Suspicious Access to LDAP Attributes

calendar Oct 15, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Discovery Data Source: System Data Source: Active Directory Data Source: Windows  ·
Share on: linkedin copy

Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/01/29"
 3integration = ["windows", "system"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can
13help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious Access to LDAP Attributes"
20risk_score = 73
21rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e"
22setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
23Steps to implement the logging policy with Advanced Audit Configuration:
24
25Computer Configuration >
26Policies >
27Windows Settings >
28Security Settings >
29Advanced Audit Policies Configuration >
30Audit Policies >
31DS Access >
32Audit Directory Service Changes (Success,Failure)
33"""
34severity = "high"
35tags = [
36    "Domain: Endpoint",
37    "OS: Windows",
38    "Use Case: Threat Detection",
39    "Tactic: Discovery",
40    "Data Source: System",
41    "Data Source: Active Directory",
42    "Data Source: Windows",
43]
44timestamp_override = "event.ingested"
45type = "eql"
46
47query = '''
48any where event.action in ("Directory Service Access", "object-operation-performed") and
49 event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and
50 winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1069"
58name = "Permission Groups Discovery"
59reference = "https://attack.mitre.org/techniques/T1069/"
60
61
62[rule.threat.tactic]
63id = "TA0007"
64name = "Discovery"
65reference = "https://attack.mitre.org/tactics/TA0007/"

Related rules

to-top