[New Rule] Enumerating Domain Trusts via Dsquery.exe #2508

Merged
merged 4 commits into from
Feb 1, 2023

Conversation

imays11
Contributor

@imays11 imays11 commented Jan 31, 2023

Issues

Summary

T1482 Domain Trust Discovery

New rule to capture domain trust discovery with dsquery.

@imays11 imays11 added Rule: New Proposal for new rule OS: Windows windows related rules Domain: Endpoint labels Jan 31, 2023
@imays11 imays11 self-assigned this Jan 31, 2023
I think it would be beneficial to add the process.pe.original_file_name : "dsquery.exe" to the rule, as it would be easy for an attacker to bypass this rule by changing the file name, as so: https://prnt.sc/ZqePZKuV1-Vq

Other than that, LGTM!
Contributor

@Aegrah Aegrah left a comment

Other than my suggestion, LGTM.
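The review point above, as an added example that is not part of the PR or the elastic/detection-rules repository: a rule that keys only on `process.name` misses a renamed copy of the binary, while also matching `process.pe.original_file_name` (taken from the PE version resource, which stays with the file whatever it is called on disk) still fires. The `objectClass=trustedDomain` argument condition is my assumption about what the rule filters on, not text from this page.

```python
# Added example (not the repository's rule): compares a name-only check with
# the name-or-original_file_name check the reviewer suggested, over a few
# constructed ECS-style process start events.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProcessEvent:
    """Minimal ECS-style process start event (constructed)."""
    name: str                          # process.name (on-disk file name)
    original_file_name: Optional[str]  # process.pe.original_file_name
    args: list[str]                    # process.args

def trust_enum_args(ev: ProcessEvent) -> bool:
    # Assumed rule condition: the query targets the trustedDomain object class.
    return any("objectclass=trusteddomain" in a.lower() for a in ev.args)

def naive_rule(ev: ProcessEvent) -> bool:
    """Keys on the on-disk name only; a renamed copy slips past it."""
    return ev.name.lower() == "dsquery.exe" and trust_enum_args(ev)

def hardened_rule(ev: ProcessEvent) -> bool:
    """Also matches the PE original file name, as suggested in review."""
    original = (ev.original_file_name or "").lower()
    is_dsquery = ev.name.lower() == "dsquery.exe" or original == "dsquery.exe"
    return is_dsquery and trust_enum_args(ev)

# Constructed sample events: stock binary, renamed copy, unrelated dsquery use.
EVENTS = {
    "stock": ProcessEvent("dsquery.exe", "dsquery.exe",
                          ["dsquery.exe", "*", "-filter", "(objectClass=trustedDomain)"]),
    "renamed": ProcessEvent("svc.exe", "dsquery.exe",
                            ["svc.exe", "*", "-filter", "(objectClass=trustedDomain)"]),
    "benign": ProcessEvent("dsquery.exe", "dsquery.exe",
                           ["dsquery.exe", "user", "-name", "jdoe"]),
}

def evaluate(rule, events=EVENTS) -> dict[str, bool]:
    """Return which labelled events the given rule would alert on."""
    return {label: rule(ev) for label, ev in events.items()}

if __name__ == "__main__":
    for label, rule in (("naive", naive_rule), ("hardened", hardened_rule)):
        print(label, evaluate(rule))
```

The original file name comes from the PE version resource, so it can be edited or stripped as well; the extra field is defence in depth, not a guarantee, and a command-line condition like the one assumed here keeps ordinary dsquery use from alerting.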

@imays11 imays11 merged commit 748bdbf into main Feb 1, 2023
@imays11 imays11 deleted the domain_trust_discovery_via_dsquery branch February 1, 2023 15:27
protectionsmachine pushed a commit that referenced this pull request Feb 1, 2023
* [New Rule] Enumerating Domain Trusts via Dsquery.exe

T1482 Domain Trust Discovery

New rule to capture domain trust discovery with dsquery.

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

I think it would be beneficial to add the process.pe.original_file_name : "dsquery.exe" to the rule, as it would be easy for an attacker to bypass this rule by changing the file name, as so: https://prnt.sc/ZqePZKuV1-Vq

Other than that, LGTM!

---------

Co-authored-by: Ruben Groenewoud <[email protected]>
Co-authored-by: Samirbous <[email protected]>

(cherry picked from commit 748bdbf)
Labels
backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
3 participants