elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Enumerating domain and enterprise admins with net group #438

Closed peasead closed 1 year ago

peasead commented 4 years ago

Description

net group allows you to enumerate accounts in a Windows environment. This is a behavior that is commonly associated with ransomware operators.

This rule will detect when it is being used to enumerate domain and enterprise administrators.

Required Info

Optional Info

Example Data

process.pe.original_file_name:net.exe and process.args:("group" and ("domain admins" or "enterprise admins"))

{
  "_index": ".ds-logs-endpoint.events.process-default-000003",
  "_type": "_doc",
  "_id": "n9hpenUBio9VLad41Mxt",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "id": "c4cbe1e4-30da-417e-91b9-5845f93f5d4e",
      "type": "endpoint",
      "version": "7.9.2"
    },
    "process": {
      "Ext": {
        "ancestry": [
          "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTM4MzYtMTMyNDg1NDk0OTAuNzAxMDUwMDA=",
          "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTkyMDQtMTMyNDg1NDkzNTEuMTQwODkxMDA=",
          "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTkxNzItMTMyNDg1NDkzNTEuNjA1MDk2MDA=",
          "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTYwMC0xMzI0ODU0OTI1NC4xMDgzMDUwMA=="
        ],
        "code_signature": [
          {
            "subject_name": "Microsoft Windows",
            "status": "trusted"
          }
        ],
        "token": {
          "integrity_level_name": "high",
          "elevation_level": "default"
        }
      },
      "args": [
        "net",
        "group",
        "enterprise admins",
        "/domain"
      ],
      "parent": {
        "name": "cmd.exe",
        "pid": 3836,
        "entity_id": "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTM4MzYtMTMyNDg1NDk0OTAuNzAxMDUwMDA=",
        "executable": "C:\\Windows\\System32\\cmd.exe"
      },
      "pe": {
        "original_file_name": "net.exe"
      },
      "name": "net.exe",
      "pid": 9504,
      "args_count": 4,
      "entity_id": "YzRjYmUxZTQtMzBkYS00MTdlLTkxYjktNTg0NWY5M2Y1ZDRlLTk1MDQtMTMyNDg1NTAxMDAuNDY1MjI0MDA=",
      "command_line": "net  group \"enterprise admins\" /domain",
      "executable": "C:\\Windows\\System32\\net.exe",
      "hash": {
        "sha1": "5b9ea3c45a11d4aeb1b1ac0f72c4c19308fc7d0b",
        "sha256": "96cdfd7b263947a6a7c0db54141a6b8d7777db0a03a17cbf95666d98422f937b",
        "md5": "a63df9a6e9098cc189f2a3efc37600f6"
      }
    },
    "message": "Endpoint process event",
    "@timestamp": "2020-10-30T16:48:20.46522400Z",
    "ecs": {
      "version": "1.5.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "endpoint.events.process"
    },
    "elastic": {
      "agent": {
        "id": "689cfe1b-a8dc-4242-83ae-965312db059e"
      }
    },
    "host": {
      "hostname": "[redacted]",
      "os": {
        "Ext": {
          "variant": "Windows 10 Enterprise Evaluation"
        },
        "kernel": "1909 (10.0.18363.1139)",
        "name": "Windows",
        "family": "windows",
        "version": "1909 (10.0.18363.1139)",
        "platform": "windows",
        "full": "Windows 10 Enterprise Evaluation 1909 (10.0.18363.1139)"
      },
      "ip": [
        "172.16.17.151",
        "fe80::81e2:50b5:eb1d:daf2",
        "127.0.0.1",
        "::1"
      ],
      "name": "[redacted]",
      "id": "d58f982a-e1cd-db85-d110-f444e469a221",
      "mac": [
        "00:0c:29:b4:4c:e8"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "sequence": 7029,
      "ingested": "2020-10-30T16:49:17.421302517Z",
      "created": "2020-10-30T16:48:20.46522400Z",
      "kind": "event",
      "module": "endpoint",
      "action": "start",
      "id": "Ltl+WKnpkS7QQzjt+++++1JB",
      "category": [
        "process"
      ],
      "type": [
        "start"
      ],
      "dataset": "endpoint.events.process"
    },
    "user": {
      "domain": "[redacted]",
      "name": "[redacted]"
    }
  },
  "fields": {
    "event.ingested": [
      "2020-10-30T16:49:17.421Z"
    ],
    "@timestamp": [
      "2020-10-30T16:48:20.465Z"
    ],
    "event.created": [
      "2020-10-30T16:48:20.465Z"
    ]
  },
  "highlight": {
    "process.pe.original_file_name": [
      "@kibana-highlighted-field@net.exe@/kibana-highlighted-field@"
    ],
    "process.args": [
      "@kibana-highlighted-field@group@/kibana-highlighted-field@",
      "@kibana-highlighted-field@enterprise admins@/kibana-highlighted-field@"
    ],
    "host.hostname": [
      "@kibana-highlighted-field@[redacted]@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1604076500465
  ]
}
peasead commented 4 years ago

Requesting feedback from @Samirbous prior to me creating PRs.

Samirbous commented 3 years ago

@peasead, there are some rules (3 at least) in the old eq-rules repo for account or group discovery; for example, this one is a good candidate to expand.

You can also leverage EQL wildcards to make it a bit broader in terms of privileged group or user account (domain and local) discovery, maybe something like below:

You can add more known privileged groups to the discovery scope; net1.exe can also be used directly, which is why it was included.


process where event.type in ("start", "process_started") and
  ((process.name == "net.exe" or process.pe.original_file_name == "net.exe") or
   (process.name == "net1.exe" and not process.parent.name == "net.exe")) and
  wildcard(process.args, "*group", "* user *") and
  wildcard(process.args, "*admin*", "Domain Controllers", "Exchange Servers", "Domain Computers") and
  not wildcard(process.args, "/add")

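To show how the broadened query behaves against endpoint process events, here is an added Python re-implementation of its logic run over constructed ECS-style events modelled on the sample in this issue. It is illustrative code, not the detection-rules project's EQL engine or any of its rules; it matches patterns against individual process.args values (so the user check is the bare token "user" rather than "* user *"), treats matching as case-insensitive, and exercises the two exclusions (net1.exe spawned by net.exe, and "/add" group modifications).

```python
import fnmatch

# Constructed ECS-style process events (not real telemetry), shaped like the
# endpoint.events.process document quoted in this issue.
SAMPLE_EVENTS = [
    {"event": {"type": ["start"]},
     "process": {"name": "net.exe", "pe": {"original_file_name": "net.exe"},
                 "parent": {"name": "cmd.exe"},
                 "args": ["net", "group", "enterprise admins", "/domain"]}},
    {"event": {"type": ["start"]},  # net1.exe launched by net.exe: already covered, excluded
     "process": {"name": "net1.exe", "pe": {"original_file_name": "net1.exe"},
                 "parent": {"name": "net.exe"},
                 "args": ["net1", "group", "domain admins", "/domain"]}},
    {"event": {"type": ["start"]},  # membership change, not discovery: excluded by "/add"
     "process": {"name": "net.exe", "pe": {"original_file_name": "net.exe"},
                 "parent": {"name": "cmd.exe"},
                 "args": ["net", "group", "Domain Admins", "backup-svc", "/add", "/domain"]}},
    {"event": {"type": ["start"]},  # privileged user discovery via "net user"
     "process": {"name": "net.exe", "pe": {"original_file_name": "net.exe"},
                 "parent": {"name": "cmd.exe"},
                 "args": ["net", "user", "administrator", "/domain"]}},
]

# Privileged groups from the query above; extend this tuple to widen the scope.
PRIVILEGED_PATTERNS = ("*admin*", "Domain Controllers", "Exchange Servers", "Domain Computers")


def _wildcard(values, *patterns):
    """EQL-style wildcard(): true when any value matches any glob pattern.
    Case-insensitive here (an assumption; check the EQL dialect you deploy on)."""
    return any(fnmatch.fnmatch(v.lower(), p.lower()) for v in values for p in patterns)


def is_priv_group_discovery(evt):
    """Return True when the event matches the privileged group/user discovery logic."""
    p = evt["process"]
    name = p.get("name", "").lower()
    orig = p.get("pe", {}).get("original_file_name", "").lower()
    parent = p.get("parent", {}).get("name", "").lower()
    args = p.get("args", [])
    if not set(evt["event"]["type"]) & {"start", "process_started"}:
        return False
    is_net = name == "net.exe" or orig == "net.exe"
    is_net1 = name == "net1.exe" and parent != "net.exe"
    if not (is_net or is_net1):
        return False
    if not _wildcard(args, "*group", "user"):
        return False
    if not _wildcard(args, *PRIVILEGED_PATTERNS):
        return False
    return not _wildcard(args, "/add")  # adding members is a different behavior


def matching_events(events):
    """Indexes of events that would fire the rule; [0, 3] for SAMPLE_EVENTS."""
    return [i for i, e in enumerate(events) if is_priv_group_discovery(e)]
```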
peasead commented 3 years ago

7/1 - update

Recommend handing off to Analysis to assess viability or issue closure.

w0rk3r commented 1 year ago

Closing this one as the behavior is covered in the following: