Name:Windows AD Object Owner Updated id:4af01f6b-d8d4-4f96-8635-758a01557130 version:3 date:2024-09-30 author:Dean Luxton status:production type:TTP Description:AD Object Owner Updated. The owner provides Full control level privileges over the target AD Object. This event has significant impact alone and is also a precursor activity for hiding an AD object. Data_source:
-Windows Security 5136
search:`wineventlog_security` EventCode=5136 | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId DSName | rex field=old_value "O:(?P<old_owner>.*?)G:" | rex field=new_value "O:(?P<new_owner>.*?)G:" | where old_owner!=new_owner ``` optional SID resolution lookups | lookup identity_lookup_expanded objectSid as new_owner OUTPUT downLevelDomainName as new_owner_user | lookup admon_groups_def objectSid as new_owner OUTPUT cn as new_owner_group | lookup identity_lookup_expanded objectSid as old_owner OUTPUT downLevelDomainName as old_owner_user | lookup admon_groups_def objectSid as old_owner OUTPUT cn as old_owner_group ``` | lookup builtin_groups_lookup builtin_group_string as new_owner_group OUTPUT builtin_group_name as new_owner_group_builtin_group | lookup builtin_groups_lookup builtin_group_string as old_owner OUTPUT builtin_group_name as old_owner_group_builtin_group | eval user=coalesce(new_owner_user, new_owner_group, new_owner_group_builtin_group, new_owner), previousOwner=coalesce(old_owner_user, old_owner_group, old_owner_group_builtin_group, old_owner) | stats values(previousOwner) as previousOwner values(user) as user values(SubjectLogonId) as SubjectLogonId by _time ObjectClass ObjectDN src_user OpCorrelationID DSName | `windows_ad_object_owner_updated_filter`
how_to_implement:Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes and include lookups for SID resolution if evt_resolve_ad_obj is set to 0. known_false_positives:Unknown References: -https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings -https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb -https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a -https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: name:'View the detection results for - "$user$" and "$src_user$"' search:'%original_detection_search% | search user = "$user$" src_user = "$src_user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$" and "$src_user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Sneaky Active Directory Persistence Tricks' asset_type:Endpoint confidence:100 impact:100 message:$src_user$ has made $user$ the owner of AD object $ObjectDN$ mitre_attack_id: - 'T1484' - 'T1222' - 'T1222.001' observable: name:'user' type:'User' - role: - 'Victim' name:'src_user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:100 required_fields: - '_time' - 'OperationType' - 'ObjectDN' - 'OpCorrelationID' - 'src_user' - 'AttributeLDAPDisplayName' - 'AttributeValue' - 'ObjectClass' - 'SubjectLogonId' - 'DSName' security_domain:endpoint
