Rules Contributing to Sensitive Windows Active Directory Attribute Modification Alerts

The following rules are used to identify suspicious activity with Sensitive Windows Active Directory Attribute Modification. Any one or more of these will trigger Sensitive Windows Active Directory Attribute Modification Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Suspicious LDAP-Attributes Used

Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.

Rule ID

windows_security_12

Query

{'selection': {'EventID': 5136, 'AttributeValue|contains': '*', 'AttributeLDAPDisplayName': ['primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

  • The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)

Rule Source

SigmaHQ,d00a9a72-2c09-4459-ad03-5e0a23351e36

Author: xknow @xknow_infosec

Tactics, Techniques, and Procedures

T1001.003

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2019/03/24 high

  • Companies, who may use these default LDAP-Attributes for personal information

User account exposed to Kerberoasting

Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.

Rule ID

windows_security_15

Query

{'selection1': {'EventID': 5136}, 'selection2': {'ObjectClass': 'user'}, 'selection3': {'AttributeLDAPDisplayName': 'servicePrincipalName'}, 'condition': 'selection1 and selection2 and selection3'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0006, T1558

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022/02/22 high N/A

Powerview Add-DomainObjectAcl DCSync AD Extend Right

Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer

Rule ID

windows_security_27

Query

{'selection': {'EventID': 5136, 'AttributeLDAPDisplayName': 'ntSecurityDescriptor', 'AttributeValue|contains': ['1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '89e95b76-444d-4c62-991a-0facbeda640c']}, 'filter1': {'ObjectClass': ['dnsNode', 'dnsZoneScope', 'dnsZone']}, 'condition': 'selection and not 1 of filter*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

  • The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)

Rule Source

SigmaHQ,2c99737c-585d-4431-b61a-c911d86ff32f

Author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2019/04/03 high

  • New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.

Possible Shadow Credentials Added

Detects possible addition of shadow credentials to an active directory object.

Rule ID

windows_security_72

Query

{'selection': {'EventID': 5136, 'AttributeLDAPDisplayName': 'msDS-KeyCredentialLink'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

  • The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)

Rule Source

SigmaHQ,f598ea0c-c25a-4f72-a219-50c44411c791

Author: Nasreddine Bencherchali (Nextron Systems), Elastic (idea)

Tactics, Techniques, and Procedures

T1556

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2022/10/17 high

  • Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)

Potential Shadow Credentials added to AD Object

Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.

Rule ID

windows_security_73

Query

{'selection1': {'EventID': 5136}, 'selection2': {'AttributeLDAPDisplayName': 'msDS-KeyCredentialLink'}, 'selection3': {'AttributeValue': 'B:828*'}, 'condition': 'selection1 and selection2 and selection3'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0006, T1556

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022/01/26 high

  • Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions.

AdminSDHolder Backdoor

Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.

Rule ID

windows_security_108

Query

{'selection1': {'EventID': 5136}, 'selection2': {'ObjectDN': 'CN=AdminSDHolder,CN=System*'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022/01/31 high N/A

Possible DC Shadow Attack

Detects DCShadow via create new SPN

Rule ID

windows_security_121

Query

{'selection1': {'EventID': 4742, 'ServicePrincipalNames|contains': 'GC/'}, 'selection2': {'EventID': 5136, 'AttributeLDAPDisplayName': 'servicePrincipalName', 'AttributeValue|startswith': 'GC/'}, 'condition': '1 of selection*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

  • The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)

Rule Source

SigmaHQ,32e19d25-4aed-4860-a55a-be99cb0bf7ed

Author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah

Tactics, Techniques, and Procedures

T1207

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2019/10/25 medium

  • Valid on domain controllers; exclude known DCs

Modification of the msPKIAccountCredentials

Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.

Rule ID

windows_security_129

Query

{'selection1': {'EventID': 5136}, 'selection2': {'AttributeLDAPDisplayName': 'msPKIAccountCredentials'}, 'selection3': {'OperationType': '%%14674'}, 'selection4': {'SubjectUserSid': 'S-1-5-18'}, 'condition': 'selection1 and selection2 and selection3 and (not selection4)'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0004, T1068

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022/11/09 medium N/A