Suspicious Access to LDAP Attributes
Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/29"
3integration = ["windows", "system"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/04/02"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can
13help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious Access to LDAP Attributes"
20risk_score = 73
21rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e"
22setup = """
23The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
24Steps to implement the logging policy with Advanced Audit Configuration:
25
26Computer Configuration >
27Policies >
28Windows Settings >
29Security Settings >
30Advanced Audit Policies Configuration >
31Audit Policies >
32DS Access >
33Audit Directory Service Changes (Success,Failure)
34"""
35severity = "high"
36tags = [
37 "Domain: Endpoint",
38 "OS: Windows",
39 "Use Case: Threat Detection",
40 "Tactic: Discovery",
41 "Data Source: System",
42 "Data Source: Active Directory",
43 "Data Source: Windows",
44]
45timestamp_override = "event.ingested"
46type = "eql"
47
48query = '''
49any where event.action == "Directory Service Access" and
50 event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and
51 winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1069"
59name = "Permission Groups Discovery"
60reference = "https://attack.mitre.org/techniques/T1069/"
61
62
63[rule.threat.tactic]
64id = "TA0007"
65name = "Discovery"
66reference = "https://attack.mitre.org/tactics/TA0007/"
Related rules
- Account Discovery Command via SYSTEM Account
- AdFind Command Activity
- Enumerating Domain Trusts via DSQUERY.EXE
- Enumerating Domain Trusts via NLTEST.EXE
- Enumeration of Administrator Accounts