
[New Rule] AD Group Modification by SYSTEM #3833

Merged
merged 6 commits into main from system_group_member
Jun 26, 2024

Conversation

w0rk3r
Contributor

@w0rk3r w0rk3r commented Jun 26, 2024

Issues

Part of #3005

Summary

Identifies a user being added to an Active Directory group by the SYSTEM (S-1-5-18) account. This behavior can indicate that an attacker has obtained SYSTEM privileges on a domain controller, which can be achieved by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is now moving to a domain account.
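As an added example (not code from the detection-rules project), the three conditions visible in the rule's query excerpt applied in Python to constructed 4728-style documents, including the managed-service-account case raised in review; every SID, account and DN other than the PR's own sample values is made up.

```python
# Added illustration, not code from the detection-rules repo: applies the query's
# visible conditions to constructed 4728 documents; shows why a gMSA does not match.
from typing import Any

LOCAL_SYSTEM_SID = "S-1-5-18"

def get_path(doc: dict, path: str) -> Any:
    """Resolve a dotted ECS field name (e.g. winlog.event_data.SubjectUserSid)."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def is_group_add_by_system(doc: dict) -> bool:
    """Mirror the query's visible conditions; EQL ':' is case-insensitive, so upper()."""
    sid = get_path(doc, "winlog.event_data.SubjectUserSid") or ""
    return (
        get_path(doc, "winlog.api") == "wineventlog"
        and get_path(doc, "event.action") == "added-member-to-group"
        and sid.upper() == LOCAL_SYSTEM_SID
    )

def make_event(subject: str, subject_sid: str, member: str, group: str) -> dict:
    """Build a minimal 4728 document; field values are constructed for this example."""
    return {
        "winlog": {"api": "wineventlog", "event_id": "4728", "event_data": {
            "SubjectUserName": subject, "SubjectUserSid": subject_sid,
            "MemberName": member, "TargetUserName": group}},
        "event": {"action": "added-member-to-group", "code": "4728"},
    }

# Constructed sample set: the PR's scenario plus two benign look-alikes.
SAMPLES = {
    # LocalSystem on the DC adds a user to Domain Admins (the PR's sample event).
    "dc_localsystem": make_event("KINGSLANDING$", "S-1-5-18",
                                 "CN=griselda2,CN=Users,DC=sevenkingdoms,DC=local", "Domain Admins"),
    # A domain administrator doing the same (constructed domain SID, RID 500): not matched.
    "domain_admin": make_event("Administrator", "S-1-5-21-1111-2222-3333-500",
                               "CN=bob,CN=Users,DC=example,DC=local", "Domain Admins"),
    # A gMSA has its own domain SID rather than S-1-5-18, so it is not matched either.
    "gmsa": make_event("svc_backup$", "S-1-5-21-1111-2222-3333-1108",
                       "CN=alice,CN=Users,DC=example,DC=local", "Backup Operators"),
}

def run_detection(samples: dict) -> list:
    """Return the names of the samples the rule logic would alert on."""
    return [name for name, doc in samples.items() if is_group_add_by_system(doc)]
```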


Sample Data
{
  "_index": ".ds-logs-system.security-default-2024.06.02-000027",
  "_id": "_mshUZABiLqpmBCYIc0d",
  "_score": 1,
  "_source": {
    "agent": {
      "name": "kingslanding",
      "id": "7f284723-4887-414a-850a-8d097a39e724",
      "type": "filebeat",
      "ephemeral_id": "6298e1e7-ea91-48d6-987f-327a7d4b18c4",
      "version": "8.13.4"
    },
    "winlog": {
      "computer_name": "kingslanding.sevenkingdoms.local",
      "process": {
        "pid": 668,
        "thread": {
          "id": 8020
        }
      },
      "keywords": [
        "Audit Success"
      ],
      "logon": {
        "id": "0x3e7"
      },
      "channel": "Security",
      "event_data": {
        "SubjectUserName": "KINGSLANDING$",
        "MemberSid": "S-1-5-21-3200723231-2776246397-2794615967-1606",
        "TargetSid": "S-1-5-21-3200723231-2776246397-2794615967-512",
        "SubjectDomainName": "SEVENKINGDOMS",
        "TargetUserName": "Domain Admins",
        "SubjectLogonId": "0x3e7",
        "MemberName": "CN=griselda2,CN=Users,DC=sevenkingdoms,DC=local",
        "TargetDomainName": "SEVENKINGDOMS",
        "PrivilegeList": "-",
        "SubjectUserSid": "S-1-5-18"
      },
      "opcode": "Info",
      "record_id": "2938367",
      "task": "Security Group Management",
      "event_id": "4728",
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Security-Auditing"
    },
    "log": {
      "level": "information"
    },
    "elastic_agent": {
      "id": "7f284723-4887-414a-850a-8d097a39e724",
      "version": "8.13.4",
      "snapshot": false
    },
    "message": "A member was added to a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tKINGSLANDING$\n\tAccount Domain:\t\tSEVENKINGDOMS\n\tLogon ID:\t\t0x3E7\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-3200723231-2776246397-2794615967-1606\n\tAccount Name:\t\tCN=griselda2,CN=Users,DC=sevenkingdoms,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-3200723231-2776246397-2794615967-512\n\tGroup Name:\t\tDomain Admins\n\tGroup Domain:\t\tSEVENKINGDOMS\n\nAdditional Information:\n\tPrivileges:\t\t-",
    "input": {
      "type": "winlog"
    },
    "@timestamp": "2024-06-25T20:40:33.459Z",
    "ecs": {
      "version": "8.0.0"
    },
    "related": {
      "user": [
        "griselda2",
        "KINGSLANDING$"
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "system.security"
    },
    "host": {
      "hostname": "kingslanding",
      "os": {
        "build": "17763.1935",
        "kernel": "10.0.17763.1935 (WinBuild.160101.0800)",
        "name": "Windows Server 2019 Datacenter Evaluation",
        "family": "windows",
        "type": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "fe80::98c4:385f:70be:f82b",
        "192.168.56.10",
        "fe80::9948:9670:8a73:3d70",
        "192.168.133.157"
      ],
      "name": "kingslanding",
      "id": "c5747c57-62e2-4ca2-9860-0e4753b435ca",
      "mac": [
        "00-0C-29-3D-2F-47",
        "00-0C-29-3D-2F-51"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2024-06-25T20:40:44Z",
      "code": "4728",
      "provider": "Microsoft-Windows-Security-Auditing",
      "kind": "event",
      "created": "2024-06-25T20:40:34.659Z",
      "action": "added-member-to-group",
      "category": [
        "iam"
      ],
      "type": [
        "group",
        "change"
      ],
      "dataset": "system.security",
      "outcome": "success"
    },
    "user": {
      "domain": "SEVENKINGDOMS",
      "name": "KINGSLANDING$",
      "id": "S-1-5-18",
      "target": {
        "domain": "local",
        "name": "griselda2",
        "group": {
          "domain": "SEVENKINGDOMS",
          "name": "Domain Admins",
          "id": "S-1-5-21-3200723231-2776246397-2794615967-512"
        }
      }
    },
    "group": {
      "domain": "SEVENKINGDOMS",
      "name": "Domain Admins",
      "id": "S-1-5-21-3200723231-2776246397-2794615967-512"
    }
  }
}


query = '''
iam where winlog.api == "wineventlog" and event.action == "added-member-to-group" and
winlog.event_data.SubjectUserSid : "S-1-5-18" and
Contributor


This should exclude known AD managed service accounts (MSA) as well, or do we want to include those?

Contributor Author


I expect the MSAs to have a different SID, as this one should be limited to Local System.

Contributor

@terrancedejesus terrancedejesus left a comment


Looks good! Added some thoughts, but should not block.

@w0rk3r w0rk3r merged commit deb08fd into main Jun 26, 2024
9 checks passed
@w0rk3r w0rk3r deleted the system_group_member branch June 26, 2024 21:56
protectionsmachine pushed a commit that referenced this pull request Jun 26, 2024
* [New Rule] AD Group Modification by SYSTEM

* .

* Update rules/windows/persistence_group_modification_by_system.toml

Co-authored-by: Terrance DeJesus <[email protected]>

* Tighten up indexes

* Update persistence_group_modification_by_system.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <[email protected]>

---------

Co-authored-by: Terrance DeJesus <[email protected]>
Co-authored-by: Justin Ibarra <[email protected]>

(cherry picked from commit deb08fd)
Labels: backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Rule: New (Proposal for new rule)