Potential Active Directory Replication Account Backdoor

calendar Aug 9, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Credential Access Data Source: Active Directory Use Case: Active Directory Monitoring Data Source: System  ·
Share on: linkedin copy

Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/07/10"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2024/08/09"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a
11user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "Potential Active Directory Replication Account Backdoor"
18note = """## Setup
19
20The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
21Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure)

 1"""
 2references = [
 3    "https://twitter.com/menasec1/status/1111556090137903104",
 4    "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
 5    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml",
 6    "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all",
 7    "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes",
 8    "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set"
 9]
10risk_score = 47
11rule_id = "f8822053-a5d2-46db-8c96-d460b12c36ac"
12severity = "medium"
13tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"]
14timestamp_override = "event.ingested"
15type = "query"
16
17query = '''
18event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
19  winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and
20  winlog.event_data.AttributeValue : (
21    (
22      *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and
23      *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and
24      *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*
25    )
26  )
27'''
28
29[[rule.threat]]
30framework = "MITRE ATT&CK"
31
32  [[rule.threat.technique]]
33  id = "T1003"
34  reference = "https://attack.mitre.org/techniques/T1003/"
35  name = "OS Credential Dumping"
36
37    [[rule.threat.technique.subtechnique]]
38    id = "T1003.006"
39    reference = "https://attack.mitre.org/techniques/T1003/006/"
40    name = "DCSync"
41
42
43[rule.threat.tactic]
44id = "TA0006"
45reference = "https://attack.mitre.org/tactics/TA0006/"
46name = "Credential Access"

Setup

The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration:

1Computer Configuration >
2Policies >
3Windows Settings >
4Security Settings >
5Advanced Audit Policies Configuration >
6Audit Policies >
7DS Access >
8Audit Directory Service Changes (Success,Failure)

References

Related rules

to-top