
[New Rule] Enumerating domain trusts activity #437

Closed peasead closed 2 years ago

peasead commented 4 years ago

Description

NLTEST.EXE is a very powerful command-line utility that can be used to test trust relationships and the state of Domain Controller replication in a Microsoft Windows NT domain.

This rule detects when it is used to enumerate domain trusts. The query below keys on `process.pe.original_file_name` (nltestrk.exe, as seen in the example event) rather than on `process.name`, so it still matches if the binary has been renamed.

Required Info

Optional Info

Example Data

process.pe.original_file_name:nltestrk.exe and process.args:("/domain_trusts" or "/all_trusts" or /dclist\:*)
{
  "_index": ".ds-logs-endpoint.events.process-default-000003",
  "_type": "_doc",
  "_id": "ggIienUBFsYu-VWrXlfJ",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "id": "c4cbe1e4-30da-417e-91b9-5845f93f5d4e",
      "type": "endpoint",
      "version": "7.9.2"
    },
    "process": {
      "Ext": {
        "ancestry": [
          "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTgxNzItMTMyNDg1NDUwNzkuMTU0OTkyMDA=",
          "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTUxMTItMTMyNDg1NDUwNjMuNDY5NDA3MDA=",
          "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTUwMzYtMTMyNDg1NDUwNjMuNzU2NjI1MDA=",
          "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTU4OC0xMzI0ODU0NTA1My45NzcyMDAw"
        ],
        "code_signature": [
          {
            "subject_name": "Microsoft Windows",
            "status": "trusted"
          }
        ],
        "token": {
          "integrity_level_name": "high",
          "elevation_level": "default"
        }
      },
      "args": [
        "nltest.exe",
        "/dclist:WORKGROUP"
      ],
      "parent": {
        "name": "cmd.exe",
        "pid": 8172,
        "entity_id": "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTgxNzItMTMyNDg1NDUwNzkuMTU0OTkyMDA=",
        "executable": "C:\\Windows\\System32\\cmd.exe"
      },
      "pe": {
        "original_file_name": "nltestrk.exe"
      },
      "name": "nltest.exe",
      "pid": 11028,
      "args_count": 2,
      "entity_id": "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTExMDI4LTEzMjQ4NTQ1MzYwLjI4OTI4MzAw",
      "command_line": "nltest.exe  /dclist:WORKGROUP",
      "executable": "C:\\Windows\\System32\\nltest.exe",
      "hash": {
        "sha1": "2339275f8bdd00bdd740e97b104917b085260904",
        "sha256": "e2c3e91f1ff8c518a3276c80d7f3ac875090bf6e02a0e03d7eaab47c60af658f",
        "md5": "f9a3731de3c11b21e101cfd6bd1f7bd3"
      }
    },
    "message": "Endpoint process event",
    "@timestamp": "2020-10-30T15:29:20.28928300Z",
    "ecs": {
      "version": "1.5.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "endpoint.events.process"
    },
    "elastic": {
      "agent": {
        "id": "689cfe1b-a8dc-4242-83ae-965312db059e"
      }
    },
    "host": {
      "hostname": "[redacted]",
      "os": {
        "Ext": {
          "variant": "Windows 10 Enterprise Evaluation"
        },
        "kernel": "1909 (10.0.18363.1139)",
        "name": "Windows",
        "family": "windows",
        "version": "1909 (10.0.18363.1139)",
        "platform": "windows",
        "full": "Windows 10 Enterprise Evaluation 1909 (10.0.18363.1139)"
      },
      "ip": [
        "172.16.17.151",
        "fe80::81e2:50b5:eb1d:daf2",
        "127.0.0.1",
        "::1"
      ],
      "name": "[redacted]",
      "id": "d58f982a-e1cd-db85-d110-f444e469a221",
      "mac": [
        "00:0c:29:b4:4c:e8"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "sequence": 2952,
      "ingested": "2020-10-30T15:31:14.216707127Z",
      "created": "2020-10-30T15:29:20.28928300Z",
      "kind": "event",
      "module": "endpoint",
      "action": "start",
      "id": "Ltkk6+c1EkX1FvFt++++++rQ",
      "category": [
        "process"
      ],
      "type": [
        "start"
      ],
      "dataset": "endpoint.events.process"
    },
    "user": {
      "domain": "[redacted]",
      "name": "[redacted]"
    }
  },
  "fields": {
    "event.ingested": [
      "2020-10-30T15:31:14.216Z"
    ],
    "@timestamp": [
      "2020-10-30T15:29:20.289Z"
    ],
    "event.created": [
      "2020-10-30T15:29:20.289Z"
    ]
  },
  "highlight": {
    "process.pe.original_file_name": [
      "@kibana-highlighted-field@nltestrk.exe@/kibana-highlighted-field@"
    ],
    "process.args": [
      "@kibana-highlighted-field@/dclist:WORKGROUP@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1604071760289
  ]
}
peasead commented 3 years ago

7/1 - update

Recommend handing off to Analysis to assess viability or Issue closure.