adding another one
dluxtron committed Nov 17, 2023
1 parent cea88ac commit ab65775
Showing 2 changed files with 82 additions and 3 deletions.
80 changes: 80 additions & 0 deletions detections/application/windows_ad_hidden_ou_creation.yml
@@ -0,0 +1,80 @@
name: Windows AD Hidden OU Creation
id: 66b6ad5e-339a-40af-b721-dacefc7bdb75
version: 1
date: '2023-11-16'
author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Security 5136
description: Hidden OU created using an ACL to deny listing the objects residing in the OU.
search: '`wineventlog_security` EventCode=5136 ObjectClass=organizationalUnit
| eval old_value=if(OperationType=="%%14675",AttributeValue,null), new_value=if(OperationType=="%%14674",AttributeValue,null)
| stats min(_time) as _time values(old_value) as old_value values(new_value) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
| mvexpand new_ace
| where NOT new_ace IN (old_values)
| rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);(?P<aceInheritedTypeGuid>.*?);(?P<aceSid>.*?)$"
| rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})"
| rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})"
| lookup msad_guid_lookup.csv guid as aceObjectGuid OUTPUT displayName as ControlAccessRights
| lookup ace_access_rights_lookup.csv access_rights_string as AccessRights OUTPUT access_rights_value
| lookup ace_type_lookup.csv ace_type_string as aceType OUTPUT ace_type_value as aceType
| lookup ace_flag_lookup.csv flag_string as aceFlags OUTPUT flag_value as ace_flag_value
``` Optional SID resolution lookups
| lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user
| lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ```
| lookup builtin_groups_lookup.csv builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group
| eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid)
| stats values(aceType) as aceType values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID
| eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
| search aceType IN ("Access denied",D) AND aceAccessRights IN ("List contents","List objects",LC,LO)
| `windows_ad_hidden_ou_creation_filter`'
how_to_implement: See link in references for how to configure logging for these eventcodes. Include lookups for SID resolution if evt_resolve_ad_obj is set to 0.
known_false_positives: None.
references:
- https://happycamper84.medium.com/sneaky-persistence-via-hidden-objects-in-ad-1c91fc37bf54
tags:
analytic_story:
- Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
confidence: 100
impact: 100
message: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ $aceAccessRights$ to user $ObjectDN$
mitre_attack_id:
- T1484
- T1222
- T1222.001
observable:
- name: user
type: User
role:
- Victim
- name: src_user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 100
required_fields:
- _time
- OperationType
- ObjectDN
- OpCorrelationID
- src_user
- AttributeLDAPDisplayName
- AttributeValue
- ObjectClass
- SubjectLogonId
- DSName
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
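Review bot: the `message` string in this hunk says the opposite of what the search matches. The final `search aceType IN ("Access denied",D) AND aceAccessRights IN ("List contents","List objects",LC,LO)` keeps only deny ACEs on an `organizationalUnit`, so `$src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ $aceAccessRights$ to user $ObjectDN$` should read along the lines of `$src_user$ has added an ACE denying $user$ $aceAccessRights$ on OU $ObjectDN$`. Two related points in the `tags` block: `src_user` is the 5136 subject that wrote the ACL, so its `observable` role should be Attacker rather than Victim, and `known_false_positives: None.` is hard to defend because nothing in the search separates an attacker from an administrator deliberately restricting enumeration of an OU; that case should be documented and handled via `windows_ad_hidden_ou_creation_filter`. Also worth confirming that the `T1484/DCShadowPermissions/windows-security-xml.log` dataset actually contains an `ObjectClass=organizationalUnit` 5136 event carrying a deny LC/LO ACE, since its name suggests it was captured for a different detection, and that `AttributeLDAPDisplayName` and `DSName` belong in `required_fields` given the search never references either field.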
Expand Up @@ -8,11 +8,10 @@ type: TTP
data_source:
- Windows Security 5136
description: Suspicious AD Attribute Modification
search: ' `wineventlog_security` EventCode=5136 EventCode=5136 AttributeLDAPDisplayName IN ("msDS-AllowedToDelegateTo","msDS-AllowedToActOnBehalfOfOtherIdentity","msDS-KeyCredentialLink","scriptPath","msTSInitialProgram") OperationType=%%14674
search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName IN ("msDS-AllowedToDelegateTo","msDS-AllowedToActOnBehalfOfOtherIdentity","msDS-KeyCredentialLink","scriptPath","msTSInitialProgram") OperationType=%%14674
| table _time ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId DSName AttributeValue AttributeLDAPDisplayName
| rename SubjectLogonId as TargetLogonId, src_user as initiator, _time as eventTime
| appendpipe
| [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
| appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
| stats min(eventTime) as _time values(initiator) as src_user, values(DSName) as targetDomain, values(ObjectDN) as ObjectDN, values(ObjectClass) as ObjectClass, values(src_category) as src_category, values(src_ip) as src_ip values(LogonType) as LogonType values(AttributeValue) as AttributeValue values(AttributeLDAPDisplayName) as AttributeLDAPDisplayName by TargetLogonId
| rex field=ObjectDN "^CN=(?P<cn>.*?),[A-Z]{2}\="
| eval dest=if(ObjectClass="computer",cn,null), user=if(ObjectClass="user",cn,null)
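Review bot: removing the duplicated `EventCode=5136` predicate and collapsing the `appendpipe` onto one line are both fine, but the enrichment still relies on `map`, which runs at most 10 subsearches by default (`maxsearches=10`) and drops further rows, so any window with more than ten matching attribute modifications gets no 4624 context for the remainder, and the inner `search \`wineventlog_security\` EventCode=4624 TargetLogonId=$TargetLogonId$` has no time bound tied to the 5136 event. Suggest either setting `maxsearches` explicitly on the `map` call or replacing the `appendpipe`/`map` pair with a single search over `EventCode IN (4624,5136)` that correlates on `TargetLogonId` in the existing `stats ... by TargetLogonId`, which avoids the per-row subsearch entirely.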