Windows AD Dangerous Deny ACL Modification
Description
This detection identifies an Active Directory access-control list (ACL) modification event, which applies permissions that deny the ability to enumerate permissions of the object.
- Type: TTP
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-11-21
- Author: Dean Luxton
- ID: 8e897153-2ebd-4cb2-85d3-09ad57db2fb7
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
`wineventlog_security` EventCode=5136
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
| mvexpand new_ace
| where NOT new_ace IN (old_values)
| rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);(?P<aceInheritedTypeGuid>.*?);(?P<aceSid>.*?)$"
| rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})"
| rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})"
| lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights
| lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value
| lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType
| lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups
| lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user
| lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ```
| lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group
| eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid)
| stats values(aceType) as aceType values(aceFlags) as aceFlags values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID
| eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
| search aceType IN ("Access denied",D) AND aceAccessRights IN ("Full control","Read permissions",RC)
| `windows_ad_dangerous_deny_acl_modification_filter`
Macros
The SPL above uses the following Macros:
windows_ad_dangerous_deny_acl_modification_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Lookups
The SPL above uses the following Lookups:
- ace_access_rights_lookup with data
- ace_flag_lookup with data
- ace_type_lookup with data
- builtin_groups_lookup with data
- msad_guid_lookup with data
Required fields
List of fields required to use this analytic.
- _time
- OperationType
- ObjectDN
- OpCorrelationID
- src_user
- AttributeLDAPDisplayName
- AttributeValue
- ObjectClass
- SubjectLogonId
- DSName
How To Implement
Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0.
Known False Positives
None.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
100.0 | 100 | 100 | $src_user$ has added ACL rights to deny $user$ $aceControlAccessRights$ $aceAccessRights$ to $ObjectDN$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://happycamper84.medium.com/sneaky-persistence-via-hidden-objects-in-ad-1c91fc37bf54
- https://www.youtube.com/watch?v=_nGpZ1ydzS8
- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1