
Hello again! I am back with part 2 of Building Robust Detection Capabilities. Last time we talked about how useful the SigmaHQ detection repository is and covered the main points: what SigmaHQ detections are, how they are used, and how they are formatted. This time let's get practical and write one out using logs that already exist in your environment. Content warning: this gets into the nerdy details of detection engineering, and much of it could be put to use in your environment.

Where do we start……

Well, let's start with a log that already exists in your environment and can be fed into the SIEM of your choosing with some minor work. There are several uses for Sigma detections, but I want to focus on one that is pretty general, has multiple use cases, and is near and dear to how Recon likes to use detections: a basic detection for a user being added to the Domain Admins group. You might ask, "Why would I want to know this?" Well, several reasons: to catch bad guys, to catch good guys, and maybe because you are just curious. Speaking as a senior SOC analyst who thoroughly appreciates our rockstar Security DevOps team, here is the very basic picture: we run Sysmon and LC to ship logs from endpoints to our log collection and SIEM platform (see the example pipeline picture below).

[Figure: generalized log pipeline from endpoints to the SIEM]
Behold, we have our very generic log entry, nicely formatted so we can use it as our starting point. What you will be looking at below is a simple, organic Windows Security event 4728, "A member was added to a security-enabled global group." Domain Admins is a global group, so this is the event a domain controller writes when someone is added to it; domain controllers audit Security Group Management by default, so no extra configuration is needed to get it. (The sibling events are 4732 for security-enabled local groups and 4756 for universal groups, which matter if you later extend the rule to other privileged groups.)

A member was added to a security-enabled global group.
Subject:
   Security ID:  ACME\Administrator
   Account Name:  Administrator
   Account Domain:  ACME
   Logon ID:  0x27a79
Member:
   Security ID:  ACME\gkhan
   Account Name:  CN=Ghenghis Khan,CN=Users,DC=acme,DC=local
Group:
   Security ID:  S-1-5-21-3108364787-189202583-342365621-512
   Group Name:  Domain Admins
   Group Domain:  ACME
Additional Information:
   Privileges:  -
Expiration time:  -
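To see how a Sigma rule actually matches that event, here is an added example (my own illustration, not code from the SigmaHQ repository or from Recon). The rule is written in the SigmaHQ field conventions for the windows/security logsource, where Event Viewer's "Group Name" and "Group SID" are the EventData fields TargetUserName and TargetSid and the added account is MemberName. It matches on the group name OR on the SID ending in RID 512, which is Domain Admins in every domain even if someone renames the group. The events are constructed samples (the second, third and fourth are made up to show a renamed group, a harmless group and a local-group event), and the tiny evaluator only implements the subset of Sigma syntax the rule uses: field modifiers, list-of-maps OR semantics, and an and/or/not condition without parentheses.

```python
"""Evaluate a Sigma-style rule for Windows event 4728 against sample events.

Added example, not SigmaHQ or Recon code. Field names follow the SigmaHQ
windows/security convention (TargetUserName/TargetSid = the group modified,
MemberName = the account added). All events below are constructed.
"""

# The Sigma rule, written as a dict with the same shape as the YAML file.
RULE = {
    "title": "User Added to Domain Admins",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        # 4728: "A member was added to a security-enabled global group."
        "selection_event": {"EventID": 4728},
        # A list of maps is OR'ed in Sigma: match the well-known group name,
        # or the SID. RID 512 is Domain Admins in every domain, so the SID
        # check still fires if the group was renamed to dodge the name check.
        "selection_group": [
            {"TargetUserName": "Domain Admins"},
            {"TargetSid|endswith": "-512"},
        ],
        "condition": "selection_event and selection_group",
    },
}

# Constructed sample events keyed by EventData field names (the XML view).
DOMAIN_SID = "S-1-5-21-3108364787-189202583-342365621"  # from the post


def event(event_id, member, group, group_sid):
    """Build a constructed event carrying only the fields the rule inspects."""
    return {"EventID": event_id, "SubjectUserName": "Administrator",
            "MemberName": member, "TargetUserName": group, "TargetSid": group_sid}


EVENTS = [
    # the event from the post: gkhan added to Domain Admins
    event(4728, "CN=Ghenghis Khan,CN=Users,DC=acme,DC=local", "Domain Admins", f"{DOMAIN_SID}-512"),
    # Domain Admins renamed; only the SID gives it away
    event(4728, "CN=Hannibal Barca,CN=Users,DC=acme,DC=local", "Historical Figures", f"{DOMAIN_SID}-512"),
    # an ordinary global group with a non-privileged RID: must not fire
    event(4728, "CN=Joan of Arc,CN=Users,DC=acme,DC=local", "Historical Figures", f"{DOMAIN_SID}-1108"),
    # 4732 (local group) into BUILTIN\Administrators: out of scope for this rule
    event(4732, "-", "Administrators", "S-1-5-32-544"),
]


def match_value(actual, expected, modifier=""):
    """Sigma string matching is case-insensitive; a missing field never matches."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(selection, event):
    """List of maps: OR. Fields within one map: AND. List of values: OR."""
    if isinstance(selection, list):
        return any(match_selection(s, event) for s in selection)
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(match_value(event.get(field), v, modifier) for v in values):
            return False
    return True


def evaluate_condition(condition, selections, event):
    """Sigma precedence is not > and > or; parentheses are not handled here."""
    def term(token):
        negate = token.startswith("not ")
        name = token[4:].strip() if negate else token
        hit = match_selection(selections[name], event)
        return not hit if negate else hit
    return any(all(term(t.strip()) for t in clause.split(" and "))
               for clause in condition.split(" or "))


def run_rule(rule, events):
    """Return the events the rule's condition selects."""
    detection = rule["detection"]
    selections = {k: v for k, v in detection.items() if k != "condition"}
    return [e for e in events
            if evaluate_condition(detection["condition"], selections, e)]


if __name__ == "__main__":
    for hit in run_rule(RULE, EVENTS):
        print(f"{RULE['title']}: {hit['MemberName']} -> "
              f"{hit['TargetUserName']} ({hit['TargetSid']})")
```

Running it flags the first two events and ignores the other two. In practice you would not evaluate Sigma yourself; you would convert the YAML with the Sigma tooling into your SIEM's query language. The point of the toy evaluator is the matching semantics: a rule that only checks `TargetUserName: 'Domain Admins'` misses the renamed group, while the SID check does not, and neither fires on a routine group change or on a local-group event that needs its own rule.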