## Link to rule
Description

The Azure Guest Client, used on Windows VMs in Azure, can trigger the rule.

Example Data

```json
{
  "_index": ".internal.alerts-security.alerts-default-000001",
  "_id": "e0c657e71491ae566aa342f7f3d06eee0895b65bf93c9237f15d90fd0d8e4800",
  "_score": 1,
  "_source": {
    "kibana.version": "8.2.2",
    "kibana.alert.rule.category": "Event Correlation Rule",
    "kibana.alert.rule.consumer": "siem",
    "kibana.alert.rule.execution.uuid": "1d4308e0-8987-4986-87b6-814b71ea34e5",
    "kibana.alert.rule.name": "Enumeration of Privileged Local Groups Membership",
    "kibana.alert.rule.producer": "siem",
    "kibana.alert.rule.rule_type_id": "siem.eqlRule",
    "kibana.alert.rule.uuid": "4623de94-6259-11ec-8362-d90e5ecb7c0a",
    "kibana.space_ids": [ "default" ],
    "kibana.alert.rule.tags": [ "Elastic", "Host", "Windows", "Threat Detection", "Discovery" ],
    "@timestamp": "2022-06-08T16:43:57.143Z",
    "agent": { "name": "Production", "id": "2160fad0-8675-4874-9ecf-b4f274d636a6", "type": "filebeat", "ephemeral_id": "02dc59f0-700f-4dc5-bedd-6b0945d30182", "version": "8.2.2" },
    "winlog": {
      "computer_name": "Production",
      "process": { "pid": 712, "thread": { "id": 1552 } },
      "keywords": [ "Audit Success" ],
      "logon": { "id": "0x3e7" },
      "channel": "Security",
      "event_data": {
        "CallerProcessId": "0x1e98",
        "SubjectUserName": "Production$",
        "TargetSid": "S-1-5-32-544",
        "SubjectDomainName": "WORKGROUP",
        "SubjectLogonId": "0x3e7",
        "TargetUserName": "Administrators",
        "TargetDomainName": "Builtin",
        "CallerProcessName": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1044_2022-02-14_202055\\WaAppAgent.exe",
        "SubjectUserSid": "S-1-5-18"
      },
      "opcode": "Info",
      "record_id": "23689331",
      "event_id": "4799",
      "task": "Security Group Management",
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "activity_id": "{20af9c88-78a1-0000-33d6-7ce2df13d801}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Security-Auditing"
    },
    "log": { "level": "information" },
    "elastic_agent": { "id": "2160fad0-8675-4874-9ecf-b4f274d636a6", "version": "8.2.2", "snapshot": false },
    "message": "A security-enabled local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tProduction$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nProcess Information:\n\tProcess ID:\t\t0x1e98\n\tProcess Name:\t\tC:\\WindowsAzure\\GuestAgent_2.7.41491.1044_2022-02-14_202055\\WaAppAgent.exe",
    "cloud": {
      "instance": { "name": "Production", "id": "20af9c88-78a1-4a49-ba60-809340c70fc9" },
      "provider": "azure",
      "machine": { "type": "Standard_E2as_v4" },
      "service": { "name": "Virtual Machines" },
      "region": "eastus2",
      "account": {}
    },
    "input": { "type": "winlog" },
    "ecs": { "version": "8.0.0" },
    "related": { "user": [ "Production$" ] },
```
Before opening this issue, I had been testing on a custom rule and it works fine. I opened an MR before reading the docs about new MRs and Issues, #2023

Just need to add the:

```
"?:\\WindowsAzure\\GuestAgent*.exe",
```
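To check what the proposed exclusion does before it lands in the rule, here is an added example (not code from the issue or from the detection-rules project) that applies the EQL wildcard pattern to caller process paths from constructed event 4799 records. The `PRIVILEGED_SIDS` set and the `privileged_group_enumeration_alerts` function are assumed, simplified stand-ins for the real rule, which checks more SIDs and fields than modelled here.

```python
import re

# EQL-style wildcard matching as used in detection-rules exclusion lists:
# '*' matches any run of characters (including path separators), '?' matches
# exactly one character, and string comparisons are case-insensitive.
def eql_wildcard_to_regex(pattern: str) -> re.Pattern:
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

# The exclusion proposed in the issue, with one backslash per path separator
# once the TOML/EQL string escaping is resolved.
AZURE_AGENT_EXCLUSION = r"?:\WindowsAzure\GuestAgent*.exe"

# Assumed, simplified stand-in for the rule: event 4799 against the Builtin
# Administrators group (S-1-5-32-544), minus excluded caller processes.
PRIVILEGED_SIDS = {"S-1-5-32-544"}

def privileged_group_enumeration_alerts(events, exclusions):
    excluded = [eql_wildcard_to_regex(p) for p in exclusions]
    alerts = []
    for ev in events:
        if ev["event_id"] != "4799" or ev["TargetSid"] not in PRIVILEGED_SIDS:
            continue
        caller = ev["CallerProcessName"]
        if any(rx.match(caller) for rx in excluded):
            continue  # known-benign enumerator such as the Azure guest agent
        alerts.append(caller)
    return alerts

# Constructed sample events modelled on the 4799 record in the issue.
SAMPLE_EVENTS = [
    {"event_id": "4799", "TargetSid": "S-1-5-32-544",
     "CallerProcessName": r"C:\WindowsAzure\GuestAgent_2.7.41491.1044_2022-02-14_202055\WaAppAgent.exe"},
    {"event_id": "4799", "TargetSid": "S-1-5-32-544",
     "CallerProcessName": r"d:\windowsazure\guestagent_3.0.0\waappagent.exe"},  # other drive, lower case
    {"event_id": "4799", "TargetSid": "S-1-5-32-544",
     "CallerProcessName": r"C:\Temp\enum.exe"},  # constructed: still alerts
    {"event_id": "4798", "TargetSid": "S-1-5-32-544",
     "CallerProcessName": r"C:\Temp\enum.exe"},  # user, not group, enumeration: out of scope
]
```

Running `privileged_group_enumeration_alerts(SAMPLE_EVENTS, [AZURE_AGENT_EXCLUSION])` leaves only the constructed `C:\Temp\enum.exe` alert, while the same call with an empty exclusion list also returns both guest-agent paths.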
@GabrielMioranza - Thank you for bringing this to our attention! We will review this issue and start a PR to tune the rule after our investigation.
terrancedejesus