-
Notifications
You must be signed in to change notification settings - Fork 362
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
adding detection for domain root ACL modification
- Loading branch information
Showing
12 changed files
with
317 additions
and
16 deletions.
There are no files selected for viewing
83 changes: 83 additions & 0 deletions
83
detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,83 @@ | ||
name: Windows AD DCShadow ACL Addition | ||
id: ae915743-1aa8-4a94-975c-8062ebc8b723 | ||
version: 1 | ||
date: '2023-11-10' | ||
author: Dean Luxton | ||
status: production | ||
type: TTP | ||
data_source: | ||
- Windows Security 5136 | ||
description: Detect ACL modification event applying the minimum required extended rights to perform a DCShadow attack. | ||
search: '`wineventlog_security` EventCode=5136 OperationType="%%14674" ObjectClass=domainDNS | ||
| rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;(?P<DSInstallReplica_user>.*?)\)" | ||
| rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSReplSync_user>.*?)\)" | ||
| rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSReplManageTopology_user>.*?)\)" | ||
| mvexpand DSInstallReplica_user | ||
| eval DCShadowPermissions=if(DSInstallReplica_user=DSReplSync_user AND DSInstallReplica_user=DSReplManageTopology_user,"true","false"), permissions_applied=mvappend("DS-Install-Replica","DS-Replication-Synchronize","DS-Replication-Manage-Topology") | ||
| where DCShadowPermissions="true" | ||
| stats min(_time) as _time by src_user DSInstallReplica_user permissions_applied, SubjectLogonId, DSName | ||
| rename SubjectLogonId as TargetLogonId, src_user as initiator, DSInstallReplica_user as target_user | ||
| appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | ||
| stats min(_time) as _time values(initiator) as src_user, values(DSName) as targetDomain, values(target_user) as user, values(Computer) as dest, values(permissions_applied) as permissions_applied, values(src_category) as src_category, values(src_ip) as src_ip values(LogonType) as LogonType by TargetLogonId | ||
``` uncomment to enable SID lookups as required | ||
| lookup identity_lookup_expanded objectSid as user OUTPUT downLevelDomainName as translated_user | ||
| lookup admon_groups_def objectSid as user OUTPUT cn as group_user | ||
| eval user=if(match(user, "S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3}") AND translated_user like "%" OR group_user like "%",coalesce(translated_user,group_user),user) | ||
| fields - translated_user group_user | ||
``` | ||
| eval comment=mvappend(if(isnull(src_ip),"Finding: Rerun search over longer time-range to locate src_ip from the captured TargetLogonId",null),if(match(user, "S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3}"),"Finding: Captured SID could not be found in A&I lookup, ensure A&I lookup is configured, also check potential group SIDs for a match",null)) | ||
| `windows_ad_dcshadow_acl_addition_filter`' | ||
how_to_implement: See link in references for how to configure logging for these eventcodes. | ||
known_false_positives: Unknown | ||
references: | ||
- https://www.labofapenetrationtester.com/2018/04/dcshadow.html | ||
- https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1 | ||
- https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a | ||
tags: | ||
analytic_story: | ||
- Sneaky Active Directory Persistence Tricks | ||
asset_type: Endpoint | ||
confidence: 100 | ||
impact: 100 | ||
message: $targetDomain$ ACL modification Event Initiated by $src_user$ applying $user$ the minimum required extended rights to perform a DCShadow attack. | ||
mitre_attack_id: | ||
- T1484 | ||
- T1207 | ||
observable: | ||
- name: user | ||
type: User | ||
role: | ||
- Victim | ||
- name: src_user | ||
type: User | ||
role: | ||
- Victim | ||
- name: dest | ||
type: Hostname | ||
role: | ||
- Victim | ||
- name: src_ip | ||
type: Hostname | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
risk_score: 100 | ||
required_fields: | ||
- _time | ||
- OperationType | ||
- src_user | ||
- AttributeLDAPDisplayName | ||
- AttributeValue | ||
- ObjectClass | ||
- SubjectLogonId | ||
- DSName | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log | ||
source: XmlWinEventLog:Security | ||
sourcetype: xmlwineventlog |
79 changes: 79 additions & 0 deletions
79
detections/application/windows_ad_domain_root_acl_modification.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
name: Windows AD Domain Root ACL Modification | ||
id: 4981e2db-1372-440d-816e-3e7e2ed74433 | ||
version: 1 | ||
date: '2023-11-11' | ||
author: Dean Luxton | ||
status: production | ||
type: TTP | ||
data_source: | ||
- Windows Security 5136 | ||
description: ACL modification performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source device during triage. | ||
search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS | ||
| eval old_value=if(OperationType=="%%14675",AttributeValue,null), new_value=if(OperationType=="%%14674",AttributeValue,null) | ||
| stats min(_time) as _time values(old_value) as old_value values(new_value) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | ||
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)" | ||
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)" | ||
| mvexpand new_ace | ||
| where NOT new_ace IN (old_values) | ||
| rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);;(?P<aceSid>.*?)$" | ||
| rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})" | ||
| rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})" | ||
| lookup ace_control_access_rights_lookup.csv control_access_rights_guid as aceObjectGuid OUTPUT control_access_rights_value as ControlAccessRights | ||
| lookup ace_access_rights_lookup.csv access_rights_string as AccessRights OUTPUT access_rights_value | ||
| lookup ace_type_lookup.csv ace_type_string as aceType OUTPUT ace_type_value | ||
| lookup ace_flag_lookup.csv flag_string as aceFlags OUTPUT flag_value as ace_flag_value | ||
``` Optional SID resolution lookups | ||
| lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user | ||
| lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | ||
| eval aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",'access_rights_value'), aceType=ace_type_value, aceFlags=coalesce(ace_flag_value,"This object only"), aceControlAccessRights=ControlAccessRights, user=coalesce(user, group, aceSid) | ||
| stats values(user) as user values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace by _time ObjectClass ObjectDN src_user SubjectLogonId aceSid OpCorrelationID | ||
| `windows_ad_domain_root_acl_modification_filter`' | ||
how_to_implement: See link in references for how to configure logging for these eventcodes. Include lookups for SID resolution if evt_resolve_ad_obj is set to 0. | ||
known_false_positives: Unknown | ||
references: | ||
- https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings | ||
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb | ||
- https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a | ||
tags: | ||
analytic_story: | ||
- Sneaky Active Directory Persistence Tricks | ||
asset_type: Endpoint | ||
confidence: 100 | ||
impact: 100 | ||
message: $src_user$ has granted $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$ | ||
mitre_attack_id: | ||
- T1484 | ||
- T1222 | ||
- T1222.001 | ||
observable: | ||
- name: user | ||
type: User | ||
role: | ||
- Victim | ||
- name: src_user | ||
type: User | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
risk_score: 100 | ||
required_fields: | ||
- _time | ||
- OperationType | ||
- ObjectDN | ||
- OpCorrelationID | ||
- src_user | ||
- AttributeLDAPDisplayName | ||
- AttributeValue | ||
- ObjectClass | ||
- SubjectLogonId | ||
- DSName | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log | ||
source: XmlWinEventLog:Security | ||
sourcetype: xmlwineventlog |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
access_rights_string,access_rights_value | ||
RC,Read permissions | ||
SD,Delete | ||
WD,Modify permissions | ||
WO,Modiy owner | ||
RP,Read all properties | ||
WP,Write all properties | ||
CC,Create all child objects | ||
DC,Delete all child objects | ||
LC,List contents | ||
SW,All validated writes | ||
LO,List objects | ||
DT,Delete subtree | ||
CR,All extended rights |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
description: A lookup file that will contain translations for AD object ace access rights strings | ||
filename: ace_access_rights_lookup.csv | ||
name: ace_access_rights_lookup |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
control_access_rights_value,control_access_rights_guid | ||
Abandon-Replication,ee914b82-0a98-11d1-adbb-00c04fd8d5cd | ||
Add-GUID,440820ad-65b4-11d1-a3da-0000f875ae0d | ||
Allocate-Rids,1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd | ||
Allowed-To-Authenticate,68b1d179-0d15-4d4f-ab71-46152e79a7bc | ||
Apply-Group-Policy,edacfd8f-ffb3-11d1-b41d-00a0c968f939 | ||
Certificate-Enrollment,0e10c968-78fb-11d2-90d4-00c04f79dc55 | ||
Certificate-AutoEnrollment,a05b8cc2-17bc-4802-a710-e7c15ab866a2 | ||
Change-Domain-Master,014bf69c-7b3b-11d1-85f6-08002be74fab | ||
Change-Infrastructure-Master,cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd | ||
Change-PDC,bae50096-4752-11d1-9052-00c04fc2d4cf | ||
Change-Rid-Master,d58d5f36-0a98-11d1-adbb-00c04fd8d5cd | ||
Change-Schema-Master,e12b56b6-0a95-11d1-adbb-00c04fd8d5cd | ||
Create-Inbound-Forest-Trust,e2a36dc9-ae17-47c3-b58b-be34c55ba633 | ||
Do-Garbage-Collection,fec364e0-0a98-11d1-adbb-00c04fd8d5cd | ||
Domain-Administer-Server,ab721a52-1e2f-11d0-9819-00aa0040529b | ||
DS-Check-Stale-Phantoms,69ae6200-7f46-11d2-b9ad-00c04f79f805 | ||
DS-Execute-Intentions-Script,2f16c4a5-b98e-432c-952a-cb388ba33f2e | ||
DS-Install-Replica,9923a32a-3607-11d2-b9be-0000f87a36b2 | ||
DS-Query-Self-Quota,4ecc03fe-ffc0-4947-b630-eb672a8a9dbc | ||
DS-Replication-Get-Changes,1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 | ||
DS-Replication-Get-Changes-All,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 | ||
DS-Replication-Get-Changes-In-Filtered-Set,89e95b76-444d-4c62-991a-0facbeda640c | ||
DS-Replication-Manage-Topology,1131f6ac-9c07-11d1-f79f-00c04fc2dcd2 | ||
DS-Replication-Monitor-Topology,f98340fb-7c5b-4cdb-a00b-2ebdfa115a96 | ||
DS-Replication-Synchronize,1131f6ab-9c07-11d1-f79f-00c04fc2dcd2 | ||
Enable-Per-User-Reversibly-Encrypted-Password,05c74c5e-4deb-43b4-bd9f-86664c2a7fd5 | ||
Generate-RSoP-Logging,b7b1b3de-ab09-4242-9e30-9980e5d322f7 | ||
Generate-RSoP-Planning,b7b1b3dd-ab09-4242-9e30-9980e5d322f7 | ||
Manage-Optional-Features,7c0e2a7c-a419-48e4-a995-10180aad54dd | ||
Migrate-SID-History,ba33815a-4f93-4c76-87f3-57574bff8109 | ||
msmq-Open-Connector,b4e60130-df3f-11d1-9c86-006008764d0e | ||
msmq-Peek,06bd3201-df3e-11d1-9c86-006008764d0e | ||
msmq-Peek-computer-Journal,4b6e08c3-df3c-11d1-9c86-006008764d0e | ||
msmq-Peek-Dead-Letter,4b6e08c1-df3c-11d1-9c86-006008764d0e | ||
msmq-Receive,06bd3200-df3e-11d1-9c86-006008764d0e | ||
msmq-Receive-computer-Journal,4b6e08c2-df3c-11d1-9c86-006008764d0e | ||
msmq-Receive-Dead-Letter,4b6e08c0-df3c-11d1-9c86-006008764d0e | ||
msmq-Receive-journal,06bd3203-df3e-11d1-9c86-006008764d0e | ||
msmq-Send,06bd3202-df3e-11d1-9c86-006008764d0e | ||
Open-Address-Book,a1990816-4298-11d1-ade2-00c04fd8d5cd | ||
Read-Only-Replication-Secret-Synchronization,1131f6ae-9c07-11d1-f79f-00c04fc2dcd2 | ||
Reanimate-Tombstones,45ec5156-db7e-47bb-b53f-dbeb2d03c40f | ||
Recalculate-Hierarchy,0bc1554e-0a99-11d1-adbb-00c04fd8d5cd | ||
Recalculate-Security-Inheritance,62dd28a8-7f46-11d2-b9ad-00c04f79f805 | ||
Receive-As,ab721a56-1e2f-11d0-9819-00aa0040529b | ||
Refresh-Group-Cache,9432c620-033c-4db7-8b58-14ef6d0bf477 | ||
Reload-SSL-Certificate,1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8 | ||
Run-Protect_Admin_Groups-Task,7726b9d5-a4b4-4288-a6b2-dce952e80a7f | ||
SAM-Enumerate-Entire-Domain,91d67418-0135-4acc-8d79-c08e857cfbec | ||
Send-As,ab721a54-1e2f-11d0-9819-00aa0040529b | ||
Send-To,ab721a55-1e2f-11d0-9819-00aa0040529b | ||
Unexpire-Password,ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501 | ||
Update-Password-Not-Required-Bit,280f369c-67c7-438e-ae98-1d46f3c6f541 | ||
Update-Schema-Cache,be2bb760-7f46-11d2-b9ad-00c04f79f805 | ||
User-Change-Password,ab721a53-1e2f-11d0-9819-00aa0040529b | ||
User-Force-Change-Password,00299570-246d-11d0-a768-00aa006e0529 | ||
DS-Clone-Domain-Controller,3e0f7e18-2c7a-4c10-ba82-4d926db99a3e | ||
DS-Read-Partition-Secrets,084c93a2-620d-4879-a836-f0ae47de0e89 | ||
DS-Write-Partition-Secrets,94825a8d-b171-4116-8146-1e34d8f54401 | ||
DS-Set-Owner,4125c71f-7fac-4ff0-bcb7-f09a41325286 | ||
DS-Bypass-Quota,88a9933e-e5c8-4f2a-9dd7-2527416b8092 | ||
DS-Validated-Write-Computer,9b026da6-0d3c-465c-8bee-5199d7165cba |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
description: A lookup file that will contain translations for AD object ace control access rights guids | ||
filename: ace_control_access_rights_lookup.csv | ||
name: ace_control_access_rights_lookup |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
flag_string,flag_value | ||
CI,Container inherit | ||
OI,Object inherit | ||
NP,No propagate | ||
IO,Inherit only | ||
ID,Inherited | ||
SA,Audit success | ||
FA,Audit failure | ||
TP,Trust protected filter | ||
CR,Critical |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
description: A lookup file that will contain translations for AD object ace flags strings | ||
filename: ace_flag_lookup.csv | ||
name: ace_flag_lookup.yml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
ace_type_string,ace_type_value | ||
A,Access allowed | ||
D,Access denied | ||
OA,Object access allowed | ||
OD,Object access denied | ||
AU,Audit | ||
AL,Alarm | ||
OU,Object audit | ||
OL,Object alarm | ||
ML,Mandatory label | ||
XA,Callback access allowed | ||
XD,Callback access denied | ||
RA,Resource attribute | ||
SP,Scoped policy ID | ||
XU,Callback audit | ||
ZA,Callback object access allowed | ||
TL,Process trust label | ||
FL,Access filter |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
description: A lookup file that will contain translations for AD object ace type strings | ||
filename: ace_type_lookup.csv | ||
name: ace_type_lookup |