splunk · patel-bhavin · Jul 26, 2024 · Jul 2, 2024 · Jul 2, 2024 · Jul 2, 2024
@@ -1,7 +1,7 @@
 name: Azure AD Admin Consent Bypassed by Service Principal
 id: 9d4fea43-9182-4c5a-ada8-13701fd5615d
-version: 2
-date: '2024-05-29'
+version: 3
+date: '2024-07-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Azure Active Directory Add app role assignment to service principal
@@ -17,17 +17,14 @@ description: The following analytic identifies instances where a service princip
   without proper oversight, potentially compromising the security of the Azure AD
   environment.
 search: >-
-  `azure_monitor_aad` operationName="Add app role assignment to service principal"
-  src_user_type=servicePrincipal
-  | rename properties.* as *  | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue',
-  0)
-  | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1)
-  | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue',
-  2)
-  | eval dest_user = mvindex('targetResources{}.id', 0)
-  | rename initiatedBy.app.displayName as src_user
-  | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user
-  dest_user roleId roleValue roleDescription
+  `azure_monitor_aad` (operationName="Add app role assignment to service principal" OR operationName="Add member to role*") src_user_type=servicePrincipal 
+  | rename properties.* as *  
+  | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', 0) 
+  | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1) 
+  | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', 2) 
+  | eval user_id = mvindex('targetResources{}.id', 0), user=coalesce(user,mvindex('targetResources{}.displayName', 0))
+  | rename initiatedBy.app.displayName as src_user 
+  | stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user user user_id roleId roleValue roleDescription
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`  | `azure_ad_admin_consent_bypassed_by_service_principal_filter`
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
@@ -47,10 +44,14 @@ tags:
   confidence: 60
   impact: 90
   message: Service principal $src_user$ bypassed the admin consent process and granted
-    permissions to $dest_user$
+    permissions to $user$
   mitre_attack_id:
   - T1098.003
   observable:
+  - name: user
+    type: User
+    role:
+    - Victim
   - name: src_user
     type: User
     role:

@@ -1,8 +1,8 @@
 name: Azure AD Global Administrator Role Assigned
 id: 825fed20-309d-4fd1-8aaf-cd49c1bb093c
-version: 5
-date: '2024-05-29'
-author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
+version: 6
+date: '2024-07-02'
+author: Gowthamaraj Rajendran, Mauricio Velazco, Dean Luxton, Splunk
 status: production
 type: TTP
 description: The following analytic detects the assignment of the Azure AD Global
@@ -15,11 +15,14 @@ description: The following analytic detects the assignment of the Azure AD Globa
   posing a severe security risk.
 data_source:
 - Azure Active Directory Add member to role
-search: '`azure_monitor_aad`  operationName="Add member to role"  properties.targetResources{}.modifiedProperties{}.newValue="\"Global
-  Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName
-  as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user)
-  as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `azure_ad_global_administrator_role_assigned_filter`'
+search: '`azure_monitor_aad`  operationName="Add member to role"  properties.targetResources{}.modifiedProperties{}.newValue="\"Global Administrator\""
+  | rename properties.* as *, initiatedBy.user.userPrincipalName as userPrincipalName, targetResources{}.displayName as displayName
+  | eval  initiatedBy = coalesce(userPrincipalName,src_user)
+  | eval user = coalesce(user,mvfilter(displayName!="null"))
+  | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
+  | `azure_ad_global_administrator_role_assigned_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
   You must be ingesting Azure Active Directory events into your Splunk environment

@@ -1,8 +1,8 @@
 name: Azure AD Privileged Role Assigned
 id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a
-version: 3
-date: '2024-05-29'
-author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
+version: 4
+date: '2024-07-02'
+author: Mauricio Velazco, Gowthamaraj Rajendran, Dean Luxton, Splunk
 status: production
 type: TTP
 description: The following analytic detects the assignment of privileged Azure Active
@@ -14,8 +14,10 @@ description: The following analytic detects the assignment of privileged Azure A
   over the Azure AD infrastructure.
 data_source:
 - Azure Active Directory Add member to role
-search: ' `azure_monitor_aad`  "operationName"="Add member to role" | rename properties.*  as * 
-  | rename initiatedBy.user.userPrincipalName as initiatedBy 
+search: ' `azure_monitor_aad`  "operationName"="Add member to role" 
+  | rename properties.* as *, initiatedBy.user.userPrincipalName as userPrincipalName, targetResources{}.displayName as displayName
+  | eval  initiatedBy = coalesce(userPrincipalName,src_user)
+  | eval user = coalesce(user,mvfilter(displayName!="null"))
   | rename targetResources{}.modifiedProperties{}.newValue  as roles 
   | eval role=mvindex(roles,1)
   | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role

@@ -1,8 +1,8 @@
 name: Azure AD Service Principal New Client Credentials
 id: e3adc0d3-9e4b-4b5d-b662-12cec1adff2a
-version: 3
-date: '2024-05-11'
-author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
+version: 4
+date: '2024-07-02'
+author: Mauricio Velazco, Gowthamaraj Rajendran, Dean Luxton, Splunk
 status: production
 type: TTP
 description: The following analytic detects the addition of new credentials to Service
@@ -15,11 +15,21 @@ description: The following analytic detects the addition of new credentials to S
   access and control over the Azure environment.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad`  category=AuditLogs operationName="Update application*Certificates
-  and secrets management " | rename properties.* as * | rename  targetResources{}.*
-  as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName)
-  as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `azure_ad_service_principal_new_client_credentials_filter`'
+search: ' `azure_monitor_aad`  category=AuditLogs operationName="Update application*Certificates and secrets management*"
+ | rename properties.* as * 
+ | rename  targetResources{}.* as * 
+ | rename modifiedProperties{}.* as *
+ | eval src_user=coalesce(user,identity), newValue=mvfilter(newValue!="\"KeyDescription\"")
+ | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName values(src_ip) as src_ip values(eval(mvfilter(oldValue!="null"))) as oldValue by src_user, object, newValue
+ | spath input=oldValue output=oldValues path={}
+ | spath input=newValue output=newValues path={}
+ | mvexpand newValues
+ | where NOT newValues IN (oldValues)
+ | fields - newValue, oldValue, oldValues
+ | rename newValues as newValue
+ | `security_content_ctime(firstTime)` 
+ | `security_content_ctime(lastTime)`
+ | `azure_ad_service_principal_new_client_credentials_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
   You must be ingesting Azure Active Directory events into your Splunk environment.
@@ -42,12 +52,16 @@ tags:
   asset_type: Azure Active Directory
   confidence: 50
   impact: 70
-  message: New credentials added for Service Principal by $user$
+  message: New Service Principal credentials were added to $object$ by $src_user$
   mitre_attack_id:
   - T1098
   - T1098.001
   observable:
-  - name: user
+  - name: src_user
+    type: User
+    role:
+    - Victim
+  - name: object
     type: User
     role:
     - Victim

@@ -1,7 +1,7 @@
 name: Detect New Local Admin account
 id: b25f6f62-0712-43c1-b203-083231ffd97d
-version: 4
-date: '2024-05-15'
+version: 5
+date: '2024-07-02'
 author: David Dorsey, Splunk
 status: production
 type: TTP
@@ -10,10 +10,11 @@ description: |-
 data_source:
 - Windows Event Log Security 4732 
 - Windows Event Log Security 4720
-search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
-  | transaction src_user connected=false maxspan=180m | rename src_user as user |
-  stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`'
+search: '`wineventlog_security` (EventCode=4720) OR (EventCode=4732 Group_Name=Administrators) 
+| stats dc(EventCode) as evCount min(_time) as _time range(_time) as duration values(src_user) as src_user values(src_user_category) as src_user_category values(dest_category) as dest_category by user dest
+| where evCount=2
+| fields - evCount, duration
+| `detect_new_local_admin_account_filter`'
 how_to_implement: You must be ingesting Windows event logs using the Splunk Windows
   TA and collecting event code 4720 and 4732
 known_false_positives: The activity may be legitimate. For this reason, it's best
@@ -39,6 +40,10 @@ tags:
     type: User
     role:
     - Victim
+  - name: src_user
+    type: User
+    role:
+    - Victim
   - name: dest
     type: Hostname
     role:

@@ -1,8 +1,8 @@
 name: Kerberos Pre-Authentication Flag Disabled in UserAccountControl
 id: 0cb847ee-9423-11ec-b2df-acde48001122
-version: 2
-date: '2024-05-24'
-author: Mauricio Velazco, Splunk
+version: 3
+date: '2024-07-02'
+author: Mauricio Velazco, Dean Luxton, Splunk
 status: production
 type: TTP
 description: The following analytic detects when the Kerberos Pre-Authentication flag
@@ -15,9 +15,10 @@ description: The following analytic detects when the Kerberos Pre-Authentication
   of sensitive information.
 data_source:
 - Windows Event Log Security 4738
-search: ' `wineventlog_security` EventCode=4738 MSADChangedAttributes="*Don''t Require
-  Preauth'' - Enabled*" |rename Account_Name as user | table EventCode, user, dest,
-  Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`'
+search: '`wineventlog_security` EventCode=4738 (UserAccountControl="%%2096" OR MSADChangedAttributes="*Don''t Require Preauth'' - Enabled*")
+  | eval MSADChangedAttributes="''Don''t Require Preauth'' - Enabled"
+  | table _time, source, EventCode, src_user, src_user_category, user, user_category, MSADChangedAttributes 
+  | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   Domain Controller events. The Advanced Security Audit policy setting `User Account
   Management` within `Account Management` needs to be enabled.

@@ -41,6 +41,7 @@ references:
 - https://adsecurity.org/?p=1729
 - https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer
 - https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml
+- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
 tags:
   analytic_story:
   - Sneaky Active Directory Persistence Tricks

@@ -45,6 +45,7 @@ references:
 - https://adsecurity.org/?p=1729
 - https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer
 - https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml
+- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
 tags:
   analytic_story:
   - Sneaky Active Directory Persistence Tricks
@@ -88,6 +89,7 @@ tags:
   - status
   risk_score: 100
   security_domain: endpoint
+  manual_test: This detection runs correctly when run manually and given some time is given for data to settle in the splunk index. 
 tests:
 - name: True Positive Test
   attack_data: