
Commit

updating yaml
dluxtron committed Jun 26, 2024
1 parent de74f1d commit e13f2f9
Showing 2 changed files with 7 additions and 5 deletions.
7 changes: 4 additions & 3 deletions detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
Expand Up @@ -2,7 +2,7 @@ name: Windows AD AdminSDHolder ACL Modified
id: 00d877c3-7b7b-443d-9562-6b231e2abab9
version: 1
date: '2022-11-15'
author: Mauricio Velazco, Splunk
author: Mauricio Velazco, Dean Luxton, Splunk
type: TTP
status: production
data_source:
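Review bot: `version: 1` and `date: '2022-11-15'` are left untouched while the author list gains Dean Luxton and the `search` scalar is rewritten further down in this file; if this counts as a revision of the detection, bump `version` and update `date` in the same commit so downstream consumers can tell the two definitions apart, and if it is intentionally a metadata-only change, say so in the commit message (the current "updating yaml" does not).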
Expand All @@ -13,7 +13,8 @@ description: The following analytic identifies the modification of the Access Co
match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object
Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder
ACL to establish persistence and allow an unprivileged user to take control of a domain.
search: ' `wineventlog_security` EventCode=5136 ObjectClass=container ObjectDN="CN=AdminSDHolder,CN=System*"
search: >-
`wineventlog_security` EventCode=5136 ObjectClass=container ObjectDN="CN=AdminSDHolder,CN=System*"
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
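Review bot: moving `search` from a `'...'` scalar to a `>-` block is the right call given what follows: the eval later in this file references `'aceControlAccessRights'` with single quotes, which inside a single-quoted YAML scalar would have to be doubled, and the rex patterns such as `"\((?P<old_values>.*?)\)"` keep their backslashes literal in a block scalar. One thing worth tightening while here: the base search `EventCode=5136 ObjectClass=container ObjectDN="CN=AdminSDHolder,CN=System*"` also pulls 5136 events for non-ACL attribute writes on the container, so adding `AttributeLDAPDisplayName=nTSecurityDescriptor` before the `stats` would cut that volume, assuming the TA exposes that field alongside the `AttributeValue` and `OperationType` fields the search already uses.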
Expand All @@ -34,7 +35,7 @@ search: ' `wineventlog_security` EventCode=5136 ObjectClass=container ObjectDN="
| stats min(_time) as _time values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user user
| eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
| search NOT aceType IN (*denied*,D,OD,XD) AND aceAccessRights IN ("Full control","All extended rights","All validated writes","Create all child objects","Delete all child objects","Delete subtree","Delete","Modify permissions","Modify owner","Write all properties",CC,CR,DC,DT,SD,SW,WD,WO,WP)
| `windows_ad_adminsdholder_acl_modified_filter`'
| `windows_ad_adminsdholder_acl_modified_filter`
how_to_implement: To successfully implement this search, you ned to be ingesting eventcode
`5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes`
within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications.
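Review bot: `you ned to be ingesting` in `how_to_implement` should read `you need to be ingesting`. Since this file is being touched anyway, the sentence "a SACL needs to be created for the AdminSDHolder object" should also state which access the SACL audits and for which principal, as the sibling detection in this same commit does ("a SACL for `everybody` to `Write All Properties`"); as written, operators have to guess what to configure before any 5136 event for this object is ever logged.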
Expand Up @@ -14,7 +14,8 @@ description:
- DS-Replication-Get-Changes-All
Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set.
By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS
search: >-
`wineventlog_security` EventCode=5136 ObjectClass=domainDNS
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
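Review bot: the description says the alert "identifies where this trifecta has been met", but the final `search` stage of this detection only tests `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All` (by name or GUID) and never references `DS-Replication-Get-Changes-In-Filtered-Set`, so the third right is not evaluated at all; reword this to say the detection fires whenever the two base rights are granted together, whether or not the filtered-set right is added alongside them. Minor: `Powerview` should be spelled `PowerView`.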
Expand All @@ -35,7 +36,7 @@ search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS
| eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid)
| stats min(_time) as _time values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user user
| search (aceControlAccessRights="DS-Replication-Get-Changes" AND aceControlAccessRights="DS-Replication-Get-Changes-All") OR (aceControlAccessRights="1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" AND aceControlAccessRights="1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
| `windows_ad_domain_replication_acl_addition_filter`'
| `windows_ad_domain_replication_acl_addition_filter`
how_to_implement: To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting
`Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties`
applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing
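Review bot: the final condition requires both rights to appear in the same form, either both as names or both as GUIDs. Because `aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid)` resolves each ACE independently, an event in which one GUID resolved to a name and the other did not matches neither branch and is silently dropped. Matching each right against either form closes that gap, e.g. `| search aceControlAccessRights IN ("DS-Replication-Get-Changes","1131f6aa-9c07-11d1-f79f-00c04fc2dcd2") AND aceControlAccessRights IN ("DS-Replication-Get-Changes-All","1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")`, which relies on the same any-value multivalue matching the existing `AND` already depends on.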