Access to a Sensitive LDAP Attribute
Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/11/09"
3integration = ["system", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/10/23"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as
13unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Access to a Sensitive LDAP Attribute"
20references = [
21 "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
22 "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
23 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136",
24]
25risk_score = 47
26rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66"
27setup = """
28
29The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
30Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Access (Success,Failure)
1"""
2severity = "medium"
3tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
4timestamp_override = "event.ingested"
5type = "eql"
6
7query = '''
8any where event.action == "Directory Service Access" and event.code == "4662" and
9
10 not winlog.event_data.SubjectUserSid : "S-1-5-18" and
11
12 winlog.event_data.Properties : (
13 /* unixUserPassword */
14 "*612cb747-c0e8-4f92-9221-fdd5f15b550d*",
15
16 /* ms-PKI-AccountCredentials */
17 "*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*",
18
19 /* ms-PKI-DPAPIMasterKeys */
20 "*b3f93023-9239-4f7c-b99c-6745d87adbc2*",
21
22 /* msPKI-CredentialRoamingTokens */
23 "*b7ff5a38-0818-42b0-8110-d3d154c97f24*"
24 ) and
25
26 /*
27 Excluding noisy AccessMasks
28 0x0 undefined and 0x100 Control Access
29 https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
30 */
31 not winlog.event_data.AccessMask in ("0x0", "0x100")
32'''
33
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37[[rule.threat.technique]]
38id = "T1003"
39name = "OS Credential Dumping"
40reference = "https://attack.mitre.org/techniques/T1003/"
41
42[[rule.threat.technique]]
43id = "T1552"
44name = "Unsecured Credentials"
45reference = "https://attack.mitre.org/techniques/T1552/"
46[[rule.threat.technique.subtechnique]]
47id = "T1552.004"
48name = "Private Keys"
49reference = "https://attack.mitre.org/techniques/T1552/004/"
50
51[rule.threat.tactic]
52id = "TA0006"
53name = "Credential Access"
54reference = "https://attack.mitre.org/tactics/TA0006/"
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1078"
60name = "Valid Accounts"
61reference = "https://attack.mitre.org/techniques/T1078/"
62[[rule.threat.technique.subtechnique]]
63id = "T1078.002"
64name = "Domain Accounts"
65reference = "https://attack.mitre.org/techniques/T1078/002/"
66
67
68
69[rule.threat.tactic]
70id = "TA0004"
71name = "Privilege Escalation"
72reference = "https://attack.mitre.org/tactics/TA0004/"
References
Related rules
- FirstTime Seen Account Performing DCSync
- Kerberos Pre-authentication Disabled for User
- Potential Credential Access via DCSync
- Service Creation via Local Kerberos Authentication
- Group Policy Abuse for Privilege Addition