AdminSDHolder SDProp Exclusion Added

Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/02/24"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from
13the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder
14object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected
15accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will
16remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these
17groups.
18"""
19from = "now-9m"
20index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
21language = "eql"
22license = "Elastic License v2"
23name = "AdminSDHolder SDProp Exclusion Added"
24note = """## Triage and analysis
25
26### Investigating AdminSDHolder SDProp Exclusion Added
27
28The SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.
29
30The dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.
31
32Administrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):
33
34- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).
35
36The usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.
37
38This rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.
39
40#### Possible investigation steps
41
42- Identify the user account that performed the action and whether it should perform this kind of action.
43- Contact the account and system owners and confirm whether they are aware of this activity.
44- Investigate other alerts associated with the user/host during the past 48 hours.
45- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:
46    - Account Operators eq 1
47    - Server Operators eq 2
48    - Print Operators eq 4
49    - Backup Operators eq 8
50    The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.
51
52### False positive analysis
53
54- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.
55
56### Response and remediation
57
58- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.
59- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
60"""
61references = [
62    "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad",
63    "https://petri.com/active-directory-security-understanding-adminsdholder-object",
64]
65risk_score = 73
66rule_id = "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7"
67setup = """## Setup
68
69The 'Audit Directory Service Changes' logging policy must be configured for (Success).
70Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success)

 1
 2If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 3events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 4Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 5`event.ingested` to @timestamp.
 6For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 7"""
 8severity = "high"
 9tags = [
10    "Domain: Endpoint",
11    "OS: Windows",
12    "Use Case: Threat Detection",
13    "Tactic: Persistence",
14    "Data Source: Active Directory",
15    "Resources: Investigation Guide",
16    "Use Case: Active Directory Monitoring",
17    "Data Source: System",
18]
19timestamp_override = "event.ingested"
20type = "eql"
21
22query = '''
23any where event.action in ("Directory Service Changes", "directory-service-object-modified") and
24  event.code == "5136" and
25  winlog.event_data.AttributeLDAPDisplayName : "dSHeuristics" and
26  length(winlog.event_data.AttributeValue) > 15 and
27  winlog.event_data.AttributeValue regex~ "[0-9]{15}([1-9a-f]).*"
28'''
29
30
31[[rule.threat]]
32framework = "MITRE ATT&CK"
33[[rule.threat.technique]]
34id = "T1078"
35name = "Valid Accounts"
36reference = "https://attack.mitre.org/techniques/T1078/"
37[[rule.threat.technique.subtechnique]]
38id = "T1078.002"
39name = "Domain Accounts"
40reference = "https://attack.mitre.org/techniques/T1078/002/"
41
42
43[[rule.threat.technique]]
44id = "T1098"
45name = "Account Manipulation"
46reference = "https://attack.mitre.org/techniques/T1098/"
47
48
49[rule.threat.tactic]
50id = "TA0003"
51name = "Persistence"
52reference = "https://attack.mitre.org/tactics/TA0003/"

Triage and analysis

Investigating AdminSDHolder SDProp Exclusion Added

The SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.

The dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.

Administrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):

  • For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).

The usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.

This rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.

Possible investigation steps

  • Identify the user account that performed the action and whether it should perform this kind of action.
  • Contact the account and system owners and confirm whether they are aware of this activity.
  • Investigate other alerts associated with the user/host during the past 48 hours.
  • Check the value assigned to the 16th bit of the string on the winlog.event_data.AttributeValue field:
    • Account Operators eq 1
    • Server Operators eq 2
    • Print Operators eq 4
    • Backup Operators eq 8 The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the c value on the bit.

False positive analysis

  • While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.

Response and remediation

  • The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.
  • Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).

References

Related rules

to-top