| ID | Technique | Tactic |
|---|---|---|
| T1484 | Domain or Tenant Policy Modification | Defense Evasion |
| T1207 | Rogue Domain Controller | Privilege Escalation |
| T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
Detection: Windows AD DCShadow Privileges ACL Addition
Description
This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack.
Search
1`wineventlog_security` EventCode=5136 ObjectClass=domainDNS
2| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
3| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
4| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
5| mvexpand new_ace
6| where NOT new_ace IN (old_values)
7| rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);;(?P<aceSid>.*?)$"
8| search aceObjectGuid IN ("9923a32a-3607-11d2-b9be-0000f87a36b2","1131f6ab-9c07-11d1-f79f-00c04fc2dcd2","1131f6ac-9c07-11d1-f79f-00c04fc2dcd2")
9| rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})"
10| rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})"
11| lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights
12| lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value
13| lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value
14| lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups
15| lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user
16| lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ```
17| lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group
18| eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid)
19| stats min(_time) as _time values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user user
20| search (aceControlAccessRights="Add/Remove Replica In Domain" AND aceControlAccessRights="Manage Replication Topology" AND aceControlAccessRights="Replication Synchronization") OR (aceControlAccessRights="9923a32a-3607-11d2-b9be-0000f87a36b2" AND aceControlAccessRights="1131f6ab-9c07-11d1-f79f-00c04fc2dcd2" AND aceControlAccessRights="1131f6ac-9c07-11d1-f79f-00c04fc2dcd2")
21| `windows_ad_dcshadow_privileges_acl_addition_filter`
Data Source
No data sources specified for this detection.
Macros Used
| Name | Value |
|---|---|
| wineventlog_security | eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security |
| windows_ad_dcshadow_privileges_acl_addition_filter | search * |
windows_ad_dcshadow_privileges_acl_addition_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.EXPLOITAITON
NistCategory.DE_CM
Cis18Value.CIS_10
Wizard Spider
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0.
Known False Positives
Unknown
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| ACL modification Event Initiated by $src_user$ applying $user$ the minimum required extended rights to perform a DCShadow attack. | 100 | 100 | 100 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
-
https://www.labofapenetrationtester.com/2018/04/dcshadow.html
-
https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1
-
https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2