AD Object WriteDAC Access
Detects WRITE_DAC access to a domain object
Sigma rule (View on GitHub)
1title: AD Object WriteDAC Access
2id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
3status: test
4description: Detects WRITE_DAC access to a domain object
5references:
6 - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
7 - https://threathunterplaybook.com/library/windows/active_directory_replication.html
8 - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
9author: Roberto Rodriguez @Cyb3rWard0g
10date: 2019/09/12
11modified: 2021/11/27
12tags:
13 - attack.defense_evasion
14 - attack.t1222.001
15logsource:
16 product: windows
17 service: security
18detection:
19 selection:
20 EventID: 4662
21 ObjectServer: 'DS'
22 AccessMask: '0x40000'
23 ObjectType:
24 - '19195a5b-6da0-11d0-afd3-00c04fd930c9'
25 - 'domainDNS'
26 condition: selection
27falsepositives:
28 - Unknown
29level: critical
References
-
Offensive Tradecraft An adversary can abuse this model and request information about a specific account via the replication request. This is done from an account with sufficient permissions (usuall...
Read More -
Active Directory Replication Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that ...
Read More -
Offensive Tradecraft An adversary with enough permissions (domain admin) can add an ACL to the Root Domain for any user, despite being in no privileged groups, having no malicious sidHistory, and n...
Read More
Related rules
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- Renamed Jusched.EXE Execution
- Renamed MegaSync Execution
- Renamed Autohotkey Binary
- DNS Server Error Failed Loading the ServerLevelPluginDLL