Skip to content

[New Rule] AD Group Modification by SYSTEM #3833

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jun 26, 2024
Merged

[New Rule] AD Group Modification by SYSTEM #3833

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
ed7e94e
[New Rule] AD Group Modification by SYSTEM
w0rk3r Jun 26, 2024
2304cd8
.
w0rk3r Jun 26, 2024
1ad0b8f
Update rules/windows/persistence_group_modification_by_system.toml
w0rk3r Jun 26, 2024
ac7345b
Tighten up indexes
w0rk3r Jun 26, 2024
5f23c99
Update persistence_group_modification_by_system.toml
w0rk3r Jun 26, 2024
ca7d4ac
Apply suggestions from code review
w0rk3r Jun 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions rules/windows/persistence_group_modification_by_system.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
[metadata]
creation_date = "2024/06/26"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/06/26"

[rule]
author = ["Elastic"]
description = """
Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate
that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting
vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
language = "eql"
license = "Elastic License v2"
name = "Active Directory Group Modification by SYSTEM"
risk_score = 47
rule_id = "6f024bde-7085-489b-8250-5957efdf1caf"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Use Case: Active Directory Monitoring",
"Data Source: Active Directory",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
iam where winlog.api == "wineventlog" and event.code == "4728" and
winlog.event_data.SubjectUserSid : "S-1-5-18" and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should exclude known AD managed service accounts (MSA) as well or do we want to include those?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I expect the MSAs to have a different SID, as this one should be limited to Local System


/* DOMAIN_USERS and local groups */
not group.id : "S-1-5-21-*-513"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

Loading