Name:Windows AD DCShadow Privileges ACL Addition id:ae915743-1aa8-4a94-975c-8062ebc8b723 version:2 date:2024-09-30 author:Dean Luxton status:production type:TTP Description:This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack. Data_source:
-Windows Security 5136
search:`wineventlog_security` EventCode=5136 ObjectClass=domainDNS | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId | rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)" | rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)" | mvexpand new_ace | where NOT new_ace IN (old_values) | rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);;(?P<aceSid>.*?)$" | search aceObjectGuid IN ("9923a32a-3607-11d2-b9be-0000f87a36b2","1131f6ab-9c07-11d1-f79f-00c04fc2dcd2","1131f6ac-9c07-11d1-f79f-00c04fc2dcd2") | rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})" | rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})" | lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights | lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value | lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value | lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value ``` Optional SID resolution lookups | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ``` | lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid) | stats min(_time) as _time values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(SubjectLogonId) as SubjectLogonId by ObjectClass ObjectDN src_user user | search (aceControlAccessRights="Add/Remove Replica In Domain" AND aceControlAccessRights="Manage Replication Topology" AND aceControlAccessRights="Replication Synchronization") OR (aceControlAccessRights="9923a32a-3607-11d2-b9be-0000f87a36b2" AND aceControlAccessRights="1131f6ab-9c07-11d1-f79f-00c04fc2dcd2" AND aceControlAccessRights="1131f6ac-9c07-11d1-f79f-00c04fc2dcd2") | `windows_ad_dcshadow_privileges_acl_addition_filter`
how_to_implement:Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. known_false_positives:Unknown References: -https://www.labofapenetrationtester.com/2018/04/dcshadow.html -https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1 -https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a -https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: name:'View the detection results for - "$user$" and "$src_user$"' search:'%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$" and "$src_user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Sneaky Active Directory Persistence Tricks' asset_type:Endpoint confidence:100 impact:100 message:ACL modification Event Initiated by $src_user$ applying $user$ the minimum required extended rights to perform a DCShadow attack. mitre_attack_id: - 'T1484' - 'T1207' - 'T1222.001' observable: name:'user' type:'User' - role: - 'Victim' name:'src_user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:100 required_fields: - '_time' - 'OperationType' - 'src_user' - 'AttributeLDAPDisplayName' - 'AttributeValue' - 'ObjectClass' - 'SubjectLogonId' - 'DSName' security_domain:endpoint
