BIOC_PingCastle_ADCS_scanning.bioc
853cebc76865cb88de26d165fba901c5
[{"rule_id":542,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1670590326287,"modify_time":1670591050090,"severity":"SEV_030_MEDIUM","source":"frank.bussink@scrt.ch","comment":"Probably PingCastle","status":"ENABLED","category":"RECONNAISSANCE","indicator":{"runOnCGO":true,"investigationType":"WINDOWS_EVENT_LOG","investigation":{"WINDOWS_EVENT_LOG":{"filter":{"AND":[{"SEARCH_FIELD":"action_evtlog_data_fields","SEARCH_TYPE":"REGEX","SEARCH_VALUE":"certificateTemplates","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"},{"OR":[{"SEARCH_FIELD":"actor_process_image_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"Microsoft.ActiveDirectory.WebServices.exe","EXTRA_FIELDS":["causality_actor_process_image_name","os_actor_process_image_name"],"isExtended":false,"node":"xdr_actor"},{"SEARCH_FIELD":"causality_actor_process_image_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"Microsoft.ActiveDirectory.WebServices.exe","isExtended":true,"node":"xdr_actor"},{"SEARCH_FIELD":"os_actor_process_image_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"Microsoft.ActiveDirectory.WebServices.exe","isExtended":true,"node":"xdr_actor"}]},{"SEARCH_FIELD":"action_evtlog_event_id","SEARCH_TYPE":"EQ","SEARCH_VALUE":"30","EXTRA_FIELDS":[],"isExtended":false}]}}}},"indicator_md5":"725628dc77b3f1e3f9788d48ebfbb532","indicator_text":"Event Log event log raw data =~ certificateTemplates AND event log id = 30 Process initiated by = Microsoft.ActiveDirectory.WebServices.exe, cgo name = Microsoft.ActiveDirectory.WebServices.exe, os parent name = Microsoft.ActiveDirectory.WebServices.exe","name":"ADCS querying information via ADWS (PingCastle ?)","mitre_technique_id_and_name":"T1018 - Remote System Discovery","mitre_tactic_id_and_name":"","mitre_tactic_id":"","mitre_technique_id":"T1018","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"ADCS querying information via ADWS (PingCastle ?)","tactic_id":[],"technique_id":["T1018"],"biocRuleName":"ADCS querying information via ADWS (PingCastle ?)","biocId":542,"additionalData":"{}"}}},"rule_data":"(deftemplate log_event_542 (slot cid)) (defrule log_event_542 (process_start (cid ?cid) (instance_id ?parent_instance_id) (process_image_name ?act_process_image_name &: (eq ?act_process_image_name \"microsoft.activedirectory.webservices.exe\"))) (log_event (raw_data_fields ?raw_data_fields) (instance_id ?os_act_parent_instance_id) (actor_instance_id ?act_parent_instance_id) (cid ?cid) (log_event_id ?log_event_id &: (and (regex ?raw_data_fields \"certificatetemplates\" 0) (and (eq ?act_process_image_name \"microsoft.activedirectory.webservices.exe\") (eq ?act_parent_instance_id ?parent_instance_id)) (eq ?log_event_id 30)))) (not (log_event_542 (cid ?cid))) => (assert (log_event_542 (cid ?cid))))"}},"btp_rule_name":"log_event_542","is_preventable":1,"supported_os":1,"btp_validation_error":"WINDOWS_SUPPORT_ONLY","xql":null,"is_xql":false,"query_tables":null,"rule_indicator_last_modified_ts":1670591024402}]