Suspicious Access to LDAP Attributes
Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/29"
3integration = ["windows", "system"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can
13help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious Access to LDAP Attributes"
20risk_score = 73
21rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e"
22setup = """The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
23Steps to implement the logging policy with Advanced Audit Configuration:
24
25Computer Configuration >
26Policies >
27Windows Settings >
28Security Settings >
29Advanced Audit Policies Configuration >
30Audit Policies >
31DS Access >
32Audit Directory Service Changes (Success,Failure)
33"""
34severity = "high"
35tags = [
36 "Domain: Endpoint",
37 "OS: Windows",
38 "Use Case: Threat Detection",
39 "Tactic: Discovery",
40 "Data Source: System",
41 "Data Source: Active Directory",
42 "Data Source: Windows",
43]
44timestamp_override = "event.ingested"
45type = "eql"
46
47query = '''
48any where event.action in ("Directory Service Access", "object-operation-performed") and
49 event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and
50 winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1069"
58name = "Permission Groups Discovery"
59reference = "https://attack.mitre.org/techniques/T1069/"
60
61
62[rule.threat.tactic]
63id = "TA0007"
64name = "Discovery"
65reference = "https://attack.mitre.org/tactics/TA0007/"
Related rules
- Access to a Sensitive LDAP Attribute
- Active Directory Group Modification by SYSTEM
- AdFind Command Activity
- AdminSDHolder SDProp Exclusion Added
- Creation of a DNS-Named Record