/
windows_ad_adminsdholder_acl_modified.yml
70 lines (70 loc) · 3.58 KB
/
windows_ad_adminsdholder_acl_modified.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
name: Windows AD AdminSDHolder ACL Modified
id: 00d877c3-7b7b-443d-9562-6b231e2abab9
version: 1
date: '2022-11-15'
author: Mauricio Velazco, Splunk
type: TTP
status: production
data_source:
- Windows Event Log Security 5136
description: The following analytic identifies the modification of the Access Control List for the AdminSDHolder object within a Windows domain. Specifically, the
detection triggers on the addition of a new rule to the existing ACL. AdminSDHolder is an object located in the System Partition in Active Directory and is used as a
security template for objects that are members of certain privileged groups. Objects in these groups are enumerated and any objects with security descriptors that dont
match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object
Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder
ACL to establish persistence and allow an unprivileged user to take control of a domain.
search: ' `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor OperationType="%%14674" ObjectDN="CN=AdminSDHolder,CN=System*"
| rex field=AttributeValue max_match=10000 "A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;(?P<added_user_sid>S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)"
| stats values(added_user_sid) by _time, Computer, SubjectUserName, ObjectDN
| `windows_ad_adminsdholder_acl_modified_filter`'
how_to_implement: To successfully implement this search, you ned to be ingesting eventcode
`5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes`
within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications.
known_false_positives: Adding new users or groups to the AdminSDHolder ACL is not usual. Filter as needed
references:
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
- https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
- https://adsecurity.org/?p=1906
- https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136
- https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
- https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950
tags:
analytic_story:
- Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
confidence: 70
impact: 80
message: The AdminSDHolder domain object has been modified on $Computer$ by $SubjectUserName$
mitre_attack_id:
- T1546
observable:
- name: SubjectUserName
type: User
role:
- Attacker
- name: Computer
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- AttributeLDAPDisplayName
- OperationType
- ObjectDN
- Computer
- SubjectUserName
- AttributeValue
risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog