/
windows_ad_domain_replication_acl_addition.yml
70 lines (70 loc) · 4.02 KB
/
windows_ad_domain_replication_acl_addition.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
name: Windows AD Domain Replication ACL Addition
id: 8c372853-f459-4995-afdc-280c114d33ab
version: 1
date: "2022-11-18"
author: Dean Luxton
type: TTP
status: experimental
data_source: []
description:
The following analytic detects the addition of the permissions necessary to perform a DCSync attack.
In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain.
- DS-Replication-Get-Changes
- DS-Replication-Get-Changes-All
Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set.
By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
search: '`wineventlog_security` | rex field=AttributeValue max_match=10000 \"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?P<DSRGetChangesFiltered_user_sid>S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)\"| table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid| mvexpand DSRGetChanges_user_sid| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\"true\",\"false\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\"true\",\"false\")| where minDCSyncPermissions=\"true\" | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user | rename DSRGetChanges_user_sid as userSid | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet| `windows_ad_domain_replication_acl_addition_filter`'
how_to_implement:
To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting
`Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties`
applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing
accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username.
Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects.
known_false_positives:
When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components.
If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
- https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
tags:
analytic_story:
- Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
confidence: 80
impact: 100
message: $src_user$ has granted $user$ permission to replicate AD objects
mitre_attack_id:
- T1484
observable:
- name: user
type: User
role:
- Victim
- name: src_user
type: User
role:
- Victim
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- dest
- src_user
- AttributeLDAPDisplayName
- AttributeValue
- ObjectClass
risk_score: 80
security_domain: endpoint
manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog