[New Rule][BBR] WRITEDAC Access on Active Directory Object (#3015)

* [New Rule] WRITEDAC Access on Active Directory Object

* Update defense_evasion_write_dac_access.toml

* Fix Setup Instructions

* Update defense_evasion_write_dac_access.toml

* Update rules_building_block/defense_evasion_write_dac_access.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

rules/windows/credential_access_dcsync_newterm_subjectuser.toml

@@ -57,7 +57,7 @@ This rule monitors for when a Windows Event ID 4662 (Operation was performed on
 
 ## Setup
 
-The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
 Steps to implement the logging policy with Advanced Audit Configuration:
 
 ```
@@ -68,7 +68,7 @@ Security Settings >
 Advanced Audit Policies Configuration >
 Audit Policies >
 DS Access >
-Audit Directory Service Changes (Success,Failure)
+Audit Directory Service Access (Success,Failure)
 ```
 """
 references = [

rules/windows/credential_access_dcsync_replication_rights.toml

@@ -57,7 +57,7 @@ This rule monitors for Event ID 4662 (Operation was performed on an Active Direc
 
 ## Setup
 
-The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
 Steps to implement the logging policy with Advanced Audit Configuration:
 
 ```
@@ -68,7 +68,7 @@ Security Settings >
 Advanced Audit Policies Configuration >
 Audit Policies >
 DS Access >
-Audit Directory Service Changes (Success,Failure)
+Audit Directory Service Access (Success,Failure)
 ```
 """
 references = [

rules/windows/credential_access_ldap_attributes.toml

@@ -21,7 +21,7 @@ note = """## Setup
 
 ## Setup
 
-The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
 Steps to implement the logging policy with Advanced Audit Configuration:
 
 ```
@@ -32,7 +32,7 @@ Security Settings >
 Advanced Audit Policies Configuration >
 Audit Policies >
 DS Access >
-Audit Directory Service Changes (Success,Failure)
+Audit Directory Service Access (Success,Failure)
 ```
 """
 references = [

rules_building_block/defense_evasion_write_dac_access.toml

@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2023/08/15"
+integration = ["system", "windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write
+Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated
+with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other
+compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation,
+lateral movement, and persistence.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "WRITEDAC Access on Active Directory Object"
+setup = """
+The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Access (Success,Failure)
+```
+"""
+references = [
+    "https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf"
+]
+risk_score = 21
+rule_id = "f5861570-e39a-4b8a-9259-abd39f84cb97"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "query"
+building_block_type = "default"
+
+query = '''
+event.action:"Directory Service Access" and event.code:"5136" and
+  winlog.event_data.AccessMask:"0x40000"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1222"
+reference = "https://attack.mitre.org/techniques/T1222/"
+name = "File and Directory Permissions Modification"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+