updating yaml formatting

splunk · Jun 26, 2024 · adba790 · adba790
1 parent be162b9
commit adba790
Show file tree

Hide file tree

Showing 10 changed files with 57 additions and 50 deletions.
diff --git a/detections/application/windows_ad_dangerous_group_acl_modification.yml b/detections/application/windows_ad_dangerous_group_acl_modification.yml
@@ -8,7 +8,8 @@ type: TTP
 data_source:
 - Windows Security 5136
 description: Group ACL modification event with potentially dangerous permissions applied. 
-search: '`wineventlog_security` EventCode=5136 ObjectClass=group
+search: >-
+  `wineventlog_security` EventCode=5136 ObjectClass=group
   | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId 
   | rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)" 
   | rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)" 
@@ -29,7 +30,7 @@ search: '`wineventlog_security` EventCode=5136 ObjectClass=group
   | stats values(aceType) as aceType values(aceInheritance) as aceInheritance values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID
   | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
   | search NOT aceType IN ("*denied*","D","OD","XD") AND aceAccessRights IN ("Full control","All extended rights","All validated writes","Create all child objects","Delete all child objects","Delete subtree","Delete","Modify permissions","Modify owner","Write all properties",CC,CR,DC,DT,SD,SW,WD,WO,WP)
-  | `windows_ad_dangerous_group_acl_modification_filter`'
+  | `windows_ad_dangerous_group_acl_modification_filter`
 how_to_implement: See link in references for how to configure logging for these eventcodes. Include lookups for SID resolution if evt_resolve_ad_obj is set to 0. 
 known_false_positives: Unknown
 references:

diff --git a/detections/application/windows_ad_dangerous_user_acl_modification.yml b/detections/application/windows_ad_dangerous_user_acl_modification.yml
@@ -8,7 +8,8 @@ type: TTP
 data_source:
 - Windows Security 5136
 description: User ACL modification event with potentially dangerous permissions applied. 
-search: '`wineventlog_security` EventCode=5136 ObjectClass=user 
+search: >-
+  `wineventlog_security` EventCode=5136 ObjectClass=user 
   | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId 
   | rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)" 
   | rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)" 
@@ -29,7 +30,7 @@ search: '`wineventlog_security` EventCode=5136 ObjectClass=user
   | stats values(aceType) as aceType values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID
   | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
   | search NOT aceType IN (*denied*,D,OD,XD) AND aceAccessRights IN ("Full control","All extended rights","All validated writes","Create all child objects","Delete all child objects","Delete subtree","Delete","Modify permissions","Modify owner","Write all properties",CC,CR,DC,DT,SD,SW,WD,WO,WP)
-  | `windows_ad_dangerous_user_acl_modification_filter`'
+  | `windows_ad_dangerous_user_acl_modification_filter`
 how_to_implement: See link in references for how to configure logging for these eventcodes. Include lookups for SID resolution if evt_resolve_ad_obj is set to 0. 
 known_false_positives: Unknown
 references:

diff --git a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
@@ -8,7 +8,8 @@ type: TTP
 data_source:
 - Windows Security 5136
 description: Detect ACL modification event applying the minimum required extended rights to perform a DCShadow attack. 
-search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS 
+search: >-
+  `wineventlog_security` EventCode=5136 ObjectClass=domainDNS 
   | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId 
   | rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)" 
   | rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)" 
@@ -29,7 +30,7 @@ search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS
   | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid)
   | stats min(_time) as _time values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user user
   | search (aceControlAccessRights="DS-Install-Replica" AND aceControlAccessRights="DS-Replication-Manage-Topology" AND aceControlAccessRights="DS-Replication-Synchronize") OR (aceControlAccessRights="9923a32a-3607-11d2-b9be-0000f87a36b2" AND aceControlAccessRights="1131f6ab-9c07-11d1-f79f-00c04fc2dcd2" AND aceControlAccessRights="1131f6ac-9c07-11d1-f79f-00c04fc2dcd2")
-  | `windows_ad_dcshadow_acl_addition_filter`'
+  | `windows_ad_dcshadow_acl_addition_filter`
 how_to_implement: See link in references for how to configure logging for these eventcodes. 
 known_false_positives: Unknown
 references:

diff --git a/detections/application/windows_ad_domain_root_acl_deletion.yml b/detections/application/windows_ad_domain_root_acl_deletion.yml
@@ -8,7 +8,8 @@ type: TTP
 data_source:
 - Windows Security 5136
 description: ACL deletion performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source device during triage. 
-search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS 
+search: >-
+  `wineventlog_security` EventCode=5136 ObjectClass=domainDNS 
   | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId 
   | rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)" 
   | rex field=new_value max_match=10000 "\((?P<new_values>.*?)\)" 
@@ -28,7 +29,7 @@ search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS
   | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid)
   | stats values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(old_values) as old_values by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID
   | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
-  | `windows_ad_domain_root_acl_deletion_filter`'
+  | `windows_ad_domain_root_acl_deletion_filter`
 how_to_implement: See link in references for how to configure logging for these eventcodes. Include lookups for SID resolution if evt_resolve_ad_obj is set to 0. 
 known_false_positives: Unknown
 references:

diff --git a/detections/application/windows_ad_domain_root_acl_modification.yml b/detections/application/windows_ad_domain_root_acl_modification.yml
@@ -8,7 +8,8 @@ type: TTP
 data_source:
 - Windows Security 5136
 description: ACL modification performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source device during triage. 
-search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS 
+search: >-
+  `wineventlog_security` EventCode=5136 ObjectClass=domainDNS 
   | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId 
   | rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)" 
   | rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)" 
@@ -28,7 +29,7 @@ search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS
   | eval aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",'access_rights_value'), aceType=ace_type_value, aceFlags=coalesce(ace_flag_value,"This object only"), aceControlAccessRights=ControlAccessRights, user=coalesce(user, group, builtin_group, aceSid) 
   | stats values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID
   | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
-  | `windows_ad_domain_root_acl_modification_filter`'
+  | `windows_ad_domain_root_acl_modification_filter`
 how_to_implement: See link in references for how to configure logging for these eventcodes. Include lookups for SID resolution if evt_resolve_ad_obj is set to 0. 
 known_false_positives: Unknown
 references:

diff --git a/detections/application/windows_ad_hidden_ou_creation.yml b/detections/application/windows_ad_hidden_ou_creation.yml
@@ -8,7 +8,8 @@ type: TTP
 data_source:
 - Windows Security 5136
 description: This analytic is looking for when an ACL is applied to an OU which denies listing the objects residing in the OU. This activity combined with modifying the owner of the OU will hide AD objects even from domain administrators. 
-search: '`wineventlog_security` EventCode=5136 ObjectClass=organizationalUnit
+search: >-
+  `wineventlog_security` EventCode=5136 ObjectClass=organizationalUnit
   | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId 
   | rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)" 
   | rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)" 
@@ -29,7 +30,7 @@ search: '`wineventlog_security` EventCode=5136 ObjectClass=organizationalUnit
   | stats values(aceType) as aceType values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID
   | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
   | search aceType IN ("Access denied",D) AND aceAccessRights IN ("List contents","List objects",LC,LO)
-  | `windows_ad_hidden_ou_creation_filter`'
+  | `windows_ad_hidden_ou_creation_filter`
 how_to_implement: See link in references for how to configure logging for these eventcodes. Include lookups for SID resolution if evt_resolve_ad_obj is set to 0. 
 known_false_positives: None. 
 references:

diff --git a/detections/application/windows_ad_self_dacl_assignment.yml b/detections/application/windows_ad_self_dacl_assignment.yml
@@ -8,7 +8,8 @@ type: TTP
 data_source:
 - Windows Security 5136
 description: Detect when a user creates a new DACL in AD for their own AD object. 
-search: '`wineventlog_security` EventCode=5136 
+search: >-
+  `wineventlog_security` EventCode=5136 
   | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId 
   | rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)" 
   | rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)" 
@@ -30,7 +31,7 @@ search: '`wineventlog_security` EventCode=5136
   | eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
   | rex field=user "\\\(?P<nt_user>.*?)$"
   | where lower(src_user)=lower(nt_user)
-  | `windows_ad_self_dacl_assignment_filter`'
+  | `windows_ad_self_dacl_assignment_filter`
 how_to_implement: Ensure you are ingesting AD audit logs, see lantern doc in references for further details. This detection also leverages admon data. Ensure the admon macro is configured with the correct index. 
 known_false_positives: Unknown
 references:

diff --git a/detections/application/windows_ad_suspicious_gpo_modification.yml b/detections/application/windows_ad_suspicious_gpo_modification.yml
@@ -10,12 +10,13 @@ data_source:
 - Windows Security 5145
 description: This analytic looks for a the creation of potentially harmful GPO which could lead to persistence or code execution on remote hosts. 
   Note, this analyic is looking for the absence of the corresponding 5136 events which is evidence of the GPOs being manually created (using a tool like PowerView) or potentially missing logs. 
-search: '`wineventlog_security` EventCode=5145 ShareName="\\\\*\\SYSVOL" RelativeTargetName IN (*\\ScheduledTasks.xml, *\\Groups.xml, *\\Registry.xml, *\\Services.xml, *\\Scripts\\*) NOT RelativeTargetName=*\\Scripts\\scripts.ini AccessMask=0x2 
- | rex field=AccessList max_match=0 "(?P<AccessList>%%\d+)" 
- | table _time AccessMask src_ip src_user RelativeTargetName Logon_ID dvc 
- | rex field=RelativeTargetName "Policies\\\(?P<gpo_guid>{.*?})\\\(?P<scope>\w+?)\\\(\w+)\\\(?P<folder>\w+)\\\(?P<file>\w+\.\w+)$"
- | eval src=if(match(src_ip, "(?i)^fe80:"),dvc,src_ip), folder=case(RelativeTargetName like "%\\Scripts\\%","Scripts",folder="Groups","Local users and groups",1=1,folder)
- | appendpipe 
+search: >-
+  `wineventlog_security` EventCode=5145 ShareName="\\\\*\\SYSVOL" RelativeTargetName IN (*\\ScheduledTasks.xml, *\\Groups.xml, *\\Registry.xml, *\\Services.xml, *\\Scripts\\*) NOT RelativeTargetName=*\\Scripts\\scripts.ini AccessMask=0x2 
+  | rex field=AccessList max_match=0 "(?P<AccessList>%%\d+)" 
+  | table _time AccessMask src_ip src_user RelativeTargetName Logon_ID dvc 
+  | rex field=RelativeTargetName "Policies\\\(?P<gpo_guid>{.*?})\\\(?P<scope>\w+?)\\\(\w+)\\\(?P<folder>\w+)\\\(?P<file>\w+\.\w+)$"
+  | eval src=if(match(src_ip, "(?i)^fe80:"),dvc,src_ip), folder=case(RelativeTargetName like "%\\Scripts\\%","Scripts",folder="Groups","Local users and groups",1=1,folder)
+  | appendpipe 
      [| map search="search `wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=gPCMachineExtensionNames $gpo_guid$" 
      | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId 
      | rex field=old_value max_match=10000 "(?P<old_values>\{.*?\})" 
@@ -28,10 +29,10 @@ search: '`wineventlog_security` EventCode=5145 ShareName="\\\\*\\SYSVOL" Relativ
      | stats values(OpCorrelationID) as OpCorrelationID values(newPolicy) as newPolicy by ObjectDN 
      | rex field=ObjectDN max_match=10000 "CN=(?P<gpo_guid>\{.*?\})" 
      | fields - ObjectDN] 
- | stats values(AccessMask) as AccessMask values(src) as src values(src_user) as src_user values(RelativeTargetName) as RelativeTargetName values(Logon_ID) as Logon_ID values(newPolicy) as newPolicy values(OpCorrelationID) as OpCorrelationID values(folder) as folder values(file) as file by gpo_guid 
- | mvexpand folder 
- | where NOT folder IN (newPolicy)
- | `windows_ad_suspicious_gpo_modification_filter`'
+  | stats values(AccessMask) as AccessMask values(src) as src values(src_user) as src_user values(RelativeTargetName) as RelativeTargetName values(Logon_ID) as Logon_ID values(newPolicy) as newPolicy values(OpCorrelationID) as OpCorrelationID values(folder) as folder values(file) as file by gpo_guid 
+  | mvexpand folder 
+  | where NOT folder IN (newPolicy)
+  | `windows_ad_suspicious_gpo_modification_filter`
 how_to_implement: Ingest EventCodes 5145 and 5136 from domain controllers. Additional SACLs required to capture EventCode 5136, see references for further information on how to configure this. 
   The Group Policy - Audit Detailed File Share will need to be enabled on the DCs to generate event code 5145, this event is very noisy on DCs, consider tuning out sysvol events which do not match access mask 0x2.
 known_false_positives: When a GPO is manually created and there are no 5136 events. 

diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml
@@ -8,20 +8,21 @@ type: TTP
 data_source:
 - XmlWinEventLog:Security
 description: Increase in group or AD object modifications. 
-search: "`wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764)\n| bucket\
-  \ span=5m _time \n| stats values(object) as object, dc(object) as objectCount, values(src_user_category)\
-  \ as src_user_category, values(dest) as dest, values(dest_category) as dest_category\
-  \ by _time, src_user, signature, status\n| eventstats avg(objectCount) as comp_avg\
-  \ , stdev(objectCount) as comp_std by src_user, signature\n| eval upperBound=(comp_avg+comp_std)\
-  \ \n| eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0)\n\
-  | search isOutlier=1 | `windows_increase_in_group_or_object_modification_activity_filter`"
+search: >-
+  `wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764)
+  | bucket span=5m _time 
+  | stats values(object) as object, dc(object) as objectCount, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status
+  | eventstats avg(objectCount) as comp_avg, stdev(objectCount) as comp_std by src_user, signature
+  | eval upperBound=(comp_avg+comp_std)
+  | eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0)
+  | search isOutlier=1 
+  | `windows_increase_in_group_or_object_modification_activity_filter`
 how_to_implement: Run over past 7 days for best results. 
-known_false_positives: Genuine activity
-references:
-- REFERENCE
+known_false_positives: Unknown
+references: []
 tags:
   analytic_story:
-  - UPDATE_STORY_NAME
+    - Sneaky Active Directory Persistence Tricks
   asset_type: Endpoint
   confidence: 40
   impact: 20