Rules Contributing to Sensitive Windows Active Directory Attribute Modification Alerts
The following rules are used to identify suspicious activity with sensitive Windows Active Directory attribute modification. Any one or more of these will trigger Sensitive Windows Active Directory Attribute Modification Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
Suspicious LDAP-Attributes Used |
Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies. More details
Rule IDQuery{'selection': {'EventID': 5136, 'AttributeValue|contains': '*', 'AttributeLDAPDisplayName': ['primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,d00a9a72-2c09-4459-ad03-5e0a23351e36 Author: xknow @xknow_infosec Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
User account exposed to Kerberoasting |
Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting. More details
Rule IDQuery{'selection1': {'EventID': 5136}, 'selection2': {'ObjectClass': 'user'}, 'selection3': {'AttributeLDAPDisplayName': 'servicePrincipalName'}, 'condition': 'selection1 and selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|
||||||||
Powerview Add-DomainObjectAcl DCSync AD Extend Right |
Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer More details
Rule IDQuery{'selection': {'EventID': 5136, 'AttributeLDAPDisplayName': 'ntSecurityDescriptor', 'AttributeValue|contains': ['1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '89e95b76-444d-4c62-991a-0facbeda640c']}, 'filter1': {'ObjectClass': ['dnsNode', 'dnsZoneScope', 'dnsZone']}, 'condition': 'selection and not 1 of filter*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,2c99737c-585d-4431-b61a-c911d86ff32f Author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Possible Shadow Credentials Added |
Detects possible addition of shadow credentials to an active directory object. More details
Rule IDQuery{'selection': {'EventID': 5136, 'AttributeLDAPDisplayName': 'msDS-KeyCredentialLink'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f598ea0c-c25a-4f72-a219-50c44411c791 Author: Nasreddine Bencherchali (Nextron Systems), Elastic (idea) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Potential Shadow Credentials added to AD Object |
Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object. More details
Rule IDQuery{'selection1': {'EventID': 5136}, 'selection2': {'AttributeLDAPDisplayName': 'msDS-KeyCredentialLink'}, 'selection3': {'AttributeValue': 'B:828*'}, 'condition': 'selection1 and selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|
||||||||
AdminSDHolder Backdoor |
Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges. More details
Rule IDQuery{'selection1': {'EventID': 5136}, 'selection2': {'ObjectDN': 'CN=AdminSDHolder,CN=System*'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity75 Suppression Logic Based On
Additional Information
|
||||||||
Possible DC Shadow Attack |
Detects DCShadow via create new SPN More details
Rule IDQuery{'selection1': {'EventID': 4742, 'ServicePrincipalNames|contains': 'GC/'}, 'selection2': {'EventID': 5136, 'AttributeLDAPDisplayName': 'servicePrincipalName', 'AttributeValue|startswith': 'GC/'}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,32e19d25-4aed-4860-a55a-be99cb0bf7ed Author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah Tactics, Techniques, and ProceduresReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
Modification of the msPKIAccountCredentials |
Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests. More details
Rule IDQuery{'selection1': {'EventID': 5136}, 'selection2': {'AttributeLDAPDisplayName': 'msPKIAccountCredentials'}, 'selection3': {'OperationType': '%%14674'}, 'selection4': {'SubjectUserSid': 'S-1-5-18'}, 'condition': 'selection1 and selection2 and selection3 and (not selection4)'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|