| ID | Technique | Tactic |
|---|---|---|
| T1484 | Domain or Tenant Policy Modification | Defense Evasion |
| T1098 | Account Manipulation | Privilege Escalation |
# Detection: Windows AD Self DACL Assignment

### Description

Detects when a user creates a new DACL entry (ACE) on an Active Directory object that grants rights to their own account.

### Search
````spl
`wineventlog_security`
EventCode=5136
``` Pair the deleted (%%14675) and added (%%14674) nTSecurityDescriptor values of one change ```
| stats min(_time) as _time
    values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value
    values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value
    values(OperationType) as OperationType
    by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId dest
``` Split both SDDL strings into ACEs and keep only the ACEs that were not present before ```
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
| mvexpand new_ace
| where NOT new_ace IN (old_values)
| rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);(?P<aceInheritedTypeGuid>.*?);(?P<aceSid>.*?)$"
| rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})"
| rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})"
| lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType
| lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value
| lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value
| lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights
``` Optional SID resolution lookups ```
| lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user
| lookup admon_groups_def objectSid as aceSid OUTPUT cn as group
| lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group
| eval aceType = coalesce(ace_type_value, aceType),
    aceInheritance = coalesce(ace_flag_value, "This object only"),
    aceAccessRights = if(aceAccessRights = "CCDCLCSWRPWPDTLOCRSDRCWDWO", "Full control", coalesce(access_rights_value, AccessRights)),
    aceControlAccessRights = if((ControlAccessRights = "Write member" OR aceObjectGuid = "bf9679c0-0de6-11d0-a285-00aa003049e2") AND (aceAccessRights = "All validated writes" OR AccessRights = "SW"), "Add/remove self as member", coalesce(ControlAccessRights, aceObjectGuid)),
    user = coalesce(user, group, builtin_group, aceSid)
| stats values(aceType) as aceType values(aceInheritance) as aceInheritance values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid
    by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID dest
``` An empty object GUID means the ACE is not scoped to one attribute/right; otherwise keep the field value (unquoted, not the literal string) ```
| eval aceControlAccessRights = if(mvcount(aceControlAccessRights) = 1 AND aceControlAccessRights = "", "All rights", aceControlAccessRights)
``` Compare the NT user name of the ACE trustee with the account that made the change ```
| rex field=user "\\(?P<nt_user>.*?)$"
| where lower(src_user)=lower(nt_user)
| `windows_ad_self_dacl_assignment_filter`
````
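The pipeline above, as an added Python example that is not code from the security_content project: it pairs the deleted and added nTSecurityDescriptor values of each 5136 change, diffs the ACEs, decodes every new ACE the way the search's rex/lookup/eval chain does, resolves the trustee and keeps only rows where trustee and actor match. The events, SIDs, account names and the lookup dictionaries (`ACE_TYPES`, `ACCESS_RIGHTS`, `GUID_NAMES`, `SID_NAMES`) are constructed stand-ins for the `wineventlog_security` data and the `ace_type_lookup`, `ace_access_rights_lookup`, `msad_guid_lookup` and identity lookups; the inheritance flags are kept as raw SDDL codes instead of going through `ace_flag_lookup`. It goes one step beyond the search text by exercising the edge case where the resolved trustee has no `DOMAIN\` prefix, which the final `rex` silently drops.

```python
"""Offline model of the Windows AD Self DACL Assignment search (added example, not project code)."""
import re
from collections import defaultdict

MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # 'member' attribute GUID used by the search
FULL_CONTROL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"                 # rights string the search calls "Full control"

# Abbreviated, constructed stand-ins for ace_type_lookup, ace_access_rights_lookup, msad_guid_lookup.
ACE_TYPES = {"A": "Access allowed", "D": "Access denied",
             "OA": "Object access allowed", "OD": "Object access denied"}
ACCESS_RIGHTS = {"CC": "Create child", "DC": "Delete child", "LC": "List children",
                 "SW": "All validated writes", "RP": "Read property", "WP": "Write property",
                 "DT": "Delete tree", "LO": "List object", "CR": "Control access", "SD": "Delete",
                 "RC": "Read control", "WD": "Write DAC", "WO": "Write owner"}
GUID_NAMES = {MEMBER_ATTR_GUID: "Write member"}
# Stand-in for identity_lookup_expanded / admon_groups_def / builtin_groups_lookup (constructed SIDs).
SID_NAMES = {"S-1-5-21-1-2-3-1104": "CORP\\jdoe", "S-1-5-21-1-2-3-1105": "CORP\\asmith",
             "DA": "CORP\\Domain Admins", "AU": "Authenticated Users"}
ACE_RE = re.compile(r"(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);"
                    r"(?P<aceObjectGuid>.*?);(?P<aceInheritedTypeGuid>.*?);(?P<aceSid>.*?)$")


def decode_ace(ace):
    """Split one ACE body (the text between parentheses) and apply the same lookups/evals as the SPL."""
    a = ACE_RE.match(ace).groupdict()
    tokens = re.findall(r"[A-Z]{2}", a["aceAccessRights"])   # rex max_match=100 on aceAccessRights
    flags = re.findall(r"[A-Z]{2}", a["aceFlags"])           # rex max_match=100 on aceFlags
    a["aceType"] = ACE_TYPES.get(a["aceType"], a["aceType"])
    a["aceInheritance"] = flags or ["This object only"]      # raw flag codes stand in for ace_flag_lookup
    if a["aceAccessRights"] == FULL_CONTROL:
        a["aceAccessRights"] = ["Full control"]
    else:
        a["aceAccessRights"] = [ACCESS_RIGHTS.get(t, t) for t in tokens]
    name = GUID_NAMES.get(a["aceObjectGuid"])
    if (name == "Write member" or a["aceObjectGuid"] == MEMBER_ATTR_GUID) and "SW" in tokens:
        a["aceControlAccessRights"] = "Add/remove self as member"
    else:
        a["aceControlAccessRights"] = name or a["aceObjectGuid"] or "All rights"  # empty GUID -> "All rights"
    a["user"] = SID_NAMES.get(a["aceSid"], a["aceSid"])     # coalesce(user, group, builtin_group, aceSid)
    return a


def find_self_dacl_assignments(events):
    """Pair %%14675 (deleted) and %%14674 (added) values per change, diff the ACEs, and keep the
    added ACEs whose trustee resolves to the account that made the change."""
    groups = defaultdict(lambda: {"old": set(), "new": [], "event": None})
    for e in events:
        if e.get("EventCode") != 5136:
            continue
        key = (e["OpCorrelationID"], e["ObjectClass"], e["ObjectDN"], e["src_user"], e["SubjectLogonId"], e["dest"])
        g = groups[key]
        g["event"] = e
        aces = re.findall(r"\((.*?)\)", e["AttributeValue"])  # rex max_match=10000 "\((.*?)\)"
        if e["OperationType"] == "%%14675":
            g["old"].update(aces)
        elif e["OperationType"] == "%%14674":
            g["new"].extend(aces)
    findings = []
    for g in groups.values():
        e = g["event"]
        for ace in g["new"]:
            if ace in g["old"]:                               # where NOT new_ace IN (old_values)
                continue
            d = decode_ace(ace)
            # rex field=user "\\(?P<nt_user>.*?)$": a trustee without a backslash yields no nt_user,
            # so the where clause drops that row; mirror that instead of matching on the bare name.
            nt_user = d["user"].split("\\", 1)[1] if "\\" in d["user"] else None
            if nt_user is None or nt_user.lower() != e["src_user"].lower():
                continue
            findings.append({
                "ObjectDN": e["ObjectDN"], "src_user": e["src_user"], "user": d["user"],
                "aceType": d["aceType"], "aceControlAccessRights": d["aceControlAccessRights"],
                "aceAccessRights": d["aceAccessRights"], "new_ace": ace,
                "risk_message": f"{d['user']} has created a DACL on {e['ObjectDN']} to grant themselves "
                                f"{d['aceControlAccessRights']} across {', '.join(d['aceAccessRights'])}"})
    return findings


def make_event(corr, op, dn, cls, src_user, sddl):
    """Build a constructed 5136 record carrying only the fields the search consumes."""
    return {"EventCode": 5136, "OpCorrelationID": corr, "OperationType": op, "ObjectDN": dn,
            "ObjectClass": cls, "src_user": src_user, "SubjectLogonId": "0x3e7", "dest": "DC01",
            "AttributeValue": sddl}


GROUP_DN = "CN=Domain Admins,CN=Users,DC=corp,DC=local"
USER_DN = "CN=jdoe,CN=Users,DC=corp,DC=local"
BASE_SD = "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;LCRPLORC;;;AU)"
SAMPLE_EVENTS = [  # constructed: three changes, two events each
    # 1. jdoe grants jdoe validated write on 'member' of Domain Admins -> alert
    make_event("{C1}", "%%14675", GROUP_DN, "group", "jdoe", BASE_SD),
    make_event("{C1}", "%%14674", GROUP_DN, "group", "jdoe",
               BASE_SD + f"(OA;;SW;{MEMBER_ATTR_GUID};;S-1-5-21-1-2-3-1104)"),
    # 2. an administrator grants asmith full control of jdoe's object -> trustee != actor, no alert
    make_event("{C2}", "%%14675", USER_DN, "user", "administrator", BASE_SD),
    make_event("{C2}", "%%14674", USER_DN, "user", "administrator",
               BASE_SD + f"(A;;{FULL_CONTROL};;;S-1-5-21-1-2-3-1105)"),
    # 3. jdoe (logged as JDOE) grants jdoe full control of their own object -> alert
    make_event("{C3}", "%%14675", USER_DN, "user", "JDOE", BASE_SD),
    make_event("{C3}", "%%14674", USER_DN, "user", "JDOE", BASE_SD + f"(A;;{FULL_CONTROL};;;S-1-5-21-1-2-3-1104)"),
]

if __name__ == "__main__":
    for f in find_self_dacl_assignments(SAMPLE_EVENTS):
        print(f["risk_message"])
```

Running it prints the two risk messages in the same shape as the RBA message below. The no-backslash branch is worth keeping in mind when tuning: if an identity lookup returns bare account names instead of `DOMAIN\name`, the search never matches them, so SID resolution data should be checked in that format.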

### Data Source

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| [Windows Event Log Security 5136](/sources/7ba3737e-231e-455d-824e-cd077749f835) | [Windows](/platform/windows) | `XmlWinEventLog` | `XmlWinEventLog:Security` |

### Macros Used

| Name | Value |
|------|-------|
| [wineventlog_security](https://github.com/splunk/security_content/blob/develop/macros/wineventlog_security.yml) | `eventtype="wineventlog_security" OR Channel="security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:Security"` |
| windows_ad_self_dacl_assignment_filter | `search *` |

windows_ad_self_dacl_assignment_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

### Annotations

| MITRE ATT&CK | Kill Chain Phases | NIST | CIS | Threat Actors |
|---|---|---|---|---|
| T1484, T1098 | Exploitation, Installation | DE.CM | CIS 10 | |


### Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

| Setting | Value |
|---------|-------|
| Disabled | true |
| Cron Schedule | `0 * * * *` |
| Earliest Time | `-70m@m` |
| Latest Time | `-10m@m` |
| Schedule Window | `auto` |
| Creates Notable | Yes |
| Rule Title | `%name%` |
| Rule Description | `%description%` |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

### Implementation

Ensure you are ingesting Active Directory audit logs, specifically event 5136. See the Lantern article in the references for details on how to onboard AD audit data. Ensure the `wineventlog_security` macro is configured with the correct indexes, and include lookups for SID resolution if `evt_resolve_ad_obj` is set to 0.

### Known False Positives

No false positives have been identified at this time.

### Associated Analytic Story

* [Sneaky Active Directory Persistence Tricks](/stories/sneaky_active_directory_persistence_tricks/)

### Risk Based Analytics (RBA)

##### Risk Message:
> $user$ has created a DACL on $ObjectDN$ to grant themselves $aceControlAccessRights$ across $aceAccessRights$

| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|-------------|------------------|------------|----------------|
| user | user | 80 | No Threat Objects |

### References

* https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory

### Detection Testing

| Test Type | Status | Dataset | Source | Sourcetype |
| --------- | ------ | ------- | ------ | ---------- |
| Validation | ✅ [Passing](https://github.com/splunk/security_content/actions/workflows/build.yml) | N/A | N/A | N/A |
| Unit | ✅ [Passing](https://github.com/splunk/security_content/actions/workflows/build.yml) | [Dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log) | `XmlWinEventLog:Security` | `XmlWinEventLog` |
| Integration | ✅ Passing | [Dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log) | `XmlWinEventLog:Security` | `XmlWinEventLog` |

Replay any dataset to Splunk Enterprise by using our [`replay.py`](https://github.com/splunk/attack_data#using-replaypy) tool or the [UI](https://github.com/splunk/attack_data#using-ui).
Alternatively, you can replay a dataset into a [Splunk Attack Range](https://github.com/splunk/attack_range#replay-dumps-into-attack-range-splunk-server).

-----

Source: [GitHub](https://github.com/splunk/security_content/tree/develop/detections/endpoint/windows_ad_self_dacl_assignment.yml) |
Version: **8**