[New Rule] Enumerating Domain Trusts via Dsquery.exe #2508
Merged
merged 4 commits into from
Feb 1, 2023
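--- /dev/null
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/01/27"
+integration = ["endpoint", "windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/01/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to
+enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest
+environments.
+"""
+false_positives = [
+"Domain administrators may use this command-line utility for legitimate information gathering purposes.",
+]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Enumerating Domain Trusts via DSQUERY.EXE"
+note = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+references = [
+"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)",
+"https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944",
+]
+risk_score = 21
+rule_id = "06a7a03c-c735-47a6-a313-51c354aef6c3"
+severity = "low"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+(process.name : "dsquery.exe" or process.pe.original_file_name: "dsquery.exe") and
+process.args : "*objectClass=trustedDomain*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1482"
+name = "Domain Trust Discovery"
+reference = "https://attack.mitre.org/techniques/T1482/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"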
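Review bot: The query line `process.args : "*objectClass=trustedDomain*"` keys on one LDAP filter spelling, so `dsquery * -filter "(objectCategory=trustedDomain)"`, which as far as I know returns the same trust objects from Active Directory, would not fire; I would widen it to `process.args : ("*objectClass=trustedDomain*", "*objectCategory=trustedDomain*")`. The `*...*` wildcard on an argument that contains no whitespace holds up even if a source splits the command line differently, and `:` in EQL is case-insensitive, so casing variants of the attribute name are already covered. Since the rename-resistant half of the match rests on `process.pe.original_file_name`, the `note` Setup section should presumably state that a renamed copy of dsquery.exe is only caught by data sources that collect PE version info — confirm which of the integrations in `index` do before wording it.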