adding detection for domain root ACL modification

detections/application/windows_ad_dcshadow_privileges_acl_addition.yml

@@ -0,0 +1,83 @@
+name: Windows AD DCShadow ACL Addition
+id: ae915743-1aa8-4a94-975c-8062ebc8b723
+version: 1
+date: '2023-11-10'
+author: Dean Luxton
+status: production
+type: TTP
+data_source:
+- Windows Security 5136
+description: Detect ACL modification event applying the minimum required extended rights to perform a DCShadow attack. 
+search: '`wineventlog_security` EventCode=5136 OperationType="%%14674" ObjectClass=domainDNS
+  | rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;(?P<DSInstallReplica_user>.*?)\)" 
+  | rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSReplSync_user>.*?)\)" 
+  | rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSReplManageTopology_user>.*?)\)" 
+  | mvexpand DSInstallReplica_user 
+  | eval DCShadowPermissions=if(DSInstallReplica_user=DSReplSync_user AND DSInstallReplica_user=DSReplManageTopology_user,"true","false"), permissions_applied=mvappend("DS-Install-Replica","DS-Replication-Synchronize","DS-Replication-Manage-Topology")
+  | where DCShadowPermissions="true" 
+  | stats min(_time) as _time by src_user DSInstallReplica_user permissions_applied, SubjectLogonId, DSName
+  | rename SubjectLogonId as TargetLogonId, src_user as initiator, DSInstallReplica_user as target_user
+  | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
+  | stats min(_time) as _time values(initiator) as src_user, values(DSName) as targetDomain, values(target_user) as user, values(Computer) as dest, values(permissions_applied) as permissions_applied, values(src_category) as src_category, values(src_ip) as src_ip values(LogonType) as LogonType by TargetLogonId
+  ``` uncomment to enable SID lookups as required
+  | lookup identity_lookup_expanded objectSid as user OUTPUT downLevelDomainName as translated_user
+  | lookup admon_groups_def objectSid as user OUTPUT cn as group_user
+  | eval user=if(match(user, "S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3}") AND translated_user like "%" OR group_user like "%",coalesce(translated_user,group_user),user)
+  | fields - translated_user group_user
+  ```
+  | eval comment=mvappend(if(isnull(src_ip),"Finding: Rerun search over longer time-range to locate src_ip from the captured TargetLogonId",null),if(match(user, "S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3}"),"Finding: Captured SID could not be found in A&I lookup, ensure A&I lookup is configured, also check potential group SIDs for a match",null))
+  | `windows_ad_dcshadow_acl_addition_filter`'
+how_to_implement: See link in references for how to configure logging for these eventcodes. 
+known_false_positives: Unknown
+references:
+- https://www.labofapenetrationtester.com/2018/04/dcshadow.html
+- https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1
+- https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a
+tags:
+  analytic_story:
+    - Sneaky Active Directory Persistence Tricks
+  asset_type: Endpoint
+  confidence: 100
+  impact: 100
+  message: $targetDomain$ ACL modification Event Initiated by $src_user$ applying $user$ the minimum required extended rights to perform a DCShadow attack. 
+  mitre_attack_id:
+  - T1484
+  - T1207
+  observable:
+    - name: user
+      type: User
+      role:
+        - Victim
+    - name: src_user
+      type: User
+      role:
+        - Victim
+    - name: dest
+      type: Hostname
+      role:
+        - Victim
+    - name: src_ip
+      type: Hostname
+      role:
+        - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 100
+  required_fields:
+    - _time
+    - OperationType
+    - src_user
+    - AttributeLDAPDisplayName
+    - AttributeValue
+    - ObjectClass
+    - SubjectLogonId
+    - DSName
+  security_domain: endpoint
+tests:
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log
+        source: XmlWinEventLog:Security
+        sourcetype: xmlwineventlog

detections/application/windows_ad_domain_root_acl_modification.yml

@@ -0,0 +1,79 @@
+name: Windows AD Domain Root ACL Modification
+id: 4981e2db-1372-440d-816e-3e7e2ed74433
+version: 1
+date: '2023-11-11'
+author: Dean Luxton
+status: production
+type: TTP
+data_source:
+- Windows Security 5136
+description: ACL modification performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source device during triage. 
+search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS 
+  | eval old_value=if(OperationType=="%%14675",AttributeValue,null), new_value=if(OperationType=="%%14674",AttributeValue,null) 
+  | stats min(_time) as _time values(old_value) as old_value values(new_value) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId 
+  | rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)" 
+  | rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)" 
+  | mvexpand new_ace
+  | where NOT new_ace IN (old_values) 
+  | rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);;(?P<aceSid>.*?)$"
+  | rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})" 
+  | rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})" 
+  | lookup ace_control_access_rights_lookup.csv control_access_rights_guid as aceObjectGuid OUTPUT control_access_rights_value as ControlAccessRights
+  | lookup ace_access_rights_lookup.csv access_rights_string as AccessRights OUTPUT access_rights_value 
+  | lookup ace_type_lookup.csv ace_type_string as aceType OUTPUT ace_type_value 
+  | lookup ace_flag_lookup.csv flag_string as aceFlags OUTPUT flag_value as ace_flag_value
+  ``` Optional SID resolution lookups
+  | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user 
+  | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ```
+  | eval aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",'access_rights_value'), aceType=ace_type_value, aceFlags=coalesce(ace_flag_value,"This object only"), aceControlAccessRights=ControlAccessRights, user=coalesce(user, group, aceSid)
+  | stats values(user) as user values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace by _time ObjectClass ObjectDN src_user SubjectLogonId aceSid OpCorrelationID 
+  | `windows_ad_domain_root_acl_modification_filter`'
+how_to_implement: See link in references for how to configure logging for these eventcodes. Include lookups for SID resolution if evt_resolve_ad_obj is set to 0. 
+known_false_positives: Unknown
+references:
+- https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
+- https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a
+tags:
+  analytic_story:
+    - Sneaky Active Directory Persistence Tricks
+  asset_type: Endpoint
+  confidence: 100
+  impact: 100
+  message: $src_user$ has granted $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$
+  mitre_attack_id:
+  - T1484
+  - T1222
+  - T1222.001
+  observable:
+    - name: user
+      type: User
+      role:
+        - Victim
+    - name: src_user
+      type: User
+      role:
+        - Victim
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  risk_score: 100
+  required_fields:
+    - _time
+    - OperationType
+    - ObjectDN
+    - OpCorrelationID
+    - src_user
+    - AttributeLDAPDisplayName
+    - AttributeValue
+    - ObjectClass
+    - SubjectLogonId
+    - DSName
+  security_domain: endpoint
+tests:
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log
+        source: XmlWinEventLog:Security
+        sourcetype: xmlwineventlog

detections/endpoint/windows_ad_domain_replication_acl_addition.yml

@@ -14,17 +14,25 @@ description:
   - DS-Replication-Get-Changes-All
   Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set.
   By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
-search: '`wineventlog_security` EventCode=5136
-  | rex field=AttributeValue max_match=10000 "OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSRGetChanges_user_sid>S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3})\)"
-  | rex field=AttributeValue max_match=10000 "OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSRGetChangesAll_user_sid>S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3})\)"
-  | rex field=AttributeValue max_match=10000 "OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?P<DSRGetChangesFiltered_user_sid>S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3})\)"
-  | table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid
-  | mvexpand DSRGetChanges_user_sid
-  | eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,"true","false"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,"true","false")
-  | where minDCSyncPermissions="true"
-  | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user
-  | rename DSRGetChanges_user_sid as userSid
-  | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet
+search: '`wineventlog_security` EventCode=5136 OperationType="%%14674" ObjectClass=domainDNS 
+  | rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSRGetChanges_user>(S-1-[ 0-59]-|\w+\\\).*?)\)"
+  | rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;(?P<DSRGetChangesAll_user>(S-1-[ 0-59]-|\w+\\\).*?)\)"
+  | rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?P<DSRGetChangesFiltered_user>(S-1-[ 0-59]-|\w+\\\).*?)\)"
+  | mvexpand DSRGetChanges_user
+  | eval minDCSyncPermissions=if(DSRGetChanges_user=DSRGetChangesAll_user,"true","false"), fullSet=if(DSRGetChanges_user=DSRGetChangesAll_user AND DSRGetChanges_user=DSRGetChangesFiltered_user,"true","false")
+  | where minDCSyncPermissions="true" 
+  | eval permissions_applied=mvappend(if(DSRGetChanges_user like "%","DS-Replication-Get-Changes",null),if(DSRGetChanges_user=DSRGetChangesAll_user,"DS-Replication-Get-Changes-All",null), if(DSRGetChanges_user=DSRGetChangesFiltered_user,"DS-Replication-Get-Changes-In-Filtered-Set",null))
+  | stats min(_time) as _time by src_user DSRGetChanges_user permissions_applied, SubjectLogonId, DSName
+  | rename SubjectLogonId as TargetLogonId, src_user as initiator, DSRGetChanges_user as target_user
+  | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
+  | stats min(_time) as _time values(initiator) as src_user, values(DSName) as targetDomain, values(target_user) as user, values(Computer) as dest, values(permissions_applied) as permissions_applied, values(src_category) as src_category, values(src_ip) as src_ip values(LogonType) as LogonType by TargetLogonId
+  ``` uncomment to enable SID lookups as required
+  | lookup identity_lookup_expanded objectSid as user OUTPUT downLevelDomainName as translated_user
+  | lookup admon_groups_def objectSid as user OUTPUT cn as group_user
+  | eval user=if(match(user, "S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3}") AND translated_user like "%" OR group_user like "%",coalesce(translated_user,group_user),user)
+  | fields - translated_user group_user
+  ```
+  | eval comment=mvappend(if(isnull(src_ip),"Finding: Rerun search over longer time-range to locate src_ip from the captured TargetLogonId",null),if(match(user, "S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3}"),"Finding: Captured SID could not be found in A&I lookup, ensure A&I lookup is configured, also check potential group SIDs for a match",null))
   | `windows_ad_domain_replication_acl_addition_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting
   `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to  `Write All Properties`
@@ -55,21 +63,19 @@ tags:
       type: User
       role:
         - Victim
-    - name: dest
-      type: Hostname
-      role:
-        - Victim
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
     - Splunk Cloud
   required_fields:
     - _time
-    - dest
+    - OperationType
     - src_user
     - AttributeLDAPDisplayName
     - AttributeValue
     - ObjectClass
+    - SubjectLogonId
+    - DSName
   risk_score: 80
   security_domain: endpoint
   manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.

dist/DA-ESS-ContentUpdate/default/transforms.conf

@@ -47,6 +47,22 @@ case_sensitive_match = false
 # description = An MLTK model for detecting malicious commandlines
 min_matches = 1
 
+[ace_access_rights_lookup]
+filename = ace_access_rights_lookup.csv
+# description = A lookup file that will contain translations for AD object ace access rights strings
+
+[ace_control_access_rights_lookup]
+filename = ace_control_access_rights_lookup.csv
+# description = A lookup file that will contain translations for AD object ace control access rights guids
+
+[ace_flag_lookup]
+filename = ace_flag_lookup.csv
+# description = A lookup file that will contain translations for AD object ace flags strings
+
+[ace_type_lookup]
+filename = ace_type_lookup.csv
+# description = A lookup file that will contain translations for AD object ace type strings
+
 [advanced_audit_policy_guids]
 filename = advanced_audit_policy_guids.csv
 default_match = false

lookups/ace_access_rights_lookup.csv

@@ -0,0 +1,14 @@
+access_rights_string,access_rights_value
+RC,Read permissions
+SD,Delete
+WD,Modify permissions
+WO,Modiy owner
+RP,Read all properties
+WP,Write all properties
+CC,Create all child objects
+DC,Delete all child objects
+LC,List contents
+SW,All validated writes
+LO,List objects
+DT,Delete subtree
+CR,All extended rights

lookups/ace_access_rights_lookup.yml

@@ -0,0 +1,3 @@
+description: A lookup file that will contain translations for AD object ace access rights strings
+filename: ace_access_rights_lookup.csv
+name: ace_access_rights_lookup

lookups/ace_control_access_rights_lookup.csv

@@ -0,0 +1,63 @@
+control_access_rights_value,control_access_rights_guid
+Abandon-Replication,ee914b82-0a98-11d1-adbb-00c04fd8d5cd
+Add-GUID,440820ad-65b4-11d1-a3da-0000f875ae0d
+Allocate-Rids,1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd
+Allowed-To-Authenticate,68b1d179-0d15-4d4f-ab71-46152e79a7bc
+Apply-Group-Policy,edacfd8f-ffb3-11d1-b41d-00a0c968f939
+Certificate-Enrollment,0e10c968-78fb-11d2-90d4-00c04f79dc55
+Certificate-AutoEnrollment,a05b8cc2-17bc-4802-a710-e7c15ab866a2
+Change-Domain-Master,014bf69c-7b3b-11d1-85f6-08002be74fab
+Change-Infrastructure-Master,cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd
+Change-PDC,bae50096-4752-11d1-9052-00c04fc2d4cf
+Change-Rid-Master,d58d5f36-0a98-11d1-adbb-00c04fd8d5cd
+Change-Schema-Master,e12b56b6-0a95-11d1-adbb-00c04fd8d5cd
+Create-Inbound-Forest-Trust,e2a36dc9-ae17-47c3-b58b-be34c55ba633
+Do-Garbage-Collection,fec364e0-0a98-11d1-adbb-00c04fd8d5cd
+Domain-Administer-Server,ab721a52-1e2f-11d0-9819-00aa0040529b
+DS-Check-Stale-Phantoms,69ae6200-7f46-11d2-b9ad-00c04f79f805
+DS-Execute-Intentions-Script,2f16c4a5-b98e-432c-952a-cb388ba33f2e
+DS-Install-Replica,9923a32a-3607-11d2-b9be-0000f87a36b2
+DS-Query-Self-Quota,4ecc03fe-ffc0-4947-b630-eb672a8a9dbc
+DS-Replication-Get-Changes,1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
+DS-Replication-Get-Changes-All,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
+DS-Replication-Get-Changes-In-Filtered-Set,89e95b76-444d-4c62-991a-0facbeda640c
+DS-Replication-Manage-Topology,1131f6ac-9c07-11d1-f79f-00c04fc2dcd2
+DS-Replication-Monitor-Topology,f98340fb-7c5b-4cdb-a00b-2ebdfa115a96
+DS-Replication-Synchronize,1131f6ab-9c07-11d1-f79f-00c04fc2dcd2
+Enable-Per-User-Reversibly-Encrypted-Password,05c74c5e-4deb-43b4-bd9f-86664c2a7fd5
+Generate-RSoP-Logging,b7b1b3de-ab09-4242-9e30-9980e5d322f7
+Generate-RSoP-Planning,b7b1b3dd-ab09-4242-9e30-9980e5d322f7
+Manage-Optional-Features,7c0e2a7c-a419-48e4-a995-10180aad54dd
+Migrate-SID-History,ba33815a-4f93-4c76-87f3-57574bff8109
+msmq-Open-Connector,b4e60130-df3f-11d1-9c86-006008764d0e
+msmq-Peek,06bd3201-df3e-11d1-9c86-006008764d0e
+msmq-Peek-computer-Journal,4b6e08c3-df3c-11d1-9c86-006008764d0e
+msmq-Peek-Dead-Letter,4b6e08c1-df3c-11d1-9c86-006008764d0e
+msmq-Receive,06bd3200-df3e-11d1-9c86-006008764d0e
+msmq-Receive-computer-Journal,4b6e08c2-df3c-11d1-9c86-006008764d0e
+msmq-Receive-Dead-Letter,4b6e08c0-df3c-11d1-9c86-006008764d0e
+msmq-Receive-journal,06bd3203-df3e-11d1-9c86-006008764d0e
+msmq-Send,06bd3202-df3e-11d1-9c86-006008764d0e
+Open-Address-Book,a1990816-4298-11d1-ade2-00c04fd8d5cd
+Read-Only-Replication-Secret-Synchronization,1131f6ae-9c07-11d1-f79f-00c04fc2dcd2
+Reanimate-Tombstones,45ec5156-db7e-47bb-b53f-dbeb2d03c40f
+Recalculate-Hierarchy,0bc1554e-0a99-11d1-adbb-00c04fd8d5cd
+Recalculate-Security-Inheritance,62dd28a8-7f46-11d2-b9ad-00c04f79f805
+Receive-As,ab721a56-1e2f-11d0-9819-00aa0040529b
+Refresh-Group-Cache,9432c620-033c-4db7-8b58-14ef6d0bf477
+Reload-SSL-Certificate,1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8
+Run-Protect_Admin_Groups-Task,7726b9d5-a4b4-4288-a6b2-dce952e80a7f
+SAM-Enumerate-Entire-Domain,91d67418-0135-4acc-8d79-c08e857cfbec
+Send-As,ab721a54-1e2f-11d0-9819-00aa0040529b
+Send-To,ab721a55-1e2f-11d0-9819-00aa0040529b
+Unexpire-Password,ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501
+Update-Password-Not-Required-Bit,280f369c-67c7-438e-ae98-1d46f3c6f541
+Update-Schema-Cache,be2bb760-7f46-11d2-b9ad-00c04f79f805
+User-Change-Password,ab721a53-1e2f-11d0-9819-00aa0040529b
+User-Force-Change-Password,00299570-246d-11d0-a768-00aa006e0529
+DS-Clone-Domain-Controller,3e0f7e18-2c7a-4c10-ba82-4d926db99a3e
+DS-Read-Partition-Secrets,084c93a2-620d-4879-a836-f0ae47de0e89
+DS-Write-Partition-Secrets,94825a8d-b171-4116-8146-1e34d8f54401
+DS-Set-Owner,4125c71f-7fac-4ff0-bcb7-f09a41325286
+DS-Bypass-Quota,88a9933e-e5c8-4f2a-9dd7-2527416b8092
+DS-Validated-Write-Computer,9b026da6-0d3c-465c-8bee-5199d7165cba

lookups/ace_control_access_rights_lookup.yml

@@ -0,0 +1,3 @@
+description: A lookup file that will contain translations for AD object ace control access rights guids
+filename: ace_control_access_rights_lookup.csv
+name: ace_control_access_rights_lookup

lookups/ace_flag_lookup.csv

@@ -0,0 +1,10 @@
+flag_string,flag_value
+CI,Container inherit
+OI,Object inherit
+NP,No propagate
+IO,Inherit only
+ID,Inherited
+SA,Audit success
+FA,Audit failure
+TP,Trust protected filter
+CR,Critical

lookups/ace_flag_lookup.yml

@@ -0,0 +1,3 @@
+description: A lookup file that will contain translations for AD object ace flags strings
+filename: ace_flag_lookup.csv
+name: ace_flag_lookup.yml

lookups/ace_type_lookup.csv

@@ -0,0 +1,18 @@
+ace_type_string,ace_type_value
+A,Access allowed
+D,Access denied
+OA,Object access allowed
+OD,Object access denied
+AU,Audit
+AL,Alarm
+OU,Object audit
+OL,Object alarm
+ML,Mandatory label
+XA,Callback access allowed
+XD,Callback access denied
+RA,Resource attribute
+SP,Scoped policy ID
+XU,Callback audit
+ZA,Callback object access allowed
+TL,Process trust label
+FL,Access filter

lookups/ace_type_lookup.yml

@@ -0,0 +1,3 @@
+description: A lookup file that will contain translations for AD object ace type strings
+filename: ace_type_lookup.csv
+name: ace_type_lookup