Analytics Story: Defense Evasion or Unauthorized Access Via SDDL Tampering

Description

This analytic story covers detections for defense evasion or unauthorized access achieved by tampering with security descriptors, the access-control settings Windows expresses in Security Descriptor Definition Language (SDDL). Attackers may rewrite the security descriptor of critical system components, such as event log channels and services, to hide their activity or to obtain access they should not have. The story includes detections for changes to the 'ChannelAccess' and 'CustomSD' registry values that control access to event log channels, and for the use of tools such as 'sc.exe sdset', 'icacls' and 'subinacl' to modify permissions on securable objects (files, registry keys, services and so on).

Why it matters

Adversaries may attempt to evade detection or gain unauthorized access by modifying the ACLs or security descriptors of securable objects on Windows. By altering these settings, an attacker can grant themselves rights they were never given, or deny defenders and the logging service access to a service or event log channel, suppressing the logging that detection and response depend on. Monitoring changes to the relevant registry values, and the execution of the tools used to rewrite security descriptors, helps surface this activity.
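The indicators described above, implemented as a small detector and run over constructed sample events. This is an added example, not code from this page or from the Splunk security content project: event field names follow Sysmon (Image, TargetObject, Details, CommandLine) and a hypothetical Computer field, the alert labels are invented and only loosely mirror the detection names listed below, and the threshold of five cacls executions per host is an assumption. The SDDL parsing is deliberately minimal (plain ACEs only, no conditional ACEs).

```python
"""Detector for SDDL / ACL tampering indicators, run over constructed sample events."""
import re
from collections import Counter
from dataclasses import dataclass

# One plain SDDL ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")
# The DACL component: "D:" + optional control flags (P, AI, AR) + one or more ACEs.
DACL_RE = re.compile(r"D:(?:P|AI|AR)*((?:\([^()]*\))+)")
# Registry values holding an event log channel's security descriptor (CustomSD / ChannelAccess).
EVENTLOG_SD_VALUE_RE = re.compile(
    r"\\(?:EventLog\\[^\\]+\\CustomSD|WINEVT\\Channels\\[^\\]+\\ChannelAccess)$", re.IGNORECASE)
CACLS_EXES = ("icacls.exe", "icacls", "cacls.exe", "cacls")


@dataclass
class Alert:
    name: str
    detail: str


def parse_dacl(sddl):
    """Return (ace_type, rights, sid) for each ACE in the DACL of an SDDL string."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    return [(t, rights, sid) for t, _flags, rights, _og, _ig, sid in ACE_RE.findall(m.group(1))]


def deny_aces(sddl):
    """Deny ACEs (type 'D') are what an attacker adds to lock a principal out of an object."""
    return [ace for ace in parse_dacl(sddl) if ace[0] == "D"]


def exe_name(cmdline):
    """Lower-case image file name from a command line (quoted paths with spaces not handled)."""
    tokens = cmdline.split()
    return tokens[0].strip('"').rsplit("\\", 1)[-1].lower() if tokens else ""


def classify_registry(event):
    """Sysmon EventID 13: fire when a CustomSD or ChannelAccess value is written."""
    target = event.get("TargetObject", "")
    if not EVENTLOG_SD_VALUE_RE.search(target):
        return None
    value = target.rsplit("\\", 1)[-1]
    who = ", ".join(sid for _t, _r, sid in deny_aces(event.get("Details", ""))) or "none"
    return Alert(f"EventLog {value} value set", f"{target} (deny ACEs for: {who})")


def classify_process(event):
    """Sysmon EventID 1 / Security 4688: sc.exe sdset, icacls/cacls, subinacl."""
    tokens = event.get("CommandLine", "").split()
    exe, lower = exe_name(event.get("CommandLine", "")), [t.lower() for t in tokens]
    if exe in ("sc.exe", "sc") and "sdset" in lower:
        i = lower.index("sdset")
        service = tokens[i + 1] if len(tokens) > i + 1 else ""
        sddl = tokens[i + 2] if len(tokens) > i + 2 else ""
        if service.lower() == "scmanager":
            return Alert("ScManager SD tampering via sc.exe", sddl)
        if deny_aces(sddl):
            return Alert("Deny ACE set on service SD via sc.exe", f"{service}: {sddl}")
        return Alert("Service SD set via sc.exe", f"{service}: {sddl}")
    if exe in CACLS_EXES:
        if any(a.startswith("/deny") for a in lower):
            return Alert("Icacls deny command", " ".join(tokens[1:]))
        if any(a.startswith("/grant") for a in lower):
            return Alert("Icacls grant command", " ".join(tokens[1:]))
        if any(a.startswith(("/remove", "/setowner", "/reset", "/inheritance:")) for a in lower):
            return Alert("Access rights modification via icacls", " ".join(tokens[1:]))
        return None  # a bare "icacls <path>" only displays the ACL
    if exe in ("subinacl.exe", "subinacl"):
        return Alert("SubInAcl execution", " ".join(tokens[1:]))
    return None


def run_detections(events):
    """Evaluate every event; returns the Alerts in event order."""
    alerts = []
    for ev in events:
        a = classify_registry(ev) if ev["EventID"] == 13 else classify_process(ev)
        if a:
            alerts.append(a)
    return alerts


def excessive_cacls_hosts(events, threshold=5):
    """Hosts with more than `threshold` icacls/cacls executions (threshold is an assumption)."""
    counts = Counter(ev["Computer"] for ev in events
                     if ev["EventID"] != 13 and exe_name(ev.get("CommandLine", "")) in CACLS_EXES)
    return sorted(host for host, n in counts.items() if n > threshold)


# Constructed sample events (not real telemetry). EventID 13 = registry value set,
# EventID 1 = process creation (Security 4688 carries the same CommandLine field).
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\CustomSD",
     "Details": "O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(D;;0x1;;;BU)"},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels"
                     r"\Microsoft-Windows-PowerShell/Operational\ChannelAccess",
     "Details": "O:BAG:SYD:(A;;0x1;;;SY)(D;;0x1;;;WD)"},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize",
     "Details": "DWORD (0x01400000)"},  # unrelated value under the same key: must not fire
    {"EventID": 1, "Computer": "WS01",
     "CommandLine": "sc.exe sdset Spooler D:(D;;DCLCWPDTSD;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"},
    {"EventID": 1, "Computer": "WS01",
     "CommandLine": "sc.exe sdset scmanager D:(A;;CC;;;AU)(A;;KA;;;SY)(A;;KA;;;BA)"},
    {"EventID": 1, "Computer": "WS01",
     "CommandLine": r'C:\Windows\System32\icacls.exe C:\Windows\System32\winevt\Logs /deny "Everyone:(R)"'},
    {"EventID": 1, "Computer": "WS01", "CommandLine": r"subinacl.exe /file C:\Temp\x.exe /grant=everyone=F"},
    {"EventID": 1, "Computer": "WS01", "CommandLine": "sc.exe query Spooler"},  # benign: no alert
] + [{"EventID": 1, "Computer": "WS02", "CommandLine": "icacls C:\\Temp\\%d.txt /grant Everyone:F" % i}
     for i in range(6)]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"{alert.name}: {alert.detail}")
    print("excessive cacls usage on:", excessive_cacls_hosts(SAMPLE_EVENTS))
```

The deny-ACE parse is what separates a routine `sc sdset` (a service install tightening its own descriptor) from the interesting case where a principal such as Interactive Users or Everyone is explicitly denied; the same parse applied to the Details field of EventID 13 tells you whom a new CustomSD or ChannelAccess value locks out of the channel.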

Detections

Name | Technique | Type
Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly
Icacls Deny Command | File and Directory Permissions Modification | TTP
ICACLS Grant Command | File and Directory Permissions Modification | Anomaly
Modify ACL permission To Files Or Folder | File and Directory Permissions Modification | Anomaly
Windows Files and Dirs Access Rights Modification Via Icacls | Windows File and Directory Permissions Modification, File and Directory Permissions Modification | TTP
Windows New Custom Security Descriptor Set On EventLog Channel | Disable Windows Event Logging | Anomaly
Windows New Deny Permission Set On Service SD Via Sc.EXE | Hide Artifacts | Anomaly
Windows New EventLog ChannelAccess Registry Value Set | Disable Windows Event Logging | Anomaly
Windows New Service Security Descriptor Set Via Sc.EXE | Hide Artifacts | Anomaly
Windows ScManager Security Descriptor Tampering Via Sc.EXE | Service Execution | TTP
Windows SubInAcl Execution | Windows File and Directory Permissions Modification | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1