Skip to content
/ MonitorACEChanges Public

PowerShell examples to monitor for ACE changes in Active Directory

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

justin-p/MonitorACEChanges

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits

2020-11-04_16-52.png

2020-11-04_16-52.png

 
 

2020-11-04_17-08.png

2020-11-04_17-08.png

 
 

2020-11-04_22-23.png

2020-11-04_22-23.png

 
 

2020-11-04_22-46.png

2020-11-04_22-46.png

 
 

GetKnownGoods.ps1

GetKnownGoods.ps1

 
 

LICENSE

LICENSE

 
 

MonitorEvents.ps1

MonitorEvents.ps1

 
 

README.md

README.md

 
 

Repository files navigation

MonitorACEChanges

Note: please test this in a test environment before applying this in production. This should be considered as Proof of Concept code. Tested on Windows Server 2019 with an 2016 forest functional level.

Due the lack of public examples on how to monitor for ACE changes in AD I created these 2 PoC's. There are probally better was to monitor this that either work or scale better, (for example using a SIEM), but this is mainly to show that if you know where to look you can collect enough data to monitor for ACE changes in Active Directory.

Example 1: Get current SDDLs

GetKnownGoods.ps1 will collect SDDL's of all the current AD Objects. This example then exports these values to a XML file.
This process could be implemented to run on a schedule to collect this data over time. Another process could be implemented that compares these results to detect malicious activity.

Example 2: Use EventID 5136 and known 'good' SDDL values to detect changes in ACE's.

After configuring Audit Directory Services Changes and a SACL whenever a change to a ACE of a AD Object is made a Event with EventID 5136 is logged. MonitorEvents.ps1 uses the data collected by previous example GetKnownGoods.ps1 as known good values. It then compares these values against triggered events to determine what changed from the previously known 'good' state.

With known good states
MonitorEvents.ps1

Without known good states MonitorEvents.ps1

Prerequisites for Example 2.

  1. Create a GPO and follow this guide to apply the 'Baseline Recommendation' at minimum.
    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

  2. Create a second GPO to enforce Advanced Auditing.
    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/Monitoring-Active-Directory-for-Signs-of-Compromise#enforcing-traditional-auditing-or-advanced-auditing

  3. Apply a SACL on the root of AD that monitors changes made to properties and permissions.
    SACL

  4. Apply GPO's to the Domain Controllers OU and reboot them.
    gpos

  5. Run GetKnownGoods.ps1. Make sure to update the paths for Export-CliXML and Import-CliXML.

License

MIT

Authors

Justin Perdok (@justin-p), Orange Cyberdefense

Contributing

Feel free to open issues, contribute and submit your Pull Requests. You can also ping me on Twitter (@JustinPerdok)

About

PowerShell examples to monitor for ACE changes in Active Directory

Topics

powershell ace activedirectory dacl

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages