Access to a Sensitive LDAP Attribute
Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/11/09"
3integration = ["system", "windows"]
4maturity = "production"
5updated_date = "2024/08/07"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as
11unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Access to a Sensitive LDAP Attribute"
18references = [
19 "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
20 "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
21 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
22]
23risk_score = 47
24rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66"
25setup = """## Setup
26
27The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
28Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Access (Success,Failure)
1"""
2severity = "medium"
3tags = [
4 "Domain: Endpoint",
5 "OS: Windows",
6 "Use Case: Threat Detection",
7 "Tactic: Credential Access",
8 "Tactic: Privilege Escalation",
9 "Use Case: Active Directory Monitoring",
10 "Data Source: Active Directory",
11 "Data Source: System",
12]
13timestamp_override = "event.ingested"
14type = "eql"
15
16query = '''
17any where event.action in ("Directory Service Access", "object-operation-performed") and event.code == "4662" and
18
19 not winlog.event_data.SubjectUserSid : "S-1-5-18" and
20
21 winlog.event_data.Properties : (
22 /* unixUserPassword */
23 "*612cb747-c0e8-4f92-9221-fdd5f15b550d*",
24
25 /* ms-PKI-AccountCredentials */
26 "*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*",
27
28 /* ms-PKI-DPAPIMasterKeys */
29 "*b3f93023-9239-4f7c-b99c-6745d87adbc2*",
30
31 /* msPKI-CredentialRoamingTokens */
32 "*b7ff5a38-0818-42b0-8110-d3d154c97f24*"
33 ) and
34
35 /*
36 Excluding noisy AccessMasks
37 0x0 undefined and 0x100 Control Access
38 https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
39 */
40 not winlog.event_data.AccessMask in ("0x0", "0x100")
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1003"
48name = "OS Credential Dumping"
49reference = "https://attack.mitre.org/techniques/T1003/"
50
51[[rule.threat.technique]]
52id = "T1552"
53name = "Unsecured Credentials"
54reference = "https://attack.mitre.org/techniques/T1552/"
55[[rule.threat.technique.subtechnique]]
56id = "T1552.004"
57name = "Private Keys"
58reference = "https://attack.mitre.org/techniques/T1552/004/"
59
60
61
62[rule.threat.tactic]
63id = "TA0006"
64name = "Credential Access"
65reference = "https://attack.mitre.org/tactics/TA0006/"
66[[rule.threat]]
67framework = "MITRE ATT&CK"
68[[rule.threat.technique]]
69id = "T1078"
70name = "Valid Accounts"
71reference = "https://attack.mitre.org/techniques/T1078/"
72[[rule.threat.technique.subtechnique]]
73id = "T1078.002"
74name = "Domain Accounts"
75reference = "https://attack.mitre.org/techniques/T1078/002/"
76
77
78
79[rule.threat.tactic]
80id = "TA0004"
81name = "Privilege Escalation"
82reference = "https://attack.mitre.org/tactics/TA0004/"
References
Related rules
- FirstTime Seen Account Performing DCSync
- Kerberos Pre-authentication Disabled for User
- Service Creation via Local Kerberos Authentication
- Creation of a DNS-Named Record
- Modification of the msPKIAccountCredentials