From 784db6c6752f62e1124206a4b358a5ec68cd76f0 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus
Date: Wed, 1 Jun 2022 10:20:26 -0400
Subject: [PATCH 1/7] adding detection rule
---
 ...berarkpas_error_audit_event_promotion.toml | 7 +-
 ..._enumerating_domain_trusts_via_nltest.toml | 64 +++++++++++++++++++
 2 files changed, 66 insertions(+), 5 deletions(-)
 create mode 100644 rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
index 019430820a4..6f2f59c76f7 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
@@ -1,10 +1,7 @@
 [metadata]
-creation_date = "2021/06/23"
+creation_date = "2022/05/31"
 maturity = "production"
-updated_date = "2021/07/20"
-integration = "cyberarkpas"
-min_stack_comments = "The integration was not introduced until 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/05/31"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
new file mode 100644
index 00000000000..1c4f9446e2f
--- /dev/null
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -0,0 +1,64 @@
+[metadata]
+creation_date = "2022/05/31"
+maturity = "production"
+updated_date = "2022/06/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to
+enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC)
+replication in a Microsoft Windows NT Domain.
+"""
+false_positives = [
+ """
+ Domain administrators may use this command-line utility for legitimate information gathering purposes but it is not
+ common for environments with Windows Server 2012 and newer.
+ """,
+]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Enumerating Domain Trusts via NLTEST.EXE"
+note = """## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+references = [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+]
+risk_score = 23
+rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
+severity = "low"
+tags = ["Elastic", "Threat Detection", "Discovery", "Windows"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where process.parent.name : "cmd.exe" and process.name : "nltest.exe"
+and process.args : (
+ "/DCLIST:*",
+ "/DCNAME:*",
+ "/DSGET*",
+ "/LSAQUERYFTI:*",
+ "/PARENTDOMAIN",
+ "/DOMAIN_TRUSTS",
+ "/BDC_QUERY:*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Domain Trust Discovery"
+reference = "https://attack.mitre.org/techniques/T1482/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
From cfe04b3b71de7563b53ffd003e155803a0bc2362 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus
Date: Wed, 1 Jun 2022 10:31:12 -0400
Subject: [PATCH 2/7] removed changes from unrelated rule
---
 ...escalation_cyberarkpas_error_audit_event_promotion.toml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
index 6f2f59c76f7..019430820a4 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
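Review bot: The `process.args` list in the new `query` does not include `/TRUSTED_DOMAINS`, the nltest switch whose sole purpose is listing trusted domains and which is documented on the Microsoft page already cited in `references`; as written, `nltest /trusted_domains` produces no alert even though it is exactly the behavior the rule name describes. Adding `"/TRUSTED_DOMAINS",` to the array closes that gap at no false-positive cost beyond what the existing switches already carry. The `note` covers only the `event.ingested` pipeline caveat; a short triage sentence (check the parent process and the user, and whether the host is a DC or admin workstation) would help analysts act on a low-severity discovery alert.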
@@ -1,7 +1,10 @@
 [metadata]
-creation_date = "2022/05/31"
+creation_date = "2021/06/23"
 maturity = "production"
-updated_date = "2022/05/31"
+updated_date = "2021/07/20"
+integration = "cyberarkpas"
+min_stack_comments = "The integration was not introduced until 7.14"
+min_stack_version = "7.14.0"
 [rule]
 author = ["Elastic"]
From 5a07f69bdfc1aaf1f3662ef117561addb4d395d1 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus
Date: Wed, 1 Jun 2022 11:30:34 -0400
Subject: [PATCH 3/7] adjusted threat technique
---
 .../windows/discovery_enumerating_domain_trusts_via_nltest.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 1c4f9446e2f..901e2068f8c 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -52,7 +52,7 @@ and process.args : (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1078"
+id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
From 61f82254bb3835e6864519ff0001d6fc417ebea3 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 14 Jun 2022 10:02:23 -0400
Subject: [PATCH 4/7] Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
---
 ...overy_enumerating_domain_trusts_via_nltest.toml | 14 +++++--------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 901e2068f8c..215254528e0 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -37,15 +37,11 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where process.parent.name : "cmd.exe" and process.name : "nltest.exe"
-and process.args : (
- "/DCLIST:*",
- "/DCNAME:*",
- "/DSGET*",
- "/LSAQUERYFTI:*",
- "/PARENTDOMAIN",
- "/DOMAIN_TRUSTS",
- "/BDC_QUERY:*")
+process where event.type in ("start", "process_started") and
+ process.name : "nltest.exe" and process.args : (
+ "/DCLIST:*", "/DCNAME:*", "/DSGET*",
+ "/LSAQUERYFTI:*", "/PARENTDOMAIN",
+ "/DOMAIN_TRUSTS", "/BDC_QUERY:*")
 '''
From 263c06f5c00540ec8831cea409696d7123750dc8 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 5 Jul 2022 09:56:04 -0400
Subject: [PATCH 5/7] Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Jonhnathan
---
 .../windows/discovery_enumerating_domain_trusts_via_nltest.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 215254528e0..82af30fa03b 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -12,7 +12,7 @@ replication in a Microsoft Windows NT Domain.
 """
 false_positives = [
 """
- Domain administrators may use this command-line utility for legitimate information gathering purposes but it is not
+ Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not
 common for environments with Windows Server 2012 and newer.
 """,
 ]
From 6be0ba703d1bb0287312fffd4ffd9f290cc9e9e1 Mon Sep 17 00:00:00 2001
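Review bot: The rewritten `query` keys the detection solely on `process.name : "nltest.exe"`, so an operator who copies the binary under another name (a common step in the Ryuk intrusions the cited Red Canary post describes) passes through with identical arguments. Matching the PE original name as well keeps the existing coverage and catches the renamed case: `(process.name : "nltest.exe" or process.pe.original_file_name : "nltest.exe")` in place of the bare `process.name` clause. `process.pe.original_file_name` is populated by Elastic Endpoint and Sysmon-derived events but probably not by bare Security 4688 events in `winlogbeat-*`, which is why the `or` rather than a replacement. Dropping the `cmd.exe` parent constraint is the right call, since PowerShell and script hosts launch nltest just as often; the wider scope is what makes the renamed-binary gap worth closing.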
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 5 Jul 2022 09:56:15 -0400
Subject: [PATCH 6/7] Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Jonhnathan
---
 .../windows/discovery_enumerating_domain_trusts_via_nltest.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 82af30fa03b..cbee0cc9746 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -32,7 +32,7 @@ references = [
 risk_score = 23
 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
 severity = "low"
-tags = ["Elastic", "Threat Detection", "Discovery", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
From cea370b8d078f20519a209e3f8b9b15508aa7314 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 5 Jul 2022 09:57:15 -0400
Subject: [PATCH 7/7] Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
---
 .../windows/discovery_enumerating_domain_trusts_via_nltest.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index cbee0cc9746..8a1817fffc1 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/05/31"
 maturity = "production"
-updated_date = "2022/06/01"
+updated_date = "2022/07/05"
 [rule]
 author = ["Elastic"]