Branch was auto-updated.

detections/endpoint/detect_certipy_file_modifications.yml

@@ -0,0 +1,87 @@
+name: Detect Certipy File Modifications
+id: 7e3df743-b1d8-4631-8fa8-bd5819688876
+version: 1
+date: '2023-06-25'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies when the attacker tool Certipy is used to enumerate Active Directory Certificate Services (AD CS) environments. The default behavior of this toolkit drops a number of file uniquely named files or file extensions related to it's information gathering and exfiltration process.
+data_source:
+- Windows Security 4663
+- Sysmon Event ID 11
+- Sysmon Event ID 15
+- Sysmon Event ID 26
+search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime values(Processes.process_current_directory) as process_current_directory FROM datamodel=Endpoint.Processes where Processes.action="allowed" BY _time span=1h Processes.user Processes.dest Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.parent_process_name Processes.parent_process Processes.process_guid Processes.action
+|`drop_dm_object_name(Processes)` 
+| join max=0 dest process_guid [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*_certipy.zip", "*_certipy.txt", "*_certipy.json", "*.ccache") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest
+| `drop_dm_object_name(Filesystem)` 
+]
+| fields firstTime lastTime user dest file_create_time file_name file_path parent_process_name parent_process process_name process_path process_current_directory process process_guid process_id
+| where isnotnull(file_name)
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)`
+| `detect_certipy_file_modifications_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints as well as file creation or deletion events. 
+known_false_positives: Unknown
+references:
+- https://github.com/ly4k/Certipy
+tags:
+  analytic_story:
+  - Windows Certificate Services
+  - Data Exfiltration
+  - Ingress Tool Transfer
+  asset_type: Endpoint
+  confidence: 90
+  impact: 50
+  message: Suspicious files $file_name$ related to Certipy detected on $dest$
+  mitre_attack_id:
+  - T1649
+  - T1560
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: file_name
+    type: File Name
+    role:
+    - Attacker
+  - name: process_name
+    type: Process Name
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Processes.user 
+  - Processes.dest 
+  - Processes.process_id 
+  - Processes.process_name 
+  - Processes.process 
+  - Processes.process_path 
+  - Processes.parent_process_name 
+  - Processes.parent_process 
+  - Processes.process_guid 
+  - Processes.action
+  - Filesystem.file_create_time 
+  - Filesystem.process_id 
+  - Filesystem.process_guid 
+  - Filesystem.file_name 
+  - Filesystem.file_path 
+  - Filesystem.dest
+  risk_score: 45
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog
+    update_timestamp: true

detections/endpoint/windows_steal_authentication_certificates_esc1_abuse.yml

@@ -0,0 +1,83 @@
+name: Windows Steal Authentication Certificates - ESC1 Abuse
+id: cbe761fc-d945-4c8c-a71d-e26d12255d32
+version: 1
+date: '2023-05-25'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies when a new certificate is requested and/or granted against the Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). This action by its self is not malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1)
+data_source:
+- Windows Security 4886
+- Windows Security 4887
+search: >-
+  `wineventlog_security` EventCode IN (4886,4887) Attributes="*SAN:*upn*" Attributes="*CertificateTemplate:*"
+  | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject
+  values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | rex field=Attributes "(?i)CertificateTemplate:(?<object>[^\r\n]+)"
+  | rex field=Attributes "(?i)ccm:(?<req_src>[^\r\n]+)"
+  | rex max_match=10 field=Attributes "(?i)(upn=(?<req_user_1>[^\r\n&]+))"
+  | rex max_match=10 field=Attributes "(?i)(dns=(?<req_dest_1>[^\r\n&]+))"
+  | rex field=Requester "(.+\\\\)?(?<src_user>[^\r\n]+)"
+  | eval flavor_text = case(EventCode=="4886","A suspicious certificate was requested using request ID: ".'RequestId',EventCode=="4887", "A suspicious certificate was issued using request ID: ".'RequestId'.". To revoke this certifacte use this request ID or the SSL fingerprint [".'ssl_hash'."]"), dest = upper(coalesce(req_dest_1,req_dest_2)), src = upper(coalesce(req_src,Computer)) | fields - req_* | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name| `windows_steal_authentication_certificates___esc1_abuse_filter`
+how_to_implement: To implement this analytic, enhanced Audit Logging must be enabled on AD CS and within Group Policy Management for CS server. See Page 115 of first reference. Recommend throttle correlation by RequestId/ssl_serial at minimum.
+known_false_positives: False positives may be generated in environments where administrative users or processes are allowed to generate certificates with Subject Alternative Names. Sources or templates used in these processes may need to be tuned out for accurate function. 
+references:
+- https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
+- https://github.com/ly4k/Certipy#esc1
+- https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/
+tags:
+  analytic_story:
+  - Windows Certificate Services
+  asset_type: Endpoint
+  confidence: 60
+  impact: 100
+  message: Possible AD CS ESC1 activity by $src_user$ - $flavor_text$
+  mitre_attack_id:
+    - T1649
+  observable:
+    - name: src
+      type: Hostname
+      role:
+        - Victim
+    - name: dest
+      type: Hostname
+      role:
+        - Victim
+    - name: src_user
+      type: User
+      role:
+        - Victim
+    - name: user
+      type: User
+      role:
+        - Victim
+    - name: ssl_hash
+      type: Other
+      role:
+        - Attacker
+    - name: ssl_serial
+      type: Other
+      role:
+        - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Attributes 
+  - Computer
+  - EventCode
+  - Requester
+  - RequestId
+  risk_score: 60
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log
+    source: XmlWinEventLog:Security
+    sourcetype: XmlWinEventLog
+    update_timestamp: true