Merge pull request #680 from splunk/zerologon_CVE-2020-1472

Detect Zerologon Attack CVE-2020-1472 Story and detections

Author: rosplk

bin/generate.py

@@ -300,7 +300,6 @@ def generate_workbench_panels(response_tasks, stories):
     output = template.render(response_tasks=workbench_panel_objects, stories=stories)
     with open(output_path, 'w') as f:
         f.write(output)
-
     j2_env = Environment(loader=FileSystemLoader(TEMPLATE_PATH),
                          trim_blocks=True)
     template = j2_env.get_template('workflow_actions.j2')
@@ -402,7 +401,7 @@ def map_response_tasks_to_stories(response_tasks):
                 for story in response_task['tags']['analytics_story']:
                     if 'type' in response_task.keys():
                         task_name = str(response_task['type'] + ' - ' + response_task['name'])
-                    else: 
+                    else:
                         task_name = str('ESCU - ' + response_task['name'])
                     if not (story in sto_res):
                         sto_res[story] = {task_name}

bin/jinja2_templates/es_investigations.j2

@@ -4,7 +4,12 @@
 label = {{ story.name }}
 description = {{ story.description }}
 disabled = 0
+
+{% if story.workbench_panels is defined %}
 panels = {{ story.workbench_panels | tojson }}
+{% else %}
+panels =
+{% endif %}
 
 {% endfor %}
 

detections/detect_computer_changed_with_anonymous_account.yml

@@ -0,0 +1,33 @@
+name: Detect Computer Changed with Anonymous Account
+id: 1400624a-d42d-484d-8843-e6753e6e3645
+version: 1
+date: '2020-09-18'
+description: This search looks for Event Code 4742 (Computer Change) or EventCode 4624 (An account was successfully logged on) with an anonymous account.
+how_to_implement: This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742.
+  We strongly recommend that you specify your environment-specific configurations
+  (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition
+  with configurations for your Splunk environment. The search also uses a post-filter
+  macro designed to filter out known false positives.
+type: ESCU
+references:
+- https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/
+author: Rod Soto, Jose Hernandez, Splunk
+search: '`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS LOGON" LogonType=3
+| stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user
+| `detect_computer_changed_with_anonymous_account_filter`'
+known_false_positives: None thus far found
+tags:
+  analytics_story:
+  - Detect Zerologon Attack
+  mitre_attack_id:
+  - T1210
+  kill_chain_phases:
+  - Actions on Objectives
+  cis20:
+  - CIS 6
+  - CIS 8
+  nist:
+  - DE.AE
+  - DE.CM
+  security_domain: endpoint
+  asset_type: Windows

detections/detect_credential_dumping_through_lsass_access.yml

@@ -25,6 +25,7 @@ known_false_positives: The activity may be legitimate. Other tools can access ls
 tags:
   analytics_story:
   - Credential Dumping
+  - Detect Zerologon Attack
   mitre_attack_id:
   - T1003.001
   kill_chain_phases:

detections/detect_mimikatz_using_loaded_images.yml

@@ -24,6 +24,7 @@ known_false_positives: Other tools can import the same DLLs. These tools should
 tags:
   analytics_story:
   - Credential Dumping
+  - Detect Zerologon Attack
   mitre_attack_id:
   - T1003.001
   kill_chain_phases:

detections/detect_zerologon_via_zeek.yml

@@ -0,0 +1,38 @@
+name: Detect Zerologon via Zeek
+id: bf7a06ec-f703-11ea-adc1-0242ac120002
+version: 1
+date: '2020-09-15'
+description: This search detects Zerologon attempts via Zeek DCE-RPC data.
+how_to_implement: You must be ingesting Zeek DCE-RPC data into Splunk.
+  Zeek data should also be getting ingested in JSON format.  We are detecting
+  when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app
+  via bro:rpc:json.  These three operations are then correlated on the Zeek UID field.
+description: This search detects attempts to run exploits for the Zerologon CVE-2020-1472 vulnerability via Zeek RPC
+type: ESCU
+references:
+- https://www.secura.com/blog/zero-logon
+- https://github.com/SecuraBV/CVE-2020-1472
+- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
+author: Shannon Davis, Splunk
+search: '`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3)
+| bin span=5m _time
+| stats values(operation) dc(operation) as opscount count(eval(operation=="NetrServerReqChallenge")) as challenge
+count(eval(operation=="NetrServerAuthenticate3")) as authcount count(eval(operation=="NetrServerPasswordSet2")) as passcount
+count as totalcount by _time,src_ip,dest_ip
+| search opscount=3 authcount>4 passcount>0
+| search `detect_zerologon_via_zeek_filter`'
+known_false_positives: unknown
+tags:
+  analytics_story:
+  - Detect Zerologon Attack
+  mitre_attack_id:
+  - T1190
+  kill_chain_phases:
+  - Exploitation
+  cis20:
+  - CIS 8
+  - CIS 11
+  nist:
+  - DE.CM
+  security_domain: network
+  asset_type: Network

macros/detect_zerologon_via_zeek_filter.yml

@@ -0,0 +1,4 @@
+definition: search *
+description: Use this macro to add additional filters
+name: detect_zerologon_via_zeek_filter
+

macros/zeek_rpc.yml

@@ -0,0 +1,4 @@
+definition: index=zeek sourcetype="zeek:rpc:json"
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environmnent.
+name: zeek_rpc

stories/detect_zerologon_attack.yml

@@ -0,0 +1,29 @@
+name: Detect Zerologon Attack
+id: 5d14a962-569e-4578-939f-f386feb63ce4
+version: 1
+date: '2020-09-18'
+description: 'Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein
+  attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack
+  is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story
+  are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz
+  as payload carrier.'
+narrative: 'This attack is a privilege escalation technique, where attacker targets a Netlogon secure channel connection to a domain controller,
+  using Netlogon Remote Protocol (MS-NRPC).
+  This vulnerability exposes vulnerable Windows Domain Controllers to be targeted via unaunthenticated RPC calls which eventually
+  reset Domain Contoller computer account ($) providing the attacker the opportunity to exfil domain controller credential secrets and
+  assign themselve high privileges that can lead to domain controller and potentially complete network takeover.
+  The detection searches in this Analytic Story use Windows Event viewer events and Sysmon events to detect attack execution, these
+  searches monitor access to the Local Security Authority Subsystem Service (LSASS) process which is an indicator of the use of Mimikatz
+  tool which has bee updated to carry this attack payload.'
+author: 'Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk'
+type: ESCU
+references:
+- https://attack.mitre.org/wiki/Technique/T1003
+- https://github.com/SecuraBV/CVE-2020-1472
+- https://www.secura.com/blog/zero-logon
+- https://nvd.nist.gov/vuln/detail/CVE-2020-1472
+tags:
+  analytics_story: Detect Zerologon Attack
+  usecase: Advanced Threat Detection
+  category:
+    - Adversary Tactics