Name:Windows AD Suspicious Attribute Modification id:5682052e-ce55-4f9f-8d28-59191420b7e0 version:2 date:2024-09-30 author:Dean Luxton status:production type:TTP Description:This detection monitors changes to the following Active Directory attributes: "msDS-AllowedToDelegateTo", "msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-KeyCredentialLink", "scriptPath", and "msTSInitialProgram". Modifications to these attributes can indicate potential malicious activity or privilege escalation attempts. Immediate investigation is recommended upon alert. Data_source:
-Windows Security 5136
search:`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName IN ("msDS-AllowedToDelegateTo","msDS-AllowedToActOnBehalfOfOtherIdentity","scriptPath","msTSInitialProgram") OperationType=%%14674 ```Changes to the attribute "msDS-KeyCredentialLink" are also worth moniroting, however tuning will need to be applied``` | table _time ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId DSName AttributeValue AttributeLDAPDisplayName | rename SubjectLogonId as TargetLogonId, src_user as initiator, _time as eventTime | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | stats min(eventTime) as _time values(initiator) as src_user, values(DSName) as targetDomain, values(ObjectDN) as ObjectDN, values(ObjectClass) as ObjectClass, values(src_category) as src_category, values(src_ip) as src_ip values(LogonType) as LogonType values(AttributeValue) as AttributeValue values(AttributeLDAPDisplayName) as AttributeLDAPDisplayName by TargetLogonId | rex field=ObjectDN "^CN=(?P<cn>.*?),[A-Z]{2}\=" | eval dest=if(ObjectClass="computer",cn,null), user=if(ObjectClass="user",cn,null) | fields - cn | `windows_ad_suspicious_attribute_modification_filter`
how_to_implement:Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes. known_false_positives:If key credentials are regularly assigned to users, these events will need to be tuned out. References: -https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a -https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: name:'View the detection results for - "$src_user$" and "$dest$"' search:'%original_detection_search% | search src_user = "$src_user$" dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src_user$" and "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Sneaky Active Directory Persistence Tricks' asset_type:Endpoint confidence:100 impact:100 message:$src_user$ has added $AttributeLDAPDisplayName$ ACL rights to $ObjectClass$ $ObjectDN$ mitre_attack_id: - 'T1550' - 'T1222' - 'T1222.001' observable: name:'src_user' type:'User' - role: - 'Victim' name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:100 required_fields: - '_time' - 'OperationType' - 'ObjectDN' - 'OpCorrelationID' - 'src_user' - 'AttributeLDAPDisplayName' - 'AttributeValue' - 'ObjectClass' - 'SubjectLogonId' - 'DSName' security_domain:endpoint
