[Meta] Explore Detection Opportunities on Active Directory Default Groups Abuse

[w0rk3r]

Summary

Explore how attackers abuse default groups (DnsAdmins, Schema Admins, Server Operators, Backup Operators, etc.) to elevate privileges, maintain persistence, and execute payloads in domain servers and hosts,

Tasks

Preview Give feedback

1. Lab Creation
2. Undestand default domain groups and their privileges
3. Read, read, and read blog posts that explain the abuse of the privileges
4. Simulate abuse based on existing research
5. Detection Development

Goals

• Enhance coverage for attacks that target common misconfigurations in active directory environments.

Resources:

https://adsecurity.org/?p=3700
https://cube0x0.github.io/Pocing-Beyond-DA/
https://adsecurity.org/?p=4064
https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll

PRs

• [New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll #3717
• [New Rule] DNS Global Query Block List Modified or Disabled #3734
• https://github.com/elastic/endpoint-rules/pull/3540
• [New Rule] Potential WPAD Spoofing via DNS Record Creation #3748
• [New Rule] Potential Privilege Escalation via Service ImagePath Modification #3757
• [New Rule] NTDS Dump via Wbadmin #3758
• [Rule Tuning] User Added to Privileged Group #3763
• [New Rule] AD Group Modification by SYSTEM #3833
• [New Rule] [BBR] Active Directory Object Modification by SYSTEM #3835

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[w0rk3r]

Closing this one as the scoped work is completed.