From cd064d00b5359ac6e17f9d094109d460bba4cfd6 Mon Sep 17 00:00:00 2001 From: mvelazco Date: Wed, 3 May 2023 15:54:54 -0400 Subject: [PATCH 1/3] adding new SRS detections --- ...group_policy_object_modified_with_gpme.yml | 72 +++++++++++++++++++ ...ws_file_share_discovery_with_powerview.yml | 66 +++++++++++++++++ .../ssa___windows_findstr_gpp_discovery.yml | 65 +++++++++++++++++ ...sa___windows_powersploit_gpp_discovery.yml | 71 ++++++++++++++++++ ...iew_ad_access_control_list_enumeration.yml | 64 +++++++++++++++++ 5 files changed, 338 insertions(+) create mode 100644 dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml create mode 100644 dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml create mode 100644 dev_ssa/endpoint/ssa___windows_findstr_gpp_discovery.yml create mode 100644 dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml create mode 100644 dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml diff --git a/dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml b/dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml new file mode 100644 index 0000000000..aaccf47fdd --- /dev/null +++ b/dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml 
@@ -0,0 +1,72 @@ +name: Windows Default Group Policy Object Modified with GPME +id: bcb55c13-067b-4648-98f3-627010f72520 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +status: production +type: TTP +description: The following analytic identifies the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain + two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment. + The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group + policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs. +data_source: +- Windows Security 4688 +search: + selection1: + process_name: + - mmc.exe + process|contains: gpme.msc + selection2: + process|contains: 31B2F340-016D-11D2-945F-00C04FB984F9 + selection3: + process|contains: 6AC1786C-016F-11D2-945F-00C04fB984F9 + condition: selection1 or selection2 or selection3 +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed. 
+references: +- https://attack.mitre.org/techniques/T1484/ +- https://attack.mitre.org/techniques/T1484/001 +- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ +- https://adsecurity.org/?p=2716 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11) +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 50 + impact: 100 + message: A default group policy object was opened with Group Policy Manage Editor on $dest$ + mitre_attack_id: + - T1484 + - T1484.001 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: parent_process_name + type: Process + role: + - Parent Process + - name: process_name + type: Process + role: + - Child Process + product: + - Splunk Behavioral Analytics + required_fields: + - process_name + - _time + - dest_device_id + - dest_user_id + - process + risk_score: 50 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + source: WinEventLog:Security diff --git a/dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml b/dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml new file mode 100644 index 0000000000..f96b20ea3a --- /dev/null +++ b/dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml 
@@ -0,0 +1,66 @@ +name: Windows File Share Discovery With Powerview +id: ec4f671e-c736-4f78-a4c0-8fe809e952e5 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +status: production +type: TTP +description: The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all + active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information + like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them + for Privilege Escalation or Lateral Movement. +data_source: +- Windows Security 4104 +search: + selection1: + process|contains: '4194304' + selection2: + process|re: Invoke-ShareFinder + condition: selection1 and selection2 +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
+known_false_positives: Unknown +references: +- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 +- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ +- https://attack.mitre.org/techniques/T1135/ +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 80 + impact: 60 + message: Invoke-ShareFinder commandlet was executed on $Computer$ + mitre_attack_id: + - T1552 + - T1552.006 + observable: + - name: Computer + type: Hostname + role: + - Victim + - name: UserID + type: User + role: + - Victim + product: + - Splunk Behavioral Analytics + required_fields: + - _time + - EventCode + - ScriptBlockText + - Opcode + - Computer + - UserID + kill_chain_phases: + - Exploitation + risk_score: 48 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + source: WinEventLog + sourcetype: WinEventLog + update_timestamp: true diff --git a/dev_ssa/endpoint/ssa___windows_findstr_gpp_discovery.yml b/dev_ssa/endpoint/ssa___windows_findstr_gpp_discovery.yml new file mode 100644 index 0000000000..825c9f66cc --- /dev/null +++ b/dev_ssa/endpoint/ssa___windows_findstr_gpp_discovery.yml 
@@ -0,0 +1,65 @@ +name: Windows Findstr GPP Discovery +id: 73ed0f19-080e-4917-b7c6-56e1760a50d4 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +status: production +type: TTP +description: The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). + GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. + These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). + While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. +data_source: +- Windows Security 4688 +search: + selection1: + process_name: + - findstr.exe + process|contains: sysvol + process|contains: cpassword + condition: selection1 +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed. 
+references: +- https://attack.mitre.org/techniques/T1552/006/ +- https://pentestlab.blog/2017/03/20/group-policy-preferences/ +- https://adsecurity.org/?p=2288 +- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ +- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 80 + impact: 70 + message: Findstr was executed to discover GPP credentials on $dest$ + mitre_attack_id: + - T1552 + - T1552.006 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Behavioral Analytics + required_fields: + - process_name + - _time + - dest_device_id + - dest_user_id + - process + risk_score: 56 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + source: WinEventLog:Security diff --git a/dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml b/dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml new file mode 100644 index 0000000000..2940e7d052 --- /dev/null +++ b/dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml 
@@ -0,0 +1,71 @@ +name: Windows PowerSploit GPP Discovery +id: fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +status: production +type: TTP +description: The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). + GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. + These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). + While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. +data_source: +- Windows Security 4104 +search: + selection1: + process|contains: '4194304' + selection2: + process|re: Get-GPPPassword + selection3: + process|re: Get-CachedGPPPassword + condition: selection1 and selection2 or selection3 +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
+known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1552/006/ +- https://pentestlab.blog/2017/03/20/group-policy-preferences/ +- https://adsecurity.org/?p=2288 +- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ +- https://adsecurity.org/?p=2288 +- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 80 + impact: 70 + message: Commandlets leveraged to discover GPP credentials were executed on $Computer$ + mitre_attack_id: + - T1552 + - T1552.006 + observable: + - name: Computer + type: Hostname + role: + - Victim + - name: UserID + type: User + role: + - Victim + product: + - Splunk Behavioral Analytics + required_fields: + - _time + - EventCode + - ScriptBlockText + - Opcode + - Computer + - UserID + kill_chain_phases: + - Exploitation + risk_score: 56 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + source: WinEventLog + sourcetype: WinEventLog + update_timestamp: true diff --git a/dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml b/dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml new file mode 100644 index 0000000000..2a8af508b0 --- /dev/null +++ b/dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml 
@@ -0,0 +1,64 @@ +name: Windows PowerView AD Access Control List Enumeration +id: 2b301d6c-0527-4dbd-8d2d-5345bc4be0cf +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +status: production +type: TTP +description: The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets + are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within + the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex + and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged + by attackers to identify and exploit configuration weaknesses. +data_source: +- Windows Security 4104 +search: + selection1: + process|contains: '4194304' + selection2: + process|re: Invoke-ShareFinder + condition: selection1 and selection2 +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed. 
+references: +- https://attack.mitre.org/techniques/T1078/002/ +- https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89 +- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces +- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/ +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 50 + impact: 40 + message: PowerView AD acccess control list enumeration detected on $Computer$ + mitre_attack_id: + - T1078.002 + - T1069 + observable: + - name: Computer + type: Hostname + role: + - Victim + product: + - Splunk Behavioral Analytics + required_fields: + - _time + - EventCode + - ScriptBlockText + - Opcode + - Computer + - UserID + kill_chain_phases: + - Exploitation + risk_score: 20 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: + source: WinEventLog + sourcetype: WinEventLog + update_timestamp: true From 5acb7033a641151a79cd8d5b4821d4295cb6faa6 Mon Sep 17 00:00:00 2001 From: mvelazco Date: Wed, 17 May 2023 15:19:36 -0400 Subject: [PATCH 2/3] fixing detection --- .../ssa___windows_findstr_gpp_discovery.yml | 10 +- .../ssa___windows_findstr_gpp_discovery.yml | 125 ++++++++++++++++++ .../ssa___windows_findstr_gpp_discovery.yml | 115 ++++++++++++++++ 3 files changed, 245 insertions(+), 5 deletions(-) create mode 100644 dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml create mode 100644 ssa_detections/endpoint/ssa___windows_findstr_gpp_discovery.yml diff --git a/dev_ssa/endpoint/ssa___windows_findstr_gpp_discovery.yml b/dev_ssa/endpoint/ssa___windows_findstr_gpp_discovery.yml index 825c9f66cc..2d95d09f81 100644 --- a/dev_ssa/endpoint/ssa___windows_findstr_gpp_discovery.yml +++ b/dev_ssa/endpoint/ssa___windows_findstr_gpp_discovery.yml 
@@ -13,10 +13,10 @@ data_source: - Windows Security 4688 search: selection1: - process_name: + process.file.name: - findstr.exe - process|contains: sysvol - process|contains: cpassword + process.cmd_line|contains: sysvol + process.cmd_line|contains: cpassword condition: selection1 how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -61,5 +61,5 @@ tags: tests: - name: True Positive Test attack_data: - - data: - source: WinEventLog:Security + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log + source: XmlWinEventLog \ No newline at end of file diff --git a/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml b/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml new file mode 100644 index 0000000000..a0c8df7164 --- /dev/null +++ b/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml 
@@ -0,0 +1,125 @@ +name: Windows Findstr GPP Discovery +id: 73ed0f19-080e-4917-b7c6-56e1760a50d4 +version: 1 +description: The following analytic identifies the use of the findstr command employed + to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools + that allow administrators to create domain policies with embedded credentials. These + policies allow administrators to set local accounts. These group policies are stored + in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL + share and decrypt the password (using the AES key that has been made public). While + Microsoft released a patch that impedes Administrators to create unsecure credentials, + existing Group Policy Preferences files with passwords are not removed from SYSVOL. +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), + "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", + null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) + | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval + actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), + "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), + "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", + null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), + "string", 
null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), + "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", + null) | where process_file_name="findstr.exe" AND like(process_cmd_line, "%cpassword%") + + | eval body=create_map( + "devices", [ + create_map( + "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) + ) + ], + "time", timestamp, + "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), + "message", concat("Windows Findstr GPP Discovery has been triggered on ", device_hostname, " by ", actor_user_name, "."), + "users", [ + create_map( + "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) + ) + ], + "activity_id", 1, + "category_uid", 2, + "class_uid", 102001, + "risk_level_id", 2, + "risk_score", 56, + "severity_id", 0, + "rule", create_map("name", "Windows Findstr GPP Discovery", "uid", "73ed0f19-080e-4917-b7c6-56e1760a50d4", "type", "Streaming"), + "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), + "type_uid", 10200101, + "start_time", timestamp, + "end_time", timestamp + ) + | into write_ba_finding_events();' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. 
+known_false_positives: Administrators may leverage findstr to find passwords in GPO + to validate exposure. Filter as needed. +references: +- https://attack.mitre.org/techniques/T1552/006/ +- https://pentestlab.blog/2017/03/20/group-policy-preferences/ +- https://adsecurity.org/?p=2288 +- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ +- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 +tags: + required_fields: + - process.pid + - process.file.path + - process.file.name + - process.cmd_line + - actor.user.name + - actor.process.pid + - actor.process.file.path + - actor.process.file.name + - device.hostname + risk_score: 56 + security_domain: endpoint + risk_severity: medium + research_site_url: https://research.splunk.com/endpoint/73ed0f19-080e-4917-b7c6-56e1760a50d4/ + event_schema: ocsf + mappings: + - ocsf: process.pid + cim: process_id + - ocsf: process.file.path + cim: process_path + - ocsf: process.file.name + cim: process_name + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.name + cim: user + - ocsf: actor.process.pid + cim: parent_process_id + - ocsf: actor.process.file.path + cim: parent_process_path + - ocsf: actor.process.file.name + cim: parent_process_name + - ocsf: device.hostname + cim: dest + annotations: + analytic_story: + - Active Directory Privilege Escalation + cis20: + - CIS 10 + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1552 + - T1552.006 + nist: + - DE.CM +test: + name: Windows Findstr GPP Discovery Unit Test + tests: + - name: Windows Findstr GPP Discovery + attack_data: + - file_name: windows-4688.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log + source: XmlWinEventLog +runtime: SPL-DSP 
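Review bot: the generated `where` clause in dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml only checks `like(process_cmd_line, "%cpassword%")` and has lost the `sysvol` condition that the dev_ssa rule in the previous hunk still declares (`process.cmd_line|contains: sysvol` next to `process.cmd_line|contains: cpassword`). That is the expected outcome of putting two identical `process.cmd_line|contains` keys in one YAML mapping: the parser keeps the last one, so `sysvol` never reaches the compiled search. Either the dist output is stale or the source rule needs the two terms split into separate selections joined with `and` in the condition (the pattern already used in the other rules of this PR). Also confirm that `like()` on this runtime is case-insensitive, since `findstr /i CPassword` is a common way to type this and would otherwise be missed.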
diff --git a/ssa_detections/endpoint/ssa___windows_findstr_gpp_discovery.yml b/ssa_detections/endpoint/ssa___windows_findstr_gpp_discovery.yml new file mode 100644 index 0000000000..9a807b25d7 --- /dev/null +++ b/ssa_detections/endpoint/ssa___windows_findstr_gpp_discovery.yml 
@@ -0,0 +1,115 @@ +name: Windows Findstr GPP Discovery +id: 73ed0f19-080e-4917-b7c6-56e1760a50d4 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +type: TTP +status: production +description: The following analytic identifies the use of the findstr command employed + to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools + that allow administrators to create domain policies with embedded credentials. These + policies allow administrators to set local accounts. These group policies are stored + in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL + share and decrypt the password (using the AES key that has been made public). While + Microsoft released a patch that impedes Administrators to create unsecure credentials, + existing Group Policy Preferences files with passwords are not removed from SYSVOL. +data_source: +- Windows Security 4688 +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), + "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", + null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) + | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval + actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), + "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), + "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", + null) | eval 
actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), + "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), + "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", + null) | where process_file_name="findstr.exe" AND like(process_cmd_line, "%cpassword%") + --finding_report--' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: Administrators may leverage findstr to find passwords in GPO + to validate exposure. Filter as needed. +references: +- https://attack.mitre.org/techniques/T1552/006/ +- https://pentestlab.blog/2017/03/20/group-policy-preferences/ +- https://adsecurity.org/?p=2288 +- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ +- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 80 + impact: 70 + message: Findstr was executed to discover GPP credentials on $dest$ + mitre_attack_id: + - T1552 + - T1552.006 + observable: + - name: process.pid + type: Other + - name: process.file.path + type: File + - name: process.file.name + type: File + - name: process.cmd_line + type: Other + - name: actor.user.name + type: User Name + - name: actor.process.pid + type: Other + - name: actor.process.file.path + type: File Name + - name: actor.process.file.name + type: File Name + - name: device.hostname + type: Hostname + product: + - Splunk Behavioral Analytics + 
required_fields: + - process.pid + - process.file.path + - process.file.name + - process.cmd_line + - actor.user.name + - actor.process.pid + - actor.process.file.path + - actor.process.file.name + - device.hostname + risk_score: 56 + security_domain: endpoint + mappings: + - ocsf: process.pid + cim: process_id + - ocsf: process.file.path + cim: process_path + - ocsf: process.file.name + cim: process_name + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.name + cim: user + - ocsf: actor.process.pid + cim: parent_process_id + - ocsf: actor.process.file.path + cim: parent_process_path + - ocsf: actor.process.file.name + cim: parent_process_name + - ocsf: device.hostname + cim: dest +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log + source: XmlWinEventLog From 358751bc8e8acb680f5e4252ba822b9592a2d0f4 Mon Sep 17 00:00:00 2001 
From: mvelazco Date: Wed, 17 May 2023 17:03:05 -0400 Subject: [PATCH 3/3] adding srs detections --- ...group_policy_object_modified_with_gpme.yml | 12 +- ...ws_file_share_discovery_with_powerview.yml | 14 +- ...sa___windows_powersploit_gpp_discovery.yml | 16 +-- ...iew_ad_access_control_list_enumeration.yml | 14 +- ...group_policy_object_modified_with_gpme.yml | 128 ++++++++++++++++++ ...ws_file_share_discovery_with_powerview.yml | 101 ++++++++++++++ ...sa___windows_powersploit_gpp_discovery.yml | 106 +++++++++++++++ ...iew_ad_access_control_list_enumeration.yml | 109 +++++++++++++++ ...group_policy_object_modified_with_gpme.yml | 119 ++++++++++++++++ ...ws_file_share_discovery_with_powerview.yml | 84 ++++++++++++ ...sa___windows_powersploit_gpp_discovery.yml | 89 ++++++++++++ ...iew_ad_access_control_list_enumeration.yml | 90 ++++++++++++ 12 files changed, 851 insertions(+), 31 deletions(-) create mode 100644 dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml create mode 100644 dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml create mode 100644 dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml create mode 100644 dist/ssa/srs/ssa___windows_powerview_ad_access_control_list_enumeration.yml create mode 100644 ssa_detections/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml create mode 100644 ssa_detections/endpoint/ssa___windows_file_share_discovery_with_powerview.yml create mode 100644 ssa_detections/endpoint/ssa___windows_powersploit_gpp_discovery.yml create mode 100644 ssa_detections/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml diff --git a/dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml b/dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml index aaccf47fdd..b889453c15 100644 --- a/dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml 
+++ b/dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml @@ -13,13 +13,13 @@ data_source: - Windows Security 4688 search: selection1: - process_name: + process.file.name: - mmc.exe - process|contains: gpme.msc + process.cmd_line|contains: gpme.msc selection2: - process|contains: 31B2F340-016D-11D2-945F-00C04FB984F9 + process.cmd_line|contains: 31B2F340-016D-11D2-945F-00C04FB984F9 selection3: - process|contains: 6AC1786C-016F-11D2-945F-00C04fB984F9 + process.cmd_line|contains: 6AC1786C-016F-11D2-945F-00C04fB984F9 condition: selection1 or selection2 or selection3 how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your @@ -68,5 +68,5 @@ tags: tests: - name: True Positive Test attack_data: - - data: - source: WinEventLog:Security + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/security-4688.log + source: XmlWinEventLog diff --git a/dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml b/dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml index f96b20ea3a..c06c90dbfe 100644 --- a/dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml +++ b/dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml 
@@ -10,13 +10,11 @@ description: The following analytic identifies the use of the Invoke-ShareFinder like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them for Privilege Escalation or Lateral Movement. data_source: -- Windows Security 4104 +- Powershell 4104 search: selection1: - process|contains: '4194304' - selection2: - process|re: Invoke-ShareFinder - condition: selection1 and selection2 + process.cmd_line|re: 'invoke-sharefinder' + condition: selection1 how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -60,7 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - source: WinEventLog - sourcetype: WinEventLog + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log + source: XmlWinEventLog + sourcetype: XmlWinEventLog update_timestamp: true diff --git a/dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml b/dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml index 2940e7d052..00830803d8 100644 --- a/dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml +++ b/dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml 
@@ -10,15 +10,11 @@ description: The following analytic identifies the use of the Get-GPPPassword Po These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL. data_source: -- Windows Security 4104 +- Powershell 4104 search: selection1: - process|contains: '4194304' - selection2: - process|re: Get-GPPPassword - selection3: - process|re: Get-CachedGPPPassword - condition: selection1 and selection2 or selection3 + process.cmd_line|re: 'get-gpppassword' + condition: selection1 how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -65,7 +61,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - source: WinEventLog - sourcetype: WinEventLog + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log + source: XmlWinEventLog + sourcetype: XmlWinEventLog update_timestamp: true diff --git a/dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml b/dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml index 2a8af508b0..93e9ac8b43 100644 --- a/dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml +++ b/dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml 
@@ -11,13 +11,13 @@ description: The following analytic leverages Event ID 4104 to identify the exec and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged by attackers to identify and exploit configuration weaknesses. data_source: -- Windows Security 4104 +- Powershell 4104 search: selection1: - process|contains: '4194304' + process.cmd_line|re: 'get-objectacl' selection2: - process|re: Invoke-ShareFinder - condition: selection1 and selection2 + process.cmd_line|re: 'get-domainobjectacl' + condition: selection1 or selection2 how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. @@ -58,7 +58,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - source: WinEventLog - sourcetype: WinEventLog + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log + source: XmlWinEventLog + sourcetype: XmlWinEventLog update_timestamp: true diff --git a/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml b/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml new file mode 100644 index 0000000000..a5e83f1ed2 --- /dev/null +++ b/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml 
@@ -0,0 +1,128 @@ +name: Windows Default Group Policy Object Modified with GPME +id: bcb55c13-067b-4648-98f3-627010f72520 +version: 1 +description: The following analytic identifies the potential edition of a default + Group Policy Object. A fresh installation of an Active Directory network will typically + contain two default group policy objects `Default Domain Controllers Policy` and + `Default Domain Policy`. The default domain controllers policy is used to enforce + and set policies to all the domain controllers within the domain environment. The + default domain policy is linked to all users and computers by default. An adversary + who has obtained privileged access to an Active Directory network may modify the + default group policy objects to obtain further access, deploy persistence or execute + malware across a large number of hosts. Security teams should monitor the edition + of the default GPOs. +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), + "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", + null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) + | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval + actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), + "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), + "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", + null) | eval 
actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), + "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), + "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", + null) | where (process_file_name="mmc.exe" AND like(process_cmd_line, "%gpme.msc%")) + OR like(process_cmd_line, "%31B2F340-016D-11D2-945F-00C04FB984F9%") OR like(process_cmd_line, + "%6AC1786C-016F-11D2-945F-00C04fB984F9%") + | eval body=create_map( + "devices", [ + create_map( + "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) + ) + ], + "time", timestamp, + "evidence", create_map("process.pid", process_pid, "process.file.path", process_file_path, "process.file.name", process_file_name, "process.cmd_line", process_cmd_line, "actor.user.name", actor_user_name, "actor.process.pid", actor_process_pid, "actor.process.file.path", actor_process_file_path, "actor.process.file.name", actor_process_file_name, "device.hostname", device_hostname), + "message", concat("Windows Default Group Policy Object Modified with GPME has been triggered on ", device_hostname, " by ", actor_user_name, "."), + "users", [ + create_map( + "name", actor_user_name, "uid", ucast(map_get(actor_user,"uid"), "string", null) + ) + ], + "activity_id", 1, + "category_uid", 2, + "class_uid", 102001, + "risk_level_id", 2, + "risk_score", 50, + "severity_id", 0, + "rule", create_map("name", "Windows Default Group Policy Object Modified with GPME", "uid", "bcb55c13-067b-4648-98f3-627010f72520", "type", "Streaming"), + "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), + "type_uid", 10200101, + "start_time", 
timestamp, + "end_time", timestamp + ) + | into write_ba_finding_events();' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: The default Group Policy Objects within an AD network may be + legitimately updated for administrative operations, filter as needed. +references: +- https://attack.mitre.org/techniques/T1484/ +- https://attack.mitre.org/techniques/T1484/001 +- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ +- https://adsecurity.org/?p=2716 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11) +tags: + required_fields: + - process.pid + - process.file.path + - process.file.name + - process.cmd_line + - actor.user.name + - actor.process.pid + - actor.process.file.path + - actor.process.file.name + - device.hostname + risk_score: 50 + security_domain: endpoint + risk_severity: medium + research_site_url: https://research.splunk.com/endpoint/bcb55c13-067b-4648-98f3-627010f72520/ + event_schema: ocsf + mappings: + - ocsf: process.pid + cim: process_id + - ocsf: process.file.path + cim: process_path + - ocsf: process.file.name + cim: process_name + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.name + cim: user + - ocsf: actor.process.pid + cim: parent_process_id + - ocsf: actor.process.file.path + cim: parent_process_path + - ocsf: actor.process.file.name + cim: parent_process_name + - ocsf: device.hostname + cim: dest + annotations: + analytic_story: + - Active Directory Privilege Escalation + cis20: + - CIS 10 + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1484 + - T1484.001 + nist: + - DE.CM +test: + name: Windows Default Group Policy Object Modified with GPME Unit Test + tests: + - name: Windows Default Group 
Policy Object Modified with GPME + attack_data: + - file_name: security-4688.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/security-4688.log + source: XmlWinEventLog +runtime: SPL-DSP diff --git a/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml b/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml new file mode 100644 index 0000000000..7210a61325 --- /dev/null +++ b/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml 
@@ -0,0 +1,101 @@ +name: Windows File Share Discovery With Powerview +id: ec4f671e-c736-4f78-a4c0-8fe809e952e5 +version: 1 +description: The following analytic identifies the use of the Invoke-ShareFinder PowerShell + commandlet part of PowerView. This module obtains the list of all active domain + computers and lists the active shares on each computer. Network file shares in Active + Directory environments may contain sensitive information like backups, scripts, + credentials, etc. Adversaries who have obtained a foothold in an AD network may + leverage PowerView to identify secrets and leverage them for Privilege Escalation + or Lateral Movement. +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), + "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", + null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) + | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), + "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", + null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | + eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, + /(?i)invoke-sharefinder/)=true + | eval body=create_map( + "devices", [ + create_map( + "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) + ) + ], + "time", timestamp, + "evidence", create_map("device.hostname", device_hostname, "process.file.path", process_file_path, "process.uid", process_uid, 
"process.cmd_line", process_cmd_line, "actor.user.uid", actor_user_uid), + "message", concat("Windows File Share Discovery With Powerview has been triggered on ", device_hostname, " by ", "Unknown", "."), + "users", [ + create_map( + "name", "Unknown", "uid", ucast(map_get(actor_user,"uid"), "string", null) + ) + ], + "activity_id", 1, + "category_uid", 2, + "class_uid", 102001, + "risk_level_id", 2, + "risk_score", 48, + "severity_id", 0, + "rule", create_map("name", "Windows File Share Discovery With Powerview", "uid", "ec4f671e-c736-4f78-a4c0-8fe809e952e5", "type", "Streaming"), + "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), + "type_uid", 10200101, + "start_time", timestamp, + "end_time", timestamp + ) + | into write_ba_finding_events();' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
+known_false_positives: Unknown +references: +- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 +- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ +- https://attack.mitre.org/techniques/T1135/ +tags: + required_fields: + - device.hostname + - process.file.path + - process.uid + - process.cmd_line + - actor.user.uid + risk_score: 48 + security_domain: endpoint + risk_severity: low + research_site_url: https://research.splunk.com/endpoint/ec4f671e-c736-4f78-a4c0-8fe809e952e5/ + event_schema: ocsf + mappings: + - ocsf: device.hostname + cim: dest + - ocsf: process.file.path + cim: process_path + - ocsf: process.uid + cim: process_id + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.uid + cim: user_id + annotations: + analytic_story: + - Active Directory Privilege Escalation + cis20: + - CIS 10 + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1552 + - T1552.006 + nist: + - DE.CM +test: + name: Windows File Share Discovery With Powerview Unit Test + tests: + - name: Windows File Share Discovery With Powerview + attack_data: + - file_name: windows-powershell.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log + source: XmlWinEventLog +runtime: SPL-DSP diff --git a/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml b/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml new file mode 100644 index 0000000000..71ca37b2d3 --- /dev/null +++ b/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml 
@@ -0,0 +1,106 @@ +name: Windows PowerSploit GPP Discovery +id: fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2 +version: 1 +description: The following analytic identifies the use of the Get-GPPPassword PowerShell + commandlet employed to search for unsecured credentials Group Policy Preferences + (GPP). GPP are tools that allow administrators to create domain policies with embedded + credentials. These policies allow administrators to set local accounts. These group + policies are stored in SYSVOL on a domain controller. This means that any domain + user can view the SYSVOL share and decrypt the password (using the AES key that + has been made public). While Microsoft released a patch that impedes Administrators + to create unsecure credentials, existing Group Policy Preferences files with passwords + are not removed from SYSVOL. +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), + "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", + null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) + | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), + "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", + null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | + eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, + /(?i)get-gpppassword/)=true + | eval body=create_map( + "devices", [ + create_map( + "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) 
+ ) + ], + "time", timestamp, + "evidence", create_map("device.hostname", device_hostname, "process.file.path", process_file_path, "process.uid", process_uid, "process.cmd_line", process_cmd_line, "actor.user.uid", actor_user_uid), + "message", concat("Windows PowerSploit GPP Discovery has been triggered on ", device_hostname, " by ", "Unknown", "."), + "users", [ + create_map( + "name", "Unknown", "uid", ucast(map_get(actor_user,"uid"), "string", null) + ) + ], + "activity_id", 1, + "category_uid", 2, + "class_uid", 102001, + "risk_level_id", 2, + "risk_score", 56, + "severity_id", 0, + "rule", create_map("name", "Windows PowerSploit GPP Discovery", "uid", "fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2", "type", "Streaming"), + "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), + "type_uid", 10200101, + "start_time", timestamp, + "end_time", timestamp + ) + | into write_ba_finding_events();' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
+known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1552/006/ +- https://pentestlab.blog/2017/03/20/group-policy-preferences/ +- https://adsecurity.org/?p=2288 +- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ +- https://adsecurity.org/?p=2288 +- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 +tags: + required_fields: + - device.hostname + - process.file.path + - process.uid + - process.cmd_line + - actor.user.uid + risk_score: 56 + security_domain: endpoint + risk_severity: medium + research_site_url: https://research.splunk.com/endpoint/fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2/ + event_schema: ocsf + mappings: + - ocsf: device.hostname + cim: dest + - ocsf: process.file.path + cim: process_path + - ocsf: process.uid + cim: process_id + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.uid + cim: user_id + annotations: + analytic_story: + - Active Directory Privilege Escalation + cis20: + - CIS 10 + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1552 + - T1552.006 + nist: + - DE.CM +test: + name: Windows PowerSploit GPP Discovery Unit Test + tests: + - name: Windows PowerSploit GPP Discovery + attack_data: + - file_name: win-powershell.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log + source: XmlWinEventLog +runtime: SPL-DSP diff --git a/dist/ssa/srs/ssa___windows_powerview_ad_access_control_list_enumeration.yml b/dist/ssa/srs/ssa___windows_powerview_ad_access_control_list_enumeration.yml new file mode 100644 index 0000000000..14986a2e6a --- /dev/null +++ b/dist/ssa/srs/ssa___windows_powerview_ad_access_control_list_enumeration.yml 
@@ -0,0 +1,109 @@ +name: Windows PowerView AD Access Control List Enumeration +id: 2b301d6c-0527-4dbd-8d2d-5345bc4be0cf +version: 1 +description: The following analytic leverages Event ID 4104 to identify the execution + of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. + This commandlets are used to enumerate Access Control List permissions given to + Active Directory objects. In an active directory environment, an object is an entity + that represents an available resource within the organizations network, such as + domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory + permissions is complicated and hard to manage, especially in complex and large environments + with multiple domains. Weak permissions may allow adversaries and red teamers to + escalate their privileges in Active Directory. PowerView is a common tool leveraged + by attackers to identify and exploit configuration weaknesses. +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), + "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", + null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) + | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), + "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", + null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | + eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, + /(?i)get-objectacl/)=true OR 
match_regex(process_cmd_line, /(?i)get-domainobjectacl/)=true + + | eval body=create_map( + "devices", [ + create_map( + "hostname", device_hostname, "type_id", 0, "uuid", ucast(map_get(device,"uuid"), "string", null) + ) + ], + "time", timestamp, + "evidence", create_map("device.hostname", device_hostname, "process.file.path", process_file_path, "process.uid", process_uid, "process.cmd_line", process_cmd_line, "actor.user.uid", actor_user_uid), + "message", concat("Windows PowerView AD Access Control List Enumeration has been triggered on ", device_hostname, " by ", "Unknown", "."), + "users", [ + create_map( + "name", "Unknown", "uid", ucast(map_get(actor_user,"uid"), "string", null) + ) + ], + "activity_id", 1, + "category_uid", 2, + "class_uid", 102001, + "risk_level_id", 1, + "risk_score", 20, + "severity_id", 0, + "rule", create_map("name", "Windows PowerView AD Access Control List Enumeration", "uid", "2b301d6c-0527-4dbd-8d2d-5345bc4be0cf", "type", "Streaming"), + "metadata", create_map("customer_uid", ucast(map_get(metadata,"customer_uid"), "string", null), "product", create_map("name", "Behavior Analytics", "vendor_name", "Splunk"), "version", "1.0.0-rc.2", "logged_time", time()), + "type_uid", 10200101, + "start_time", timestamp, + "end_time", timestamp + ) + | into write_ba_finding_events();' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. 
+references: +- https://attack.mitre.org/techniques/T1078/002/ +- https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89 +- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces +- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/ +tags: + required_fields: + - device.hostname + - process.file.path + - process.uid + - process.cmd_line + - actor.user.uid + risk_score: 20 + security_domain: endpoint + risk_severity: low + research_site_url: https://research.splunk.com/endpoint/2b301d6c-0527-4dbd-8d2d-5345bc4be0cf/ + event_schema: ocsf + mappings: + - ocsf: device.hostname + cim: dest + - ocsf: process.file.path + cim: process_path + - ocsf: process.uid + cim: process_id + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.uid + cim: user_id + annotations: + analytic_story: + - Active Directory Privilege Escalation + cis20: + - CIS 10 + kill_chain_phases: + - Exploitation + - Delivery + - Installation + mitre_attack_id: + - T1078.002 + - T1069 + nist: + - DE.CM +test: + name: Windows PowerView AD Access Control List Enumeration Unit Test + tests: + - name: Windows PowerView AD Access Control List Enumeration + attack_data: + - file_name: windows-powershell.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log + source: XmlWinEventLog +runtime: SPL-DSP diff --git a/ssa_detections/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml b/ssa_detections/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml new file mode 100644 index 0000000000..97b6acf6b2 --- /dev/null +++ b/ssa_detections/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml 
@@ -0,0 +1,119 @@ +name: Windows Default Group Policy Object Modified with GPME +id: bcb55c13-067b-4648-98f3-627010f72520 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +type: TTP +status: production +description: The following analytic identifies the potential edition of a default + Group Policy Object. A fresh installation of an Active Directory network will typically + contain two default group policy objects `Default Domain Controllers Policy` and + `Default Domain Policy`. The default domain controllers policy is used to enforce + and set policies to all the domain controllers within the domain environment. The + default domain policy is linked to all users and computers by default. An adversary + who has obtained privileged access to an Active Directory network may modify the + default group policy objects to obtain further access, deploy persistence or execute + malware across a large number of hosts. Security teams should monitor the edition + of the default GPOs. 
+data_source: +- Windows Security 4688 +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + process=ucast(map_get(input_event,"process"), "map", null) | eval process_pid=ucast(map_get(process,"pid"), + "string", null) | eval process_file=ucast(map_get(process,"file"), "map", null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", + null) | eval process_file_name=ucast(map_get(process_file,"name"), "string", null) + | eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null) | eval + actor=ucast(map_get(input_event,"actor"), "map", null) | eval actor_user=ucast(map_get(actor,"user"), + "map", null) | eval actor_user_name=ucast(map_get(actor_user,"name"), + "string", null) | eval actor_process=ucast(map_get(actor,"process"), "map", null) | eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", + null) | eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null) | eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), + "string", null) | eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), + "string", null) | eval device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), "string", + null) | where (process_file_name="mmc.exe" AND like(process_cmd_line, "%gpme.msc%")) + OR like(process_cmd_line, "%31B2F340-016D-11D2-945F-00C04FB984F9%") OR like(process_cmd_line, + "%6AC1786C-016F-11D2-945F-00C04fB984F9%") --finding_report--' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. 
+known_false_positives: The default Group Policy Objects within an AD network may be + legitimately updated for administrative operations, filter as needed. +references: +- https://attack.mitre.org/techniques/T1484/ +- https://attack.mitre.org/techniques/T1484/001 +- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ +- https://adsecurity.org/?p=2716 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11) +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 50 + impact: 100 + message: A default group policy object was opened with Group Policy Manage Editor + on $dest$ + mitre_attack_id: + - T1484 + - T1484.001 + observable: + - name: process.pid + type: Other + - name: process.file.path + type: File + - name: process.file.name + type: File + - name: process.cmd_line + type: Other + - name: actor.user.name + type: User Name + - name: actor.process.pid + type: Other + - name: actor.process.file.path + type: File Name + - name: actor.process.file.name + type: File Name + - name: device.hostname + type: Hostname + product: + - Splunk Behavioral Analytics + required_fields: + - process.pid + - process.file.path + - process.file.name + - process.cmd_line + - actor.user.name + - actor.process.pid + - actor.process.file.path + - actor.process.file.name + - device.hostname + risk_score: 50 + security_domain: endpoint + mappings: + - ocsf: process.pid + cim: process_id + - ocsf: process.file.path + cim: process_path + - ocsf: process.file.name + cim: process_name + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.name + cim: user + - ocsf: actor.process.pid + cim: parent_process_id + - ocsf: actor.process.file.path + cim: parent_process_path + - ocsf: actor.process.file.name + cim: parent_process_name + - ocsf: device.hostname + cim: dest +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/security-4688.log + source: XmlWinEventLog diff --git a/ssa_detections/endpoint/ssa___windows_file_share_discovery_with_powerview.yml b/ssa_detections/endpoint/ssa___windows_file_share_discovery_with_powerview.yml new file mode 100644 index 0000000000..9fc3a90784 --- /dev/null +++ b/ssa_detections/endpoint/ssa___windows_file_share_discovery_with_powerview.yml 
@@ -0,0 +1,84 @@ +name: Windows File Share Discovery With Powerview +id: ec4f671e-c736-4f78-a4c0-8fe809e952e5 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +type: TTP +status: production +description: The following analytic identifies the use of the Invoke-ShareFinder PowerShell + commandlet part of PowerView. This module obtains the list of all active domain + computers and lists the active shares on each computer. Network file shares in Active + Directory environments may contain sensitive information like backups, scripts, + credentials, etc. Adversaries who have obtained a foothold in an AD network may + leverage PowerView to identify secrets and leverage them for Privilege Escalation + or Lateral Movement. +data_source: +- Powershell 4104 +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), + "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", + null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) + | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), + "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", + null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | + eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, + /(?i)invoke-sharefinder/)=true --finding_report--' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. 
Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Unknown +references: +- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 +- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ +- https://attack.mitre.org/techniques/T1135/ +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 80 + impact: 60 + message: Invoke-ShareFinder commandlet was executed on $Computer$ + mitre_attack_id: + - T1552 + - T1552.006 + observable: + - name: device.hostname + type: Hostname + - name: process.file.path + type: File + - name: process.uid + type: Other + - name: process.cmd_line + type: Other + - name: actor.user.uid + type: Other + product: + - Splunk Behavioral Analytics + required_fields: + - device.hostname + - process.file.path + - process.uid + - process.cmd_line + - actor.user.uid + risk_score: 48 + security_domain: endpoint + mappings: + - ocsf: device.hostname + cim: dest + - ocsf: process.file.path + cim: process_path + - ocsf: process.uid + cim: process_id + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.uid + cim: user_id +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log + source: XmlWinEventLog + sourcetype: XmlWinEventLog diff --git a/ssa_detections/endpoint/ssa___windows_powersploit_gpp_discovery.yml b/ssa_detections/endpoint/ssa___windows_powersploit_gpp_discovery.yml new file mode 100644 index 0000000000..7c904bfeaa --- /dev/null +++ b/ssa_detections/endpoint/ssa___windows_powersploit_gpp_discovery.yml 
@@ -0,0 +1,89 @@ +name: Windows PowerSploit GPP Discovery +id: fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2 +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +type: TTP +status: production +description: The following analytic identifies the use of the Get-GPPPassword PowerShell + commandlet employed to search for unsecured credentials Group Policy Preferences + (GPP). GPP are tools that allow administrators to create domain policies with embedded + credentials. These policies allow administrators to set local accounts. These group + policies are stored in SYSVOL on a domain controller. This means that any domain + user can view the SYSVOL share and decrypt the password (using the AES key that + has been made public). While Microsoft released a patch that impedes Administrators + to create unsecure credentials, existing Group Policy Preferences files with passwords + are not removed from SYSVOL. +data_source: +- Powershell 4104 +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), + "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", + null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) + | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), + "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", + null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | + eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, + /(?i)get-gpppassword/)=true --finding_report--' 
+how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1552/006/ +- https://pentestlab.blog/2017/03/20/group-policy-preferences/ +- https://adsecurity.org/?p=2288 +- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/ +- https://adsecurity.org/?p=2288 +- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30 +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 80 + impact: 70 + message: Commandlets leveraged to discover GPP credentials were executed on $Computer$ + mitre_attack_id: + - T1552 + - T1552.006 + observable: + - name: device.hostname + type: Hostname + - name: process.file.path + type: File + - name: process.uid + type: Other + - name: process.cmd_line + type: Other + - name: actor.user.uid + type: Other + product: + - Splunk Behavioral Analytics + required_fields: + - device.hostname + - process.file.path + - process.uid + - process.cmd_line + - actor.user.uid + risk_score: 56 + security_domain: endpoint + mappings: + - ocsf: device.hostname + cim: dest + - ocsf: process.file.path + cim: process_path + - ocsf: process.uid + cim: process_id + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.uid + cim: user_id +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log + source: XmlWinEventLog + sourcetype: XmlWinEventLog 
diff --git a/ssa_detections/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml b/ssa_detections/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml new file mode 100644 index 0000000000..746b0f137e --- /dev/null +++ b/ssa_detections/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml 
@@ -0,0 +1,90 @@ +name: Windows PowerView AD Access Control List Enumeration +id: 2b301d6c-0527-4dbd-8d2d-5345bc4be0cf +version: 1 +date: '2023-05-02' +author: Mauricio Velazco, Splunk +type: TTP +status: production +description: The following analytic leverages Event ID 4104 to identify the execution + of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. + This commandlets are used to enumerate Access Control List permissions given to + Active Directory objects. In an active directory environment, an object is an entity + that represents an available resource within the organizations network, such as + domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory + permissions is complicated and hard to manage, especially in complex and large environments + with multiple domains. Weak permissions may allow adversaries and red teamers to + escalate their privileges in Active Directory. PowerView is a common tool leveraged + by attackers to identify and exploit configuration weaknesses. 
+data_source: +- Powershell 4104 +search: ' | from read_ba_enriched_events() | eval timestamp = ucast(map_get(input_event,"time"),"long", + null) | eval metadata = ucast(map_get(input_event, "metadata"),"map", + null) | eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null) | eval + device=ucast(map_get(input_event,"device"), "map", null) | eval device_hostname=ucast(map_get(device,"hostname"), + "string", null) | eval process=ucast(map_get(input_event,"process"), "map", null) | eval process_file=ucast(map_get(process,"file"), "map", + null) | eval process_file_path=ucast(map_get(process_file,"path"), "string", null) + | eval process_uid=ucast(map_get(process,"uid"), "string", null) | eval process_cmd_line=ucast(map_get(process,"cmd_line"), + "string", null) | eval actor=ucast(map_get(input_event,"actor"), "map", + null) | eval actor_user=ucast(map_get(actor,"user"), "map", null) | + eval actor_user_uid=ucast(map_get(actor_user,"uid"), "string", null) | where match_regex(process_cmd_line, + /(?i)get-objectacl/)=true OR match_regex(process_cmd_line, /(?i)get-domainobjectacl/)=true + --finding_report--' +how_to_implement: To successfully implement this analytic, you will need to enable + PowerShell Script Block Logging on some or all endpoints. Additional setup here + https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. +known_false_positives: Administrators may leverage PowerView for legitimate purposes, + filter as needed. 
+references: +- https://attack.mitre.org/techniques/T1078/002/ +- https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89 +- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces +- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/ +tags: + analytic_story: + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 50 + impact: 40 + message: PowerView AD acccess control list enumeration detected on $Computer$ + mitre_attack_id: + - T1078.002 + - T1069 + observable: + - name: device.hostname + type: Hostname + - name: process.file.path + type: File + - name: process.uid + type: Other + - name: process.cmd_line + type: Other + - name: actor.user.uid + type: Other + product: + - Splunk Behavioral Analytics + required_fields: + - device.hostname + - process.file.path + - process.uid + - process.cmd_line + - actor.user.uid + risk_score: 20 + security_domain: endpoint + mappings: + - ocsf: device.hostname + cim: dest + - ocsf: process.file.path + cim: process_path + - ocsf: process.uid + cim: process_id + - ocsf: process.cmd_line + cim: process + - ocsf: actor.user.uid + cim: user_id +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log + source: XmlWinEventLog + sourcetype: XmlWinEventLog
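Review bot: the True Positive Test in the GPME hunk (the `attack_data` entry that ends at `source: XmlWinEventLog`) declares no `sourcetype`, whereas the three PowerShell detections in this patch declare both `source: XmlWinEventLog` and `sourcetype: XmlWinEventLog`; add `sourcetype: XmlWinEventLog` under that entry so the 4688 test data is ingested the same way as the other tests and the test harness does not fall back to a default sourcetype.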
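Review bot: the ATT&CK mapping in the Invoke-ShareFinder hunk does not match the behaviour the analytic detects: `mitre_attack_id` lists `T1552` and `T1552.006` (Unsecured Credentials / Group Policy Preferences), but the description is about network share discovery and the references cite https://attack.mitre.org/techniques/T1135/; map this detection to `T1135` (Network Share Discovery) and leave the T1552 ids to the GPP detection. `known_false_positives: Unknown` gives operators nothing to tune on; state that administrators may run PowerView share enumeration for inventory and that filtering by user or host is expected, as the ACL-enumeration hunk already does. Also, `message` interpolates `$Computer$`, which is not among the `required_fields` or `observable` names (`device.hostname`, `process.file.path`, ...); if the finding report only exposes the listed observables the placeholder will not render, so use the hostname field the search actually extracts.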
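Review bot: `references` in the Get-GPPPassword hunk lists https://adsecurity.org/?p=2288 twice; drop the duplicate. The description also needs an edit: "search for unsecured credentials Group Policy Preferences (GPP)" is missing "in", and "a patch that impedes Administrators to create unsecure credentials" should read "a patch (MS14-025, linked in the references) that prevents administrators from creating new GPP entries with embedded credentials". `known_false_positives: Unknown` should at least note that security teams and auditors run Get-GPPPassword to find residual cpassword entries in SYSVOL, so expect hits from those accounts. Finally, `how_to_implement` says to enable PowerShell Script Block Logging (event 4104, matching `data_source`), but the linked documentation anchor is `Configure_module_logging_for_PowerShell`, which covers module logging (event 4103); point readers at the script block logging section so the data this search reads is actually produced.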
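Review bot: `message` in the ACL-enumeration hunk has a typo ("acccess") that will appear verbatim in every finding; change it to "PowerView AD access control list enumeration detected on $Computer$". In the description, "This commandlets are used" should be "These cmdlets are used" and "the organizations network" should be "the organization's network". As a style point, the `where` clause ORs two `match_regex` calls on the same field; one pattern such as `/(?i)get-(domain)?objectacl/` matches both cmdlet names and is easier to extend. Lastly, `mitre_attack_id` includes `T1078.002` (Valid Accounts: Domain Accounts), which describes use of an account rather than the enumeration this search detects; consider whether the discovery id `T1069` that is already listed describes the behaviour on its own.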