T1210-win-检测到匿名计算机账户更改的使用
来自ATT&CK的描述
攻击者一旦进入网络,便可能利用远程服务获得对内部系统的未授权访问。当攻击者利用程序,服务或操作系统软件或内核本身内的编程错误来执行攻击者控制的代码时,就会利用软件漏洞。建立立足点后利用远程服务的目标是横向移动以实现对远程系统的访问。
攻击者可能需要确定远程系统是否处于易受攻击状态,这可以通过网络服务扫描或其他发现方法来完成,以寻找在网络中部署的常见易受攻击软件,检测或包含远程利用的漏洞或安全软件。服务器可能是横向移动中的高价值目标,但是如果端点系统提供访问其他资源的方式,则端点系统也可能处于危险之中。
常见服务(例如SMB和RDP)以及可能在内部网络(例如MySQL)和Web服务器服务中使用的应用程序中存在多个众所周知的漏洞。
根据易受攻击的远程服务的权限级别,攻击者也可能由于横向移动利用而实现对特权升级的利用。
测试案例
参考资料如下:
https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/
检测日志
windows安全日志
测试复现
暂无
测试留痕
暂无,仅提供检测规则相关的日志示例
windows server 2016/win10
EventID:4742
A computer account was changed.
Subject:
Security ID: ACME\Administrator
Account Name: Administrator
Account Domain: ACME
Logon ID: 0x27a79
Computer Account That Was Changed:
Security ID: S-1-5-21-3108364787-189202583-342365621-1109
Account Name: WS2321$
Account Domain: ACME
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: -
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: 0x85
New UAC Value: 0x84
User Account Control:
Account Enabled
User Parameters: -
SID History: -
Logon Hours: -
DNS Host Name: -
Service Principal Names: -
Additional Information:
Privileges: -
EventID:4624
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: DESKTOP-LLHJ389$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 7
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: AzureAD\RandyFranklinSmith
Account Name: [email protected]
Account Domain: AzureAD
Logon ID: 0xFD5113F
Linked Logon ID: 0xFD5112A
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x30c
Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: DESKTOP-LLHJ389
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Negotiat
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
检测规则/思路
sigma规则
title: 检测到匿名计算机账户更改的使用
description: 通过windows安全日志,检测匿名用户更改的使用。
tags: T1210
status: experimental
references:
- https://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
logsource:
product: windows
service: security
detection:
selection:
EventID:
- “4742”
- “4624”
Account Name: “ANONYMOUSLOGON”
Logon Type: 3
condition: selection
level: medium
建议
此搜索需要启用审核计算机帐户管理在系统上生成事件ID4742。我们强烈建议您指定特定于环境的配置(索引,源,源类型等)Windows事件日志。
相关TIP
[[T1210-win-异常的SMB链接行为]]
参考推荐
MITRE-ATT&CK-T1210
https://attack.mitre.org/techniques/T1210
检测到匿名计算机账户更改的使用