跳转至

T1210-win-检测到匿名计算机账户更改的使用

来自ATT&CK的描述

攻击者一旦进入网络,便可能利用远程服务获得对内部系统的未授权访问。当攻击者利用程序,服务或操作系统软件或内核本身内的编程错误来执行攻击者控制的代码时,就会利用软件漏洞。建立立足点后利用远程服务的目标是横向移动以实现对远程系统的访问。

攻击者可能需要确定远程系统是否处于易受攻击状态,这可以通过网络服务扫描或其他发现方法来完成,以寻找在网络中部署的常见易受攻击软件,检测或包含远程利用的漏洞或安全软件。服务器可能是横向移动中的高价值目标,但是如果端点系统提供访问其他资源的方式,则端点系统也可能处于危险之中。

常见服务(例如SMB和RDP)以及可能在内部网络(例如MySQL)和Web服务器服务中使用的应用程序中存在多个众所周知的漏洞。

根据易受攻击的远程服务的权限级别,攻击者也可能由于横向移动利用而实现对特权升级的利用。

测试案例

参考资料如下:

https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/

检测日志

windows安全日志

测试复现

暂无

测试留痕

暂无,仅提供检测规则相关的日志示例

windows server 2016/win10

EventID:4742

A computer account was changed.

Subject:

Security ID:  ACME\Administrator
Account Name:  Administrator
Account Domain:  ACME
Logon ID:  0x27a79

Computer Account That Was Changed:

Security ID:  S-1-5-21-3108364787-189202583-342365621-1109
Account Name:  WS2321$
Account Domain:  ACME


Changed Attributes:

SAM Account Name: -
Display Name:  -
User Principal Name: -
Home Directory:  -
Home Drive:  -
Script Path:  -
Profile Path:  -
User Workstations: -
Password Last Set: -
Account Expires:  -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value:  0x85
New UAC Value:  0x84
User Account Control: 
Account Enabled
User Parameters: -
SID History:  -
Logon Hours:  -
DNS Host Name:  -
Service Principal Names: -

Additional Information:

Privileges:  -

EventID:4624

An account was successfully logged on.

Subject:
    Security ID: SYSTEM
    Account Name: DESKTOP-LLHJ389$
    Account Domain: WORKGROUP
    Logon ID: 0x3E7

Logon Information:
    Logon Type: 7
    Restricted Admin Mode: -
    Virtual Account: No
    Elevated Token: No

Impersonation Level: Impersonation

New Logon:
    Security ID: AzureAD\RandyFranklinSmith
    Account Name: [email protected]
    Account Domain: AzureAD
    Logon ID: 0xFD5113F
    Linked Logon ID: 0xFD5112A
    Network Account Name: -
    Network Account Domain: -
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID: 0x30c
    Process Name: C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name: DESKTOP-LLHJ389
    Source Network Address: -
    Source Port: -

Detailed Authentication Information:
    Logon Process: Negotiat
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

检测规则/思路

sigma规则

title: 检测到匿名计算机账户更改的使用
description: 通过windows安全日志,检测匿名用户更改的使用。
tags: T1210
status: experimental
references:
    - https://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 
             - “4742”
             - “4624”
        Account Name: “ANONYMOUSLOGON”
        Logon Type: 3

    condition: selection
level: medium

建议

此搜索需要启用审核计算机帐户管理在系统上生成事件ID4742。我们强烈建议您指定特定于环境的配置(索引,源,源类型等)Windows事件日志。

相关TIP

[[T1210-win-异常的SMB链接行为]]

参考推荐

MITRE-ATT&CK-T1210

https://attack.mitre.org/techniques/T1210

检测到匿名计算机账户更改的使用

https://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_computer_changed_with_anonymous_account.yml