Dlux update #2906
Conversation
Merging latest detections from develop into branch to continue to work on them
@dluxtron: Hey buddy! Can we fix up the conflicts in this PR?
You can ignore the changes in
detections/application/authentication_dm_distributed_password_spray.yml
Hey Bhavin, I've reviewed the conflicts and resolved a couple of the redundant ones. For the two that are left, I'm keen to keep the version in this PR if possible.
Adding some updates on Azure detections post BOTS.

Update 1 Problem: List of privileged groups needs to be updated.
Update 2 Detections:
Update 3 Problem: Target user doesn't pick up when SPNs are added.
Update 4 Problem: When an SPN is used to add a new Client Secret, this isn't being picked up by the detection.
Update 5 Problem: For some reason the IP address wasn't logged for this event during BOTS capture. This meant events weren't picked up by the alert, which was aggregating by the src_ip field.
Update 6 Problem: New Values also includes the previous key details, and creating a key without a name (possibly via PowerShell) causes the field extraction to break.
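The two failure modes in Update 5 and Update 6 (events with no src_ip silently dropped by an aggregation keyed on src_ip; the Azure AD "new value" carrying the old credentials as well as the added one, with a possibly blank name) are illustrated below in Python. This is an added example, not the PR's own SPL; the event field names (actor, src_ip, oldValue, newValue, KeyIdentifier, DisplayName) and the sample events are assumptions constructed for the illustration.

```python
"""Illustration of two detection fixes from the PR comment (example code, not from the PR):
 - Update 5: an aggregation keyed on src_ip loses events where no IP was logged, so fall
   back to the actor as the aggregation key instead of dropping the event.
 - Update 6: the credential-change 'new value' lists the existing keys too, so diff new
   against old to isolate the added key, and tolerate a key with no display name.
Field names follow the Azure AD audit-log shape as assumed here (not taken from the PR)."""
import json
from collections import defaultdict


def key_ids(value: str) -> dict:
    """Parse a JSON list of key credentials into {KeyIdentifier: DisplayName or None}.
    A missing or blank DisplayName (key created without a name) must not break parsing."""
    items = json.loads(value) if value else []
    return {k["KeyIdentifier"]: (k.get("DisplayName") or None) for k in items}


def newly_added_credentials(event: dict) -> list:
    """Return only the credentials this event added: keys in newValue but not in oldValue."""
    old = key_ids(event.get("oldValue", "[]"))
    new = key_ids(event.get("newValue", "[]"))
    return [{"key_id": kid, "name": new[kid]} for kid in new if kid not in old]


def aggregate_by_source(events: list) -> dict:
    """Count added credentials per source; use the actor when src_ip is absent so the
    event is still counted rather than vanishing from the aggregation."""
    counts = defaultdict(int)
    for ev in events:
        source = ev.get("src_ip") or f"actor:{ev.get('actor', 'unknown')}"
        counts[source] += len(newly_added_credentials(ev))
    return dict(counts)


# Constructed sample events (not real log data): the second has no src_ip and adds an unnamed key.
SAMPLE_EVENTS = [
    {"actor": "svc-automation", "src_ip": "203.0.113.10",
     "oldValue": json.dumps([{"KeyIdentifier": "k1", "DisplayName": "legacy"}]),
     "newValue": json.dumps([{"KeyIdentifier": "k1", "DisplayName": "legacy"},
                             {"KeyIdentifier": "k2", "DisplayName": "rotation-2024"}])},
    {"actor": "svc-automation", "src_ip": None,
     "oldValue": json.dumps([{"KeyIdentifier": "k1", "DisplayName": "legacy"}]),
     "newValue": json.dumps([{"KeyIdentifier": "k1", "DisplayName": "legacy"},
                             {"KeyIdentifier": "k3"}])},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(newly_added_credentials(ev))
    print(aggregate_by_source(SAMPLE_EVENTS))
```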
PR Summary
There are 24 new detections, updates to 12 detections, and 5 new lookup files included in this PR.
Also included a whole stack of AD-centric detections focusing on group policy and ACLs of AD objects. Potentially worth putting together as its own analytic story? Or just keep them as part of the sneak AD story (current state)?
Breakdown of each of the new/modified files below:
6 New Detections - misc: Utilising the CIM Datamodel
detections/application/authentication_dm_distributed_password_spray.yml
detections/application/authentication_dm_password_spray.yml
detections/endpoint/windows_network_share_discovery_with_net.yml
detections/network/internal_horizontal_port_scan.yml
detections/network/internal_vertical_port_scan.yml
detections/network/internal_vulnerability_scan.yml
3 New Detections: Misc
detections/application/windows_increase_in_group_or_object_modification_activity.yml
detections/application/windows_increase_in_user_modification_activity.yml
detections/endpoint/windows_vulnerable_driver_installed.yml
5 Updates to existing detections: Fixes
detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
detections/endpoint/windows_ad_domain_replication_acl_addition.yml
detections/cloud/azure_ad_service_principal_new_client_credentials.yml
detections/cloud/azure_ad_privileged_role_assigned.yml
detections/cloud/azure_ad_global_administrator_role_assigned.yml
4 Updates - Misc (additional references, enhancements, etc.)
detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
detections/endpoint/windows_admon_default_group_policy_object_modified.yml
detections/endpoint/windows_admon_group_policy_object_created.yml
2 Updates to existing detections: Adding support for XmlWinEventLog
detections/endpoint/detect_new_local_admin_account.yml
detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
15 New Detections: AD Related
detections/application/windows_ad_add_self_to_group.yml
detections/application/windows_ad_dangerous_deny_acl_modification.yml
detections/application/windows_ad_dangerous_group_acl_modification.yml
detections/application/windows_ad_dangerous_user_acl_modification.yml
detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
detections/application/windows_ad_domain_root_acl_deletion.yml
detections/application/windows_ad_domain_root_acl_modification.yml
detections/application/windows_ad_gpo_deleted.yml
detections/application/windows_ad_gpo_disabled.yml
detections/application/windows_ad_gpo_new_cse_addition.yml
detections/application/windows_ad_hidden_ou_creation.yml
detections/application/windows_ad_object_owner_updated.yml
detections/application/windows_ad_privileged_group_modification.yml
detections/application/windows_ad_self_dacl_assignment.yml
detections/application/windows_ad_suspicious_attribute_modification.yml
5 New Lookups to support the SACL/ACE detections
dist/DA-ESS-ContentUpdate/default/transforms.conf
lookups/ace_access_rights_lookup.csv
lookups/ace_access_rights_lookup.yml
lookups/ace_flag_lookup.csv
lookups/ace_flag_lookup.yml
lookups/ace_type_lookup.csv
lookups/ace_type_lookup.yml
lookups/builtin_groups_lookup.csv
lookups/builtin_groups_lookup.yml
lookups/msad_guid_lookup.csv
lookups/msad_guid_lookup.yml
Checklist
<platform>_<mitre att&ck technique>_<short description> nomenclature