Powerview Add-DomainObjectAcl DCSync AD Extend Right

calendar Aug 12, 2024 · attack.persistence attack.t1098  ·
Share on: linkedin copy

Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer

Sigma rule (View on GitHub)

 1title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
 2id: 2c99737c-585d-4431-b61a-c911d86ff32f
 3status: test
 4description: Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
 5references:
 6    - https://twitter.com/menasec1/status/1111556090137903104
 7    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
 8author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat
 9date: 2019-04-03
10modified: 2022-08-16
11tags:
12    - attack.persistence
13    - attack.t1098
14logsource:
15    product: windows
16    service: security
17    definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)'
18detection:
19    selection:
20        EventID: 5136
21        AttributeLDAPDisplayName: 'ntSecurityDescriptor'
22        AttributeValue|contains:
23            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
24            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
25            - '89e95b76-444d-4c62-991a-0facbeda640c'
26    filter_main_dns_object_class:
27        ObjectClass:
28            - 'dnsNode'
29            - 'dnsZoneScope'
30            - 'dnsZone'
31    condition: selection and not 1 of filter_main_*
32falsepositives:
33    - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
34level: high

References

  • x.com


    Read More

  • õwñø¼'ļ;o¤XǧËpñÍ”ÜîÜå³Û>˜¦ê5d•î®U£y]ZÆ6—ã�YûOØt›I>Í š\ÊWj§“Í&—ã�{YžXlt›I(ÚGB¸P2O'Ú—ÂvñZx�ƖЮØâ´¹D_@�Y_ ˆ]_ScÀà Rê»6º+þe,+¤×[~D§âŽ¢ NµÈãï5ð´µúÚÿßMWüªXÚi°Yϧ[ëÒÜj–ŽDç éÏzÈø†...


    Read More

Related rules

to-top