Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nterl0k - T1087.002 - 4662 EventID AD Enumeration #2716

Closed

Conversation

nterl0k
Copy link
Contributor

@nterl0k nterl0k commented Jun 13, 2023

Pending splunk/attack_data#816

Details

Showcases when attackers enumerate AD in mass or for specific high priv (default) groups.

Must allow 4662 events to be ingested by Splunk, which is typically advised against/filtered by the Windows TA.

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.

@MHaggis MHaggis added the 4.6.0 label Jun 15, 2023
nterl0k added 2 commits June 15, 2023 14:56
Update for better presentation in incident review
update for better presentation in incident review....again
@P4T12ICK P4T12ICK removed the 4.6.0 label Jun 22, 2023
@patel-bhavin
Copy link
Contributor

Hello @nterl0k :We are getting some errors for windows_ad_abnormal_object_access_activity.yml. Here is how the given attack data looks in Splunk : you can see that the ObjectName_count is NOT greater than the limit. Do you suspect an issue with the search/ the dataset ? You may need to dump a new dataset for this detetion

Screenshot without the | where ObjectName_count > limit condition

image

@nterl0k
Copy link
Contributor Author

nterl0k commented Sep 13, 2023 via email

@nterl0k
Copy link
Contributor Author

nterl0k commented Sep 13, 2023

@patel-bhavin - I've built an updated dataset that will trigger the detection as expected. - See PR splunk/attack_data#833 for the updated data.

image

@patel-bhavin
Copy link
Contributor

awesome! i merged the attack_data PR and looks like this passes our detection testing now! Thank you for being so prompt as always. Closing this PR and we will be merging the updated PR that contains your content and will be released in ESCU 4.12.0

#2810

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants