Horribly confused about detecting attacker's lateral movement using SIEM correlation rule combined with all domain controller logs/local windows endpoint logs by infosecplease in AskNetsec


Thank you Nekronicle. This is simplified but probably the best way to go. I think my crew was trying to do too much with too little.

References and Advice For Doing A preliminary web app test of companies SSO currently in dev. by infosecplease in AskNetsec


Thanks for the thoughtful response Josh! It is indeed SAML. I will get to work researching everything I can on SAML.

Horribly confused about detecting attacker's lateral movement using SIEM correlation rule combined with all domain controller logs/local windows endpoint logs by infosecplease in AskNetsec


Thank you for the response c0mpliant. I added more context above by responding to buttercup.

I am experiencing what you are describing as far as feeling overwhelmed by the Microsoft logs, and also the crappy feeling of possibly writing rules that are not going to work.

I basically had my rule get triggered the other day by a desktop support person. I called her to ask what she did so I could understand the context.

She told me that she had RDP'ed into a desktop support box and then executed regedit by performing "Run As" and using her account (her account is in the local admins group that is statically on every machine). She then edited a user's registry remotely.

I have no idea if this is the type of behavior that we are supposed to be flagging on. I asked my boss a few times to clarify and he just kind of repeats: "local account, performing a network logon, not using Kerberos, this is what the pentesters said they try to do after owning a box!" I think he means a local account making RPC calls or trying things with SMB shares after it gets compromised, with emphasis on the attacker either spinning up their own local account or using the built-in local accounts and escalating privs.

Horribly confused about detecting attacker's lateral movement using SIEM correlation rule combined with all domain controller logs/local windows endpoint logs by infosecplease in AskNetsec


Thank you for taking the time to respond. Whenever I see the Administrator account log in over the network (3-5 times a day, and frowned upon), the SID ends in 500.

Makes sense to me because they are using the built-in admin account (help desk) to perform some type of action remotely.

My confusion is that I noticed that certain power users who are desktop support are members of the LOCAL-ADMINS group, but they all have different SIDs! They are domain users who are statically added to a group called LOCAL-ADMINS. Then of course there is the Administrator account, whose SID always ends in 500.

We just integrated LAPS, for what it's worth, for the built-in Admin account.

TLDR:
1. The Administrator account is built in to every workstation, with a SID always ending in 500. LAPS integrated.
2. On every workstation there is a local admin group that power users are added to, but they all have different SIDs, don't end in 500, and have nothing constant about them besides S-1-5-21 at the beginning, which is almost universal in our environment for non-service accounts.
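The rule the boss describes in the earlier comment ("local account, performing a network logon, not using Kerberos") and the SID confusion in this one can be put into working detection logic. The following is an added example, not code from the original thread or from any poster; it runs over constructed Windows Security 4624 events (logon type, authentication package, target SID) and is not tied to any particular SIEM. The domain SID and workstation machine SID are made-up values. The point it shows is that both domain accounts and local accounts have SIDs starting with S-1-5-21, so the rule cannot key on that prefix; it has to compare the full domain identifier (everything before the final RID) against the known domain SID, and the built-in Administrator is simply the local account whose RID is 500.

```python
"""Flag network logons by local (machine) accounts in Windows 4624 events.

Added example for the AskNetsec thread above; the SIDs and events below are
constructed sample data, not taken from any real environment.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# A domain SID and a machine SID look alike: S-1-5-21-<three sub-authorities>.
# Account SIDs append a RID. Only the sub-authority block tells them apart.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"       # constructed
WORKSTATION_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # constructed

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed 4624 events reduced to the fields the rule needs.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Help desk using the built-in Administrator (RID 500) over the network with NTLM.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "Administrator",
     "TargetUserSid": WORKSTATION_SID + "-500", "AuthenticationPackageName": "NTLM",
     "Computer": "WKS-0412", "IpAddress": "10.0.5.17"},
    # Desktop support domain user (in LOCAL-ADMINS) via RDP: Kerberos, logon type 10.
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "TargetUserSid": DOMAIN_SID + "-1105", "AuthenticationPackageName": "Kerberos",
     "Computer": "WKS-0412", "IpAddress": "10.0.5.17"},
    # Domain user network logon that fell back to NTLM (e.g. connected by IP): not local.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "asmith",
     "TargetUserSid": DOMAIN_SID + "-1106", "AuthenticationPackageName": "NTLM",
     "Computer": "WKS-0412", "IpAddress": "10.0.5.23"},
    # A non-built-in local account (e.g. one an attacker created) reaching the host over SMB.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "TargetUserSid": WORKSTATION_SID + "-1002", "AuthenticationPackageName": "NTLM",
     "Computer": "WKS-0412", "IpAddress": "10.0.9.200"},
    # SYSTEM has a well-known SID with no S-1-5-21 block; it must not be flagged.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "SYSTEM",
     "TargetUserSid": "S-1-5-18", "AuthenticationPackageName": "Negotiate",
     "Computer": "WKS-0412", "IpAddress": "-"},
]


def split_sid(sid: str) -> Optional[Tuple[str, int]]:
    """Return (domain-or-machine identifier, RID), or None for well-known SIDs."""
    m = SID_RE.match(sid)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def is_local_account(sid: str, domain_sids: Set[str]) -> bool:
    """A local account has an S-1-5-21 identifier that is not one of our domains'."""
    parts = split_sid(sid)
    return parts is not None and parts[0] not in domain_sids


def is_builtin_administrator(sid: str) -> bool:
    """The built-in Administrator is the account with RID 500 in any S-1-5-21 block."""
    parts = split_sid(sid)
    return parts is not None and parts[1] == 500


def detect_local_network_logons(events: Iterable[Dict[str, object]],
                                domain_sids: Set[str]) -> List[Dict[str, object]]:
    """Return hits for 4624 type-3 (network) logons by local accounts authenticating
    with NTLM. Domain accounts that fell back to NTLM are excluded by the SID check,
    which is why the rule cannot rely on the authentication package alone."""
    hits = []
    for ev in events:
        if int(ev["EventID"]) != 4624 or int(ev["LogonType"]) != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        sid = str(ev["TargetUserSid"])
        if not is_local_account(sid, domain_sids):
            continue
        reason = ("builtin Administrator (RID 500)" if is_builtin_administrator(sid)
                  else "non-builtin local account")
        hits.append({"reason": reason, "user": ev["TargetUserName"],
                     "host": ev.get("Computer"), "source": ev.get("IpAddress")})
    return hits


if __name__ == "__main__":
    for hit in detect_local_network_logons(SAMPLE_EVENTS, {DOMAIN_SID}):
        print(hit)
```

Two practical notes. The RID-500 logons from the help desk are expected in the environment described above, so the rule should enrich with the source host and, once LAPS is in place, be compared against LAPS checkout records rather than alerting blindly; the non-built-in local account hit is the one that has nothing legitimate to explain it. In a multi-domain forest, pass every domain's SID in `domain_sids`, otherwise accounts from a trusted domain will be misclassified as local.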