Potential Active Directory Replication Account Backdoor
Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.
Elastic rule
[metadata]
creation_date = "2024/07/10"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a
user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Active Directory Replication Account Backdoor"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Active Directory Replication Account Backdoor

Active Directory (AD) is a critical component in many enterprise environments, managing user and computer accounts. Adversaries may exploit AD by modifying security descriptors to gain replication rights, allowing them to extract sensitive credential data. The detection rule identifies suspicious changes to security descriptors, specifically targeting attributes that grant replication capabilities, which could indicate an attempt to establish a backdoor for credential access.

### Possible investigation steps

- Review the event logs for the specific event code 5136 to identify the exact changes made to the nTSecurityDescriptor attribute and the account involved.
- Examine the winlog.event_data.AttributeValue to determine if the changes include the specific GUIDs (*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, *89e95b76-444d-4c62-991a-0facbeda640c) that indicate replication rights were granted.
- Identify the user or computer account (S-1-5-21-*) that was granted these rights and assess whether this account should have such permissions.
- Check the account's recent activity and login history to identify any unusual or unauthorized access patterns.
- Investigate any recent changes or anomalies in the directory service that could correlate with the suspicious modification event.
- Consult with the Active Directory administrators to verify if the changes were authorized and part of any legitimate administrative tasks.

### False positive analysis

- Changes made by authorized administrators during legitimate security audits or system maintenance can trigger the rule. To manage this, create exceptions for known administrative accounts performing regular audits.
- Automated scripts or tools used for Active Directory management might modify security descriptors as part of their normal operation. Identify these scripts and exclude their associated accounts from triggering alerts.
- Scheduled tasks or system processes that require replication rights for synchronization purposes may also cause false positives. Review and whitelist these processes if they are verified as non-threatening.
- Third-party applications with legitimate replication needs might alter security descriptors. Ensure these applications are documented and their actions are excluded from the rule.
- Temporary changes during system migrations or upgrades can be mistaken for suspicious activity. Monitor these events closely and apply temporary exceptions as needed.

### Response and remediation

- Immediately isolate the affected user or computer account from the network to prevent further unauthorized access or data exfiltration.
- Revoke any unauthorized permissions or changes made to the nTSecurityDescriptor attribute for the affected account to remove replication rights.
- Conduct a thorough review of recent changes to the AD environment, focusing on accounts with elevated privileges, to identify any other unauthorized modifications.
- Reset passwords for all accounts that may have been compromised, prioritizing those with administrative or sensitive access.
- Implement additional monitoring on the affected account and related systems to detect any further suspicious activity.
- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the full scope of the breach.
- Review and update access control policies and security descriptors in Active Directory to prevent similar unauthorized changes in the future.

## Setup

The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure)
"""
references = [
    "https://twitter.com/menasec1/status/1111556090137903104",
    "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml",
    "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all",
    "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes",
    "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set",
]
risk_score = 47
rule_id = "f8822053-a5d2-46db-8c96-d460b12c36ac"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.code:"5136" and
    winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and
    winlog.event_data.AttributeValue : (
        (
            *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and
            *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and
            *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*
        )
    )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

    [[rule.threat.technique]]
    id = "T1003"
    reference = "https://attack.mitre.org/techniques/T1003/"
    name = "OS Credential Dumping"

        [[rule.threat.technique.subtechnique]]
        id = "T1003.006"
        reference = "https://attack.mitre.org/techniques/T1003/006/"
        name = "DCSync"

[rule.threat.tactic]
id = "TA0006"
reference = "https://attack.mitre.org/tactics/TA0006/"
name = "Credential Access"
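The query above matches three independent wildcards over the raw SDDL in AttributeValue, so it confirms that each replication GUID is granted to some S-1-5-21-* trustee but not that a single account holds them, which is what the triage step asks the analyst to establish. The following is an added example, not part of the Elastic rule, that parses the SDDL the way an analyst would for event 5136: it reproduces the query's test, then attributes the three extended rights (identified by the GUIDs from the rule) to each trustee so that well-known principals such as ED, DA or BA can be told apart from a domain account. The sample descriptors, the domain SID and RID 1105 are constructed; the 0x100 control-access mask is the SDDL meaning of the CR token.

```python
import re
from collections import defaultdict

REPLICATION_RIGHTS = {  # extended-right GUIDs named in the rule query
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")  # "D:" + flags + run of ACEs
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*)\)")  # (type;flags;rights;guid;inh_guid;trustee)
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")  # domain account, not a well-known SID alias

def has_control_access(rights):
    """True if an ACE rights field carries CR (ADS_RIGHT_DS_CONTROL_ACCESS, 0x100)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & 0x100)
    return "CR" in {rights[i:i + 2] for i in range(0, len(rights), 2)}  # compare 2-char tokens, not substrings

def replication_grants(sddl):
    """Map each DACL trustee to the replication rights it is allowed (OA ACEs only; OD deny ACEs grant nothing)."""
    grants = defaultdict(set)
    m = DACL_RE.search(sddl)
    for ace_type, _flags, rights, obj_guid, _inh, trustee in ACE_RE.findall(m.group(1) if m else ""):
        name = REPLICATION_RIGHTS.get(obj_guid.lower())
        if ace_type == "OA" and name and has_control_access(rights):
            grants[trustee].add(name)
    return dict(grants)

def matches_rule_query(sddl):
    """Same test as the KQL: each GUID appears somewhere in the value followed by ';;S-1-5-21-'."""
    text = sddl.lower()
    return all(f"{guid};;s-1-5-21-" in text for guid in REPLICATION_RIGHTS)

def domain_trustees_with_replication_rights(sddl):
    """Triage view: which S-1-5-21-* accounts hold which rights; ED, DA, BA and other aliases are skipped."""
    return {sid: sorted(names) for sid, names in replication_grants(sddl).items()
            if DOMAIN_SID_RE.match(sid)}

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample values, not a real domain
BACKDOOR_SDDL = (  # default ED grants plus all three rights handed to a plain account (RID 1105)
    "O:DAG:DAD:AI(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN}-1105)"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN}-1105)"
    f"(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;{DOMAIN}-1105)"
)
BENIGN_SDDL = (  # replication rights only on well-known trustees; a domain group merely gets read access
    "O:DAG:DAD:AI(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;{DOMAIN}-513)"
)
```

Running `domain_trustees_with_replication_rights` over the value from a real alert names the account to check in the "Identify the user or computer account" step; an empty result on a descriptor that still matched the query points at a well-known-SID grant rather than a backdoored account.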
Related rules
- Access to a Sensitive LDAP Attribute
- Creation of a DNS-Named Record
- FirstTime Seen Account Performing DCSync
- Kerberos Pre-authentication Disabled for User
- Potential ADIDNS Poisoning via Wildcard Record Creation