Closed peasead closed 10 months ago
Request feedback from @Samirbous prior to me creating PRs.
@peasead good one, there is already a generic/broader rule for this that has the same logic but excludes only the normal process in Windows that performs direct SMB connections (which is the System process and always has the same process ID, equal to 0x4), so anything else is worth reviewing (e.g. regsvr32, rundll32, etc.; usual FPs are scanner-related processes)
Okay, I'll move onto the next step and see if it's a worthwhile rule.
```kql
process.pe.original_file_name:(REGSVR32.EXE or RUNDLL32.EXE) and destination.port:445
```
```kql
((winlog.channel:Microsoft\-Windows\-Sysmon\/Operational AND winlog.event_id:1) AND (process.executable:(*\\Bloodhound.exe* OR *\\SharpHound.exe*) OR process.args:(*\ \-CollectionMethod\ All\ * OR *.exe\ \-c\ All\ \-d\ * OR *Invoke\-Bloodhound* OR *Get\-BloodHoundData*) OR (process.args:*\ \-JsonFolder\ * AND process.args:*\ \-ZipFileName\ *) OR (process.args:*\ DCOnly\ * AND process.args:*\ \-\-NoSaveCache\ *)))
```
Thanks @austinsonger
Quick note on the References: it looks like SharpHound is deprecated for SharpHound3.
That said, `winlog.channel` is only a Winlogbeat field, and SharpHound lights up the Security integration of the Elastic Endpoint Agent.
So, I think maybe what we do is use some of your `process.args` (which look fairly complete) along with `process.pe.original_file_name:BloodHound.exe`? These look to be in Lucene?
What about something like this? We can build more on this, but as a jumping-off point:

```kql
event.category:process and event.type:(process_start or start) and (process.name:SharpHound.exe or
process.pe.original_file_name:SharpHound.exe) and process.args:("--CollectionMethod" or "-c")
```
Edit: I think that if we shoot for the process names (incl. the compiled process name) and the PowerShell cmdlets, we'll catch any of the available switches of Bloodhound collectors (SharpHound and AzureHound). See below.
Stashing some options for now:

KQL

```kql
event.category:process and event.type:(process_start or start) and
(process.name:(SharpHound.exe or BloodHound.exe) or
process.pe.original_file_name:(BloodHound.exe or SharpHound.exe)) or
process.args:(invoke-bloodhound or invoke-azurehound)
```
EQL (I like this better because we can do case-insensitivity), but this will need to wait until this merges:

```eql
process where event.type in ("start", "process_started") and
(process.name:("sharphound.exe", "bloodhound.exe") or
process.pe.original_file_name:("sharphound.exe", "bloodhound.exe")) or
process.args:("invoke-bloodhound", "invoke-azurehound")
```
As an EQL workaround until that PR merges:

```eql
process where event.type in ("start", "process_started") and
((process.name:"sharphound.exe" or process.name:"bloodhound.exe") or
(process.pe.original_file_name:"sharphound.exe" or
process.pe.original_file_name:"bloodhound.exe")) or (process.args:"invoke-bloodhound"
or process.args:"invoke-azurehound")
```
In DevTools:

```
GET /.ds-logs-endpoint.events.*/_eql/search
{
  "query": """
    process where event.type in ("start", "process_started") and
    ((process.name:"sharphound.exe" or process.name:"bloodhound.exe") or
    (process.pe.original_file_name:"sharphound.exe" or
    process.pe.original_file_name:"bloodhound.exe")) or (process.args:"invoke-bloodhound" or
    process.args:"invoke-azurehound")
  """
}
```
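The process-start logic drafted above, modelled in Python so the matching can be run against sample events offline. This is an added example, not code from this issue, from Elastic's detection-rules repository, or from the BloodHound project; the field names follow the ECS fields used in the drafts, and the sample events are constructed. It folds every string comparison to lower case, which is what EQL's `:` operator does and why the EQL form is preferred in the comment.

```python
"""Model of the thread's process-start rule for BloodHound collectors.

Added example for illustration; it is not code from the issue, from Elastic's
detection-rules repository, or from the BloodHound project. Field names follow
ECS as used in the thread's queries; the sample events below are constructed.
"""

# Names taken from the thread's EQL/KQL drafts. EQL's ':' operator compares
# strings case-insensitively, so everything is folded to lower case here.
START_TYPES = {"start", "process_started"}
COLLECTOR_NAMES = {"sharphound.exe", "bloodhound.exe"}
COLLECTOR_CMDLETS = {"invoke-bloodhound", "invoke-azurehound"}


def _lowered(event: dict, key: str) -> set:
    """Return the field's value(s) as a set of lower-cased strings.

    ECS fields such as event.type and process.args are arrays in Endpoint
    events; scalar strings are accepted too so hand-built events stay short.
    """
    value = event.get(key)
    if value is None:
        return set()
    if isinstance(value, str):
        value = [value]
    return {str(v).lower() for v in value}


def matches_collector_rule(event: dict) -> bool:
    """True when a process event looks like a BloodHound collector launch.

    Mirrors the thread's EQL draft: the event must be a process start, and
    either the image name / PE original file name is a known collector, or one
    of process.args equals a collector PowerShell cmdlet name (the args match
    succeeds if any element of the array matches, as EQL does for array fields).
    """
    if not (_lowered(event, "event.type") & START_TYPES):
        return False
    names = _lowered(event, "process.name") | _lowered(event, "process.pe.original_file_name")
    if names & COLLECTOR_NAMES:
        return True
    return bool(_lowered(event, "process.args") & COLLECTOR_CMDLETS)


def run_rule(events: list) -> list:
    """Return the indices of the events that the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_collector_rule(ev)]


# Constructed sample events (not real telemetry). Paths and names are invented.
SAMPLE_EVENTS = [
    {   # 0: collector run under its own name
        "event.type": ["start"],
        "process.name": "SharpHound.exe",
        "process.pe.original_file_name": "SharpHound.exe",
        "process.args": ["SharpHound.exe", "-c", "All"],
    },
    {   # 1: renamed binary; only the PE original file name gives it away
        "event.type": ["start"],
        "process.name": "svc_update.exe",
        "process.pe.original_file_name": "SharpHound.exe",
        "process.args": ["svc_update.exe", "--CollectionMethod", "Session"],
    },
    {   # 2: PowerShell collector; the cmdlet name appears as an argument
        "event.type": ["start"],
        "process.name": "powershell.exe",
        "process.pe.original_file_name": "PowerShell.EXE",
        "process.args": ["powershell.exe", "-c", "Invoke-BloodHound", "-CollectionMethod", "All"],
    },
    {   # 3: benign regsvr32 registration, should not match
        "event.type": ["start"],
        "process.name": "regsvr32.exe",
        "process.pe.original_file_name": "REGSVR32.EXE",
        "process.args": ["regsvr32.exe", "/s", "C:\\Windows\\System32\\scrrun.dll"],
    },
    {   # 4: collector name but a process-end event, filtered by event.type
        "event.type": ["end"],
        "process.name": "sharphound.exe",
        "process.pe.original_file_name": "SharpHound.exe",
        "process.args": ["sharphound.exe"],
    },
]

if __name__ == "__main__":
    print("alerting event indices:", run_rule(SAMPLE_EVENTS))  # [0, 1, 2]
```

One point on precedence worth checking before such a draft ships: in both EQL and KQL, `and` binds tighter than `or`, so in the drafts above the `process.args` clause stands on its own rather than under the `event.type` check. The function applies the start-type gate to all three conditions; wrapping the whole `or` chain in parentheses makes the query do the same.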
Possible smarter ways to find this. H/T @bm11100

`event.module:powershell`

`powershell.file.script_block_text` (truncated):

```powershell
)
$DeflatedStream.Read($UncompressedFileBytes, 0, 833024) | Out-Null
$Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)
$BindingFlags = [Reflection.BindingFlags] "Public,Static"
$a = @()
$Assembly.GetType("Costura.AssemblyLoader", $false).GetMethod("Attach", $BindingFlags).Invoke($Null, @())
$Assembly.GetType("SharpHound3.SharpHound").GetMethod("InvokeSharpHound").Invoke($Null, @(,$passed))
}
```

`message` carries the same content as `powershell.file.script_block_text` above.
And the built-in Windows integration covers `Microsoft-Windows-PowerShell/Operational`. We could then add a `logs-windows*` index. It just depends on whether we would want to do leading and trailing wildcards, which would pretty much be our only option in the script blocks.
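The script-block approach sketched here, as an added example that is not part of this issue, of Elastic's code, or of the BloodHound project: a case-insensitive contains-match (the equivalent of a leading and trailing wildcard) over `powershell.file.script_block_text`, falling back to `message` since the thread observes the block in both fields. The indicator strings are lifted from the script block quoted above; the `SCRIPT_BLOCK` stand-in and the sample events are constructed.

```python
"""Substring ('*pattern*') scan of PowerShell script block text for SharpHound loaders.

Added example; not code from the issue, from Elastic, or from the BloodHound
project. The indicator strings come from the script block quoted in the thread;
the sample events are constructed, and SCRIPT_BLOCK below is a shortened,
hand-written stand-in for the quoted one.
"""

# Strings that identify the collector itself: any one is enough to alert.
STRONG_INDICATORS = (
    "SharpHound3.SharpHound",
    "InvokeSharpHound",
    "Invoke-BloodHound",
    "Invoke-AzureHound",
)
# Reflective-loading plumbing seen in the same block. Costura.AssemblyLoader is
# emitted by any Costura.Fody-packed assembly and [Reflection.Assembly]::Load is
# common in legitimate scripts, so these only add context and never alert alone.
WEAK_INDICATORS = (
    "Costura.AssemblyLoader",
    "Reflection.Assembly]::Load",
)


def script_block_indicators(text: str) -> dict:
    """Case-insensitive contains-match, the equivalent of leading+trailing wildcards."""
    lowered = text.lower()
    strong = [p for p in STRONG_INDICATORS if p.lower() in lowered]
    weak = [p for p in WEAK_INDICATORS if p.lower() in lowered]
    return {"alert": bool(strong), "strong": strong, "weak": weak}


def scan_events(events: list) -> list:
    """Return (index, indicators) for each PowerShell event whose block alerts.

    The thread notes the block shows up in both powershell.file.script_block_text
    and message, so the scan reads the first and falls back to the second.
    """
    hits = []
    for i, ev in enumerate(events):
        if ev.get("event.module") != "powershell":
            continue
        text = ev.get("powershell.file.script_block_text") or ev.get("message") or ""
        result = script_block_indicators(text)
        if result["alert"]:
            hits.append((i, result))
    return hits


# Constructed stand-in for the quoted loader block (shortened; not a real script).
SCRIPT_BLOCK = r"""
$Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)
$BindingFlags = [Reflection.BindingFlags] "Public,Static"
$Assembly.GetType("Costura.AssemblyLoader", $false).GetMethod("Attach", $BindingFlags).Invoke($Null, @())
$Assembly.GetType("SharpHound3.SharpHound").GetMethod("InvokeSharpHound").Invoke($Null, @(,$passed))
}
"""

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event.module": "powershell",
     "powershell.file.script_block_text": SCRIPT_BLOCK},
    {"event.module": "powershell",           # only the message field carries the block
     "message": SCRIPT_BLOCK},
    {"event.module": "powershell",           # Costura-packed tool, no collector strings
     "powershell.file.script_block_text":
         '$asm.GetType("Costura.AssemblyLoader", $false).GetMethod("Attach").Invoke($null, @())'},
    {"event.module": "powershell",           # ordinary admin script
     "powershell.file.script_block_text": "Get-Service | Where-Object Status -eq Running"},
    {"event.module": "sysmon",               # wrong module, skipped
     "message": SCRIPT_BLOCK},
]

if __name__ == "__main__":
    for idx, result in scan_events(SAMPLE_EVENTS):
        print(idx, result["strong"], result["weak"])
```

Splitting the indicators into strong and weak keeps the Costura loader stub from generating alerts on its own, since that class name appears in any Costura-packed .NET tool; it still shows up in the result so an analyst sees the reflective-load context next to the collector hit.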
This one would expand coverage for Elastic.
MITRE
Tactic | Technique ID | Technique Name | Sub-Technique Name | Elastic Current Coverage |
---|---|---|---|---|
Discovery | T1087.001 | Account Discovery | Local Account | :x: |
Discovery | T1087.002 | Account Discovery | Domain Account | :heavy_check_mark: |
Discovery | T1482 | Domain Trust Discovery | | :heavy_check_mark: |
Discovery | T1069.001 | Permission Groups Discovery | Local Groups | :x: |
Discovery | T1069.002 | Permission Groups Discovery | Domain Groups | :heavy_check_mark: |
7/1 - update
Suggesting this be taken over by Analysis and assessed for viability or closed.
Description

Bloodhound and Sharphound are tools for exploring Active Directory domain security. Bloodhound is an open source application used for analyzing the security of Active Directory domains.

This rule will detect when `regsvr32.exe` is used for SMB enumeration.

Required Info

Eventing Sources:
Target Operating Systems: Windows
Platforms: NA
Target ECS Version: 1.6.0
New fields required in ECS for this? NA
Related issues or PRs: NA

Optional Info

Example Data