Suspicious Access to LDAP Attributes

calendar Apr 2, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Discovery Data Source: System Data Source: Active Directory Data Source: Windows  ·
Share on: linkedin copy

Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/01/29"
 3integration = ["windows", "system"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/02"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can
13help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious Access to LDAP Attributes"
20risk_score = 73
21rule_id = "68ad737b-f90a-4fe5-bda6-a68fa460044e"
22setup = """
23The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
24Steps to implement the logging policy with Advanced Audit Configuration:
25
26Computer Configuration >
27Policies >
28Windows Settings >
29Security Settings >
30Advanced Audit Policies Configuration >
31Audit Policies >
32DS Access >
33Audit Directory Service Changes (Success,Failure)
34"""
35severity = "high"
36tags = [
37    "Domain: Endpoint",
38    "OS: Windows",
39    "Use Case: Threat Detection",
40    "Tactic: Discovery",
41    "Data Source: System",
42    "Data Source: Active Directory",
43    "Data Source: Windows",
44]
45timestamp_override = "event.ingested"
46type = "eql"
47
48query = '''
49any where event.action == "Directory Service Access" and
50 event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and
51 winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1069"
59name = "Permission Groups Discovery"
60reference = "https://attack.mitre.org/techniques/T1069/"
61
62
63[rule.threat.tactic]
64id = "TA0007"
65name = "Discovery"
66reference = "https://attack.mitre.org/tactics/TA0007/"

Related rules

to-top