
16.A) Remote System Discovery

Open Cyb3rWard0g opened this issue 4 years ago • 11 comments

Description

The attacker enumerates the environment’s domain controller (T1018)

Cyb3rWard0g avatar May 02 '20 11:05 Cyb3rWard0g

Single source with multiple suspicious dce_rpc operations in 5 minutes. Use the zeek dce_rpc log and operation values of those that would be indicative of "enumeration", like SamrGetGroupsForUser and SamrLookupIdsInDomain.

neu5ron avatar May 03 '20 01:05 neu5ron

Niceee I like it! Is that something that can be applied to the Sigma Integration @neu5ron ?

Cyb3rWard0g avatar May 03 '20 17:05 Cyb3rWard0g

Definitely possible! The only thing I need help with is making sure some of these RPCs aren't as common as one would think. I don't think in combination they would be, except for how most abused things are legitimate things, admin scenarios. I will do more research on them, make sure I don't write a rule full of false positives.

neu5ron avatar May 03 '20 18:05 neu5ron

Alright, here is the start of my rule, will keep working on this with more operations:

title: Domain Enumeration Network Reconnaissance Activity
status: experimental
description: Domain enumeration via network reconnaissance. Seen in APT 29 and other common tactics. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller
references:
    - "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
author: '@neu5ron (Nate Guagenti)'
date: 2020/05/03
modified: 2020/05/03
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1082
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation:
            - SamrLookupIdsInDomain
            - SamrGetGroupsForUser
    timeframe: 30s
    condition: selection | count(operation) by src_ip > 4
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium

neu5ron avatar May 04 '20 01:05 neu5ron

That's awesome brother you are on 🔥 . We are adding the rules here. I was asking in the other issue where you shared a rule also if it would be good to create a new folder for zeek in the rules folder or keep the rule under Windows since it is technically a rule for Windows environments. right? https://github.com/OTRF/detection-hackathon-apt29/tree/master/rules

Cyb3rWard0g avatar May 04 '20 01:05 Cyb3rWard0g

Testing this rule for false positives still, so far it's looking really good.

neu5ron avatar May 15 '20 13:05 neu5ron

@Cyb3rWard0g what should I put as the OTRF community author name? I have it in there, but let me know if that is the right name to use. I will submit this one this weekend, going to use it for my talk and such on Tuesday.

title: Domain Enumeration Network Reconnaissance Activity
description: Domain enumeration via network reconnaissance. Seen in APT 29 and other common tactics. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller
id: 66a0bdc6-ee04-441a-9125-99d2eb547942
references:
    - "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
author: 'Nate Guagenti (@neu5ron), Open Threat Research Forge Community (OTRF)'
date: 2020/05/03
modified: 2020/05/03
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1082
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation:
            - SamrLookupIdsInDomain #method translates a set of RIDs into account names
            - SamrGetGroupsForUser #obtains a listing of groups that a user is a member of
            - LsarLookupSids3 #translates a batch of security principal SIDs to their name forms
            - SamrEnumerateDomainsInSamServer #method obtains a listing of all domains hosted by the server side of this protocol
            - SamrQueryInformationGroup #obtains attributes from a group object
            - LsarLookupNames3 #method translates a batch of security principal names to their SID form
            - SamrLookupNamesInDomain #method translates a set of account names into a set of RIDs
            - SamrQuerySecurityObject #method queries the access control on a server, domain, user, group, or alias object
            - LsarEnumerateTrustedDomains
    timeframe: 30s
    condition: selection | count(operation) by src_ip > 4
falsepositives:
    - Devices that may do authentication like a VPN or a firewall that looks up IPs to usernames
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
status: experimental

neu5ron avatar May 15 '20 13:05 neu5ron
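The two rule drafts above express the same logic: a single source issuing more than four of the listed SAMR/LSA operations inside a 30-second window (Sigma's legacy `count(field) by` aggregation counts distinct values of `field` per group). Here is that logic as a sliding-window check over Zeek dce_rpc.log JSON records; this is an added example, not code from the thread or the Sigma project, and the log lines, IPs and timestamps are constructed.

```python
import json
from collections import defaultdict, deque

# Operation names from the posted rule's selection list.
ENUM_OPERATIONS = {
    "SamrLookupIdsInDomain", "SamrGetGroupsForUser", "LsarLookupSids3",
    "SamrEnumerateDomainsInSamServer", "SamrQueryInformationGroup", "LsarLookupNames3",
    "SamrLookupNamesInDomain", "SamrQuerySecurityObject", "LsarEnumerateTrustedDomains",
}
TIMEFRAME, THRESHOLD = 30.0, 4  # timeframe: 30s; condition: count(operation) by src_ip > 4

# Constructed Zeek dce_rpc.log records (JSON output, trimmed to the fields used, sorted by ts):
# 10.0.0.5 walks five different calls in 20s, 10.0.0.20 repeats one lookup call (the
# VPN/firewall false-positive case), 10.0.0.9 is an admin spreading five calls over minutes.
SAMPLE_LOG = """\
{"ts":1588500000.0,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.4","operation":"SamrLookupIdsInDomain"}
{"ts":1588500005.0,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.4","operation":"SamrGetGroupsForUser"}
{"ts":1588500010.0,"id.orig_h":"10.0.0.20","id.resp_h":"10.0.0.4","operation":"LsarLookupSids3"}
{"ts":1588500011.0,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.4","operation":"LsarLookupSids3"}
{"ts":1588500012.0,"id.orig_h":"10.0.0.20","id.resp_h":"10.0.0.4","operation":"LsarLookupSids3"}
{"ts":1588500015.0,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.4","operation":"SamrEnumerateDomainsInSamServer"}
{"ts":1588500018.0,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.4","operation":"NetrShareEnum"}
{"ts":1588500020.0,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.4","operation":"SamrQueryInformationGroup"}
{"ts":1588500100.0,"id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.4","operation":"SamrLookupIdsInDomain"}
{"ts":1588500200.0,"id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.4","operation":"SamrGetGroupsForUser"}
{"ts":1588500300.0,"id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.4","operation":"LsarLookupSids3"}
{"ts":1588500400.0,"id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.4","operation":"SamrEnumerateDomainsInSamServer"}
{"ts":1588500500.0,"id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.4","operation":"SamrQueryInformationGroup"}
"""

def detect(lines, timeframe=TIMEFRAME, threshold=THRESHOLD):
    """Return {src_ip: ts of first alert} for sources exceeding `threshold` distinct listed operations in any window."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, operation) still inside the window
    alerts = {}
    for raw in filter(str.strip, lines):  # skip blank lines
        rec = json.loads(raw)
        op = rec.get("operation")
        if op not in ENUM_OPERATIONS:
            continue  # selection: only the listed enumeration operations count
        src, ts = rec["id.orig_h"], float(rec["ts"])
        window = recent[src]
        window.append((ts, op))
        while ts - window[0][0] > timeframe:  # evict events older than the window
            window.popleft()
        if src not in alerts and len({o for _, o in window}) > threshold:
            alerts[src] = ts  # distinct-operation count, as count(operation) by src_ip
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))  # {'10.0.0.5': 1588500020.0}
```

Widening the timeframe to several minutes makes the admin host 10.0.0.9 trip the rule too, which is the false-positive trade-off the thread discusses.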

Hey @neu5ron, yeah it would be Open Threat Research (OTR). Open Threat Research Forge is the GitHub repo (a Forge) for the OTR initiative 😉. So Open Threat Research (OTR) would be better to reference the community in general. Thank you very much for asking! Regarding submitting the rule to SIGMA, yes that works. I will track it as a rule created from this event.

Would it be possible that when you submit the rule you reference in the PR title or the description the event and the community? Thank you very much for your contributions man. I appreciate it!! I have a few rules coming too 😉

Cyb3rWard0g avatar May 15 '20 14:05 Cyb3rWard0g

@Cyb3rWard0g can you verify this meets your requests? https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml The only reason I did not put APT 29 in the title is because this goes far beyond any APT and is going to work for many things :) i.e. a technique for domain enumeration used by whoever 💥

neu5ron avatar May 18 '20 13:05 neu5ron

Hey @neu5ron, did you update the link? It does not work.

Cyb3rWard0g avatar May 28 '20 04:05 Cyb3rWard0g

Yeah, the rule is merged into SIGMA too:

https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml

neu5ron avatar May 28 '20 12:05 neu5ron