|
| 1 | +[metadata] |
| 2 | +creation_date = "2022/12/19" |
| 3 | +integration = ["windows"] |
| 4 | +maturity = "production" |
| 5 | +min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" |
| 6 | +min_stack_version = "8.4.0" |
| 7 | +updated_date = "2023/02/01" |
| 8 | + |
| 9 | +[rule] |
| 10 | +author = ["Elastic"] |
| 11 | +description = """ |
| 12 | +This rule identifies when a User Account starts the Active Directory Replication Process for the first time. |
| 13 | +Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, |
| 14 | +thus compromising the entire domain. |
| 15 | +""" |
| 16 | +from = "now-9m" |
| 17 | +index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] |
| 18 | +language = "kuery" |
| 19 | +license = "Elastic License v2" |
| 20 | +name = "FirstTime Seen Account Performing DCSync" |
| 21 | +note = """## Setup |
| 22 | +
|
| 23 | +The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). |
| 24 | +Steps to implement the logging policy with Advanced Audit Configuration: |
| 25 | +
|
| 26 | +``` |
| 27 | +Computer Configuration > |
| 28 | +Policies > |
| 29 | +Windows Settings > |
| 30 | +Security Settings > |
| 31 | +Advanced Audit Policies Configuration > |
| 32 | +Audit Policies > |
| 33 | +DS Access > |
| 34 | +Audit Directory Service Changes (Success,Failure) |
| 35 | +``` |
| 36 | +
|
| 37 | +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. |
| 38 | +""" |
| 39 | +references = [ |
| 40 | + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", |
| 41 | + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", |
| 42 | + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", |
| 43 | + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", |
| 44 | + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", |
| 45 | + "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync", |
| 46 | +] |
| 47 | +risk_score = 73 |
| 48 | +rule_id = "5c6f4c58-b381-452a-8976-f1b1c6aa0def" |
| 49 | +severity = "high" |
| 50 | +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"] |
| 51 | +timestamp_override = "event.ingested" |
| 52 | +type = "new_terms" |
| 53 | + |
| 54 | +query = ''' |
| 55 | +event.action : "Directory Service Access" and event.code : "4662" and |
| 56 | + winlog.event_data.Properties : (*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and |
| 57 | + not winlog.event_data.SubjectUserName : (*$ or MSOL_*) |
| 58 | +''' |
| 59 | + |
| 60 | + |
| 61 | +[[rule.threat]] |
| 62 | +framework = "MITRE ATT&CK" |
| 63 | + |
| 64 | +[[rule.threat.technique]] |
| 65 | +id = "T1003" |
| 66 | +reference = "https://attack.mitre.org/techniques/T1003/" |
| 67 | +name = "OS Credential Dumping" |
| 68 | + |
| 69 | + [[rule.threat.technique.subtechnique]] |
| 70 | + id = "T1003.006" |
| 71 | + reference = "https://attack.mitre.org/techniques/T1003/006/" |
| 72 | + name = "DCSync" |
| 73 | + |
| 74 | + |
| 75 | +[rule.threat.tactic] |
| 76 | +id = "TA0006" |
| 77 | +reference = "https://attack.mitre.org/tactics/TA0006/" |
| 78 | +name = "Credential Access" |
| 79 | + |
| 80 | + |
| 81 | +[rule.new_terms] |
| 82 | +field = "new_terms_fields" |
| 83 | +value = ["winlog.event_data.SubjectUserName"] |
| 84 | + |
| 85 | +[[rule.new_terms.history_window_start]] |
| 86 | +field = "history_window_start" |
| 87 | +value = "now-15d" |
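Review bot: The Setup note tells operators to configure "Audit Directory Service Changes", but the query keys on `event.code : "4662"`, which is produced by the "Audit Directory Service Access" subcategory rather than Changes (the logging-policy reference in the references array, LP_0027_windows_audit_directory_service_access, points the same way) — with only the Changes subcategory enabled the rule would silently never fire, so please verify and correct the subcategory in both the sentence and the policy path, e.g. `Audit Directory Service Access (Success,Failure)`. The last paragraph of the note still reads "If enabling an EQL rule ...", yet this is a `new_terms` rule with `language = "kuery"`; the `event.ingested` caveat does still apply because of `timestamp_override = "event.ingested"`, so reword it to refer to this rule rather than to an EQL rule. The `not winlog.event_data.SubjectUserName : (*$ or MSOL_*)` exclusion is purely name-based, so any account whose name happens to match either pattern is excluded from detection; consider stating that limitation in the note or pairing the `MSOL_*` exclusion with an additional constraint such as the host the account is expected to operate from. Minor: the name `FirstTime Seen Account Performing DCSync` reads better as `First Time Seen Account Performing DCSync`.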