ID | Technique | Tactic |
---|---|---|
T1484 | Domain or Tenant Policy Modification | Defense Evasion |
T1098 | Account Manipulation | Privilege Escalation |
Detection: Windows AD Self DACL Assignment
Description
Detect when a user creates a new DACL in AD for their own AD object.
Search
1`wineventlog_security` EventCode=5136
2| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
3| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
4| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
5| mvexpand new_ace
6| where NOT new_ace IN (old_values)
7| rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);(?P<aceInheritedTypeGuid>.*?);(?P<aceSid>.*?)$"
8| rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})"
9| rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})"
10| lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType
11| lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value
12| lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value
13| lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights ``` Optional SID resolution lookups
14| lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user
15| lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ```
16| lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group
17| eval aceType=coalesce(ace_type_value,aceType), aceInheritance=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=if((ControlAccessRights="Write member" OR aceObjectGuid="bf9679c0-0de6-11d0-a285-00aa003049e2") AND (aceAccessRights="All validated writes" OR AccessRights="SW"),"Add/remove self as member",coalesce(ControlAccessRights,aceObjectGuid)), user=coalesce(user, group, builtin_group, aceSid)
18| stats values(aceType) as aceType values(aceInheritance) as aceInheritance values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID
19| eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
20| rex field=user "\\\(?P<nt_user>.*?)$"
21| where lower(src_user)=lower(nt_user)
22| `windows_ad_self_dacl_assignment_filter`
Data Source
No data sources specified for this detection.
Macros Used
Name | Value |
---|---|
wineventlog_security | eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security |
windows_ad_self_dacl_assignment_filter | search * |
windows_ad_self_dacl_assignment_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
KillChainPhase.EXPLOITAITON
KillChainPhase.INSTALLATION
NistCategory.DE_CM
Cis18Value.CIS_10
HAFNIUM
Lazarus Group
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0.
Known False Positives
Unknown
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
$src_user$ has created a DACL on $ObjectDN$ to grant themselves $aceControlAccessRights$ across $aceAccessRights$ | 80 | 80 | 100 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Integration | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2