forked from wagov/wasocshared
Showing 52 changed files with 838 additions and 514 deletions.
docs/advisories/20240219002-Guidance-following-nation-state-attack-on-Microsoft.md (28 changes: 28 additions & 0 deletions)
@@ -0,0 +1,28 @@ | ||
# Guidance following nation state attack on Microsoft - 20240219002 | ||
|
||
## Overview | ||
|
||
The recent nation state [attack on Microsoft](https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/") highlighted significant configuration vulnerabilities that may be present in Entra ID (previously known as Azure AD) tenants. | ||
|
||
## What is vulnerable? | ||
|
||
- If a principal holds the **AppRoleAssignment.ReadWrite.All** app role, that principal may grant any principal (including itself) any app role against any resource app, including the **RoleManagement.ReadWrite.Directory** MS Graph app role | ||
- With the **RoleManagement.ReadWrite.Directory** MS Graph app role, a principal may assign itself or any other principal to any Entra ID role, including Global Administrator | ||
|
||
Based on this information, we know we need to look for two primary things: | ||
|
||
1. Foreign principals (i.r., those coming from a tenant outside of your own) with escalation privileges which create paths to highly privileged roles | ||
1. Foreign principals that already hold highly-privileged roles | ||
|
||
## What has been observed? | ||
|
||
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. | ||
|
||
## Recommendations | ||
|
||
Due to the severity of a compromise of an Entra ID tenant managing privileges for an organisation, the WA SOC recommends reviewing the below guidance and ensuring that Enterprise Applications, Application Registrations and Service Principle role assignments are audited regularly as part of operational account audits and [Secure Configuration Assessments](https://soc.cyber.wa.gov.au/guidelines/secure-configuration/ "https://soc.cyber.wa.gov.au/guidelines/secure-configuration/"). | ||
|
||
## Additional References | ||
|
||
- [**Microsoft Breach — How Can I See This In BloodHound?**](https://posts.specterops.io/microsoft-breach-how-can-i-see-this-in-bloodhound-33c92dca4c65) | ||
- [**AzureHound Community Edition**](https://support.bloodhoundenterprise.io/hc/en-us/articles/17481394564251-AzureHound-Community-Edition) |
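Review bot: two wording errors in this hunk: `(i.r., those coming from a tenant outside of your own)` under "What is vulnerable?" should read `i.e.`, and `Service Principle role assignments` under Recommendations should be `Service Principal`. More substantively, the advisory tells readers to look for foreign principals holding `AppRoleAssignment.ReadWrite.All` or `RoleManagement.ReadWrite.Directory`, but "reviewing the below guidance" points only at two external links and never says how to tell a principal is foreign or how to enumerate the grants; consider adding the concrete check (enumerate each service principal's app role assignments on the Microsoft Graph resource and flag those whose owning tenant, `appOwnerOrganizationId`, is not your own tenant) and state explicitly that holding either one of the two roles is sufficient, since the first bullet shows the first role can grant the second.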
docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md (33 changes: 17 additions & 16 deletions)
@@ -1,40 +1,41 @@ | ||
## S0357 - Potential Impacket Execution "dir" command | ||
### S0357 - Potential Impacket Execution "dir" command | ||
|
||
#### DESCRIPTION | ||
|
||
Actor may use Impacket’s wmiexec, which redirects output to a file within the victim host’s ADMIN$ share (C:\\Windows) containing an epoch timestamp in its name. | ||
|
||
!!! example | ||
``` | ||
cmd.exe /Q /c dir 1> \\127.0.0.1\\ADMIN$\_\_1684944005.9400265 2>&1 | ||
``` | ||
**Example:** | ||
|
||
> cmd.exe /Q /c dir 1> \\127.0.0.1\\ADMIN$\_\_1684944005.9400265 2>&1 | ||
!!! tip "Related" | ||
Volt Typhoon activity | ||
**Related**\ | ||
Volt Typhoon activity | ||
|
||
!!! abstract "Reference" | ||
- <https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection> | ||
- <https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/> | ||
- <https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a> | ||
- <https://github.com/Azure/Azure-Sentinel/blob/3833100de05ce61d6972c43dd5af7b9706e4674c/Solutions/Windows%20Security%20Events/Hunting%20Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml#L21> | ||
**Reference:**\ | ||
https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\ | ||
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\ | ||
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a\ | ||
https://github.com/Azure/Azure-Sentinel/blob/3833100de05ce61d6972c43dd5af7b9706e4674c/Solutions/Windows%20Security%20Events/Hunting%20Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml#L21 | ||
|
||
### ATT&CK TACTICS<br> | ||
#### ATT&CK TACTICS<br> | ||
|
||
{{mitre("S0357")}} | ||
|
||
Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/) | ||
|
||
### SENTINEL RULE QUERY<br> | ||
#### SENTINEL RULE QUERY<br> | ||
|
||
``` | ||
let c1 = dynamic(["cmd.exe", "2>&1", "ADMIN$"]); | ||
find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) | ||
``` | ||
|
||
### Triage | ||
#### Triage | ||
|
||
1. Identify user/service triggering the activity | ||
1. Check time of activity if within business hours | ||
1. Investigate further if the activity is expected and approved | ||
|
||
### VERSION | ||
#### VERSION | ||
|
||
Version 1.0 (date: 10/07/2023) |
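Review bot: moving the wmiexec command out of the fenced block into a `> cmd.exe /Q /c dir 1> \\127.0.0.1\\ADMIN$\_\_1684944005.9400265 2>&1` blockquote changes how it renders: inside a blockquote the backslashes and underscores are processed as markdown escapes, so the UNC path and the `__<epoch>` output filename that the description says to look for no longer appear as typed. Keep the command in a code span or fence (the document's other code, the Sentinel query, is still fenced) so the literal string survives. The same applies to the reference URLs, which were autolinked in the `!!! abstract` admonition and are now bare text with trailing backslashes; wrap them in `<...>` again so they stay clickable. The query itself is unchanged by this hunk, but note that it only keys on `cmd.exe`, `2>&1` and `ADMIN$`, whereas the description's stronger signal is the `1>` redirect to `\\127.0.0.1\ADMIN$\__<epoch>`; the triage steps would be cheaper if that redirect were part of `c1`.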
docs/guidelines/TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md (67 changes: 67 additions & 0 deletions)
@@ -0,0 +1,67 @@ | ||
### S0552 - AdFind Execution | ||
|
||
#### DESCRIPTION <br /> | ||
|
||
Detects the use of Adfind. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain. | ||
|
||
**Example:** | ||
|
||
> adfind.exe -f "(objectcategory=person)" > ad_users.txt | ||
> | ||
> objectcategory=person – Finds all person objects\ | ||
> objectcategory=computer – Finds all computers in domain\ | ||
> trustdmp – Dumps trust objects.\ | ||
> objectcategory=subnet – Finds all subnets\ | ||
> domainlist – Dumps all Domain NCs in forest in sorted DNS list format\ | ||
> dcmodes – Shows modes of all DCs in forest from config\ | ||
> adinfo – Shows Active Directory Info with whoami info.\ | ||
> dclist – Dumps Domain Controllers FQDNs.\ | ||
> computers_pwdnotreqd – Dumps users set with password not required. | ||
**Related**\ | ||
Common tool | ||
|
||
**Reference:**\ | ||
https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\ | ||
https://github.com/SigmaHQ/sigma/blob/b9c0dd661eac6b6efdb47f7cfcbb20b5a5c169da/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml | ||
https://thedfirreport.com/2020/05/08/adfind-recon/\ | ||
https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ | ||
|
||
#### ATT&CK TACTICS <br /> | ||
|
||
{{mitre("S0552")}} | ||
|
||
``` | ||
- attack.discovery | ||
- attack.t1018 | ||
- attack.t1087.002 | ||
- attack.t1482 | ||
- attack.t1069.002 | ||
``` | ||
|
||
Data Source(s): [Command](https://attack.mitre.org/datasources/DS0017/) | ||
|
||
#### SENTINEL RULE QUERY <br /> | ||
|
||
``` | ||
let selection_1 = dynamic(['domainlist', 'trustdmp', 'dcmodes', 'adinfo', ' dclist ', 'computer_pwdnotreqd', 'objectcategory=', '-subnets -f', 'name="Domain Admins"', '-sc u:', 'domainncs', 'dompol', ' oudmp ', 'subnetdmp', 'gpodmp', 'fspdmp', 'users_noexpire', 'computers_active', 'computers_pwdnotreqd']); | ||
DeviceProcessEvents | ||
| where ActionType == "ProcessCreated" | ||
| where FileName == "AdFind.exe" or FolderPath endswith @"\AdFind.exe" | ||
| where ProcessCommandLine has_any (selection_1) | ||
``` | ||
|
||
#### Triage <br /> | ||
|
||
1. This is a high-fidelity threat hunt rules, check the user that performed this action. | ||
1. Inspect if the activity is expected and approved. | ||
1. If this process is unexpected, build further context upon user and device's activities using timeline analysis | ||
|
||
#### FalsePositive <br /> | ||
|
||
1. Legitimate administrative activity. | ||
1. Tuned, high-fidelity threat hunt rules | ||
|
||
#### VERSION <br /> | ||
|
||
Version 2.0 (date: 10/02/2024) |
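Review bot: the second reference line, `.../proc_creation_win_renamed_adfind.yml`, is missing the trailing `\` that the other reference lines carry, so it and the following `thedfirreport.com/2020/05/08/adfind-recon/` link render on one line. That reference also points at a problem in the query: `where FileName == "AdFind.exe" or FolderPath endswith @"\AdFind.exe"` only fires on the original binary name (and `==` is case-sensitive in KQL), so the renamed-AdFind Sigma rule being cited is not actually covered; use `=~` and add a match on `ProcessVersionInfoOriginalFileName` in `DeviceProcessEvents` so a renamed copy is still caught. In the Example block, `computers_pwdnotreqd` is described as "Dumps users set with password not required", but by its name (and alongside `computers_active`) it is a computer-object shortcut; check the wording against AdFind's `-sc` help. The same list mixes `-f` filter values (`objectcategory=person`) with `-sc` shortcut names (`trustdmp`, `dclist`, `adinfo`) without saying which is which, so a reader cannot reconstruct the command lines the query's `selection_1` is matching. Finally, some wording to fix: "It is used to domain trust discovery" should be "used for domain trust discovery", "This is a high-fidelity threat hunt rules" should be singular, and "Tuned, high-fidelity threat hunt rules" under FalsePositive is not a false positive and should be dropped or moved to Triage.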