
Commit 5c76c5c

Samirbous authored and github-actions[bot] committed
[New Rule] FirstTimeSeen User Performing DCSync (#2433)
* Create credential_access_dcsync_newterm_subjectuser.toml * Update credential_access_dcsync_newterm_subjectuser.toml * Update credential_access_dcsync_newterm_subjectuser.toml * Update credential_access_dcsync_newterm_subjectuser.toml * Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml Co-authored-by: Jonhnathan <[email protected]> * Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml Co-authored-by: Jonhnathan <[email protected]> * Update credential_access_dcsync_newterm_subjectuser.toml * Update credential_access_dcsync_newterm_subjectuser.toml * Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml Co-authored-by: Jonhnathan <[email protected]> * Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml Co-authored-by: Jonhnathan <[email protected]> --------- Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Jonhnathan <[email protected]> (cherry picked from commit cd2307b)
1 parent 15c6af6 commit 5c76c5c

1 file changed

+87
-0
lines changed

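--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -0,0 +1,87 @@
+[metadata]
+creation_date = "2022/12/19"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
+updated_date = "2023/02/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies when a User Account starts the Active Directory Replication Process for the first time.
+Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain,
+thus compromising the entire domain.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "FirstTime Seen Account Performing DCSync"
+note = """## Setup
+
+The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Changes (Success,Failure)
+```
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+references = [
+"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
+"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing",
+"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml",
+"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md",
+"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync",
+"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync",
+]
+risk_score = 73
+rule_id = "5c6f4c58-b381-452a-8976-f1b1c6aa0def"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.action : "Directory Service Access" and event.code : "4662" and
+winlog.event_data.Properties : (*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
+not winlog.event_data.SubjectUserName : (*$ or MSOL_*)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+reference = "https://attack.mitre.org/techniques/T1003/"
+name = "OS Credential Dumping"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.006"
+reference = "https://attack.mitre.org/techniques/T1003/006/"
+name = "DCSync"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+name = "Credential Access"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["winlog.event_data.SubjectUserName"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-15d"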
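Review bot: The closing paragraph of `note` (new line 37) describes "an EQL rule" and "default fallback for EQL rules", but this file declares `language = "kuery"` and `type = "new_terms"`, so the setup guidance reads as copied from an EQL rule and does not clearly apply here. If the `event.ingested` / `timestamp_override` fallback caveat also holds for new_terms rules, reword it to `If enabling this rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define \`event.ingested\` ...`; if it does not, the paragraph should be dropped rather than left as-is. The query's exclusion `not winlog.event_data.SubjectUserName : (*$ or MSOL_*)` also removes every computer account and every `MSOL_*` account from scope, not only domain controllers and Azure AD Connect, and that coverage boundary belongs in `note` so analysts know why replication requests from such accounts produce no alert. Minor: `*DS-Replication-Get-Changes*` already matches the `-All` and `-In-Filtered-Set` variants, so those two extra name terms are redundant (the GUID terms are still needed).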
