
Commit e13f2f9

committed
updating yaml
1 parent de74f1d commit e13f2f9


2 files changed

+7
-5
lines changed


detections/endpoint/windows_ad_adminsdholder_acl_modified.yml

Lines changed: 4 additions & 3 deletions
@@ -2,7 +2,7 @@ name: Windows AD AdminSDHolder ACL Modified
22
id: 00d877c3-7b7b-443d-9562-6b231e2abab9
33
version: 1
44
date: '2022-11-15'
5-
author: Mauricio Velazco, Splunk
5+
author: Mauricio Velazco, Dean Luxton, Splunk
66
type: TTP
77
status: production
88
data_source:
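Review bot: `version: 1` is left untouched in this hunk's context even though the commit rewrites the `search` field of this detection and changes the author line; consider bumping `version` in the same commit so consumers that key on it pick up the changed search string.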
@@ -13,7 +13,8 @@ description: The following analytic identifies the modification of the Access Co
1313
match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object
1414
Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder
1515
ACL to establish persistence and allow an unprivileged user to take control of a domain.
16-
search: ' `wineventlog_security` EventCode=5136 ObjectClass=container ObjectDN="CN=AdminSDHolder,CN=System*"
16+
search: >-
17+
`wineventlog_security` EventCode=5136 ObjectClass=container ObjectDN="CN=AdminSDHolder,CN=System*"
1718
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
1819
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
1920
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
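Review bot: the change from a single-quoted scalar to `search: >-` alters how the continuation lines are joined: in a folded block scalar every continuation line must be indented at least as far as the first content line, and any line indented further than the first keeps its own newline instead of being folded into a single space, which would put a literal newline into the SPL in front of lines such as `| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"`. Please confirm the indentation of all pipeline lines is uniform and that the parsed value differs from the old one only by the dropped leading space after the former opening quote.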
@@ -34,7 +35,7 @@ search: ' `wineventlog_security` EventCode=5136 ObjectClass=container ObjectDN="
3435
| stats min(_time) as _time values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user user
3536
| eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
3637
| search NOT aceType IN (*denied*,D,OD,XD) AND aceAccessRights IN ("Full control","All extended rights","All validated writes","Create all child objects","Delete all child objects","Delete subtree","Delete","Modify permissions","Modify owner","Write all properties",CC,CR,DC,DT,SD,SW,WD,WO,WP)
37-
| `windows_ad_adminsdholder_acl_modified_filter`'
38+
| `windows_ad_adminsdholder_acl_modified_filter`
3839
how_to_implement: To successfully implement this search, you ned to be ingesting eventcode
3940
`5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes`
4041
within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for the AdminSDHolder object in order to log modifications.
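Review bot: the unchanged context line `how_to_implement: To successfully implement this search, you ned to be ingesting eventcode` carries the typo "ned" for "need"; since this file is already being edited, fix it here rather than in a follow-up. The removal of the trailing `'` from the last pipeline line is correct, as the `>-` scalar no longer needs a closing quote.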

detections/endpoint/windows_ad_domain_replication_acl_addition.yml

Lines changed: 3 additions & 2 deletions
@@ -14,7 +14,8 @@ description:
1414
- DS-Replication-Get-Changes-All
1515
Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set.
1616
By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
17-
search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS
17+
search: >-
18+
`wineventlog_security` EventCode=5136 ObjectClass=domainDNS
1819
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
1920
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
2021
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
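Review bot: the `>-` conversion here should leave the search content byte-identical to the old quoted form, because YAML block scalars take backslashes and percent signs literally, so the `\((?P<new_ace>.*?)\)` regex escapes and the `%%14675` / `%%14674` OperationType tokens need no re-escaping; the `-` chomping indicator also strips the trailing newline so the value still ends on the last pipeline line. Worth a quick check that the YAML loader used by the build produces the same string for both files, since the same transformation is applied in two places and an indentation slip in either would be silent.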
@@ -35,7 +36,7 @@ search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS
3536
| eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid)
3637
| stats min(_time) as _time values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user user
3738
| search (aceControlAccessRights="DS-Replication-Get-Changes" AND aceControlAccessRights="DS-Replication-Get-Changes-All") OR (aceControlAccessRights="1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" AND aceControlAccessRights="1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
38-
| `windows_ad_domain_replication_acl_addition_filter`'
39+
| `windows_ad_domain_replication_acl_addition_filter`
3940
how_to_implement: To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting
4041
`Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties`
4142
applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing
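Review bot: the final filter `| search (aceControlAccessRights="DS-Replication-Get-Changes" AND aceControlAccessRights="DS-Replication-Get-Changes-All") OR (aceControlAccessRights="1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" AND aceControlAccessRights="1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")` only matches when both rights appear in the same form. Because the earlier `aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid)` resolves each ACE independently, an event where one right resolves to its name and the other falls back to its raw GUID would be missed; either normalize both to one form before the `stats`, or add the two mixed name/GUID combinations to the condition so the detection gap does not depend on lookup coverage.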
