Access to a Sensitive LDAP Attribute
Identify access to sensitive Active Directory object attributes that contain credentials and decryption keys, such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
Elastic rule
[metadata]
creation_date = "2022/11/09"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identify access to sensitive Active Directory object attributes that contain credentials and decryption keys such as
unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
"""
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Access to a Sensitive LDAP Attribute"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Access to a Sensitive LDAP Attribute

LDAP (Lightweight Directory Access Protocol) is crucial for accessing and managing directory information in Active Directory environments. Adversaries may exploit LDAP to access sensitive attributes like passwords and decryption keys, facilitating credential theft or privilege escalation. The detection rule identifies unauthorized access attempts by monitoring specific event codes and attribute identifiers, excluding benign activities to reduce noise, thus highlighting potential security threats.

### Possible investigation steps

- Review the event logs for event code 4662 to identify the specific user or process attempting to access the sensitive LDAP attributes.
- Check the winlog.event_data.SubjectUserSid to determine the identity of the user or service account involved in the access attempt, excluding the well-known SID S-1-5-18 (Local System).
- Analyze the winlog.event_data.Properties field to confirm which sensitive attribute was accessed, such as unixUserPassword, ms-PKI-AccountCredentials, or msPKI-CredentialRoamingTokens.
- Investigate the context of the access attempt by correlating the event with other logs or alerts around the same timestamp to identify any suspicious patterns or activities.
- Verify the legitimacy of the access by checking if the user or process has a valid reason or permission to access the sensitive attributes, considering the organization's access control policies.
- Assess the potential impact of the access attempt on the organization's security posture, focusing on credential theft or privilege escalation risks.
- Document findings and, if necessary, escalate the incident to the appropriate security team for further action or remediation.

### False positive analysis

- Access by legitimate administrative accounts: Regular access by system administrators to sensitive LDAP attributes can trigger alerts. To manage this, create exceptions for known administrative accounts by excluding their SIDs from the detection rule.
- Scheduled system processes: Automated tasks or system processes that require access to certain LDAP attributes may cause false positives. Identify these processes and exclude their specific event codes or AccessMasks if they are consistently benign.
- Service accounts: Service accounts that perform routine directory operations might access sensitive attributes as part of their normal function. Exclude these accounts by adding their SIDs to the exception list to prevent unnecessary alerts.
- Monitoring tools: Security or monitoring tools that scan directory attributes for compliance or auditing purposes can generate false positives. Whitelist these tools by excluding their event sources or specific actions from the detection criteria.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Conduct a thorough review of the access logs to identify any unauthorized users or systems that accessed the sensitive LDAP attributes.
- Reset passwords and revoke any potentially compromised credentials associated with the affected accounts, focusing on those with access to sensitive attributes.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activities or attempts to access sensitive LDAP attributes.
- Review and update access controls and permissions for sensitive LDAP attributes to ensure they are restricted to only necessary personnel.
- Conduct a post-incident analysis to identify any gaps in security controls and update policies or procedures to prevent similar incidents in the future."""
references = [
    "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
    "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
]
risk_score = 47
rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66"
setup = """## Setup

Audit Directory Service Access must be enabled to generate the events used by this rule.
Setup instructions: https://ela.st/audit-directory-service-access
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Privilege Escalation",
    "Use Case: Active Directory Monitoring",
    "Data Source: Active Directory",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and event.code == "4662" and

  not winlog.event_data.SubjectUserSid : "S-1-5-18" and

  winlog.event_data.Properties : (
    /* unixUserPassword */
    "*612cb747-c0e8-4f92-9221-fdd5f15b550d*",

    /* ms-PKI-AccountCredentials */
    "*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*",

    /* ms-PKI-DPAPIMasterKeys */
    "*b3f93023-9239-4f7c-b99c-6745d87adbc2*",

    /* msPKI-CredentialRoamingTokens */
    "*b7ff5a38-0818-42b0-8110-d3d154c97f24*"
  ) and

  /*
  Excluding noisy AccessMasks
  0x0 undefined and 0x100 Control Access
  https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
  */
  not winlog.event_data.AccessMask in ("0x0", "0x100")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.004"
name = "Private Keys"
reference = "https://attack.mitre.org/techniques/T1552/004/"

[[rule.threat.technique]]
id = "T1649"
name = "Steal or Forge Authentication Certificates"
reference = "https://attack.mitre.org/techniques/T1649/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.002"
name = "Domain Accounts"
reference = "https://attack.mitre.org/techniques/T1078/002/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
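The EQL query above, re-implemented in plain Python and run over a handful of constructed 4662 events, as an added example that is not Elastic's code. It mirrors the four conditions of the rule (Windows event 4662, subject SID not Local System, a sensitive schema GUID in Properties, AccessMask outside the noisy 0x0/0x100 set) and adds a small triage helper that maps each GUID back to the attribute name the investigation steps ask you to confirm. The `excluded_sids` parameter is an assumption standing in for the SID exception list the false-positive section describes; the event dictionary layout, the sample SIDs, user names and the placeholder "unrelated" GUID are all constructed for the example.

```python
# Added example (not Elastic's code): a plain-Python re-implementation of the rule's
# EQL matching logic, run over constructed 4662 events, plus a small triage helper
# that names the sensitive attribute behind each schema GUID. Field names follow the
# winlog/ECS fields used in the rule; every sample value below is constructed.
from __future__ import annotations

# Schema GUIDs from the rule's query, mapped back to attribute names for triage.
SENSITIVE_ATTRIBUTE_GUIDS = {
    "612cb747-c0e8-4f92-9221-fdd5f15b550d": "unixUserPassword",
    "b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7": "ms-PKI-AccountCredentials",
    "b3f93023-9239-4f7c-b99c-6745d87adbc2": "ms-PKI-DPAPIMasterKeys",
    "b7ff5a38-0818-42b0-8110-d3d154c97f24": "msPKI-CredentialRoamingTokens",
}

LOCAL_SYSTEM_SID = "S-1-5-18"
# AccessMask values the rule excludes as noise: 0x0 (undefined) and 0x100 (Control Access).
NOISY_ACCESS_MASKS = frozenset({"0x0", "0x100"})


def accessed_sensitive_attributes(properties: str) -> list[str]:
    """Names of sensitive attributes whose GUID appears in the 4662 Properties field.

    The EQL ':' wildcard compare is case-insensitive, so match on lower-cased text.
    """
    text = properties.lower()
    return [name for guid, name in SENSITIVE_ATTRIBUTE_GUIDS.items() if guid in text]


def matches_rule(event: dict, excluded_sids: frozenset[str] = frozenset({LOCAL_SYSTEM_SID})) -> bool:
    """Mirror the rule's EQL: Windows event 4662, subject SID not excluded,
    a sensitive GUID in Properties, and an AccessMask outside the noisy set.

    `excluded_sids` (assumed, not part of the rule) is the tuning hook the false-positive
    section describes: add the SIDs of known administrative or service accounts here.
    A missing SID or AccessMask is treated as non-matching, matching EQL null handling.
    """
    if event.get("host.os.type") != "windows" or event.get("event.code") != "4662":
        return False
    data = event.get("winlog.event_data") or {}
    sid = data.get("SubjectUserSid")
    mask = data.get("AccessMask")
    if sid is None or sid in excluded_sids:
        return False
    if not accessed_sensitive_attributes(data.get("Properties", "")):
        return False
    return mask is not None and mask not in NOISY_ACCESS_MASKS


def triage(events: list[dict], excluded_sids: frozenset[str] = frozenset({LOCAL_SYSTEM_SID})) -> list[dict]:
    """One summary per matching event: who accessed which sensitive attribute, and with what mask."""
    summaries = []
    for event in events:
        if matches_rule(event, excluded_sids):
            data = event["winlog.event_data"]
            summaries.append({
                "subject": data.get("SubjectUserName"),
                "sid": data.get("SubjectUserSid"),
                "attributes": accessed_sensitive_attributes(data.get("Properties", "")),
                "access_mask": data.get("AccessMask"),
            })
    return summaries


def _event(sid: str, user: str, mask: str, properties: str, code: str = "4662") -> dict:
    """Build a constructed event in the field layout the rule expects."""
    return {
        "host.os.type": "windows",
        "event.code": code,
        "winlog.event_data": {
            "SubjectUserSid": sid, "SubjectUserName": user,
            "AccessMask": mask, "Properties": properties,
        },
    }


ROAMING_TOKENS = "{b7ff5a38-0818-42b0-8110-d3d154c97f24}"
UNIX_PASSWORD = "{612CB747-C0E8-4F92-9221-FDD5F15B550D}"        # upper-case on purpose
UNRELATED = "{11111111-2222-3333-4444-555555555555}"            # placeholder, not a real schema GUID
DOMAIN_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # constructed

# Constructed sample events; only the first should alert.
SAMPLE_EVENTS = [
    _event(DOMAIN_USER_SID, "jdoe", "0x10", f"{ROAMING_TOKENS}\n\t{UNRELATED}"),  # 0x10 = Read Property
    _event(LOCAL_SYSTEM_SID, "DC01$", "0x10", ROAMING_TOKENS),                   # Local System is excluded
    _event(DOMAIN_USER_SID, "jdoe", "0x100", UNIX_PASSWORD),                     # Control Access: noisy mask
    _event(DOMAIN_USER_SID, "jdoe", "0x10", UNRELATED),                          # no sensitive attribute
    _event(DOMAIN_USER_SID, "jdoe", "0x10", ROAMING_TOKENS, code="4663"),        # not a 4662 event
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints a single summary for the first sample event, naming `msPKI-CredentialRoamingTokens` as the attribute read by `jdoe` with mask `0x10`. Passing a larger `excluded_sids` set is the equivalent of the per-SID exception the false-positive analysis recommends; the other tuning knob the note mentions, dropping additional AccessMask values, maps onto `NOISY_ACCESS_MASKS`.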
Related rules
- Kerberos Pre-authentication Disabled for User
- Potential Credential Access via DCSync
- First Time Seen Account Performing DCSync
- Service Creation via Local Kerberos Authentication
- Creation of a DNS-Named Record