From ed7e94e06e33a30baca95fc0d6a1cb2f365e73d5 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 26 Jun 2024 15:22:11 -0300
Subject: [PATCH 1/6] [New Rule] AD Group Modification by SYSTEM

---
 ...sistence_group_modification_by_system.toml | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 rules/persistence_group_modification_by_system.toml

diff --git a/rules/persistence_group_modification_by_system.toml b/rules/persistence_group_modification_by_system.toml
new file mode 100644
index 00000000000..970f792cddc
--- /dev/null
+++ b/rules/persistence_group_modification_by_system.toml
@@ -0,0 +1,68 @@
+[metadata]
+creation_date = "2024/06/26"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2024/06/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate
+that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting
+vulnerabilities or abusing default group privileges (e.g., Server Operators), and is moving to a domain account.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "AD Group Modification by SYSTEM"
+risk_score = 47
+rule_id = "6f024bde-7085-489b-8250-5957efdf1caf"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Active Directory",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+iam where winlog.api == "wineventlog" and event.action == "added-member-to-group" and
+winlog.event_data.SubjectUserSid : "S-1-5-18" and
+
+/* DOMAIN_USERS and local groups */
+not group.id : ("S-1-5-21-*-513", "S-1-5-32-*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
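Review bot: The exclusion `not group.id : ("S-1-5-21-*-513", "S-1-5-32-*")` is the only place the rule records what SYSTEM-driven group changes are expected, and the comment `/* DOMAIN_USERS and local groups */` names the groups without saying why they are excluded, so a later tuner cannot tell whether it is a noise trade-off or a correctness requirement. A why-comment would carry that, e.g. `/* Domain Users (RID 513) and BUILTIN local groups (S-1-5-32): membership changes here are routinely performed as SYSTEM; excluded as expected noise - confirm against the environment before changing */`, hedged because the rationale is not stated in the hunk. For the same reason a `note` field with triage steps (which DC logged the event, which group was targeted and whether it is privileged, what service or scheduled task was running as SYSTEM at that time) would give analysts something to act on for a medium-severity alert; the hunk tags the rule with `Resources: Investigation Guide` but ships no `note` alongside it.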
From 2304cd84f029bf54a7eecc2b9190482b950c7ee5 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 26 Jun 2024 15:28:21 -0300
Subject: [PATCH 2/6] .

---
 rules/{ => windows}/persistence_group_modification_by_system.toml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/{ => windows}/persistence_group_modification_by_system.toml (100%)

diff --git a/rules/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml
similarity index 100%
rename from rules/persistence_group_modification_by_system.toml
rename to rules/windows/persistence_group_modification_by_system.toml

From 1ad0b8f1a70aa475150d09440baa8974f11e1371 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 26 Jun 2024 15:39:34 -0300
Subject: [PATCH 3/6] Update rules/windows/persistence_group_modification_by_system.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 rules/windows/persistence_group_modification_by_system.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml
index 970f792cddc..3110d5131ef 100644
--- a/rules/windows/persistence_group_modification_by_system.toml
+++ b/rules/windows/persistence_group_modification_by_system.toml
@@ -24,7 +24,6 @@ tags = [
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Persistence",
- "Resources: Investigation Guide",
 "Use Case: Active Directory Monitoring",
 "Data Source: Active Directory",
 ]

From ac7345b088ec8f388ec44f5df6bea8db7a8f8f39 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 26 Jun 2024 15:42:50 -0300
Subject: [PATCH 4/6] Tighten up indexes

---
 rules/windows/persistence_group_modification_by_system.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml
index 3110d5131ef..f7c90c300b6 100644
--- a/rules/windows/persistence_group_modification_by_system.toml
+++ b/rules/windows/persistence_group_modification_by_system.toml
@@ -12,7 +12,7 @@ that the attacker has achieved SYSTEM privileges in a domain controller, which a
 vulnerabilities or abusing default group privileges (e.g., Server Operators), and is moving to a domain account.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AD Group Modification by SYSTEM"

From 5f23c99d30ab88dc24de4154726972381d908599 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 26 Jun 2024 15:45:19 -0300
Subject: [PATCH 5/6] Update persistence_group_modification_by_system.toml

---
 rules/windows/persistence_group_modification_by_system.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml
index f7c90c300b6..838e7e5e141 100644
--- a/rules/windows/persistence_group_modification_by_system.toml
+++ b/rules/windows/persistence_group_modification_by_system.toml
@@ -31,11 +31,11 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-iam where winlog.api == "wineventlog" and event.action == "added-member-to-group" and
+iam where winlog.api == "wineventlog" and event.code == "4728" and
 winlog.event_data.SubjectUserSid : "S-1-5-18" and
 
 /* DOMAIN_USERS and local groups */
-not group.id : ("S-1-5-21-*-513", "S-1-5-32-*")
+not group.id : "S-1-5-21-*-513"
 '''
 
 

From ca7d4ac742552b9a6afe9c283e31e380baab6bc4 Mon Sep 17 00:00:00 2001
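Review bot: Narrowing the query to `event.code == "4728"` limits the rule to security-enabled global groups, so a SYSTEM-initiated addition to a security-enabled universal group (event 4756, which as far as I know is where Enterprise Admins and Schema Admins membership changes land) or to a security-enabled local group (4732) is no longer matched, whereas the replaced `event.action == "added-member-to-group"` spanned those codes in the System integration mapping. If global groups are the intended scope, the description should say so; otherwise `event.code in ("4728", "4756") and` keeps domain-group coverage while still leaving local groups out, which presumably is why the `S-1-5-32-*` exclusion was dropped in the same hunk. The comment `/* DOMAIN_USERS and local groups */` is now stale, because Domain Users (RID 513) is the only exclusion left; `/* DOMAIN_USERS: routinely modified as SYSTEM, excluded as expected noise */` would describe what the line below it actually does.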
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 26 Jun 2024 17:16:44 -0300
Subject: [PATCH 6/6] Apply suggestions from code review

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
---
 rules/windows/persistence_group_modification_by_system.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml
index 838e7e5e141..ee242c6f639 100644
--- a/rules/windows/persistence_group_modification_by_system.toml
+++ b/rules/windows/persistence_group_modification_by_system.toml
@@ -9,13 +9,13 @@ author = ["Elastic"]
 description = """
 Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate
 that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting
-vulnerabilities or abusing default group privileges (e.g., Server Operators), and is moving to a domain account.
+vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "eql"
 license = "Elastic License v2"
-name = "AD Group Modification by SYSTEM"
+name = "Active Directory Group Modification by SYSTEM"
 risk_score = 47
 rule_id = "6f024bde-7085-489b-8250-5957efdf1caf"
 severity = "medium"
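Review bot: The new title spells out "Active Directory" while the unchanged first description line still reads `an active directory group`; capitalising it there keeps the two consistent now that the name has been expanded. The rewritten third description line (`…and is attempting to pivot to a domain account.`) also runs to roughly 125 characters, past the ~120-column wrap the two lines above it follow, so moving `to a domain account.` onto a fourth line of the multi-line string keeps the block even without changing its wording.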