detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
Lines changed: 4 additions & 3 deletions
@@ -2,7 +2,7 @@ name: Windows AD AdminSDHolder ACL Modified
2
2
id: 00d877c3-7b7b-443d-9562-6b231e2abab9
3
3
version: 1
4
4
date: '2022-11-15'
5
-
author: Mauricio Velazco, Splunk
5
+
author: Mauricio Velazco, Dean Luxton, Splunk
6
6
type: TTP
7
7
status: production
8
8
data_source:
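Review bot: the `author` line is the only change in this hunk, while `version: 1` and `date: '2022-11-15'` stay as they are; since the search body of this detection is also corrected further down in the same commit, bump `version` to 2 and update `date` so consumers of the content pack can tell the fixed detection apart from the original.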
@@ -13,7 +13,8 @@ description: The following analytic identifies the modification of the Access Co
13
13
match the AdminSDHolder ACL are flagged for updating. The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object
14
14
Access Control List (ACL) with the security permissions set on the AdminSDHolder. An adversary who has obtained privileged access to a Windows Domain may modify the AdminSDHolder
15
15
ACL to establish persistence and allow an unprivileged user to take control of a domain.
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
18
19
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
19
20
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
| stats min(_time) as _time values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user user
35
36
| eval aceControlAccessRights=if(mvcount(aceControlAccessRights)=1 AND aceControlAccessRights="","All rights",'aceControlAccessRights')
36
37
| search NOT aceType IN (*denied*,D,OD,XD) AND aceAccessRights IN ("Full control","All extended rights","All validated writes","Create all child objects","Delete all child objects","Delete subtree","Delete","Modify permissions","Modify owner","Write all properties",CC,CR,DC,DT,SD,SW,WD,WO,WP)
37
-
| `windows_ad_adminsdholder_acl_modified_filter`'
38
+
| `windows_ad_adminsdholder_acl_modified_filter`
38
39
how_to_implement: To successfully implement this search, you ned to be ingesting eventcode
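Review bot: the removed line ends in a dangling `'` after `` `windows_ad_adminsdholder_acl_modified_filter` `` that is not part of the macro call and would either unbalance the quoting of the `search` value when the YAML is loaded or be passed into SPL as a stray quote; the `+` line drops it, which is the right fix. Two items in the surrounding context are worth picking up while this file is open: the alias `values(aceFlags) as aceFlags(inheritance)` puts parentheses into a field name, which is awkward to reference later in the pipeline, so prefer a plain name such as `aceFlags_inheritance` or quote the alias; and the `how_to_implement` text reads "you ned to be ingesting", which should be "need".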
detections/endpoint/windows_ad_domain_replication_acl_addition.yml
Lines changed: 3 additions & 2 deletions
@@ -14,7 +14,8 @@ description:
14
14
- DS-Replication-Get-Changes-All
15
15
Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set.
16
16
By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
19
20
| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
20
21
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
| stats min(_time) as _time values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user user
37
38
| search (aceControlAccessRights="DS-Replication-Get-Changes" AND aceControlAccessRights="DS-Replication-Get-Changes-All") OR (aceControlAccessRights="1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" AND aceControlAccessRights="1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
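Review bot: the final `search` keeps any ACE that carries both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (by name or by the matching GUIDs), but unlike the AdminSDHolder detection in this same commit it does not exclude deny ACEs (`NOT aceType IN (*denied*,D,OD,XD)`), so an Access Denied ACE listing both rights would fire as if it granted DCSync; either add the same exclusion here or state in `description` that deny ACEs are alerted on deliberately. Minor: the description in the context lines spells the tool "Powerview"; the project is named PowerView.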