Access to a Sensitive LDAP Attribute

Identify access to sensitive Active Directory object attributes that contain credentials and decryption keys, such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.

Elastic rule (View on GitHub)

 # Detection rule: alerts on Windows Security event 4662 whose Properties field
# names one of four credential-bearing Active Directory attributes.
# Key order inside a TOML table carries no meaning, so keys are grouped by purpose.

[metadata]
# Dates are kept as YYYY/MM/DD strings, exactly as this file writes them.
creation_date = "2022/11/09"
updated_date = "2024/07/08"
maturity = "production"
# presumably these integrations feed the logs-system.* and logs-windows.*
# patterns listed in rule.index; confirm against the deployment
integration = ["system", "windows"]

[rule]
# Identity
name = "Access to a Sensitive LDAP Attribute"
rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66"
author = ["Elastic"]
license = "Elastic License v2"

# NOTE(review): the description lists three attributes as examples; the query
# below additionally matches ms-PKI-DPAPIMasterKeys.
description = """
Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as
unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
"""
references = [
    "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
    "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
]

# Classification
risk_score = 47
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Privilege Escalation",
    "Use Case: Active Directory Monitoring",
    "Data Source: Active Directory",
]

# Data sources and scheduling
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
# Each execution searches the preceding nine minutes.
from = "now-9m"
# Time filtering uses event.ingested rather than the event's own timestamp,
# so events that arrive late are still evaluated.
timestamp_override = "event.ingested"

# NOTE(review): enabling the audit subcategory is necessary but may not be
# sufficient. Event 4662 is only logged when the accessed object has a SACL
# entry matching the operation, so confirm that auditing on the relevant
# objects covers reads of the attributes listed in the query. Without that,
# this rule stays silent rather than failing visibly.
setup = """## Setup

The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Access (Success,Failure)

"""

# Match logic (EQL, any event category):
#   1. event.code "4662" with event.action "Directory Service Access" or
#      "object-operation-performed" (two spellings are accepted; presumably
#      they come from different shippers, confirm).
#   2. The subject SID is not S-1-5-18 (Local System), so access made under
#      that identity is outside this rule's coverage.
#   3. winlog.event_data.Properties contains one of four GUIDs; the * on both
#      sides lets the GUID sit anywhere inside the field value.
#   4. AccessMask is neither "0x0" nor "0x100"; the in-query comment marks
#      both as noisy. The masks are compared as strings.
# The GUID-to-attribute names come from the comments inside the query itself.
type = "eql"
language = "eql"
query = '''
any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and

  not winlog.event_data.SubjectUserSid : "S-1-5-18" and

  winlog.event_data.Properties : (
   /* unixUserPassword */
  "*612cb747-c0e8-4f92-9221-fdd5f15b550d*",

  /* ms-PKI-AccountCredentials */
  "*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*",

  /*  ms-PKI-DPAPIMasterKeys */
  "*b3f93023-9239-4f7c-b99c-6745d87adbc2*",

  /* msPKI-CredentialRoamingTokens */
  "*b7ff5a38-0818-42b0-8110-d3d154c97f24*"
  ) and

  /*
   Excluding noisy AccessMasks
   0x0 undefined and 0x100 Control Access
   https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
   */
  not winlog.event_data.AccessMask in ("0x0", "0x100")
'''

# ATT&CK mapping 1 of 2: Credential Access.
# The tactic sub-table is written before the technique entries; it still
# belongs to the same [[rule.threat]] element.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.004"
name = "Private Keys"
reference = "https://attack.mitre.org/techniques/T1552/004/"

# ATT&CK mapping 2 of 2: Privilege Escalation.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.002"
name = "Domain Accounts"
reference = "https://attack.mitre.org/techniques/T1078/002/"

References

Related rules
