elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Possible Bloodhound or Sharphound Activity #442

Closed peasead closed 10 months ago

peasead commented 4 years ago

Description

Bloodhound and Sharphound are tools for exploring Active Directory domain security. Bloodhound is an open source application used for analyzing the security of Active Directory domains.

This rule will detect when regsvr32.exe is used for SMB enumeration.

Required Info

Optional Info

Example Data

process.pe.original_file_name:REGSVR32.EXE and destination.port:445
peasead commented 4 years ago

Request feedback from @Samirbous prior me creating PRs.

Samirbous commented 4 years ago

@peasead good one, there is already a generic/broader rule for this that has the same logic but excludes only the normal Windows process that performs direct SMB connections (which is the System process and always has the same process ID, 0x4), so anything else is worth reviewing (e.g. regsvr32, rundll32, etc.; usual FPs are scanner-related processes)

peasead commented 3 years ago

Okay, I'll move onto the next step and see if it's a worthwhile rule.

process.pe.original_file_name:(REGSVR32.EXE or RUNDLL32.EXE) and destination.port:445
austinsonger commented 3 years ago
((winlog.channel:Microsoft\-Windows\-Sysmon\/Operational AND winlog.event_id:1) AND (process.executable:(*\\Bloodhound.exe* OR *\\SharpHound.exe*) OR process.args:(*\ \-CollectionMethod\ All\ * OR *.exe\ \-c\ All\ \-d\ * OR *Invoke\-Bloodhound* OR *Get\-BloodHoundData*) OR (process.args:*\ \-JsonFolder\ * AND process.args:*\ \-ZipFileName\ *) OR (process.args:*\ DCOnly\ * AND process.args:*\ \-\-NoSaveCache\ *)))

References

peasead commented 3 years ago

Thanks @austinsonger

Quick note on the References, it looks like SharpHound is deprecated for SharpHound3

That said, winlog.channel is only a Winlogbeat field and Sharphound lights up the Security integration of the Elastic Endpoint Agent.

So, I think maybe what we do is use some of your process.args (which look fairly complete) along with process.pe.original_file_name:BloodHound.exe? These look to be in Lucene?

peasead commented 3 years ago

What about something like this? We can build more on this, but as a jumping-off point

event.category:process and event.type:(process_start or start) and (process.name:SharpHound.exe or 
process.pe.original_file_name:SharpHound.exe) and process.args:("--CollectionMethod" or "-c")

Edit: I think that if we shoot for the process names (incl. the compiled process name) and the PowerShell cmdlets, we'll catch any of the available switches of Bloodhound collectors (SharpHound and AzureHound). See below.

peasead commented 3 years ago

Stashing some options for now: KQL

event.category:process and event.type:(process_start or start) and
 ((process.name:(SharpHound.exe or BloodHound.exe) or
 process.pe.original_file_name:(BloodHound.exe or SharpHound.exe)) or
 process.args:(invoke-bloodhound or invoke-azurehound))

EQL (I like this better because we can do case-insensitivity) but will need to wait until this merges

process where event.type in ("start", "process_started") and
((process.name:("sharphound.exe", "bloodhound.exe") or
process.pe.original_file_name:("sharphound.exe", "bloodhound.exe")) or
process.args:("invoke-bloodhound", "invoke-azurehound"))

As an EQL workaround until that PR merges

process where event.type in ("start", "process_started") and
(((process.name:"sharphound.exe" or process.name:"bloodhound.exe") or
(process.pe.original_file_name:"sharphound.exe" or
process.pe.original_file_name:"bloodhound.exe")) or (process.args:"invoke-bloodhound"
or process.args:"invoke-azurehound"))

In DevTools

GET /.ds-logs-endpoint.events.*/_eql/search
{
  "query": """
process where event.type in ("start", "process_started") and
(((process.name:"sharphound.exe" or process.name:"bloodhound.exe") or
(process.pe.original_file_name:"sharphound.exe" or
process.pe.original_file_name:"bloodhound.exe")) or (process.args:"invoke-bloodhound" or
process.args:"invoke-azurehound"))
  """
}
peasead commented 3 years ago

Possible smarter ways to find this. H/T @bm11100

event.module:powershell

powershell.file.script_block_text
)
    $DeflatedStream.Read($UncompressedFileBytes, 0, 833024) | Out-Null
    $Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)
    $BindingFlags = [Reflection.BindingFlags] "Public,Static"
    $a = @()
    $Assembly.GetType("Costura.AssemblyLoader", $false).GetMethod("Attach", $BindingFlags).Invoke($Null, @())
    $Assembly.GetType("SharpHound3.SharpHound").GetMethod("InvokeSharpHound").Invoke($Null, @(,$passed))
}

message
)
    $DeflatedStream.Read($UncompressedFileBytes, 0, 833024) | Out-Null
    $Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)
    $BindingFlags = [Reflection.BindingFlags] "Public,Static"
    $a = @()
    $Assembly.GetType("Costura.AssemblyLoader", $false).GetMethod("Attach", $BindingFlags).Invoke($Null, @())
    $Assembly.GetType("SharpHound3.SharpHound").GetMethod("InvokeSharpHound").Invoke($Null, @(,$passed))
}
bm11100 commented 3 years ago

And the built in windows integration covers Microsoft-Windows-PowerShell/Operational. We could then add a logs-windows* index. Just depends if we would want to do leading and trailing wildcards, which would pretty much be our only option in the script blocks.
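The three detection ideas floated in this thread (the SMB-from-a-non-System-process logic Samirbous describes, the SharpHound/BloodHound process-start query drafted above, and the script block matching bm11100 mentions) written out as plain Python predicates and run over a handful of constructed ECS-style events. This is an added example, not code from the elastic/detection-rules project or from anyone in the thread; the field names follow ECS and the Elastic Endpoint fields used in the thread, the sample events are constructed, and the script block markers are the strings visible in the SharpHound3 loader fragment quoted above. The process-start predicate applies the event.type filter to all three branches (names, original file name, cmdlet args), and the name comparisons are lowercased to mirror the case-insensitive EQL matching preferred above.

```python
"""Detection predicates for the BloodHound/SharpHound ideas in this issue.

Added example, not elastic/detection-rules project code. Field names follow ECS
as used in the thread; all events below are constructed test data.
"""

# Indicators taken from the queries drafted in the thread (compared lowercased).
COLLECTOR_NAMES = {"sharphound.exe", "bloodhound.exe"}
COLLECTOR_CMDLETS = {"invoke-bloodhound", "invoke-azurehound"}
# Strings present in the decoded SharpHound3 script block quoted in the thread,
# matched as substrings (the leading/trailing wildcard approach bm11100 describes).
SCRIPT_BLOCK_MARKERS = ("sharphound3.sharphound", "invokesharphound", "costura.assemblyloader")
SYSTEM_PID = 4  # the only Windows process expected to make direct SMB connections (0x4)


def _get(event, dotted, default=None):
    """Look up an ECS dotted field (e.g. 'process.pe.original_file_name') in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def _lower_list(value):
    """Normalise a scalar-or-array field to a list of lowercase strings."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v).lower() for v in value]
    return [str(value).lower()]


def is_collector_process_start(event):
    """event.category:process and event.type in (start, process_started) and
    ((process.name or process.pe.original_file_name is a collector binary) or
     process.args contains a BloodHound/AzureHound cmdlet)."""
    if _get(event, "event.category") != "process":
        return False
    if _get(event, "event.type") not in ("start", "process_started"):
        return False
    names = _lower_list(_get(event, "process.name")) + _lower_list(_get(event, "process.pe.original_file_name"))
    if any(n in COLLECTOR_NAMES for n in names):
        return True
    return any(a in COLLECTOR_CMDLETS for a in _lower_list(_get(event, "process.args")))


def is_non_system_smb_connection(event):
    """Network event to port 445 from anything other than the System process (pid 4)."""
    if _get(event, "event.category") != "network":
        return False
    if _get(event, "destination.port") != 445:
        return False
    return _get(event, "process.pid") != SYSTEM_PID


def is_sharphound_script_block(event):
    """PowerShell script block (event.module:powershell) carrying SharpHound3 loader strings."""
    if _get(event, "event.module") != "powershell":
        return False
    text = (_get(event, "powershell.file.script_block_text") or _get(event, "message") or "").lower()
    return any(marker in text for marker in SCRIPT_BLOCK_MARKERS)


# Constructed sample events (not real telemetry); index comments give the expected verdict.
SAMPLE_EVENTS = [
    {"event": {"category": "process", "type": "start"},  # 0: collector by name
     "process": {"name": "sharphound.exe", "pe": {"original_file_name": "SharpHound.exe"},
                 "args": ["SharpHound.exe", "-c", "All"]}},
    {"event": {"category": "process", "type": "start"},  # 1: renamed binary, original name survives
     "process": {"name": "update.exe", "pe": {"original_file_name": "SharpHound.exe"}, "args": ["update.exe"]}},
    {"event": {"category": "process", "type": "start"},  # 2: PowerShell cmdlet in args
     "process": {"name": "powershell.exe",
                 "args": ["powershell.exe", "-Command", "Invoke-BloodHound", "-CollectionMethod", "All"]}},
    {"event": {"category": "process", "type": "end"},  # 3: wrong event type, must not fire
     "process": {"name": "SharpHound.exe"}},
    {"event": {"category": "network"}, "destination": {"port": 445},  # 4: System process, expected SMB
     "process": {"pid": 4, "name": "System"}},
    {"event": {"category": "network"}, "destination": {"port": 445},  # 5: non-System SMB connection
     "process": {"pid": 5120, "name": "regsvr32.exe"}},
    {"event": {"module": "powershell"},  # 6: SharpHound3 loader fragment in script block
     "powershell": {"file": {"script_block_text":
                             '$Assembly.GetType("SharpHound3.SharpHound").GetMethod("InvokeSharpHound").Invoke($Null, @(,$passed))'}}},
    {"event": {"module": "powershell"},  # 7: benign script block
     "powershell": {"file": {"script_block_text": "Get-ChildItem C:\\Users"}}},
]

RULES = {
    "collector_process_start": is_collector_process_start,
    "non_system_smb_connection": is_non_system_smb_connection,
    "sharphound_script_block": is_sharphound_script_block,
}


def run_rules(events=SAMPLE_EVENTS):
    """Return {rule_name: [indices of events that rule matched]}."""
    hits = {name: [] for name in RULES}
    for idx, event in enumerate(events):
        for name, rule in RULES.items():
            if rule(event):
                hits[name].append(idx)
    return hits


if __name__ == "__main__":
    for name, matched in run_rules().items():
        print(f"{name}: events {matched}")
```

Event 4 is the reason the pid-4 exclusion matters: the System process makes direct SMB connections as a matter of course, so without that exclusion the network rule is pure noise, while event 1 shows why process.pe.original_file_name is worth keeping alongside process.name.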

austinsonger commented 3 years ago

This one would expand coverage for Elastic.

MITRE

| Tactic | Technique ID | Technique Name | Sub-Technique Name | Elastic Current Coverage |
| --- | --- | --- | --- | --- |
| Discovery | T1087.001 | Account Discovery | Local Account | ✗ |
| Discovery | T1087.002 | Account Discovery | Domain Account | ✓ |
| Discovery | T1482 | Domain Trust Discovery | | ✓ |
| Discovery | T1069.001 | Permission Groups Discovery | Local Groups | ✗ |
| Discovery | T1069.002 | Permission Groups Discovery | Domain Groups | ✓ |
peasead commented 3 years ago

7/1 - update

Suggesting this be taken over by Analysis and assessed for viability or closed.