From 65e63e41937e5570647425fdfad69406cd57709f Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Tue, 2 Jul 2024 11:32:59 +1000 Subject: [PATCH 1/7] Updating detections --- ..._ad_global_administrator_role_assigned.yml | 19 ++++++---- .../azure_ad_privileged_role_assigned.yml | 12 +++--- ...rvice_principal_new_client_credentials.yml | 34 ++++++++++++----- .../detect_new_local_admin_account.yml | 17 ++++++--- ...on_flag_disabled_in_useraccountcontrol.yml | 13 ++++--- ...tion_request_initiated_by_user_account.yml | 1 + ...t_initiated_from_unsanctioned_location.yml | 1 + ...n_default_group_policy_object_modified.yml | 14 +++---- ...dows_admon_group_policy_object_created.yml | 15 ++++---- lookups/privileged_azure_ad_roles.csv | 38 ++++++++++--------- 10 files changed, 97 insertions(+), 67 deletions(-) diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml index b4acf713d2..a97e7be545 100644 --- a/detections/cloud/azure_ad_global_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_global_administrator_role_assigned.yml @@ -1,8 +1,8 @@ name: Azure AD Global Administrator Role Assigned id: 825fed20-309d-4fd1-8aaf-cd49c1bb093c -version: 5 -date: '2024-05-29' -author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk +version: 6 +date: '2024-07-02' +author: Gowthamaraj Rajendran, Mauricio Velazco, Dean Luxton, Splunk status: production type: TTP description: The following analytic detects the assignment of the Azure AD Global 
@@ -15,11 +15,14 @@ description: The following analytic detects the assignment of the Azure AD Globa posing a severe security risk. data_source: - Azure Active Directory Add member to role -search: '`azure_monitor_aad` operationName="Add member to role" properties.targetResources{}.modifiedProperties{}.newValue="\"Global - Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName - as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user) - as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `azure_ad_global_administrator_role_assigned_filter`' +search: '`azure_monitor_aad` operationName="Add member to role" properties.targetResources{}.modifiedProperties{}.newValue="\"Global Administrator\"" + | rename properties.* as *, initiatedBy.user.userPrincipalName as userPrincipalName, targetResources{}.displayName as displayName + | eval initiatedBy = coalesce(userPrincipalName,src_user) + | eval user = coalesce(user,mvfilter(displayName!="null")) + | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `azure_ad_global_administrator_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml index 841b4c60f5..9d7a02ef8f 100644 --- a/detections/cloud/azure_ad_privileged_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_role_assigned.yml 
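Review bot: Role assignments initiated by an application rather than a user are silently dropped by the unchanged `stats ... by initiatedBy` line, because `coalesce(userPrincipalName,src_user)` yields null when neither field is populated and `stats` discards rows whose group-by field is null. A Global Administrator grant performed through a service principal or automation holding RoleManagement.ReadWrite.Directory is exactly the event a defender wants here. I would extend the eval to `| eval initiatedBy = coalesce(userPrincipalName, src_user, 'initiatedBy.app.displayName', "unknown")`, checking the app field's flattened name against what the MSCS add-on actually emits. The `displayName!="null"` comparison relies on the add-on rendering JSON null as the literal string `null`; a short SPL comment saying so would save the next maintainer from "fixing" it.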
@@ -1,8 +1,8 @@ name: Azure AD Privileged Role Assigned id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a -version: 3 -date: '2024-05-29' -author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk +version: 4 +date: '2024-07-02' +author: Mauricio Velazco, Gowthamaraj Rajendran, Dean Luxton, Splunk status: production type: TTP description: The following analytic detects the assignment of privileged Azure Active @@ -14,8 +14,10 @@ description: The following analytic detects the assignment of privileged Azure A over the Azure AD infrastructure. data_source: - Azure Active Directory Add member to role -search: ' `azure_monitor_aad` "operationName"="Add member to role" | rename properties.* as * - | rename initiatedBy.user.userPrincipalName as initiatedBy +search: ' `azure_monitor_aad` "operationName"="Add member to role" + | rename properties.* as *, initiatedBy.user.userPrincipalName as userPrincipalName, targetResources{}.displayName as displayName + | eval initiatedBy = coalesce(userPrincipalName,src_user) + | eval user = coalesce(user,mvfilter(displayName!="null")) | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role diff --git a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml index 99e48bd36c..6ba133cdc3 100644 --- a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml +++ b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml 
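Review bot: The same coalesce pattern feeds the context line `stats ... by initiatedBy, result, operationName, role`, so an assignment with no `initiatedBy.user.userPrincipalName` and no `src_user` (an app-initiated grant) ends up with a null `initiatedBy` and is dropped rather than alerted on. Because this search and its lookup are the only coverage for roles such as Privileged Role Administrator and Application Administrator, losing app-initiated grants is a real gap. Suggest `| eval initiatedBy = coalesce(userPrincipalName, src_user, 'initiatedBy.app.displayName', "unknown")`, verifying the app field name in the add-on's output. Note that `eval role=mvindex(roles,1)` (unchanged) assumes the role name is always the second modified-property value; that positional assumption now determines what the privileged-role lookup matches and deserves a comment.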
@@ -1,8 +1,8 @@ name: Azure AD Service Principal New Client Credentials id: e3adc0d3-9e4b-4b5d-b662-12cec1adff2a -version: 3 -date: '2024-05-11' -author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk +version: 4 +date: '2024-07-02' +author: Mauricio Velazco, Gowthamaraj Rajendran, Dean Luxton, Splunk status: production type: TTP description: The following analytic detects the addition of new credentials to Service 
@@ -15,11 +15,21 @@ description: The following analytic detects the addition of new credentials to S access and control over the Azure environment. data_source: - Azure Active Directory -search: ' `azure_monitor_aad` category=AuditLogs operationName="Update application*Certificates - and secrets management " | rename properties.* as * | rename targetResources{}.* - as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) - as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `azure_ad_service_principal_new_client_credentials_filter`' +search: ' `azure_monitor_aad` category=AuditLogs operationName="Update application*Certificates and secrets management*" + | rename properties.* as * + | rename targetResources{}.* as * + | rename modifiedProperties{}.* as * + | eval src_user=coalesce(user,identity), newValue=mvfilter(newValue!="\"KeyDescription\"") + | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName values(src_ip) as src_ip values(eval(mvfilter(oldValue!="null"))) as oldValue by src_user, object, newValue + | spath input=oldValue output=oldValues path={} + | spath input=newValue output=newValues path={} + | mvexpand newValues + | where NOT newValues IN (oldValues) + | fields - newValue, oldValue, oldValues + | rename newValues as newValue + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `azure_ad_service_principal_new_client_credentials_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. 
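Review bot: The first credential ever added to an application — the classic backdooring of a dormant app registration — needs a test case: when the KeyDescription `oldValue` is an empty array or absent, `oldValues` is null and `where NOT newValues IN (oldValues)` may evaluate to null and drop the row instead of keeping it. A guard such as `| where isnull(oldValues) OR NOT newValues IN (oldValues)` keeps that row, and the True Positive Test should include one such event. Separately, after `rename targetResources{}.* as *` the application's `displayName` shares its name with `modifiedProperties{}.displayName` (`KeyDescription`, `Included Updated Properties`), so the following `rename modifiedProperties{}.* as *` may overwrite the app name that `values(displayName) as displayName` is meant to capture; renaming it first, `| rename targetResources{}.displayName as app_display_name`, avoids the collision. Both points are inferred from the field paths in the hunk — confirm against a sample event.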
@@ -42,12 +52,16 @@ tags: asset_type: Azure Active Directory confidence: 50 impact: 70 - message: New credentials added for Service Principal by $user$ + message: New Service Principal credentials were added to $object$ by $src_user$ mitre_attack_id: - T1098 - T1098.001 observable: - - name: user + - name: src_user + type: User + role: + - Victim + - name: object type: User role: - Victim diff --git a/detections/endpoint/detect_new_local_admin_account.yml b/detections/endpoint/detect_new_local_admin_account.yml index f85f0831f8..05c73d92fc 100644 --- a/detections/endpoint/detect_new_local_admin_account.yml +++ b/detections/endpoint/detect_new_local_admin_account.yml @@ -1,7 +1,7 @@ name: Detect New Local Admin account id: b25f6f62-0712-43c1-b203-083231ffd97d -version: 4 -date: '2024-05-15' +version: 5 +date: '2024-07-02' author: David Dorsey, Splunk status: production type: TTP @@ -10,10 +10,11 @@ description: |- data_source: - Windows Event Log Security 4732 - Windows Event Log Security 4720 -search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) - | transaction src_user connected=false maxspan=180m | rename src_user as user | - stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`' +search: '`wineventlog_security` (EventCode=4720) OR (EventCode=4732 Group_Name=Administrators) +| stats dc(EventCode) as evCount min(_time) as _time range(_time) as duration values(src_user) as src_user values(src_user_category) as src_user_category values(dest_category) as dest_category by user dest +| where evCount=2 +| fields - evCount, duration +| `detect_new_local_admin_account_filter`' how_to_implement: You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732 known_false_positives: The activity may be legitimate. For this reason, it's best 
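Review bot: The new `object` observable carries the application/service-principal identifier, yet it is declared `type: User`, so Enterprise Security will presumably create a user-typed risk object keyed by an app object id and blend application risk into the user risk view. Declaring it as `type: Other` (or whatever non-user type the content framework accepts for this field) keeps app and human identities separate. I read the Victim role on `src_user` as the repository's risk-attribution convention rather than a semantic claim, so I would not change it.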
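Review bot: Correlating 4720 and 4732 on `user` assumes both events carry the same account name in that field, but 4732 frequently reports the Member with Account Name `-` and only a SID, in which case the add-on's `user` for 4732 will not equal the 4720 account name and `evCount` never reaches 2. Matching on the SID (4720 New Account Security ID, 4732 Member Security ID, whatever the add-on names those fields) is more reliable. Dropping `transaction ... maxspan=180m` also removes any time bound, so a 4720 and a 4732 weeks apart inside the search window now correlate; `range(_time) as duration` is computed and then discarded, so use it: `| where evCount=2 AND duration<=10800`.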
@@ -39,6 +40,10 @@ tags: type: User role: - Victim + - name: src_user + type: User + role: + - Victim - name: dest type: Hostname role: diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml index 43385ce72c..7b99ce810a 100644 --- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml +++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml @@ -1,8 +1,8 @@ name: Kerberos Pre-Authentication Flag Disabled in UserAccountControl id: 0cb847ee-9423-11ec-b2df-acde48001122 -version: 2 -date: '2024-05-24' -author: Mauricio Velazco, Splunk +version: 3 +date: '2024-07-02' +author: Mauricio Velazco, Dean Luxton, Splunk status: production type: TTP description: The following analytic detects when the Kerberos Pre-Authentication flag 
@@ -15,9 +15,10 @@ description: The following analytic detects when the Kerberos Pre-Authentication of sensitive information. data_source: - Windows Event Log Security 4738 -search: ' `wineventlog_security` EventCode=4738 MSADChangedAttributes="*Don''t Require - Preauth'' - Enabled*" |rename Account_Name as user | table EventCode, user, dest, - Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`' +search: '`wineventlog_security` EventCode=4738 (UserAccountControl="%%2096" OR MSADChangedAttributes="*Don''t Require Preauth'' - Enabled*") + | eval MSADChangedAttributes="''Don''t Require Preauth'' - Enabled" + | table _time, source, EventCode, src_user, src_user_category, user, user_category, MSADChangedAttributes + | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `User Account Management` within `Account Management` needs to be enabled. diff --git a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml index 09293b4370..3b998d3d3b 100644 --- a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml +++ b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml @@ -41,6 +41,7 @@ references: - https://adsecurity.org/?p=1729 - https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer - https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml +- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory tags: analytic_story: - Sneaky Active Directory Persistence Tricks 
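Review bot: The added `eval MSADChangedAttributes=...` replaces the event's real changed-attribute list with a constant, so the analyst no longer sees other flags toggled in the same 4738 (Password Not Required, Don't Expire Password) that often accompany AS-REP-roasting setup. Keep the original value and add a tag field instead, `| eval preauth_disabled="''Don''t Require Preauth'' - Enabled"`, then table both. Also, `UserAccountControl="%%2096"` is an exact match; if the add-on leaves several `%%` codes in one string when multiple flags change at once, those events are missed — `UserAccountControl="*%%2096*"` covers both shapes, to be confirmed against a sample multi-flag event.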
diff --git a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml index 1b02916fdf..85d9731fbc 100644 --- a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml +++ b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml @@ -45,6 +45,7 @@ references: - https://adsecurity.org/?p=1729 - https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer - https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml +- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory tags: analytic_story: - Sneaky Active Directory Persistence Tricks diff --git a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml index c9c7b2a75d..8fb982e3cc 100644 --- a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml +++ b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml @@ -1,8 +1,8 @@ name: Windows Admon Default Group Policy Object Modified id: 83458004-db60-4170-857d-8572f16f070b -version: 2 -date: '2024-05-28' -author: Mauricio Velazco, Splunk +version: 3 +date: '2024-07-02' +author: Mauricio Velazco, Dean Luxton, Splunk status: production type: TTP data_source: 
@@ -15,10 +15,10 @@ description: The following analytic detects modifications to the default Group P persistence, or deploy malware across multiple hosts. If confirmed malicious, such modifications could lead to widespread policy enforcement changes, unauthorized access, and potential compromise of the entire domain environment. -search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" - (displayName="Default Domain Policy" OR displayName="Default Domain Controllers - Policy") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath) - by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy") + | appendpipe [ + | map search="search `wineventlog_security` EventCode=5136 AttributeSyntaxOID=2.5.5.12 AttributeValue=$displayName$" | rename AttributeValue as displayName] + | stats min(_time) as _time values(displayName) as gp_name, values(gPCFileSysPath) as gPCFileSysPath, values(src_user) as src_user, values(dest) as dest, values(dest_category) as dest_category, values(src_user_category) as src_user_category by displayName | `windows_admon_default_group_policy_object_modified_filter`' how_to_implement: To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here diff --git a/detections/endpoint/windows_admon_group_policy_object_created.yml b/detections/endpoint/windows_admon_group_policy_object_created.yml index a200ad7329..ed7daf9221 100644 --- a/detections/endpoint/windows_admon_group_policy_object_created.yml +++ b/detections/endpoint/windows_admon_group_policy_object_created.yml 
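Review bot: `AttributeValue=$displayName$` inside the `map` search substitutes the raw display name, and both names this detection keys on contain spaces, so the generated search becomes `AttributeValue=Default Domain Policy`, which SPL reads as `AttributeValue=Default` plus two free-text terms and very likely matches no 5136 event; as far as I know `map` does not quote substituted values, so quote it: `AttributeValue=\"$displayName$\"`. `map` also runs with its default `maxsearches=10`, so beyond ten admon updates in the window the remaining results get no 5136 enrichment and only a search warning — set `maxsearches` explicitly or do the join with a `stats` over the union of both event sets. Since `src_user` and `dest` come only from the 5136 side, a failed join leaves the alert without the actor, which is the main value this change adds.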
@@ -1,8 +1,8 @@ name: Windows Admon Group Policy Object Created id: 69201633-30d9-48ef-b1b6-e680805f0582 -version: 2 -date: '2024-05-20' -author: Mauricio Velazco, Splunk +version: 3 +date: '2024-07-02' +author: Mauricio Velazco, Dean Luxton, Splunk status: production type: TTP data_source: @@ -14,10 +14,11 @@ description: The following analytic detects the creation of a new Group Policy O across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, significantly compromising the network's security. -search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" - versionNumber=0 displayName!="New Group Policy Object" | stats min(_time) as firstTime - max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`' +search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object" + | appendpipe [ + | map search="search `wineventlog_security` EventCode=5136 AttributeSyntaxOID=2.5.5.12 AttributeValue=$displayName$" | rename AttributeValue as displayName] + | stats min(_time) as _time values(displayName) as gp_name, values(gPCFileSysPath) as gPCFileSysPath, values(src_user) as src_user, values(dest) as dest, values(dest_category) as dest_category, values(src_user_category) as src_user_category by displayName + | `windows_admon_group_policy_object_created_filter`' how_to_implement: To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory 
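Review bot: Here the value spliced into the `map` search is an attacker-chosen GPO name, so unquoted `AttributeValue=$displayName$` both fails on ordinary names with spaces and lets a name containing quotes or pipes alter the generated SPL, which runs as the scheduled search's owner. Quote it at minimum, `AttributeValue=\"$displayName$\"`, and consider avoiding `map` for untrusted input altogether: appending the `EventCode=5136 AttributeSyntaxOID=2.5.5.12` events with `AttributeValue` renamed to `displayName` and letting the existing `stats ... by displayName` perform the join (then filtering rows with no `gPCFileSysPath`) achieves the same enrichment without re-executing text taken from the event. The `map` default of `maxsearches=10` applies here as well.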
diff --git a/lookups/privileged_azure_ad_roles.csv b/lookups/privileged_azure_ad_roles.csv index d4260b6ba3..b3c897e0e7 100644 --- a/lookups/privileged_azure_ad_roles.csv +++ b/lookups/privileged_azure_ad_roles.csv 
@@ -1,26 +1,28 @@
 "azureadrole","isprvilegedadrole","description"
+"""Application Administrator""","True","Can create and manage all aspects of app registrations and enterprise apps."
+"""Application Developer""","True","Can create application registrations independent of the 'Users can register applications' setting."
 """Authentication Administrator""","True","Can access to view, set and reset authentication method information for any non-admin user."
-"""Authentication Policy Administrator""","True","Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials."
-"""Azure AD Joined Device Local Administrator""","True","Users assigned to this role are added to the local administrators group on Azure AD-joined devices."
-"""Azure DevOps Administrator""","True","Can manage Azure DevOps policies and settings."
-"""Azure Information Protection Administrator""","True","Can manage all aspects of the Azure Information Protection product."
+"""Authentication Extensibility Administrator""","True","Customize sign in and sign up experiences for users by creating and managing custom authentication extensions."
+"""B2C IEF Keyset Administrator""","True","Can manage secrets for federation and encryption in the Identity Experience Framework (IEF)."
 """Cloud Application Administrator""","True","Can create and manage all aspects of app registrations and enterprise apps except App Proxy."
-"""Cloud Device Administrator""","True","Limited access to manage devices in Azure AD."
-"""Compliance Administrator""","True","Can read and manage compliance configuration and reports in Azure AD and Microsoft 365."
+"""Cloud Device Administrator""","True","Limited access to manage devices in Microsoft Entra ID."
 """Conditional Access Administrator""","True","Can manage Conditional Access capabilities."
-"""Exchange Administrator""","True","Can manage all aspects of the Exchange product."
+"""Directory Synchronization Accounts""","True","Only used by Microsoft Entra Connect and Microsoft Entra Cloud Sync services."
+"""Directory Writers""","True","Can read and write basic directory information. For granting access to applications, not intended for users."
+"""Domain Name Administrator""","True","Can manage domain names in cloud and on-premises."
 """External Identity Provider Administrator""","True","Can configure identity providers for use in direct federation."
-"""Groups Administrator""","True","Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports."
+"""Global Administrator""","True","Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities."
+"""Global Reader""","True","Can read everything that a Global Administrator can, but not update anything."
 """Helpdesk Administrator""","True","Can reset passwords for non-administrators and Helpdesk Administrators."
-"""Hybrid Identity Administrator""","True","Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings."
+"""Hybrid Identity Administrator""","True","Manage Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (seamless SSO), and federation settings. Does not have access to manage Microsoft Entra Connect Health."
 """Intune Administrator""","True","Can manage all aspects of the Intune product."
-"""License Administrator""","True","Can manage product licenses on users and groups."
-"""Network Administrator""","True","Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications."
+"""Lifecycle Workflows Administrator""","True","Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID."
+"""Partner Tier1 Support""","True","Do not use - not intended for general use."
+"""Partner Tier2 Support""","True","Do not use - not intended for general use."
 """Password Administrator""","True","Can reset passwords for non-administrators and Password Administrators."
-"""Privileged Role Administrator""","True","Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management."
-"""Security Administrator""","True","Can read security information and reports, and manage configuration in Azure AD and Office 365."
-"""SharePoint Administrator""","True","Can manage all aspects of the SharePoint service."
-"""Teams Administrator""","True","Can manage the Microsoft Teams service."
-"""User Administrator""","True","Can manage all aspects of users and groups, including resetting passwords for limited admins."
-"""Windows 365 Administrator""","True","Can provision and manage all aspects of Cloud PCs."
-
+"""Privileged Authentication Administrator""","True","Can access to view, set and reset authentication method information for any user (admin or non-admin)."
+"""Privileged Role Administrator""","True","Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management."
+"""Security Administrator""","True","Can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365."
+"""Security Operator""","True","Creates and manages security events."
+"""Security Reader""","True","Can read security information and reports in Microsoft Entra ID and Office 365."
+"""User Administrator""","True","Can manage all aspects of users and groups, including resetting passwords for limited admins."
\ No newline at end of file
From c028bd6e5825c08f1f1a741dc2bab1d908771399 Mon Sep 17 00:00:00 2001
From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Tue, 2 Jul 2024 12:09:39 +1000 Subject: [PATCH 2/7] Updating detections --- .../network/internal_horizontal_port_scan.yml | 57 ------------------- 1 file changed, 57 deletions(-) delete mode 100644 detections/network/internal_horizontal_port_scan.yml diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml deleted file mode 100644 index 505571fcfd..0000000000 --- a/detections/network/internal_horizontal_port_scan.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -name: Internal Horizontal Port Scan -id: 1ff9eb9a-7d72-4993-a55e-59a839e607f1 -version: 1 -date: '2023-10-20' -author: Dean Luxton -status: production -type: TTP -data_source: [] -description: This analytic detects where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port / protocol. -search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action - values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as - dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic - where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip All_Traffic.dest_port - All_Traffic.dest_ip span=1s _time All_Traffic.transport | `drop_dm_object_name("All_Traffic")` - | eval gtime=_time | bin span=1h gtime | stats min(_time) as _time values(action) - as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) - as dest_zone values(src_zone) as src_zone by src_ip dest_port gtime transport | - where totalDestIPCount>=250 | eval dest_port=transport + "/" + dest_port | stats - min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount - values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) - as dest_zone values(src_zone) as src_zone by src_ip gtime | fields - gtime | `internal_horizontal_port_scan_filter`' -how_to_implement: Ensure your network traffic data is populating the Network_Traffic data model. 
-known_false_positives: Unknown -references: [] -tags: - analytic_story: - - Network Discovery - asset_type: Endpoint - confidence: 80 - impact: 80 - message: $src_ip$ has scanned for port $dest_port$ across $totalDestIPCount$ destination IPs - mitre_attack_id: - - T1046 - observable: - - name: src_ip - type: Hostname - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - All_Traffic.action - - All_Traffic.src_ip - - All_Traffic.dest_ip - - All_Traffic.dest_port - security_domain: network -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log - source: aws:cloudwatchlogs:vpcflow - sourcetype: aws:cloudwatchlogs:vpcflow - update_timestamp: true \ No newline at end of file From 820151cdb273c9c49e351f42486d4ecc2372bf37 Mon Sep 17 00:00:00 2001 
From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Tue, 2 Jul 2024 12:11:48 +1000 Subject: [PATCH 3/7] Updating detections --- ...ct_distributed_password_spray_attempts.yml | 69 ------------------- .../detect_password_spray_attempts.yml | 67 ------------------ .../windows_ad_add_self_to_group.yml | 51 -------------- ..._group_or_object_modification_activity.yml | 52 -------------- ...increase_in_user_modification_activity.yml | 53 -------------- ...ndows_network_share_discovery_with_net.yml | 59 ---------------- .../windows_vulnerable_driver_installed.yml | 0 .../network/internal_vertical_port_scan.yml | 0 .../network/internal_vulnerability_scan.yml | 56 --------------- 9 files changed, 407 deletions(-) delete mode 100644 detections/application/detect_distributed_password_spray_attempts.yml delete mode 100644 detections/application/detect_password_spray_attempts.yml delete mode 100644 detections/application/windows_ad_add_self_to_group.yml delete mode 100644 detections/application/windows_increase_in_group_or_object_modification_activity.yml delete mode 100644 detections/application/windows_increase_in_user_modification_activity.yml delete mode 100644 detections/endpoint/windows_network_share_discovery_with_net.yml delete mode 100644 detections/endpoint/windows_vulnerable_driver_installed.yml delete mode 100644 detections/network/internal_vertical_port_scan.yml delete mode 100644 detections/network/internal_vulnerability_scan.yml diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml deleted file mode 100644 index be4c070da1..0000000000 --- a/detections/application/detect_distributed_password_spray_attempts.yml +++ /dev/null 
@@ -1,69 +0,0 @@ -name: Detect Distributed Password Spray Attempts -id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57 -version: 1 -date: '2023-11-01' -author: Dean Luxton -status: production -type: Hunting -data_source: -- Authentication Datamodel -description: This analytic uses the 3-sigma approach to detect a distributed password spray attack. Utilising the authentication datamodel this detection is affective for all CIM mapped authication events. -search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m - | `drop_dm_object_name("Authentication")` - ```fill out time buckets for 0-count events during entire search length``` - | appendpipe [| timechart limit=0 span=5m count | table _time] - | fillnull value=0 unique_accounts, unique_src - ``` remove duplicate & empty time buckets``` - | sort - total_failures - | dedup _time - ``` Create aggregation field & apply to all null events``` - | eval counter=sourcetype+"__"+signature_id - | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) - ``` 3-sigma detection logic ``` - | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter - | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3) - | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0) - | replace "::ffff:*" with * in src - | where isOutlier=1 - | foreach * - [ eval <> = if(<>="null",null(),<>)] - | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id - | sort - total_failures | 
`detect_distributed_password_spray_attempts_filter`' -how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. -known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings. -references: -- https://attack.mitre.org/techniques/T1110/003/ -tags: - analytic_story: - - Compromised User Account - - Active Directory Password Spraying - asset_type: Endpoint - atomic_guid: - - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 - confidence: 70 - impact: 70 - message: Distributed Password Spray Attempt Detected - mitre_attack_id: - - T1110.003 - - T1110 - observable: - - name: src - type: Endpoint - role: - - Attacker - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - risk_score: 49 - required_fields: - - Authentication.action - - Authentication.user - - Authentication.src - security_domain: access -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techni[…]ure_ad_distributed_spray/azure_ad_distributed_spray.log - source: azure:monitor:aad - sourcetype: azure:monitor:aad \ No newline at end of file diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml deleted file mode 100644 index 9c0ea37da0..0000000000 --- a/detections/application/detect_password_spray_attempts.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -name: Detect Password Spray Attempts -id: 086ab581-8877-42b3-9aee-4a7ecb0923af -version: 1 -date: '2023-11-01' -author: Dean Luxton -status: production -type: TTP -data_source: -- Authentication Datamodel -description: This analytic uses the 3-sigma approach to detect an unusual volume of failed authentication from a single source. Utilising the authentication datamodel this detection is affective for all CIM mapped authication events. -search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=2m - | `drop_dm_object_name("Authentication")` - ```fill out time buckets for 0-count events during entire search length``` - | appendpipe [| timechart limit=0 span=5m count | table _time] - | fillnull value=0 unique_accounts, unique_src - ``` remove duplicate & empty time buckets``` - | sort - total_failures - | dedup _time - ``` Create aggregation field & apply to all null events``` - | eval counter=src+"__"+sourcetype+"__"+signature_id - | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) - | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter - | eval upperBound=(comp_avg+comp_std*3) - | eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0) - | replace "::ffff:*" with * in src - | where isOutlier=1 - | foreach * [ eval <> = if(<>="null",null(),<>)] - | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id - | `detect_password_spray_attempts_filter`' -how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. 
Also ensure fill_nullvalue is set within the macro security_content_summariesonly. -known_false_positives: Unknown -references: -- https://attack.mitre.org/techniques/T1110/003/ -tags: - analytic_story: - - Compromised User Account - - Active Directory Password Spraying - asset_type: Endpoint - atomic_guid: - - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 - confidence: 70 - impact: 70 - message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts. - mitre_attack_id: - - T1110.003 - - T1110 - observable: - - name: src - type: Endpoint - role: - - Attacker - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - risk_score: 49 - required_fields: - - Authentication.action - - Authentication.user - - Authentication.src - security_domain: access -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log - source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml deleted file mode 100644 index b0caa2160d..0000000000 --- a/detections/application/windows_ad_add_self_to_group.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -name: Windows AD add Self to Group -id: 065f2701-b7ea-42f5-9ec4-fbc2261165f9 -version: 1 -date: '2023-12-18' -author: Dean Luxton -status: production -type: TTP -data_source: -- Windows Event Log Security 4728 -description: Detect when a user adds themselfs to an AD Group. -search: '`wineventlog_security` EventCode IN (4728) - | where user=src_user - | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name, src_user - | `windows_ad_add_self_to_group_filter`' -how_to_implement: This analytic requires eventCode 4728 to be ingested. -known_false_positives: Unknown -references: [] -tags: - analytic_story: - - Active Directory Privilege Escalation - - Sneaky Active Directory Persistence Tricks - asset_type: Endpoint - confidence: 100 - impact: 50 - message: $user$ added themselves to AD Group $Group_Name$ - mitre_attack_id: - - T1098 - observable: - - name: user - type: User - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - risk_score: 50 - required_fields: - - EventCode - - user - - src_user - - signature - - Group_Name - security_domain: audit -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log - source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog - update_timestamp: true \ No newline at end of file diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml deleted file mode 100644 index 1fdbd7f382..0000000000 --- a/detections/application/windows_increase_in_group_or_object_modification_activity.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -name: Windows Increase in Group or Object Modification Activity -id: 4f9564dd-a204-4f22-b375-4dfca3a68731 -version: 1 -date: '2023-10-13' -author: Dean Luxton -status: production -type: TTP -data_source: -- XmlWinEventLog:Security -description: Increase in group or AD object modifications. -search: >- - `wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764) - | bucket span=5m _time - | stats values(object) as object, dc(object) as objectCount, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status - | eventstats avg(objectCount) as comp_avg, stdev(objectCount) as comp_std by src_user, signature - | eval upperBound=(comp_avg+comp_std) - | eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0) - | search isOutlier=1 - | `windows_increase_in_group_or_object_modification_activity_filter` -how_to_implement: Run over past 7 days for best results. -known_false_positives: Unknown -references: [] -tags: - analytic_story: - - Sneaky Active Directory Persistence Tricks - asset_type: Endpoint - confidence: 40 - impact: 20 - message: Spike in Group or Object Modifications performed by $src_user$ - mitre_attack_id: - - T1098 - observable: - - name: src_user - type: User - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - risk_score: 8 - required_fields: - - EventCode - - src_user - - signature - security_domain: audit -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log - source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file 
diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml deleted file mode 100644 index cb8e263e59..0000000000 --- a/detections/application/windows_increase_in_user_modification_activity.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -name: Windows Increase in User Modification Activity -id: 0995fca1-f346-432f-b0bf-a66d14e6b428 -version: 1 -date: '2023-10-13' -author: Dean Luxton -status: production -type: TTP -data_source: -- XmlWinEventLog:Security -description: Increase in user account modifications. -search: >- - `wineventlog_security` EventCode IN (4720,4722,4723,4724,4725,4726,4728,4732,4733,4738,4743,4780) - | bucket span=5m _time - | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status - | eventstats avg(userCount) as comp_avg , stdev(userCount) as comp_std by src_user, signature - | eval upperBound=(comp_avg+comp_std*3) - | eval isOutlier=if(userCount > 10 and userCount >= upperBound, 1, 0) - | search isOutlier=1 - | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category values(signature) as signature by _time, src_user, status - | `windows_increase_in_user_modification_activity_filter` -how_to_implement: Run over past 7 days for best results. 
-known_false_positives: Genuine activity -references: [] -tags: - analytic_story: - - Sneaky Active Directory Persistence Tricks - asset_type: Endpoint - confidence: 40 - impact: 20 - message: Spike in User Modification actions performed by $src_user$ - mitre_attack_id: - - T1098 - observable: - - name: src_user - type: User - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - risk_score: 8 - required_fields: - - EventCode - - src_user - - signature - security_domain: audit -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log - source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_network_share_discovery_with_net.yml b/detections/endpoint/windows_network_share_discovery_with_net.yml deleted file mode 100644 index 950f1a390d..0000000000 --- a/detections/endpoint/windows_network_share_discovery_with_net.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -name: Windows Network Share Discovery With Net -id: 4dc3951f-b3f8-4f46-b412-76a483f72277 -version: 1 -date: '2023-04-21' -author: Dean Luxton -status: production -type: TTP -data_source: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log -description: Network share discovery performed on Windows using the Net Command. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.user_category) as user_category values(Processes.user_bunit) as user_bunit FROM datamodel=Endpoint.Processes WHERE ((Processes.process_name="net.exe" OR Processes.orig_process_name="net.exe") AND (Processes.process="*net*view*" OR Processes.process="*net*share*")) BY Processes.user Processes.dest Processes.process_exec Processes.parent_process_exec - Processes.process Processes.parent_process - | `drop_dm_object_name(Processes)` - | regex process="net\s+view|net\s+share" - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_network_share_discovery_with_net_filter`' -how_to_implement: Ensure you are populating the endpoint datamodel. 
-known_false_positives: Unknown -references: -- https://attack.mitre.org/techniques/T1135/ -tags: - analytic_story: - - Active Directory Discovery - - Active Directory Privilege Escalation - - Network Discovery - asset_type: Endpoint - atomic_guid: - - ab39a04f-0c93-4540-9ff2-83f862c385ae - confidence: 100 - impact: 20 - message: Network share enumeration performed on $dest$ by $user$, executed by parent process $parent_process$ - mitre_attack_id: - - T1135 - required_fields: - - Processes.process_name - - Processes.user - - Processes.dest - - Processes.process_exec - - Processes.parent_process_exec - - Processes.process - - Processes.parent_process - observable: - - name: dest - type: Hostname - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - risk_score: 20 - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml deleted file mode 100644 index 2f2dab7164..0000000000 --- a/detections/network/internal_vulnerability_scan.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -name: Internal Vulnerability Scan -id: 46f946ed-1c78-4e96-9906-c7a4be15e39b -version: 1 -date: '2023-10-27' -author: Dean Luxton -status: experimental -type: TTP -data_source: [] -description: This analytic detects internal hosts triggering multiple IDS signatures (either more than 25 signatures against a single host, or a single signature across over 25 destinations), which can be indicative of active vulnerability scanning performed within the network. -search: '| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action - values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) - as dest_category count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.src - IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical, - high, medium) by IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature IDS_Attacks.dest - IDS_Attacks.dest_port IDS_Attacks.transport span=1s _time | `drop_dm_object_name("IDS_Attacks")` - | eval gtime=_time | bin span=1h gtime | eventstats count as sevCount by severity - src | eventstats count as sigCount by signature src | eval severity=severity +"("+sevCount+")" - | eval signature=signature +"("+sigCount+")" | eval dest_port=transport + "/" + - dest_port | stats min(_time) as _time values(action) as action dc(dest) as destCount - dc(signature) as sigCount values(signature) values(src_category) as src_category - values(dest_category) as dest_category values(severity) as severity values(dest_port) - as dest_ports by src gtime | fields - gtime | where destCount>25 OR sigCount>25 - | `internal_vulnerability_scan_filter`' -how_to_implement: CIM mapped IDS/IPS logs are a required to drive this detection. -known_false_positives: Vulnerability Scanners and informational / low severity signatures. 
-references: [] -tags: - analytic_story: - - Network Discovery - asset_type: Endpoint - confidence: 80 - impact: 80 - message: Large volume of IDS signatures triggered by $src$ - mitre_attack_id: - - T1595.002 - - T1046 - observable: - - name: src - type: Hostname - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - risk_score: 64 - required_fields: - - _time - - IDS_Attacks.action - - IDS_Attacks.src - - IDS_Attacks.dest - - IDS_Attacks.dest_port - - IDS_Attacks.severity - - IDS_Attacks.signature - - IDS_Attacks.transport - security_domain: network \ No newline at end of file From 949d7e6b091687a6a7cf787a05d61fc08f8e207d Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Tue, 2 Jul 2024 12:17:01 +1000 Subject: [PATCH 4/7] Updating detections --- ..._consent_bypassed_by_service_principal.yml | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml index 33c9cab5e2..9080e4aaef 100644 --- a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml +++ b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml @@ -1,7 +1,7 @@ name: Azure AD Admin Consent Bypassed by Service Principal id: 9d4fea43-9182-4c5a-ada8-13701fd5615d -version: 2 -date: '2024-05-29' +version: 3 +date: '2024-07-02' author: Mauricio Velazco, Splunk data_source: - Azure Active Directory Add app role assignment to service principal 
@@ -17,17 +17,14 @@ description: The following analytic identifies instances where a service princip without proper oversight, potentially compromising the security of the Azure AD environment. search: >- - `azure_monitor_aad` operationName="Add app role assignment to service principal" - src_user_type=servicePrincipal - | rename properties.* as * | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', - 0) - | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1) - | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', - 2) - | eval dest_user = mvindex('targetResources{}.id', 0) - | rename initiatedBy.app.displayName as src_user - | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user - dest_user roleId roleValue roleDescription + `azure_monitor_aad` (operationName="Add app role assignment to service principal" OR operationName="Add member to role*") src_user_type=servicePrincipal + | rename properties.* as * + | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', 0) + | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1) + | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', 2) + | eval user_id = mvindex('targetResources{}.id', 0), user=coalesce(user,mvindex('targetResources{}.displayName', 0)) + | rename initiatedBy.app.displayName as src_user + | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user user user_id roleId roleValue roleDescription | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_admin_consent_bypassed_by_service_principal_filter` how_to_implement: You must install the latest version of Splunk Add-on for Microsoft 
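Review bot: The positional extractions `roleId = mvindex(..., 0)`, `roleValue = mvindex(..., 1)` and `roleDescription = mvindex(..., 2)` were written for the `Add app role assignment to service principal` event, but the search now also matches `operationName="Add member to role*"`, whose `modifiedProperties` list is likely laid out differently, so those three fields would be mislabeled on directory-role rows. Consider scoping the evals per operation, e.g. `| eval roleValue = if(operationName="Add app role assignment to service principal", mvindex('targetResources{}.modifiedProperties{}.newValue', 1), null())`, or splitting the directory-role case into its own analytic. The name, the description text at the top of this hunk and `known_false_positives` still describe only the admin-consent bypass; the broadened scope should be stated there, e.g. `description: ... It also surfaces service principals being added to Azure AD directory roles, which carries the same unattended-privilege-grant risk.` The trailing wildcard in `"Add member to role*"` also widens the match to every operation with that prefix; confirm that is intended rather than an exact match.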
@@ -47,10 +44,14 @@ tags: confidence: 60 impact: 90 message: Service principal $src_user$ bypassed the admin consent process and granted - permissions to $dest_user$ + permissions to $user$ mitre_attack_id: - T1098.003 observable: + - name: user + type: User + role: + - Victim - name: src_user type: User role: From 43e4625ef94ab3bc4da3335edbc010fbd9fe13b1 Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Tue, 2 Jul 2024 12:22:07 +1000 Subject: [PATCH 5/7] Updating detections --- .../windows_admon_default_group_policy_object_modified.yml | 6 +++++- .../endpoint/windows_admon_group_policy_object_created.yml | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml index 8fb982e3cc..9a638c279c 100644 --- a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml +++ b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml 
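Review bot: The new `user` observable is typed `User` with role `Victim`, yet for the `Add app role assignment to service principal` operation the identity taken from `targetResources{}.displayName` is, per the operation name itself, a service principal, so risk from this rule may be attached to a non-user identity in risk-based alerting. If the observable schema has no service-principal type, say so beside the entry, e.g. `# user may be the display name of a service principal for app role assignments`. The `$user$` token in `message` now depends on the `coalesce(user, ...)` eval from the search hunk above; a row where that resolves to null renders the message with a blank name, so a fallback such as `$user_id$` in the message is worth considering.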
@@ -18,7 +18,7 @@ description: The following analytic detects modifications to the default Group P search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy") | appendpipe [ | map search="search `wineventlog_security` EventCode=5136 AttributeSyntaxOID=2.5.5.12 AttributeValue=$displayName$" | rename AttributeValue as displayName] - | stats min(_time) as _time values(displayName) as gp_name, values(gPCFileSysPath) as gPCFileSysPath, values(src_user) as src_user, values(dest) as dest, values(dest_category) as dest_category, values(src_user_category) as src_user_category by displayName + | stats min(_time) as _time values(displayName) as gp_name, values(gPCFileSysPath) as gPCFileSysPath, values(src_user) as src_user, values(dcName) as dcName, values(dest_category) as dest_category, values(src_user_category) as src_user_category by displayName | `windows_admon_default_group_policy_object_modified_filter`' how_to_implement: To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here @@ -47,6 +47,10 @@ tags: type: Endpoint role: - Victim + - name: src_user + type: User + role: + - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/endpoint/windows_admon_group_policy_object_created.yml b/detections/endpoint/windows_admon_group_policy_object_created.yml index ed7daf9221..fe836a4838 100644 --- a/detections/endpoint/windows_admon_group_policy_object_created.yml +++ b/detections/endpoint/windows_admon_group_policy_object_created.yml 
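Review bot: In the `stats` line, `values(dest) as dest` is replaced by `values(dcName) as dcName` while `values(dest_category) as dest_category` is kept, leaving a category with no host field to describe; the same edit appears in the `windows_admon_group_policy_object_created.yml` hunk on the next diff line. The rows produced by `appendpipe [ | map search="search `wineventlog_security` EventCode=5136 ...` come from Windows Security events rather than Admon, so they presumably carry `dest` and not `dcName`, which means those rows lose their host attribution after this change — confirm the field exists there or keep `values(dest) as dest` alongside `dcName`. The added `src_user` observable is given role `Victim`, but `src_user` is the account that performed the GPO modification, so if the project convention marks the acting account, `Attacker` looks more appropriate. Note also that the following commit in this series ("removing changes to 2x detections") deletes both files outright (`deleted file mode 100644`) rather than reverting this hunk, which would drop two production detections if merged as-is.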
@@ -17,7 +17,7 @@ description: The following analytic detects the creation of a new Group Policy O search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object" | appendpipe [ | map search="search `wineventlog_security` EventCode=5136 AttributeSyntaxOID=2.5.5.12 AttributeValue=$displayName$" | rename AttributeValue as displayName] - | stats min(_time) as _time values(displayName) as gp_name, values(gPCFileSysPath) as gPCFileSysPath, values(src_user) as src_user, values(dest) as dest, values(dest_category) as dest_category, values(src_user_category) as src_user_category by displayName + | stats min(_time) as _time values(displayName) as gp_name, values(gPCFileSysPath) as gPCFileSysPath, values(src_user) as src_user, values(dcName) as dcName, values(dest_category) as dest_category, values(src_user_category) as src_user_category by displayName | `windows_admon_group_policy_object_created_filter`' how_to_implement: To successfully implement this search, you need to be monitoring Active Directory logs using Admon. Details can be found here @@ -46,6 +46,10 @@ tags: type: Endpoint role: - Victim + - name: src_user + type: User + role: + - Victim product: - Splunk Enterprise - Splunk Enterprise Security From ec037e5c7bcaea423afe3fd9e8bf95a6e09a9aee Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Wed, 24 Jul 2024 14:07:14 +1000 Subject: [PATCH 6/7] removing changes to 2x detections --- ...n_default_group_policy_object_modified.yml | 73 ------------------- ...dows_admon_group_policy_object_created.yml | 72 ------------------ 2 files changed, 145 deletions(-) delete mode 100644 detections/endpoint/windows_admon_default_group_policy_object_modified.yml delete mode 100644 detections/endpoint/windows_admon_group_policy_object_created.yml 
diff --git a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml deleted file mode 100644 index 9a638c279c..0000000000 --- a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml +++ /dev/null 
@@ -1,73 +0,0 @@ -name: Windows Admon Default Group Policy Object Modified -id: 83458004-db60-4170-857d-8572f16f070b -version: 3 -date: '2024-07-02' -author: Mauricio Velazco, Dean Luxton, Splunk -status: production -type: TTP -data_source: -- Windows Active Directory Admon -description: The following analytic detects modifications to the default Group Policy - Objects (GPOs) in an Active Directory environment. It leverages Splunk's Admon to - monitor updates to the "Default Domain Policy" and "Default Domain Controllers Policy." - This activity is significant because changes to these default GPOs can indicate - an adversary with privileged access attempting to gain further control, establish - persistence, or deploy malware across multiple hosts. If confirmed malicious, such - modifications could lead to widespread policy enforcement changes, unauthorized - access, and potential compromise of the entire domain environment. -search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy") - | appendpipe [ - | map search="search `wineventlog_security` EventCode=5136 AttributeSyntaxOID=2.5.5.12 AttributeValue=$displayName$" | rename AttributeValue as displayName] - | stats min(_time) as _time values(displayName) as gp_name, values(gPCFileSysPath) as gPCFileSysPath, values(src_user) as src_user, values(dcName) as dcName, values(dest_category) as dest_category, values(src_user_category) as src_user_category by displayName - | `windows_admon_default_group_policy_object_modified_filter`' -how_to_implement: To successfully implement this search, you need to be monitoring - Active Directory logs using Admon. 
Details can be found here - https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory -known_false_positives: The default Group Policy Objects within an AD network may be - legitimately updated for administrative operations, filter as needed. -references: -- https://attack.mitre.org/techniques/T1484/ -- https://attack.mitre.org/techniques/T1484/001 -- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ -- https://adsecurity.org/?p=2716 -- https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory -tags: - analytic_story: - - Active Directory Privilege Escalation - - Sneaky Active Directory Persistence Tricks - asset_type: Endpoint - confidence: 50 - impact: 100 - message: A default domain group policy was updated on $dcName$ - mitre_attack_id: - - T1484 - - T1484.001 - observable: - - name: dcName - type: Endpoint - role: - - Victim - - name: src_user - type: User - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - required_fields: - - _time - - admonEventType - - objectCategory - - displayName - - gPCFileSysPath - - dcName - risk_score: 50 - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log - source: ActiveDirectory - sourcetype: ActiveDirectory diff --git a/detections/endpoint/windows_admon_group_policy_object_created.yml b/detections/endpoint/windows_admon_group_policy_object_created.yml deleted file mode 100644 index fe836a4838..0000000000 --- a/detections/endpoint/windows_admon_group_policy_object_created.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -name: Windows Admon Group Policy Object Created -id: 69201633-30d9-48ef-b1b6-e680805f0582 -version: 3 -date: '2024-07-02' -author: Mauricio Velazco, Dean Luxton, Splunk -status: production -type: TTP -data_source: -- Windows Active Directory Admon -description: The following analytic detects the creation of a new Group Policy Object - (GPO) using Splunk's Admon data. It identifies events where a new GPO is created, - excluding default "New Group Policy Object" entries. Monitoring GPO creation is - crucial as adversaries can exploit GPOs to escalate privileges or deploy malware - across an Active Directory network. If confirmed malicious, this activity could - allow attackers to control system configurations, deploy ransomware, or propagate - malware, significantly compromising the network's security. -search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object" - | appendpipe [ - | map search="search `wineventlog_security` EventCode=5136 AttributeSyntaxOID=2.5.5.12 AttributeValue=$displayName$" | rename AttributeValue as displayName] - | stats min(_time) as _time values(displayName) as gp_name, values(gPCFileSysPath) as gPCFileSysPath, values(src_user) as src_user, values(dcName) as dcName, values(dest_category) as dest_category, values(src_user_category) as src_user_category by displayName - | `windows_admon_group_policy_object_created_filter`' -how_to_implement: To successfully implement this search, you need to be monitoring - Active Directory logs using Admon. Details can be found here - https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory -known_false_positives: Group Policy Objects are created as part of regular administrative - operations, filter as needed. 
-references: -- https://attack.mitre.org/techniques/T1484/ -- https://attack.mitre.org/techniques/T1484/001 -- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ -- https://adsecurity.org/?p=2716 -- https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory -tags: - analytic_story: - - Active Directory Privilege Escalation - - Sneaky Active Directory Persistence Tricks - asset_type: Endpoint - confidence: 50 - impact: 100 - message: A new group policy objected was created on $dcName$ - mitre_attack_id: - - T1484 - - T1484.001 - observable: - - name: dcName - type: Endpoint - role: - - Victim - - name: src_user - type: User - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - required_fields: - - _time - - admonEventType - - objectCategory - - displayName - - gPCFileSysPath - - dcName - risk_score: 50 - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-admon.log - source: ActiveDirectory - sourcetype: ActiveDirectory From 3a5eeefb826ece2a1f7cc219db494c64fd5b7fd3 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 24 Jul 2024 15:14:50 -0500 Subject: [PATCH 7/7] manual test --- ..._replication_request_initiated_from_unsanctioned_location.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml index 85d9731fbc..d1d6135208 100644 --- a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml +++ b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml 
@@ -89,6 +89,7 @@ tags: - status risk_score: 100 security_domain: endpoint + manual_test: This detection runs correctly when run manually and given some time is given for data to settle in the splunk index. tests: - name: True Positive Test attack_data:
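Review bot: The added `manual_test` value reads awkwardly — `when run manually and given some time is given for data to settle` — and lowercases the product name; suggest `manual_test: This detection runs correctly when run manually, provided some time is given for data to settle in the Splunk index.` The key's indentation cannot be recovered from this collapsed diff; it appears between `security_domain: endpoint` (under `tags:`) and the top-level `tests:`, so confirm it sits at the level the content schema expects. The enclosing `tags` mapping starts before this hunk.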