[New] Untrusted DLL Loaded by Azure AD Sync Service (#4151)

Samirbous · github-actions[bot] · commit acc2d51a7d0a · 2024-10-14T17:09:23.000Z
* Create credential_access_imageload_azureadconnectauthsvc.toml * Update credential_access_imageload_azureadconnectauthsvc.toml * Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit 8404d41)
diff --git a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
@@ -0,0 +1,68 @@
+[metadata]
+creation_date = "2024/10/14"
+integration = ["endpoint", "windows"]
+maturity = "production"
+updated_date = "2024/10/14"
+
+[rule]
+author = ["Elastic", "Matteo Potito Giorgio"]
+description = """
+Identifies the load of a DLL without a valid code signature by the Azure AD Sync process, which may indicate an attempt
+to persist or collect sensitive credentials passing through the Azure AD synchronization server.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.library*", "logs-windows.sysmon_operational-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Untrusted DLL Loaded by Azure AD Sync Service"
+references = [
+"https://blog.xpnsec.com/azuread-connect-for-redteam/",
+"https://medium.com/@breakingmhet/detect-azure-pass-through-authentication-abuse-azure-hybrid-environments-ed4274784252",
+"https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-pass-through-authentication"
+]
+risk_score = 73
+rule_id = "f909075d-afc7-42d7-b399-600b94352fd9"
+severity = "high"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and process.name : "AzureADConnectAuthenticationAgentService.exe" and 
+(
+ (event.category == "library" and event.action == "load") or 
+ (event.category == "process" and event.action : "Image loaded*")
+) and 
+
+not (?dll.code_signature.trusted == true or file.code_signature.status == "Valid") and not 
+
+  (
+   /* Elastic defend DLL path */
+   ?dll.path :
+         ("?:\\Windows\\assembly\\NativeImages*",
+          "?:\\Windows\\Microsoft.NET\\*",
+          "?:\\Windows\\WinSxS\\*",
+          "?:\\Windows\\System32\\DriverStore\\FileRepository\\*") or 
+          
+   /* Sysmon DLL path is mapped to file.path */
+   file.path :
+         ("?:\\Windows\\assembly\\NativeImages*",
+          "?:\\Windows\\Microsoft.NET\\*",
+          "?:\\Windows\\WinSxS\\*",
+          "?:\\Windows\\System32\\DriverStore\\FileRepository\\*")
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
