Windows AD Self DACL Assignment

Try in Splunk Security Cloud

Description

Detect when a user creates a new DACL in AD for their own AD object.

• Type: TTP

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2023-12-18
• Author: Dean Luxton
• ID: 16132445-da9f-4d03-ad44-56d717dcd67d

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1484	Domain or Tenant Policy Modification	Defense Evasion, Privilege Escalation

T1098

Account Manipulation

Persistence, Privilege Escalation

Kill Chain Phase

• Exploitation
• Installation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

`wineventlog_security` EventCode=5136  
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId  
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"  
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"  
| mvexpand new_ace  
| where NOT new_ace IN (old_values)  
| rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);(?P<aceInheritedTypeGuid>.*?);(?P<aceSid>.*?)$"  
| rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})"  
| rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})"  
| lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType  
| lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value  
| lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value  
| lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights ``` Optional SID resolution lookups  
| lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user  
| lookup admon_groups_def objectSid as aceSid OUTPUT cn as group  ``` 
| lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group  
| eval aceType=coalesce(ace_type_value,aceType), aceInheritance=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=if((ControlAccessRights="Write member" OR aceObjectGuid="bf9679c0-0de6-11d0-a285-00aa003049e2") AND (aceAccessRights="All validated writes" OR AccessRights="SW"),"Add/remove self as member",coalesce(ControlAccessRights,aceObjectGuid)), user=coalesce(user, group, builtin_group, aceSid)  
| stats values(aceType) as aceType values(aceInheritance) as aceInheritance values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID  
| eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights') 
| rex field=user "\\\(?P<nt_user>.*?)$" 
| where lower(src_user)=lower(nt_user) 
| `windows_ad_self_dacl_assignment_filter`

Macros

The SPL above uses the following Macros:

• wineventlog_security

windows_ad_self_dacl_assignment_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Lookups

The SPL above uses the following Lookups:

• ace_access_rights_lookup with data
• ace_flag_lookup with data
• ace_type_lookup with data
• builtin_groups_lookup with data
• msad_guid_lookup with data

Required fields

List of fields required to use this analytic.

• _time
• OperationType
• ObjectDN
• OpCorrelationID
• src_user
• AttributeLDAPDisplayName
• AttributeValue
• ObjectClass
• SubjectLogonId
• DSName

How To Implement

Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0.

Known False Positives

Unknown

Associated Analytic Story

• Sneaky Active Directory Persistence Tricks

RBA

Risk Score	Impact	Confidence	Message
80.0	80	100	$src_user$ has created a DACL on $ObjectDN$ to grant themselves $aceControlAccessRights$ across $aceAccessRights$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1