Splunk Search for Bloodhound

Öncelikle Group Pollicy üzerinde aşağıdaki ayarlamaları yapmalısınız.

Computer Configuration è Policies è Windows Settings è Security Settings è Advanced Audit Policy Configuration è Audit Policies è DS Access : Audit Directory Service Access (success and failure)

Bloodhound’u çalıştırıldığında AD Security loglarına aşağıdaki gibi loglar düşer.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 20/08/2019 09:00:29

Event ID: 4662

Task Category: Directory Service Access

Level: Information

Keywords: Audit Success

User: N/A

Computer: dc1.ceyhuncamli.com

Description:

An operation was performed on an object.

 

Subject :

    Security ID:        ceyhuncamli\Administrator

    Account Name:        Administrator

    Account Domain:        ceyhuncamli

    Logon ID:        0x2FA81

 

Object:

    Object Server:        DS

    Object Type:        user

    Object Name:        CN=canary,CN=Users,DC=ceyhuncamli,DC=com

    Handle ID:        0x0

 

Operation:

    Operation Type:        Object Access

    Accesses:        Read Property    

    Access Mask:        0x10

    Properties:        Read Property

        General Information

            sAMAccountType

            primaryGroupID

        Account Restrictions

            userAccountControl

        Public Information

            objectClass

    User

 

 

Additional Information:

    Parameter 1:        –

    Parameter 2:        

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 20/08/2019 09:00:29

Event ID: 4662

Task Category: Directory Service Access

Level: Information

Keywords: Audit Success

User: N/A

Computer: dc1.ceyhuncamli.com

Description:

An operation was performed on an object.

 

Subject :

    Security ID:        ceyhuncamli\Administrator

    Account Name:        Administrator

    Account Domain:        ceyhuncamli

    Logon ID:        0x2FA81

 

Object:

    Object Server:        DS

    Object Type:        user

    Object Name:        CN=canary,CN=Users,DC=ceyhuncamli,DC=com

    Handle ID:        0x0

 

Operation:

    Operation Type:        Object Access

    Accesses:        Read Property

                

    Access Mask:        0x10

    Properties:        Read Property

    User

        Public Information

            cn

            distinguishedName

        Group Membership

            member

        General Information

            primaryGroupID

            objectSid

            sAMAccountName

            sAMAccountType

        dNSHostName

            dNSHostName

 

 

Additional Information:

    Parameter 1:        –

    Parameter 2:        

 

Bloudhount tespiti için oldukça iyi sonuç veren bir Splunk araması (60 dakikalık periyotlarla çalıştırılabilir.)

index=winevent_sec EventCode=4662 Accesses=”Read Property”

| rex field=_raw “(?<PropertiesLIST>(?s)(?<=Properties:).+?(?=Additional))”

| eval PropertiesLIST=replace(PropertiesLIST, “[\n\r]”,”;”)

| makemv delim=”;” PropertiesLIST

| stats count values(PropertiesLIST) as PropertiesLIST by user

| eval propertyLen=mvcount(PropertiesLIST)

| where propertyLen=16

| search (PropertiesLIST=”*User*” AND

PropertiesLIST=”*Public Information*” AND

PropertiesLIST=”*cn*” AND

PropertiesLIST=”*distinguishedName*” AND

PropertiesLIST=”*Group Membership*” AND

PropertiesLIST=”*member*” AND

PropertiesLIST=”*General Information*” AND

PropertiesLIST=”*primaryGroupID*” AND

PropertiesLIST=”*objectSid*” AND

PropertiesLIST=”*sAMAccountName*” AND

PropertiesLIST=”*sAMAccountType*” AND

PropertiesLIST=”*dNSHostName*” AND

PropertiesLIST=”*Account Restrictions*” AND

PropertiesLIST=”*userAccountControl*” AND

PropertiesLIST=”*objectClass*” AND

PropertiesLIST=”*Read Property*”)

 

Yararlanılan Kaynaklar

 

http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html

https://blog.menasec.net/2019/02/threat-hunting-7-detecting.html