy Preferences + (GPP). GPP are tools that allow administrators to create domain policies with embedded + credentials. These policies allow administrators to set local accounts. These group + policies are stored in SYSVOL on a domain controller. This means that any domain + user can view the SYSVOL share and decrypt the password (using the AES key that + has been made public). While Microsoft released a patch that impedes Administrators + to create unsecure credentials, existing Group Policy Preferences files with passwords + are not removed from SYSVOL. +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), + "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", + null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) + | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), + "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", + null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | + eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, + /(?i)get-gpppassword/)=true + | eval body=create_map( + "devices", [ + create_map( + "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) 
+ ) + ], + "time", timestamp, + "evidence", create_map("device.hostname", device_hostname, "process.file.path", process_file_path, "process.uid", process_uid, "process.cmd_line", process_cmd_line, "actor.user.uid", actor_user_uid), + "message", concat("Windows PowerSploit GPP Discovery has been triggered on ", device_hostname, " by ", "Unknown", "."), + "users", [ + create_map( + "name", "Unknown", "uid", ucast(map_get(actor_user,"uid"), "string", null) + ) + ], + "activity_id", 1, + "category_uid", 2, + "class_uid", 102001, + "risk_level_id", 2, + "risk_score", 56, + "severity_id", 0, + "rule", create_map("name", "Windows PowerSploit GPP Discovery", "uid", "fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2", "type", "Streaming"), + "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), + "type_uid", 10200101, + "start_time", timestamp, + "end_time", timestamp + ) + | into write_ba_finding_events();' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
+known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1552/006/ +- https://pentestlab.blog/2017/03/20/group-policy-preferences/ +- https://adsecurity.org/?p=2288 +- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ +- https://adsecurity.org/?p=2288 +- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 +tags: + required_fields: + - device.hostname + - process.file.path + - process.uid + - process.cmd_line + - actor.user.uid + risk_score: 56 + security_domain: endpoint + risk_severity: medium + research_site_url: https://research.splunk.com/endpoint/fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2/ + event_schema: ocsf + mappings: + - ocsf: device.hostname + cim: dest + - ocsf: process.file.path + cim: process_path + - ocsf: process.uid + cim: process_id + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.uid + cim: user_id + annotations: + analytic_story: + - Active Directory Privilege Escalation + cis20: + - CIS 10 + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1552 + - T1552.006 + nist: + - DE.CM +test: + name: Windows PowerSploit GPP Discovery Unit Test + tests: + - name: Windows PowerSploit GPP Discovery + attack_data: + - file_name: win-powershell.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log + source: XmlWinEventLog +runtime: SPL-DSP diff --git a/dist/ssa/srs/ssa___windows_powerview_ad_access_control_list_enumeration.yml b/dist/ssa/srs/ssa___windows_powerview_ad_access_control_list_enumeration.yml new file mode 100644 index 0000000000..14986a2e6a --- /dev/null +++ b/dist/ssa/srs/ssa___windows_powerview_ad_access_control_list_enumeration.yml 
@@ -0,0 +1,109 @@ +name: Windows PowerView AD Access Control List Enumeration +id: 2b301d6c-0527-4dbd-8d2d-5345bc4be0cf +version: 1 +description: The following analytic leverages Event ID 4104 to identify the execution + of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. + This commandlets are used to enumerate Access Control List permissions given to + Active Directory objects. In an active directory environment, an object is an entity + that represents an available resource within the organizations network, such as + domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory + permissions is complicated and hard to manage, especially in complex and large environments + with multiple domains. Weak permissions may allow adversaries and red teamers to + escalate their privileges in Active Directory. PowerView is a common tool leveraged + by attackers to identify and exploit configuration weaknesses. +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), + "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", + null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) + | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), + "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", + null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | + eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, + /(?i)get-objectacl/)=true OR 
match_regex(process_cmd_line, /(?i)get-domainobjectacl/)=true + + | eval body=create_map( + "devices", [ + create_map( + "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) + ) + ], + "time", timestamp, + "evidence", create_map("device.hostname", device_hostname, "process.file.path", process_file_path, "process.uid", process_uid, "process.cmd_line", process_cmd_line, "actor.user.uid", actor_user_uid), + "message", concat("Windows PowerView AD Access Control List Enumeration has been triggered on ", device_hostname, " by ", "Unknown", "."), + "users", [ + create_map( + "name", "Unknown", "uid", ucast(map_get(actor_user,"uid"), "string", null) + ) + ], + "activity_id", 1, + "category_uid", 2, + "class_uid", 102001, + "risk_level_id", 1, + "risk_score", 20, + "severity_id", 0, + "rule", create_map("name", "Windows PowerView AD Access Control List Enumeration", "uid", "2b301d6c-0527-4dbd-8d2d-5345bc4be0cf", "type", "Streaming"), + "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), + "type_uid", 10200101, + "start_time", timestamp, + "end_time", timestamp + ) + | into write_ba_finding_events();' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. 
+references: +- https://attack.mitre.org/techniques/T1078/002/ +- https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89 +- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces +- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/ +tags: + required_fields: + - device.hostname + - process.file.path + - process.uid + - process.cmd_line + - actor.user.uid + risk_score: 20 + security_domain: endpoint + risk_severity: low + research_site_url: https://research.splunk.com/endpoint/2b301d6c-0527-4dbd-8d2d-5345bc4be0cf/ + event_schema: ocsf + mappings: + - ocsf: device.hostname + cim: dest + - ocsf: process.file.path + cim: process_path + - ocsf: process.uid + cim: process_id + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.uid + cim: user_id + annotations: + analytic_story: + - Active Directory Privilege Escalation + cis20: + - CIS 10 + kill_chain_phases: + - Exploitation + - Delivery + - Installation + mitre_attack_id: + - T1078.002 + - T1069 + nist: + - DE.CM +test: + name: Windows PowerView AD Access Control List Enumeration Unit Test + tests: + - name: Windows PowerView AD Access Control List Enumeration + attack_data: + - file_name: windows-powershell.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log + source: XmlWinEventLog +runtime: SPL-DSP diff --git a/ssa_detections/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml b/ssa_detections/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml new file mode 100644 index 0000000000..97b6acf6b2 --- /dev/null +++ b/ssa_detections/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml 
@@ -0,0 +1,119 @@ +name: Windows Default Group Policy Object Modified with GPME +id: bcb55c13-067b-4648-98f3-627010f72520 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +type: TTP +status: production +description: The following analytic identifies the potential edition of a default + Group Policy Object. A fresh installation of an Active Directory network will typically + contain two default group policy objects `Default Domain Controllers Policy` and + `Default Domain Policy`. The default domain controllers policy is used to enforce + and set policies to all the domain controllers within the domain environment. The + default domain policy is linked to all users and computers by default. An adversary + who has obtained privileged access to an Active Directory network may modify the + default group policy objects to obtain further access, deploy persistence or execute + malware across a large number of hosts. Security teams should monitor the edition + of the default GPOs. 
+data_source: +- Windows Security 4688 +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), + "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", + null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) + | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval + actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), + "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), + "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", + null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), + "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), + "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", + null) | where (process_file_name="mmc.exe" AND like(process_cmd_line, "%gpme.msc%")) + OR like(process_cmd_line, "%31B2F340-016D-11D2-945F-00C04FB984F9%") OR like(process_cmd_line, + "%6AC1786C-016F-11D2-945F-00C04fB984F9%") --finding_report--' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. 
+known_false_positives: The default Group Policy Objects within an AD network may be + legitimately updated for administrative operations, filter as needed. +references: +- https://attack.mitre.org/techniques/T1484/ +- https://attack.mitre.org/techniques/T1484/001 +- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ +- https://adsecurity.org/?p=2716 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11) +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 50 + impact: 100 + message: A default group policy object was opened with Group Policy Manage Editor + on $dest$ + mitre_attack_id: + - T1484 + - T1484.001 + observable: + - name: process.pid + type: Other + - name: process.file.path + type: File + - name: process.file.name + type: File + - name: process.cmd_line + type: Other + - name: actor.user.name + type: User Name + - name: actor.process.pid + type: Other + - name: actor.process.file.path + type: File Name + - name: actor.process.file.name + type: File Name + - name: device.hostname + type: Hostname + product: + - Splunk Behavioral Analytics + required_fields: + - process.pid + - process.file.path + - process.file.name + - process.cmd_line + - actor.user.name + - actor.process.pid + - actor.process.file.path + - actor.process.file.name + - device.hostname + risk_score: 50 + security_domain: endpoint + mappings: + - ocsf: process.pid + cim: process_id + - ocsf: process.file.path + cim: process_path + - ocsf: process.file.name + cim: process_name + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.name + cim: user + - ocsf: actor.process.pid + cim: parent_process_id + - ocsf: actor.process.file.path + cim: parent_process_path + - ocsf: actor.process.file.name + cim: parent_process_name + - ocsf: device.hostname + cim: dest +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/security-4688.log + source: XmlWinEventLog diff --git a/ssa_detections/endpoint/ssa___windows_file_share_discovery_with_powerview.yml b/ssa_detections/endpoint/ssa___windows_file_share_discovery_with_powerview.yml new file mode 100644 index 0000000000..9fc3a90784 --- /dev/null +++ b/ssa_detections/endpoint/ssa___windows_file_share_discovery_with_powerview.yml 
@@ -0,0 +1,84 @@ +name: Windows File Share Discovery With Powerview +id: ec4f671e-c736-4f78-a4c0-8fe809e952e5 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +type: TTP +status: production +description: The following analytic identifies the use of the Invoke-ShareFinder PowerShell + commandlet part of PowerView. This module obtains the list of all active domain + computers and lists the active shares on each computer. Network file shares in Active + Directory environments may contain sensitive information like backups, scripts, + credentials, etc. Adversaries who have obtained a foothold in an AD network may + leverage PowerView to identify secrets and leverage them for Privilege Escalation + or Lateral Movement. +data_source: +- Powershell 4104 +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), + "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", + null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) + | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), + "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", + null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | + eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, + /(?i)invoke-sharefinder/)=true --finding_report--' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. 
Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Unknown +references: +- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 +- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ +- https://attack.mitre.org/techniques/T1135/ +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 80 + impact: 60 + message: Invoke-ShareFinder commandlet was executed on $Computer$ + mitre_attack_id: + - T1552 + - T1552.006 + observable: + - name: device.hostname + type: Hostname + - name: process.file.path + type: File + - name: process.uid + type: Other + - name: process.cmd_line + type: Other + - name: actor.user.uid + type: Other + product: + - Splunk Behavioral Analytics + required_fields: + - device.hostname + - process.file.path + - process.uid + - process.cmd_line + - actor.user.uid + risk_score: 48 + security_domain: endpoint + mappings: + - ocsf: device.hostname + cim: dest + - ocsf: process.file.path + cim: process_path + - ocsf: process.uid + cim: process_id + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.uid + cim: user_id +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log + source: XmlWinEventLog + sourcetype: XmlWinEventLog diff --git a/ssa_detections/endpoint/ssa___windows_findstr_gpp_discovery.yml b/ssa_detections/endpoint/ssa___windows_findstr_gpp_discovery.yml new file mode 100644 index 0000000000..9a807b25d7 --- /dev/null +++ b/ssa_detections/endpoint/ssa___windows_findstr_gpp_discovery.yml 
@@ -0,0 +1,115 @@ +name: Windows Findstr GPP Discovery +id: 73ed0f19-080e-4917-b7c6-56e1760a50d4 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +type: TTP +status: production +description: The following analytic identifies the use of the findstr command employed + to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools + that allow administrators to create domain policies with embedded credentials. These + policies allow administrators to set local accounts. These group policies are stored + in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL + share and decrypt the password (using the AES key that has been made public). While + Microsoft released a patch that impedes Administrators to create unsecure credentials, + existing Group Policy Preferences files with passwords are not removed from SYSVOL. +data_source: +- Windows Security 4688 +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), + "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", + null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) + | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval + actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), + "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), + "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", + null) | eval 
actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), + "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), + "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", + null) | where process_file_name="findstr.exe" AND like(process_cmd_line, "%cpassword%") + --finding_report--' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: Administrators may leverage findstr to find passwords in GPO + to validate exposure. Filter as needed. +references: +- https://attack.mitre.org/techniques/T1552/006/ +- https://pentestlab.blog/2017/03/20/group-policy-preferences/ +- https://adsecurity.org/?p=2288 +- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ +- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 80 + impact: 70 + message: Findstr was executed to discover GPP credentials on $dest$ + mitre_attack_id: + - T1552 + - T1552.006 + observable: + - name: process.pid + type: Other + - name: process.file.path + type: File + - name: process.file.name + type: File + - name: process.cmd_line + type: Other + - name: actor.user.name + type: User Name + - name: actor.process.pid + type: Other + - name: actor.process.file.path + type: File Name + - name: actor.process.file.name + type: File Name + - name: device.hostname + type: Hostname + product: + - Splunk Behavioral Analytics + 
required_fields: + - process.pid + - process.file.path + - process.file.name + - process.cmd_line + - actor.user.name + - actor.process.pid + - actor.process.file.path + - actor.process.file.name + - device.hostname + risk_score: 56 + security_domain: endpoint + mappings: + - ocsf: process.pid + cim: process_id + - ocsf: process.file.path + cim: process_path + - ocsf: process.file.name + cim: process_name + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.name + cim: user + - ocsf: actor.process.pid + cim: parent_process_id + - ocsf: actor.process.file.path + cim: parent_process_path + - ocsf: actor.process.file.name + cim: parent_process_name + - ocsf: device.hostname + cim: dest +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log + source: XmlWinEventLog diff --git a/ssa_detections/endpoint/ssa___windows_powersploit_gpp_discovery.yml b/ssa_detections/endpoint/ssa___windows_powersploit_gpp_discovery.yml new file mode 100644 index 0000000000..7c904bfeaa --- /dev/null +++ b/ssa_detections/endpoint/ssa___windows_powersploit_gpp_discovery.yml 
@@ -0,0 +1,89 @@ +name: Windows PowerSploit GPP Discovery +id: fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +type: TTP +status: production +description: The following analytic identifies the use of the Get-GPPPassword PowerShell + commandlet employed to search for unsecured credentials Group Policy Preferences + (GPP). GPP are tools that allow administrators to create domain policies with embedded + credentials. These policies allow administrators to set local accounts. These group + policies are stored in SYSVOL on a domain controller. This means that any domain + user can view the SYSVOL share and decrypt the password (using the AES key that + has been made public). While Microsoft released a patch that impedes Administrators + to create unsecure credentials, existing Group Policy Preferences files with passwords + are not removed from SYSVOL. +data_source: +- Powershell 4104 +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), + "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", + null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) + | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), + "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", + null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | + eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, + /(?i)get-gpppassword/)=true --finding_report--' 
+how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1552/006/ +- https://pentestlab.blog/2017/03/20/group-policy-preferences/ +- https://adsecurity.org/?p=2288 +- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ +- https://adsecurity.org/?p=2288 +- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 80 + impact: 70 + message: Commandlets leveraged to discover GPP credentials were executed on $Computer$ + mitre_attack_id: + - T1552 + - T1552.006 + observable: + - name: device.hostname + type: Hostname + - name: process.file.path + type: File + - name: process.uid + type: Other + - name: process.cmd_line + type: Other + - name: actor.user.uid + type: Other + product: + - Splunk Behavioral Analytics + required_fields: + - device.hostname + - process.file.path + - process.uid + - process.cmd_line + - actor.user.uid + risk_score: 56 + security_domain: endpoint + mappings: + - ocsf: device.hostname + cim: dest + - ocsf: process.file.path + cim: process_path + - ocsf: process.uid + cim: process_id + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.uid + cim: user_id +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log + source: XmlWinEventLog + sourcetype: XmlWinEventLog 
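Review bot: in `ssa_detections/endpoint/ssa___windows_powersploit_gpp_discovery.yml`, `references` lists `https://adsecurity.org/?p=2288` twice; remove the duplicate. `known_false_positives: Unknown` could mirror the findstr analytic in this change, which notes that administrators may run the same search to validate exposure. Minor: `message` interpolates `$Computer$` while the only host field in `observable`/`required_fields` is `device.hostname` (the GPME and findstr analytics use `$dest$`), and the `tests` entry sets both `source` and `sourcetype: XmlWinEventLog` whereas the GPME and findstr tests set only `source`; align these across the four files.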
diff --git a/ssa_detections/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml b/ssa_detections/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml new file mode 100644 index 0000000000..746b0f137e --- /dev/null +++ b/ssa_detections/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml 
@@ -0,0 +1,90 @@ +name: Windows PowerView AD Access Control List Enumeration +id: 2b301d6c-0527-4dbd-8d2d-5345bc4be0cf +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +type: TTP +status: production +description: The following analytic leverages Event ID 4104 to identify the execution + of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. + This commandlets are used to enumerate Access Control List permissions given to + Active Directory objects. In an active directory environment, an object is an entity + that represents an available resource within the organizations network, such as + domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory + permissions is complicated and hard to manage, especially in complex and large environments + with multiple domains. Weak permissions may allow adversaries and red teamers to + escalate their privileges in Active Directory. PowerView is a common tool leveraged + by attackers to identify and exploit configuration weaknesses. 
+data_source: +- Powershell 4104 +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), + "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", + null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) + | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), + "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", + null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | + eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, + /(?i)get-objectacl/)=true OR match_regex(process_cmd_line, /(?i)get-domainobjectacl/)=true + --finding_report--' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. 
+references: +- https://attack.mitre.org/techniques/T1078/002/ +- https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89 +- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces +- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/ +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 50 + impact: 40 + message: PowerView AD acccess control list enumeration detected on $Computer$ + mitre_attack_id: + - T1078.002 + - T1069 + observable: + - name: device.hostname + type: Hostname + - name: process.file.path + type: File + - name: process.uid + type: Other + - name: process.cmd_line + type: Other + - name: actor.user.uid + type: Other + product: + - Splunk Behavioral Analytics + required_fields: + - device.hostname + - process.file.path + - process.uid + - process.cmd_line + - actor.user.uid + risk_score: 20 + security_domain: endpoint + mappings: + - ocsf: device.hostname + cim: dest + - ocsf: process.file.path + cim: process_path + - ocsf: process.uid + cim: process_id + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.uid + cim: user_id +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log + source: XmlWinEventLog + sourcetype: XmlWinEventLog
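Review bot: in `dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml`, `references` contains `https://adsecurity.org/?p=2288` twice; drop the duplicate. `known_false_positives: Unknown` is also weaker than the sibling findstr analytic, which documents administrators validating GPP exposure; the same audit-driven use of `Get-GPPPassword` is a plausible benign case and could be stated here.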
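Review bot: in `dist/ssa/srs/ssa___windows_powerview_ad_access_control_list_enumeration.yml`, `kill_chain_phases` lists `Delivery` and `Installation` alongside `Exploitation` for an analytic that only detects ACL enumeration; those two phases do not match the described behaviour and should be trimmed. Likewise `mitre_attack_id` maps to `T1078.002` (Valid Accounts: Domain Accounts), a technique about using an account rather than enumerating permissions; `T1069` is already listed and is the closer fit, so reconsider keeping T1078.002 (note the test dataset path also sits under `attack_techniques/T1078.002/`, so both would move together).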
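Review bot: in `ssa_detections/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml`, the `where` clause only constrains `process_file_name="mmc.exe"` on the `gpme.msc` branch; the two `OR like(process_cmd_line, "%<GUID>%")` branches fire on any process whose command line contains a default-GPO GUID, which is broader than the name "Modified with GPME" and the description suggest. Either scope the GUID branches to `mmc.exe` as well, or widen the description and `known_false_positives` to cover scripts and tools that reference a default GPO by GUID. Minor: `message` reads "Group Policy Manage Editor" (should be "Management Editor") and interpolates `$dest$` while the only host field in `observable`/`required_fields` is `device.hostname`; and `actor.process.file.path` is typed `File Name` while `process.file.path` is typed `File`.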
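Review bot: in `ssa_detections/endpoint/ssa___windows_file_share_discovery_with_powerview.yml`, `mitre_attack_id` is `T1552`/`T1552.006` (Unsecured Credentials: Group Policy Preferences), but the analytic detects `Invoke-ShareFinder`, the `references` cite `https://attack.mitre.org/techniques/T1135/`, and the test dataset lives under `attack_techniques/T1135/`; the mapping looks copied from the GPP analytic and should be `T1135` (Network Share Discovery). `message` also uses `$Computer$` while the declared host observable is `device.hostname`; confirm the token resolves, or align it with the `$dest$` used by the GPME and findstr analytics in this change.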
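Review bot: in `ssa_detections/endpoint/ssa___windows_findstr_gpp_discovery.yml`, `message` interpolates `$dest$`, but `dest` appears only as a CIM mapping target under `mappings`; the declared `observable`/`required_fields` host field is `device.hostname`, so confirm the placeholder resolves in SSA or reference the OCSF field. The `observable` typing is inconsistent too: `actor.process.file.path` is `File Name` while `process.file.path` is `File`. Finally, `like(process_cmd_line, "%cpassword%")` is a case-sensitive comparison, unlike the `(?i)` regexes used by the PowerShell analytics in this change; lowercasing the field first would keep the analytics consistent.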
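Review bot: in `ssa_detections/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml`, `message` has a typo ("acccess") and uses the `$Computer$` token while the declared host field is `device.hostname`. `mitre_attack_id` maps to `T1078.002` (Valid Accounts: Domain Accounts), which describes using an account rather than enumerating object ACLs; `T1069` is the closer of the two listed, and the test dataset path under `attack_techniques/T1078.002/` would need to move if the mapping changes.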