-
Notifications
You must be signed in to change notification settings - Fork 364
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Nterl0k - T1087.002 - 4662 EventID AD Enumeration #2716
Nterl0k - T1087.002 - 4662 EventID AD Enumeration #2716
Conversation
Update for better presentation in incident review
update for better presentation in incident review....again
Hello @nterl0k :We are getting some errors for windows_ad_abnormal_object_access_activity.yml. Here is how the given attack data looks in Splunk : you can see that the ObjectName_count is NOT greater than the limit. Do you suspect an issue with the search/ the dataset ? You may need to dump a new dataset for this detetion Screenshot without the |
In our production environment the stddev*3 math seemed to be the sweet spot to avoid the detection being overly sensitive.
I can artificially inflate the dataset to make it work as expected.
If I make a PR to the attack dataset can that be expedited to help with this?
Regards,
Steven.
…-------- Original message --------
From: Bhavin Patel ***@***.***>
Date: 9/12/23 7:56 PM (GMT-05:00)
To: splunk/security_content ***@***.***>
Cc: Steven Dick ***@***.***>, Mention ***@***.***>
Subject: Re: [splunk/security_content] Nterl0k - T1087.002 - 4662 EventID AD Enumeration (PR #2716)
Hello @nterl0k<https://github.com/nterl0k> :We are getting some errors for windows_ad_abnormal_object_access_activity.yml. Here is how the given attack data looks in Splunk : you can see that the ObjectName_count is NOT greater than the limit. Do you suspect an issue with the search/ the dataset ? You may need to dump a new dataset for this detetion
Screenshot without the | where ObjectName_count > limit condition
[image]<https://user-images.githubusercontent.com/7771446/267493748-a79c1a71-2249-4c33-840e-c9e92f426589.png>
—
Reply to this email directly, view it on GitHub<#2716 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AJIYP7UP45GKRC5DFJVJLILX2DZBHANCNFSM6AAAAAAZEYZPUA>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
@patel-bhavin - I've built an updated dataset that will trigger the detection as expected. - See PR splunk/attack_data#833 for the updated data. |
awesome! i merged the attack_data PR and looks like this passes our detection testing now! Thank you for being so prompt as always. Closing this PR and we will be merging the updated PR that contains your content and will be released in ESCU 4.12.0 |
Pending splunk/attack_data#816
Details
Showcases when attackers enumerate AD in mass or for specific high priv (default) groups.
Must allow 4662 events to be ingested by Splunk, which is typically advised against/filtered by the Windows TA.
Checklist
<platform>_<mitre att&ck technique>_<short description>
nomenclature