Dlux update #2906
Dlux update #2906
Conversation
Merging latest detections from develop into branch to continue to work on them
|
@dluxtron : Hey buddy! Can we fix up the conflicts in this PR? |
|
You can ignore the changes in |
| @@ -0,0 +1,69 @@ | |||
| name: Authentication DM Distributed Password Spray | |||
There was a problem hiding this comment.
Lets move this detection to password to the cloud directory where other Azure detections are currently. Consider renaming the search and the filter macro to :
Azure AD Distributed Password Spray
There was a problem hiding this comment.
We can leave the detection in the application directory for now and update the name to
Detect Distributed Password Spray Attempts
| - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 | ||
| confidence: 70 | ||
| impact: 70 | ||
| message: This is not a risk rule |
There was a problem hiding this comment.
add a valid risk message even though it not a risk_rule
| | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id | ||
| | sort - total_failures | `authentication_dm_distributed_password_spray_filter`' | ||
| how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. | ||
| known_false_positives: Mondays. |
| mitre_attack_id: | ||
| - T1110.003 | ||
| - T1110 | ||
| observable: |
There was a problem hiding this comment.
We are currently enforcing authors to have atleast one victim defined in the observables so that it gets converted to risk objects upon generation of ESCU app
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: UPDATE url to dataset |
PR Summary
There are 24 new detections, updates to 12 detections, and 5 new lookup files included in this PR.
Also included a whole stack of AD centric detections focusing on group policy & ACLs of AD objects. Potentially worth putting together as its own analytic story? Or just included as part of the sneak AD story (current state).
Breakdown of each of the new/modified files below
6 New Detections - misc: Utilising the CIM Datamodel
detections/application/authentication_dm_distributed_password_spray.yml
detections/application/authentication_dm_password_spray.yml
detections/endpoint/windows_network_share_discovery_with_net.yml
detections/network/internal_horizontal_port_scan.yml
detections/network/internal_vertical_port_scan.yml
detections/network/internal_vulnerability_scan.yml
3 New Detections: Misc
detections/application/windows_increase_in_group_or_object_modification_activity.yml
detections/application/windows_increase_in_user_modification_activity.yml
detections/endpoint/windows_vulnerable_driver_installed.yml
3 Updates to existing detections: Fixes
detections/application/okta_risk_threshold_exceeded.yml
detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
detections/endpoint/windows_ad_domain_replication_acl_addition.yml
3 Updates: minor spelling changes
detections/endpoint/macos_plutil.yml
dist/DA-ESS-ContentUpdate/default/analyticstories.conf
dist/DA-ESS-ContentUpdate/default/savedsearches.conf
4 Updates Misc: (additional references, enhancements etc)
detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
detections/endpoint/windows_admon_default_group_policy_object_modified.yml
detections/endpoint/windows_admon_group_policy_object_created.yml
2 Updates to existing detections: Adding support for XMLWinevevntLog
detections/endpoint/detect_new_local_admin_account.yml
detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
15 New Detections: AD Related
detections/application/windows_ad_add_self_to_group.yml
detections/application/windows_ad_dangerous_deny_acl_modification.yml
detections/application/windows_ad_dangerous_group_acl_modification.yml
detections/application/windows_ad_dangerous_user_acl_modification.yml
detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
detections/application/windows_ad_domain_root_acl_deletion.yml
detections/application/windows_ad_domain_root_acl_modification.yml
detections/application/windows_ad_gpo_deleted.yml
detections/application/windows_ad_gpo_disabled.yml
detections/application/windows_ad_gpo_new_cse_addition.yml
detections/application/windows_ad_hidden_ou_creation.yml
detections/application/windows_ad_object_owner_updated.yml
detections/application/windows_ad_privileged_group_modification.yml
detections/application/windows_ad_self_dacl_assignment.yml
detections/application/windows_ad_suspicious_attribute_modification.yml
5 New Lookups to support the SACL/Ace detections
dist/DA-ESS-ContentUpdate/default/transforms.conf
lookups/ace_access_rights_lookup.csv
lookups/ace_access_rights_lookup.yml
lookups/ace_flag_lookup.csv
lookups/ace_flag_lookup.yml
lookups/ace_type_lookup.csv
lookups/ace_type_lookup.yml
lookups/builtin_groups_lookup.csv
lookups/builtin_groups_lookup.yml
lookups/msad_guid_lookup.csv
lookups/msad_guid_lookup.yml
I have no idea about this change
dist/api/detections.json
Checklist
<platform>_<mitre att&ck technique>_<short description>nomenclature