
updated descriptions and metadata
mvelazc0 committed Apr 21, 2023
1 parent e085d36 commit e3139a9
Showing 11 changed files with 92 additions and 35 deletions.
Expand Up @@ -5,19 +5,29 @@ date: '2023-03-23'
author: Mauricio Velazco, Splunk
type: TTP
datamodel: []
description: UPDATE_DESCRIPTION
description: The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number
remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could
represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors.
As environments differ across organizations, security teams should customize the thresholds of this detection as needed.
search: ' `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$" OR ShareName="\\\\*\\IPC$" OR ShareName="\\\\*\\C$")
| bucket span=5m _time
| stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode
| where unique_targets > 40
| where unique_targets > 30
| `windows_administrative_shares_accessed_on_multiple_hosts_filter`'
how_to_implement: UPDATE_HOW_TO_IMPLEMENT
known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
how_to_implement: To successfully implement this search, you need to be ingesting file share events.
The Advanced Security Audit policy setting `Audit Detailed File Share` or `Audit File Share` within `Object Access` need to be enabled.
known_false_positives: An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior.
Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
references:
- https://attack.mitre.org/techniques/T1135/
- https://en.wikipedia.org/wiki/Administrative_share
- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145
tags:
analytic_story:
- Active Directory Privilege Escalation
- Active Directory Lateral Movement
asset_type: Endpoint
cis20:
- CIS 3
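Review bot: the threshold in the new description and the new `where` clause disagree: the text says the logic fires when a source accesses administrative shares on "30 or more target computers", but `| where unique_targets > 30` only fires at 31 distinct targets. Either change the text to "more than 30" (as the 4769 detection in this commit does) or use `| where unique_targets >= 30`. In the new known_false_positives text, "An single endpoint" should read "A single endpoint", "missconfigured" should be "misconfigured", and "windows administrative shares" wants a capital W; in the description there is a stray space in "IPC$ )". The how_to_implement sentence would be more useful if it said which subcategory produces which event: 5140 comes from `Audit File Share`, 5145 from `Audit Detailed File Share`, and 5145 is written per object access, so on busy file servers the volume is considerable and deployments should expect to enable only the one they can afford.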
Expand Up @@ -5,19 +5,24 @@ date: '2023-03-29'
author: Mauricio Velazco, Splunk
type: TTP
datamodel: []
description: UPDATE_DESCRIPTION
description: The following analytic leverages Splunks Admon to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain
two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment.
The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group
policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs.
search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy")
| stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_admon_default_group_policy_object_modified_filter`'
how_to_implement: UPDATE_HOW_TO_IMPLEMENT
known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
how_to_implement: To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory
known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.
references:
- https://attack.mitre.org/techniques/T1484/
- https://attack.mitre.org/techniques/T1484/001
- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/
- https://adsecurity.org/?p=2716
- https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory
tags:
analytic_story:
- Active Directory Privilege Escalation
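Review bot: the new `stats ... by dcName, displayName` drops who made the change, so an analyst triaging this alert gets the GPO name and SYSVOL path but no principal; the 5136-based sibling detection in this same commit keys on `SubjectUserSid`. If Admon does not expose the modifying account, say so in how_to_implement and point to that sibling for attribution. Typos in the new text: "Splunks Admon" should be "Splunk's Admon", and the how_to_implement sentence ends with "Details can be found here" followed by a bare URL on the next line; either make it a sentence or rely on the references list, where the same URL already appears.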
Expand Up @@ -5,19 +5,24 @@ date: '2023-04-06'
author: Mauricio Velazco, Splunk
type: TTP
datamodel: []
description: UPDATE_DESCRIPTION
description: The following analytic leverages Splunks Admon to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure
applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or
deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network.
Security teams should monitor the creation of new Group Policy Objects.
search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object"
| stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_admon_group_policy_object_created_filter`'
how_to_implement: UPDATE_HOW_TO_IMPLEMENT
known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
how_to_implement: To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory
known_false_positives: Group Policy Objects are created as part of regular administrative operations, filter as needed.
references:
- https://attack.mitre.org/techniques/T1484/
- https://attack.mitre.org/techniques/T1484/001
- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/
- https://adsecurity.org/?p=2716
- https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory
tags:
analytic_story:
- Active Directory Privilege Escalation
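Review bot: the exclusion `displayName!="New Group Policy Object"` in the new search is attacker-controllable. It is there to suppress the intermediate default-named object that GPMC creates before the operator renames it, but a GPO that is simply left with the default name never trips the detection. Prefer collapsing the create and rename events on the object's identity rather than on its name; the `gPCFileSysPath` already collected in the stats contains the policy GUID, which does not change when displayName is edited. Also, the description cites LockBit's use of GPOs but the reference list omits the BleepingComputer article that the 5136/5137 sibling detection in this commit cites; add it for consistency. "Splunks Admon" should be "Splunk's Admon", and "Lockbit ransomware malware" is redundant.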
Expand Up @@ -5,15 +5,20 @@ date: '2023-03-28'
author: Mauricio Velazco, Splunk
type: TTP
datamodel: []
description: UPDATE_DESCRIPTION
description: The following analytic leverages Event ID 5136 to identify the modification of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain
two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment.
The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group
policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the modification of the default GPOs.
search: ' `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=versionNumber (ObjectDN="CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=*" OR ObjectDN="CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=POLICIES,CN=SYSTEM,DC=*")
| stats min(_time) as firstTime max(_time) as lastTime by ObjectDN SubjectUserSid AttributeValue Computer DSName
| rename AttributeValue as versionNumber
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_default_group_policy_object_modified_filter`'
how_to_implement: UPDATE_HOW_TO_IMPLEMENT
known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
how_to_implement: To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled.
Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default.
A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.
known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.
references:
- https://attack.mitre.org/techniques/T1484/
- https://attack.mitre.org/techniques/T1484/001
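Review bot: filtering on `AttributeLDAPDisplayName=versionNumber` means this fires only when the AD object's version counter is bumped, which the Group Policy editor does on save; a change written directly to the policy files under SYSVOL does not touch the `groupPolicyContainer` object and produces no 5136, so how_to_implement or known_false_positives should state that limitation (the Admon-based sibling has the same gap). Style: the two well-known GUIDs in the `ObjectDN` filter are written with inconsistent case (`00C04FB984F9` versus `00C04fB984F9`); field-value matching in the base search is case-insensitive so it still works, but normalize them. It would also help to say in the description which is which, since the stats output shows only the DN: `{31B2F340-016D-11D2-945F-00C04FB984F9}` is the Default Domain Policy and `{6AC1786C-016F-11D2-945F-00C04FB984F9}` is the Default Domain Controllers Policy.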
10 changes: 7 additions & 3 deletions detections/endpoint/windows_dnsadmins_new_member_added.yml
Expand Up @@ -5,18 +5,22 @@ date: '2023-04-06'
author: Mauricio Velazco, Splunk
type: TTP
datamodel: []
description: UPDATE_DESCRIPTION
description: The following analytic leverages Event ID 4732 to identify the addition of a new member to the DnsAdmins group within Active Directory. . Members of the DnsAdmin group can manage
the DNS service which most of the times runs on the Domain Controller. By abusing legitimate DNS management functionality, a member of the DnsAdmins group can escalate privileges by
executing malicious code on a Domain Controller as SYSTEM. Security teams should monitor the modification of the DnsAdmins group and validate the changes are legitimate.
search: ' `wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins
| stats min(_time) as firstTime max(_time) as lastTime values(SubjectUserName) values(Computer) by MemberSid, TargetUserName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_dnsadmins_new_member_added_filter`'
how_to_implement: UPDATE_HOW_TO_IMPLEMENT
known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
how_to_implement: To successfully implement this search, Domain Controller events need to be ingested. The Advanced Security Audit policy setting `Audit Security Group Management`
within `Account Management` needs to be enabled.
known_false_positives: New members can be added to the DnsAdmins group as part of legitimate administrative tasks. Filter as needed.
references:
- https://attack.mitre.org/techniques/T1098/
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise
- https://www.hackingarticles.in/windows-privilege-escalation-dnsadmins-to-domainadmin/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
tags:
analytic_story:
- Active Directory Privilege Escalation
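Review bot: the new `stats ... by MemberSid, TargetUserName` leaves the added account as a bare SID; event 4732 also carries `MemberName`, so add it to the `values()` list or the by clause so the alert is readable without a SID lookup. Typos in the new description: a doubled period after "within Active Directory", "DnsAdmin group" should be "DnsAdmins group" to match the `TargetUserName=DnsAdmins` search term, and "most of the times" should be "most of the time".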
13 changes: 10 additions & 3 deletions detections/endpoint/windows_group_policy_object_created.yml
Expand Up @@ -5,20 +5,27 @@ date: '2023-03-27'
author: Mauricio Velazco
type: TTP
datamodel: []
description: UPDATE_DESCRIPTION
description: The following analytic leverages Event IDs 5136 and 51137 to identify the creation of a new Group Policy Object. With GPOs, system administrators can manage and configure
applications, software operations, and user settings throughout an entire organization. GPOs can be abused and leveraged by adversaries to escalate privileges or
deploy malware across an Active Directory network. As an example, the Lockbit ransomware malware will create new group policies on the domain controller that are then pushed out to every device on the network.
Security teams should monitor the creation of new Group Policy Objects.
search: ' `wineventlog_security` EventCode=5137 OR (EventCode=5136 AttributeValue!="New Group Policy Object" AND (AttributeLDAPDisplayName=displayName OR AttributeLDAPDisplayName=gPCFileSysPath) ) ObjectClass=groupPolicyContainer
| stats values(AttributeValue) as details values(SubjectUserSid) as User values(ObjectDN) as ObjectDN by ObjectGUID Computer
| eval GPO_Name = mvindex(details, 0)
| eval GPO_Path = mvindex(details, 1)
| fields - details
| `windows_group_policy_object_created_filter`'
how_to_implement: UPDATE_HOW_TO_IMPLEMENT
known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
how_to_implement: To successfully implement this search, the Advanced Security Audit policy setting `Audit Directory Service Changes` within `DS Access` needs to be enabled.
Furthermore, the appropriate system access control lists (SACL) need to be created as the used events are not logged by default.
A good guide to accomplish this can be found here https://jgspiers.com/audit-group-policy-changes/.
known_false_positives: Group Policy Objects are created as part of regular administrative operations, filter as needed.
references:
- https://attack.mitre.org/techniques/T1484/
- https://attack.mitre.org/techniques/T1484/001
- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/
- https://adsecurity.org/?p=2716
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/
- https://www.varonis.com/blog/group-policy-objects
tags:
analytic_story:
- Active Directory Privilege Escalation
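Review bot: `eval GPO_Name = mvindex(details, 0)` and `eval GPO_Path = mvindex(details, 1)` assume `values(AttributeValue)` returns the displayName before the gPCFileSysPath, but `values()` returns distinct values in lexicographic order, not event order, so for a GPO whose display name sorts after a `\\` path (any name starting with a lowercase letter, for instance) the two fields come out swapped; and when only the 5137 event is present, `details` is empty and both fields are null. Derive the fields from the 5136 events by attribute name instead, e.g. `| eval gpo_name=if(AttributeLDAPDisplayName="displayName", AttributeValue, null())` before the stats and collect `values(gpo_name)`. Also: the description says "Event IDs 5136 and 51137" (typo for 5137), and `author: Mauricio Velazco` lacks the ", Splunk" suffix used in every other file in this commit.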
Expand Up @@ -6,25 +6,29 @@ author: Mauricio Velazco, Splunk
type: Anomaly
datamodel: []
description: The following analytic leverages Event ID 4769, `A Kerberos
service ticket was requested`, to identify a large number of computer service
service ticket was requested`, to identify more than 30 computer service
ticket requests from one source. When a domain joined endpoint connects to other remote
endpoint, it first will request a Kerberos Ticket with the computer name as the
endpoint, it will first request a Kerberos Service Ticket with the computer name as the
Service Name. A user requesting a large number of computer service tickets
for different endpoints could represent malicious behavior like lateral movement,
malware staging, reconnaissance, etc.\

Active Directory environments can be very different depending on the organization. Users should test this detection and customize
the arbitrary threshold when needed.
the arbitrary threshold as needed.

search: ' `wineventlog_security` EventCode=4769 ServiceName="*$" TargetUserName!="*$"
| bucket span=2m _time
| stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName
| where unique_targets > 4
| where unique_targets > 30
| `windows_large_number_of_computer_service_tickets_requested_filter`'
how_to_implement: UPDATE_HOW_TO_IMPLEMENT
known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events.
The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
known_false_positives: An single endpoint requesting a large number of kerberos service tickets is not common behavior.
Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
references:
- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
- https://attack.mitre.org/techniques/T1135/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
tags:
analytic_story:
- Active Directory Privilege Escalation
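Review bot: the new how_to_implement names the wrong audit subcategory: event 4769 is produced by `Audit Kerberos Service Ticket Operations` under `Account Logon`; `Audit Kerberos Authentication Service` covers the TGT events 4768 and 4771. Also verify the `TargetUserName!="*$"` exclusion against a real 4769 from your deployment: the account name in that event is rendered in UPN form (user@REALM), so a computer account appears as `HOST$@REALM` and a trailing-`$` pattern will not exclude it; `TargetUserName!="*$@*"` would. Typos in known_false_positives: "An single endpoint" should be "A single endpoint", "kerberos" should be "Kerberos", "missconfigured" should be "misconfigured". This is the one detection in the commit where the prose ("more than 30") and the `where unique_targets > 30` clause agree; the two 4624/5140-based detections should be brought in line with it.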
Expand Up @@ -7,8 +7,8 @@ type: TTP
datamodel: []
description: The following analytic leverages events 4625 and 4624 to identify an endpoint using the builtin local Administrator account to authenticate to a large numbers of endpoints. Specifically,
the logic will trigger when an endpoints attempts to authenticate to more than 30 target computers within a 5 minute timespan. This behavior could
represent an adversary who has obtained access to credentials and is trying to validate if these credentials work on other hosts to escalate their privileges.
As environments differ across organizations, security teams should customize the thresholds of this detection.
represent an adversary who has obtained access to local credentials and is trying to validate if these credentials work on other hosts to escalate their privileges.
As environments differ across organizations, security teams should customize the thresholds of this detection as needed.
search: ' `wineventlog_security` EventCode=4625 OR EventCode=4624 Logon_Type=3 TargetUserName=Administrator
| bucket span=5m _time
| stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName, EventCode
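Review bot: `Logon_Type=3` here versus `LogonType=3` in the rapid-authentication detection in this same commit: the Splunk Add-on for Windows names the field `Logon_Type` for classic-format events and `LogonType` for XML-rendered ones, so depending on which input format a deployment uses, one of the two searches silently matches nothing. The other field names on this line (`TargetUserName`, `IpAddress`, `Computer`) are the XML-style names, so `LogonType` is the consistent choice; check one sample 4624 before merging. Grammar in the retained description context: "a large numbers of endpoints" should be "a large number of endpoints", and "when an endpoints attempts" should be "when an endpoint attempts".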
Expand Up @@ -5,7 +5,11 @@ date: '2023-04-20'
author: Mauricio Velazco, Splunk
type: TTP
datamodel: []
description: UPDATE_DESCRIPTION
description: The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` and `Get-DomainObjectAcl`. This commandlets
are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within
the organizations network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex
and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged
by attackers to identify and exploit configuration weaknesses.
search: ' `powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* )
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText
| `security_content_ctime(firstTime)`
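Review bot: grammar in the new description: "This commandlets are used" should be "These cmdlets are used", "PowerView powershell commandlets" should be "PowerView PowerShell cmdlets", "organizations network" should be "organization's network", and "active directory" should be capitalized as it is elsewhere in the paragraph. On the logic, `ScriptBlockText=*get-objectacl*` and `*Get-DomainObjectAcl*` also match the function definitions inside the PowerView script itself when it is loaded in full, so a hit may be a multi-kilobyte 4104 chunk from the import rather than a one-line invocation; the known_false_positives and how_to_implement sections (outside this hunk) should tell analysts to expect that and to confirm Script Block Logging is enabled, since 4104 is not emitted otherwise.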
Expand Up @@ -5,11 +5,14 @@ date: '2023-03-23'
author: Mauricio Velazco, Splunk
type: TTP
datamodel: []
description: UPDATE_DESCRIPTION
description: The following analytic leverages Event ID 4624 to identify a source computer authenticating to a large number of remote endpoints within an Active Directory network.
Specifically, the logic will trigger when a source endpoint authenticates to 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is
moving laterally across the environment or enumerating network shares in the search for sensitive files.
As environments differ across organizations, security teams should customize the thresholds of this detection as needed.
search: ' EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS LOGON" TargetUserName!="*$"
| bucket span=5m _time
| stats dc(Computer) AS unique_targets values(Computer) as host_targets by _time, IpAddress, TargetUserName
| where unique_targets > 40
| where unique_targets > 30
| `windows_rapid_authentication_on_multiple_hosts_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
Windows Event Logs from domain controllers as well as member servers and workstations.
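Review bot: this is the only search in the commit whose base search omits the `wineventlog_security` macro: it starts with a bare `EventCode=4624 LogonType=3 ...`, which scans every index and will match any sourcetype that happens to carry an `EventCode` field. Add the macro for consistency and performance. It also repeats the threshold mismatch seen in the administrative-shares detection: the description says "30 or more target computers" but `| where unique_targets > 30` requires 31. The `TargetUserName!="*$"` exclusion is fine here, since 4624 records the sAMAccountName rather than a UPN, but `LogonType=3` is the XML field name while the local-administrator detection in this commit uses `Logon_Type`; align the two.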
Expand All @@ -18,6 +21,8 @@ how_to_implement: To successfully implement this search, you need to be ingestin
known_false_positives: Vulnerability scanners or system administration tools may also trigger this detection. Filter as needed.
references:
- https://attack.mitre.org/techniques/T1135/
- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
tags:
analytic_story:
- Active Directory Privilege Escalation