Beautiful..thank you SO much Risto. I love the fact that you not only provide something I can use right away, but took the time to explain how it works. I learn more about SEC every time I email the list.
Thanks again!

James

On Thu, 2021-07-08 at 13:08 +0300, Risto Vaarandi wrote:
> hi James,
>
> yes, you can employ the EventGroup rule for addressing this task, and let me provide two slightly different solutions below. The first and somewhat simpler solution looks like this:
>
> type=EventGroup
> ptype=RegExp
> pattern=^\d+\.\d+ \S+ ([\d.]+) \d+ ([\d.]+) 445 \d+\.\d+ \\\\pipe\\\\lsass netlogon DsrEnumerateDomainTrusts
> context=!ATTACKER_$1_DC_$2
> count=alias ATTACKER_$1 ATTACKER_$1_DC_$2
> init=create ATTACKER_$1
> end=delete ATTACKER_$1
> desc=Attacker $1 has enumerated domain trust against several domain controllers
> action=write - %s
> thresh=3
> window=30
>
> The regular expression pattern of the rule has been designed to match events in the format you have described, except the expression assumes that instead of SameIP and DifferentIP there are IPv4 addresses in the event. For example:
>
> 1625677087.655857 CAY8g9D3jAKFwhD02 10.1.1.1 59143 192.168.1.1 445 0.017172 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
>
> Also, it is assumed that the first IP address (10.1.1.1 in the above event) belongs to the attacker, while the second IP address (192.168.1.1) belongs to the domain controller. The above EventGroup rule runs event correlation operations that write alerts to standard output if the same attacker accesses three different domain controllers within 30 seconds. Since the 'desc' field of the rule has a value with $1 variable (IP address of the attacker), the rule runs a separate event correlation operation for each attacker, with each operation having its own event counter.
>
> In order to make sure that access to each domain controller from the same attacker is counted just once by the corresponding operation, the above rule employs context aliases which refer to the same context data structure. The use of just one context with multiple alias names for each attacker eases the garbage collection procedure when event correlation operation for the attacker is complete.
>
> Each time the rule observes an event for a new attacker, it creates a new event correlation operation for this attacker, and the initialization action 'create ATTACKER_$1' provided with the 'init' field is executed. This action will create the context ATTACKER_<attackerip> that all future alias names for this attacker will refer to.
>
> When an event for attacker <attackerip> and domain controller <dcip> is observed, the rule will check if the context alias ATTACKER_<attackerip>_DC_<dcip> exists (that check is implemented by the 'context' field of the rule). If that alias is not present, the event gets processed, and the event correlation operation that is executing for attacker <attackerip> will create a new alias with that name, with the alias pointing to context ATTACKER_<attackerip> (the relevant action is defined in the 'count' field of the rule). For example, when the event
>
> 1625677087.655857 CAY8g9D3jAKFwhD02 10.1.1.1 59143 192.168.1.1 445 0.017172 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
>
> is observed, the alias ATTACKER_10.1.1.1_DC_192.168.1.1 gets created which points to context ATTACKER_10.1.1.1. When the event for the attacker 10.1.1.1 and domain controller 192.168.1.1 appears again, the boolean expression !ATTACKER_10.1.1.1_DC_192.168.1.1 provided with the 'context' field evaluates false, and the event is no longer matching the rule. This ensures that when multiple events for the same domain controller and attacker combination appear, only the first event is counted. Therefore, if an event correlation operation is executing for attacker 10.1.1.1 and its event counter reaches the value of 3, three events have been observed for attacker 10.1.1.1 for different domain controller IP addresses.
>
> When the event correlation operation for some attacker IP terminates, the garbage collection action given with the 'end' field is executed, and 'delete ATTACKER_$1' action will remove the context ATTACKER_<attackerip> and all its aliases.
>
> In order to illustrate the work of this rule, consider the following four events for attacker 10.1.1.1 and three different domain controllers:
>
> 1625677087.655857 CAY8g9D3jAKFwhD02 10.1.1.1 59143 192.168.1.1 445 0.017172 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
> 1625677087.655860 CAY8g9D3jAKFwhD02 10.1.1.1 59143 192.168.1.1 445 0.017172 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
> 1625677087.744290 C6mmd42niEVcW1djY5 10.1.1.1 59144 192.168.1.2 445 0.003689 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
> 1625677087.776183 CamRzj1Y20KA9cv9Mi 10.1.1.1 59145 192.168.1.3 445 0.003968 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
>
> Here is the debug log of SEC which illustrates the event correlation process:
>
> 1625677087.655857 CAY8g9D3jAKFwhD02 10.1.1.1 59143 192.168.1.1 445 0.017172 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts   <- first input event
> Creating context 'ATTACKER_10.1.1.1'   <- an event correlation operation starts for attacker 10.1.1.1 and context ATTACKER_10.1.1.1 is created
> Creating alias 'ATTACKER_10.1.1.1_DC_192.168.1.1' for context 'ATTACKER_10.1.1.1'   <- a context alias for attacker 10.1.1.1 and DC 192.168.1.1 is created and event counter of the operation for 10.1.1.1 is incremented to 1
> 1625677087.655860 CAY8g9D3jAKFwhD02 10.1.1.1 59143 192.168.1.1 445 0.017172 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts   <- second input event: since the alias ATTACKER_10.1.1.1_DC_192.168.1.1 already exists, the input event is not processed
> 1625677087.744290 C6mmd42niEVcW1djY5 10.1.1.1 59144 192.168.1.2 445 0.003689 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts   <- third input event
> Creating alias 'ATTACKER_10.1.1.1_DC_192.168.1.2' for context 'ATTACKER_10.1.1.1'   <- a context alias for attacker 10.1.1.1 and DC 192.168.1.2 is created and event counter of the operation for 10.1.1.1 is incremented to 2
> 1625677087.776183 CamRzj1Y20KA9cv9Mi 10.1.1.1 59145 192.168.1.3 445 0.003968 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts   <- fourth input event
> Creating alias 'ATTACKER_10.1.1.1_DC_192.168.1.3' for context 'ATTACKER_10.1.1.1'   <- a context alias for attacker 10.1.1.1 and DC 192.168.1.3 is created and event counter of the operation for 10.1.1.1 is incremented to 3
> Writing event 'Attacker 10.1.1.1 has enumerated domain trust against several domain controllers' to file '-'
> Attacker 10.1.1.1 has enumerated domain trust against several domain controllers   <- since the counter of the operation for 10.1.1.1 has reached the value of 3, write an alert message to standard output
> Deleting context 'ATTACKER_10.1.1.1'   <- the event correlation operation for attacker 10.1.1.1 is terminating and dropping the context ATTACKER_10.1.1.1 and its aliases
> Context 'ATTACKER_10.1.1.1' deleted
> Context 'ATTACKER_10.1.1.1_DC_192.168.1.1' deleted
> Context 'ATTACKER_10.1.1.1_DC_192.168.1.3' deleted
> Context 'ATTACKER_10.1.1.1_DC_192.168.1.2' deleted
>
> The above EventGroup rule has one drawback -- if the threshold of 3 events is not reached during 30 seconds for an event correlation operation, the 30 second event correlation window of the operation will start to slide, and the operation could potentially exist for a longer period of time. However, since aliases do not have any fixed lifetime, they will continue to suppress events for a given combination of attacker and domain controller, even if the first event for this combination is already outside of the 30 second event correlation window.
>
> If this is an issue in your environment and you want to address it, you could enhance the 'count' field of the above rule as follows:
>
> alias ATTACKER_$1 ATTACKER_$1_DC_$2; create ATTACKER_$1_DC_$2_LIFETIME 30 ( unalias ATTACKER_$1_DC_$2 )
>
> Here is the full rule definition with the modified 'count' field:
>
> type=EventGroup
> ptype=RegExp
> pattern=^\d+\.\d+ \S+ ([\d.]+) \d+ ([\d.]+) 445 \d+\.\d+ \\\\pipe\\\\lsass netlogon DsrEnumerateDomainTrusts
> context=!ATTACKER_$1_DC_$2
> count=alias ATTACKER_$1 ATTACKER_$1_DC_$2; \
>       create ATTACKER_$1_DC_$2_LIFETIME 30 ( unalias ATTACKER_$1_DC_$2 )
> init=create ATTACKER_$1
> end=delete ATTACKER_$1
> desc=Attacker $1 has enumerated domain trust against several domain controllers
> action=write - %s
> thresh=3
> window=30
>
> With this change, a separate context ATTACKER_<attackerip>_DC_<dcip>_LIFETIME will be set up for each alias after the creation of the alias. The context will exist for 30 seconds (the size of the event correlation window) and will drop the alias with 'unalias' action when context lifetime expires. Therefore, each alias will exist for 30 seconds only, and when the event that triggered its creation moves outside the event correlation window, the operation is able to count the event for the given attacker and domain controller combination again. Note that although the *_LIFETIME contexts are not removed when the operation terminates, they will time out quite quickly, and executing 'unalias' action for a non-existing alias name is a no-op (you will only get a debug-level message in the SEC log that the alias does not exist).
>
> One final note -- you can find a similar solution for this scenario in a paper that is available from the SEC home page:
> https://ristov.github.io/publications/cogsima15-sec-web.pdf
>
> Hope this helps,
> risto
>
>
> James Lay (<j...@slave-tothe-box.net>) wrote on Wed, 7 July 2021 at 22:23:
> > Hey all.
> >
> > So....been looking at EventGroups thinking this might fit the bill, but I'm not sure so I'm coming to you folks. I have the below:
> >
> > 1625677087.655857 CAY8g9D3jAKFwhD02 SameIP 59143 DifferentIP 445 0.017172 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
> > 1625677087.744290 C6mmd42niEVcW1djY5 SameIP 59144 DifferentIP 445 0.003689 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
> > 1625677087.776183 CamRzj1Y20KA9cv9Mi SameIP 59145 DifferentIP 445 0.003968 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
> > 1625677203.779593 CF4JvS21lo6Beh3jUb SameIP 59149 DifferentIP 445 0.001475 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
> > 1625677203.892484 C6LZI2ooakJbNI6vj SameIP 59150 DifferentIP 445 0.023818 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
> >
> > My goal is to flag on this type of behaviour (a single IP enumerating domain trust against several domain controllers in a small space of time). Anyone have any tips on how to implement something like this? Is EventGroup not what I need? Thank you.
> >
> > James
> > _______________________________________________
> > Simple-evcorr-users mailing list
> > simple-evcorr-us...@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
_______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
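The Python replay below is an added example; it is not code from the thread, from SEC, or from James's setup. It models the semantics Risto describes for both rules (one operation per attacker, alias suppression of repeated attacker/DC pairs, a sliding 30-second window, and the *_LIFETIME variant that unaliases after 30 seconds) so the drawback of the first rule and the effect of the fix can be seen on the same input. Assumptions: the regex captures the timestamp as an extra group (the SEC pattern does not need it, so $1/$2 there become groups 2 and 3 here); operation termination on an emptied window is approximated by checking the window when the next event for that attacker arrives rather than on a timer; the lines for attacker 10.1.1.2 are constructed to show a DC being revisited after its first event has left the window.

```python
import re

# Translation of the rule's RegExp pattern. Group 1 (timestamp) is an addition
# for the simulation; groups 2 and 3 correspond to $1 (attacker) and $2 (DC).
PATTERN = re.compile(
    r"^(\d+\.\d+) \S+ ([\d.]+) \d+ ([\d.]+) 445 \d+\.\d+ "
    r"\\\\pipe\\\\lsass netlogon DsrEnumerateDomainTrusts"
)
THRESH = 3      # thresh=3
WINDOW = 30.0   # window=30


def correlate(lines, alias_lifetime=None):
    """Replay the EventGroup rule over log lines and return (timestamp, attacker) alerts.

    alias_lifetime=None -> first rule: an alias lives as long as its operation.
    alias_lifetime=30   -> second rule: the *_LIFETIME context unaliases after 30 s.
    """
    ops = {}       # attacker -> timestamps of counted events (operation state)
    aliases = {}   # (attacker, dc) -> expiry time, or None for 'no fixed lifetime'
    alerts = []

    def end_operation(attacker):
        # 'end=delete ATTACKER_$1': drop the context and every alias pointing to it
        ops.pop(attacker, None)
        for key in [k for k in aliases if k[0] == attacker]:
            del aliases[key]

    for line in lines:
        m = PATTERN.match(line)
        if not m:
            continue
        t, attacker, dc = float(m.group(1)), m.group(2), m.group(3)

        # *_LIFETIME contexts that expired before this event have already run 'unalias'
        for key in [k for k, exp in aliases.items() if exp is not None and exp <= t]:
            del aliases[key]

        # The window slides: if no counted event is left inside it, the operation
        # terminated (running its end action) before this event arrived.
        if attacker in ops:
            ops[attacker] = [ts for ts in ops[attacker] if ts > t - WINDOW]
            if not ops[attacker]:
                end_operation(attacker)

        # context=!ATTACKER_$1_DC_$2: a live alias means this pair was already counted
        if (attacker, dc) in aliases:
            continue

        # init=create ATTACKER_$1 is implicit on the first event for an attacker;
        # count=alias ... (; create *_LIFETIME ...) records the pair and bumps the counter
        counted = ops.setdefault(attacker, [])
        aliases[(attacker, dc)] = None if alias_lifetime is None else t + alias_lifetime
        counted.append(t)

        if len(counted) >= THRESH:
            alerts.append((t, attacker))
            end_operation(attacker)   # the action fires once, then the operation ends
    return alerts


# Constructed sample input (not from the thread): the four events from the reply,
# then attacker 10.1.1.2 hitting DC .1 at +0 s, DC .2 at +20 s, DC .1 again at
# +35 s (its first event is now outside the window) and DC .3 at +40 s.
SAMPLE = r"""
1625677087.655857 CAY8g9D3jAKFwhD02 10.1.1.1 59143 192.168.1.1 445 0.017172 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
1625677087.655860 CAY8g9D3jAKFwhD02 10.1.1.1 59143 192.168.1.1 445 0.017172 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
1625677087.744290 C6mmd42niEVcW1djY5 10.1.1.1 59144 192.168.1.2 445 0.003689 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
1625677087.776183 CamRzj1Y20KA9cv9Mi 10.1.1.1 59145 192.168.1.3 445 0.003968 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
1625677100.000000 Cxx1 10.1.1.2 59200 192.168.1.1 445 0.001000 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
1625677120.000000 Cxx2 10.1.1.2 59201 192.168.1.2 445 0.001000 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
1625677135.000000 Cxx3 10.1.1.2 59202 192.168.1.1 445 0.001000 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
1625677140.000000 Cxx4 10.1.1.2 59203 192.168.1.3 445 0.001000 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
""".strip().splitlines()


if __name__ == "__main__":
    print("first rule :", correlate(SAMPLE))
    print("second rule:", correlate(SAMPLE, alias_lifetime=30))
```

With the first rule only attacker 10.1.1.1 is reported: for 10.1.1.2 the window has slid past the +0 s event by the time DC .1 is seen again, but the alias from that event still suppresses the repeat, so the counter stands at 2 when DC .3 arrives. With the 30-second alias lifetime the repeat at +35 s is counted again, and the +40 s event brings the operation to the threshold.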