Merge branch 'main' into main

LSerki · Feb 19, 2024 · 19a0bea · 19a0bea
2 parents c3843ff + 63b3aaa
commit 19a0bea
Show file tree

Hide file tree

Showing 52 changed files with 838 additions and 514 deletions.
diff --git a/docs/advisories/20240219002-Guidance-following-nation-state-attack-on-Microsoft.md b/docs/advisories/20240219002-Guidance-following-nation-state-attack-on-Microsoft.md
@@ -0,0 +1,28 @@
+# Guidance following nation state attack on Microsoft - 20240219002
+
+## Overview
+
+The recent nation state [attack on Microsoft](https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/") highlighted significant configuration vulnerabilities that may be present in Entra ID (previously known as Azure AD) tenants.
+
+## What is vulnerable?
+
+- If a principal holds the **AppRoleAssignment.ReadWrite.All** app role, that principal may grant any principal (including itself) any app role against any resource app, including the **RoleManagement.ReadWrite.Directory** MS Graph app role
+- With the **RoleManagement.ReadWrite.Directory** MS Graph app role, a principal may assign itself or any other principal to any Entra ID role, including Global Administrator
+
+Based on this information, we know we need to look for two primary things:
+
+1. Foreign principals (i.r., those coming from a tenant outside of your own) with escalation privileges which create paths to highly privileged roles
+1. Foreign principals that already hold highly-privileged roles
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendations
+
+Due to the severity of a compromise of an Entra ID tenant managing privileges for an organisation, the WA SOC recommends reviewing the below guidance and ensuring that Enterprise Applications, Application Registrations and Service Principle role assignments are audited regularly as part of operational account audits and [Secure Configuration Assessments](https://soc.cyber.wa.gov.au/guidelines/secure-configuration/ "https://soc.cyber.wa.gov.au/guidelines/secure-configuration/").
+
+## Additional References
+
+- [**Microsoft Breach — How Can I See This In BloodHound?**](https://posts.specterops.io/microsoft-breach-how-can-i-see-this-in-bloodhound-33c92dca4c65)
+- [**AzureHound Community Edition**](https://support.bloodhoundenterprise.io/hc/en-us/articles/17481394564251-AzureHound-Community-Edition)
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md
@@ -1,33 +1,34 @@
-## S0154 - Cobalt Strike: DNS Beaconing
+### S0154 - Cobalt Strike: DNS Beaconing
+
+#### DESCRIPTION
 
 Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike to compromise an environment.
 The query tries to detect suspicious DNS queries known from Cobalt Strike beacons.
 
-!!! example
-    ```
-    aaa.stage.[encryptedstage].MaliciousDomain.com
-    baa.stage.[encryptedstage].MaliciousDomain.com
-    caa.stage.[encryptedstage].MaliciousDomain.com
-    post.[EncryptedData].[RandomValue].MaliciousDomain.com
-    ```
+**Example:**
+
+> aaa.stage.\[encryptedstage\].MaliciousDomain.com,\
+> baa.stage.\[encryptedstage\].MaliciousDomain.com,\
+> caa.stage.\[encryptedstage\].MaliciousDomain.com,
+> post.\[EncryptedData\].\[RandomValue\].MaliciousDomain.com
 
-!!! tip "Related"
-    CobaltStrike
+**Related**\
+CobaltStrike
 
-!!! abstract "Reference"
-    - <https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/network/dns/net_dns_mal_cobaltstrike.yml#L4>
-    - <https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/%5C>
-    - <https://blog.gigamon.com/2017/07/26/footprints-of-fin7-tracking-actor-patterns-part-1/>
+**Reference:**\
+https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/network/dns/net_dns_mal_cobaltstrike.yml#L4\
+https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/\
+https://blog.gigamon.com/2017/07/26/footprints-of-fin7-tracking-actor-patterns-part-1/
 
-### ATT&CK TACTICS
+#### ATT&CK TACTICS<br>
 
 {{mitre("S0154")}}
 
 Data Source(s): [Network Traffic](https://attack.mitre.org/datasources/DS0029)
 
-### SENTINEL RULE QUERY
+#### SENTINEL RULE QUERY<br>
 
-```kusto
+```
 let badNames = dynamic(["aaa.stage","baa.stage","caa.stage", "post.1"]);
 (union isfuzzy=true
 (DnsEvents 
@@ -43,11 +44,11 @@ let badNames = dynamic(["aaa.stage","baa.stage","caa.stage", "post.1"]);
 ))
 ```
 
-### Triage
+#### Triage
 
 1. Inspect DNS queries and destination IP
 1. Note source of endpoint beaconing
 
-### VERSION
+#### VERSION
 
 Version 2.0 (date: 19/12/2023)
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md
@@ -1,32 +1,33 @@
-## S0154 - Cobalt Strike: NamedPipe
+### S0154 - Cobalt Strike: NamedPipe
+
+#### DESCRIPTION
 
 Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike to compromise an environment.
 CobaltStrike uses named pipes for communication between processes. Default beacon configs use pipes in the format "MSSE-x-server", where "x" is a number from 1 to 4 characters.
 
-!!! example
-    ```
-    "MSSE-x-server", where "x" is a number from 1 to 4 characters
-    ```
+**Example:**
+
+> "MSSE-x-server", where "x" is a number from 1 to 4 characters
 
-!!! tip "Related"
-    CobaltStrike
+**Related**\
+CobaltStrike
 
-!!! abstract "Reference"
-    - <https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml#L4>
-    - <https://twitter.com/d4rksystem/status/1357010969264873472>
-    - <https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/>
-    - <https://github.com/SigmaHQ/sigma/issues/253>
-    - <https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/>
-    - <https://redcanary.com/threat-detection-report/threats/cobalt-strike/>
-    - <https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Command%20and%20Control/C2-NamedPipe.yaml>
+**Reference:**\
+https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml#L4\
+https://twitter.com/d4rksystem/status/1357010969264873472\
+https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/\
+https://github.com/SigmaHQ/sigma/issues/253\
+https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/\
+https://redcanary.com/threat-detection-report/threats/cobalt-strike/\
+https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Command%20and%20Control/C2-NamedPipe.yaml
 
-### ATT&CK TACTICS
+#### ATT&CK TACTICS<br>
 
 {{mitre("S0154")}}
 
 Data Source(s): [Named Pipe](https://attack.mitre.org/datasources/DS0023)
 
-### SENTINEL RULE QUERY
+#### SENTINEL RULE QUERY<br>
 
 ```
 let selection_MSSE = dynamic([@'\MSSE-', '-server']);
@@ -41,12 +42,12 @@ DeviceEvents
 //| summarize count(), earliest_Timestamp=min(TimeGenerated) by ActionType, DeviceName, InitiatingProcessParentFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, FileOperation_, PipeName_, TenantId
 ```
 
-### Triage
+#### Triage
 
 1. Remove the comment "//" in 'summarize' statement in above KQL to assist in analysis and removing data duplicates.
 1. Inspect named pipe pattern if matching "MSSE-x-server"
 1. Examine the InitiatingProcessFolderPath folder location, and check for any mistype on service name
 
-### VERSION
+#### VERSION
 
 Version 2.1 (date: 08/11/2023)
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md
@@ -1,40 +1,41 @@
-## S0357 - Potential Impacket Execution "dir" command
+### S0357 - Potential Impacket Execution "dir" command
+
+#### DESCRIPTION
 
 Actor may use Impacket’s wmiexec, which redirects output to a file within the victim host’s ADMIN$ share (C:\\Windows) containing an epoch timestamp in its name.
 
-!!! example
-    ```
-    cmd.exe /Q /c dir 1> \\127.0.0.1\\ADMIN$\_\_1684944005.9400265 2>&1
-    ```
+**Example:**
+
+> cmd.exe /Q /c dir 1> \\127.0.0.1\\ADMIN$\_\_1684944005.9400265 2>&1
 
-!!! tip "Related"
-    Volt Typhoon activity
+**Related**\
+Volt Typhoon activity
 
-!!! abstract "Reference"
-    - <https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection>
-    - <https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/>
-    - <https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a>
-    - <https://github.com/Azure/Azure-Sentinel/blob/3833100de05ce61d6972c43dd5af7b9706e4674c/Solutions/Windows%20Security%20Events/Hunting%20Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml#L21>
+**Reference:**\
+https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\
+https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\
+https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a\
+https://github.com/Azure/Azure-Sentinel/blob/3833100de05ce61d6972c43dd5af7b9706e4674c/Solutions/Windows%20Security%20Events/Hunting%20Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml#L21
 
-### ATT&CK TACTICS<br>
+#### ATT&CK TACTICS<br>
 
 {{mitre("S0357")}}
 
 Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/)
 
-### SENTINEL RULE QUERY<br>
+#### SENTINEL RULE QUERY<br>
 
 ```
 let c1 = dynamic(["cmd.exe", "2>&1", "ADMIN$"]);
 find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) 
 ```
 
-### Triage
+#### Triage
 
 1. Identify user/service triggering the activity
 1. Check time of activity if within business hours
 1. Investigate further if the activity is expected and approved
 
-### VERSION
+#### VERSION
 
 Version 1.0 (date: 10/07/2023)
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md
@@ -1,28 +1,29 @@
-## S0357 - Impacket Secretdump with SMB2
+### S0357 - Impacket Secretdump with SMB2
+
+#### DESCRIPTION
 
 Actor may use Impacket’s wmiexec, which redirects output to a file within the victim host’s ADMIN$ share (C:\\Windows) containing an epoch timestamp in its name.
 
-!!! example
-    ```
-    cmd.exe /Q /c dir 1> \\127.0.0.1\\ADMIN$\_\_1684944005.9400265 2>&1
-    ```
+**Example:**
+
+> cmd.exe /Q /c dir 1> \\127.0.0.1\\ADMIN$\_\_1684944005.9400265 2>&1
 
-!!! tip "Related"
-    Volt Typhoon activity
+**Related**\
+Volt Typhoon activity
 
-!!! abstract "Reference"
-    - <https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection>
-    - <https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/>
-    - <https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a>
-    - <https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/Hunting%20Queries/PotentialImpacketExecution.yaml>
+**Reference:**\
+https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\
+https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\
+https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a\
+https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/Hunting%20Queries/PotentialImpacketExecution.yaml
 
-### ATT&CK TACTICS
+#### ATT&CK TACTICS<br>
 
 {{mitre("S0357")}}
 
 Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/)
 
-### SENTINEL RULE QUERY
+#### SENTINEL RULE QUERY
 
 ```
 (union isfuzzy=true
@@ -49,12 +50,12 @@ Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Comman
   | extend Host_0_DnsDomain = DnsDomain
 ```
 
-### Triage
+#### Triage
 
 1. Identify user/service triggering the activity
 1. Validate .tmp file names and location
 1. Investigate further if the activity is expected and approved
 
-### VERSION
+#### VERSION
 
 Version 1.1 (date: 26/10/2023)
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0521-BloodHound-Commandlets.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0521-BloodHound-Commandlets.md
@@ -1,20 +1,25 @@
-## S0521 - Bloodhound/Sharphound Execution Commandlets
+### S0521 - Bloodhound/Sharphound Execution Commandlets
+
+#### DESCRIPTION
 
 Detects BloodHound activity in commandlines. Bloodhound is and Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment
 
-!!! tip "Related"
-    Bloodhound/Sharphound
+**example:**\
+N/A
+
+**Related**\
+Bloodhound/Sharphound
 
-!!! abstract "Reference"
-    - <https://github.com/SigmaHQ/sigma/blob/cf29e28a54daa9d52f7d1a5996f023e2d08cde84/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml#L40>
+**Reference:**\
+https://github.com/SigmaHQ/sigma/blob/cf29e28a54daa9d52f7d1a5996f023e2d08cde84/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml#L40
 
-### ATT&CK TACTICS
+#### ATT&CK TACTICS
 
 {{mitre("S0521")}}
 
 Data Source(s): [Command](https://attack.mitre.org/datasources/DS001/)
 
-### SENTINEL RULE QUERY
+#### SENTINEL RULE QUERY
 
 ```
 	let c1 = dynamic([' -CollectionMethod All ', ' --CollectionMethods Session ', ' --Loop --Loopduration ', ' --PortScanTimeout ', '.exe -c All -d', 'Invoke-Bloodhound', 'Get-BloodHoundData']);
@@ -25,11 +30,11 @@ Data Source(s): [Command](https://attack.mitre.org/datasources/DS001/)
     InitiatingProcessCommandLine has_all (c3) or ProcessCommandLine has_any (c3) or CommandLine has_all (c3)   
 ```
 
-### Triage
+#### Triage
 
 1. Inspect if the activity is expected and performed by an admin or a pen-test
 1. Check if other programs that use these command line option and accepts an 'All' parameter
 
-### VERSION
+#### VERSION
 
 Version 1.0 (date: 10/07/2023)
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md
@@ -0,0 +1,67 @@
+### S0552 - AdFind Execution
+
+#### DESCRIPTION <br />
+
+Detects the use of Adfind. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
+
+**Example:**
+
+> adfind.exe -f "(objectcategory=person)" > ad_users.txt
+>
+> objectcategory=person – Finds all person objects\
+> objectcategory=computer – Finds all computers in domain\
+> trustdmp – Dumps trust objects.\
+> objectcategory=subnet – Finds all subnets\
+> domainlist – Dumps all Domain NCs in forest in sorted DNS list format\
+> dcmodes – Shows modes of all DCs in forest from config\
+> adinfo – Shows Active Directory Info with whoami info.\
+> dclist – Dumps Domain Controllers FQDNs.\
+> computers_pwdnotreqd – Dumps users set with password not required.
+
+**Related**\
+Common tool
+
+**Reference:**\
+https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\
+https://github.com/SigmaHQ/sigma/blob/b9c0dd661eac6b6efdb47f7cfcbb20b5a5c169da/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
+https://thedfirreport.com/2020/05/08/adfind-recon/\
+https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
+
+#### ATT&CK TACTICS  <br />
+
+{{mitre("S0552")}}
+
+```
+- attack.discovery
+- attack.t1018
+- attack.t1087.002
+- attack.t1482
+- attack.t1069.002    
+```
+
+Data Source(s): [Command](https://attack.mitre.org/datasources/DS0017/)
+
+#### SENTINEL RULE QUERY   <br />
+
+```
+let selection_1 = dynamic(['domainlist', 'trustdmp', 'dcmodes', 'adinfo', ' dclist ', 'computer_pwdnotreqd', 'objectcategory=', '-subnets -f', 'name="Domain Admins"', '-sc u:', 'domainncs', 'dompol', ' oudmp ', 'subnetdmp', 'gpodmp', 'fspdmp', 'users_noexpire', 'computers_active', 'computers_pwdnotreqd']); 
+DeviceProcessEvents
+| where ActionType == "ProcessCreated"
+| where FileName == "AdFind.exe" or FolderPath endswith @"\AdFind.exe"
+| where ProcessCommandLine has_any (selection_1)
+```
+
+#### Triage  <br />
+
+1. This is a high-fidelity threat hunt rules, check the user that performed this action.
+1. Inspect if the activity is expected and approved.
+1. If this process is unexpected, build further context upon user and device's activities using timeline analysis
+
+#### FalsePositive  <br />
+
+1. Legitimate administrative activity.
+1. Tuned, high-fidelity threat hunt rules
+
+#### VERSION   <br />
+
+Version 2.0 (date: 10/02/2024)