-
Notifications
You must be signed in to change notification settings - Fork 502
/
credential_access_saved_creds_vault_winlog.toml
78 lines (65 loc) · 2.89 KB
/
credential_access_saved_creds_vault_winlog.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
[metadata]
creation_date = "2022/08/30"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/10/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
description = """
Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected
applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for
saved usernames and passwords. This may also be performed in preparation of lateral movement.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Multiple Vault Web Credentials Read"
references = [
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",
"https://www.elastic.co/security-labs/detect-credential-access",
]
risk_score = 47
rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: System"]
type = "eql"
query = '''
sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
/* 2 consecutive vault reads from same pid for web creds */
[any where event.code : "5382" and
(winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
not winlog.event_data.SubjectLogonId : "0x3e7" and
not winlog.event_data.Resource : "http://localhost/"]
[any where event.code : "5382" and
(winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
not winlog.event_data.SubjectLogonId : "0x3e7" and
not winlog.event_data.Resource : "http://localhost/"]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.004"
name = "Windows Credential Manager"
reference = "https://attack.mitre.org/techniques/T1555/004/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"