[New Rule] Enumerating domain trusts activity #437

Closed
peasead opened this issue Oct 30, 2020 · 1 comment · Fixed by #2010
Labels
backlog Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule

Comments

@peasead
Contributor

peasead commented Oct 30, 2020

Description

NLTEST.EXE is a very powerful command-line utility that can be used to test Trust relationships and the state of Domain Controller replication in a Microsoft Windows NT Domain.

This rule will detect when it is being used to enumerate network trusts.

Required Info

  • Eventing Sources:

    • winlogbeat-*
    • logs-endpoint.events.*
  • Target Operating Systems:
    Windows

  • Platforms
    NA

  • Target ECS Version: 1.6.0

  • New fields required in ECS for this? NA

  • Related issues or PRs NA

Optional Info

Example Data

process.pe.original_file_name:nltestrk.exe and process.args:("/domain_trusts" or "/all_trusts" or /dclist\:*)
{
  "_index": ".ds-logs-endpoint.events.process-default-000003",
  "_type": "_doc",
  "_id": "ggIienUBFsYu-VWrXlfJ",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "id": "c4cbe1e4-30da-417e-91b9-5845f93f5d4e",
      "type": "endpoint",
      "version": "7.9.2"
    },
    "process": {
      "Ext": {
        "ancestry": [
          "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTgxNzItMTMyNDg1NDUwNzkuMTU0OTkyMDA=",
          "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTUxMTItMTMyNDg1NDUwNjMuNDY5NDA3MDA=",
          "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTUwMzYtMTMyNDg1NDUwNjMuNzU2NjI1MDA=",
          "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTU4OC0xMzI0ODU0NTA1My45NzcyMDAw"
        ],
        "code_signature": [
          {
            "subject_name": "Microsoft Windows",
            "status": "trusted"
          }
        ],
        "token": {
          "integrity_level_name": "high",
          "elevation_level": "default"
        }
      },
      "args": [
        "nltest.exe",
        "/dclist:WORKGROUP"
      ],
      "parent": {
        "name": "cmd.exe",
        "pid": 8172,
        "entity_id": "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTgxNzItMTMyNDg1NDUwNzkuMTU0OTkyMDA=",
        "executable": "C:\\Windows\\System32\\cmd.exe"
      },
      "pe": {
        "original_file_name": "nltestrk.exe"
      },
      "name": "nltest.exe",
      "pid": 11028,
      "args_count": 2,
      "entity_id": "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTExMDI4LTEzMjQ4NTQ1MzYwLjI4OTI4MzAw",
      "command_line": "nltest.exe  /dclist:WORKGROUP",
      "executable": "C:\\Windows\\System32\\nltest.exe",
      "hash": {
        "sha1": "2339275f8bdd00bdd740e97b104917b085260904",
        "sha256": "e2c3e91f1ff8c518a3276c80d7f3ac875090bf6e02a0e03d7eaab47c60af658f",
        "md5": "f9a3731de3c11b21e101cfd6bd1f7bd3"
      }
    },
    "message": "Endpoint process event",
    "@timestamp": "2020-10-30T15:29:20.28928300Z",
    "ecs": {
      "version": "1.5.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "endpoint.events.process"
    },
    "elastic": {
      "agent": {
        "id": "689cfe1b-a8dc-4242-83ae-965312db059e"
      }
    },
    "host": {
      "hostname": "[redacted]",
      "os": {
        "Ext": {
          "variant": "Windows 10 Enterprise Evaluation"
        },
        "kernel": "1909 (10.0.18363.1139)",
        "name": "Windows",
        "family": "windows",
        "version": "1909 (10.0.18363.1139)",
        "platform": "windows",
        "full": "Windows 10 Enterprise Evaluation 1909 (10.0.18363.1139)"
      },
      "ip": [
        "172.16.17.151",
        "fe80::81e2:50b5:eb1d:daf2",
        "127.0.0.1",
        "::1"
      ],
      "name": "[redacted]",
      "id": "d58f982a-e1cd-db85-d110-f444e469a221",
      "mac": [
        "00:0c:29:b4:4c:e8"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "sequence": 2952,
      "ingested": "2020-10-30T15:31:14.216707127Z",
      "created": "2020-10-30T15:29:20.28928300Z",
      "kind": "event",
      "module": "endpoint",
      "action": "start",
      "id": "Ltkk6+c1EkX1FvFt++++++rQ",
      "category": [
        "process"
      ],
      "type": [
        "start"
      ],
      "dataset": "endpoint.events.process"
    },
    "user": {
      "domain": "[redacted]",
      "name": "[redacted]"
    }
  },
  "fields": {
    "event.ingested": [
      "2020-10-30T15:31:14.216Z"
    ],
    "@timestamp": [
      "2020-10-30T15:29:20.289Z"
    ],
    "event.created": [
      "2020-10-30T15:29:20.289Z"
    ]
  },
  "highlight": {
    "process.pe.original_file_name": [
      "@kibana-highlighted-field@nltestrk.exe@/kibana-highlighted-field@"
    ],
    "process.args": [
      "@kibana-highlighted-field@/dclist:WORKGROUP@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1604071760289
  ]
}
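The proposed query re-expressed in Python and run over constructed events shaped like the sample document, as an added example that is not from the issue or the detection-rules project. It includes a renamed copy of nltest, which still matches because the query keys on process.pe.original_file_name rather than the on-disk name.

```python
import fnmatch

# Added example (not from the issue): the proposed KQL query re-expressed in
# Python so its match logic can be run offline. All events are constructed.

# PE header name stamped into nltest.exe; a renamed copy still carries it.
ORIGINAL_FILE_NAME = "nltestrk.exe"
EXACT_ARGS = {"/domain_trusts", "/all_trusts"}  # literal terms in the query
WILDCARD_ARGS = ["/dclist:*"]                     # KQL "/dclist\:*"


def matches_domain_trust_enum(source: dict) -> bool:
    """True when the event body satisfies the query; mirrors KQL keyword
    semantics (exact, case-sensitive match on each process.args term)."""
    process = source.get("process", {})
    if process.get("pe", {}).get("original_file_name") != ORIGINAL_FILE_NAME:
        return False
    args = process.get("args", [])
    if any(a in EXACT_ARGS for a in args):
        return True
    return any(fnmatch.fnmatchcase(a, p) for a in args for p in WILDCARD_ARGS)


def find_hits(events: list) -> list:
    """Return the _id of every document the rule would fire on."""
    return [e["_id"] for e in events if matches_domain_trust_enum(e["_source"])]


def make_event(event_id, executable, args, original_file_name):
    """Build a minimal ECS process document (constructed sample data)."""
    return {"_id": event_id, "_source": {"process": {
        "executable": executable, "args": args,
        "pe": {"original_file_name": original_file_name}}}}


SAMPLE_EVENTS = [
    # Same shape as the issue's example: nltest listing domain controllers.
    make_event("evt-1", r"C:\Windows\System32\nltest.exe",
               ["nltest.exe", "/dclist:WORKGROUP"], "nltestrk.exe"),
    # nltest renamed on disk; the PE original name still gives it away.
    make_event("evt-2", r"C:\Temp\update.exe",
               ["update.exe", "/domain_trusts"], "nltestrk.exe"),
    # nltest used for an unrelated check: no trust or DC-list argument.
    make_event("evt-3", r"C:\Windows\System32\nltest.exe",
               ["nltest.exe", "/sc_query:CORP"], "nltestrk.exe"),
    # A different tool with a similar-looking argument: not nltest, no hit.
    make_event("evt-4", r"C:\Tools\other.exe",
               ["other.exe", "/dclist:CORP"], "other.exe"),
]
```

Because the keyword match is case-sensitive, the real rule may want case normalisation or a case-insensitive field, which this offline check makes easy to verify.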
@peasead peasead added Rule: New Proposal for new rule OS: Windows windows related rules Domain: Endpoint v7.11.0 labels Oct 30, 2020
@peasead peasead self-assigned this Oct 30, 2020
@peasead peasead removed their assignment Jul 1, 2021
@peasead peasead added backlog and removed v7.11.0 labels Jul 1, 2021
@peasead
Contributor Author

peasead commented Jul 1, 2021

7/1 - update

Recommend handing off to Analysis to assess viability or Issue closure.

@terrancedejesus terrancedejesus changed the title [Rule Tuning] Enumerating domain trusts activity [New Rule] Enumerating domain trusts activity May 31, 2022
@terrancedejesus terrancedejesus linked a pull request Jun 1, 2022 that will close this issue