| ID | Technique | Tactic |
|---|---|---|
| T1484 | Domain or Tenant Policy Modification | Defense Evasion |
| T1098 | Account Manipulation | Privilege Escalation |

# Detection: Windows AD Self DACL Assignment

### Description

Detects when a user adds a new DACL entry (ACE) to an Active Directory object that grants rights to the user's own account.

### Search
````
`wineventlog_security` EventCode=5136
| stats min(_time) as _time
    values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value
    values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value
    values(OperationType) as OperationType
    by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId dest
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
| mvexpand new_ace
| where NOT new_ace IN (old_values)
| rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);(?P<aceInheritedTypeGuid>.*?);(?P<aceSid>.*?)$"
| rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})"
| rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})"
| lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType
| lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value
| lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value
| lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights
``` Optional SID resolution lookups ```
| lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user
| lookup admon_groups_def objectSid as aceSid OUTPUT cn as group
| lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group
| eval aceType = coalesce(ace_type_value, aceType),
    aceInheritance = coalesce(ace_flag_value, "This object only"),
    aceAccessRights = if(aceAccessRights = "CCDCLCSWRPWPDTLOCRSDRCWDWO", "Full control", coalesce(access_rights_value, AccessRights)),
    aceControlAccessRights = if((ControlAccessRights = "Write member" OR aceObjectGuid = "bf9679c0-0de6-11d0-a285-00aa003049e2") AND (aceAccessRights = "All validated writes" OR AccessRights = "SW"), "Add/remove self as member", coalesce(ControlAccessRights, aceObjectGuid)),
    user = coalesce(user, group, builtin_group, aceSid)
| stats values(aceType) as aceType values(aceInheritance) as aceInheritance values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid
    by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID dest
| eval aceControlAccessRights = if(mvcount(aceControlAccessRights) = 1 AND aceControlAccessRights = "", "All rights", 'aceControlAccessRights')
| rex field=user "\\(?P<nt_user>.*?)$"
| where lower(src_user)=lower(nt_user)
| `windows_ad_self_dacl_assignment_filter`
````
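The core of the search is a diff of the SDDL ACE lists carried in the 5136 "Value Deleted" and "Value Added" attribute values, followed by a check that the trustee of each new ACE is the account that made the change. The following Python models that logic outside Splunk so the pipeline can be tested against a sample event; it is an added example, not code from the security_content project, and the descriptor values, SID map and rights abbreviations it uses are constructed for illustration (the lookups on the page are replaced by small inline dictionaries).

```python
import re

# Constructed sample: the old and new nTSecurityDescriptor values (SDDL) from an
# event 5136 pair on a group object. The new value carries one extra ACE.
OLD_SD = "O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
NEW_SD = OLD_SD + "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1105)"
# Constructed SID-to-account map standing in for the identity lookups in the search.
SID_TO_USER = {"S-1-5-21-1-2-3-1105": "CORP\\jsmith"}

ACE_RE = re.compile(r"\(([^)]*)\)")
FULL_CONTROL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"
WRITE_MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # 'member' attribute GUID used by the search
ACE_TYPE = {"A": "Access allowed", "D": "Access denied",
            "OA": "Object access allowed", "OD": "Object access denied"}
RIGHTS = {"RP": "Read property", "WP": "Write property", "SW": "All validated writes",
          "WD": "Write DAC", "WO": "Write owner", "CR": "Control access", "GA": "Generic all",
          "LC": "List children", "LO": "List object", "RC": "Read control"}


def added_aces(old_sd, new_sd):
    """ACEs in the new descriptor absent from the old one (the search's NOT new_ace IN (old_values))."""
    old = set(ACE_RE.findall(old_sd))
    return [ace for ace in ACE_RE.findall(new_sd) if ace not in old]


def decode_ace(ace):
    """Split one SDDL ACE into the fields the search's rex commands extract, then resolve them."""
    ace_type, _flags, rights, obj_guid, _inherit_guid, sid = ace.split(";", 5)
    if rights == FULL_CONTROL:
        access = ["Full control"]
    else:
        access = [RIGHTS.get(r, r) for r in re.findall(r"[A-Z]{2}", rights)]
    if obj_guid.lower() == WRITE_MEMBER_GUID and "SW" in rights:
        control = "Add/remove self as member"
    else:
        control = obj_guid or "All rights"  # empty object GUID: the ACE is not scoped to one attribute
    return {"type": ACE_TYPE.get(ace_type, ace_type), "rights": access, "control": control, "sid": sid}


def self_dacl_assignments(src_user, old_sd, new_sd, sid_to_user=SID_TO_USER):
    """Return the newly added ACEs whose trustee resolves to the account that made the change."""
    hits = []
    for ace in added_aces(old_sd, new_sd):
        entry = decode_ace(ace)
        account = sid_to_user.get(entry["sid"], entry["sid"])
        nt_user = account.rsplit("\\", 1)[-1]  # DOMAIN\user -> user, as the search's final rex does
        if nt_user.lower() == src_user.lower():
            hits.append(dict(entry, user=account))
    return hits
```

With the sample above, `self_dacl_assignments("jsmith", OLD_SD, NEW_SD)` returns the single ACE that grants CORP\jsmith "Add/remove self as member", while a change made by any other account returns nothing.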

### Data Source

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| [Windows Event Log Security 5136](/sources/7ba3737e-231e-455d-824e-cd077749f835) | [Windows](/platform/windows) | `XmlWinEventLog` | `XmlWinEventLog:Security` |

### Macros Used

| Name | Value |
|------|-------|
| [wineventlog_security](https://github.com/splunk/security_content/blob/develop/macros/wineventlog_security.yml) | `eventtype="wineventlog_security" OR Channel="security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:Security"` |
| windows_ad_self_dacl_assignment_filter | `search *` |

`windows_ad_self_dacl_assignment_filter` is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

### Annotations

| MITRE ATT&CK | Kill Chain Phases | NIST | CIS | Threat Actors |
|--------------|-------------------|------|-----|---------------|
| T1484, T1098 | Exploitation, Installation | DE.CM | CIS 10 | |

### Default Configuration
<a name="default-configuration"></a>

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

| Setting | Value |
|---------|-------|
| Disabled | true |
| Cron Schedule | `0 * * * *` |
| Earliest Time | `-70m@m` |
| Latest Time | `-10m@m` |
| Schedule Window | `auto` |
| Creates Notable | Yes |
| Rule Title | `%name%` |
| Rule Description | `%description%` |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

### Implementation

Ensure you are ingesting Active Directory audit logs, specifically event 5136. See the Lantern article in the references for details on how to onboard AD audit data. Ensure the `wineventlog_security` macro is configured with the correct indexes, and include the lookups for SID resolution if `evt_resolve_ad_obj` is set to 0.

### Known False Positives

Unknown

### Associated Analytic Story

* [Sneaky Active Directory Persistence Tricks](/stories/sneaky_active_directory_persistence_tricks/)

### Risk Based Analytics (RBA)

##### Risk Message:
> $user$ has created a DACL on $ObjectDN$ to grant themselves $aceControlAccessRights$ across $aceAccessRights$

| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|-------------|------------------|------------|----------------|
| user | user | 80 | No Threat Objects |

### References

* https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory

### Detection Testing

| Test Type | Status | Dataset | Source | Sourcetype |
| --------- | ------ | ------- | ------ | ---------- |
| Validation | ✅ [Passing](https://github.com/splunk/security_content/actions/workflows/build.yml) | N/A | N/A | N/A |
| Unit | ✅ [Passing](https://github.com/splunk/security_content/actions/workflows/build.yml) | [Dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log) | `XmlWinEventLog:Security` | `XmlWinEventLog` |
| Integration | ✅ Passing | [Dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log) | `XmlWinEventLog:Security` | `XmlWinEventLog` |

Replay any dataset to Splunk Enterprise by using our [`replay.py`](https://github.com/splunk/attack_data#using-replaypy) tool or the [UI](https://github.com/splunk/attack_data#using-ui).
Alternatively, you can replay a dataset into a [Splunk Attack Range](https://github.com/splunk/attack_range#replay-dumps-into-attack-range-splunk-server).

-----

Source: [GitHub](https://github.com/splunk/security_content/tree/develop/detections/endpoint/windows_ad_self_dacl_assignment.yml) |
Version: **7**