Dlux update #2906
Conversation
Merging latest detections from develop into branch to continue to work on them
@dluxtron: Hey buddy! Can we fix up the conflicts in this PR?
You can ignore the changes in
@@ -0,0 +1,69 @@ | |||
name: Authentication DM Distributed Password Spray |
Let's move this detection to the cloud directory where the other Azure detections currently live. Consider renaming the search and the filter macro to:
Azure AD Distributed Password Spray
We can leave the detection in the application directory for now and update the name to:
Detect Distributed Password Spray Attempts
- 90bc2e54-6c84-47a5-9439-0a2a92b4b175 | ||
confidence: 70 | ||
impact: 70 | ||
message: This is not a risk rule |
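Review bot: `message: This is not a risk rule` is the text that gets attached to the generated event, so it should describe the finding rather than the rule type, and it should reference fields the search actually emits; for example `message: Distributed password spray detected: $total_failures$ failed logons against $unique_accounts$ accounts from $unique_src$ sources`. The `confidence: 70` and `impact: 70` values are fine as they stand, but the placeholder message would surface verbatim in any notable or risk output built from this rule.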
Add a valid risk message even though it is not a risk_rule.
| table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id | ||
| sort - total_failures | `authentication_dm_distributed_password_spray_filter`' | ||
how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. | ||
known_false_positives: Mondays. |
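Review bot: `known_false_positives: Mondays.` gives an analyst nothing to tune on; spell out the scenario it alludes to (users returning after a weekend mistyping or hitting expired passwords, which inflates `total_failures` without raising `unique_src`) and say which of the emitted counters (`unique_src`, `unique_accounts`, `total_failures`) the threshold should be raised on in that case. The `how_to_implement` text should also state that `src` must be the originating client and not a proxy or load balancer address, since `unique_src` is the only field that separates a distributed spray from a single noisy host.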
Improve this text.
mitre_attack_id: | ||
- T1110.003 | ||
- T1110 | ||
observable: |
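Review bot: `observable:` is empty, and nothing in the search output (`action, unique_src, unique_accounts, total_failures, sourcetype, signature_id` from the `table` above) is a host or user that could be mapped to a victim, since those fields are aggregate counts. Before adding the required victim entry, carry an entity field through the stats and `table` (for example a `values(dest)` or similar, whichever field the data model populates for the target) so that the observable names a field that actually exists in the results; an observable pointing at a field absent from the output cannot populate a risk object.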
We currently require authors to have at least one victim defined in the observables so that it gets converted to risk objects upon generation of the ESCU app.
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: UPDATE url to dataset |
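Review bot: `data: UPDATE url to dataset` is a placeholder where the test harness expects a downloadable URL, so the True Positive Test will fail at fetch time rather than exercising the search. Replace it with the attack_data location (and the `source`/`sourcetype` the replay should use, which the test block does not set here) before this merges.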
Add dataset links.
PR Summary
There are 24 new detections, updates to 12 detections, and 5 new lookup files included in this PR.
Also included is a whole stack of AD-centric detections focusing on group policy & ACLs of AD objects. Potentially worth putting together as its own analytic story? Or just included as part of the sneak AD story (current state).
Breakdown of each of the new/modified files below
6 New Detections - misc: Utilising the CIM Datamodel
detections/application/authentication_dm_distributed_password_spray.yml
detections/application/authentication_dm_password_spray.yml
detections/endpoint/windows_network_share_discovery_with_net.yml
detections/network/internal_horizontal_port_scan.yml
detections/network/internal_vertical_port_scan.yml
detections/network/internal_vulnerability_scan.yml
3 New Detections: Misc
detections/application/windows_increase_in_group_or_object_modification_activity.yml
detections/application/windows_increase_in_user_modification_activity.yml
detections/endpoint/windows_vulnerable_driver_installed.yml
3 Updates to existing detections: Fixes
detections/application/okta_risk_threshold_exceeded.yml
detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
detections/endpoint/windows_ad_domain_replication_acl_addition.yml
3 Updates: minor spelling changes
detections/endpoint/macos_plutil.yml
dist/DA-ESS-ContentUpdate/default/analyticstories.conf
dist/DA-ESS-ContentUpdate/default/savedsearches.conf
4 Updates Misc: (additional references, enhancements etc)
detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
detections/endpoint/windows_admon_default_group_policy_object_modified.yml
detections/endpoint/windows_admon_group_policy_object_created.yml
2 Updates to existing detections: Adding support for XMLWinEventLog
detections/endpoint/detect_new_local_admin_account.yml
detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
15 New Detections: AD Related
detections/application/windows_ad_add_self_to_group.yml
detections/application/windows_ad_dangerous_deny_acl_modification.yml
detections/application/windows_ad_dangerous_group_acl_modification.yml
detections/application/windows_ad_dangerous_user_acl_modification.yml
detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
detections/application/windows_ad_domain_root_acl_deletion.yml
detections/application/windows_ad_domain_root_acl_modification.yml
detections/application/windows_ad_gpo_deleted.yml
detections/application/windows_ad_gpo_disabled.yml
detections/application/windows_ad_gpo_new_cse_addition.yml
detections/application/windows_ad_hidden_ou_creation.yml
detections/application/windows_ad_object_owner_updated.yml
detections/application/windows_ad_privileged_group_modification.yml
detections/application/windows_ad_self_dacl_assignment.yml
detections/application/windows_ad_suspicious_attribute_modification.yml
5 New Lookups to support the SACL/Ace detections
dist/DA-ESS-ContentUpdate/default/transforms.conf
lookups/ace_access_rights_lookup.csv
lookups/ace_access_rights_lookup.yml
lookups/ace_flag_lookup.csv
lookups/ace_flag_lookup.yml
lookups/ace_type_lookup.csv
lookups/ace_type_lookup.yml
lookups/builtin_groups_lookup.csv
lookups/builtin_groups_lookup.yml
lookups/msad_guid_lookup.csv
lookups/msad_guid_lookup.yml
I have no idea about this change
dist/api/detections.json
Checklist
Detection names follow the <platform>_<mitre att&ck technique>_<short description> nomenclature