Closed peasead closed 1 year ago
Request feedback from @Samirbous prior to me creating PRs.
@peasead there are some rules (3 at least) in the old eq-rules repo for accounts or groups discovery; for example, this one is a good candidate to expand.
You can also leverage the EQL wildcard to make it a bit broader in terms of privileged groups or user accounts (domain and local) discovery, maybe something like below:

```eql
process where event.type in ("start", "process_started") and
  (
    (process.name == "net.exe" or process.pe.original_file_name == "net.exe") or
    (process.name == "net1.exe" and not process.parent.name == "net.exe")
  ) and
  wildcard(process.args, "*group", "* user *") and
  wildcard(process.args, "*admin*", "Domain Controllers", "Exchange Servers", "Domain Computers") and
  not wildcard(process.args, "/add")
```

You can add more known privileged groups to the discovery scope; net1.exe can also be used directly, which is why it was included.
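To make the clause-by-clause behaviour of the proposed query checkable offline, here is an added Python re-implementation of its logic run over constructed process-start events. This is example code written for this thread, not code from the elastic/detection-rules project or from the commenter; the event schema, the `make_event` helper, the case-insensitive matching, and the sample command lines are all assumptions made for the example, and it treats a missing `process.parent.name` as "not net.exe" (real EQL would evaluate that comparison to null).

```python
"""Added example: evaluate the proposed net/net1 group-discovery logic over
constructed Windows process-start events (not real telemetry)."""
import fnmatch

# Wildcard patterns copied from the proposed EQL query.
GROUP_OR_USER_PATTERNS = ["*group", "* user *"]
PRIVILEGED_PATTERNS = ["*admin*", "Domain Controllers", "Exchange Servers", "Domain Computers"]
EXCLUDE_PATTERNS = ["/add"]


def wildcard(values, *patterns):
    """Mimic EQL wildcard() on an array field: true if any element matches any
    glob pattern. Case-insensitive matching is an assumption of this example."""
    return any(fnmatch.fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)


def make_event(name, args, parent=None, original_file_name=None, etype="start"):
    """Build a minimal ECS-like event dict (hypothetical helper for this example)."""
    proc = {"name": name, "args": args}
    if parent is not None:
        proc["parent"] = {"name": parent}
    if original_file_name is not None:
        proc["pe"] = {"original_file_name": original_file_name}
    return {"event": {"type": etype}, "process": proc}


def matches(event):
    """Return True when the event satisfies every clause of the proposed query."""
    if event["event"]["type"] not in ("start", "process_started"):
        return False
    proc = event["process"]
    # net.exe by name or by PE original file name (catches a renamed binary).
    is_net = (proc.get("name") == "net.exe"
              or proc.get("pe", {}).get("original_file_name") == "net.exe")
    # net1.exe only when not launched by net.exe, which the net.exe event already covers.
    is_net1_direct = (proc.get("name") == "net1.exe"
                      and proc.get("parent", {}).get("name") != "net.exe")
    if not (is_net or is_net1_direct):
        return False
    args = proc.get("args", [])
    return (wildcard(args, *GROUP_OR_USER_PATTERNS)
            and wildcard(args, *PRIVILEGED_PATTERNS)
            and not wildcard(args, *EXCLUDE_PATTERNS))


# Constructed sample events with the outcome each one is meant to demonstrate.
SAMPLE_EVENTS = [
    make_event("net.exe", ["net", "group", "Domain Admins", "/domain"]),            # match
    make_event("net1.exe", ["net1", "localgroup", "administrators"], parent="cmd.exe"),  # match
    make_event("net1.exe", ["net1", "group", "Domain Admins", "/domain"], parent="net.exe"),  # no: child of net.exe
    make_event("net.exe", ["net", "localgroup", "administrators", "svc_backup", "/add"]),  # no: /add excluded
    make_event("net.exe", ["net", "user", "administrator", "/domain"]),              # no: "* user *" needs spaces
    make_event("n3t.exe", ["n3t", "group", "Domain Admins"], original_file_name="net.exe"),  # match via PE name
    make_event("net.exe", ["net", "group", "Domain Admins"], etype="end"),          # no: not a start event
]


def evaluate(events):
    """Evaluate the rule over a list of events; returns one bool per event."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("MATCH  " if hit else "ignore ", " ".join(ev["process"]["args"]))
```

One thing the sample set makes visible: because each pattern is tested against individual `process.args` elements in this re-implementation, `"* user *"` (which needs a space on both sides) never matches the lone token `user`, so a `net user <name> /domain` lookup is not caught by the patterns as written; covering it would take a plain `"user"` pattern or a match against `process.command_line`. That is an observation about this example's evaluation, not a statement about how the production rule ended up being written.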
7/1 - update
Recommend handing off to Analysis to assess viability or Issue closure.
Closing this one as the behavior is covered in the following:
Description
`net group` allows you to enumerate accounts in a Windows environment. This is a behavior that is commonly associated with ransomware operators. This rule will detect when it is being used to enumerate domain and enterprise administrators.
Required Info
Eventing Sources:
Target Operating Systems: Windows
Platforms: NA
Target ECS Version: 1.6.0
New fields required in ECS for this? NA
Related issues or PRs: NA
Optional Info
Example Data