Merge pull request #806 from splunk/misko_category_fixes_cred_extract

Fixing categories & text in Credential Extraction detections

Author: peter-cg

detections/endpoint/credential_extraction_fgdump_cachedump_s_option_ssa.yml

@@ -5,9 +5,9 @@ date: '2020-10-18'
 description: Credential extraction is often an illegal recovery of credential material 
   from secured authentication resources and repositories. This process may also involve 
   decryption or other transformations of the stored credential material. 
-  FGdump is a newer version of the pwdump tool for extracting NTLM and LanMan password hashes from Windows. 
-  Cachedump is a publicly-available tool that program extracts cached password hashes from a system's registry. 
-how_to_implement: You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with enabled command line logging.
+  FGdump is a newer version of pwdump tool that extracts NTLM and LanMan password hashes from Windows. 
+  Cachedump is a publicly-available tool that extracts cached password hashes from a system's registry. 
+how_to_implement: You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.
 references: []
 type: SSA
 author: Stanislav Miskovic, Splunk
@@ -30,20 +30,21 @@ search: ' | from read_ssa_enriched_events()
                             ucast(map_get(input_event, "dest_device_id"), "string", null)),
        body = "TBD"
 | into write_ssa_detected_events();'
-eli5: "This detection identifies one of the stages of FGdump in which CacheDump is called.
-  It may also be the case that the detected CacheDump activity is embedded in some exploit tool other than FGdump.
+eli5: "This detection identifies one of the inevitable stages of FGdump in which CacheDump is called.
+  Note, CacheDump activity may also be embedded in other exploit tools.
   For more details on FGdump stages see https://github.com/interference-security/kali-windows-binaries/tree/master/fgdump"
 known_false_positives:
-  "None"
+  "None identified."
 tags:
   cis20:
-    - CIS 8
+    - CIS 16
   kill_chain_phases:
-    - Credential Access
+    - Actions on Objectives
   mitre_technique_id:
     - T1003
   nist:
-    - PR.PT
-    - DE.CM
+    - PR.AC
+    - PR.IP
   risk_severity: high
   security_domain: endpoint
+  asset_type: Windows

detections/endpoint/credential_extraction_fgdump_cachedump_v_option_ssa.yml

@@ -5,9 +5,9 @@ date: '2020-10-18'
 description: Credential extraction is often an illegal recovery of credential material 
   from secured authentication resources and repositories. This process may also involve 
   decryption or other transformations of the stored credential material. 
-  FGdump is a newer version of the pwdump tool for extracting NTLM and LanMan password hashes from Windows. 
-  Cachedump is a publicly-available tool that program extracts cached password hashes from a system's registry. 
-how_to_implement: You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with enabled command line logging.
+  FGdump is a newer version of pwdump tool that extracts NTLM and LanMan password hashes from Windows. 
+  Cachedump is a publicly-available tool that extracts cached password hashes from a system's registry. 
+how_to_implement: You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.
 references: []
 type: SSA
 author: Stanislav Miskovic, Splunk
@@ -29,20 +29,20 @@ search: ' | from read_ssa_enriched_events()
        body = "TBD"
 | into write_ssa_detected_events();'
 eli5: "This detection identifies one of the stages of FGdump in which CacheDump is called.
-  It may also be the case that the detected CacheDump activity is embedded in some exploit tool other than FGdump.
+  Note, CacheDump activity may also be embedded in other exploit tools.
   For more details on FGdump stages see https://github.com/interference-security/kali-windows-binaries/tree/master/fgdump"
 known_false_positives:
-  "None"
+  "None identified."
 tags:
   cis20:
-    - CIS 8
+    - CIS 16
   kill_chain_phases:
-    - Credential Access
+    - Actions on Objectives
   mitre_technique_id:
     - T1003
   nist:
-    - PR.PT
-    - DE.CM
+    - PR.AC
+    - PR.IP
   risk_severity: high
   security_domain: endpoint
-
+  asset_type: Windows

detections/endpoint/credential_extraction_getaddbaccount_from_dump_ssa.yml

@@ -5,8 +5,8 @@ date: '2020-10-18'
 description: Credential extraction is often an illegal recovery of credential material 
   from secured authentication resources and repositories. This process may also involve 
   decryption or other transformations of the stored credential material. 
-  PowerSploit and DSInternals are common exploit APIs offering PowerShell modules with various exploits of Windows and Active Directory environments.
-how_to_implement: You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with enabled command line logging.
+  PowerSploit and DSInternals are common exploit APIs offering PowerShell modules for various exploits of Windows and Active Directory environments.
+how_to_implement: You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.
 references: []
 type: SSA
 author: Stanislav Miskovic, Splunk
@@ -26,17 +26,17 @@ search: ' | from read_ssa_enriched_events()
 | into write_ssa_detected_events();'
 eli5: "This detection identifies triggering of the PowerSploit or DSInternals for extraction of all accounts from a previously dumped ntds.dit credential store."
 known_false_positives:
-  "None"
+  "None identified."
 tags:
   cis20:
-    - CIS 8
+    - CIS 16
   kill_chain_phases:
-    - Credential Access
+    - Actions on Objectives
   mitre_technique_id:
     - T1003
   nist:
-    - PR.PT
-    - DE.CM
+    - PR.IP
+    - PR.AC
   risk_severity: high
   security_domain: endpoint
-
+  asset_type: Windows

detections/endpoint/credential_extraction_lazagne_command_options_ssa.yml

@@ -5,8 +5,8 @@ date: '2020-10-18'
 description: Credential extraction is often an illegal recovery of credential material 
   from secured authentication resources and repositories. This process may also involve 
   decryption or other transformations of the stored credential material. 
-  LaZagne is tool that extracts various kinds of credentials from a local computer, including account passwords, domain passwords, browser passwords, etc.
-how_to_implement: You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with enabled command line logging.
+  LaZagne is a tool that extracts various kinds of credentials from a local computer, including account passwords, domain passwords, browser passwords, etc.
+how_to_implement: You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.
 references: []
 type: SSA
 author: Stanislav Miskovic, Splunk
@@ -26,17 +26,18 @@ search: ' | from read_ssa_enriched_events()
 eli5: "This detection identifies the most common LaZagne invocation, in which it is instructed to extract all available passwords and output them to a file.
   For more details on LaZagne see https://github.com/AlessandroZ/LaZagne"
 known_false_positives:
-  "None"
+  "None identified."
 tags:
   cis20:
-    - CIS 8
+    - CIS 16
   kill_chain_phases:
-    - Credential Access
+    - Actions on Objectives
   mitre_technique_id:
     - T1003
+    - T1555
   nist:
-    - PR.PT
-    - DE.CM
+    - PR.IP
+    - PR.AC
   risk_severity: high
   security_domain: endpoint
-
+  asset_type: Windows

detections/endpoint/credential_extraction_ms_debuggers_kernel_peek.yml

@@ -7,7 +7,7 @@ description: Credential extraction is often an illegal recovery of credential ma
   decryption or other transformations of the stored credential material. 
   Native Microsoft debuggers, such as kd, ntkd, livekd and windbg, can be leveraged to read credential material directly from
   memory and process dumps.
-how_to_implement: You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with enabled command line logging.
+how_to_implement: You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.
 references: [https://medium.com/@clermont1050/covid-19-cyber-infection-c615ead7c29]
 type: SSA
 author: Stanislav Miskovic, Splunk
@@ -37,14 +37,14 @@ known_false_positives:
    Note, even for developers this is an unusual way of working on code - debuggers are mostly used to step through code, not analyze its crash dumps."
 tags:
   cis20:
-    - CIS 8
+    - CIS 16
   kill_chain_phases:
-    - Credential Access
+    - Actions on Objectives
   mitre_technique_id:
     - T1003
   nist:
-    - PR.PT
-    - DE.CM
+    - PR.IP
+    - PR.AC
   risk_severity: medium
   security_domain: endpoint
-
+  asset_type: Windows

detections/endpoint/credential_extraction_ms_debuggers_z_option.yml

@@ -7,7 +7,7 @@ description: Credential extraction is often an illegal recovery of credential ma
   decryption or other transformations of the stored credential material. 
   Native Microsoft debuggers, such as kd, ntkd, livekd and windbg, can be leveraged to read credential material directly from
   memory and process dumps.
-how_to_implement: You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with enabled command line logging.
+how_to_implement: You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.
 references: []
 type: SSA
 author: Stanislav Miskovic, Splunk
@@ -35,14 +35,14 @@ known_false_positives:
    Note, even for developers this is an unusual way of working on code - debuggers are mostly used to step through code, not analyze its crash dumps."
 tags:
   cis20:
-    - CIS 8
+    - CIS 16
   kill_chain_phases:
-    - Credential Access
+    - Actions on Objectives
   mitre_technique_id:
     - T1003
   nist:
-    - PR.PT
-    - DE.CM
+    - PR.AC
+    - PR.IP
   risk_severity: medium
   security_domain: endpoint
-
+  asset_type: Windows