This document describes the different ways of simulating alerts and the alerts generated via the MITRE ATT&CK Matrix techniques, and mechanisms to test these alerts.
Currently, a Splunk app has not been built for this; however, the logs can be viewed through an app such as Crescendo.
Get an application such as App Store to trigger a dialog box to capture credentials
Emulating via bash CLI
osascript -e 'tell app "App Store" to activate' -e 'tell app "App Store" to activate' -e 'tell app "App Store" to display dialog "Update required, please enter your password." & return & return default answer "" with icon 1 with hidden answer with title "App Store Alert"'
# Create a temp file with command to execute
echo 'echo testing1234 > /tmp/testing1234.txt' > /tmp/test.sh; chmod +x /tmp/test.sh
# Add the following configuration to ~/.bash_profile, ~/.zshrc, and others
alias sudo='sudo sh -c '\''/tmp/test.sh & exec "$@"'\'' sh'
sudo whoami
# List the backups
sudo tmutil listbackups
# Delete the backup via tmutil (made up timestamp)
backup="test123"; timestamp="2020-11-18-100936"; sudo tmutil delete -d "$backup" -t "$timestamp"
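The two emulations above leave artifacts a defender can look for: a shell profile that redefines `sudo`, and an `osascript` command line that builds a password dialog with `hidden answer`. The following is an added example (not code from the page or the project) of both checks in Python, run over a constructed profile snippet and constructed process command lines; it assumes your endpoint telemetry (e.g. Crescendo) gives you the full command line, and the `SAMPLE_*` inputs are made up for the demonstration.

```python
"""Defender-side checks for the sudo-alias and fake-prompt emulations (added example)."""
import re
from typing import List

# Constructed shell profile, as it would look after the alias emulation above.
SAMPLE_PROFILE = r"""
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
alias sudo='sudo sh -c '\''/tmp/test.sh & exec "$@"'\'' sh'
"""

# Constructed process command lines as an endpoint telemetry feed might record them.
SAMPLE_CMDLINES = [
    'osascript -e \'tell app "App Store" to display dialog "Update required, please enter your password." '
    'default answer "" with icon 1 with hidden answer with title "App Store Alert"\'',
    'osascript -e \'display notification "Build finished"\'',
    '/usr/bin/sudo tmutil listbackups',
]

# A profile line that redefines sudo in any of the usual shell forms:
#   alias sudo=...   sudo() { ... }   function sudo ...
SUDO_REDEFINE = re.compile(r'^\s*(alias\s+sudo=|sudo\s*\(\)\s*\{|function\s+sudo\b)')


def find_sudo_overrides(profile_text: str) -> List[str]:
    """Return the lines of a shell profile that redefine sudo."""
    return [line.strip() for line in profile_text.splitlines() if SUDO_REDEFINE.search(line)]


# A dialog that hides what the user types is the signature of a credential prompt.
HIDDEN_ANSWER = re.compile(r'display\s+dialog\b.*\bwith\s+hidden\s+answer', re.IGNORECASE)


def find_credential_prompts(cmdlines) -> List[str]:
    """Return osascript command lines that build a hidden-answer dialog."""
    return [c for c in cmdlines if 'osascript' in c and HIDDEN_ANSWER.search(c)]


if __name__ == "__main__":
    for hit in find_sudo_overrides(SAMPLE_PROFILE):
        print("sudo redefined:", hit)
    for hit in find_credential_prompts(SAMPLE_CMDLINES):
        print("credential prompt:", hit)
```

In practice `find_sudo_overrides` would be run over every rc file the emulation names (`~/.bash_profile`, `~/.zshrc`, and so on) for every local user, and the command-line check over the process-execution stream rather than a fixed list.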
This document describes the alerts built in the splunkawssecuritymon Splunk app as referenced by MITRE ATT&CK Matrix techniques, and mechanisms to test these alerts.
Note: This alert may need to be baselined to your environment to ignore activity from known accounts that pull authorization tokens for image configuration.
Emulate via awscli
aws ecr create-repository --repository-name $REPOSITORY_NAME --region ap-southeast-2
# Replace AWS_ACCOUNT_ID with your AWS Account ID
aws ecr get-login-password --region ap-southeast-2 | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.ap-southeast-2.amazonaws.com
# To see the full flow end to end, build, tag and push an image with the commands below:
## Build an image
docker build -t $REPOSITORY_NAME .
## Tag the image
docker tag testrepo:latest 169917409101.dkr.ecr.ap-southeast-2.amazonaws.com/testrepo:latest
## Push the image for execution
docker push 169917409101.dkr.ecr.ap-southeast-2.amazonaws.com/testrepo:latest
aws_detect_ecr_new_repo_image_create
Alert to detect creation of a new repository in AWS ECR and image push
Alert to detect addition of AWS user with AWS Group
Note: This rule should be baselined to exclude usernames that usually add accounts to groups (e.g. CI/CD service accounts). Example of how to exclude an account $CI_CD_SERVICE_ACCOUNT:
...
| where (eventSource = "iam.amazonaws.com" AND eventName = "AddUserToGroup")
```Exclude normal accounts here```
| where !(requestParametersUserName = "$CI_CD_SERVICE_ACCOUNT")
...
Emulate via AWSCLI
aws iam list-users
aws iam list-groups
aws iam add-user-to-group --group-name $GROUP_TO_ADD_TO --user-name $USER_TO_ADD
aws_detect_iam_group_added_with_user_from_ec2
Alert to detect addition of a user to a group from an EC2 instance
Emulate via AWSCLI
Note: This rule should be baselined to exclude usernames that usually add accounts to groups (e.g. CI/CD service accounts), in the same way as the AddUserToGroup rule above.
# Create an EC2 instance and assign it a privileged role e.g. AdministratorAccess
# Install AWSCLI
sudo apt-get -y update && sudo apt-get -y install awscli
# Add a user to the specified group `security_audit_team`
date; aws iam add-user-to-group --group-name security_audit_team --user-name testuser2
T1098.001 Additional Cloud Credentials
aws_detect_iam_user_created
Alert to detect creation of a new IAM user for persistence
Emulate via awscli
aws iam create-user --user-name $USERNAME
aws_detect_iam_user_deleted
Alert to detect clean-up of an IAM user for persistence
Emulate via awscli
aws iam list-users
aws iam delete-user --user-name $USERNAME
aws_detect_iam_accesskey_created
Alert to detect creation of a new access key for an IAM user for persistence
Emulate via awscli
aws iam create-access-key --user-name $USERNAME
aws_detect_iam_accesskey_deleted
Alert to detect deletion of an access key for an IAM user (clean-up after persistence)
Emulate via awscli
To list existing access key IDs which can be deleted
aws iam list-access-keys --user-name $USERNAME
aws iam delete-access-key --user-name $USERNAME --access-key-id $ACCESS_KEY_ID
aws_detect_iam_login_profile_create
Alert to detect creation of a console login for a user
Note: This rule should be baselined to exclude usernames that usually create login profiles for users, e.g. AWS system administrators
Emulate via AWSCLI
aws iam create-login-profile --user-name testuser3 --password Password123! --no-password-reset-required
aws_detect_iam_login_profile_update
Alert to detect update of the existing console login for a user
Note: This rule should be baselined to exclude usernames that usually update login profiles for users, e.g. AWS system administrators
Emulate via AWSCLI
aws iam create-login-profile --user-name testuser3 --password Password123! --no-password-reset-required
aws iam update-login-profile --user-name testuser3 --password Password234 --no-password-reset-required
T1098.004 SSH Authorized Keys
aws_detect_ec2_ssh_public_key_addition
Alert to detect an attempt to add an SSH public key for logging in to the EC2 instance
Emulate via UI / EC2 Connect
Launch an EC2 instance via the UI > Select Connect > Select EC2 Instance Connect > Select Connect
TA0004 Privilege Escalation
aws_detect_iam_default_policy_version_set
Alert to detect if a default policy version has been assigned
Note: This rule should be baselined to exclude usernames that usually set the default policy version setting.
# /tmp/admin_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEverything",
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
# /tmp/restricted.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEverything",
"Effect": "Allow",
"Action": "iam:SetDefaultPolicyVersion",
"Resource": "arn:aws:iam::*:policy/test"
}
]
}
# Create the policy that allows all access and note the policy ARN from the output
aws iam create-policy --policy-name 'alloweverythingpolicy' --policy-document file:///tmp/admin_policy.json
# Create a new policy version which is very restrictive and make it the default
aws iam create-policy-version --policy-arn $POLICY_ARN --policy-document file:///tmp/restricted.json --set-as-default
# Create a new group
aws iam create-group --group-name testgroup
# Create a new user
aws iam create-user --user-name testuser
# Add the new user to the group
aws iam add-user-to-group --group-name testgroup --user-name testuser
# Attach the policy (its current default version is the restrictive one)
aws iam attach-group-policy --group-name testgroup --policy-arn arn:aws:iam::$AWS_ACCOUNT_ID:policy/alloweverythingpolicy
# Try to list the S3 buckets as the new user (assumes credentials added to ~/.aws/credentials file) - access should be denied
aws s3 ls --profile testuser
# Now switch the default back to v1 (the allow-everything version), wait a couple of minutes and retry - access will be allowed
aws iam set-default-policy-version --policy-arn arn:aws:iam::$AWS_ACCOUNT_ID:policy/alloweverythingpolicy --version-id v1
aws_detect_iam_new_policy_version_assignment
Alert to detect if the iam:CreatePolicyVersion permission was used to add a new version to an existing policy and make it the default
Note: This rule should be baselined to exclude usernames that usually create policy versions (e.g. CI/CD service accounts). Example of how to exclude an account $CI_CD_SERVICE_ACCOUNT:
...
| where (eventSource = "iam.amazonaws.com" AND eventName = "CreatePolicyVersion")
```Exclude normal accounts here```
| where !(requestParametersUserName = "$CI_CD_SERVICE_ACCOUNT")
...
Emulate via AWSCLI
# admin_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEverything",
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
# Identify the policies
aws iam list-policies
aws iam list-policy-versions --policy-arn $POLICY_ARN
# Create a new policy version and set it as the default
aws iam create-policy-version --policy-arn $POLICY_ARN --policy-document file:///tmp/admin_policy.json --set-as-default
# Users and other entities in the groups the policy is attached to should now have full access
aws iam list-entities-for-policy --policy-arn $POLICY_ARN
aws iam list-groups-for-user --user-name $USER_NAME
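The baselining notes for AddUserToGroup, the EC2-origin variant of that rule, and CreatePolicyVersion / SetDefaultPolicyVersion all follow one pattern: match the IAM CloudTrail event, then drop the principals known to perform it. The following is an added example (not the app's SPL, which is what the snippets above are) of that pattern in Python over constructed CloudTrail records. It keys the baseline on the calling identity (`userIdentity`), which is what the notes describe; the snippets above filter on the request's `userName` field, and you can key on either. The account ID `111122223333` and the principal names are placeholders, and the EC2-origin check relies on instance-profile credentials using the instance ID as the assumed-role session name.

```python
"""Baseline-aware review of IAM CloudTrail events (added example; the app's rules are SPL)."""
import json
from typing import Dict, Iterable, List, Set

# Per-event baseline: principals expected to perform the action. Constructed placeholder
# names; populate from your own environment (e.g. the $CI_CD_SERVICE_ACCOUNT above).
BASELINE: Dict[str, Set[str]] = {
    "AddUserToGroup": {"ci-cd-deployer"},
    "CreatePolicyVersion": {"ci-cd-deployer"},
    "SetDefaultPolicyVersion": {"iam-admin-alice"},
}


def load_records(text: str) -> List[dict]:
    """CloudTrail log files wrap events as {"Records": [...]}; a bare list is accepted too."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def caller_name(event: dict) -> str:
    """Calling principal: the IAM user name, or the session name of an assumed role."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "IAMUser":
        return ident.get("userName", "")
    # Assumed-role ARNs end in .../assumed-role/<RoleName>/<SessionName>
    return ident.get("arn", "").rsplit("/", 1)[-1]


def from_ec2_instance(event: dict) -> bool:
    """Instance-profile credentials carry the instance ID (i-...) as the role session name."""
    ident = event.get("userIdentity", {})
    return ident.get("type") == "AssumedRole" and caller_name(event).startswith("i-")


def evaluate(events: Iterable[dict]) -> List[dict]:
    """Return one finding per watched IAM event whose caller is not baselined."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        if ev.get("eventSource") != "iam.amazonaws.com" or name not in BASELINE:
            continue
        who = caller_name(ev)
        if who in BASELINE[name]:
            continue  # known account doing its usual job: baselined out
        findings.append({"eventName": name, "caller": who,
                         "from_ec2": from_ec2_instance(ev),
                         "requestParameters": ev.get("requestParameters", {})})
    return findings


# Constructed sample events (not real CloudTrail data) mirroring the emulations above.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AddUserToGroup",
     "userIdentity": {"type": "IAMUser", "userName": "ci-cd-deployer"},
     "requestParameters": {"groupName": "developers", "userName": "newhire"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AddUserToGroup",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/test-ec2-admin-role/i-0abc123def4567890"},
     "requestParameters": {"groupName": "security_audit_team", "userName": "testuser2"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "SetDefaultPolicyVersion",
     "userIdentity": {"type": "IAMUser", "userName": "testuser"},
     "requestParameters": {"policyArn": "arn:aws:iam::111122223333:policy/alloweverythingpolicy",
                           "versionId": "v1"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "testuser"}, "requestParameters": {}},
]
SAMPLE_RECORDS_TEXT = json.dumps({"Records": SAMPLE_EVENTS})

if __name__ == "__main__":
    for f in evaluate(load_records(SAMPLE_RECORDS_TEXT)):
        print(f)
```

Only the second and third sample events survive: the first is baselined out and the fourth is not an IAM event. The `from_ec2` flag on the second finding is what the aws_detect_iam_group_added_with_user_from_ec2 rule keys on.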
# Obtain the detector ID and finding IDs via the list-detectors and list-findings awscli commands respectively
aws guardduty archive-findings --detector-id 5....5e --finding-ids 6....a e....3
aws_detect_guardduty_suppression_filter_creation
Alert to detect if Suppression filter has been created in AWS GuardDuty which can be used to suppress important findings
Alert to detect the deletion of log-stream within a given log-group in CloudWatch
Emulate via AWSCLI
# First list all log groups
aws logs describe-log-groups
# Then list all log streams
aws logs describe-log-streams --log-group-name "$LOG_GROUP_NAME"
# Ensure that any $ get escaped with \$
aws logs delete-log-stream --log-group-name "$LOG_GROUP_NAME" --log-stream-name "$LOG_STREAM_NAME"
T1556 Modify Authentication Process
aws_detect_iam_password_policy_update
Alert to detect a change in AWS IAM Password Policy
Emulate via awscli
aws iam update-account-password-policy --require-numbers
TA0006 Credential Access
T1110 Brute Force
T1110.004 Credential Stuffing
aws_detect_signin_credential_stuffing
Alert to detect credential stuffing attack affecting the AWS Console Sign-in page
This alert checks if there is an attempt to perform AWS Cloud Infrastructure Discovery via Golang tools such as Bishop Fox's smogcloud
Emulate
Install and run smogcloud as follows using keys available for an AWS environment:
go install github.com/BishopFox/smogcloud@latest
export AWS_ACCOUNT_ID="smogcloud_test"
export AWS_ACCESS_KEY_ID="<replace-access-key-id-here>"
export AWS_SECRET_ACCESS_KEY="<replace-secret-access-key-here>"
smogcloud
Other Usecases
This section describes use-cases which can be detected by one or more of the alerts above.
03 - iam:PassRole and ec2:RunInstances
By using a role with the permissions iam:PassRole and ec2:RunInstances on any resource assigned to a user, that user can start a new instance with an arbitrary role and assign new permissions to a user from inside the running EC2 instance.
aws_detect_ec2_instances_run: Creation of new EC2 instances (which can also be extended to use a role)
aws_detect_iam_group_added_with_user_from_ec2: Addition of a user to the group from an EC2 instance using an EC2 role
Emulate via awscli
# Create test users: `testuser` will start the EC2 instance with a role that can be used, from inside the instance, to add `testuser2` to the `security_audit_team` group
aws iam create-user --user-name testuser
aws iam create-access-key --user-name testuser
aws iam create-user --user-name testuser2
# Create a policy which allows iam:PassRole and ec2:RunInstances and assign it to the user
aws iam create-policy --policy-name 'testpassrolecreateinstance' --policy-document file:///tmp/testpassrolecreateinstance.json
aws iam create-group --group-name testgroup
aws iam add-user-to-group --group-name testgroup --user-name testuser
aws iam attach-group-policy --group-name testgroup --policy-arn arn:aws:iam::$AWS_ACCOUNT_ID:policy/testpassrolecreateinstance
# Create a new role to be passed to EC2 instance which gives AdministratorAccess
aws iam create-role --role-name test-ec2-admin-role --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name test-ec2-admin-role --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# Create a new EC2 security group which will be used by the user to login
aws ec2 describe-vpcs
aws ec2 describe-subnets
aws ec2 describe-security-groups
aws ec2 create-security-group --group-name test-ssh-ingress --description "Security group for SSH ingress and open egress" --vpc-id vpc-032d10b8504c5c9c7
aws ec2 authorize-security-group-ingress --group-id sg-0f1c7fa18048f7bc9 --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-egress --group-id sg-0f1c7fa18048f7bc9 --protocol all --cidr 0.0.0.0/0
# Create an instance profile which can be assigned to the EC2 instance
aws iam create-instance-profile --instance-profile-name test-instance-profile
aws iam add-role-to-instance-profile --instance-profile-name test-instance-profile --role-name test-ec2-admin-role
# Start the EC2 instance as `testuser`, passing the role in via the instance profile
aws ec2 run-instances --image-id ami-0e2e4c9e55712f9e3 --instance-type t2.micro --iam-instance-profile Arn=arn:aws:iam::$AWS_ACCOUNT_ID:instance-profile/test-instance-profile --key-name "test-instance" --security-group-ids "sg-0f1c7fa18048f7bc9" --profile testuser --subnet-id subnet-0a70e41ea53aab6ab --region ap-southeast-2
# `testuser` then will SSH to the EC2 instance and execute the following commands
sudo apt-get -y update && sudo apt-get -y install awscli
aws iam add-user-to-group --group-name security_audit_team --user-name testuser2
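The use case above hinges on one policy shape: `iam:PassRole` on any role together with `ec2:RunInstances`. Finding such policies before they are attached complements the two run-time alerts. The following is an added example (not the project's code; the policy document the emulation reads from `/tmp/testpassrolecreateinstance.json` is not on the page, so the `RISKY_POLICY` below is a constructed equivalent) of a static check over IAM policy documents in Python. It handles string-or-list fields and `*` wildcards in action names, and `111122223333` is a placeholder account ID.

```python
"""Static check for the iam:PassRole + ec2:RunInstances combination (added example)."""
import fnmatch
from typing import Dict, List


def _as_list(value) -> list:
    # IAM accepts either a string or a list for Statement, Action and Resource
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and patterns may use '*' (e.g. "iam:*")
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_resources(policy: dict, actions: List[str]) -> Dict[str, List[str]]:
    """For each action, collect the Resource patterns that Allow statements grant it on."""
    grants: Dict[str, List[str]] = {a: [] for a in actions}
    for stmt in _as_list(policy.get("Statement", [])):
        # NotAction statements and Condition blocks are not evaluated here (see note below)
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = _as_list(stmt.get("Resource", []))
        for pattern in _as_list(stmt["Action"]):
            for action in actions:
                if _action_matches(pattern, action):
                    grants[action].extend(resources)
    return grants


def passrole_runinstances_risk(policy: dict) -> dict:
    """Flag a policy that lets the principal hand an arbitrary role to an instance it launches."""
    g = allowed_resources(policy, ["iam:PassRole", "ec2:RunInstances"])
    any_role = any(r == "*" or r.endswith(":role/*") for r in g["iam:PassRole"])
    return {
        "can_pass_any_role": any_role,
        "can_run_instances": bool(g["ec2:RunInstances"]),
        "risky": any_role and bool(g["ec2:RunInstances"]),
    }


# Constructed policy documents for the demonstration.
RISKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/app-runner-role"},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}]}
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:*", "ec2:*"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("risky", RISKY_POLICY), ("scoped", SCOPED_POLICY), ("wildcard", WILDCARD_POLICY)]:
        print(name, passrole_runinstances_risk(pol))
```

The scoped policy is not flagged because PassRole is limited to one role ARN, which is the mitigation: constrain `iam:PassRole` to the specific roles a principal may hand out (and, where possible, add an `iam:PassedToService` condition). The check deliberately ignores explicit `Deny` statements and conditions, so treat a `risky: True` result as a review prompt rather than a verdict.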
This document describes the alerts built in the splunkgcpsecuritymon Splunk app as referenced by MITRE ATT&CK Matrix techniques, and mechanisms to test these alerts.
# Visit GCP Console > BigQuery > SQL Workspace > Create Dataset
# Once the Dataset is created, click on the ... drop-down > select Share > Select 'AllUsers' or 'AllAuthenticatedUsers' > Assign 'BigQuery Viewer' > Consent to creation of Public Dataset
gcp_detect_kms_key_permissions
Alert for detecting creation of Public KMS Keyrings or keys with excessive permissions assignment to users
# First create a test keyring
gcloud kms keyrings create testkeyring --location=australia-southeast1
# Create a test key
gcloud kms keys create testkey --keyring=testkeyring --location=australia-southeast1 --purpose="encryption"
# List the keyring to ensure it is available
gcloud kms keyrings list --location=australia-southeast1
# Assign allUsers editor permission to the keyring
gcloud kms keyrings add-iam-policy-binding testkeyring --location=australia-southeast1 --member=allUsers --role=roles/editor
# Assign allUsers editor permission to the key
gcloud kms keys add-iam-policy-binding testkey --keyring=testkeyring --location=australia-southeast1 --member=allUsers --role=roles/editor
# Remove allUsers permissions on key and keyring
gcloud kms keys remove-iam-policy-binding testkey --location=australia-southeast1 --member=allUsers --role=roles/editor --keyring=testkeyring
gcloud kms keyrings remove-iam-policy-binding testkeyring --location=australia-southeast1 --member=allUsers --role=roles/editor
TA0002 Execution
User Execution
gcp_detect_kubernetes_pod_exec_attempt
Alert to detect attempts to exec into already running Kubernetes pod
Emulate via gcloud
Deploy a test kubernetes cluster in the GCP project (a single node g1-small cluster should be sufficient)
Once the cluster is up, connect to the test pod via gcloud (ensuring that we have already authenticated gcloud to our GCP account):
gcloud auth login
gcloud container clusters get-credentials $CLUSTER_NAME --zone australia-southeast1-a --project $PROJECT_ID
Create a test pod 'testpod':
kubectl run testpod --rm -i --tty --image ubuntu -- bash
Exec into the test pod 'testpod':
kubectl exec testpod -i --tty -- bash
gcp_detect_kubernetes_pod_create_attempt
Alert to detect attempts to spawn / create a new Kubernetes pod
Emulate via gcloud
Similar to steps described in section gcp_detect_kubernetes_pod_exec_attempt
# Create a service account e.g. $SERVICE_ACCOUNT_NAME in a project with ID $PROJECT_ID
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --display-name "$SERVICE_ACCOUNT_NAME"
# List the service accounts and capture the email of the created service account
SERVICE_ACCOUNT=$(gcloud iam service-accounts list --format='value(EMAIL)' --filter="displayName:$SERVICE_ACCOUNT_NAME")
# Assign excessive permissions (e.g. the project owner role) to the service account; add-iam-policy-binding takes a single --role per call
gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$SERVICE_ACCOUNT" --role="roles/iam.serviceAccountUser"
gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$SERVICE_ACCOUNT" --role="roles/owner"
gcp_detect_iam_service_account_key_user_managed
Alert for Creation of User Managed Service Account keys for user-managed service accounts
# Create a test service account
gcloud iam service-accounts create test-service-account2
# Create a private key in p12 format (replace $PROJECT_ID)
gcloud iam service-accounts keys create /tmp/key.p12 --iam-account=test-service-account2@$PROJECT_ID.iam.gserviceaccount.com --key-file-type=p12
# List existing api keys and identify the key ID via the key_id field
gcloud alpha services api-keys list
# Get the Key ID via the api-keys list above
gcloud alpha services api-keys update \
$key_id \
--allowed-referrers="https://www.example.com/*,http://sub.example.com/*"
SSH Authorized Keys
gcp_detect_ssh_keys_added_to_compute_metadata
Alert to detect creation of SSH keys to SSH into compute instance
# Create a test compute instance 'test-instance-1' via the console - can be an f1-micro instance
# Build an SSH key
ssh-keygen -t rsa -C "$NEWUSER" -f ./key -P ""
NEWKEY="$(cat ./key.pub)"
echo "$NEWUSER:$NEWKEY" > ./meta.txt
# Add the SSH key to 'test-instance-1' via its instance metadata
gcloud compute instances add-metadata "test-instance-1" --metadata-from-file ssh-keys=meta.txt --zone "australia-southeast1-b" --project "test-project-2-355701"
TA0004 Privilege Escalation
Domain Policy Modification
Domain Trust Modification
gcp_detect_org_policy_changes
Alert to detect any modifications to the GCP Organizational Policy
Emulate via Google Console UI
Pre-requisite: a GCP organization containing at least one project
Select Organization from resource selector > IAM & Admin > Organizational Policies > Visit a policy e.g. 'Allowed Ingress Settings (Cloud Functions)' > Select 'Google Managed Default' > Save
Valid Accounts
Cloud Accounts
gcp_detect_service_account_impersonation_perms
Alert for creation of an account or assignment of a privilege providing Service Account User, Service Account Token Creator roles
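Three of the GCP alerts above (public KMS keyrings/keys, excessive roles on a service account, and Service Account User / Token Creator grants) are all visible as `ADD` binding deltas in a `SetIamPolicy` audit log entry. The following is an added example (not the app's own rule logic) that reviews such entries in Python. It assumes the `protoPayload.serviceData.policyDelta.bindingDeltas` layout used by IAM audit logs and matches any `methodName` ending in `SetIamPolicy`; the log entries, project name and principals below are constructed, and you should check the layout against samples from your own Cloud Logging export before relying on it.

```python
"""Review of ADD binding deltas in GCP SetIamPolicy audit log entries (added example)."""
from typing import List

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles that let a principal act as, or mint tokens for, a service account
IMPERSONATION_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator"}
# Broad primitive roles that are excessive for a service account
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}


def binding_findings(entry: dict) -> List[dict]:
    """Inspect one audit log entry; return a finding per suspicious ADD delta."""
    payload = entry.get("protoPayload", {})
    if not payload.get("methodName", "").endswith("SetIamPolicy"):
        return []
    deltas = (payload.get("serviceData", {})
                     .get("policyDelta", {})
                     .get("bindingDeltas", []))
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    resource = payload.get("resourceName", "")
    findings = []
    for delta in deltas:
        if delta.get("action") != "ADD":
            continue  # a REMOVE is not a privilege grant
        member, role = delta.get("member", ""), delta.get("role", "")
        reasons = []
        if member in PUBLIC_MEMBERS:
            reasons.append("public principal")
        if role in IMPERSONATION_ROLES:
            reasons.append("service account impersonation role")
        if role in PRIMITIVE_ROLES and member.startswith("serviceAccount:"):
            reasons.append("primitive role granted to a service account")
        if reasons:
            findings.append({"actor": actor, "resource": resource, "member": member,
                             "role": role, "reasons": reasons})
    return findings


def review(entries) -> List[dict]:
    return [f for entry in entries for f in binding_findings(entry)]


# Constructed log entries (not real log data) mirroring the emulations above.
SAMPLE_ENTRIES = [
    {"protoPayload": {"methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/test-project/locations/australia-southeast1/keyRings/testkeyring",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/editor", "member": "allUsers"}]}}}},
    {"protoPayload": {"methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/test-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/iam.serviceAccountUser",
             "member": "serviceAccount:svc@test-project.iam.gserviceaccount.com"},
            {"action": "ADD", "role": "roles/owner",
             "member": "serviceAccount:svc@test-project.iam.gserviceaccount.com"},
            {"action": "REMOVE", "role": "roles/owner", "member": "user:old-admin@example.com"}]}}}},
    {"protoPayload": {"methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "bob@example.com"},
        "resourceName": "projects/test-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/viewer", "member": "user:carol@example.com"}]}}}},
    {"protoPayload": {"methodName": "google.cloud.kms.v1.KeyManagementService.CreateKeyRing",
        "authenticationInfo": {"principalEmail": "alice@example.com"}}},
]

if __name__ == "__main__":
    for f in review(SAMPLE_ENTRIES):
        print(f)
```

The viewer grant and the keyring creation produce nothing; the public `roles/editor` binding on the keyring and the two service-account grants each produce one finding, with the reason list telling the analyst which of the three rules it corresponds to.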
Alert to detect disable of Cloud DNS Audit logging
Emulate via gcloud
gcloud dns managed-zones list
gcloud dns managed-zones update $DNS_ZONE --no-log-dns-queries
gcp_detect_load_balancer_logging_disabled
Alert to detect disabling of Load Balancer logging, which would hide untracked configuration changes
Emulate via UI
# Create a new instance group and a new instance template using 1 min and 1 max instances (f1-micro)
# Create a HTTP load balancer > From Internet to my VMs or serverless services > Create a backend service and point to instance-template-1 > Under Logging, leave 'Enable Logging' unchecked
# Continue with all the steps to create the backend service
# Alternatively, for existing load balancer using backend service, edit Load balancer > Backend Configuration > Edit Backend > Uncheck Enable Logging > Update
gcp_detect_audit_config_change
Alert to detect removal of audit config logging settings
Emulate via GCP Console UI
# Visit the GCP Console UI > Audit Logs > Visit Log Types > Uncheck an option (e.g. `Data Read`)
gcp_detect_logsink_disable
Alert to detect disabling of log sinks that forward data to other destinations
Emulate via GCP Console UI
# Open GCP Console > Logging Explorer > Logs Router > Select a Logging Sink > Click on 'Disable' on the '...' drop-down
Alert to detect disable or modification of VPC Service Controls on the Service Perimeter
Pre-requisite: a GCP organization containing at least one project
Emulate via GCP Console UI
# Create a service perimeter
# Select Organization from resource selector > Security > VPC Service Controls > Visit Dry Run > New Perimeter > Create a Perimeter Title > Select 'Regular Perimeter' > Add a test project > Select 'Create Perimeter'
Alert to detect disabling or modification of VPC Service Controls - Access Policy
Emulate via GCP Console UI
Pre-requisite: a GCP organization containing at least one project
# Create a service perimeter
Select Organization from resource selector > Security > VPC Service Controls > Visit Manage Policies > Create > Provide an access policy name > add a test project > 'Create Access Policy'
Disable or Modify Tools
gcp_detect_clouddns_dnssec_disabled
Alert to detect disabling of DNSSEC for Cloud DNS logging
Emulate via gcloud
# create a cloud dns managed zone with dnssec state switched off
gcloud dns managed-zones create $DNS_ZONE --description="Test DNS Zone" --dns-name="testdnszone.com" --dnssec-state=off
# update the cloud dns managed zone from off to on OR vice-versa
gcloud dns managed-zones update $DNS_ZONE --dnssec-state=on
gcloud dns managed-zones update $DNS_ZONE --dnssec-state=off
# delete the cloud dns managed zone
gcloud dns managed-zones delete $DNS_ZONE
Emulate via GCP Console UI
# Visit Cloud DNS > Create Zone > Ensure that "Cloud Logging" is not enabled > Create
TA0006 Credential Access
TA0007 Discovery
Cloud Service Discovery
gcp_detect_excessive_services_enabled
Alert to detect excessive number of services enabled which indicates potential enumeration
Emulate via GCP Console UI
Use gcloud CLI:
gcloud services enable $SERVICE_NAME
TA0010 Exfiltration
gcp_detect_api_activity_unusually_high_last7days
Alert to detect unusually High API usage by any user identity
Perform a large number of actions with the user account in the GCP console (e.g. create a service account, disable it, enable it, etc.) compared to the last 4 days
Transfer Data to Cloud Account
gcp_detect_vpc_service_controls_violation
Alert on GCP Actions violating VPC Service Controls
# Create a new test GCS bucket in a test project
# Create a new service perimeter and include the test project in the service perimeter and the GCS Cloud Storage API in the perimeter
# Now attempt to list the files in the GCS bucket
gsutil ls
This document describes the alerts built in the splunksysmonsecurity Splunk app as referenced by MITRE ATT&CK Matrix techniques, and mechanisms to test these alerts.
Opening of encrypted zip files with Windows Zip or 7zip, followed by opening of common phishing documents.
Alert pre-requisite
Windows Event ID 5379 (Credential Manager credentials were read) which are typically generated in Windows 10/2016 onwards
Emulate via UI
Open an encrypted (using ZipCrypto) zip file in Windows by double-clicking. Encrypted zip file can be generated via 7z with ZipCrypto encryption algorithm
Alert to detect that AppLocker had blocked an execution of application
Alert pre-requisite: Windows App Locker Logs - Event ID 8004
Emulate via UI
First, follow steps for alert 'Modifying the Applocker policy used for application whitelisting' to enable applocker policy
Then attempt to run an .exe file via command prompt from the folder C:\Users\$AUTHENTICATED_USER\Downloads (where $AUTHENTICATED_USER is a normal user's authenticated user ID)
When file execution is blocked the following error message is displayed "This program is blocked by group policy"
sysmon_detect_malicious_file_av
Alert to detect that malware was detected by Windows Defender AV
Alert pre-requisite: Windows Defender being installed on System Event ID 1116
Emulate via UI/EICAR
Deploy an EICAR file to the local disk as text.exe file via an editor from the following link: https://secure.eicar.org/eicar.com.txt and validate that Windows AV defender is still running
Alert to detect loading of the PowerShell assembly System.Management.Automation by unusual targets, without other PowerShell utilities referenced
Note: Currently this alert focuses on a very specific set of locations to reduce False Positives (eg \Users and \Temp\ directories)
App users should expand on these locations after baselining their individual environment.
Emulate via nimplant C2
There are a number of ways to execute this. One method is to setup nimplant and execute the following command from server once a client is setup:
powershell Get-Process
This can also be emulated via powerpick utility in Cobaltstrike
Alert to detect execution of Powershell commands from non Windows-Powershell locations (e.g. powershell.exe)
Emulate via nimplant C2
This would be similar to steps discussed in sysmon_detect_powershell_assembly_invoked_unusual_targets. The invocation of powershell would be directly through the process running as agent (and not from powershell.exe as would normally be expected )
TA0003 Persistence
Event Triggered Execution
Accessibility Features
sysmon_detect_sticky_keys_sethc_file_tamper
Alert detects addition of sethc backdoor for persistence.
A new dashboard panel called SHA256 Hash vs Process Image in Windows Security Monitoring Dashboard has also been added to detect executables with hashes being executed from multiple paths
Change owner of the C:\Windows\System32\sethc.exe file from TrustedInstaller to Builtin\Administrator
Change permissions of Builtin\Administrator to have 'Full Control' permission
Backup the sethc.exe to sethc.exe.bak
Launch Command Prompt and copy cmd.exe to sethc.exe
Control Panel > Services > Application Identity Services > Start Service
Local Security Policy > Application Control Rules > Applocker > Executable Rules > Configured
Local Security Policy > Application Control Rules > Applocker > Executable Rules > (Right-Click) Create Default Rules
sysmon_detect_windows_defender_av_switched_off
Alert to detect Windows Defender Real-Time Protection or Cloud-Protection Switched off
Pre-requisite: Windows Defender Log Event ID 5007
Emulate via UI
Control Panel > Windows Defender > Windows Defender Settings > Windows Security > Virus and Threat Protection > Manage Settings > Turn off Real-Time Protection > Turn off Cloud-Delivered Protection
Change the value of the registry key in LoggedOnUser and LoggedOnSAMUser in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI to a known user e.g. HACKER\Administrator where HACKER is an example short domain name and user is Administrator which we want to show
Note: App users should baseline and can tune this alert for their environment to ignore triggers seen within their environment. This can be done in these lines of the alert within the app:
...
```Ignore process and parent process image paths that are known to execute .net legitimate binaries. Note: Users should expand this block to exclude more paths for their environments```
| where !(
like(Image, "C:\Windows\Microsoft.NET\%") OR
like(Image, "C:\Windows\System32\%") OR
like(ParentImage, "C:\Windows\System32\services.exe")
)
...
Emulate via Watson.exe
There are many ways to trigger this alert, including the execute-assembly commands of various C2s such as Cobalt Strike and NimPlant; it can be done by executing a .NET binary e.g. Watson.exe available here. This will generate image load events (if capturing of Sysmon Event ID 7 is enabled) for clr.dll and clrjit.dll, which should trigger this alert.
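Both image-load rules above (the PowerShell assembly loaded by unusual targets, and the .NET CLR loaded outside the excluded paths) are filters over Sysmon Event ID 7. The following is an added example (not the app's SPL) that renders them in Python over constructed Sysmon events, with the SPL `like()` patterns from the exclusion block translated to `fnmatch` wildcards. It assumes the usual Sysmon field names `Image`, `ImageLoaded` and `ParentImage`, compares paths case-insensitively since Windows does, and treats `powershell.exe`, `powershell_ise.exe` and `pwsh.exe` as the legitimate PowerShell hosts; the sample events are made up.

```python
"""Python rendering of the two image-load rules (added example; the app's rules are SPL)."""
import fnmatch
from typing import List

# Exclusions from the SPL block above, with SPL's '%' wildcard rewritten as fnmatch's '*'.
CLR_IMAGE_EXCLUSIONS = [r"C:\Windows\Microsoft.NET\*", r"C:\Windows\System32\*"]
CLR_PARENT_EXCLUSIONS = [r"C:\Windows\System32\services.exe"]
# Directories the PowerShell-assembly rule currently focuses on (\Users and \Temp\).
UNUSUAL_DIRS = [r"*\Users\*", r"*\Temp\*"]
# Legitimate PowerShell hosts: a load by these is the normal case, not the alert.
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


def _like(value: str, patterns) -> bool:
    # Windows paths are case-insensitive, so compare everything in lower case.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dotnet_clr_load(event: dict) -> bool:
    """Sysmon EID 7: clr.dll or clrjit.dll loaded by a process outside the excluded paths."""
    if event.get("EventID") != 7 or _basename(event["ImageLoaded"]) not in {"clr.dll", "clrjit.dll"}:
        return False
    excluded = (_like(event["Image"], CLR_IMAGE_EXCLUSIONS)
                or _like(event.get("ParentImage", ""), CLR_PARENT_EXCLUSIONS))
    return not excluded


def powershell_assembly_unusual(event: dict) -> bool:
    """Sysmon EID 7: System.Management.Automation loaded by a non-PowerShell host from a user or temp directory."""
    if event.get("EventID") != 7 or not _basename(event["ImageLoaded"]).startswith("system.management.automation"):
        return False
    image = event["Image"]
    return _basename(image) not in POWERSHELL_HOSTS and _like(image, UNUSUAL_DIRS)


def run_rules(events) -> List[dict]:
    """Apply both rules and return one finding per (event, rule) hit."""
    out = []
    for ev in events:
        for rule in (dotnet_clr_load, powershell_assembly_unusual):
            if rule(ev):
                out.append({"rule": rule.__name__, "Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"]})
    return out


SMA_DLL = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"

# Constructed Sysmon events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\bob\Downloads\Watson.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 7, "Image": r"C:\Users\bob\AppData\Local\Temp\agent.exe",
     "ImageLoaded": SMA_DLL, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": SMA_DLL, "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f)
```

The second event is dropped by the path exclusions and the fourth by the PowerShell-host check; the Watson-style CLR load from a user profile and the assembly load by an agent in a temp directory are the two hits. Extending the exclusion lists is the same baselining exercise the note above asks app users to do in SPL.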
Copy NPPSPY.dll to C:\Windows\System32 folder and execute the powershell script provided here: ConfigureRegistrySettings.ps1
Then sign out and sign in to see the credentials stored in C:\NPPSPY.txt file
Security Account Manager
sysmon_detect_lsass_memory_createremotethread
Alert for detection of offensive tools such as gsecdump that create a thread in LSASS memory to read credentials
Pre-requisite: Windows Sysmon Logs - Event ID 8
Download gsecdump.exe from the link in Alert References and run the following command:
gsecdump.exe -a
Steal or Forge Authentication Certificates
sysmon_detect_ntlm_hashes_extraction_masky
Alert for detection of possible AD Certificate Services Abuse to dump NTLM hashes via Masky
Emulate via crackmapexec (using masky under the hood)
# Edit the /etc/hosts file to include the IP for the DC pointing to the domain
echo "$DC_IP $DOMAIN" >> /etc/hosts
echo "$DC_IP $DC_HOSTNAME.$DOMAIN" >> /etc/hosts
# We utilize the latest version of crackmapexec from releases to get ADCS details ($PKI_ENROLMENT_SERVER\PKI_ENROLMENT_CN)
# Normal username can be used for querying PKI info
./cme ldap -u $USER_NAME -p $USER_PASSWORD -M adcs $DC_IP
# We leverage the Local Admin username/password to get the masky agent to run and dump info
date ; ./cme smb -u $USER_NAME -p $USER_PASSWORD -o CA='$PKI_ENROLMENT_SERVER\$PKI_ENROLMENT_CN' -M masky $DC_IP ; date
T1555 Credentials from Password Stores
T1555.003 Credentials from Web Browsers
sysmon_detect_firefox_credentials_read
Alert to detect attempts to read firefox credentials from a non-Firefox process
Pre-requisites
This alert requires the File Auditing to be enabled via secpol.msc > Local Policy > Audit Policy > Audit Object Access (Success/Failure)
Once enabled, the file auditing for Read, Read and Execute and List Contents should be enabled on the folder C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox folder from Everyone for Success and Failure. Option available on right-click > Properties > Security > Advanced > Auditing
Emulate via PasswordFox
Download PasswordFox: https://www.nirsoft.net/utils/passwordfox.html
Extract PasswordFox
Execute Password Fox
sysmon_detect_chrome_credentials_read
Alert to detect attempts to read Google Chrome credentials from a non-Chrome process
Pre-requisites
This alert requires the File Auditing to be enabled via secpol.msc > Local Policy > Audit Policy > Audit Object Access (Success/Failure)
Once enabled, the file auditing for Read, Read and Execute and List Contents should be enabled on the folder C:\Users\<Username>\AppData\Roaming\Chrome\User Data\Default\Login Data folder from Everyone for Success and Failure. Option available on right-click > Properties > Security > Advanced > Auditing
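With object-access auditing enabled as described for the Firefox and Chrome alerts, each read of a credential store appears as a Security event 4663 carrying the object path and the reading process. The following is an added example (not the app's SPL) of the filter both alerts describe, in Python over constructed 4663 events: a read of a browser credential store by any process other than that browser. It assumes the standard 4663 field names `ObjectName`, `ProcessName` and `SubjectUserName`; the Chrome pattern is anchored on the `Chrome\User Data\<profile>\Login Data` tail so it matches wherever the profile directory lives, and the events and user names are made up.

```python
"""4663 filter for browser credential stores read by non-browser processes (added example)."""
import fnmatch
from typing import List

# Credential store path patterns and the only process expected to touch them.
# 'Login Data*' also catches the SQLite journal file written beside 'Login Data'.
BROWSER_STORES = {
    "firefox": ([r"*\AppData\Roaming\Mozilla\Firefox\*"], {"firefox.exe"}),
    "chrome": ([r"*\Chrome\User Data\*\Login Data*"], {"chrome.exe"}),
}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _matches(path: str, patterns) -> bool:
    # Case-insensitive match, as Windows paths are
    return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in patterns)


def credential_store_reads(events) -> List[dict]:
    """Return one finding per 4663 event where a non-browser process touched a browser credential store."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        for browser, (patterns, allowed) in BROWSER_STORES.items():
            if _matches(ev["ObjectName"], patterns) and _basename(ev["ProcessName"]) not in allowed:
                findings.append({"browser": browser, "user": ev.get("SubjectUserName"),
                                 "process": ev["ProcessName"], "object": ev["ObjectName"]})
    return findings


FIREFOX_LOGINS = r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"
CHROME_LOGINS = r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"

# Constructed 4663 events (not real log data).
SAMPLE_4663 = [
    {"EventID": 4663, "SubjectUserName": "bob", "AccessMask": "0x1",
     "ProcessName": r"C:\Program Files\Mozilla Firefox\firefox.exe", "ObjectName": FIREFOX_LOGINS},
    {"EventID": 4663, "SubjectUserName": "bob", "AccessMask": "0x1",
     "ProcessName": r"C:\Users\bob\Downloads\PasswordFox.exe", "ObjectName": FIREFOX_LOGINS},
    {"EventID": 4663, "SubjectUserName": "bob", "AccessMask": "0x1",
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ObjectName": CHROME_LOGINS},
    {"EventID": 4663, "SubjectUserName": "bob", "AccessMask": "0x1",
     "ProcessName": r"C:\Users\bob\Downloads\tool.exe", "ObjectName": CHROME_LOGINS},
    {"EventID": 4663, "SubjectUserName": "bob", "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\System32\notepad.exe", "ObjectName": r"C:\Users\bob\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in credential_store_reads(SAMPLE_4663):
        print(f)
```

Backup agents and endpoint security tools will also read these files; add their image paths to the allowed set for each store after baselining rather than widening the path patterns.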
Alert for detecting Bruteforcing username and password combination via tools such as kerbrute
Pre-requisite: Windows Event Log - 4768 (Kerberos Pre-Authentication Ticket Requested)
Enable Audit Logon Events (Success/Failure) in Local Security Policy > Security Settings > Local Policies > Audit Policy
Note: The threshold in this rule must be set as appropriate for the environment (depending on how many failed authentication attempts are typically seen)
Emulate via cmd/kerbrute
# For kerbrute, refer to the link in Alert references to execute attack via kerbrute. Here is a sample command:
/root/go/bin/kerbrute bruteforce --dc $DC_IP -d $DOMAIN /tmp/usernamepassword.txt
sysmon_detect_password_bruteforce
Alert to detect Bruteforcing password for a given username via tools such as kerbrute
Note: The threshold in this rule must be set as appropriate for the environment (depending on how many failed authentication attempts are typically seen)
# Here, every line of the wordlist carries the same username with a different password
# For kerbrute, refer to the link in Alert references to execute attack via kerbrute. Here is a sample command:
/root/go/bin/kerbrute bruteforce --dc $DC_IP -d $DOMAIN /tmp/usernamepassword.txt
TA0007 Discovery
T1087 Account Discovery
sysmon_detect_domain_enumeration_bloodhound
This alert checks if there is an attempt to perform enumeration via bloodhound.py. This has been tested to detect both DCOM and the DEFAULT methods.
Emulate via bloodhound.py
Install and configure bloodhound.py and run the following command to connect to the domain controller and enumerate the domain: