Below is some guidance on rule creation and which events to look for:
Collection - Domain Controller - User Activity - Network Share Accessed
This rule looks for Windows Event ID 5140, which indicates that a network share has been accessed. On workstations and domain controllers, this event can be used to identify access to the C$ or Admin$ administrative shares. Common false positives are IPC$, \Sysvol and \Netlogon.
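A minimal implementation of the share-access rule, as an added example that is not code from the original post: it keeps only Event ID 5140 records, drops the false-positive shares named above, and rates C$/Admin$ hits higher than any other share. The event records and their field names (ShareName, SubjectUserName, IpAddress, Computer) are constructed to resemble what a SIEM extracts from 5140.

```python
"""Filter Windows Security Event ID 5140 (network share accessed) down to
the share accesses the rule is after. Added example; the event records are
constructed to mimic the fields a SIEM extracts from 5140."""

# Shares the rule lists as common false positives on workstations and DCs.
BENIGN_SHARES = {"IPC$", "SYSVOL", "NETLOGON"}
# Administrative shares whose access the rule is meant to surface.
ADMIN_SHARES = {"C$", "ADMIN$"}


def share_name(share_field):
    """Bare share name from a 5140 ShareName value such as '\\\\*\\C$'."""
    return share_field.rsplit("\\", 1)[-1].upper()


def share_access_findings(events):
    """Return findings for 5140 events on shares outside the benign list.
    Administrative shares are rated 'high', anything else 'low', so the
    residual noise can be reviewed without hiding the C$/Admin$ hits."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5140:
            continue
        name = share_name(ev.get("ShareName", ""))
        if name in BENIGN_SHARES:
            continue
        findings.append({
            "severity": "high" if name in ADMIN_SHARES else "low",
            "computer": ev["Computer"],
            "account": ev["SubjectUserName"],
            "source": ev["IpAddress"],
            "share": name,
        })
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 5140, "Computer": "DC01", "SubjectUserName": "svc-backup",
     "IpAddress": "10.0.0.25", "ShareName": "\\\\*\\SYSVOL"},
    {"EventID": 5140, "Computer": "DC01", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.77", "ShareName": "\\\\*\\C$"},
    {"EventID": 5140, "Computer": "WS-114", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.77", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 5140, "Computer": "WS-114", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.77", "ShareName": "\\\\*\\IPC$"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "asmith",
     "IpAddress": "10.0.0.91", "ShareName": "\\\\*\\Finance"},
    # A different event ID is ignored entirely.
    {"EventID": 4624, "Computer": "WS-114", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.0.77"},
]

if __name__ == "__main__":
    for finding in share_access_findings(SAMPLE_EVENTS):
        print(finding)
```

Keeping the low-severity findings rather than discarding them lets the benign-share list be tuned from real data over time instead of guessed up front.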
Credential Access - AD - Account Lockout - Service Account
Event ID 4740
Defense Evasion - Domain Controller - System Change - Event Logs Cleared
Identifies the deletion of event logs from a Windows host or domain controller. This may be performed to destroy evidence of malicious activity on a system.
Event ID 1102
Discovery - AD - Account Enumeration - Host
Event ID 4771, 4625, 4768
Discovery - AD - Kerberoasting
This rule looks for activity on Active Directory indicative of Kerberoasting attacks. Kerberoasting is where an attacker cracks a Kerberos service ticket and rewrites it in order to gain access to the targeted service.
Event ID 4769
Execution - Network - Access Attempt - Unicode Domain
Identifies web requests where the website domain contains Unicode characters. Unicode allows foreign characters to be displayed in the URL bar and can be used to try to trick users into visiting malicious websites.
URL is: *?xn--.*?
Log source: web proxy server and firewalls
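The Unicode-domain rule worked through on proxy log lines, as an added example that is not code from the original post. It tightens the page's `*?xn--.*?` match to "a hostname label starts with xn--" (a plain substring match also fires on paths and query strings), decodes the punycode so the analyst sees the Unicode form, and flags labels that mix Latin with another script, which is the usual homograph pattern. The log format and the two IDN hosts are constructed; only Python's standard `idna` codec and `unicodedata` are used.

```python
"""Spot web-proxy requests whose hostname carries an IDN (punycode, 'xn--')
label, decode it for display, and flag mixed-script labels. Added example;
the proxy log lines and their format are constructed."""
import unicodedata
from urllib.parse import urlsplit


def parse_proxy_line(line):
    """Constructed format: '<ts> <client_ip> <method> <url> <status>'."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status)}


def decode_idn(host):
    """Unicode form of an ACE host name, or None if it does not decode."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return None


def scripts_in(label):
    """Script names of the letters in a label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def idn_findings(lines):
    """One finding per request whose host has an xn-- label."""
    findings = []
    for line in lines:
        rec = parse_proxy_line(line)
        host = (urlsplit(rec["url"]).hostname or "").lower()
        labels = host.split(".")
        if not any(label.startswith("xn--") for label in labels):
            continue
        decoded = decode_idn(host)
        mixed = False
        if decoded:
            for label in decoded.split("."):
                scripts = scripts_in(label)
                # Latin letters mixed with another script in one label is
                # the classic look-alike domain; pure non-Latin IDNs are
                # common and legitimate.
                if "LATIN" in scripts and len(scripts) > 1:
                    mixed = True
        findings.append({"client": rec["client"], "host": host,
                         "decoded": decoded, "mixed_script": mixed})
    return findings


# Constructed sample log (not real proxy data). 'xn--pypal-4ve' decodes to
# 'paypal' with a Cyrillic first 'a'; 'xn--bcher-kva' is plain 'bücher'.
SAMPLE_LOG = [
    "2024-03-01T08:00:01 10.0.0.5 GET https://www.example.com/ 200",
    "2024-03-01T08:00:02 10.0.0.5 GET https://xn--pypal-4ve.example/login 200",
    "2024-03-01T08:00:03 10.0.0.6 GET https://xn--bcher-kva.example/ 200",
]

if __name__ == "__main__":
    for finding in idn_findings(SAMPLE_LOG):
        print(finding)
```

Only the mixed-script finding is worth paging on; a decoded host that is entirely one non-Latin script is usually a legitimate local-language site and belongs in the baseline rather than the alert queue.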
Exfiltration - Email - Auto Forwarding
This rule looks for many emails from a single internal user going to an external email address, indicative of a user forwarding their external mail content to a personal mailbox.
Vendor Msg id is: send, and status is: originating
Initial Access - ADFS - Excessive Login Failures
Identifies a large volume of ADFS failures, which may indicate account enumeration, brute-force login activity or a client misconfiguration.
Event ID 1201, 1203, 1205
Initial Access - Remote Access - Login Attempt - Different Geos
Identifies VPN login attempts by the same user across geographically distant locations in a short time period. This may indicate account compromise, especially if the user is not traveling.
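The "different geos" rule made concrete, as an added example that is not code from the original post: consecutive VPN logins per user are paired, the great-circle distance between them is computed with the haversine formula, and the pair is flagged when the implied travel speed exceeds a limit. The login records (with coordinates already resolved from the source IP) are constructed, and the 900 km/h limit is an assumption to tune per environment.

```python
"""Flag VPN logins by the same user from locations too far apart for the
elapsed time ("impossible travel"). Added example; login records and their
already-geolocated coordinates are constructed, and the speed threshold is
an assumption."""
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

SPEED_LIMIT_KMH = 900.0  # assumption: above any scheduled airline speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(logins, speed_limit_kmh=SPEED_LIMIT_KMH):
    """One finding per consecutive login pair (per user) whose implied speed
    exceeds the limit. Each login: user, time (ISO 8601), city, lat, lon."""
    by_user = {}
    for rec in logins:
        by_user.setdefault(rec["user"], []).append(rec)
    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: datetime.fromisoformat(r["time"]))
        for prev, cur in zip(recs, recs[1:]):
            t0 = datetime.fromisoformat(prev["time"])
            t1 = datetime.fromisoformat(cur["time"])
            hours = (t1 - t0).total_seconds() / 3600.0
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two distinct places at the same instant is impossible too.
            if hours == 0:
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > speed_limit_kmh:
                findings.append({"user": user, "from": prev["city"], "to": cur["city"],
                                 "km": round(dist), "hours": round(hours, 2),
                                 "kmh": round(speed)})
    return findings


# Constructed sample logins (not real VPN data).
SAMPLE_LOGINS = [
    {"user": "jdoe", "time": "2024-03-01T08:00:00+00:00", "city": "New York",
     "lat": 40.7128, "lon": -74.0060},
    {"user": "jdoe", "time": "2024-03-01T10:00:00+00:00", "city": "London",
     "lat": 51.5074, "lon": -0.1278},
    {"user": "asmith", "time": "2024-03-01T08:00:00+00:00", "city": "New York",
     "lat": 40.7128, "lon": -74.0060},
    {"user": "asmith", "time": "2024-03-01T12:00:00+00:00", "city": "Boston",
     "lat": 42.3601, "lon": -71.0589},
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_LOGINS):
        print(finding)
```

Geolocation of VPN egress and mobile-carrier addresses is coarse, so in practice the rule is paired with an allow-list of known corporate egress points and the user's travel status, as the description notes.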
Lateral Movement - Domain Controller - Login Attempt - Interactive
Identifies a remote interactive login to a domain controller.
Event ID 4624 and Session type is 10, 2
Persistence - Domain Controller - System Change - Audit Policy Changed
Identifies system audit policy changes on Windows hosts. This represents a change to the type of security events logged by the system and may be a pre-attack activity to avoid detection.
Event ID 4719, 4905, 4912
Persistence - Domain Controller - System Change - Domain Policy Changed
Event ID 4739
Persistence - Domain Controller - System Change - Multiple Processes Created
Identifies a large number of processes being created in a short time on a monitored Windows host. An abnormal volume of new processes may indicate that the host has been compromised or is being misused.
Event ID 4688
Unique value >= 10
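Two of the rules above share one detection shape: "one key produces many distinct values inside a short window". For Kerberoasting it is one account requesting tickets (Event ID 4769) for many distinct service names; for Multiple Processes Created it is one host with many distinct new processes (Event ID 4688, unique value >= 10). The added example below, which is not code from the original post, implements that sliding-window distinct count once and applies it to both. The events are constructed; the 60-second and 5-minute windows and the 4769 threshold are assumptions, and the 4769 pre-filter on RC4 ticket encryption (TicketEncryptionType 0x17) is a widely used heuristic that the page itself does not mention.

```python
"""Sliding-window "many distinct values per key" detector, applied to
Kerberoasting (4769) and Multiple Processes Created (4688). Added example;
events are constructed and the windows/thresholds are assumptions except
the page's own 'unique value >= 10' for 4688."""
from datetime import datetime, timedelta


def distinct_burst(events, key_field, value_field, window_seconds, threshold):
    """One finding per key whose events hold >= threshold distinct
    value_field values within any window_seconds-long window."""
    by_key = {}
    for ev in events:
        by_key.setdefault(ev[key_field], []).append(ev)
    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        for i, start in enumerate(evs):
            t0 = datetime.fromisoformat(start["time"])
            seen = set()
            for ev in evs[i:]:
                if (datetime.fromisoformat(ev["time"]) - t0).total_seconds() > window_seconds:
                    break
                seen.add(ev[value_field])
            if len(seen) >= threshold:
                findings.append({"key": key, "window_start": start["time"],
                                 "distinct": len(seen)})
                break  # one alert per key is enough
    return findings


def kerberoasting_candidates(events):
    """4769 events with RC4 (0x17) tickets, which Kerberoasting tooling
    requests to ease offline cracking (heuristic, not from the page):
    >= 10 distinct SPNs per requesting account in 5 minutes (assumed)."""
    tgs = [e for e in events
           if e["EventID"] == 4769 and e.get("TicketEncryptionType") == "0x17"]
    return distinct_burst(tgs, "TargetUserName", "ServiceName", 300, 10)


def process_bursts(events):
    """Page's 4688 rule: >= 10 unique new processes on a host in a short
    window (60 s assumed)."""
    procs = [e for e in events if e["EventID"] == 4688]
    return distinct_burst(procs, "Computer", "NewProcessName", 60, 10)


def _build_sample():
    """Constructed events (not real log data)."""
    base = datetime.fromisoformat("2024-03-01T09:00:00")
    evs = []
    # jdoe requests 12 distinct RC4 service tickets within two minutes.
    for i in range(12):
        evs.append({"EventID": 4769, "time": (base + timedelta(seconds=10 * i)).isoformat(),
                    "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": f"svc{i:02d}",
                    "TicketEncryptionType": "0x17"})
    # A service account requests three AES tickets: normal traffic.
    for i in range(3):
        evs.append({"EventID": 4769, "time": (base + timedelta(seconds=30 * i)).isoformat(),
                    "TargetUserName": "svc-web@CORP.EXAMPLE", "ServiceName": f"web{i}",
                    "TicketEncryptionType": "0x12"})
    # WS-114 spawns 11 distinct processes in 50 seconds; WS-200 spawns 4.
    for i in range(11):
        evs.append({"EventID": 4688, "time": (base + timedelta(seconds=5 * i)).isoformat(),
                    "Computer": "WS-114", "NewProcessName": f"C:\\Windows\\System32\\tool{i}.exe"})
    for i in range(4):
        evs.append({"EventID": 4688, "time": (base + timedelta(seconds=5 * i)).isoformat(),
                    "Computer": "WS-200", "NewProcessName": f"C:\\Windows\\System32\\tool{i}.exe"})
    return evs


SAMPLE_EVENTS = _build_sample()

if __name__ == "__main__":
    print("kerberoasting:", kerberoasting_candidates(SAMPLE_EVENTS))
    print("process bursts:", process_bursts(SAMPLE_EVENTS))
```

The same `distinct_burst` call covers the ADFS Excessive Login Failures and Auto Forwarding rules with different key and value fields; the 4688 threshold in particular needs a per-host baseline, since build servers and logon scripts legitimately spawn dozens of processes a minute.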
Persistence - Domain Controller - System Change - Scheduled Task
Identifies the creation of new scheduled tasks as well as changes to existing tasks. The creation of new scheduled tasks or the removal of existing ones may be a technique to maintain persistence.
Event ID: 4698, 4699, 4700, 4701, 4702
Persistence - Domain Controller - System Change - Service Installed
Identifies the installation of unexpected services on a system. The installation of unexpected services may be an indicator of system compromise or misuse.
Event ID: 7045, 4697, 601
Privilege Escalation - AD - Group Change - Admin
Identifies attempts to change a user's group membership in AD. The high risk associated with delegating certain permissions in AD warrants a high level of scrutiny, for example the promotion of a domain user to domain admin.
Event ID: 4728, 4732, 4746, 4751, 4756, 4761
Privilege Escalation - ATP - Golden Ticket
This rule looks for Golden Ticket related activity identified by Azure ATP. See here for more details: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide?tabs=external.
Event ID 2009, 2013, 2027, 2032, 2022
Hunting Fileless Malware & PowerShell Activities:
Event IDs (4104, 4103, and 4688)
- Event ID 4103 – Module logging – Attackers use several obfuscated commands and call self-defined variables and system commands. Hunting this event ID lets SOC operations record all the obfuscated commands as pipeline execution details under event ID 4103. It should be enabled to capture and process the malicious commands.
- Event ID 4104 – PowerShell Script Block Logging – Captures the entire scripts that are executed by remote machines, for example obfuscated scripts that are decoded and executed at run time. This gives additional visibility on remote commands.
- If an event exceeds the maximum event log message size, script block logging splits the logged script block into multiple events. Suspicious commands can be observed at the “Warning” logging level.
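Because a long script block arrives as several 4104 events, any pattern match run on a single event can miss a string that straddles the split. The added example below, which is not code from the original post, reassembles the fragments by ScriptBlockId and MessageNumber (fields 4104 carries alongside MessageTotal, ScriptBlockText and Level), records whether any fragment was logged at Warning, and then decodes an -EncodedCommand payload (base64 of UTF-16LE) out of the joined text for the analyst. The events are constructed so that the encoded payload is cut in half by the split.

```python
"""Reassemble split PowerShell Event ID 4104 script blocks and decode any
-EncodedCommand payload in the joined text. Added example; events are
constructed."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common
# abbreviations are matched here, followed by a base64 run.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                    re.IGNORECASE)


def reassemble(events):
    """Group 4104 fragments by ScriptBlockId, order by MessageNumber, join.
    Returns {ScriptBlockId: {"text", "complete", "warning"}}."""
    groups = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        g = groups.setdefault(ev["ScriptBlockId"],
                              {"parts": {}, "total": ev["MessageTotal"], "warning": False})
        g["parts"][ev["MessageNumber"]] = ev["ScriptBlockText"]
        g["warning"] = g["warning"] or ev.get("Level") == "Warning"
    out = {}
    for sbid, g in groups.items():
        text = "".join(g["parts"][n] for n in sorted(g["parts"]))
        out[sbid] = {"text": text,
                     "complete": len(g["parts"]) == g["total"],
                     "warning": g["warning"]}
    return out


def decode_encoded_commands(text):
    """Decoded form of each -EncodedCommand payload found in text."""
    decoded = []
    for m in ENC_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<undecodable payload>")
    return decoded


# Constructed sample: a harmless command, base64(UTF-16LE) encoded the way
# PowerShell expects, embedded in a block that is split into two events at a
# point inside the payload. Fragments are listed out of order on purpose.
SAMPLE_COMMAND = "Write-Output 'hello from block'"
_PAYLOAD = base64.b64encode(SAMPLE_COMMAND.encode("utf-16le")).decode("ascii")
FULL_BLOCK = "$x = 1\npowershell.exe -enc " + _PAYLOAD + "\n"
_CUT = len(FULL_BLOCK) // 2
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "b1", "MessageNumber": 2, "MessageTotal": 2,
     "Level": "Warning", "ScriptBlockText": FULL_BLOCK[_CUT:]},
    {"EventID": 4104, "ScriptBlockId": "b1", "MessageNumber": 1, "MessageTotal": 2,
     "Level": "Warning", "ScriptBlockText": FULL_BLOCK[:_CUT]},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "Level": "Verbose", "ScriptBlockText": "Get-Date\n"},
]

if __name__ == "__main__":
    for sbid, block in reassemble(SAMPLE_EVENTS).items():
        print(sbid, block["complete"], block["warning"],
              decode_encoded_commands(block["text"]))
```

Run the decoder on the first fragment alone and it returns an undecodable payload; only the reassembled block yields the command, which is the point of joining before matching.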
USE CASE: DNS QUERY
Objective: The mission of this hunt is to drill down into DNS logs to baseline the common domains queried by endpoints in the environment, as well as to identify potentially infected endpoints by looking for possible DNS tunneling, domain generation algorithm (DGA) domains, and traffic to risky top-level domains (TLDs).
Log Source & Requirements: DNS query logging
Duration: 30 Days
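The DNS hunt above carried out on sample query logs, as an added example that is not code from the original post. It builds the baseline of queried registered domains, then applies three checks: a DGA heuristic (long second-level label with high Shannon entropy), two tunneling heuristics (very long query names, and many unique subdomains under one parent from one client), and a risky-TLD list. The log format and lines are constructed; the thresholds, the risky-TLD set, and the naive last-two-labels registered-domain split (no public suffix list) are assumptions to tune against the 30 days of data the use case calls for.

```python
"""DNS query hunt: baseline queried domains, flag DGA-like names, tunneling
patterns and risky TLDs. Added example; log lines are constructed and all
thresholds are assumptions."""
import math
from collections import Counter, defaultdict

RISKY_TLDS = {"zip", "top", "xyz"}        # assumption: take from current intel
ENTROPY_MIN, DGA_MIN_LEN = 3.5, 12        # assumption: DGA heuristic
TUNNEL_UNIQUE_SUBS, TUNNEL_MAX_LEN = 20, 60  # assumption: tunneling heuristic


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive registered domain: last two labels (no public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line):
    """Constructed format: '<ts> <client_ip> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def hunt(lines):
    """Return (baseline Counter of registered domains, list of findings)."""
    recs = [parse_line(line) for line in lines if line.strip()]
    baseline = Counter(registered_domain(r["qname"]) for r in recs)
    subs = defaultdict(set)
    findings = []
    for r in recs:
        q = r["qname"]
        labels = q.split(".")
        sld = labels[-2] if len(labels) >= 2 else labels[0]
        if len(sld) >= DGA_MIN_LEN and entropy(sld) >= ENTROPY_MIN:
            findings.append(("dga", r["client"], q))
        if labels[-1] in RISKY_TLDS:
            findings.append(("risky_tld", r["client"], q))
        if len(q) > TUNNEL_MAX_LEN:
            findings.append(("tunnel_len", r["client"], q))
        if len(labels) > 2:
            subs[(r["client"], registered_domain(q))].add(".".join(labels[:-2]))
    for (client, rd), names in subs.items():
        if len(names) >= TUNNEL_UNIQUE_SUBS:
            findings.append(("tunnel_volume", client, rd))
    return baseline, findings


# Constructed sample log (not real DNS data): ordinary traffic, one random-
# looking domain, one risky TLD, and one client emitting many unique
# subdomains of a single parent, one of them very long.
SAMPLE_LOG = [
    "2024-03-01T08:00:01 10.0.0.5 A www.google.com",
    "2024-03-01T08:00:02 10.0.0.5 A login.microsoft.com",
    "2024-03-01T08:00:03 10.0.0.6 A www.google.com",
    "2024-03-01T08:00:04 10.0.0.7 A xk3j9fq2zt7wma.com",
    "2024-03-01T08:00:05 10.0.0.7 A update.notes.zip",
] + [
    f"2024-03-01T08:01:{i:02d} 10.0.0.9 TXT {'a1b2c3d4e5f6' * 3}{i:02d}.tun.example"
    for i in range(25)
] + ["2024-03-01T08:02:00 10.0.0.9 A " + "b" * 70 + ".tun.example"]

if __name__ == "__main__":
    baseline, findings = hunt(SAMPLE_LOG)
    print("top domains:", baseline.most_common(5))
    for finding in findings:
        print(finding)
```

The baseline is what makes the heuristics usable: a domain that is high-entropy but has been queried by hundreds of endpoints every day for a month is a CDN, not a DGA, so the findings should be joined against the 30-day counts before anyone reviews them.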