SigmaHQ · woundride · Nov 30, 2023 · Nov 30, 2023 · May 8, 2024 · May 9, 2024
diff --git a/rules/windows/builtin/dns_server/win_dns_server_dll_injection_failed.yml b/rules/windows/builtin/dns_server/win_dns_server_dll_injection_failed.yml
@@ -0,0 +1,29 @@
+title: Remote DLL injection failed on DNS server
+id: b1a0f90c-cde2-4aea-9535-d2cbd9f87236
+description: Detects Remote DLL injection failed on DNS server
+kind: evtx
+status: experimental
+date: 2024/03/06
+author: Charles BLANC-ROLIN @woundride
+references:
+    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise
+    - https://phackt.com/dnsadmins-group-exploitation-write-permissions
+    - https://attack.mitre.org/techniques/T1055/
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1055.001
+logsource:
+    product: windows
+    service: dns-server
+detection:
+    selection: 
+        EventID: 150
+        param1|startwith:
+            - '\\'
+        param1|endswith:
+            - '.dll'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
diff --git a/rules/windows/builtin/security/win_security_ad_container_writedac.yml b/rules/windows/builtin/security/win_security_ad_container_writedac.yml
@@ -0,0 +1,29 @@
+title: AD Container WriteDAC
+id: 57bc5954-f99b-44b5-a5e9-fb061e6d3532
+description: Detects WRITE_DAC to Container object > possible AdminSDHolder Backdooring
+kind: evtx
+status: experimental
+date: 2023/11/30
+modified: 2024/05/09
+author: Charles BLANC-ROLIN @woundride
+references:
+    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence
+    - https://learn.microsoft.com/en-us/windows/win32/secauthz/standard-access-rights
+tags:
+    - attack.defense_evasion
+    - attack.t1222.001
+    - attack.t1098 
+logsource:
+    product: windows
+    service: security
+detection:
+    selection: 
+        EventID: 4662
+        ObjectServer: 'DS'
+        AccessMask: '0x40000'
+        ObjectType|contains:
+            - 'bf967a8b-0de6-11d0-a285-00aa003049e2'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
diff --git a/rules/windows/builtin/security/win_security_ad_container_writeowner.yml b/rules/windows/builtin/security/win_security_ad_container_writeowner.yml
@@ -0,0 +1,29 @@
+title: AD Container WriteOwner
+id: bde92e8e-e311-4bbd-bfd9-c824941d8248
+description: Detects WRITE_OWNER to Container object > possible AdminSDHolder Backdooring
+kind: evtx
+status: experimental
+date: 2023/11/30
+modified: 2024/05/09
+author: Charles BLANC-ROLIN @woundride
+references:
+    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence
+    - https://learn.microsoft.com/en-us/windows/win32/secauthz/standard-access-rights
+tags:
+    - attack.defense_evasion
+    - attack.t1222.001
+    - attack.t1098 
+logsource:
+    product: windows
+    service: security
+detection:
+    selection: 
+        EventID: 4662
+        ObjectServer: 'DS'
+        AccessMask: '0xc0000'
+        ObjectType|contains:
+            - 'bf967a8b-0de6-11d0-a285-00aa003049e2'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical