Splunk Search for Bloodhound

First, configure the following setting in Group Policy:

Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → DS Access: Audit Directory Service Access (Success and Failure)

When BloodHound is run, entries like the following are written to the AD Security log.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          20/08/2019 09:00:29
Event ID:      4662
Task Category: Directory Service Access
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dc1.ceyhuncamli.com
Description:
An operation was performed on an object.

Subject:
    Security ID:     ceyhuncamli\Administrator
    Account Name:    Administrator
    Account Domain:  ceyhuncamli
    Logon ID:        0x2FA81

Object:
    Object Server:   DS
    Object Type:     user
    Object Name:     CN=canary,CN=Users,DC=ceyhuncamli,DC=com
    Handle ID:       0x0

Operation:
    Operation Type:  Object Access
    Accesses:        Read Property
    Access Mask:     0x10
    Properties:      Read Property
        General Information
            sAMAccountType
            primaryGroupID
        Account Restrictions
            userAccountControl
        Public Information
            objectClass
    User

Additional Information:
    Parameter 1:     -
    Parameter 2:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          20/08/2019 09:00:29
Event ID:      4662
Task Category: Directory Service Access
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dc1.ceyhuncamli.com
Description:
An operation was performed on an object.

Subject:
    Security ID:     ceyhuncamli\Administrator
    Account Name:    Administrator
    Account Domain:  ceyhuncamli
    Logon ID:        0x2FA81

Object:
    Object Server:   DS
    Object Type:     user
    Object Name:     CN=canary,CN=Users,DC=ceyhuncamli,DC=com
    Handle ID:       0x0

Operation:
    Operation Type:  Object Access
    Accesses:        Read Property
    Access Mask:     0x10
    Properties:      Read Property
    User
        Public Information
            cn
            distinguishedName
        Group Membership
            member
        General Information
            primaryGroupID
            objectSid
            sAMAccountName
            sAMAccountType
        dNSHostName
            dNSHostName

Additional Information:
    Parameter 1:     -
    Parameter 2:

A Splunk search that gives quite good results for BloodHound detection (it can be run at 60-minute intervals):

index=winevent_sec EventCode=4662 Accesses="Read Property"
| rex field=_raw "(?<PropertiesLIST>(?s)(?<=Properties:).+?(?=Additional))"
| eval PropertiesLIST=replace(PropertiesLIST, "[\n\r]", ";")
| makemv delim=";" PropertiesLIST
| stats count values(PropertiesLIST) as PropertiesLIST by user
| eval propertyLen=mvcount(PropertiesLIST)
| where propertyLen=16
| search (PropertiesLIST="*User*" AND
    PropertiesLIST="*Public Information*" AND
    PropertiesLIST="*cn*" AND
    PropertiesLIST="*distinguishedName*" AND
    PropertiesLIST="*Group Membership*" AND
    PropertiesLIST="*member*" AND
    PropertiesLIST="*General Information*" AND
    PropertiesLIST="*primaryGroupID*" AND
    PropertiesLIST="*objectSid*" AND
    PropertiesLIST="*sAMAccountName*" AND
    PropertiesLIST="*sAMAccountType*" AND
    PropertiesLIST="*dNSHostName*" AND
    PropertiesLIST="*Account Restrictions*" AND
    PropertiesLIST="*userAccountControl*" AND
    PropertiesLIST="*objectClass*" AND
    PropertiesLIST="*Read Property*")
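To see what the search above actually computes, here is the same pipeline as a stand-alone Python script (an added example, not part of the original post or of Splunk): the `rex` extraction, the per-user `values()` aggregation, the `mvcount`=16 check and the attribute match. The `record()` helper, the sample events and the `svc-backup` account are constructed for the example, and it assumes, as the search does, that whitespace-only lines between `Properties:` and `Additional` are dropped.

```python
import re
from collections import defaultdict

# The 16 distinct values the Splunk search requires (taken from the query above).
REQUIRED = {
    "Read Property", "User", "Public Information", "cn", "distinguishedName",
    "Group Membership", "member", "General Information", "primaryGroupID",
    "objectSid", "sAMAccountName", "sAMAccountType", "dNSHostName",
    "Account Restrictions", "userAccountControl", "objectClass",
}
PROPS_RE = re.compile(r"(?s)(?<=Properties:).+?(?=Additional)")  # same as the rex
USER_RE = re.compile(r"Account Name:\s*(\S+)")

def record(user, lines):
    """Build a constructed, abbreviated 4662 record in the layout shown above."""
    body = "\n".join("        " + line for line in lines)
    return (f"Event ID: 4662\nSubject :\n    Account Name:        {user}\n"
            f"Operation:\n    Accesses:        Read Property\n"
            f"    Properties:        Read Property\n{body}\n\n"
            f"Additional Information:\n    Parameter 1:        -")

def properties(event):
    """rex + replace + makemv: the non-empty lines between 'Properties:' and 'Additional'."""
    m = PROPS_RE.search(event)
    return {ln.strip() for ln in m.group(0).splitlines() if ln.strip()} if m else set()

def detect(events):
    """stats values() by user, then where mvcount=16 and the attribute search."""
    per_user = defaultdict(set)
    for ev in events:
        if "Event ID: 4662" not in ev or not re.search(r"Accesses:\s*Read Property", ev):
            continue
        u = USER_RE.search(ev)
        if u:
            per_user[u.group(1)] |= properties(ev)
    return sorted(u for u, p in per_user.items() if len(p) == 16 and REQUIRED <= p)

# Constructed samples: the two Administrator records from the post, plus a benign read.
EVENTS = [
    record("Administrator", ["General Information", "sAMAccountType", "primaryGroupID",
                             "Account Restrictions", "userAccountControl",
                             "Public Information", "objectClass", "User"]),
    record("Administrator", ["User", "Public Information", "cn", "distinguishedName",
                             "Group Membership", "member", "General Information",
                             "primaryGroupID", "objectSid", "sAMAccountName",
                             "sAMAccountType", "dNSHostName", "dNSHostName"]),
    record("svc-backup", ["General Information", "sAMAccountType"]),
]
if __name__ == "__main__":
    print(detect(EVENTS))  # ['Administrator']
```

Note that the duplicated `dNSHostName` line collapses to one value, which is why the threshold is exactly 16 and not 17.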

 

References

 

http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html

https://blog.menasec.net/2019/02/threat-hunting-7-detecting.html
