Access to a Sensitive LDAP Attribute

Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/11/09"
 3integration = ["system", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/04/27"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as
13unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Access to a Sensitive LDAP Attribute"
20note = """## Setup
21
22## Setup
23
24The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
25Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure)

 1"""
 2references = [
 3    "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
 4    "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
 5    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136",
 6]
 7risk_score = 47
 8rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66"
 9severity = "medium"
10tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"]
11timestamp_override = "event.ingested"
12type = "eql"
13
14query = '''
15any where event.action == "Directory Service Access" and event.code == "4662" and
16
17  not winlog.event_data.SubjectUserSid : "S-1-5-18" and
18
19  winlog.event_data.Properties : (
20   /* unixUserPassword */
21  "*612cb747-c0e8-4f92-9221-fdd5f15b550d*",
22
23  /* ms-PKI-AccountCredentials */
24  "*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*",
25
26  /*  ms-PKI-DPAPIMasterKeys */
27  "*b3f93023-9239-4f7c-b99c-6745d87adbc2*",
28
29  /* msPKI-CredentialRoamingTokens */
30  "*b7ff5a38-0818-42b0-8110-d3d154c97f24*"
31  ) and
32
33  /*
34   Excluding noisy AccessMasks
35   0x0 undefined and 0x100 Control Access
36   https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
37   */
38  not winlog.event_data.AccessMask in ("0x0", "0x100")
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1003"
46name = "OS Credential Dumping"
47reference = "https://attack.mitre.org/techniques/T1003/"
48
49
50[rule.threat.tactic]
51id = "TA0006"
52name = "Credential Access"
53reference = "https://attack.mitre.org/tactics/TA0006/"

Setup

Setup

The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration:

1Computer Configuration >
2Policies >
3Windows Settings >
4Security Settings >
5Advanced Audit Policies Configuration >
6Audit Policies >
7DS Access >
8Audit Directory Service Changes (Success,Failure)

to-top