valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 17:45:23 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
11df6468c4
atomic-threat-coverage/Atomic_Threat_Coverage/Detection_Rules/win_admin_share_access.md

3.9 KiB
Raw Blame History

Title Access to ADMIN$ Share
Description Detects access to $ADMIN share
ATT&CK Tactic
ATT&CK Technique
Data Needed
Trigger
Severity Level low
False Positives
  • Legitimate administrative activity
Development Status experimental
References
    Author Florian Roth

    Detection Rules

    Sigma rule

    title: Access to ADMIN$ Share
description: Detects access to $ADMIN share
tags:
    - attack.lateral_movement
    - attack.t1077
status: experimental
author: Florian Roth
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5140
        ShareName: Admin$
    filter:
        SubjectUserName: '*$'
    condition: selection and not filter
falsepositives: 
    - Legitimate administrative activity
level: low

    Kibana query

    ((EventID:"5140" AND ShareName:"Admin$") AND NOT (SubjectUserName.keyword:*$))

    X-Pack Watcher

    curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Access-to-ADMIN$-Share <<EOF\n{\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "query_string": {\n              "query": "((EventID:\\"5140\\" AND ShareName:\\"Admin$\\") AND NOT (SubjectUserName.keyword:*$))",\n              "analyze_wildcard": true\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": null,\n        "subject": "Sigma Rule \'Access to ADMIN$ Share\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n

    Graylog

    ((EventID:"5140" AND ShareName:"Admin$") AND NOT (SubjectUserName:"*$"))