
16.A) Remote System Discovery #37

Open
Cyb3rWard0g opened this issue May 2, 2020 · 11 comments

Comments

@Cyb3rWard0g
Contributor

Description

The attacker enumerates the environment’s domain controller (T1018)

@neu5ron
Contributor

neu5ron commented May 3, 2020

Single source with multiple suspicious dce_rpc operations in 5 minutes. Use the Zeek dce_rpc log and operation values that would be indicative of "enumeration", like SamrGetGroupsForUser and SamrLookupIdsInDomain.

@Cyb3rWard0g
Contributor Author

Niceee, I like it! Is that something that can be applied to the Sigma integration, @neu5ron?

@neu5ron
Contributor

neu5ron commented May 3, 2020

Definitely possible! The only thing I need help with is making sure some of these RPCs aren't as common as one would think. I don't think in combination they would be, except for how most abused legitimate things are: admin scenarios. I will do more research on them to make sure I don't write a rule full of false positives.

@neu5ron
Contributor

neu5ron commented May 4, 2020

Alright, here's the start of my rule; I will keep working on this with more operations:

title: Domain Enumeration Network Reconnaissance Activity
status: experimental
description: Domain enumeration via network reconnaissance. Seen in APT 29 and other common tactics. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller
references:
    - "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
author: '@neu5ron (Nate Guagenti)'
date: 2020/05/03
modified: 2020/05/03
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1082
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation:
            - SamrLookupIdsInDomain
            - SamrGetGroupsForUser
    timeframe: 30s
    condition: selection | count(operation) by src_ip > 4
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium

@Cyb3rWard0g
Contributor Author

That's awesome, brother, you are on 🔥. We are adding the rules here: https://github.com/OTRF/detection-hackathon-apt29/tree/master/rules. I was asking in the other issue where you shared a rule whether it would be good to create a new folder for Zeek in the rules folder, or to keep the rule under Windows since it is technically a rule for Windows environments. Right?

@neu5ron
Contributor

neu5ron commented May 15, 2020

Still testing this rule for false positives; so far it's looking really good.

@neu5ron
Contributor

neu5ron commented May 15, 2020

@Cyb3rWard0g what should I put as the OTRF community author name? I have it in there, but let me know if that is the right name to use. I will submit this one this weekend; going to use it for my talk and such on Tuesday.

title: Domain Enumeration Network Reconnaissance Activity
description: Domain enumeration via network reconnaissance. Seen in APT 29 and other common tactics. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller
id: 66a0bdc6-ee04-441a-9125-99d2eb547942
references:
    - "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
author: 'Nate Guagenti (@neu5ron), Open Threat Research Forge Community (OTRF)'
date: 2020/05/03
modified: 2020/05/03
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1082
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation:
            - SamrLookupIdsInDomain #method translates a set of RIDs into account names
            - SamrGetGroupsForUser #method obtains a listing of groups that a user is a member of
            - LsarLookupSids3 #method translates a batch of security principal SIDs to their name forms
            - SamrEnumerateDomainsInSamServer #method obtains a listing of all domains hosted by the server side of this protocol
            - SamrQueryInformationGroup #method obtains attributes from a group object
            - LsarLookupNames3 #method translates a batch of security principal names to their SID form
            - SamrLookupNamesInDomain #method translates a set of account names into a set of RIDs
            - SamrQuerySecurityObject #method queries the access control on a server, domain, user, group, or alias object
            - LsarEnumerateTrustedDomains #method returns the trusted domains known to the LSA server
    timeframe: 30s
    condition: selection | count(operation) by src_ip > 4
falsepositives:
    - Devices that may do authentication, like a VPN or a firewall that looks up IPs to usernames
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
status: experimental
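The rule's aggregation (count(operation) by src_ip > 4 within timeframe: 30s) run over Zeek dce_rpc JSON lines, as an added example that is not part of this thread or of the Sigma rule itself, and serving both versions of the rule posted above. It assumes Sigma's count(field) means distinct values of that field, that src_ip maps to Zeek's id.orig_h, that records arrive in timestamp order per source, and uses constructed sample records rather than real traffic.

```python
import json
from collections import defaultdict, deque

# "operation" values from the Sigma rule posted above (Zeek dce_rpc log field).
ENUM_OPERATIONS = {
    "SamrLookupIdsInDomain", "SamrGetGroupsForUser", "LsarLookupSids3",
    "SamrEnumerateDomainsInSamServer", "SamrQueryInformationGroup", "LsarLookupNames3",
    "SamrLookupNamesInDomain", "SamrQuerySecurityObject", "LsarEnumerateTrustedDomains",
}
TIMEFRAME_SECONDS = 30  # rule: timeframe: 30s
THRESHOLD = 4           # rule: count(operation) by src_ip > 4 (distinct operations per source)

def find_enumeration_sources(log_lines):
    """Return {src_ip: window_start_ts} for each source that used more than THRESHOLD distinct
    enumeration operations within TIMEFRAME_SECONDS. Input: Zeek dce_rpc JSON lines in timestamp
    order per source (as Zeek writes them); malformed lines and other operations are ignored."""
    windows, hits = defaultdict(deque), {}  # src_ip -> deque of (ts, operation) in current window
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines instead of crashing the detector
        op = rec.get("operation")
        if op not in ENUM_OPERATIONS:
            continue
        src, ts = rec["id.orig_h"], float(rec["ts"])  # id.orig_h is what Sigma calls src_ip here
        window = windows[src]
        window.append((ts, op))
        while ts - window[0][0] > TIMEFRAME_SECONDS:  # slide: drop events older than the timeframe
            window.popleft()
        if src not in hits and len({o for _, o in window}) > THRESHOLD:
            hits[src] = window[0][0]
    return hits

def _rec(ts, src, op):
    # Constructed Zeek dce_rpc record for the demo (not real traffic); keys follow Zeek's JSON writer.
    return json.dumps({"ts": ts, "uid": "CDemo01", "id.orig_h": src, "id.orig_p": 49233,
                       "id.resp_h": "10.0.0.1", "id.resp_p": 445, "endpoint": "samr", "operation": op})

# Constructed sample log: one noisy source, one repetitive one, one slow one, plus junk lines.
SAMPLE_LOG = (
    [_rec(1588550000.0 + d, "10.0.0.5", op) for d, op in  # five distinct ops in 12 s -> alert
     zip((0, 3, 5, 8, 12), ("SamrEnumerateDomainsInSamServer", "SamrLookupNamesInDomain",
                            "SamrGetGroupsForUser", "SamrLookupIdsInDomain", "LsarLookupSids3"))]
    + [_rec(1588550020.0 + i, "10.0.0.7", "LsarLookupSids3") for i in range(6)]  # same op x6 -> no alert
    + [_rec(1588550100.0 + 60 * i, "10.0.0.9", op)  # five distinct ops 60 s apart -> never > 1 per window
       for i, op in enumerate(sorted(ENUM_OPERATIONS)[:5])]
    + ['{"ts": 1588550500.0, "id.orig_h": "10.0.0.9", "operation": "NetrShareEnum"}', "not json"]
)
```

Only 10.0.0.5 is reported: the repeated-operation source and the slow source both stay under the distinct-count threshold inside any 30 s window, which is the behaviour the falsepositives section relies on.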

@Cyb3rWard0g
Contributor Author

Hey @neu5ron, yeah, it would be Open Threat Research (OTR). Open Threat Research Forge is the GitHub repo (a Forge) for the OTR initiative 😉, so Open Threat Research (OTR) would be better to reference the community in general. Thank you very much for asking! Regarding submitting the rule to SIGMA, yes, that works. I will track it as a rule created from this event.

Would it be possible that when you submit the rule you reference the event and the community in the PR title or the description? Thank you very much for your contributions, man. I appreciate it!! I have a few rules coming too 😉

@neu5ron
Contributor

neu5ron commented May 18, 2020

@Cyb3rWard0g can you verify this meets your requests? https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
The only reason I did not put APT 29 in the title is that this goes far beyond any APT and is going to work for many things :) i.e., a technique for domain enumeration used by whoever 💥

@Cyb3rWard0g
Contributor Author

Hey @neu5ron, did you update the link? It does not work.

@neu5ron
Contributor

neu5ron commented May 28, 2020

Yeah, the rule is merged into SIGMA too:

https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
