# Detection: Windows AD Self DACL Assignment

### Description

Detect when a user modifies the DACL of an Active Directory object by adding an ACE whose trustee is that same user, i.e. grants rights on the object to themselves. The search pairs the deleted and added attribute values from event 5136 (the old and new security descriptor in SDDL form), keeps only the ACEs present in the new value, decodes each ACE, resolves its trustee SID to an account, and alerts when that account matches the one that made the change.

````spl
`wineventlog_security`
EventCode=5136

```%%14675 = "Value Deleted" (old attribute value), %%14674 = "Value Added" (new attribute value)```
| stats min(_time) as _time
        values(
          eval(
            if(OperationType=="%%14675",AttributeValue,null)
            )
        ) as old_value

        values(
          eval(
            if(OperationType=="%%14674" ,AttributeValue,null)
          )
        ) as new_value

        values(OperationType) as OperationType
by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId dest


| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"

| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"

| mvexpand new_ace

| where NOT new_ace IN (old_values)

| rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);(?P<aceInheritedTypeGuid>.*?);(?P<aceSid>.*?)$"

| rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})"

| rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})"


| lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType

| lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value

| lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value

| lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights

```Optional SID resolution lookups```

| lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user

| lookup admon_groups_def objectSid as aceSid OUTPUT cn as group

| lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group

| eval aceType = coalesce(ace_type_value, aceType), aceInheritance = coalesce(ace_flag_value, "This object only"), aceAccessRights = if( aceAccessRights = "CCDCLCSWRPWPDTLOCRSDRCWDWO", "Full control", coalesce(access_rights_value,AccessRights) ), aceControlAccessRights = if( ( ControlAccessRights = "Write member" OR aceObjectGuid = "bf9679c0-0de6-11d0-a285-00aa003049e2" ) AND ( aceAccessRights = "All validated writes" OR AccessRights = "SW" ), "Add/remove self as member", coalesce(ControlAccessRights,aceObjectGuid) ), user=coalesce(user, group, builtin_group, aceSid)

| stats values(aceType) as aceType values(aceInheritance) as aceInheritance values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(aceInheritedTypeGuid) as aceInheritedTypeGuid

by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID dest

```An ACE with no object GUID applies to every attribute/right; single quotes keep the field reference (double quotes would assign the literal string)```
| eval aceControlAccessRights = if( mvcount(aceControlAccessRights) = 1 AND aceControlAccessRights = "", "All rights", 'aceControlAccessRights' )

| rex field=user "\\(?P<nt_user>.*?)$"

| where lower(src_user)=lower(nt_user)

| `windows_ad_self_dacl_assignment_filter`
````
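The same detection logic as an added worked example in Python; it is not part of the security_content project. It runs over constructed 5136 events (field names as the Splunk Windows TA extracts them from `XmlWinEventLog:Security`; the SIDs, DNs and the small lookup tables standing in for `ace_type_lookup`, `ace_flag_lookup`, `ace_access_rights_lookup`, `msad_guid_lookup` and `identity_lookup_expanded` are assumptions) and reproduces the old/new ACE diff, the ACE decoding, the self-membership and full-control special cases, and the actor-equals-trustee comparison. It goes slightly beyond the SPL in one place: full control is recognised as the set of thirteen rights rather than one exact token order. It also shows the unresolved-SID edge case: an added ACE whose trustee SID has no lookup entry yields no finding, just as the SPL's final `rex`/`where` pair drops it.

```python
import re
from collections import defaultdict

# Constructed sample data: names, SIDs and DNs are assumptions, not real values.
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"          # schema GUID of the 'member' attribute
JDOE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # assumed SID of CORP\jdoe
BASE_SD = "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"

def _pair(op_id, object_dn, object_class, src_user, old_sd, new_sd):
    """Two 5136 events for one change: %%14675 = Value Deleted (old), %%14674 = Value Added (new)."""
    base = {"EventCode": "5136", "OpCorrelationID": op_id, "ObjectDN": object_dn,
            "ObjectClass": object_class, "src_user": src_user,
            "SubjectLogonId": "0x5f2a1", "dest": "dc01.corp.example"}
    return [dict(base, OperationType="%%14675", AttributeValue=old_sd),
            dict(base, OperationType="%%14674", AttributeValue=new_sd)]

SAMPLE_EVENTS = (
    # jdoe grants jdoe a validated write to 'member' on Domain Admins: should fire
    _pair("{1}", "CN=Domain Admins,CN=Users,DC=corp,DC=example", "group", "jdoe",
          BASE_SD, BASE_SD + f"(OA;;SW;{MEMBER_GUID};;{JDOE_SID})")
    # jdoe grants jdoe inheritable full control on a service account: should fire
    + _pair("{2}", "CN=svc-backup,CN=Users,DC=corp,DC=example", "user", "jdoe",
            BASE_SD, BASE_SD + f"(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{JDOE_SID})")
    # tadmin grants jdoe read on an OU: trustee is not the actor, must not fire
    + _pair("{3}", "OU=Servers,DC=corp,DC=example", "organizationalUnit", "tadmin",
            BASE_SD, BASE_SD + f"(A;;RP;;;{JDOE_SID})")
    # jdoe grants an unresolvable SID Write DACL: no lookup hit, so no finding (as in the SPL)
    + _pair("{4}", "CN=svc-sql,CN=Users,DC=corp,DC=example", "user", "jdoe",
            BASE_SD, BASE_SD + "(A;;WD;;;S-1-5-21-9999999999-8888888888-7777777777-1106)")
)

# Abbreviated stand-ins for the detection's lookup CSVs (assumed, not the shipped files).
ACE_TYPE = {"A": "Access allowed", "D": "Access denied",
            "OA": "Object access allowed", "OD": "Object access denied"}
ACE_FLAG = {"CI": "Container inherit", "OI": "Object inherit", "NP": "No propagate inherit",
            "IO": "Inherit only", "ID": "Inherited"}
ACCESS_RIGHT = {"CC": "Create child", "DC": "Delete child", "LC": "List contents",
                "SW": "All validated writes", "RP": "Read property", "WP": "Write property",
                "DT": "Delete tree", "LO": "List object", "CR": "Control access",
                "SD": "Delete", "RC": "Read permissions", "WD": "Write DACL", "WO": "Write owner"}
FULL_CONTROL = set(re.findall("[A-Z]{2}", "CCDCLCSWRPWPDTLOCRSDRCWDWO"))
GUID_NAME = {MEMBER_GUID: "Write member"}
SID_TO_NTUSER = {JDOE_SID: "CORP\\jdoe"}
ACE_RE = re.compile(r"\((.*?)\)")   # same pattern as the SPL rex: one match per ACE

def parse_ace(ace):
    """Decode 'type;flags;rights;objectGuid;inheritedTypeGuid;sid' like the SPL rex, lookups and eval."""
    parts = ace.split(";", 5)
    if len(parts) != 6:
        return None
    ace_type, flags, rights, obj_guid, inh_guid, sid = parts
    right_tokens = re.findall("[A-Z]{2}", rights)
    flag_tokens = re.findall("[A-Z]{2}", flags)
    access = (["Full control"] if set(right_tokens) == FULL_CONTROL
              else [ACCESS_RIGHT.get(t, t) for t in right_tokens])
    control = GUID_NAME.get(obj_guid.lower(), obj_guid)
    if (control == "Write member" or obj_guid.lower() == MEMBER_GUID) and "SW" in right_tokens:
        control = "Add/remove self as member"   # validated write to 'member' = self-membership
    elif control == "":
        control = "All rights"                  # no object GUID: ACE covers all attributes/rights
    return {"aceType": ACE_TYPE.get(ace_type, ace_type),
            "aceInheritance": [ACE_FLAG.get(f, f) for f in flag_tokens] or ["This object only"],
            "aceAccessRights": access, "aceControlAccessRights": control,
            "aceInheritedTypeGuid": inh_guid, "aceSid": sid,
            "user": SID_TO_NTUSER.get(sid, sid)}   # coalesce(user, ..., aceSid)

def detect_self_dacl_assignment(events):
    """Pair old/new values per change, diff the ACE sets, keep added ACEs whose trustee is the actor."""
    groups = defaultdict(lambda: {"old": set(), "new": set()})
    for e in events:
        if e.get("EventCode") != "5136":
            continue
        key = (e["ObjectClass"], e["ObjectDN"], e["OpCorrelationID"],
               e["src_user"], e["SubjectLogonId"], e["dest"])
        side = {"%%14675": "old", "%%14674": "new"}.get(e["OperationType"])
        if side:
            groups[key][side] |= set(ACE_RE.findall(e["AttributeValue"]))
    findings = []
    for (object_class, object_dn, op_id, src_user, logon_id, dest), g in groups.items():
        for ace in sorted(g["new"] - g["old"]):      # 'where NOT new_ace IN (old_values)'
            parsed = parse_ace(ace)
            if parsed is None or "\\" not in parsed["user"]:
                continue   # unresolved SID: the SPL's rex yields no nt_user and the where drops it
            nt_user = parsed["user"].rsplit("\\", 1)[1]
            if nt_user.lower() != src_user.lower():
                continue   # trustee is someone else: not a self-assignment
            findings.append(dict(parsed, ObjectClass=object_class, ObjectDN=object_dn,
                                 OpCorrelationID=op_id, src_user=src_user, dest=dest, new_ace=ace))
    return findings

def finding_title(f):
    return (f"{f['user']} has created a DACL on {f['ObjectDN']} to grant themselves "
            f"{f['aceControlAccessRights']} across {', '.join(f['aceAccessRights'])}")

if __name__ == "__main__":
    for f in detect_self_dacl_assignment(SAMPLE_EVENTS):
        print(finding_title(f))
```

Running it prints two finding titles (the Domain Admins self-membership grant and the full-control grant on svc-backup) and nothing for the third and fourth changes. The fourth case is the one to remember when tuning: if SID resolution is not configured, every self-assignment looks like the fourth case and the detection stays silent.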

### Data Source

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| [Windows Event Log Security 5136](/sources/7ba3737e-231e-455d-824e-cd077749f835) | [Windows](/platform/windows) | `'XmlWinEventLog'` | `'XmlWinEventLog:Security'` |

### Macros Used

| Name | Value |
|------|-------|
| [wineventlog_security](https://github.com/splunk/security_content/blob/develop/macros/wineventlog_security.yml) | `eventtype="wineventlog_security" OR Channel="security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:Security"` |
| windows_ad_self_dacl_assignment_filter | `search *` |

windows_ad_self_dacl_assignment_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
### Annotations

MITRE ATT&CK:

| ID | Technique | Tactic |
|---|---|---|
| T1098 | Account Manipulation | Persistence |
| T1484 | Domain or Tenant Policy Modification | Privilege Escalation |

Kill Chain Phases: Exploitation, Installation

NIST: DE.CM

CIS: CIS 10
### Default Configuration
<a name="default-configuration"></a>

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

| Setting | Value |
|---------|-------|
| Disabled | true |
| Cron Schedule | `0 * * * *` |
| Earliest Time | `-70m@m` |
| Latest Time | `-10m@m` |
| Schedule Window | `auto` |
| Creates Finding (Notable) | Yes |
| Rule Title | `%name%` |
| Rule Description | `%description%` |
| Notable Event Fields | user, dest |
| Creates Intermediate Finding (Risk Event) | No |

TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.
### Implementation

Ensure you are ingesting Active Directory audit logs, specifically event 5136 (A directory service object was modified). Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled on the domain controllers and the modified object's SACL audits write access, so both must be in place; see the Lantern article in the references for how to onboard AD audit data. Ensure the `wineventlog_security` macro is configured with the correct indexes, and include lookups for SID resolution if `evt_resolve_ad_obj` is set to 0 in the Windows add-on: the final `where lower(src_user)=lower(nt_user)` only matches when the trustee SID in the new ACE has been resolved to a `DOMAIN\user` name, so unresolved SIDs produce no findings.

### Known False Positives

No false positives have been identified at this time.

### Associated Analytic Story

* [Sneaky Active Directory Persistence Tricks](/stories/sneaky_active_directory_persistence_tricks/)

### Finding

| Title | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| $user$ has created a DACL on $ObjectDN$ to grant themselves $aceControlAccessRights$ across $aceAccessRights$ | user | user | 50 |

### References

* https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory

### Detection Testing

| Test Type | Status | Dataset | Source | Sourcetype |
| --------- | ------ | ------- | ------ | ---------- |
| Validation | [Passing](https://github.com/splunk/security_content/actions/workflows/build.yml) | N/A | N/A | N/A |
| Unit | [Passing](https://github.com/splunk/security_content/actions/workflows/build.yml) | [Dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log) | `XmlWinEventLog:Security` | `XmlWinEventLog` |
| Integration | Passing | [Dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log) | `XmlWinEventLog:Security` | `XmlWinEventLog` |

Replay any dataset to Splunk Enterprise by using our [`replay.py`](https://github.com/splunk/attack_data#using-replaypy) tool or the [UI](https://github.com/splunk/attack_data#using-ui).
Alternatively you can replay a dataset into a [Splunk Attack Range](https://github.com/splunk/attack_range#replay-dumps-into-attack-range-splunk-server).

-----

Source: [GitHub](https://github.com/splunk/security_content/tree/develop/detections/endpoint/windows_ad_self_dacl_assignment.yml) | Version: **12**